Srsly Risky Biz: Thursday July 21

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, and founding corporate sponsor Proofpoint.

The CSRB Solution: Make Better Software!

The first ever Cyber Safety Review Board (CSRB) report has landed. It's an excellent deep dive on the Log4j event, but the broadness of its recommendations show just how far we have to go to make critical software safer.

First, the findings. The Board found that the Log4j vulnerability (as we covered here) was a bad one made worse by common practices in modern software development. It's likely that other just as bad vulnerabilities are still out there, so a whole lotta work needs to be done across the software and cyber security ecosystem to mitigate the risks.

The CSRB's report documents how the vulnerability was first created in 2013, its discovery in late 2021 and the subsequent exploitation and response, before moving on to recommendations.

The Log4j vulnerability was found by an Alibaba Cloud Security team engineer in the PRC and reported to the Apache Software Foundation team that maintains Log4j. Prior to the public release of a patch, however, the vulnerability and proof of concept code was posted to Chinese social media WeChat by Chinese security firm BoundaryX. This led to widespread exploitation.

Significantly, the Board found that there was no evidence of malicious exploitation of Log4j prior to public disclosure. It couldn't say for sure how the researcher at BoundaryX uncovered the vulnerability, but Board member Dmitri Alperovitch believes it likely the vulnerability was reverse engineered from information publicly available on the Log4j project's tracking system.

The Board applauded Alibaba for following recognised practices for coordinated vulnerability disclosure, but is concerned PRC vulnerability disclosure laws which compel researchers to tell the government about vulnerabilities within two days of discovery could "afford the PRC government early access to serious, exploitable vulnerabilities before they are patched". The Board was able to confirm that this didn't happen in this case — Alibaba didn't inform the PRC government of the Log4j vulnerability until after the vulnerability was made public, 17 days after the two-day deadline. The Board wasn't able to get to the bottom of public reporting that Alibaba was punished for this delay, but is concerned that these sanctions will "create a chilling effect on future coordinated disclosure".

The Board identified a number of factors that contributed to the severity of the Log4j vulnerability:

an enormous attack surface vulnerable to exploitation; vulnerability response teams that often could not identify where the vulnerable code could be found in their systems; and a vulnerability that is easily exploited to grant significant unauthorised access to systems, including sensitive systems used to support critical infrastructure and federal government operations.

Most of these contributing factors are not unique to Log4j, so there are potentially other software projects with similarly high-impact vulnerabilities waiting to be discovered.

The Board also found that the vulnerability was likely preventable. A focused code review code at the time could have identified the vulnerability, but of course the volunteer Log4j team didn't have the resources for these kinds of reviews in 2013.

The CSRB is often compared with the NTSB, the independent US government agency that investigates civil aviation accidents and issues safety recommendations aimed at preventing future disasters. Seriously Risky Business is a fan of the concept and we wrote previously that the Board's mission:

should be to improve the effectiveness of economy-wide cyber security practice by producing public reports that — like NTSB reports — examine incidents systemically and seek to identify the root cause. This is different from the typical focus of incident response, which is to understand and remediate current intrusions.

When it comes to recommendations, a minority of the Board's recommendations deal with Log4j specifically. It describes Log4j as an "endemic" vulnerability and "vulnerable versions will remain in systems for the next decade, and we will see exploitation evolve to effectively take advantage of the weaknesses". Recommendations here focus on continuing to look for, addressing and communicating Log4j vulnerabilities.

A majority of the Board's recommendations are focussed on broader issues such as "best practice for security hygiene", "build a better software ecosystem", and "investments in the future". This is pleasing as it addresses root causes — exactly what this newsletter wanted — but also sobering, in that the recommendations are so wide-ranging that even if they are immediately (and voluntarily) implemented by stakeholders they will take many years to bear fruit.

In contrast to the CSRB's wide-ranging recommendations, NTSB accident reports are reassuringly tangible and can refer to specific part numbers with details of their faults. The NTSB, however, is nearly 100 years old and software isn't an aeroplane. Hopefully we won't have to wait that long before software improves to the point that the CSRB is handing down narrow and specific recommendations instead of wide ranging best practice advice.

However, even today the CSRB's broad recommendations are useful in policy circles. They're all eminently sensible and now they're on record. And the work the Board did in pinning down the timeline of events and debunking reports of pre-disclosure exploitation of the bug was terrific. We just hope one day these reports will say something like "this function should be deprecated" instead of "we should teach computer science students how to write more secure code".

Cybercrime Kingpins Are Few and Vulnerable

Leaks from the TrickBot malware group show it is an organised and capable cyber crime syndicate, but also reveal points of vulnerability.

UK cyber security firm Cyjax has released a report that analyses internal communications and other information leaked from the TrickBot malware gang by the Twitter account trickleaks. TrickBot malware is a sophisticated trojan first identified in 2016 and originally designed to steal financial data, but has since evolved into modular multi-purpose malware.

The TrickBot group is very closely related to the Conti ransomware gang and it appears both groups are part of the same umbrella organisation. Many members, including senior leadership, also appear in the Conti Leaks, which we covered here and is also extensively covered in Brian Krebs' excellent series.

The Conti Leaks material, which received most media coverage at the time, provided insight into how the group operated and what it was trying to achieve. Although much of the TrickBot leaks dataset covers the same territory — these are well-organised groups effectively operating as medium-sized enterprises — there are some interesting new nuggets.

For example, the TrickBot leaks set contains some extensive doxxing material, including lists of members and doxxing pdfs with extensive personal details including names, passport numbers, phone numbers and even home, IP and MAC addresses. Hopefully these details made their way to law enforcement or intelligence types, where we imagine they might be useful.

The TrickBot group was also investing in organisational capacity and attempting to move its communications to the Tox encrypted messaging service. Tox didn't quite suit TrickBot's needs because it didn't support group chats, so TrickBot investigated how to speed up the development of a Tox fork with group chats. They even contacted the fork's developer and considered paying them.

Perhaps most interestingly, these leaks indicate that the organisation was extremely reliant on just a few key people. A February 21 message shows how sticky things get when "the Chief" goes AWOL:

I sincerely apologise for having to ignore your questions for the last few days. Regarding the Chief, Silver, salaries and everything else. The reason I had to is because I simply had nothing to say to you. I was dragging my feet, screwing around with the salary as best I could, hoping that the Chief would show up and give us clarity on our next steps.

But the Chief is gone, and the situation is not getting any softer and pulling the cat by the balls makes no sense anymore. We are in a difficult situation, with too much outside scrutiny of the firm, and the boss has apparently decided to lay low.

The message goes on to announce a two to three month shutdown, so making the right person disappear can certainly disrupt cyber crime groups. Now, we aren't necessarily advocating throwing cyber crime kingpins off real bridges, although we do wonder if it might be morally justifiable after they launch ransomware attacks on healthcare organisations. But we certainly think that there could be opportunities to disrupt or hijack the communications and identity systems these groups use to make people virtually disappear.

The Global Internet is Dead

A Council of Foreign Relations Independent Task Force report released last week spells out some hard truths and foreshadows changes in US policy.

The major findings ring true to us:

• The era of the global Internet is over.
• U.S. policies promoting an open, global Internet have failed, and Washington will be unable to stop or reverse the trend toward fragmentation.
• Data is a source of geopolitical power and competition and is seen as central to economic and national security.
• The United States failure to adopt comprehensive privacy and data protection rules at home undercuts Washington’s ability to lead abroad on digital trade.
• Increased digitisation increases vulnerability, given that nearly every aspect of business and statecraft is exposed to disruption, theft, or manipulation.
• Most cyberattacks that violate sovereignty remain below the threshold for the use of force or armed attack. These breaches are generally used for espionage, political advantage, and international statecraft, with the most damaging attacks undermining trust and confidence in social, political, and economic institutions.
• Cybercrime is a national security risk, and ransomware attacks on hospitals, schools, businesses, and local governments should be seen as such.
• The United States can no longer treat cyber and information operations as two separate domains.
• Artificial intelligence (AI) and other new technologies will increase strategic instability.
• The United States has failed to impose sufficient costs on attackers.
• Norms are more useful in binding friends together than in constraining adversaries.
• Indictments and sanctions have been ineffective in stopping state-backed hackers.

Perhaps significantly, Nathaniel Fink, one of the co-Chairs of the Task Force is President Biden's nominee to lead the State Department's new Bureau of Cyberspace and Digital Policy. The report recommends the US Government sharpens its focus on digital competition and trade, but rein in its expectations when trying to shape the global Internet.

One particular gem in the report addresses the separation of cyber and information security in US and allied governance structures. The report says:

After the creation of U.S. Cyber Command (CYBERCOM), at a meeting of Russian and U.S. defence officials, one Russian officer reportedly derided the lack of information warfare in Cyber Command’s mission. General Nikolai Makarov told his counterparts, “One uses information to destroy nations, not networks.”

The report also included dissenting views — on the development of norms and the national security threat of cyber crime — and they're worth a look.

Three Reasons to be Cheerful this Week:

1. Schulte sent away: Joshua Schulte was convicted of stealing classified material and leaking it to WikiLeaks in the so-called Vault 7 Leaks. Schulte hasn't yet been sentenced as he is still awaiting trial for the possession of child sexual abuse material.
2. Cyber Command shares IOCs from malware targeting Ukraine: US Cyber Command has disclosed dozens of IOCs that have been used against computer networks in Ukraine. They've been shared on Pastebin, GitHub and VirusTotal.
3. Half a million seized from North Korean healthcare hackers: The US Department of Justice seized approximately half a million dollars from North Korean hackers that had targeted US healthcare organisations with ransomware attacks using Maui ransomware. Deputy Attorney General Lisa Monaco said that rapid reporting and cooperation from a victim "not only… allowed[ed] us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain".

Running a Global Vulnerability Management Program with Nucleus

Risky Business publishes sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors.

In our latest demo, Scott Kuffer shows Patrick Gray the ins and outs of Nucleus Security. Nucleus is a platform that ingests the scan outputs from a number of vulnerability identification tools, normalises that information and then allows vulnerability management teams to do things like assign responsibility for certain types of bugs to the correct people.

You can subscribe to our product demo page on YouTube here.

Shorts

Malicious Password Crackers Target Industrial Systems

Dragos has released a report showing malicious password cracking software for industrial systems is being used to infect industrial systems with the Sality botnet. In this infection scenario, someone forgets or loses the password for a particular Automation Direct Programmable Logic Controller. A user then downloads the cracker and runs it on their internet-connected production system to recover the lost password. In addition to recovering the password the software also installs Sality, a peer-to-peer botnet which Dragos says is used "for distributed computing tasks such as password cracking and cryptocurrency mining".

The password cracker Dragos examined didn't brute force passwords, but instead used a firmware vulnerability to extract the password directly from the device. (Hilariously, although the password cracker required a serial connection, the vulnerability could also be exploited over ethernet.) The vendor has released a firmware update for this particular vulnerability, but who knows if it has actually been installed anywhere? And then how would people recover passwords?

Although Dragos examined only one specific password cracking software tool, it says the same group is distributing a range of password crackers affecting a wide variety of industrial-related software including PLCs and Human-Machine Interfaces.

Flying Without Top Cover

In mid-June we explored ("Keep Your Enemies Closer") some reasons why US defence contractor L3Harris buying NSO group could make sense. On July 10 The New York Times reported officials in the US intelligence community supported plans to purchase the firm, but it looks like White House officials were blindsided by news of the potential purchase. So, as we predicted, the deal is now as dead as a doornail.

The US$620m pdf

It turns out the Axie Infinity hack, which resulted in the theft of over USD$620m from the NFT-based (non-fungible token) game, was set in train by luring a senior engineer to open a malicious job offer pdf. The senior engineer was approached via LinkedIn and ultimately opened the malicious job offer after multiple interview rounds. The US government attributed the hack to the North Korean state-sponsored groups.

From Risky Biz News:

TikTok security chief steps down: TikTok announced major changes to its security leadership on Friday as the social media platform faces renewed scrutiny from US lawmakers over its ties to China. Security chief Roland Cloutier will step down in September, while current security executive Kim Albarella will replace him on an interim basis, TikTok said. [More coverage in The Record]

Denmark bans Google Workspace: The Danish data protection agency banned the use of Google Workspace (formerly known as Google Apps and later G Suite) by local governments. The agency's decision came in a case involving the city of Helsingør, which was using Chromebooks and Google Workspace apps to for administrative tasks, including for the management of local schools. The Datatilsynet banned the use of Google Workspace, citing Google's hidden data collection practices, which transferred the personal details of Danish citizens abroad to US servers, contrary to EU and Danish legislation.

Google removes app permissions from the Play Store: If you haven't visited the Google Play Store in recent weeks, the official Android OS app store is going through a major change through the phase-out of the old section that listed permissions an app would require before installation.

Replacing the App Permissions section is a new one called Data Safety.

As Ron Amadeo writes in his Ars Technica piece, Google is moving away from a highly technical and trusted procedure to an "honor system" where users must hope that app developers don't lie about what permissions their apps use.

This is problematic in so many ways, and the overwhelming response has been very critical of Google's latest decision. (continued)