Srsly Risky Biz: Thursday February 3

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

China's Olympics App Meets Expectations. Citizen Lab Doesn't.

A Citizen Lab report into the official Beijing Winter Olympics app has triggered a flurry of over-the-top news articles about privacy risks to those attending the games. It's true there are risks to the privacy and digital security of games attendees, but a poorly constructed event app is pretty low on the list of things to worry about.

The My 2022 app provides a wide range of functions including voice and text chat, weather updates, translation services, navigation and Covid-19 health monitoring. According to Citizen Lab's report, installation of the app is "mandated" for attendees. Other reputable sources say attendees can use a web portal to submit their health information if they don't want to install it on their device. So… not mandatory.

As for the flaws, Citizen Lab found My 2022 fails to validate SSL certificates, which potentially allows person-in-the-middle attacks to harvest sensitive data from victims or send them spoofed messages. Additionally, Citizen Lab found that some message metadata was sent unencrypted, including account identifiers and sender and receiver names.

These don't seem like 'devastating flaws' to us — more like flaws that could well be present in any mobile app. Unfortunately, the report reads as if Citizen Lab needed to find gotchas  to justify its analysis work. "Beijing Olympics App Meets Expectations" is not a catchy headline.

To be clear, at least some Olympic attendees (athletes, delegates, journalists) are potential targets and these are flaws that would be fixed in an ideal world.

In the past Olympic athletes, and indeed the Winter Olympics themselves, have been targeted by state-sponsored groups, notably the Russian military intelligence agency the GRU. These operations seem to have been motivated by a desire to retaliate after Russia's state-sponsored athlete doping program was exposed.

However, Recorded Future speculates that these Olympics may be somewhat 'protected' from state meddling by China's relatively close relationships with the usual suspects (Russia, Iran and North Korea).

Regardless, the My 2022 app itself doesn't make the risk of state interference significantly worse. It makes more sense from an attacker's point of view to try to breach the centralised databases where athlete information is stored rather than trying to spoof an app. These databases are already under Chinese government's control, so we do wonder why they'd try to hack their own app to collect information they can just look up. And it would be a brave Russian who'd wander through the Olympic village spoofing malicious wifi access points to collect information of limited intelligence value.

A different, legitimate concern, at least for some officials and athletes, is how the Chinese government itself will treat their data. Unfortunately for them, giving the Chinese government at least some sensitive information is part of the price of entry to the games and whether the My 2022 app is secure or not makes no difference whatsoever.

It's also worth mentioning that the Chinese government does have legitimate reasons to ask for more than the usual amount of personal and medical data. After all, these Olympics are being held during a pandemic and trying to keep the games Covid-free will require more information than normal.

Visitors will be surveilled while at the games, above the 'normal' baseline level of Chinese surveillance. The Beijing Olympics is implementing a 'closed loop' system to isolate participants from the general public and vice versa, in a bid to protect the viability of China's zero-Covid strategy. Anyone who tries to jump the Olympic village fence to do some sightseeing may find themselves in trouble.

Citizen Lab's report did contain some interesting findings. The app apparently contains an inactive censorship keyword list.

Bundled with the Android version of MY2022, we discovered a file named “illegalwords.txt” which contains a list of 2,442 keywords generally considered politically sensitive in China. However, despite its inclusion in the app, we were unable to find any functionality where these keywords were used to perform censorship. It is unclear whether this keyword list is entirely inactive, and, if so, whether the list is inactive intentionally. However, the app contains code functions designed to apply this list toward censorship, although at present these functions do not appear to be called.

These keyword lists have been found in other Chinese apps, but it's not clear why an inactive blocklist was included in My 2022. The contents of the illegal word list may be interesting for China watchers — the verboten terms are mostly Chinese, with some in Tibetan, Uyghur and English, and mostly related to politics or pornography.

The IOC has tried to rebut the security concerns. In comments to ZDNet, an IOC spokesperson pointed out "the user is in control over what the 'My 2022' app can access on their device. They can change the settings already while installing the app or at any point afterwards. It is not compulsory to install 'My 2022' on cell phones, as accredited personnel can log on to the health monitoring system on the web page instead."

"The IOC has conducted independent third-party assessments on the application from two cyber-security testing organizations. These reports confirmed that there are no critical vulnerabilities", they added.

But none of this is to say there aren't real risks. Many countries are warning their athletes about the surveillance and cyber security risks at the games and are dispensing sensible advice about burner phones. Some are going further and providing their delegations with phones, SIM cards, and sometimes even sovereign wifi networks. Our cyber security advice for all our Olympian readers? Use a burner and a temporary email account and sell the hardware as Olympic memorabilia to some sucker on eBay when you get home.

But whatever protections games attendees take, China's surveillance will be pervasive — it is not about poorly developed apps, it’s about an entire system. As a tech advisory from the US Olympic & Paralympic Committee obtained by Axios warns, "assume that every device and every communication, transaction, and online activity will be monitored".

Unfortunately, the fundamental problem underlying concerns about the My 2022 app is that the winter Olympics are being held in an authoritarian surveillance state that perpetrates large-scale human rights abuses. Despite this, for the vast majority of the participants the benefits of attending the games will outweigh the risks, especially if they take sensible precautions. It's just a pity Citizen Lab's marketing zeal — and the subsequent press coverage that stemmed from it — pushed the public discourse in the wrong direction.

Some Troubling Developments in Ransomware

Colonial 2.0

The operations of a major German oil storage company, Oiltanking GmbH Group, have been disrupted by a cyber attack. The company claims its ICS environment was spared but its IT systems were impacted. Still, its German operations were impacted when it had to roll back to manual tank loading and unloading processes. Unsurprisingly, manual processes are comparatively inefficient.

This attack comes in the wake of a Palo Alto Networks report detailing the activity of a new ransomware family called BlackCat (perhaps related to Darkside) which appeared in November 2021 and has rapidly gained 'market share'. Based on the leak sites that PAN tracks, BlackCat was the seventh most prolific ransomware group in December. It operates on an affiliate model and part of its success may be due to effective marketing coupled with relatively high payout ratios — in ads it has offered affiliates 80% to 90% of ransoms.

BlackCat uses the Rust programming language, which PAN says is a first for ransomware and "the malware authors are able to easily compile it against various operating system architectures, which facilitates the group’s ability to pivot from one victim to the next". BlackCat has targeted both Windows and Linux systems. Otherwise BlackCat uses 'standard' ransomware tactics including multiple extortion methods that include DDoS attacks and threats of data releases.

BlackCat shows how quickly a new ransomware strain can rise in prominence, and one possible reaction to recent Russian government law enforcement action may be increased ransomware gang 'churn'. Increased international law enforcement cooperation may defeat particular gangs but still not beat the crime. We'll have to see what the fallout from REvil arrests in mid-January will be.

It's Not All About Russia

A new Cybereason report claims the Iranian state-sponsored APT35 group (aka Charming Kitten or Phosphorus) is linked to the Memento ransomware. This underscores previous reports on APT35 ransomware activity dating back to May 2021, while other Iranian groups (it's not clear if they're state linked or not) deployed ransomware as early as 2016.

It's becoming clearer that ransomware isn't just a Russia problem, and it's hard to see how diplomatic efforts would make much difference with Iran (or North Korea, for that matter, if they happen to take up ransomware). Anecdotally, it appears that some of these groups are contractors that moonlight as ransomware operators if the compromised network doesn't have intelligence value.

Wholesale Ransomware

Ransomware crews continue to explore business model innovation. Deadbolt ransomware managed to infect more than 3,600 QNAP network-attached storage (NAS) devices. The Deadbolt team tries to extract ransoms from both QNAP NAS owners and the company itself. Owners can receive a key to unlock their files for USD$1,100, QNAP itself can pay for details of the vulnerability used to infect the devices for USD$1.86m or pay USD$18.6m to get a master decryption key.

It strikes us that for QNAP purchasing the master key could be quite attractive, especially if they negotiate a steep discount — how do you weigh up the reputational damage on future business vs the ransom cost? This isn't the first time we've seen this: Kaseya faced a similar dilemma in July last year. If this approach is successful it could well encourage ransomware attacks on commodity devices as it hedges bets for the operator. They are almost guaranteed at least some ransoms and in addition can pressure the manufacturer and hope for a big payout.

QNAP's response was also innovative — it pushed out a forced automatic update to their devices. Unfortunately, although this protected devices from new attacks, it disabled some otherwise working devices and also prevented some ransomware victims from recovering after paying Deadbolt's ransom. QNAP had warned users to "Take Immediate Actions to Secure QNAP NAS" on 7 January, but we wonder what proportion of users were aware of that warning.

Fortunately for those victims who have paid but were locked out by the subsequent update, Emsisoft has released a tool which (despite the blog title) takes the paid-for key and decrypts files.

Three Reasons to be Cheerful this Week:

1. Federal Strategy to Move to Zero Trust: The US government released its Federal zero trust architecture (ZTA) strategy, aiming for implementation by the end of the 2024 fiscal year. A particular highlight is "agencies must remove password policies that require special characters and regular password rotation from all systems". This has been NIST advice for years, so it's a victory for all of us!
2. Making the Right Noises on Ransomware Cooperation: Former Russian President and current deputy secretary of Russia's security council, Dmitri Medvedev, highlighted the need for international cooperation to combat cyber crime. He cited US-Russia cooperation and the FSB's recent arrest of REvil operators as examples of increased cooperation "despite very problematic relations with the United States". All countries have problems with cyber crime that they can't fix themselves, so let's hope this is real progress and not more ransomware diplomacy?
3. Darkweb market facilitator sentenced: Tal Prihar, the Israeli administrator of DeepDotWeb (DDW) was sentenced to eight years in prison for money laundering. DDW collated dark web news and also provided links to dark web markets. Prihar and partner earned USD$8.4m in cryptocurrency from referring people to these marketplaces (affiliate marketing for advertisers but illegal kickbacks in DoJ speak) but plead guilty to money laundering. We wonder how Prihar would have fared if he'd not attempted to hide his earnings.

Paying the Bills

If you happen to subscribe to our new product demo page on YouTube we sure would appreciate it. We published two demos late last year. The first is with Remediant co-founder Paul Lanzi showing off their network-based (read: "actually deployable") PAM solution. The second is with Ryan Noon of Material Security. They make a product that secures and redacts email at rest, but it has a lot of other features too.

We'll be publishing some more video demos in the coming weeks.

Shorts

What About Windows?

ESET has analysed MacOS malware they called DazzleSpy that was dropped on visitors to various Hong Kong pro-democracy websites (including some fake ones). The watering hole attacks were first described by Google TAG late last year, and ESET's report analyses the DazzleSpy payload dropped on visitors to D100, a pro-democracy internet radio station.

ESET assesses the group behind the operation "has strong technical capabilities," which gels with TAG's description of "a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code". It seems there are enough high-value targets using macOS for state actors to devote the effort to developing good quality exploits and implants.

The OPSEC seen in DazzleSpy is mixed — it used TLS to encrypt its C2 — but there were also some possible lapses such as Chinese error messages, the username 'wangping' was left in paths embedded in the binary (lol), and times were converted to China Standard Time before being sent to C2.

All Your Website Are Belong To Ryan

Security researcher Ryan Pickren collected a USD$100k bug bounty for stringing together four 0days that could potentially grant an attacker access to web accounts accessed by a targeted Safari user. The chain took advantage of design flaws and bugs in Safari web archive files, iCloud file sharing and MacOS Gatekeeper protections. Pickren's technical report is an interesting read. It's not RCE per se, but an attacker using this bugchain would get full local filesystem access and session cookie theft from all Safari sessions. Nice.

Trololol

Kim Zetter has another fabulous exploration of tit-for-tat wiperware posing as ransomware in the not-quite-conflict between Ukraine and Russia. It appears that Ukrainian wiperware first used to target Russians may have been re-purposed by Russians to target Ukraine. Ukraine's State Services for Special Communication and Information Protection described the similarities (which include use of the same bitcoin address) as a false flag attempt. Another possibility — Russian operators just like to be trolls.

Facebook Funny Money is Dead

Meta's cryptocurrency project Diem (formerly known as Libra), has been sold to Silvergate Capital, a California bank with cryptocurrency and fintech interests. Meta spent years on the initiative and attempted to address compliance concerns but never successfully convinced regulators and lawmakers of the currency's merits.

The White House is reportedly preparing a US government-wide digital assets strategy. Together with this increased government focus, the failure of Meta to gain traction with a relatively regulator-friendly cryptocurrency reinforces our view that Signal's integration with the privacy-enhanced MobileCoin cryptocurrency is folly.

So. Many. Packets.

Microsoft Azure has published an update on the state of DDoS activity. Attacks are getting bigger and lasting longer and the gaming industry remains the main target. Will these attacks start to have effects that policymakers care about? The report says we have a new high water mark for attack volume: 3.45Tbps. Whew!

Android is Still A Bin Fire

Android banking malware that wipes a user's phone after stealing their money has been discovered. This would slow down users trying to respond to theft and also remove evidence of the malware. Ouch. This wasn't on the Play Store, so perhaps if you are sideloading shady apps look out for the "Erase all data" permission.

A malicious 2FA app on the Play Store — built off the legitimate open source Aegis authenticator — would profile the phone and then install banking malware if it was vulnerable to the attack. Again, some of the permissions requested, such as disable keylock and install apps, weren't consistent with the app's stated purpose, although somehow these weren't visible on the Play Store listing.

Long Read

The New York Times has published an in-depth article on NSO, its history, how it was used diplomatically by Israel and how the FBI tested its products. It pulls together information that has come out over time into a coherent narrative.

That's a lot of Apes

These barely rate as news these days, but lol.