Srsly Risky Biz: Thursday, August 19

A Shared PrintNightmare

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

A Shared PrintNightmare

Multiple ransomware gangs are exploiting Microsoft's PrintNightmare bug.

There's confusion about what exactly PrintNightmare is, but in June, July and August a series of bugs were discovered relating to Windows printing functions and services that allowed either local or remote privilege escalation.

One group, known as Vice Society, targets small or midsize organisations. Another called Magniber focused on South Korean victims. The Conti ransomware group incorporated exploitation of PrintNightmare into its technical manuals.

In the case of Conti, their technical instructions were based on a GitHub proof-of-concept. They did at least go to the effort of changing "-NewUser" from "john" to "HACKER" and "-NewPassword" to "FxxKER". Given that other PoCs were accidentally leaked, it's possible or even likely that other groups took advantage of publicly available exploit code.

This is to be expected given trends in cyber crime towards big game hunting (targeted attacks on organisations able to pay large ransoms) and increasing specialisation across the cyber crime ecosystem.

Taken together, these trends make it both easier and more lucrative for ransomware crews to adapt new techniques as they are discovered.

In this menagerie of crime -- involving initial access brokers, affiliates and ransomware-as-a-service operators -- each actor focusses on their own niche and can hone their skills and tools rather than needing to build and maintain skills across the entire ransomware enterprise. Thus, affiliates are highly incentivised to take advantage of new techniques as they are discovered.

The Conti ransomware group technical manuals (leaked in early August) included information on PrintNightmare, describing it as "...fresh, but already sensational. We use it until we shut it down. CVE-2021-34527 allows you to create a local administrator, useful if an agent arrived with the rights of a simple user".

For Microsoft and its customers, PrintNightmare has been a rolling fiasco. After initial disclosure Microsoft released a hotfix that only partially solved the problem. Microsoft then published a "full" fix (by requiring admin privileges for driver installation), only to admit to the existence of another local privilege escalation print spooler vulnerability the next day that is yet to be patched. Microsoft's very practical mitigation is to disable the print spooler.
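As an added example (not from the newsletter or from Microsoft), here is a defender-side audit of the two mitigations the paragraph mentions: whether the spooler is running, and whether driver installation has been restricted to administrators via the documented RestrictDriverInstallationToAdministrators registry value. It assumes an elevated PowerShell session; the -Disable switch is a hypothetical convenience for hosts that do not need to print.

```powershell
# Audit (and optionally apply) the PrintNightmare mitigations discussed above.
# Assumes an elevated PowerShell 5.1+ session on the host being checked.
function Test-PrintNightmareMitigation {
    param([switch]$Disable)   # hypothetical switch: stop and disable the spooler

    $spooler = Get-Service -Name Spooler
    $pnpKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

    # Value 1 means only administrators can install printer drivers (Microsoft's
    # post-July hardening). A missing value is treated as "not restricted".
    $restrict = (Get-ItemProperty -Path $pnpKey `
        -Name RestrictDriverInstallationToAdministrators `
        -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators

    $report = [pscustomobject]@{
        Host                       = $env:COMPUTERNAME
        SpoolerStatus              = $spooler.Status
        SpoolerStartType           = $spooler.StartType
        DriverInstallAdminOnly     = ($restrict -eq 1)
        ExposedToPrintNightmare    = ($spooler.Status -eq 'Running' -and $restrict -ne 1)
    }

    # The "very practical mitigation": on servers that never print
    # (domain controllers especially), stop the service and keep it off.
    if ($Disable -and $spooler.Status -ne 'Stopped') {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        $report.SpoolerStatus    = 'Stopped'
        $report.SpoolerStartType = 'Disabled'
        $report.ExposedToPrintNightmare = $false
    }
    return $report
}

# Report only; add -Disable to apply the mitigation on hosts that do not print.
Test-PrintNightmareMitigation | Format-List
```

Run it across a fleet with Invoke-Command to find hosts where ExposedToPrintNightmare is still true.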

There are at least two lessons here.

Firstly, do better, Microsoft. A string of vulnerabilities requires a concerted effort rather than another half-assed patch that mitigates rather than fixes. Local privilege escalation bugs are a significant step to total network control, especially when initial access to an organisation can be bought.

Secondly, part of the reason that criminal networks have become more effective is increasing specialisation and division of effort. In the last month we have seen reports of even more specialised services covering malware distribution ("Cloudflare for crime"), phishing, and traffic proxying being provided as services to other cyber criminals. This division of labour makes criminals more effective, but also opens potential avenues for disruption.

We expect ransomware crews will only become more agile over time. Their use of the PrintNightmare bug -- and earlier use of various edge-of-network device vulnerabilities -- shows us that we can't be complacent anymore. If there's an opening, they'll move to fill it, and quickly.

We can't Cyber the Nazis Away

There's a new transnational terrorism threat bearing down and it's one we can't use cyber tools -- SIGINT or disruption -- to counter.

An investigative report from Melbourne's The Age newspaper describes the inner workings of an Australian neo-Nazi organisation, the National Socialist Network. The group attempts to practice decent operational security (OPSEC), using encrypted messaging apps to communicate and systematic procedures to vet new members.

The ultra-nationalist threat is on the rise, globally. On the same day The Age report was published the US Department of Homeland Security issued a terrorism threat summary highlighting the threat posed by "racially or ethnically motivated violent extremists". ASIO, Australia's internal security organisation, has reported that nearly half of its onshore counter-terrorism caseload now focusses on racists and nationalists, and the UK head of MI5 has also warned of the rise of racist and neo-fascist groups.

The threat posed by these groups is, in some ways, similar to the threat posed by ISIS. But the response will have to be different.

Cyber agencies played a major role in countering ISIS. US, UK and Australian organisations, for example, were all involved in disrupting ISIS propaganda efforts and infrastructure. And the cyber operations often extended beyond intelligence collection to other operations: like disrupting ISIS recruitment and supporting the use of lethal force in Syria.

Obviously we won't see the Australian military staging drone strikes on the Grampians anytime soon, which begs the question: If domestic extremists are a problem should we bring the capabilities of these agencies to bear?

In short, no.

The 5-Eyes organisations that ran operations against ISIS all have a foreign focus. Their capabilities and their legal authorities are optimised for overseas operations and the intelligence collection organisations are built to collect foreign intelligence at scale. The fight against ISIS had a significant overseas element that simply isn't present when countering domestic extremists.

Cyber operations give governments options when they don't have physical access to or control of a jurisdiction. That doesn't apply here.

As for domestic agencies, countries generally have a process to classify groups as terrorist organisations. The US can only designate foreign organisations, but the Australian, Canadian, UK and New Zealand processes can proscribe domestic terrorist organisations.

The exact effects of being listed as a terrorist organisation vary across jurisdictions, but generally speaking being listed is bad news. Belonging to or supporting listed organisations is criminalised and group assets are frozen. New Zealand has even listed Brenton Tarrant, the individual responsible for the Christchurch massacre, as a terrorist entity. Being president of his fan club could get a little dicey. Maybe even just being in his fan club would be enough.

Being defined as a terrorist organisation also generally makes criminal prosecution easier -- an offence can be established by proving a link to a listed organisation, rather than proving a link to terrorism from first principles. Being proscribed doesn't unlock extra domestic surveillance powers, although in Australia the Richardson review recommended (recommendation 45, not yet implemented) that it be possible for ministers to authorise intelligence agency warrants for Australians who were members of a listed terrorist organisation en masse rather than individually. So, no extra powers, but the paperwork gets easier.

Rather than trying to refocus cyber capabilities governments would be better off proscribing more ultra-nationalist terrorist organisations. One direct effect would be to make fundraising more difficult for these organisations. They currently use a variety of online funding platforms to solicit donations.

Given the rising threat of ideologically motivated violent extremism, it's notable that many governments list very few of these organisations. The Age reports six neo-Nazi groups have cells in Australia -- but none are listed here or in New Zealand. One is listed in the UK, and three in Canada.

The UK-based group Sonnenkrieg Division, meanwhile, has been listed as a terrorist organisation and effectively banned in Australia. Despite the designation, we don't expect ASD to "roll full SIGINT" on these guys when domestic agencies in the UK are likely to have a close eye on the group and its members. And herein lies the difference between countering the ISIS threat and the Nazi threat -- this threat isn't being orchestrated and directed by string pullers operating from a lawless war zone. This threat is much more homegrown.

We predicted something... that's already happening

In last week's issue we covered the changing landscape of legal privilege in incident response (IR), suggesting some organisations might start doing report-free incident investigations to avoid said reports being used by plaintiffs in lawsuits.

Apparently this is already happening -- there is a significant trend away from the production of formal reports.

As long as the incident response appears to be competent -- or at least not negligent -- the absence of a formal report is not material. You had a problem, but now it is fixed. Voila, nothing to see here!

We think this is a shame. We'd like to see these reports made public more often. A continuing lack of transparency means that firms cannot learn from each other and will continue to make the same mistakes.

Kiteworks a Low Altitude Flier

Risky Business co-host Adam Boileau and his team have published research into the Accellion Kiteworks "secure" file sharing platform.

Kiteworks is the replacement for the end-of-life Accellion File Transfer Appliance (FTA). Accellion's FTA had a host of SQLi, command injection and SSRF flaws which were exploited worldwide by criminals to steal sensitive files that were then held to ransom via threat of publication.

Adam and co discovered that Kiteworks also has a bevy of vulnerabilities allowing an authenticated user to escalate to remote root control of the Kiteworks host.

Despite using an entirely new codebase, Accellion's new and improved product still had some problems. Still, exploitation required a little bit of fancy footwork in this case, so at least they'd fixed all the truly dumb stuff.


Million Dollar Porky Pies

British education company Pearson settled with the US Securities and Exchange Commission for USD$1 million for lying to investors about a data breach. Pearson knew a significant data breach had occurred but deliberately didn't announce it until a journalist started asking them about it.

Conveniently for us, the SEC press release and associated cease and desist order act as a handy translator of prior statements made by Pearson:

  • Hypothetical data privacy risk = data has already been stolen
  • May include dates of birth and email addresses = definitely includes those and also usernames and hashed passwords too
  • "Protecting our customers' information is of critical importance to us" = we don't patch critical vulnerabilities, or at least not in the first six months

Use this authoritative cheat sheet on some of the breach notifications you've received -- they make for sobering reading when translated.

Corellium vs Apple. Round 3. Fight!

Apple is appealing the dismissal of the copyright infringement portion of its lawsuit against Corellium, maker of iOS virtualisation software, after last week settling claims that Corellium's products were violating the Digital Millennium Copyright Act's prohibition on circumventing copy protection measures.

The original ruling (on the non-DMCA part of the case) was entirely sensible. Corellium's products don't compete with Apple's -- they are genuinely transformative and allow customers to conduct security research that can't be done with stock iOS devices.

This is also relevant to Apple's plans to implement on-device scanning of Child Sexual Abuse Material (CSAM). Apple claims researchers can examine how the feature is implemented and independently check that it works as advertised. In practice, however, Apple makes it deliberately difficult to inspect how their devices work. Encouraging researchers to verify their claims then suing the one company that can enable that strikes us as somewhat duplicitous. Pat Howell O'Neill has a good piece up on this.


The BlackBerry QNX Real Time Operating System (RTOS) has an integer overflow vulnerability, one from the "BadAlloc" family of memory allocator bugs that affect many RTOSs. QNX is used in numerous potentially safety critical applications including in cars (more than 175 million of them!), medical devices, industrial control systems and aerospace applications.

RTOSs are everywhere, performing critically important functions. Let's hope they get fixed. Meanwhile, watch out for shady people trying to plug in to the USB port in your Toyota's head unit.

Rate My Bitcoin

Criminals can now use the Antinalysis Tor site to check how "clean" their cryptocurrency addresses are and whether they will be flagged by law enforcement as being suspicious. This may indicate increasing criminal concern about the traceability of cryptocurrencies, but we applaud the enterprise exhibited by the person(s) running the service. It appears that Antinalysis is just a rebranded version of AMLBot, which has been around since 2019. AMLBot, in turn, is a reseller for analytics company Crystal Blockchain, which looks like it might actually be a legitimate AML tech firm. Anyone with insight on this feel free to email us.

Twice is a Trend?

The SynAck ransomware group has released its decryption keys after shutting down previous operations as it rebrands to El_Cometa. The Avaddon group also released keys when it shut down its operation in June, so perhaps this is a trend. If rebranding is part of an effort to avoid law enforcement attention it may make sense to release keys to start with a clean slate.

A Little e2ee Between Friends

Facebook announced increased options for end-to-end encryption in Messenger. Voice and video chats can now (optionally) be end-to-end encrypted. Facebook also announced it will start rolling out end-to-end encrypted group chats and calls -- but only for pre-existing relationships. This tries to give people the privacy benefits of encrypted messaging while not at the same time making it absurdly easy for sick and twisted people to find each other.

Dissidents Stalked by Shady JS

A Chinese watering hole operation is collecting a lot of details about potential dissidents. A JavaScript framework called Tetris inserted into independent blogs critical of the Chinese government assesses all visitors.

This is almost certainly a Chinese operation designed to identify individuals that are critical of the government.