Srsly Risky Biz: Thursday April 28

There’s been movement on data brokers, ransomware laundering

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Movement on Data Brokers, Hopefully

US lawmakers look like they will tackle the serious national security problems presented by the data broker ecosystem, but the current proposals don't go far enough.

A class-action lawsuit has been filed against Otonomo, a data broker that harvests and sells access to the location information of tens of millions of vehicles. The privacy protection mechanism described in Vice's original article on Otonomo — a pseudonymous identifier — is woefully inadequate, and it is entirely possible to identify people and track their behaviour over time. Otonomo gets data by striking deals with car manufacturers, but the lawsuit alleges that the owner of the car was not even asked for consent to be tracked.

When it comes to solving the national security problem of data brokers a class-action suit is better than nothing, but not by much. Although car location data by itself is powerful, it is just one of the smorgasbord of data types available for sale and could be replaced by, for example, location data from an app. Last year this newsletter described how a priest was identified using 'anonymous' data from the Grindr dating app, and this week The Intercept reported that US-based company Anomaly Six demonstrated its technology by tracking and deanonymising NSA and CIA employees down to their home addresses using commercially available data sets.
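The reason a pseudonymous identifier does so little for location data is that the identifier only needs to be stable, not meaningful, for a buyer to link a vehicle's reports across days and read off where it spends every night. The following is an added example (not code from the newsletter, Otonomo or Vice) using constructed position reports and fictional coordinates: it pseudonymises the same trace two ways and runs the linkability check a privacy reviewer would run before releasing such a data set. All names (`REPORTS`, `infer_home_cells`, `linkability_report`) are this example's own.

```python
"""Why a persistent pseudonym does not anonymise a location trace.

Added example, not from the newsletter: constructed vehicle position
reports are 'anonymised' with (a) a persistent salted hash of the vehicle
id and (b) a token that rotates daily, then checked for cross-day
linkability by looking for a recurring night-time parking cell.
"""
import hashlib
from collections import defaultdict

# Constructed sample data: (vehicle id, day, hour, lat, lon).
# Coordinates are fictional. Each car parks at the same spot most nights.
REPORTS = [
    ("VIN-A", 1, 2, 51.5001, -0.1201), ("VIN-A", 1, 9, 51.5300, -0.0800),
    ("VIN-A", 2, 3, 51.5002, -0.1200), ("VIN-A", 2, 18, 51.5100, -0.0900),
    ("VIN-A", 3, 1, 51.5001, -0.1202), ("VIN-A", 3, 12, 51.5450, -0.0700),
    ("VIN-B", 1, 2, 51.4500, -0.2000), ("VIN-B", 1, 10, 51.5300, -0.0800),
    ("VIN-B", 2, 2, 51.4501, -0.2001), ("VIN-B", 2, 14, 51.5100, -0.0900),
    ("VIN-B", 3, 23, 51.4500, -0.2002), ("VIN-B", 3, 16, 51.5450, -0.0700),
]

NIGHT_HOURS = range(0, 5)  # 00:00-04:59: a parked car is usually at home


def cell(lat, lon, decimals=3):
    """Snap a coordinate to a ~100 m grid cell so nearby parks compare equal."""
    return (round(lat, decimals), round(lon, decimals))


def persistent_pseudonym(vehicle_id, day, salt):
    """Salted hash of the id: the same vehicle gets the same token every day.
    The `day` argument is ignored; that is exactly the weakness."""
    return hashlib.sha256(salt + vehicle_id.encode()).hexdigest()[:12]


def per_day_pseudonym(vehicle_id, day, salt):
    """Token that changes daily, so rows from different days cannot be joined."""
    return hashlib.sha256(salt + f"{vehicle_id}:{day}".encode()).hexdigest()[:12]


def pseudonymise(reports, scheme, salt=b"constructed-salt"):
    """Replace the vehicle id with a token produced by `scheme`."""
    return [(scheme(vid, day, salt), day, hour, lat, lon)
            for vid, day, hour, lat, lon in reports]


def infer_home_cells(pseudo_reports, min_nights=2):
    """Linkability check: for each token, the grid cell it occupies at night
    on at least `min_nights` distinct days. Every token that gets a result is
    a person whose home a data buyer could locate from the 'anonymous' feed."""
    nights = defaultdict(lambda: defaultdict(set))  # token -> cell -> {days}
    for token, day, hour, lat, lon in pseudo_reports:
        if hour in NIGHT_HOURS:
            nights[token][cell(lat, lon)].add(day)
    homes = {}
    for token, cells in nights.items():
        best_cell, days = max(cells.items(), key=lambda kv: len(kv[1]))
        if len(days) >= min_nights:
            homes[token] = best_cell
    return homes


def linkability_report(reports):
    """Count how many tokens leak a home cell under each scheme."""
    return {
        "persistent": len(infer_home_cells(pseudonymise(reports, persistent_pseudonym))),
        "per_day": len(infer_home_cells(pseudonymise(reports, per_day_pseudonym))),
    }


if __name__ == "__main__":
    print(linkability_report(REPORTS))  # {'persistent': 2, 'per_day': 0}
```

The per-day token only removes the cross-day join; a single day's trace still runs from a night-time location to a daytime one, so rotation must be combined with spatial coarsening, trip truncation near the endpoints, or release of aggregates rather than rows. The check above is the kind of test that should fail a release before the data reaches a broker, not after a lawsuit.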

Given the data is available for a price, there is every reason to fear that adversary countries may already have these kinds of capabilities. After all, Chinese cyber espionage groups have already sought out bulk US data sets (see breaches at OPM, Equifax, health insurance company Anthem, Marriott and United Airlines). They have demonstrated the intent to acquire this data, but is hacking easier or cheaper than buying it?

Various legislation has been proposed, with more coming, but we worry that these proposals are all too narrow. All of them focus to a greater or lesser degree on restricting the sale and export of data once it has been created and collated, but the real game is in preventing the collection and collation of the riskiest data in the first place. In his report Data Brokers and Sensitive Data on US Individuals, Justin Sherman, of the Duke University Sanford Cyber Policy Program, recommends (among other things):

The U.S. Congress should also make data brokerage a central part of robust federal privacy legislation that establishes rules around and implements restrictions on the private collection, aggregation, sale, licensing, and sharing of U.S. individuals’ data — including placing limits on federal government purchasing of data broker data and giving the Federal Trade Commission further authority to investigate unfair and exploitative data broker practices and use of data broker data by other firms.

We agree. But achieving this involves more than just banning sales to 'bad' countries.

Risky Business Has Launched a News Service

Prolific infosec journalist Catalin Cimpanu is now working with us here at Risky Business. He's publishing a cybersecurity news newsletter three times a week which you can subscribe to here. There is also a podcast version of the newsletter which you can subscribe to via RSS here. (Apple Podcasts links are coming soon.) Welcome on board, Catalin!

Russian Ransomware Crews Down But Definitely Not Out

Research by Flashpoint has found the Russian invasion of Ukraine is making it more difficult for Russian cybercriminals to launder funds. This is partly due to Western sanctions, but also to Russian capital controls and the takedown of Hydra Market. In addition to being a dark web marketplace, Hydra also offered cryptocurrency laundering services. "Prior to the takedown, the market was emerging as a hub of cash-out services, a reaction to increased KYC and AML requirements of cryptocurrency exchanges," Flashpoint's report says.

Flashpoint has seen criminals exploring other potential money transfer techniques. These include the use of P2P cryptocurrency exchanges (presumably in an attempt to obfuscate the movement of funds), using Russian banks that aren't being sanctioned or banks in countries not participating in US sanctions, and using the Chinese UnionPay card system. Other criminals suggest holding cryptocurrency rather than immediately trying to cash out. All of these alternatives have various drawbacks and there doesn't yet seem to be a clear way for Russian cybercriminals to move their criminal proceeds.

Seriously Risky Business previously speculated (second article) that cashout difficulties combined with nationalistic fervour stoked by the war might actually result in Russian cybercriminals launching more destructive ransomware attacks. If you are not going to get paid, why not support the motherland by causing maximum damage?

So far, there is no evidence this is taking place, but it doesn't seem that ransomware has declined either. The Record's ransomware tracker shows, if anything, a slightly higher than average number of attacks and the FBI has warned of attacks on agricultural cooperatives timed to disrupt planting or harvesting.

Russian crews are proving to be pretty resilient.

The ALPHV aka BlackCat group (a Darkside/Blackmatter rebrand) is going strong, with an FBI alert indicating it has compromised at least 60 entities worldwide since appearing in November 2021.

Conti, a group that at least some expected to disappear after it suffered massive leaks because it expressed a strongly pro-Russian position, has hung around and is causing significant disruption. Since the leaks, it has struck Panasonic, US-based Snap-On Tools, and in the last week several systems owned by the government of Costa Rica, including the Ministry of Finance. The outgoing Costa Rican President Carlos Alvarado claimed the attacks were intended to destabilise the country as it transitions to a new government under President-elect Rodrigo Chaves, but we really don't think that Russian cybercriminals are all that focused on Costa Rican politics.

It also looks like some part of REvil may have (re)started operations. The Russian government arrested 14 REvil members in mid-January, but someone has resurrected REvil's leak site. The old leak site URL now redirects visitors to a new leak site which lists both old REvil victims and apparently new victims. It is not clear how REvil and the new operators are related, although the redirect implies the new operators have access to REvil's private keys.
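The inference from the redirect to the private keys follows from how addresses work on the hosting most leak sites use. The following added example (not from the newsletter, and assuming, since the newsletter does not say, that the old leak site was a Tor v3 onion service) shows that a v3 address is a pure function of the service's ed25519 public key: nobody can serve anything, including a redirect, at the old address without the matching private key. The function and variable names are this example's own; the derivation itself is the one in the Tor rendezvous v3 specification.

```python
"""Why serving a redirect at an old onion address implies holding its key.

Added example, not from the newsletter. Assumes the leak site was a Tor v3
onion service. A v3 address is base32(PUBKEY || CHECKSUM || VERSION) with
CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] and
VERSION = 0x03, so the address commits to the service key.
"""
import base64
import hashlib

VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_address(pubkey: bytes) -> str:
    """Derive the .onion hostname for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + VERSION).decode().lower() + ".onion"


def parse_onion_address(addr: str) -> bytes:
    """Validate a v3 address and return the public key it commits to.

    Raises ValueError for anything that is not a well-formed v3 address, which
    is also how a defender can reject look-alike addresses in reports."""
    if not addr.endswith(".onion"):
        raise ValueError("not an onion address")
    raw = base64.b32decode(addr[:-len(".onion")].upper())
    if len(raw) != 35 or raw[34:35] != VERSION:
        raise ValueError("not a v3 onion address")
    pubkey, checksum = raw[:32], raw[32:34]
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION).digest()[:2]
    if checksum != expected:
        raise ValueError("checksum mismatch")
    return pubkey


def same_service_key(addr_a: str, addr_b: str) -> bool:
    """True only if both addresses embed the same public key, i.e. the same
    private key is needed to answer at either of them."""
    return parse_onion_address(addr_a) == parse_onion_address(addr_b)


if __name__ == "__main__":
    # Constructed keys (not real service keys): any 32 bytes derive an address.
    old_key = bytes(range(32))
    new_key = bytes(range(1, 33))
    old_addr, new_addr = onion_address(old_key), onion_address(new_key)
    print(old_addr)
    print(new_addr)
    # Different key, different address: whoever answers at old_addr holds old_key.
    print(same_service_key(old_addr, new_addr))  # False
```

Because the address is the key, "the old URL redirects" and "the new operators have the old private key" are the same statement for an onion service; it says nothing, though, about how they obtained it, which is the open question the paragraph leaves.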

One of the new (claimed) victims is Oil India, India's second largest oil and gas company. The Economic Times reports that the attack hasn't affected operations, but IT systems have been affected and the criminals have asked for a USD$7.5m ransom. It also appears that REvil-like ransomware was used in this attack. So operators with REvil-like ransomware and access to REvil infrastructure…

Although ransomware launched from Russia doesn't appear to have diminished, ransomware crews targeting Russian organisations is now a thing. There are many, many Russian companies being breached and their data made publicly available.

Group-IB, which is at pains to call itself "a Singapore-based cybersecurity company" (i.e. is trying to disown its Russian origins), reports on a group it calls OldGremlin launching malicious email campaigns in March. Group-IB notes that since "many international providers of email security products suspended operations on the Russian market, the campaigns of OldGremlin and other threat actors that use email at the initial stage are likely to become more successful and frequent".

And malware found in Russia, 'RUransom', turns out to be a wiper despite the name. Its intent is captured in translated text that is written to a 'ransom' note:

On February 24, President Vladimir Putin declared war on Ukraine. To counter this, I, the creator of RU_Ransom, created this malware to harm Russia. You bought this for yourself, Mr. President. There is no way to decrypt your files. No payment, only damage. And yes, this is "peacekeeping" like Vladi Papa does, killing innocent civilians. And yes, it was translated from Bangla into Russian using Google Translate... (This is a direct translation.)

So deliberately destructive hacking targeting Russia is taking place. Will Russian ransomware crews adopt the same tactic out of frustration or patriotism? Let's hope not.

Inside Lapsus$

Brian Krebs has posted an interesting exploration of how the hacker group Lapsus$ operates based on leaked private Telegram chat logs. Lapsus$ was tremendously effective at breaching companies using relatively simple techniques and Krebs reports it "had exactly zero problems buying, stealing or sweet-talking their way into employee accounts at companies they wanted to hack".

MFA could still be a stumbling block, however, and Lapsus$ was stymied in attempting to hack at least one target when they couldn't convince support to modify or remove MFA settings. One strategy Lapsus$ used to overcome SMS MFA was to actively target T-Mobile employees to get access to systems that enabled easy SIM swap attacks. These attacks let Lapsus$ sidestep SMS MFA by transferring a target's mobile phone number to a device it controlled.

Three Reasons to be Cheerful this Week:

  1. USD$50m for Civil Cyber Defence: Craig Newmark Philanthropies (the Craig formerly of craigslist) has committed more than USD$50m to funding Civil Cyber Defence, "with a focus on tools and services for regular people". The Record has an interview with Newmark about the initiative and it's good to see effort aimed at everyday folk rather than just preaching to the converted.
  2. BellTroX cutout pleads guilty: Aviram Azari, an Israeli private detective operating in New York has pleaded guilty to being involved in organising hack-for-hire jobs. Reuters reports that this relates to BellTroX aka Dark Basin, an Indian firm behind hacking campaigns targeting "thousands of individuals" including "advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries". This is a strike against the hack-for-hire industry, but it looks like Azari was just the go-between for US companies, lobbying firms and lawyers. Will the entities that paid him be held to account? Azari's lawyers say he is not cooperating with the US government.
  3. That's a Lot of Vodka: The US government is offering a reward up to USD$10m for information about six GRU officers involved in various destructive critical infrastructure attacks. We suspect the target audience for these rewards is the anonymous disgruntled GRU worker drone dreaming of a more comfortable life overseas. We are sure whatever passes for a witness protection scheme would be pretty good too.

Citizen Lab and CatalanGate

Citizen Lab has a new report detailing the targeting of Catalan civil society groups using malware from Israeli spyware-for-hire companies Candiru and NSO Group. Victims included "Members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organisations" and in some cases also their family members. (Catalonia is an autonomous region in north-eastern Spain with a strong independence movement).

Strikingly, Citizen Lab says, "every Catalan Member of the European Parliament (MEP) that supported independence was targeted" either directly or through their family or close associates. It says "extensive circumstantial evidence" points to the Spanish government, which has denied involvement.

Isabel Rodríguez, Spain's Minister for Territorial Policy, denied government involvement and told Euronews "the government has nothing to hide, absolutely nothing".

The news is just in time for the European Parliament inquiry into Pegasus spyware and raises the question of what you do when a democracy misuses these capabilities. The answer, at least when it comes to Israel as a vendor, is to apply diplomatic pressure — Globes reports Israeli spyware companies are struggling as export licences disappear.

The New Yorker has a good long read on the issue with more background and colour.

On the same day it released its report, Citizen Lab also revealed it had found Pegasus infections in the UK Prime Minister's Office and the Foreign and Commonwealth Office. These seem to be confirmed by official sources, yet at the same time it appears the NCSC never tracked down the infected devices. "It's a bloody hard job," an NCSC official told The New Yorker.

Meta E2E and Human Rights

Meta has released an independent human rights assessment of Meta's implementation of end-to-end encryption (E2EE) which finds, unsurprisingly, that E2EE is on balance a good thing and shouldn't be weakened with exceptional access schemes. The assessment also recognises, however, that the rollout of E2EE comes with risks such as increased child sexual exploitation or increased criminal activity, and that there are reasonable steps that should be taken to mitigate many of these risks.

To that end, the report includes 45 recommendations covering a vast scope from specific product features to external stakeholder engagement. Some of the potentially more controversial recommendations include investigating client-side scanning techniques and using metadata analysis to identify bad actors. On the whole we think this is pretty sensible stuff, and provides many suggestions for tackling bad actors on E2EE systems without introducing exceptional access. Meta has committed to implementing most of the recommendations although it won't explore client-side scanning.

Whatever Meta does isn't the be all and end all. We can't imagine Signal — or some other E2EE players — will implement many of these measures.

The Five Eyes Russian Threat Guidebook

Five Eyes cyber security authorities have released a joint Cyber Security Advisory on Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure. It is a very nice overview of the many different groups involved in these threats and it must have taken quite some time to get the wording of various different overlapping attribution claims just right.

North Korea Hacked Axie Infinity

On 14 April the US government attributed the recent theft of USD$600m worth of cryptocurrency from the Axie Infinity game to North Korea. North Korea was initially outed by the Treasury's sanctions unit when it updated Lazarus Group sanctions with an Ethereum wallet address used in the hack. The attribution was also confirmed by the FBI. Treasury also added three more addresses to its North Korea sanction list in the last week.

The View from Ground Zero

The Record published an interview with Natalia Tkachuk, the head of Ukraine's Information Security and Cybersecurity Service, that covers Russian cyber activity throughout the war. Attacks have been constant but are becoming increasingly coordinated, and the "main purpose of the attacks is to destroy information using various data wiper malware". Tkachuk also says Russia is increasingly trying to damage critical infrastructure using cyber operations because of its relative lack of success in conventional warfare. Burn.

Phishing For Apes

The Bored Ape Yacht Club NFT project's Instagram account was hacked and used to launch a phishing attack. Victims had their crypto wallets compromised and it appears a number of virtual apes theoretically worth around USD$3m were stolen.

Also this week, malicious Google ads were used in a phishing operation that stole over USD$4m in the Terra stablecoin.