Srsly Risky Biz: Tuesday, January 19

Idiot-fuel: hackers post COVID-19 vaccine docs online, The SolarWinds thing isn't really a SolarWinds thing, No free pass for MacOS apps

Your weekly dose of Seriously Risky Business news is written by Brett Winterford, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation.

Idiot-fuel: hackers post COVID-19 vaccine docs online

COVID-19 vaccine documents stolen from Europe's pharmaceutical regulator were altered before being published in a cybercrime forum, in what now looks like an effort to erode trust in Europe's COVID-19 vaccination program.

The European Medicines Agency confirmed that a subset of the documents stolen during a December 2020 attack have been published online.

Italian cyber security firm Yarix discovered a 33.4MB archive of data, which was posted in two cybercrime forums (one English-language, one Russian-language) in late December. The forums were invite-only and more typically dealt with the buying and selling of unauthorised access to corporate networks.

The subject of the post was: "Astonishing fraud! Evil Pfffizer! Fake vaccines!"

The post included 50 files of "data on the authorisation and commercial process of the Pfizer-BioNTech vaccine." This included correspondence between Pfizer staff and the EMA, most of which were contained in screenshots, and other evidence that suggested the files were sourced from the EMA's Eudralink file transfer system.

Yarix CTO Nicola Bressan told Risky.Biz that a preliminary analysis of the documents suggested they were authentic, as names in the correspondence matched with EMA personnel and Pfizer staff. Yarix passed the files on to Italian authorities (CNAIPIC) for further analysis.

An EMA statement has since revealed that "some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines."

The EMA won't provide specifics on what the modifications entailed. A spokesperson told Risky.Biz that "some of the correspondence has been published not in its integrity and original form and/or with comments or additions by the perpetrators."

Risky.Biz perused a few screenshots of the leaked data. They include correspondence in which EMA staff discuss pressure to speed up their evaluation in the hope of aligning approval with the US FDA process, and discussions about potential variations between the vaccine put forward in clinical trials and what was later made available for sale.

We're not in a position to judge whether the documents we've seen reveal anything scandalous, mostly because we aren't immunologists or public health experts. But we can easily imagine anti-vaxxers drawing from those documents whatever conclusions best suit their beliefs.

Europe can ill-afford a disinformation campaign that further erodes trust in the efficacy and safety of COVID-19 vaccines approved for distribution. It also can't afford to further inflame "vaccine nationalism", in which some European states pursued bilateral agreements with pharmaceutical companies, despite a plan for the EU to centrally acquire and distribute them on a per capita basis. The European Parliament intends to counter "vaccine nationalism" with transparency: by setting up a "reading room" whereby Members of the European Parliament can physically inspect contracts signed between the EU and pharmaceutical companies.

As an aside, Dutch and German press reports suggest the attack on the EMA started with the compromise of a legitimate user who was working from home, which then led to the compromise of EMA's Active Directory, and at some point required the defeat of multifactor authentication. The compromise was reportedly detected after an analyst took an interest in why some of these resources were being accessed at unusual times.
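The detection the press reports describe, an analyst noticing resources touched at hours a user never used to be active, is simple to script as a first-pass check. The following is an added example and not from the newsletter or from the EMA investigation: it baselines each user's active hours from a week of constructed authentication log lines (the log format is an assumption for illustration, not any vendor's format) and flags later events that fall well outside that baseline.

```python
"""Flag resource access at hours a user has never been active before.

Added example, not from the newsletter or from the EMA investigation: it
shows one simple version of the check described above (an analyst asking
why resources were touched at unusual times) run over constructed
authentication log lines. The log format is an assumption for
illustration, not any vendor's format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <resource> <outcome>".
# alice works office hours for a week; then her account touches three
# resources at 03:xx on 10 Nov. bob has too little history to baseline.
SAMPLE_LOG = """\
2020-11-02T09:12:41 alice fileshare-01 success
2020-11-02T10:03:17 alice fileshare-01 success
2020-11-03T08:55:02 alice mail-gw success
2020-11-03T14:20:33 alice fileshare-01 success
2020-11-04T09:40:11 alice vpn-gw success
2020-11-05T11:02:50 alice fileshare-01 success
2020-11-06T16:45:09 alice mail-gw success
2020-11-09T09:05:30 alice vpn-gw success
2020-11-09T09:10:00 bob vpn-gw success
2020-11-10T03:17:44 alice fileshare-01 success
2020-11-10T03:22:08 alice dc-01 success
2020-11-10T03:25:51 alice fileshare-02 success
2020-11-10T03:30:00 bob fileshare-01 success
"""


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "resource": resource, "outcome": outcome})
    return events


def build_baseline(events, until, min_events=5):
    """Hours of day each user was successfully active in before `until`.

    Users with fewer than `min_events` successes get no baseline: with so
    little history every hour would look 'unusual'."""
    hours = defaultdict(set)
    counts = defaultdict(int)
    for e in events:
        if e["ts"] < until and e["outcome"] == "success":
            hours[e["user"]].add(e["ts"].hour)
            counts[e["user"]] += 1
    return {u: h for u, h in hours.items() if counts[u] >= min_events}


def hour_distance(a, b):
    """Circular distance between two hours of day (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def find_unusual_access(events, baseline, since, tolerance=1):
    """Events at/after `since` whose hour is more than `tolerance` hours
    away from every hour in that user's baseline."""
    flagged = []
    for e in events:
        if e["ts"] < since:
            continue
        seen = baseline.get(e["user"])
        if not seen:
            continue  # no baseline: leave this user for a different check
        if all(hour_distance(e["ts"].hour, s) > tolerance for s in seen):
            flagged.append(e)
    return flagged


def summarise(flagged):
    """Map user -> sorted list of resources touched at unusual hours."""
    out = defaultdict(set)
    for e in flagged:
        out[e["user"]].add(e["resource"])
    return {u: sorted(r) for u, r in out.items()}


def run_demo(log_text=SAMPLE_LOG):
    events = parse_log(log_text)
    cutoff = datetime(2020, 11, 10)  # baseline on the week before 10 Nov
    baseline = build_baseline(events, until=cutoff)
    return summarise(find_unusual_access(events, baseline, since=cutoff))


if __name__ == "__main__":
    for user, resources in run_demo().items():
        print(f"{user}: unusual-hour access to {', '.join(resources)}")
```

The baseline is deliberately built from a window that ends before the period being examined; folding the suspicious events into the baseline would teach the check that 03:00 is normal. Users with almost no history are skipped rather than flagged, since a one-event baseline would make everything an alert.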

The SolarWinds thing isn't really a SolarWinds thing

Mimecast is the latest company known to have exposed customers to a broad Russian espionage campaign that accessed numerous targets through their software and cloud service partners.

Mimecast advised customers to replace a digital certificate it issued to connect their Sync and Recover, Continuity Monitor and Internal Email Protect products to Microsoft 365 Exchange Web Services. Microsoft informed Mimecast that the certificate had been compromised.

Mimecast said that 10% of its 3900 customers had used the stolen certificate, but the attackers were selective about exploiting it. They'd accessed the emails of fewer than 10 Mimecast clients.

Details on this incident are paper-thin. The company won't say (or just might not know) how its certificate was compromised, so once again defenders are dealing with critical gaps in the public record.

The Wall Street Journal reported that the attackers that compromised Mimecast "used tools and techniques that link them to the hackers who broke into SolarWinds". The same report confirmed that Mimecast wasn't a SolarWinds customer at the time of the event.

So Mimecast joins a growing list of organisations that don't use SolarWinds but now find themselves caught up in this thing that everyone (including us) keeps describing as "the SolarWinds thing".

This thing is bigger and broader than SolarWinds. SolarWinds delivered the indicators from which a large amount of related activity has been unearthed, but we still don't know if the poisoning of the SolarWinds update was the beginning, the middle or the most recent activity. And there are well-founded expectations that more technology companies were compromised that are yet to go public about it.

So we're long past the point where it's fair to identify this activity set as the "SolarWinds" or "Solarigate" event. We also need to agree on what it is we are even describing. Is this a campaign, or are we unpicking our way through several campaigns by the same actor? Can we be certain it all stems from the one actor group (SVR), or are we making assumptions based on tradecraft openly shared between actor groups? What's an appropriate name for it?

A similarly broad set of espionage activity in 2008 eventually came to be known by the investigation and mop up operation that followed it: "Buckshot Yankee". So, how about it, FBI? Can we have a code-name please? Because if you don't have one already, Pat is hellbent on "HAND-WAVY RUSSIASTUFF".

No free pass for MacOS apps

Many infosec teams have been flying (partially) blind on MacOS endpoints in recent months, thanks to an unexpected "feature" in macOS 11 that exempted 53 native Apple apps from inspection by third party security tools.

Sources told ZDNet's Catalin Cimpanu that Apple's ContentFilterExclusionList was a kludgy, temporary way to hide that Apple's own apps weren't ready for the company's long-planned deprecation of kernel-mode extensions and introduction of user-mode system and network extensions.

Cimpanu now reports that the newly-released MacOS 11.2 beta appears to remove the exclusion list.

The problem arose after Apple began deprecating kernel extensions (kexts) with the release of Big Sur. Endpoint security software for macOS was, up until then, largely kext-based, so these utilities had to be re-engineered to use Apple's new endpoint security and network extension APIs.

All the main endpoint vendors (CrowdStrike, Symantec, McAfee etc.) and some challenger brands (Objective-See's BlockBlock and LuLu 2.0 and Objective Development's Little Snitch 5) now use these APIs.

However, by exempting some of its own apps from that API control, Apple made the network actions of its software invisible to endpoint security software.

The death of the exclusion list marks the end of the transition to a fundamentally better way for a mainstream operating system to support third party endpoint protection apps. We much prefer the idea of our security software interfacing with an Apple-created API as opposed to loading up kernel extensions written by some rando at McAfee in 2006.

Famed macOS security expert Patrick Wardle is onboard the API train, telling Risky.Biz the EndpointSecurity API is fantastic while the Network Extension API is "fantastic in theory, but marred by a bunch of bugs and issues".

Wardle says Apple appears to have squashed most of these bugs in macOS 11.2. Onwards and upwards!

Chinese telcos eye the Indo-Pacific

Chinese State media are talking up an agreement reached between Indonesia and a visiting Chinese delegation that would "provide a legal basis upon which Chinese telecom firms are able to expand overseas without subjecting them to arbitrary restrictions".

China’s Global Times claims that the MoU includes a pledge that neither country will "ask its firms to provide any backdoor to seize intelligent (sic) information of the other nation". (That reminds us of the 2014 pact made between Australia and Indonesia, in which the two countries agreed they would only spy on each other if they felt it was in their mutual interests!)

While Indonesian media outlets (Antara, Kompas) reported that China and Indonesia signed an MoU, news coverage focused on trade in pineapples, herbs and coal.

Nearby, the Sydney Morning Herald reports that China Mobile remains the frontrunner to acquire the Pacific assets of Digicel, the largest mobile telecommunications operator in Papua New Guinea, Fiji, Tonga and Samoa.
Joker's Stash to close

The administrators of Joker's Stash, an online market for stolen credit card data, announced they plan to shut up shop. The forum reportedly facilitated the sale of 43m stolen credit card details in 2020 alone. A little law enforcement attention might have helped them reach their decision.

UK deploys DoH service for remote gov workers

The UK NCSC spun up a web filtering service for UK government employees working from home that makes use of the DNS-over-HTTPS protocol. "PDNS Digital Roaming" requires staff running Windows 10 to install an app that encrypts and redirects DNS queries to the government's DNS resolver.

...meanwhile, NSA issues advice, caution on encrypted DNS

The US National Security Agency had its say on DNS-over-HTTPS. The SIGINT agency recommends network administrators host their own encrypted DNS resolver and block access to public DNS resolvers (see this list, maintained by AlphaSOC). The NSA and Risky.Biz: we are as one.
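The NSA recommendation above reduces to a simple egress policy: DNS, DoT and DoH are allowed only to the enterprise's own resolver, and everything else on those ports, plus HTTPS to known public DoH resolvers, is blocked. The following is an added example, not the NSA's guidance text nor AlphaSOC's list: it encodes that policy, runs it over constructed flow records, and prints the equivalent iptables egress rules. The internal resolver address is an assumption, and the public-resolver set is a tiny illustrative subset of the maintained list the text points to.

```python
"""Apply an 'enterprise resolver only' DNS egress policy to flow records.

Added example, not the NSA's guidance text or AlphaSOC's list: it encodes
the recommendation above (run your own encrypted resolver, block plain
DNS, DoT and known public DoH resolvers) and runs it over constructed
flow log lines. The internal resolver address is an assumption, the
public-resolver set is a tiny illustrative subset of the maintained
list the text points to, and every flow below is constructed.
"""
from ipaddress import ip_address

INTERNAL_RESOLVER = ip_address("10.0.0.53")   # assumed enterprise DoH/DoT resolver
# Illustrative subset only; load the full maintained list in practice.
PUBLIC_RESOLVERS = {ip_address(a) for a in ("1.1.1.1", "8.8.8.8", "9.9.9.9")}
DNS_PORTS = {53: "plain DNS", 853: "DNS-over-TLS"}

# Constructed flows: "<src> <dst> <proto> <dport>". 203.0.113.0/24 is a
# documentation range standing in for an ordinary web server.
SAMPLE_FLOWS = """\
10.1.2.3 10.0.0.53 tcp 443
10.1.2.3 1.1.1.1 tcp 443
10.1.2.3 8.8.8.8 udp 53
10.1.2.3 203.0.113.10 tcp 443
10.1.2.4 9.9.9.9 tcp 853
10.1.2.4 10.0.5.7 udp 53
"""


def classify(dst, dport):
    """Return ("allow"|"block", reason) for one outbound flow."""
    dst = ip_address(dst)
    if dst == INTERNAL_RESOLVER:
        return "allow", "enterprise resolver"
    if dport in DNS_PORTS:
        # Any DNS or DoT not going to the enterprise resolver bypasses its
        # filtering and logging, whether the destination is internal or not.
        return "block", f"{DNS_PORTS[dport]} to unapproved resolver"
    if dport == 443 and dst in PUBLIC_RESOLVERS:
        # DoH hides inside ordinary HTTPS; without TLS inspection the
        # destination list is the only cheap signal.
        return "block", "DoH to known public resolver"
    return "allow", "not DNS-related"


def classify_flows(text=SAMPLE_FLOWS):
    """Return (src, dst, dport, verdict, reason) for each flow line."""
    verdicts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        verdict, reason = classify(dst, int(dport))
        verdicts.append((src, dst, int(dport), verdict, reason))
    return verdicts


def iptables_rules():
    """Equivalent egress rules for a Linux host or gateway (illustrative)."""
    r = str(INTERNAL_RESOLVER)
    rules = [
        f"iptables -A OUTPUT -p udp --dport 53 ! -d {r} -j DROP",
        f"iptables -A OUTPUT -p tcp --dport 53 ! -d {r} -j DROP",
        f"iptables -A OUTPUT -p tcp --dport 853 ! -d {r} -j DROP",
    ]
    for ip in sorted(PUBLIC_RESOLVERS):
        rules.append(f"iptables -A OUTPUT -p tcp --dport 443 -d {ip} -j DROP")
    return rules


if __name__ == "__main__":
    for src, dst, port, verdict, reason in classify_flows():
        print(f"{verdict:5} {src} -> {dst}:{port}  ({reason})")
    print("\n".join(iptables_rules()))
```

Note that the port-443 rule only catches resolvers you have listed; that is exactly why the recommendation pairs it with hosting your own encrypted resolver, so that legitimate clients have somewhere approved to go and anything still reaching for an outside resolver stands out.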

Joyce returns to USA, Neuberger shifts to White House

Former NSA Tailored Access Operations chief, special assistant to the President and National Security Council Cybersecurity Coordinator Rob Joyce was named director of the NSA's cybersecurity directorate, filling a vacancy left by Anne Neuberger's appointment as a deputy on the National Security Council. We're "as one" on these appointments too.

Treasury delays KYC obligations on cryptocurrency

US Treasury allowed 15 more days of public consultation on a proposal that would lump KYC obligations on all organisations that exchange cryptocurrency, kicking the can down the road for the Biden administration to grapple with.

China trawls airline passenger records

Fox-IT analysts published a detailed paper on a China-nexus actor that has rummaged through the networks of several airlines looking for records of passenger movements. On occasion the attackers routed their C2 through Google's App Engine and Microsoft's Azure Edge (CDN).

Parler domain moves to "Russia's very own CloudFlare"

Hard right social network Parler[.]com is now protected by DDoS-Guard, a service described as "Russia's very own CloudFlare". Parler must be thrilled to have found protection from this completely and totally legitimate service. A Twitter hot take on this move has gone massively viral. But, well, it's wrong.

This week's long read

This read requires patience and assumes some technical knowledge. Google Project Zero penned a six-part blog series about an early 2020 watering hole campaign detected by the company's Threat Analysis Group (TAG). The campaign used 0days in Windows and Chrome to compromise targeted Windows and Android devices.

Google found that high-tier attackers spend an inordinate amount of time and energy on exploit reliability. These attackers will maintain exploits for older vulnerabilities for long periods of time — well after they’ve been patched — if the exploits prove reliable enough. They will also swap out good quality 0-day for better quality ones to achieve incremental gains in exploit reliability.