Srsly Risky Biz: Thursday, July 22

Stern words for China as Candiru joins the bogeyman club

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsors CyberCX and Proofpoint.

A sternly worded letter is unlikely to contain China's cyber aggression

In a largest-by-far joint condemnation of Chinese cyber activity, the US and its 5-Eyes allies, the European Union, all NATO members, and Japan and South Korea denounced the Chinese government over its involvement in the mass exploitation of Microsoft Exchange servers earlier this year.

European nations held China responsible for allowing 'malicious cyber activities to have been undertaken' from its territory, while 5-Eyes countries drew direct links between the Ministry of State Security and contract hackers responsible for numerous exploitation campaigns and intrusions.

The US went furthest. Along with an indictment of four Chinese nationals overseeing or conducting hacking on behalf of the Ministry of State Security (MSS), CISA revealed that Chinese hackers had compromised US critical infrastructure to develop attack capabilities by re-releasing a decade-old alert with updated attribution. The statement even tied the MSS to ransomware on US networks.

Regardless of the differences in diplomatic messaging, this is by far the biggest joint attribution in history. But did it go far enough?

In the early days of the Biden administration and in the aftermath of the SolarWinds Orion compromise, the US sanctioned several companies that supported Russia's cyber infrastructure. This came despite this hack being a model cyber espionage operation that was tightly scoped to military and government targets and took reasonable steps to avoid collateral damage.

By contrast, although the Chinese exploitation of Exchange servers was discovered relatively quickly and wasn't the intelligence coup that the Russian operation was, in other respects it stepped far beyond 'acceptable' state espionage practices. Exchange servers were exploited en masse, indiscriminately, and with no effort to avoid collateral damage -- compromised servers were left open with unsecured webshells that were subsequently exploited by criminals.

This is the first argument for stronger action.

A second argument is that diplomacy has just not worked. The agreements that the PRC signed to not conduct cyber-enabled theft of intellectual property with the US, and at the G20 did not hold, and previous joint denunciations and indictments have not deterred cyber activities.

But there are arguments against stronger action.

Firstly, many countries -- not least the US -- have strong economic and trade relationships with China, and the chances it will play dirty (economic coercion, bureaucratic warfare) in response to sanctions may discourage the Biden administration from imposing them.

Secondly, it's possible the US lacks evidence of direction from state officials. If the mass exploitation of Exchange servers was state-directed there would surely have been a far stronger response. If it were rogue contractors then perhaps the thinking is to apply maximum diplomatic pressure to pull them into line.

Still, it's significant. The large number of countries involved in this coordinated action is an indication that global sentiment has shifted significantly against the scale and scope of Chinese cyber operations. And despite China's denials, this protest will affect China's decision making to some degree.

But it is not clear how big a difference this will make -- China’s cyber espionage program directly addresses its strategic goals of acquiring critical technologies and securing economic growth. We'll let you place your bets on how it will weigh international embarrassment against its cyber program's contribution to important strategic goals.

China wants 0days for the 0day gods

The Chinese government has published new vulnerability disclosure rules that will take effect on September 1.

Notably, these rules ban the sale of vulnerability information and encourage researchers to report bugs to vendors. They also require vendors to send bug reports  to the Ministry of Industry and Information Technology within two days. Another provision prevents the disclosure of vulnerabilities to overseas organisations (other than vendors).

Fundamentally these rule changes are designed to strengthen China’s cyber capabilities, in two different ways.

Firstly, they are intended to improve Chinese domestic cyber security. Although some rules look a bit unconventional to us (“do not deliberately exaggerate the hazards and risks of network product security vulnerabilities”) or are too stringent (“report vulnerabilities to the government within two days”), other rules encourage or oblige vendors to solicit, receive and fix bug reports. That’s entirely sensible.

Secondly, they are intended to funnel China’s domestic security research directly to Chinese intelligence agencies. Previous research indicates that vulnerabilities are vetted by the Ministry of State Security (MSS) before being published in China's National Vulnerability Database (equivalent to the US National Vulnerability Database). As we wrote above, the MSS is suspected of controlling contract hackers that have been indicted by the US Department of Justice for conducting a wide-ranging decade-long intellectual property theft campaign against Western companies.

There's a domestic intelligence angle to this too. Internal security is a very high priority and in the past extremely valuable vulnerabilities -- like exploit chains that could take control of fully patched iPhones -- have been used for spying on China’s own Uyghur population.

Since cyber operations, these days, are one of the main ways that states seek geopolitical advantage, will these new laws change the balance of power in competition between the US and China?

There is a tension here that limits how far the PRC can actually improve national cyber security. There is no doubt that funnelling all the country’s vulnerabilities through the MSS will strengthen their intelligence-gathering capabilities, but its focus on internal unrest means that it's often reluctant to use some common security best practices. WeChat is not end-to-end encrypted in China, for example, because the government wants to censor and surveil its citizens. These opposing objectives -- decent national cybersecurity and mass surveillance via state mandated insecurity -- may prove difficult to reconcile.

Lots of cyber chefs in America's cyber kitchen

It's not yet clear how their different roles and responsibilities will work together, but the US government now has a wealth of talent in senior cyber security positions: Jen Easterly is head of CISA; Anne Neuberger is Deputy National Security Advisor for Cyber and Emerging Technology; Chris Inglis is National Cyber Director; and General Paul Nakasone 'dual-hats' at NSA and Cyber Command.

Last week the White House revealed the launch of an interagency ransomware task force. Beyond the obligatory website, one focus will be on strengthening cryptocurrency exchange's protections against money laundering, while another initiative is an up to $10 million reward for information regarding the state-sponsored hacking of US critical infrastructure. This reward is an interesting way to flush out state activities (and pays better than the Colonial Pipeline hack!) but has been carefully worded to focus on activities 'at the direction or under the control of a foreign government', presumably to avoid encouraging more critical infrastructure hacking just to collect the reward. Do criminals read the fine print? Is North Korean eyeing this as a new revenue opportunity?

Google TAG: Improved security, detection and response driving 0day boom

Google’s Threat Analysis Group speculates that the increased discovery of 0days in the wild is best explained by improvements in product security and detection and response to attacks. Google reports that for the first six months of 2021, 33 0days have been disclosed after being discovered in the wild compared to 22 in all of 2020. Requiring 0days raises the costs of espionage campaigns, yet at the same time an ecosystem of commercial exploit vendors and hacking-for-hire companies has risen.

The end result may be that it is both harder to build a cyber operation (because it requires more technical expertise) and easier to get one (cos you can just buy it).

Candiru joins bogeyman club. Founding member NSO also in the news.

There are reports this week detailing some of the activities of two Israeli spyware-for-hire companies.

The University of Toronto’s Citizen Lab released a deep dive into Candiru, a spyware-for-hire company with clients in ‘Europe, the former Soviet Union, the Persian Gulf, Asia and Latin America’.

Some of the domains Candiru used in its campaigns aimed to masquerade as Amnesty International, Black Lives Matter-related entities and Refugees International. This suggests that at least some of its target set resides in political and civil society, not the criminal underworld. Microsoft, which worked with Citizen Lab on Candiru's malware, found that targeted individuals included “politicians, human rights activists, journalists, academics, embassy workers and political dissidents”.

Also this week: Multiple reports examine the alleged distribution of NSO Group’s Pegasus malware and found, among other things, the targeting of murdered columnist Jamal Khashoggi’s wife and fiance, as well as human rights activists and journalists.

Amnesty International and Forbidden Stories, a Paris-based journalism non-profit, received a list of more than 50,000 numbers they initially claimed contain phone numbers of interest to NSO clients. Examination of 67 of the phones on the list found evidence of a successful or attempted compromise in 37 of them.

This story is still playing out. NSO's denials are strident, as is usual, but Risky.Biz first flagged potential issues with the list of 50,000 “targets” in our July 22 podcast. Amnesty has walked back the description it was a list of targets. This is hugely problematic. Much of the news media has made a very big deal about phone numbers belonging to heads of state appearing in the “leak”. We think it's time for Amnesty and Forbidden Stories to disclose what this list actually is and where it came from.

Shorts:

A convenient backdoor

The developer of KiwiSDR, a software defined wideband HF radio, included a hardcoded backdoor that granted him remote administrator access, which he used when troubleshooting. The KiwiSDR is designed to allow public sharing over the web, which allows interesting multi-receiver applications like geolocation, so remote administrator access makes some sense. But it would’ve been better to tell people upfront and not send passwords in the clear...

Test your backups

Brian Krebs examines the various reasons that backups alone are not enough to protect from ransomware. The crucial but often missed second step is to ensure you can recover from backups!

ASD updates the Essential Eight

The Australian Signals Directorate's ACSC released an update to its Essential Eight maturity framework that, among other things, encourages tighter timeframes for patching, mandates MFA on government-to-citizen communications, and now factors in logging, monitoring and response when judging an agency's security operations.

WhatsApp multi-device encryption

WhatsApp is beta testing a new architecture that will allow users to enrol multiple devices without relying on a smartphone to host the conversation. Though enrolling a new device will no doubt generate a warning, proponents for exceptional access will undoubtedly see the announcement as evidence that since these clever engineers can provide multiple devices with access to the same conversation they can surely provide it to law enforcement as well...

Don’t crap where you eat

Trend Micro researchers discovered malware targeting users of illegal Chinese gambling sites in mainland China, with indications that it has some association with Chinese hacking group APT41. It’s unusual for a state-sponsored group to attack domestic targets without explicit direction.

From compromise to recovery

Anti-spam nonprofit Spamhaus helped re-secure 780,000 email accounts compromised by the Emotet malware gang. Law enforcement gained access to lists of compromised accounts when they seized Emotet servers, but apparently there is no way for law enforcement to directly notify account holders, so they relied on Spamhaus to act as a trusted intermediary.

It’s unclear exactly what happened, but it appears that Spamhaus used its established relationships with domain owners to re-secure the affected accounts.