Srsly Risky Biz: Thursday February 24

Why cyber attribution won't deter Russia

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Who Hacked the Red Cross?

Servers that host data for the International Committee of the Red Cross's (ICRC) Restoring Family Links service were breached in January. The service reunites families and individuals separated by conflict and disaster and the details of the more than half a million people using the service are likely to have been stolen. Who was responsible? And why?

We mentioned this hack briefly two weeks ago when the US State Department warned that it was a "dangerous development" that "harmed the global humanitarian network’s ability to locate missing people and reconnect families".

Here at Risky Business HQ we've speculated about motivations behind the hack — the data could potentially be useful to intelligence agencies looking to lawfully track terrorists, but could also be used by states seeking to persecute vulnerable people. Let's examine what we know in light of further information the ICRC released about the incident.

Firstly, the ICRC stated the attack was "highly sophisticated and targeted" and implied a state actor was responsible:

The attackers used a very specific set of advanced hacking tools designed for offensive security. These tools are primarily used by advanced persistent threat groups, are not available publicly and therefore out of reach to other actors.

We determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers. The tools used by the attacker explicitly referred to a unique identifier on the targeted servers (its MAC address).

The ICRC also reports that the hackers gained access through a vulnerability in Zoho ManageEngine ADSelfService Plus that allowed unauthenticated attackers to upload webshells. Zoho announced the vulnerability on 7 September 2021; just over a week later a public proof-of-concept (PoC) exploit was available and CISA warned that APT actors were exploiting it.

The ICRC wasn't hacked until 9 November, so by that time an exploit would have been available to anyone who wanted it.

We think we can discount the possibility of a Five Eyes campaign trying to identify terrorist movements. The US State Department statement on the incident spells out why — the incident harms the ICRC's humanitarian work, which all states have agreed to support in the Geneva Conventions.

Brian Krebs reports that a cybercriminal, "Sheriff", advertised the ICRC data for sale on the English-language RaidForums cybercrime forum on 19 January, the same day the breach was announced. Krebs found that an email address Sheriff used to register at RaidForums is linked to an Iranian-based influence operation.

So Iran? Maybe, but also maybe not. Sheriff could well be pretending to have the data and planning to shake down the ICRC, and that would be a tough sell.

"We have not had any contact with the hackers and no ransom ask has been made," the ICRC's 'What We Know' statement reads. "We do not have any conclusive evidence that this information from the data breach has been published or is being traded."

Seriously Risky Business confirmed with the ICRC that these statements were still true as of 22 February — more than a month after Sheriff first advertised the ICRC data for sale.

The Zoho ManageEngine vulnerability used against the ICRC has also been used in an APT campaign tracked by Microsoft and Palo Alto Networks (PAN). Both companies have linked this campaign to China although neither has gone so far as to explicitly implicate the Chinese government. Neither company mentions the ICRC hack.

The Microsoft Threat Intelligence Center is confident the campaign belongs to a group it calls DEV-0322, "a group operating out of China, based on observed infrastructure, victimology, tactics, and procedures". PAN observed "some correlations between the tactics and tooling used in the cases we analysed and Threat Group 3390 (TG-3390, Emissary Panda, APT27)" although they warn that "attribution remains ongoing".

PAN also found that the attackers conducted a broader campaign taking advantage of vulnerabilities in other Zoho ManageEngine products. PAN believes the group downloaded older versions of ManageEngine to develop working exploits for known vulnerabilities.

What motivation would a Chinese group have to breach the ICRC? Disturbingly, it appears that the PRC is running an organised campaign to have Chinese Uyghurs living overseas deported back to China. Would the ICRC's Family Links database help them find displaced Uyghurs?

China has the opportunity and motive here, but so do plenty of other countries. Either way, it's looking more and more likely that the people behind this have positively malevolent motivations. Ugh.

Taiwanese Finance Sector Crawling with Chinese APT Crews

A report this week from Taiwanese cyber security company CyCraft AI describes a Chinese cyber espionage supply chain attack against the Taiwanese financial sector masquerading as a credential stuffing attack for financial gain.

The attackers used an undisclosed vulnerability in software widely used in Taiwan's financial sector but hid their entry vector under cover of a credential stuffing attack. CyCraft believes — but isn't sure — that once they gained access the attackers executed unauthorised trades from impacted Taiwanese brokerage accounts on the Hong Kong stock exchange. (CyCraft told Seriously Risky Business the trades took place but they cannot 100% confirm the same group is responsible).

After initial entry the attackers remained in the network for months. CyCraft thinks the objective "does not appear to have solely been financial gain but rather the exfiltration of brokerage information, the scraping of high-value PII data, damaging the reputation of Taiwan financial institutions, and the disruption of investor confidence during a period of economic growth for Taiwan".

CyCraft thinks the hackers are Chinese, probably APT10 (aka Potassium aka Stone Panda). APT10 works in association with the Tianjin bureau of the Chinese Ministry of State Security and is most famously known for Operation Cloud Hopper for which it was sanctioned by multiple countries.

Earlier this month a Symantec report described a Chinese group it calls Antlion and its 18-month long campaign against Taiwanese financial institutions. The tradecraft Symantec describes is different to that reported by CyCraft, so Antlion is possibly a second Chinese espionage crew tasked with targeting the Taiwanese financial system.

Seriously Risky Business asked Winnona DeSombre, nonresident fellow with the Atlantic Council's Cyber Statecraft Initiative, about the APT10 campaign. She thinks the intelligence interest could be related to Taiwan's relatively robust economy.

"Taiwan has experienced above average economic growth over the pandemic partially due to the world chip shortage, and also experienced large increases in private investment. Given how Taiwan has claimed they have a 'silicon shield' that protects them from China, I would not be surprised if China is trying to figure out which private investors and brokers are helping to bolster the Taiwanese economy, during a time where China-Taiwan tensions are rising."

Ukraine: It's Still not Cyber War

Russian cyber operations are being used to disrupt services and undermine confidence in concert with its military actions in Ukraine. In January, Seriously Risky Business discussed how these kinds of cyber operations were unlikely to make a major difference in any conflict on their own, but could be impactful when combined with military action.

Early last week a series of DDoS attacks knocked two of Ukraine's largest banks offline and also the websites of the Ministry of Defence and the Armed Forces. This coincided with text message spam falsely claiming ATMs in the country did not work. There is also late-breaking news that a wiper is affecting organisations in Ukraine, Latvia and Lithuania — reportedly Ukrainian financial institutions and government military contractors. Do these wiper attacks foreshadow shells and tanks?

The presence of the wiper outside Ukraine raises the prospect that destructive Russian cyber operations will spill out of Ukraine and have broader impacts on other countries, a la NotPetya. (This possibility was covered in an excellent Twitter thread by Ciaran Martin, founding CEO of the UK's NCSC and now Professor at the University of Oxford, on the possible use of cyber operations in Ukraine and more broadly against the US or UK.)

But Joe Slowik, Senior Manager of Threat Intelligence and Detections Engineering at Gigamon, warns against "over-enthusiastic reporting" exaggerating the wiper incident into a global threat. He told this newsletter that despite "reports of impacts in areas beyond Ukraine," such as the Baltics, it's possible the attackers are just propagating the wiper malware across international borders through the internal networks of organisations with a presence in both regions.

One way the US is responding to these disruptive attacks is, by previous standards, extremely rapid attribution.

By Friday, the US had attributed the DDoS attacks earlier in the week to the Russian government. In a White House press briefing Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said "we believe that the Russian government is responsible for wide-scale cyberattacks on Ukrainian banks this week".

"We have technical information that links… the Russian Main Intelligence Directorate, or GRU, as known GRU infrastructure was seen transmitting high volumes of communications to Ukraine-based IP addresses and domains," she added. (The UK NCSC also agrees, btw.)

Neuberger says the unusual speed of attribution was born "of a need to call out the behaviour quickly as part of holding nations accountable when they conduct disruptive or destabilising cyber activity".

She also warned that "Russian cyber actors likely have targeted the Ukrainian government, including military and critical infrastructure networks, to collect intelligence and pre-position to conduct disruptive cyber activities. These disruptive cyber operations could be leveraged if Russia takes further military action against Ukraine."

This is a deliberate strategy to deter Russian action and Patrick Howell O'Neill at the MIT Technology Review has a very interesting article exploring this new response to looming aggression.

This sort of thing has worked in the past, but may not do much anymore.

Mandiant's groundbreaking 2013 APT1 report changed the cyber security landscape by very convincingly linking cyber espionage activity to the Chinese PLA. APT1 activities diminished afterwards.

It's likely Mandiant's report also contributed to the 2015 Obama-Xi presidential agreement that "neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors".

As we all know, for a time, things did actually improve before regressing.

Unfortunately, public attribution may no longer be effective. In last week's US-China Economic and Security Review Commission hearings on China's cyber capabilities, several experts testified that public exposure and attribution is no longer effective at deterring Chinese activity.

But the current situation with Russia and Ukraine is also totally different to Chinese economic espionage.

It's unlikely that these attributions will deter Russia from launching cyber campaigns, but the US government's rapid disclosure of intelligence relating to the Ukraine crisis isn't confined to cyber shenanigans.

Other US disclosures are intended to undercut Russian justifications for military action. For example, the US has warned Russia plans to fake an attack against Russian speakers by the Ukrainian military. By releasing this information the US hopes to undermine the effectiveness of disinformation Russia might use as a pretext for war.

We are supportive of using intelligence this way. If Putin wants a war he'll get it, but this at least raises the costs beforehand — we think there is relatively little value in doing so after the tanks roll, shells are fired and lives destroyed.

Three Reasons to be Cheerful this Week:

  1. CISA sorts wheat from chaff: CISA has compiled a list of free cyber security services and tools, categorised into preparation, detection, response and resilience. There are a ton of resources available online and it's difficult to find the best ones easily, so it is good to have a curated list.
  2. Forced updates for the win: WordPress pushed a forced update for a pretty bad bug in the UpdraftPlus plugin. The bug allowed any logged-in user to download site backups made with the plugin. 65% of installs are now updated, with over 1.7m downloads in a single day (out of over 3m active installations).
  3. Decrypting Hive: South Korean researchers published a technique to recover files encrypted by the Hive ransomware. Some clever work figured out how Hive ransomware generates and uses a master key to encrypt victim files and from there the researchers figured out a technique to recover the master key and decrypt files. However, Michael Gillespie of the Malware Hunter Team and developer of the ID Ransomware service thinks the technique might not be practical. He told Seriously Risky Business that although this was good news and "the approach taken is certainly interesting, unfortunately it may not actually help too many victims primarily due to the Hive gang having updated their ransomware".

Paying the Bills

If you happen to subscribe to our new product demo page on YouTube we sure would appreciate it. We published two demos late last year. The first is with Remediant co-founder Paul Lanzi showing off their network-based (read: "actually deployable") PAM solution. The second is with Ryan Noon of Material Security. They make a product that secures and redacts email at rest, but it has a lot of other features too.

We'll be publishing some more video demos in the coming weeks.


A New Social Contract for the Digital Age

US National Cyber Director Chris Inglis has published an article on changing the relationship between the public and private sectors. His Twitter summary: "Cyberspace is made up of overwhelmingly private components yet has incalculable public value. We need a new social contract of shared responsibility in this new domain". It is worth a read, and it is nice to hear a call-to-arms based on opportunity rather than the typical "we all need to improve security or we'll die a horrible death in cyber world war".

Cryptofeds Are Go

Speaking at the Munich Cyber Security Conference, Deputy Attorney General Lisa O. Monaco said the FBI is investigating more than 100 different ransomware variants and will invest in capabilities to fight cyber crime. The FBI will develop a centre of expertise, the Virtual Asset Exploitation Unit (VAXU), which will "combine cryptocurrency experts into one nerve center that can provide equipment, blockchain analysis, virtual asset seizure and training to the rest of the FBI".

The expertise in the VAXU will complement the National Cryptocurrency Enforcement Team (NCET) which prosecutes crimes involving cryptocurrency. The FBI also announced an International Virtual Currency Initiative and Cyber Operations International Liaison. The increased international focus aims for more "joint, international law enforcement operations".

More cryptocurrency seizures to come.

Tying Turla to the FSB

Here is a nice graphical report describing the links between two Russian developers, the FSB, and the hacking group known as Turla. Turla is particularly interesting because of the variety of innovative techniques they've used. It has:

  • Piggybacked off Iranian APT operations by hijacking Iranian command and control (C2) infrastructure and repurposing Iranian tools.
  • Abused satellite communications to run C2 from hosts that didn't exist. Turla implants would beacon to an invalid address it knew would be broadcast over a large satellite downlink. Turla's C2 server would see this activity on the downlink and spoof a reply over a wired network. This provided some anonymity and effectively allowed Turla to use C2 infrastructure that didn't exist. This is like, so cool.
  • Used a peer-to-peer communication protocol within infected networks to route C2 through nodes with internet access.
  • Used comments on Britney Spears's Instagram account to hide directions to C2 servers.
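The satellite trick above is worth dwelling on, because it relies on two properties of the network rather than on any bug. A satellite downlink is a broadcast, so anyone with a dish in the footprint can read traffic addressed to any subscriber address, and most of the internet routes on the destination address only, so a reply with a forged source address still arrives. The toy model below is an added illustration (not code from the report linked above, and not Turla's tooling): packets are objects, the downlink is a broadcast list, and the terrestrial path delivers by destination without checking the source. The addresses and the "satellite provider range" are constructed.

```python
"""Toy model of Turla's satellite C2 hijack.  Added illustration, not code from
the linked report.  Everything is constructed: packets are objects, the
satellite downlink is a broadcast to every reader in the footprint, and the
terrestrial path routes on dst only (the asymmetry the technique depends on)."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    payload: str


class Network:
    """One satellite provider range (anything sent there is broadcast to the
    whole downlink footprint) plus a terrestrial path that routes on dst only."""

    def __init__(self, sat_prefix: str):
        self.sat_prefix = sat_prefix
        self.hosts = {}             # ip -> object with receive(); real hosts only
        self.downlink_readers = []  # anyone with a dish in the footprint
        self.log = []               # every packet ever sent, for inspection

    def attach(self, ip, host):
        self.hosts[ip] = host

    def add_downlink_reader(self, reader):
        self.downlink_readers.append(reader)

    def send(self, pkt: Packet):
        self.log.append(pkt)
        if pkt.dst.startswith(self.sat_prefix):
            # Uplink goes via the provider; the satellite then broadcasts the
            # packet to everyone in the footprint, subscriber or not.
            for reader in self.downlink_readers:
                reader.on_downlink(pkt)
        # Deliver to the real host if one exists.  For the hijacked address
        # there is none, which is exactly why nobody else answers the beacon.
        host = self.hosts.get(pkt.dst)
        if host is not None:
            host.receive(pkt)


class Implant:
    def __init__(self, ip, c2_ip, net):
        self.ip, self.c2_ip, self.net = ip, c2_ip, net
        self.tasks = []

    def beacon(self):
        self.net.send(Packet(self.ip, self.c2_ip, "beacon"))

    def receive(self, pkt):
        # The implant only trusts replies that appear to come from its C2 address.
        if pkt.src == self.c2_ip:
            self.tasks.append(pkt.payload)


class HijackingC2:
    """The attacker's real server sits on a wired link and is never addressed
    directly.  It reads the downlink, spots beacons to the unused satellite
    address it picked, and answers with that address forged as the source."""

    def __init__(self, real_ip, hijacked_ip, net):
        self.real_ip, self.hijacked_ip, self.net = real_ip, hijacked_ip, net
        self.victims = []

    def on_downlink(self, pkt):
        if pkt.dst == self.hijacked_ip and pkt.payload == "beacon":
            self.victims.append(pkt.src)
            self.net.send(Packet(self.hijacked_ip, pkt.src, "task:collect"))


def run_demo():
    net = Network("203.0.113.")  # constructed satellite provider range (TEST-NET-3)
    c2 = HijackingC2("198.51.100.7", "203.0.113.42", net)   # constructed addresses
    implant = Implant("192.0.2.10", "203.0.113.42", net)
    net.attach(implant.ip, implant)
    net.add_downlink_reader(c2)  # all the attacker needs is a receiver in the footprint
    implant.beacon()
    return {
        "implant_tasks": implant.tasks,
        "victims_seen_by_c2": c2.victims,
        "hijacked_address_has_host": c2.hijacked_ip in net.hosts,
        "c2_real_ip_on_wire": any(c2.real_ip in (p.src, p.dst) for p in net.log),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The two results worth noticing are that the implant gets tasked even though no host exists at the address it talks to, and that the attacker's real IP never appears in any packet. From the defender's side the only artefacts are outbound beacons to a satellite ISP's address space and replies that arrive over a path the satellite link would not have taken, which is why traffic to satellite provider ranges from hosts with no business there is a reasonable thing to hunt for.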

Stalkerware Still Insecure

A fleet of nine (or possibly more) re-branded Android stalkerware apps is configured insecurely so that data from 400,000 devices can be accessed without authentication, thanks to an insecure direct object reference bug. Yikes.
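The stalkerware bug and the UpdraftPlus bug above are two flavours of the same mistake: the handler looks up an object by the identifier the client supplied and never asks whether this caller may have it (object-level), or it checks that someone is logged in where it needed to check that they hold a particular role (function-level). The example below is added here to show both beside their fixes; it is not code from the stalkerware backend or from UpdraftPlus, and every record, account, role and path in it is constructed.

```python
"""Broken object-level and function-level authorization beside the fixed checks.
Added illustration, not code from the stalkerware apps or UpdraftPlus; the
records, accounts, roles and backup path below are all constructed."""
from typing import Callable, Optional


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed data: one row per monitored phone, keyed by a guessable id.
DEVICES = {
    "dev-1001": {"owner": "alice", "data": ["sms:hi mum", "gps:-33.86,151.21"]},
    "dev-1002": {"owner": "bob", "data": ["sms:meeting at 9", "gps:51.50,-0.12"]},
}
# Constructed accounts: two ordinary users and one admin.
ACCOUNTS = {"alice": "user", "bob": "user", "support": "admin"}
BACKUP_PATH = "/var/backups/site-2022-02-24.zip"  # constructed


def get_device_vulnerable(session_user: Optional[str], device_id: str) -> Optional[list]:
    """IDOR: the id from the URL is used directly, with no login and no ownership check."""
    rec = DEVICES.get(device_id)
    return rec["data"] if rec else None


def get_device_fixed(session_user: Optional[str], device_id: str) -> list:
    """Require a session, then require that the object belongs to the caller (or that
    the caller is an admin).  'No such object' and 'not yours' get the same answer so
    the endpoint does not become an enumeration oracle."""
    if session_user is None:
        raise Unauthenticated()
    rec = DEVICES.get(device_id)
    if rec is None or (rec["owner"] != session_user and ACCOUNTS.get(session_user) != "admin"):
        raise Forbidden()
    return rec["data"]


def download_backup_vulnerable(session_user: Optional[str]) -> str:
    """The UpdraftPlus-style mistake: 'is logged in' used where 'is allowed' was needed."""
    if session_user is None:
        raise Unauthenticated()
    return BACKUP_PATH


def download_backup_fixed(session_user: Optional[str]) -> str:
    """Function-level check: the action itself requires the admin role."""
    if session_user is None:
        raise Unauthenticated()
    if ACCOUNTS.get(session_user) != "admin":
        raise Forbidden()
    return BACKUP_PATH


def enumerate_devices(handler: Callable, session_user: Optional[str],
                      start: int = 1000, count: int = 5) -> list:
    """What an attacker walking sequential ids gets back from a given handler."""
    found = []
    for n in range(start, start + count):
        device_id = f"dev-{n}"
        try:
            data = handler(session_user, device_id)
        except (Unauthenticated, Forbidden):
            continue
        if data:
            found.append(device_id)
    return found


if __name__ == "__main__":
    print("no session, vulnerable handler:", enumerate_devices(get_device_vulnerable, None))
    print("alice, fixed handler:", enumerate_devices(get_device_fixed, "alice"))
    print("support, fixed handler:", enumerate_devices(get_device_fixed, "support"))
```

Walking ids against the vulnerable handler returns every device with no session at all, which is the 400,000-device exposure in miniature; against the fixed handler an ordinary user sees only their own device and an unauthenticated caller sees nothing. The backup pair shows why "logged in" is not an authorization check: a subscriber account passes the vulnerable version and is refused by the fixed one.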

Now That's a Bug!

Tree of Alpha, a security researcher, picked up a USD 250k reward for discovering a bug in a Coinbase API that allowed a user to sell cryptocurrency they didn't own.

A Long Read

Dina Temple-Raston at The Record has a good interview with Reality Winner.