Srsly Risky Biz: Thursday April 7

Is Cyber Command about to be hobbled?

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

We Cannot Allow an Embuggerance Gap

As first reported in Cyberscoop, the Biden administration is reviewing the Trump-era policy that gave US Cyber Command (USCYBERCOM) greater freedoms to pew pew their cyber operations without White House approval.

The policy in question, National Security Presidential Memorandum-13 (NSPM-13), is classified, although The Washington Post reported the intent of the policy was to remove procedural barriers to the authorisation of offensive cyber operations. In other words, it would give DoD personnel greater freedom to fire their pew pew cyber cannons without jumping through a series of very complicated, bureaucratic hoops.

The policy that preceded NSPM-13 was President Obama's Presidential Policy Directive 20, aka PPD-20. Former USCYBERCOM General Counsel Gary Corn described PPD-20 as "a process that was notorious for reinforcing indecision".

NSPM-13 was released in 2018, and together with that year's National Defense Authorization Act it clarified both the process and the authorities for USCYBERCOM to conduct offensive cyber operations. In contrast to PPD-20, Senator Angus King and House Representative Mike Gallagher, co-chairs of the Cyberspace Solarium Commission, described NSPM-13 as "a more agile process" that enabled USCYBERCOM to disrupt Russian cyber-enabled interference in US elections in both 2018 and 2020.

USCYBERCOM has even extended its operations beyond state adversaries to target ransomware crews. And despite this much more liberal oversight, there haven't been any publicly reported USCYBERCOM snafus that have resulted in unwanted escalation or international incidents.

So, if NSPM-13 isn't broken, why is the White House trying to fix it?

Robert Chesney, Associate Dean at the University of Texas School of Law and co-host of the National Security Law Podcast, told Seriously Risky Business there are several possibilities.

One is that a review is simply a response to the move-fast-and-break-things style of the Trump administration. As in: Trump did it, so it's probably sketchy. But it's also possible that the process for weighing competing agency interests under NSPM-13 wasn't so much streamlined as jettisoned. "Cyber operations are risky, and involve a lot of competing equities that we are just trying to balance," Chesney says. Thus, a review might make sense.

However, Chesney points out that although NSPM-13 is classified, there is evidence that interagency coordination still takes place; it just seems to be run out of the Department of Defense (DoD) rather than the National Security Council. For example, in 2018 Brig. Gen. Alexus Grynkewich, deputy director for global operations on the Joint Staff, told Breaking Defense "you still have to do interagency coordination, but it’s not through a National Security Council process. Instead it’s through a DoD process. It seems like a minor distinction, but it makes all the difference in the world in terms of the speed we need to move."

Umm, well, yes. It makes sense that when you are in charge of the process you get to do things faster. You can just ignore, for example, State Department concerns about the sovereignty of third parties. But that doesn't mean that those concerns are illegitimate or go away.

Another factor is that there are now more senior officials in White House cyber roles.

Chris Inglis is in the National Cyber Director position and Anne Neuberger is the Deputy National Security Advisor for Cyber and Emerging Technology. And just this week the State Department established its Bureau of Cyberspace and Digital Policy. Given the cyber security vacuum in the previous administration, Chesney thinks it's "perfectly reasonable" that these positions have an interest in these kinds of potentially high-impact cyber operations. Perhaps interagency vetting is being coordinated in the wrong place?

Chesney also thinks NSPM-13 may carry risks in delegating too much authority to DoD for operations that are destructive and therefore potentially escalatory. "Are we talking about defending forward (defensive operations outside of DoD networks), or disruptive or even destructive operations that could be escalatory?"

In this case, the review could be about potential risk and "anticipating a shoe that hasn't yet dropped, but will be a problem if we don't [anticipate it]".

Given current tensions over the invasion of Ukraine, USCYBERCOM activities countering Russian activity are likely "at a fever pitch and surely, right now, we want Cyber Command to be nimble," Chesney says. Yet at the same time, those tensions mean we don't want to accidentally escalate the situation somehow.

In their letter this week to President Biden, Senator King and Representative Gallagher both strongly supported NSPM-13, writing:

Any effort to alter and possibly weaken NSPM-13 signals to our adversaries a lack of credible willingness to use offensive cyber capabilities which undermines the credibility of our deterrent.

…we urge in the strongest possible terms that you do not alter the existing processes and policies that allow for an agile, effective planning process for the conduct of offensive cyber operations — the security of our national critical infrastructure may very well depend upon it.

We agree, although we think the main value in offensive cyber operations is that they simply make things harder for adversaries. They're about embuggerance, not deterrence.

Given the creation of senior cyber leadership positions in the White House, reviewing NSPM-13 probably makes sense. But it's vital that any changes to the policy are about frustrating the adversary, rather than frustrating USCYBERCOM.

Serious Crypto Clampdown Continues

Governments are aligning their efforts and using more tools in the fight against illegal cryptocurrency activities, and they're actually getting somewhere.

On Tuesday, the German Federal Criminal Police (the Bundeskriminalamt), in coordination with U.S. law enforcement, shut down the Russian-language Hydra Market, seizing its servers and Bitcoin wallets containing USD$25m of cryptocurrency. The US DoJ also announced criminal charges against Russian Dmitry Olegovich Pavlov for his role in administering Hydra's servers.

Hydra was the world's largest darknet market, and its vendors sold hacking tools and services, illegal drugs and fake IDs. Since late 2015 the marketplace has facilitated over USD$5bn in Bitcoin transactions, including USD$1.3bn in 2020 alone.

The US Department of Justice's press release was also at pains to highlight US domestic cooperation: the IRS, FBI, DEA, Homeland Security, and US Postal Inspection Service all got a mention for being involved.

The US Treasury Department also got involved and sanctioned the Hydra Market. This is new, but also makes perfect sense — a range of money laundering services were available on the Hydra Market from vendors and Hydra itself offered an in-house mixing service.

It is clear that financial sanctions are now part of the standard toolset that will be used against cryptocurrency businesses that facilitate illegal activity. In the same press release Treasury also announced the sanctioning of the Garantex virtual currency exchange, which was originally registered in Estonia but today mostly operates in Moscow and St Petersburg. It's clear that Garantex isn't a responsible player — it continues to operate despite losing its Estonian licence to provide virtual currency services.

The sanctions are just one more example of the extension of state power into the cryptocurrency space. In early March, President Biden issued an executive order to establish a federal strategy for digital assets and on 31 March European politicians voted in favour of draft legislation to extend conventional anti-money laundering requirements to crypto assets. According to the European Parliament announcement, the proposed law's aim is "to ensure crypto-assets can be traced in the same way as traditional money transfers". The proposed laws remove minimum transaction thresholds for reporting because the "speed and virtual nature [of] crypto-asset transactions easily circumvent existing rules based on transaction thresholds". This effectively outlaws anonymous transactions, no matter how small.

But criminals and rogue states (looking at you, North Korea) haven't yet got the memo and are still making hay while the sun shines.

In March this year nearly USD$600m of cryptocurrency was stolen from the Axie Infinity game's Ronin sidechain, a private Ethereum-based blockchain. In addition to the amount stolen, this theft is notable because the attackers didn't just find a flaw in some sort of smart contract – they compromised a small number of "validator nodes" to pull off the heist.

The Ronin sidechain only had nine validator nodes in its network and the thieves managed to compromise the private keys for five of them, enough to forge transactions with a five of nine validation threshold. In the short term Ronin is moving to an eight of nine validator threshold and adding more validators from different organisations. Will it be enough? Who knows! Stay tuned to find out! Probably not! Lol!
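The threshold logic behind this failure, as an added example that is not Ronin's or Sky Mavis's code: a simplified bridge-side withdrawal check with a k-of-n validator threshold, run with five compromised keys against the old 5-of-9 and the new 8-of-9 thresholds, plus an organisation-diversity requirement that goes beyond what the article describes. HMAC-SHA256 stands in for the real signature scheme, and the validator names, secrets and organisation labels are constructed.

```python
import hmac
import hashlib

# Constructed validator set: nine validators, as on the Ronin sidechain, each
# with a per-validator secret standing in for its real signing key and an
# organisation label. The organisation labels are hypothetical, not Ronin's.
VALIDATORS = {
    f"v{i}": {"key": f"constructed-secret-{i}".encode(), "org": org}
    for i, org in enumerate(
        ["Org A"] * 5 + ["Org B", "Org C", "Org D", "Org E"], start=1)
}


def sign(validator: str, message: bytes) -> bytes:
    """HMAC-SHA256 stands in for the validator's signature scheme."""
    return hmac.new(VALIDATORS[validator]["key"], message, hashlib.sha256).digest()


def valid_signers(message: bytes, signatures) -> set:
    """Distinct validators whose signature over `message` verifies.
    A set is used so a repeated signature from one compromised key counts once."""
    return {
        v for v, sig in signatures
        if v in VALIDATORS and hmac.compare_digest(sign(v, message), sig)
    }


def approve_withdrawal(message: bytes, signatures, threshold: int,
                       min_orgs: int = 1) -> bool:
    """Bridge-side check: at least `threshold` distinct valid signers, drawn
    from at least `min_orgs` distinct organisations."""
    signers = valid_signers(message, signatures)
    orgs = {VALIDATORS[v]["org"] for v in signers}
    return len(signers) >= threshold and len(orgs) >= min_orgs


def simulate_heist(compromised, threshold: int, min_orgs: int = 1) -> bool:
    """Would an attacker holding `compromised` keys get a forged
    withdrawal past the bridge? (constructed withdrawal message)"""
    msg = b"withdraw <AMOUNT> to <ATTACKER_ADDRESS>"
    forged = [(v, sign(v, msg)) for v in compromised]
    # Replaying one key's signature twice must not inflate the count.
    forged.append(forged[0])
    return approve_withdrawal(msg, forged, threshold, min_orgs)


if __name__ == "__main__":
    five = ["v1", "v2", "v3", "v4", "v5"]
    print("5 of 9, threshold 5:", simulate_heist(five, 5))
    print("5 of 9, threshold 8:", simulate_heist(five, 8))
    print("5 of 9, threshold 5, 3 orgs:", simulate_heist(five, 5, 3))
```

Raising the threshold only helps while the attacker holds fewer keys than the new threshold; requiring signers from several independent organisations raises the number of separate compromises needed.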

Ars Technica has an excellent description of the hack and how Sky Mavis, the makers of Axie Infinity, came to develop its own crypto asset system to track ownership of in-game items. (I guess they'd never heard of a database).

The Axie Infinity incident made a splash due to its size, but there's a constant flow of other significant but not as spectacular cryptocurrency thefts hitting the news. Here's a sampling from the last few weeks:

  • Nearly USD$5m was stolen from decentralised lending platform Ola Finance. The thieves used a re-entrancy attack in which loan collateral was returned even though the borrowed funds were not repaid.
  • A Mailchimp breach targeting accounts in the cryptocurrency and finance sectors appears to have been used to launch subsequent phishing attacks.
  • A North Korean group is distributing a trojaned version of the DeFi Wallet app. (They do this sort of thing all the time.)

Of course, increasing government focus will take time to have an effect, but we think the coordination of law enforcement efforts with sanctions actually does signal the beginning of the end — criminals will find it increasingly difficult to convert ill-gotten cryptocurrency into cash.

Pushback on Spring4Shell Hype Actually Went Too Far

A 0day RCE vulnerability in the open source Spring Java framework was discovered and patched, but the hype cycle on this one has been all over the place.

The vulnerability, known as Spring4Shell or SpringShell, was initially compared to Log4Shell as it is a vulnerability in a widely used Java framework. It is less impactful than Log4Shell — it's not as widespread and has some prerequisites that aren't defaults — but this is still a very serious bug.

So there was initial hype, then a backlash to the hype, and now it's wound up underhyped.

Like Log4Shell, this bug will show up in vendor kit. VMware has already pushed patches for some of its products, and we suspect that's because the company is currently hyper-vigilant about these sorts of bugs in upstream libraries after its horrible experience with Log4Shell. But what about other vendors? Are they even looking?

CISA has added Spring4Shell to its catalogue of exploited bugs. This week's Risky Business podcast has a good discussion about Spring4Shell from 2:45, so go have a listen if you'd like to know more.

Three Reasons to be Cheerful this Week:

  1. Cyber budgets bulge: the Australian government is literally doubling down on cyber capabilities, with the Australian Signals Directorate (Australia's NSA) set to double in size over the next 10 years. In the longer term this will result in a pipeline of experienced professionals, but in the short term it will make the talent pool look even thinner. The proposed US budget for the coming fiscal year also proposes large cyber security spending rises.
  2. Operation Eagle Sweep: The FBI and international partners arrested 65 suspects in the US and overseas in Operation Eagle Sweep. The suspects, who were in the US, Canada, Cambodia, South Africa and Nigeria, are alleged to be BEC fraudsters responsible for targeting over 500 US victims and stealing over USD$51m.
  3. Cyclops Blink: The US Department of Justice announced its disruption of the Cyclops Blink botnet by disabling its command and control infrastructure. Cyclops Blink is run by a group known as Sandworm or Sofacy, previously attributed to the Main Intelligence Directorate of the General Staff of Russia’s Armed Forces (the GRU). The FBI obtained court authorisation to remove malware from machines used for Cyclops Blink's C2 communications.

Save Time with a Risky.Biz Product Demo

Risky Business is publishing sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors.

In our latest demo, Devicie CEO Martin McGregor shows Patrick Gray how Devicie manages devices from initial provisioning through to default application installation, patch management and OS updates.

You can subscribe to our product demo page on YouTube here.


Bad Take-apalooza

This newsletter exists to educate policymakers, so sometimes we feel compelled to speak out when we see analysis we disagree with.

A Foreign Affairs piece by NATO cyber and intelligence boffins David Cattler and Daniel Black argues that "cyber-operations have been Russia's biggest military success to date in the war in Ukraine".

The pair argue broader Russian military failures left them unable to capitalise on these successful cyber operations and cite the Viasat disruption and several wiper attacks as examples of "real-world impact".

At Risky Biz HQ we don't think Russia's cyber campaign can be called successful. Even if the traditional military invasion campaign were effective, these cyber operations wouldn't have supercharged the campaign. You can't just declare a cyber campaign to be a success without explaining how it could have made a broader military campaign more effective.

Another bad take: ASD Director-General Rachel Noble has told The Sydney Morning Herald Russian cyber operations in Ukraine might have been deterred by the possibility of Western cyber retaliation. Lol, probably not, hey.

While Russia may be deterred from destructive operations by the possibility of even more stringent financial or economic sanctions, offensive cyber operations simply don't cause enough pain to deter other states. It's not "mutually assured deterrence", so much as mutually assured discomfort.

Triton/Trisis Hackers Indicted

The US Department of Justice unsealed indictments against four Russian government officials accused of hacking energy companies worldwide. One of the four, Evgeny Viktorovich Gladkikh, is accused of being involved in the attempted destructive attack on a Saudi Arabian petrochemical plant.

Gladkikh worked for a Russian state scientific research centre (TsNIIKhM) in its Applied Development Centre (ADC). The TsNIIKhM organisation has been sanctioned by the US government, along with Gladkikh, TsNIIKhM's Director and the Chief of the ADC where Gladkikh worked.

Viasat Hack Explained

The (likely) methods used in the Russian Viasat attack are becoming clear. A statement from Viasat and research from SentinelOne and Ruben Santamarta all dovetail nicely.

Viasat found a misconfigured VPN was used to gain remote access to its network, which was then used "to execute legitimate, targeted management commands on a large number of residential modems simultaneously". These "destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable".

Santamarta thinks that the TR069 protocol, used to manage customer premises equipment, was used to upload and run a wiper executable. The protocol has functionality that can be used to upload and run arbitrary binaries without any verification because yolo, amirite?

Meanwhile, SentinelOne dug some new wiper malware it calls AcidRain out of VirusTotal; it is clearly designed to wipe modems and routers. SentinelOne noted the malware had some similarity to the Russian government's VPNFilter malware, and in a statement to The Record Viasat confirmed that the AcidRain malware was used in the Viasat attack:

The analysis in the SentinelLabs report regarding the ukrop binary is consistent with the facts in our report – specifically, SentinelLabs identifies the destructive executable that was run on the modems using a legitimate management command as Viasat previously described.

So to summarise: It was Colonel Mustard in the legacy VPN abusing a dumb management command to drop a wiper.