Srsly Risky Biz: Thursday February 10

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Mayday: Computer Crash Investigations

The US Department of Homeland Security has officially established the Cyber Safety Review Board (CSRB), with its first task to be a review of the Log4j vulnerability and responses to it.

The new organisation is tasked with reviewing cyber security incidents, establishing root causes and providing recommendations to improve security. This CSRB concept is comparable to the NTSB, which investigates civil aviation accidents in the US and issues safety recommendations aimed at preventing future disasters.

Reassuringly, "to the greatest extent possible, the CSRB will share a public version of the report with appropriate redactions for privacy and to preserve confidential information". This is welcome. The CSRB, as originally described, did not have a clear requirement for public reports. These are necessary for the broader industry to learn lessons from the review.

There are some significant legislative differences between the operation of the CSRB and the NTSB. Firstly, the NTSB has the power to issue subpoenas and can compel cooperation. Secondly, NTSB reports cannot be used in civil court proceedings. It's a carrot and stick approach that helps the NTSB get to the bottom of the incidents it investigates. The CSRB doesn't have these powers and doesn't offer similar protections to the entities it will investigate, but it has the implicit backing of the US government. It remains to be seen whether the culture of cooperation in NTSB investigations translates into the cyber realm.

Adam Shostack, a long-time advocate of an 'NTSB for cyber' and co-author of Learning from Cyber Incidents: Adapting Aviation Safety Models to Cybersecurity, told Seriously Risky Business the board is "potentially [a] huge step forward".

On Log4J, Shostack thinks "the key questions are what happened and why, and in this incident, why was it so hard to address? I know a great many people who lost their Decembers to managing these issues".

Given the CSRB cannot subpoena witnesses, Shostack thought focussing on federal agencies would be a good first step. He also thought that measuring how effective government standards such as the NIST Cybersecurity Framework were during the Log4J incident would be useful.

"Did those standards help with this? Did they enable those building or acquiring software to be ready? Distract from the things that would have set us up to deal with them?"

As an aside, some of this information already does see the light of day. Cisco CISO Brad Arkin summarised his testimony to a Senate Committee on the Log4J vulnerability in an excellent twitter thread.

Seriously Risky Business offers our congratulations to all board members, especially Dmitri Alperovitch, Co-Founder and Chairman of the Silverado Policy Accelerator and friend of the newsletter.

First, They Came for the Oil. Now it's Just Bananas

There has been a rash of attacks affecting European critical infrastructure this week.

Dutch oil storage company Evos also suffered from "disruption of IT services" that caused delays in oil transfer at terminals in Terneuzen in the Netherlands, Ghent in Belgium and Malta, although this hasn't been confirmed as ransomware (yet).

Port terminal operator SEA-Invest was also hit by a cyber attack. A person in the fruit trade told Fresh Plaza that the incident was affecting supplies. "It's complete chaos… banana supplies are already ten days behind schedule. All the fruit has to be removed from the containers manually. That all leads to very short ripening schedules and a lot of unease in the various links."

This appears to be another ransomware incident — SEA-Invest recently appeared on Conti's .onion site and security firm Secutec told Fresh Plaza the incident was caused by ransomware.

Aviation services company Swissport was also struck by ransomware, although this appears to be well contained.

Vodafone Portugal announced on Tuesday it suffered a "deliberate and malicious" cyber attack that took down all data services including "the 4G/5G network, fixed voice, television, SMS and voice/digital answering services". We don't have any further details on that one, it could be anything from a DDoS attack to a wiper campaign or ransomware.

These latest incidents come on top of earlier attacks we covered in early February. Two German companies – oil storage company Oiltanking and mineral oil trade company Mabanaft (both subsidiaries of the Marquard and Bahls energy and logistics group) – were hit by the BlackCat ransomware. Both companies declared force majeure, an inability to meet contracts because of unforeseen events, although to us it seems a bit rich to describe ransomware as unforeseeable or unlikely.

In a short statement the Dutch National Cyber Security Centre hosed down speculation that the attacks against the oil and chemical sectors were coordinated . "Based on our information, it’s not likely that these attacks are part of a coordinated campaign. It is probable that these attacks have been carried out with a criminal intent aimed at financial gain."

This string of attacks comes despite Russian law enforcement ramping up its actions against cybercriminals. This week authorities there seized several cyber crime forums. Dmitry Volkov, the CEO of Russian cyber security firm Group-IB told Cyberscoop "we have never seen that many takedowns of card shops and forums within such a short period of time". This follows the mid-January arrests of 14 REvil ransomware group members and the administrator of the Unicc carding forum.

Even if we take increased Russian law enforcement activity at face value, more arrests don't necessarily mean that ransomware crime will go away. The supply of cyber criminals may shrink as fewer are willing to risk arrest, but the crime is so lucrative that it is likely a considerable number will keep going, change their tactics and take steps to improve their OPSEC.

The United States government has been the most vocal about ransomware on the international stage, so another possible response from ransomware crews may be to avoid US-based targets. This may be why we're seeing increased "big game" ransomware campaigns hitting European interests.

Seriously Risky Business thinks that ransomware is a serious enough problem that countries need holistic approaches that use all of the tools they have available: diplomacy, law enforcement, improved defences and even disruptive offensive cyber operations. The many nations within the EU make it harder to coordinate some of these approaches

We Were Uncorrect

The US Internal Revenue Service has backed down from its plan to use the third party ID.me service to verify people's identities using facial recognition technology. Two weeks ago we wrote that we expected we'd all have to use face verification systems to access government services, but it looks like citizen pushback has kiboshed these plans, at least for now.

Unfortunately, the terrible state of cyber security means that the semi-private information we have in the past used to verify our identity such as address, birthday, and phone or driver's licence numbers, are readily available from data breaches. This makes these no-longer-sorta-secret details less useful for identity verification, and therefore makes faces and matching to photo ID relatively more important. Faces also have some additional benefits — they are harder to steal and harder to lose.

So there are good reasons to use facial verification technologies. But let's be clear, the reason the IRS is stepping back is that citizens simply don't trust the government, or the contracts it might enter into with private companies that do this sort of thing.

Three Reasons to be Cheerful this Week:

1. MS Office internet macros were blocked, and there was much rejoicing: From April some Microsoft Office applications, including Word, Excel and Powerpoint, will block macros from documents obtained from the internet by default. This will make it much harder for criminals to trick users into opening malware-laden Microsoft documents — rather than clicking a single button users have to jump through many more hoops.
2. Top NPM packages will have mandatory 2FA: The maintainers of the top 100 javascript packages on the Node Package Manager (npm) repository are now required to use 2FA. Packages being stolen via credential theft isn't the only problem in supply chain security, but it is definitely one of them.
3. Two ways to improve the security of open source software: The Open Source Security Foundation is launching the Alpha-Omega Project to improve open source software security with an initial investment of USD$5m from Microsoft and Google. The Alpha 'arm' will provide tailored help to improve security in the most critical open source software. The Omega arm will use automated techniques to improve security across at least 10,000 widely deployed open source projects.

Paying the Bills

If you happen to subscribe to our new product demo page on YouTube we sure would appreciate it. We published two demos late last year. The first is with Remediant co-founder Paul Lanzi showing off their network-based (read: "actually deployable") PAM solution. The second is with Ryan Noon of Material Security. They make a product that secures and redacts email at rest, but it has a lot of other features too.

We'll be publishing some more video demos in the coming weeks.

Shorts

Webmail of the Damned

European governments and media organisations have been targeted by (probably) a Chinese APT group using a 0day for the Zimbra open source email platform. The group first ran a reconnaissance phase using innocuous and relatively generic emails to test whether accounts existed and would open phishing emails. A second phase on promising target accounts involved a malicious email that would launch a cross-site scripting attack to steal the account's email.

Volexity, the company that discovered the campaign, believes it is Chinese because of the organisations and individuals targeted and the lack of any apparent financial motivation combined with indications that the attackers worked in China's time zone.

State Department Weighs in on ICRC Hack

The State Department has warned about a recent hack of the International Committee of the Red Cross (ICRC) that stole personal data from more than half a million highly vulnerable people.

The stolen data related to the ICRC's Restoring Family Links service, which aims to reconnect people separated by war, migration and violence. One theory is that this is the work of intelligence organisations looking to find potential terrorists from conflict areas. That is fair enough, perhaps, but another theory is that this is the work of people aiming to persecute certain displaced people. The State Department's warning makes us worry it is the latter.

It is good to see the State Department being more active in cyber-related issues. It has offered significant rewards for ransomware crews, foreign election interference, attacks on US critical infrastructure and also for specific individuals in cyber crimes.

And although it was not a State Department event, the 30-nation White House Counter-Ransomware summit highlights the need for international cooperation to tackle cyber crime. Bring on the new Bureau of Cyberspace and Digital Policy.

$3.6bn of Stolen Cryptocurrency Seized. 3.6bn!!

USD$3.6bn of cryptocurrency were seized from Ilya Lichtenstein and Heather Morgan, a New York husband and wife couple who have been arrested for allegedly laundering cryptocurrency stolen in a 2016 hack of the Bitfinex Bitcoin exchange.

The 120,000 Bitcoin stolen were worth about USD$71m at the time but over the last five years the couple only transferred about 25,000 Bitcoin out of the wallet containing the stolen funds. These Bitcoins appear to have gone through complex money laundering procedures, some of which involved the transfer of funds through dark markets, anonymity-enhanced cryptocurrencies, and even Walmart gift cards — the level of detail in the indictment is amazing. The remaining 94,000 Bitcoin were seized. It is not clear how the couple came to possess the stolen bitcoin.

The wife, Heather Morgan, is a colourful character and describes herself as a "serial entrepreneur," "rapper" and Forbes writer. A rap video of hers remains online and is truly awful. It's just terrible. Click through, but only if you dare.

In other cryptocurrency news, more detail has emerged about an unrelated cryptocurrency theft we very briefly mentioned in last week's newsletter, in which USD$322m was stolen by abusing a vulnerability in the Wormhole blockchain bridge. The attacker was able to mint new Ethereum out of nowhere on the Solana blockchain, which makes you wonder… who was the money stolen from? And who gets it if it is returned?

Well. That's one way to Bypass a Paywall

Chinese state-linked hackers have been discovered breaching media organisations in the US, UK and Australia in two separate reports.

In the first, News Corp, owner of mastheads including The Wall Street Journal and The Times, reported that it has been hacked, likely by Chinese groups. News Corp says a "limited number" of email accounts were targeted across News Corp's US and UK businesses and it appears only news-related properties were of interest to the hackers.

Separately, media reports say an Australian news organisation was also hacked by Chinese state-linked actors in December last year.

Interestingly, this attack took advantage of the Log4J vulnerability to gain initial access via an affected vendor solution on the day the vulnerability was publicly announced.

News organisations are such large information clearing houses that it's hard to know what the hacker's specific interests were without knowing details about who or what they targeted.

An Excellent Piece from NBC's Kevin Collier

A mid-December ransomware attack on Kronos, a major payroll company in the US, is still affecting worker's pay (this piece is well-worth reading). This is one example of how cyber security incentives don't align correctly. Employers are fine, but workers suffer. It's disgusting.

The Researchers are Revolting

The victim of a North Korean cyber espionage campaign targeting security researchers is striking back by launching attacks against North Korea's internet infrastructure, apparently with some success. The anonymous man told Wired "it felt like the right thing to do here".