Srsly Risky Biz: Tuesday, January 5

SolarWinds hacking was stellar, British court rejects US request to extradite Assange, Judge dismisses first of Apple's claims against Corellium

Your weekly dose of Seriously Risky Business news is written by Brett Winterford, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation.

SolarWinds hacking was stellar

US government agencies and infosec vendors are among the many entities compromised in a nine-month cyber espionage operation, discovered by FireEye and attributed to Russia's SVR.

The campaign unravelled after researchers discovered a tainted software update from network monitoring vendor SolarWinds.

The hacking was top-shelf, involving supply chain infiltration, evasion of security tools, protocol-compliant exfil and the forging of SAML tokens to swim upstream from the target's network into their cloud service accounts. And all conducted with enough stealth to keep it unnoticed for nine months.

Attackers were able to cherry-pick targets from up to 18,000 SolarWinds customers that downloaded the malicious software update, but in most cases the SVR didn't leverage this access. The Risky.Biz grapevine says the number of organisations compromised in the campaign tops out at "a few hundred", with some prized intelligence targets among them.

Reuters' Chris Bing, who was first to report the SolarWinds compromise, named the US Departments of Treasury and Commerce as compromised targets. Trump administration officials added the State Department, Homeland Security and the Pentagon to the list. That list now includes the US National Institute of Health and numerous Department of Energy entities including the Federal Energy Regulatory Commission (FERC), the National Nuclear Security Administration, and the corporate networks of the Los Alamos and Sandia National Labs. US State and city governments were also infiltrated.

And while the attackers spent most of their time on these US targets (80% of second-stage downloads were US entities), the rest of the world shouldn't assume it's in the clear. FireEye notes that targets included "government, consulting, technology, telecom and extractive entities" in North America, Europe, Asia and the Middle East.

This public list of targets is likely to grow. Microsoft told the New York Times that close to half of the 40 customers it identified as compromised were fellow technology vendors. Telcos and software vendor networks are prized espionage targets because they offer attackers privileged access into a larger number of customer networks. Just ask Belgacom, CCleaner, Juniper Networks and a whole bunch of cloud providers, to name a few historical examples.

Supply chain compromises might be old hat, but this one seems to have cut deep. It serves to remind the United States and its allies of how vulnerable computer networks are to what Risky.Biz is going to dub "Actually Quite Good Hacking," or AQGC. It turns out many policymakers have forgotten AQGC actually exists, and now they've been reminded, some of them are out for blood.

President-elect Joe Biden told reporters that the espionage campaign "can't go unanswered".

"A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place," he declared. "I will not stand idly by in the face of cyberassaults on our nation.”

Sources close to the incoming administration told journalists that sweeping financial sanctions and retaliatory attacks are being proposed. Democrat Dick Durbin called the operation "virtually a declaration of war".

The tub-thumping is understandable, but most of it is groundless.

It's ill-advised to frame a response based on what Russia could have achieved with such access to US government networks. Yes, Russian operators have used supply chain attacks for destructive or disruptive purposes in the past, but so far it looks like that the SolarWinds compromise was used to spy, which is what we all should reasonably expect a foreign intelligence service to do. This was not a NotPetya moment (a NotNotPetya moment, if you will) and shouldn't be treated like one.

Microsoft policy lead Brad Smith proposed that "broad" supply chain attacks should be off-limits for traditional espionage. But was this actually "broad"? Five Eyes agencies exploit vulnerabilities in commonly used software all the time. What’s the functional difference when an adversary goes one step further and actually inserts the means of access into the targeted software via a supply chain attack?

It appears SVR was careful to avoid exposing non-targets to unacceptable risks. Punishing them this time around may remove the incentive to be as careful next time. Remember: it's not a cyber war crime just because it makes Brad Smith sad.

As for proposals to establish norms that would impose blanket bans on targeting third parties, we doubt the Five Eyes agencies would be thrilled with the idea.

Quibbles about what makes for an appropriate response offers little comfort for many readers of this newsletter, whose Christmas was spoiled by the discovery of this malware on their networks. If it's any consolation, it wasn't a particularly merry Christmas for the attackers, either. We can assume the Russians, if they are indeed responsible, spent their festive season pouring one out for their sweet, sweet shells as their op was burned when a) their hubris got the better of them and they decided to pivot into FireEye and b) a security staffer at FireEye actually followed up on a suspicious MFA alert.

This isn't the first time Russia has been in many of these systems and it likely won't be the last. It may take months to get a complete picture of how successful this campaign was. Alerts are firing all over the place on shared indicators between companies that did and didn't run the SolarWinds update. Microsoft, a SolarWinds customer, was breached and its source code accessed. Numerous Azure customers were subsequently popped after a Microsoft reseller was compromised.

We're expecting a steady drumbeat of news relating to this campaign to continue for months.

British court rejects US request to extradite Assange

A British court has rejected a US extradition request for Julian Assange, who was accused, among other things, of violating the US Espionage Act.

The result was surprising because Judge Vanessa Baraitsar agreed with just about every charge [pdf] US prosecutors put forward.

Judge Baraitsar noted that Assange's attempts to help Private Chelsea Manning crack password hashes was conduct that "most obviously demonstrates Mr Assange's complicity" in the theft of information and "separates his activity from that of the ordinary investigative journalist."

The judge nonetheless rejected the extradition request based on concerns Assange would commit suicide if he faced the harsh reality of the US penal system. Assange's defence lawyers successfully argued that a conviction on espionage charges would most likely see him billeted within the luxurious confines of ADX Florence or somewhere equally grim. (Whatever you think about Assange, he's not Hannibal Lecter, he's just a naughty boy.)

The United States has 15 days to file an appeal, and has indicated it will. We're not entirely sure it's possible, but if the United States can take supermax off the table and promise it would only send Assange to a prison with good shrinks and a ping pong table, he could be in real trouble.

Assange also has 15 more days to hope for a federal pardon before Trump leaves office. After that, we doubt a Democrat-led administration is likely to be as sympathetic to his plight, given the events of 2016.

Judge dismisses Apple's first claim against Corellium

Apple's pursuit of iOS emulation company Corellium has stalled after a federal judge in Florida ruled that the company's emulation of iOS constitutes fair use.

As we previously reported, Apple argued [pdf] that Corellium's software, a tool that helps security researchers virtualise the hardware iOS runs on, was "profiting from blatant copyright infringement". Apple sought a permanent injunction against Corellium license sales.

Judge Rodney Smith found [pdf] that Corellium "makes several changes to iOS and incorporates its own code to create a product that serves a transformative purpose" that Apple doesn't offer, therefore subjecting the testing kit to fair use protection.

"The Corellium Product makes available significant information about iOS, permitting users to, inter alia: (1) see and halt running processes; (2) modify the kernel; (3) use CoreTrace, a tool to view system calls; (4) use an app browser and a file browser; and (5) take live snapshots. These features are beneficial to security research."

But the battle isn't over just yet. Judge Smith did not rule on Apple's second claim against Corellium, in which Apple argued that the testing product "violated the anti-trafficking provisions of the Digital Millennium Copyright Act (DMCA)". This statute prohibits the sale of tools whose sole purpose is to circumvent a technical access control measure designed to protect the rights in a copyrighted work. Apple argued that Corellium circumvents several technical controls (Apple's authentication server validation check, secure boot chain, Buddy program, and trust cache) that prevent iOS from running on non-Apple hardware. A trial on the DMCA claim is scheduled for April.

Chinese telcos shown the door

The outgoing Trump administration is following through on threats to evict Chinese telcos from the United States.

The New York Stock Exchange has announced that, subject to a November executive order from President Trump, it will delist China Telecom, China Mobile and China Unicom Hong Kong. The three state-owned enterprises already list the vast majority of shares in Hong Kong.

The US is also, albeit at a glacial pace, taking steps to revoke China Telecom America's (CTA) operating license in the US. The Federal Communications Commission (FCC) has finally determined [pdf] (after eight months!) that CTA "failed to provide a satisfactory response" to a "show cause" order issued in April 2020. The FCC will now "institute proceedings" [pdf] to revoke and terminate CTA's license. FCC Chairman Ajit Pai promised the company a "full and fair opportunity to explain itself," but only in writing, not in front of a court. But with the onus now on CTA to demonstrate that it isn't a security risk, its goose is cooked.

In related news, the US added SMIC, China's largest semiconductor manufacturer, to its trade blacklist (the 'entity list)'. US firms now require Commerce Department permission before they can license technology to SMIC and dozens of other Chinese companies.

Reuters journalists pointed out that the SMIC listing only applies to supply of semiconductor technology at or below 10nm. So the US has effectively cut out the supply of materials for the manufacturer of leading edge consumer tech (the latest Macs, iPhones and Samsung smartphones use 5-7nm technology), but has left a door open for US companies to supply technology for the manufacture of products that use a 14 nm process, such as cheap Intel-based PCs or Huawei routers.

FinCEN demands KYC for cryptocurrency wallets

Citing concerns over money laundering and ransomware, the US Treasury's Financial Crimes Enforcement Network has proposed that all cryptocurrency wallets -- including unhosted wallets -- be subject to KYC (know your customer) requirements before exchanges or other financial institutions can transact with them.

KYC would require a bank or exchange to obtain proof of identity before facilitating transfers greater than US$3,000 (for their customer) or US$10,000 (for both their customer and a counter-party). France has pushed out similar requirements, without providing much in the way of notice.

The idea has outraged the free-thinking citizens of Blockchain-land. Tying an identity to transactions on a public ledger introduces privacy risks that don't apply to private ledgers (like bank accounts), because while your bank and card scheme know of your every transaction, it's a different story when the public has access to that data. It's not unreasonable to assume that crypto exchanges and financial regulators will continue to get hacked, especially once they are storing data that identifies holders of cryptocurrency.

Three reasons to actually be cheerful this week:

  1. The hunt for Red Azure: CISA and CrowdStrike have separately released tools to help incident responders and security analysts search for malicious AzureAD/Office 365 activity identified in the Russian espionage campaign that leads this newsletter. This NSA advisory [pdf] is also worth a read.
  2. Not so bulletproof: A German-led, global law enforcement action dismantled three bulletproof VPN providers that offered anonymity services to ransomware actors, card skimming groups and other cybercrooks for close to a decade.
  3. A "Ransomware Task Force'': 19 organisations, including Microsoft, are collaborating on a "standardised framework for dealing with ransomware attacks". We'd also suggest somebody be tasked with applying force to ransomware gangs, given they are now going after K-12 schools.

APT32/Ocean Lotus doxxed.... by Facebook!

Facebook's InfoSec team named a group of related Vietnamese IT firms as front companies for APT32 or "OceanLotus", one of the more prolific attackers in South East Asia. Facebook analysts used intel pulled together from numerous APT32 campaigns where Facebook profiles were used as lures. Reuters' Raphael Satter had a fun chat with a correspondent from one of the firms before its Facebook account was yanked.

The iPhones of Al Jazeera staff hacked using iMessage 0day

Citizen Lab exposed another shady NSO Group operation: attackers from Saudi Arabia and the UAE used NSO Group’s "Kismet" exploit chain to hack the iPhones of 36 Al Jazeera staff and a journalist at London-based Al Araby TV. At the time, Kismet included an interaction-less 0day in Apple's iMessage service, a bug patched as part of the iOS14 update in September 2020.

FBI creating headaches for Joker's Stash forum

The FBI seized servers used by the Joker's Stash carding forum in the hope of disrupting its operations. Forum admins claim the seized servers were merely proxies: they are advertising Tor links to the forum to demonstrate that it remains operational.

COVID-19 docs stolen from European Medicines Agency

Undisclosed attackers stole documents from the European Medicines Agency as it was reviewing COVID-19 vaccine candidates from BioNTech, Moderna and others. BioNTech and Moderna confirmed that data each company submitted to the regulator was accessed. The EMA approved the BioNTech vaccine on December 21.

Attackers snooped on Finnish parliament email

Official email accounts used by Finland's Ministers of Parliament were hacked earlier this year. Catalin Cimpanu at ZDNet notes that the timing lines up with a GRU operation that targeted Norway’s Parliament.

Vietnam subject to supply chain attack

Attackers compromised two Windows apps that businesses and individuals in Vietnam had to use when signing and submitting official documents to the government.

Kazakhstan's MITM strategy fails, again

All major browser vendors revoked a certificate the Kazakh government forced residents of Nur-Sultan to use in order to access foreign websites. That's the second time in two years that Kazakh authorities have tried in vain to intercept traffic on a city or state-wide basis.

Japanese military contractor hacked

Kawasaki Heavy Industries, a Japanese manufacturer of military aircraft and submarines, was compromised in attacks starting in mid-2020. Judging from information released about the incident [pdf], the company isn't confident it knows the full extent of the breach.

Malaysia's Defence website defaced

Someone posted dirty pictures on the public web site of the Malaysian Armed Forces (MAF). The MAF claims the miscreants were attempting to "steal information from the government."

TicketMaster fined US$10m over corporate espionage

The US DoJ fined TicketMaster US$10m after it endorsed an employee's scheme to use passwords stolen from rival company SongKick to hack into the accounts of SongKick clients (artists and promoters). Ticketek hired an ex-employee of SongKick, who supplied his new colleagues with stolen passwords for numerous SongKick artist accounts in order to monitor their ticket sales. The company previously paid US$110m in a private settlement to SongKick over the same events.

Adobe, Microsoft kill Flash properly

Adobe isn't just ending support for Adobe Flash, it's killing it good! From January 12, Flash Player will no longer be able to play content. And while everybody should manually uninstall the program now, Microsoft has also detailed plans to remove it automatically in updates to Windows 10.

This week's long read

In late December, ProPublica and the New York Times collaborated on a story that details how China's army of censors were instructed to censor news about the COVID-19 outbreak. The story is based on 3,200 official directives, 1,800 memos and other files reportedly lifted from the country’s internet regulator (the Cyberspace Administration of China) by a hacking group calling itself "CCP Unmasked".