Srsly Risky Biz: Thursday January 6

The Three Security Themes for 2022

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Welcome back to the first edition of 2022! This edition highlights some of the themes we expect will be important over the coming year — surveillance and exploit dev for hire, ransomware, and supply chain security and resiliency.

A Big Theme for 2022: Beyond NSO

Public discussion of mobile exploit and malware developers has so far focussed on a small number of companies (and NSO Group in particular), but this will change in 2022.

A December report into the surveillance-for-hire industry by Facebook/Meta has unearthed a few new (to the public) players. Meta booted seven organisations from its platform and alerted 50,000 people it believes were targeted.

It's good reading. The Meta report defines what it calls the "surveillance chain" as consisting of phases of Reconnaissance, Engagement and Exploitation. These phases are pretty much what you'd expect based on their names, and the different surveillance-for-hire entities it identified collectively provided services across all of these phases.

It's a doxing bonanza. Meta identifies four Israel-based companies: Cobwebs Technologies, Cognyte, Black Cube and Bluehawk CI; Indian company BellTroX; North Macedonian company Cytrox; and an unknown China-based entity. These groups were banned from Meta services, related infrastructure was blocked and cease and desist warnings were issued.

Collectively, Meta states these surveillance-for-hire groups targeted people in over 100 countries including "journalists, dissidents, critics of authoritarian regimes, families of opposition members and human rights activists".

Citizen Lab also released a report that further examines the activities of Cytrox and its relationship to the Intellexa Alliance, which Citizen Lab describes as the "Star Alliance of spyware". Intellexa is a marketing label that covers a consortium of companies, none of which appear in Facebook's report. Other than their relationship to Cytrox it's not clear what these companies actually do, which is perhaps a cause for suspicion on its own.

Regarding Cytrox itself, Citizen Lab found its Predator spyware (Cytrox's own name for it) on the phone of exiled Egyptian politician Ayman Nour, alongside NSO's Pegasus spyware — Nour was simultaneously hacked by two separate groups.

The reports were published amidst an avalanche of press coverage on politically motivated surveillance that relied on private sector tooling.

In January we learned the Polish government used NSO Group's Pegasus software to target opposition figures including a high-profile lawyer and a prosecutor challenging government attempts to purge the judiciary. Pegasus was also deployed on the phone of Jamal Khashoggi's wife in the months prior to his murder. And Loujain al-Hathloul, a Saudi Arabian women's rights activist, has launched a lawsuit against UAE group DarkMatter and three employees who are former US intelligence agency officials for hacking her iPhone. The lawsuit alleges this led to her "arbitrary arrest by the UAE's security services and rendition to Saudi Arabia, where she was detained, imprisoned, and tortured." Her crime? Al-Hathloul live-streamed herself breaking a women's driving ban.

Some of the activities of the groups Meta identified seem to be on behalf of law enforcement — Meta suspects that the Chinese group is used by domestic law enforcement and its "malware tools were used to support surveillance against minority groups throughout the Asia-Pacific region, including in the Xinjiang region of China, Myanmar, and Hong Kong".

The US government has already taken action against NSO Group and Candiru. We expect to see further government attempts to rein in these types of firms as the scale of the industry is laid out in 2022.

Second Theme: Sorry, it's Still Ransomware

Ransomware will continue to be a major issue in 2022. The best case: combined international efforts tamp down ransomware while defences improve ever so slowly. Worst case: ransomware escalates into a crisis as crews in multiple untouchable jurisdictions get involved.

Ransomware has not markedly diminished despite far greater US focus and some significant government actions. These include a US Cyber Command offensive operation against the REvil ransomware gang, rewards being offered to ransomware snitches, sanctions on cryptocurrency exchanges and an international ransomware summit.

Recorded Future ransomware expert Allan Liska thinks some data may show a "slowing down [in] the number of ransomware attacks in some sectors and geographic areas". We think you really have to squint your eyes pretty hard (and optimistically) to see a decrease.

Since the last edition of Seriously Risky Business on December 16, the Conti ransomware group used the Log4Shell vulnerability to target VMware vCenter servers and also attacked US photography site Shutterfly and McMenamins breweries.

Two media companies were also hit in different campaigns. Impresa, Portugal's largest media conglomerate, was hit by Lapsus$ ransomware taking websites and internet streaming services down. A large Norwegian media company, Amedia, was also hit by ransomware and its printing, subscription and advertising operations disrupted. This is the fifth publicly reported ransomware attack on a major media organisation in the last six months, on top of Australia's Nine Entertainment being struck in March of 2021.

We gained a little insight into two different crews, too. A breach disclosure — perhaps inadvertently — revealed that the FBI suspects that the HelloKitty ransomware crew are Ukrainian. Cause for some optimism, perhaps, as Ukraine has a track record of action against cybercriminals. On the other hand, the group responsible for the June ransomware attack on the Cox Media Group are reportedly Iranian.

One strand of US government efforts to tackle ransomware has involved diplomatic engagement and pressure, but this has limits. For Russia, the main target of diplomatic efforts to date, cooperation is so far invisible if not non-existent. If Iran or North Korea decide to up their ransomware game in a big way diplomatic efforts won't make a dent.

Third Theme: Yep, It's the Supply Chain

The security and resiliency of our supply chains will become an even bigger issue this year.

The Log4Shell vulnerability did a fantastic job of highlighting the need for policy initiatives to address the security of the open source software that finds its way into every crevice of critical infrastructure and enterprise computing. (See our December 16 edition for a recap of Log4Shell.)

Google's Open Source Insights team analysed the Maven Central repository (the most significant Java package repository) and found that over 17,000 packages incorporated log4j-core, the vulnerable Log4j component. Part of the difficulty is that most affected packages probably rely on Log4j indirectly, that is, Log4j is a dependency of a dependency. The Log4j dependency could be nested as many as nine layers deep, and package maintainers need to wait for all of a package's downstream dependencies to be fixed before they can take action.

The good news is that Google found a quarter of affected packages had fixed versions available by 19 December. The bad news: for other publicly disclosed critical vulnerabilities less than half the affected packages have been fixed. The ubiquity of Log4Shell and the number of packages it is used in guarantees a long tail.
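The nesting problem above in working code: an added illustration, not Google's tooling or anything from the newsletter. It walks a small constructed dependency graph (every package name and fixed/unfixed flag is made up), reports each package's shallowest distance from log4j-core, and lists the unfixed intermediate packages a maintainer is still waiting on.

```python
# Added example: transitive exposure to a vulnerable package, Log4j style.
# Package names, edges and fixed/unfixed flags are constructed for the demo.
from collections import deque

VULNERABLE = "log4j-core"
# Constructed graph: package -> (direct dependencies, fixed release available)
GRAPH = {
    "log4j-core":   ([], True),                            # patched release exists
    "logging-util": (["log4j-core"], True),                # depth 1, already fixed
    "http-client":  (["logging-util"], False),             # depth 2, no fix yet
    "sdk-core":     (["http-client"], False),              # depth 3, no fix yet
    "app-a":        (["sdk-core"], True),                  # depth 4
    "app-b":        (["logging-util", "sdk-core"], True),  # depths 2 and 4
    "unrelated":    ([], True),                            # never touches log4j
}

def exposure_depth(graph, vulnerable=VULNERABLE):
    """Map every package that reaches `vulnerable` to its shallowest nesting
    depth (1 = direct dependency, 2 = dependency of a dependency, ...)."""
    dependants = {}
    for pkg, (deps, _) in graph.items():
        for dep in deps:
            dependants.setdefault(dep, []).append(pkg)
    depth, queue = {}, deque([(vulnerable, 0)])
    while queue:
        pkg, d = queue.popleft()
        for up in dependants.get(pkg, []):
            if up not in depth:              # BFS: first visit is the shortest path
                depth[up] = d + 1
                queue.append((up, d + 1))
    return depth

def blockers(graph, pkg, vulnerable=VULNERABLE):
    """Unfixed packages sitting between `pkg` and `vulnerable`: `pkg` cannot
    ship a clean release until each of these has a fixed version."""
    exposed = exposure_depth(graph, vulnerable)
    if pkg not in exposed:
        return set()
    out, seen, stack = set(), set(), list(graph[pkg][0])
    while stack:
        cur = stack.pop()
        if cur in seen or cur == vulnerable:
            continue
        seen.add(cur)
        deps, fixed = graph[cur]
        if cur in exposed and not fixed:     # on a path to log4j and still unfixed
            out.add(cur)
        stack.extend(deps)
    return out
```

Run over a real SBOM or resolved dependency tree, the same two functions tell you which of your artifacts are exposed and which upstream releases you are actually waiting for.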

A fundamental problem with the open source software chain is that 'free' software doesn't necessarily get the security attention and expertise commensurate with its status as some components grow to essentially become critical infrastructure. Patrick Howell O'Neill examined this in a terrific MIT Technology Review article.

That article was cited by an FTC statement that warned the commission "intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future".

Three Reasons to be Cheerful this Week:

  1. Facebook is adding scraping attacks to its bug bounty program: researchers that find loopholes in its anti-scraping protections can receive USD$500+ rewards, depending on complexity. Scraping can be hard to stop because it abuses otherwise legitimate functionality; hopefully this will help minimise it.
  2. AFP to crooks — you're cooked: The AFP and FBI continue to make hay from AN0M, an encrypted messaging network they controlled and marketed to organised crime to intercept messages in real time. AN0M collected GPS data and the AFP has identified up to 160 targets for a second phase of its operation and stated arrests "will continue for years". These media releases and disclosures can be seen as a form of disruption designed to sow doubt in criminal networks.
  3. Ignoring cyber security is costing more: Cyber insurance payouts are increasingly unsustainable, so premiums are rising and coverage cut. Additionally, municipal bond credit analysts do not think state and local governments are prepared for cyber attacks, which feeds through to higher cost of debt. The good news is that these dual trends could force governments to actually improve security rather than papering over vulnerability with insurance policies.

Paying the Bills

Risky Business has launched something new: product demos that we're publishing to YouTube. This new sponsorship product will help us fund this newsletter and make it sustainable, so if you happen to subscribe to our new product demo page on YouTube we sure would appreciate it. We published two demos late last year. The first is with Remediant co-founder Paul Lanzi showing off their network-based (read: "actually deployable") PAM solution. The second is with Ryan Noon of Material Security. They make a product that secures and redacts email at rest, but it has a lot of other features too.

Log4Shell Apocalypse Fails to Materialise

It's not over yet, but all signs point to the Log4Shell vulnerability drama working out better than most people expected. Microsoft reports exploitation of Log4Shell remained high throughout December from both sophisticated state actors and commodity attackers. They "observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks". There are also some reports of specific incidents. CrowdStrike identified that a Chinese actor used a Log4j exploit in an attempt to compromise a "large academic institution". A Vietnamese crypto exchange was hacked after attackers used Log4Shell to access a development server that unfortunately had access to production Amazon S3 buckets. And the Belgian Ministry of Defence was affected.

But it hasn't yet been a planet-melting vulnerability. Don't get us wrong, a LOT of people got owned with this one and we expect to see a trickle of breach disclosures flow through into SEC filings over the coming months, but it just wasn't the epic disaster we were initially expecting. One possible reason is that Java is a fiddly hot mess that nobody wants to deal with.

Hack SEC filings, buy shares, profit

Speaking of SEC filings, the US Department of Justice has charged five Russians for a hacking and illegal stock trading scheme. The group hacked 'filing agents' — companies that facilitate corporate filings to the US Securities and Exchange Commission — to steal documents such as annual and quarterly reports before they were made public. The stolen information was then used to make profitable share trades by buying or shorting stocks of companies about to disclose financial results that beat or fell short of market expectations respectively.

One of the Russians charged, Ivan Yermakov, once worked for the Russian GRU military intelligence agency, and has previously been charged in relation to both Russian interference in the 2016 US Presidential elections and hacking of international anti-doping agencies. Quite the resume.

Another of the Russians charged is now in US custody. Vladislav Klyushin was extradited to the US from Switzerland, where he was arrested in March. Bloomberg reports (the reputable part) US government officials hope that Klyushin may provide further information about Russian interference in the 2016 US election. His company, M-13, has done work for the Russian government and Klyushin was awarded a medal of honor from President Putin in 2020.

It Really is the New IRC

An Iranian group known as MuddyWater was using free workspaces on Slack for malware command and control. This makes sense as comms from remote collaboration tools blend into other network traffic, but it also introduces a single point of failure if detected. Slack has now shut down the reported workspaces, although it's not clear if they were able to (or even tried to) identify similar activity across other workspaces.

Congratulations! You've Got Malware!

North Korean hackers are targeting Russian diplomats using Russian holiday greetings screensavers as a phishing lure. Attached zip files contained a Windows screensaver file with the Konni remote access trojan baked into it. So retro!

Time to Take U2F Seriously

Phishing toolkits that can defeat 2FA are proliferating. These toolkits relay communications between a target and the legitimate site in a MitM attack, so they can forward the victim's 2FA code to the real site and authenticate as the victim. U2F hardware tokens mitigate this.
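Why the U2F mitigation holds, as an added toy model (not the FIDO specification and not from the newsletter): the token signs the server's challenge together with the origin the browser is actually on, and the site verifies against its own origin. The signature is modelled with HMAC over a key the site also holds (real U2F uses per-site ECDSA key pairs); both origins are made up.

```python
# Added toy model of U2F origin binding, constructed for this note; not FIDO.
# The token's signature is modelled with HMAC over a key the site also holds
# (real U2F uses per-site ECDSA key pairs); both origins below are made up.
import hashlib
import hmac
import os

REAL_ORIGIN = "https://accounts.example.com"    # constructed
PHISH_ORIGIN = "https://accounts-example.com"   # constructed look-alike

class Authenticator:
    """Toy U2F token: signs challenge + browser origin, so the signature is tied to where the user really is."""
    def __init__(self):
        self.key = os.urandom(32)
    def sign(self, challenge: bytes, browser_origin: str) -> dict:
        msg = hashlib.sha256(browser_origin.encode()).digest() + challenge
        sig = hmac.new(self.key, msg, "sha256").digest()
        return {"challenge": challenge, "sig": sig}

class RelyingParty:
    """Toy site verifier: recomputes the signed message with its own origin, never one the client supplies."""
    def __init__(self, origin: str, token_key: bytes):
        self.origin, self.key = origin, token_key
    def new_challenge(self) -> bytes:
        return os.urandom(16)
    def verify(self, challenge: bytes, assertion: dict) -> bool:
        if assertion["challenge"] != challenge:
            return False              # stale or replayed challenge
        msg = hashlib.sha256(self.origin.encode()).digest() + challenge
        expected = hmac.new(self.key, msg, "sha256").digest()
        # Fails whenever the token signed for a different origin, which is what
        # happens when a proxy relays the challenge via a look-alike domain.
        return hmac.compare_digest(expected, assertion["sig"])

def login(rp: RelyingParty, token: Authenticator, browser_origin: str) -> bool:
    """One round: challenge out, assertion back; browser_origin is where the user's browser really is."""
    challenge = rp.new_challenge()
    return rp.verify(challenge, token.sign(challenge, browser_origin))

TOKEN = Authenticator()
SITE = RelyingParty(REAL_ORIGIN, TOKEN.key)
```

A relayed one-time code has no equivalent of the origin field, which is why the same proxy succeeds against SMS or app-generated codes but not against this exchange.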

Everyone Can Get Stuffed

The New York Office of Attorney General investigated credential stuffing attacks and found over a million compromised accounts at 17 well-known companies by monitoring online communities dedicated to credential stuffing. It notified those companies, worked with them to improve security and also released a Business Guide for Credential Stuffing Attacks. A great way for a government organisation to truly understand a problem and make sensible recommendations.