On Spyware, More Sanctions Please

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.

House Intelligence Committee chair Rep. Adam Schiff has vowed to tackle commercial spyware proliferation and "respond to this threat with urgency".

Last week we assessed the anti-spyware provisions added to the draft Intelligence Authorization Act (including the possibility of sanctions and an annual DNI assessment of the industry) and concluded that they were a good first step. But given increased interest in reigning in the industry, what more can be done?

During an open hearing on spyware held last week, Schiff expressed two separate concerns about the commercial spyware industry. The first is that proliferation allows the targeting of governments themselves with sophisticated spyware, and the second is that commercial spyware is used by authoritarian governments to facilitate oppression and human rights abuses such as the targeting of journalists and activists. Thankfully, we don't have to choose between these two concerns — both can be satisfied with similar mitigations.

Some experts, including several UN Special Rapporteurs for human rights and freedom of expression, have argued for what we'd describe as a maximalist approach. This would start with a moratorium on the sale and transfer of surveillance technologies until robust mitigations are put in place. These mitigations would include countries passing domestic legislation limiting the use of surveillance technologies, export controls, human rights impact assessments prior to the transfer of spyware, and increased transparency.

Aside from a moratorium, which we don't think is likely, these initiatives all make sense to some degree. Together, they'd form a holistic set of complementary controls that would limit abusive use of commercial spyware aka mercenary spyware. At the same time, they feel tremendously ambitious and don't look like they'll be implemented in many countries any time soon. This is underscored by the lack of progress implementing these recommendations since they were first published in 2019 in a UN Special Rapporteur report on Surveillance and human rights. Although, perhaps now, the dangers represented by commercial spyware are better understood.

A particular gem in this report is that the Special Rapporteur examines 'national security' as a rationale for targeted surveillance and finds it "should be limited in application to situations in which the interest of the whole nation is at stake, which would thereby exclude restrictions in the sole interest of a Government, regime or power group". In other words, governments shouldn't use spyware to stay in power or attack domestic political enemies.

Unfortunately, however, the number one priority for some governments is to stay in power, and this is exactly what too many governments use spyware for. All states have legitimate national security needs where magically advanced spyware could be of use, but relatively few states have the mature governance structures like an independent judiciary with robust oversight that prevent these tools being abused to advantage those in power.

Even amongst EU member states, for example, the use of spyware to target politicians for domestic political gain is not uncommon. Just last week Nikos Androulakis, the president of Greece's second-largest opposition party PASOK and a member of the EU Parliament, claimed his device had been compromised by Predator spyware. This comes in addition to previous news about the targeting of Catalan activists in Spain and journalists in Hungary. These incidents all look to be domestic targeting for political purposes rather than targeting for legitimate national security reasons.

Pressing countries like Hungary and Spain (and other countries of concern) to pass new laws limiting the use of spyware will have limited effect. A government oppressing its citizens to suppress dissent won't magically behave well the moment it passes new laws, especially when those laws are a fig leaf designed to make them appear responsible enough to be trusted with advanced spyware. Encouraging countries to pass effective laws is a worthwhile goal, it's just a long-term project and the short-term pay off will be pretty light.

Aside from domestic regulation, we also think that using traditional export control mechanisms to rein in spyware proliferation will be difficult, as there is no technical basis for defining 'good' exports vs 'bad' exports. The exact same spyware used to target terrorists and organised crime syndicates can also be used against political opponents and human rights advocates. Incorporating effective human rights assessments into export decisions is the answer here, but these efforts are at a relatively early stage and will take time to implement across countries that are home to spyware producers.

To be clear, export control regulations and new legislation that tackles the supply and use of surveillance technology are both worthwhile, but will take time to be implemented and have effect.

Robert Chesney, Dean at the University Texas School of Law and co-host of the National Security Law Podcast, told Seriously Risky Business that there is "no way to stop bad guys" intent on providing spyware to the highest bidder, but the goal should be to prevent as many abuses as possible. For that goal, he says, "I think sanctions are an underrated option".

Sanctions provide both "specific and general deterrence", he says, in that they punish the actual company involved and also warn other companies in the field. Sanctioned companies are "destroyed as objects of investment and their business model is ruined". Sanctions also apply after the fact, so they can be applied when bad behaviour is discovered so it doesn't require that human rights impact assessments be perfect at time of sale. Under what criteria should spyware makers be sanctioned? It doesn't matter, you'll know it when you see it.

So the best solution is a comprehensive regime that encourages both companies and countries to behave well, while monitoring and restricting sales to the worst customers. Even then, an effective regime can only cover some of the countries which produce advanced spyware. In the meantime, more sanctions please.

Ransomware Good News, Ransomware Bad News

In just the last week ransomware incidents have affected a Luxembourg energy company, healthcare organisations, a semiconductor components maker, a Spanish government ministry and British schools.

First, the good news: ransomware incident response firm Coveware has found fewer victims are paying ransoms and operators appear to be avoiding high-profile attacks which could result in outsized law enforcement and geopolitical attention. Coveware also says the Ransomware-as-a-Service (RaaS) business model may no longer be as attractive as it once was. RaaS provides shared branding, infrastructure and services such as data storage and negotiations, but these shared elements now come with increased risk from either insider threat or increasing the operation's attack surface. In other words, the risk-reward payoff for the RaaS model may have changed.

In other good news the US House of Representatives passed the "Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies Act" or the "RANSOMWARE Act". This is a fantastic backronym, but we are not sure how much of a dent this legislation will make in ransomware — it requires the FTC to report on cross-border complaints involving ransomware every two years.

Now, the bad news: ENISA, the European Union Agency for Cybersecurity, surveyed a sample of ransomware incidents from May 2021 to June 2022 and found "ransomware has adapted and evolved, becoming more efficient and causing more devastating attacks".

At first glance the summary findings in the two reports look to be incompatible but these are almost certainly due to differences in sampling and methodology. ENISA examined 623 ransomware incidents it found on ransomware sites and also from media, government and security company reports. Coveware's data comes from actual cases where it handles incident response. Both sources are subject to multiple biases.

There are massive gaps in the ENISA report — in the 623 cases it examined it was not possible to confirm if a ransom had been paid in 588 of them. Of the 66 where data was available only eight organisations or 12% admitted to paying a ransom. This relatively low payment rate — we've anecdotally heard in the past that about a third of victims pay — is contradicted by other data in the ENISA report. It examined data extortion and found that only 38% of victims had their data leaked on the internet, perhaps suggesting that more than 60% had paid a ransom. Who knows?

An Atlantic Council report released this week recommends that Congress directly tackle this data issue by mandating that ransomware payments be reported to CISA, with "liability protections so that the report cannot form the basis for regulatory or enforcement action against the victim". We are definitely fans of this proposal and wonder why not report ransomware incidents rather than just payments? The report argues that payments are "clear and undeniable", which will make enforcement easier.

Other recommendations focus on ways for Congress to encourage improved security at small to medium enterprises. The overall conclusion is that ransomware is here to stay, so we should start working on efforts that will yield improvements over the long term.

TikTok Has Backbone But it Might Not be Enough

TikTok rebuffed attempts by the Chinese government to create a covert propaganda account, but the Chinese Communist Party trying it on in the first place is a bad omen.

According to internal messages seen by Bloomberg, a Chinese government entity responsible for public relations approached TikTok and asked it to help establish an account on the app that would target Western audiences with propaganda but not appear as linked to the Chinese government. TikTok executives said no, but the incident is not reassuring — it illustrates that at least some elements of the Chinese government would like to covertly take advantage of TikTok's reach.

Meanwhile, BuzzFeed News reported that a different ByteDance product, the now-defunct English-language news app TopBuzz, has already been used to promote Chinese propaganda. The story relates that specific pieces of pro-China content were pinned to the top of the app, including panda and travel videos.

These examples seem innocuous enough, but they take on an Orwellian cast when you realise they are likely part of a deliberate Chinese government strategy to "tell China's story well". This Xi Jinping-initiated strategy involves tremendous investment in the state-run China Global Television Network (CGTN), buying overseas media outlets, training foreign journalists and even the censorship of Hollywood movies. Remember John Cena's grovelling apology for calling Taiwan a country?

TikTok has announced that it is working on new transparency tools for researchers, but that may not be enough to confirm that TikTok executives are continuing to resist Xi Jinping's propaganda directives.

Three Reasons to be Cheerful this Week:

1. Malicious use of Microsoft Office macros down: Perhaps unsurprisingly, default blocking of Microsoft Office macros has forced threat actors to distribute malware using different methods. Proofpoint reports that malware use of macros has decreased 66% since October 2021. They have pivoted towards using container files such as ISO and RAR attachments and Windows Shortcut (LNK) files instead.
2. The latest version of ThinkstScapes is out: Thinkst Canary curates security research into a quarterly highlights document with very nice one-page summaries. Highlights for us from this edition include "What Log4j teaches us about the Software Supply Chain" and "Software Update Strategies: A Quantitative Evaluation Against Advanced Persistent Threats". Disclosure: Thinkst Canary is a Risky Business sponsor.
3. Australian stalkerware author charged: The Australian Federal Police (AFP) have charged a 24-year old Australian for allegedly creating, selling and administering the Imminent Monitor (IM) Remote Access Trojan. The IM operation was busted in 2019, with an international effort leading to 85 search warrants and 13 arrests. The man was only 15 years old when he created the spyware and the AFP think he spent most of the AUD$300-400k he earned from selling IM "on food delivery services and other consumable and disposable items".

Running a Global Vulnerability Management Program with Nucleus

Risky Business publishes sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors.

In our latest demo, Scott Kuffer shows Patrick Gray the ins and outs of Nucleus Security. Nucleus is a platform that ingests the scan outputs from a number of vulnerability identification tools, normalises that information and then allows vulnerability management teams to do things like assign responsibility for certain types of bugs to the correct people.

You can subscribe to our product demo page on YouTube here.

Shorts

Post Quantum encryption contender cracked

Ars Technica has excellent coverage of the breaking of a Post-Quantum Cryptography candidate algorithm. A single traditional computer was able to crack SIKE, one of the algorithms selected by NIST as a potential secure public-key cryptography solution after the advent of quantum computers. Ars examines how a potential standard was found to be flawed so late in the standardisation process and it appears that the cryptographers involved did not understand the maths involved as well as they needed to.

US and Ukraine expand cyber security cooperation

CISA and the SSSCIP signed a deal to expand cyber security cooperation. The Memorandum of Cooperation mentions sharing best practices on incident response, critical infrastructure security technical exchanges and training and joint exercises. Further coverage at The Record.

Risky Biz Talks

In addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed  (RSS, iTunesor Spotify) also publishes interviews.

The last Seriously Risky Business podcast also contains "Between Two Nerds", a segment where The Grugq and Tom Uren discuss the superpower that is bureaucracy. State cyber power requires bureaucracy to harness the varied specialist skills required to run effective and impactful cyber operations.

From Risky Biz News:

Proxy service hack: The operators of the 911[.]re proxy network said they are shutting down in the aftermath of a data breach that destroyed key components of its business operation, Brian Krebs reported. The shutdown also comes days after the same Krebs published an in-depth look at the shady service earlier this month.

Microsoft puts the limelight on another spyware maker—DSIRF from Austria: Microsoft's security teams published a report exposing the hacking tools of another company—namely, Austrian software maker DSIRF.

The revelation that DSIRF was a commercial spyware vendor was news for most international audiences, but German media had been on their case for at least a year and especially focused on the possible ties the company may have with Russia.

Founded in 2016, the company appears to have gone through multiple stages in its six-year history, such as election security, biometrics authentication, and cyber-warfare, before deciding to have a go at the commercial surveillance market (continued).

Nomad bridge disaster: The Nomad cryptocurrency bridge platform suffered a security breach on Monday after an attacker exploited a vulnerability in the platform and stole millions of US dollars across various cryptocurrencies. Making matters worse, as news of the hack became public, other threat actors also began exploiting the same bug, leading to currently-estimated losses of more than $190 million. As the Web3 Is Doing Great portal pointed out, "some didn't seem to think through the consequences of using wallets tied to their real-life identities to exploit the vulnerability."