Srsly Risky Biz: Thursday May 26

USA adopts 'ostrich strategy' to fight disinfo

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Ostrich Approach to Disinfo Not a Great Strategy

Adversary states are promoting state-sponsored disinformation and manipulating social media, but some Western liberal democracies — particularly the United States — are poorly placed to respond.

There is evidence that some countries are actively building the infrastructure that's required to launch and sustain disinformation operations. Last week the security company Nisos released a report on the Fronton IoT botnet, which it describes as "a botnet for [the] creation, command, and control of coordinated inauthentic behaviour".

Public knowledge of Fronton comes from a 2020 leak from supposed hacktivist group Digital Revolution, which claimed to have found documents related to Fronton after it breached an FSB subcontractor. After an initial tranche of documents was released, Fronton was described in subsequent reporting as an IoT botnet likely to be used to launch DDoS attacks.

Nisos' analysis is based on a second tranche of documents that, although released just a day later, didn't receive the same media attention at the time. Based on these documents, Nisos believes Fronton's primary purpose is to manipulate social media:

Nisos analysed the data and determined that Fronton is a system developed for coordinated inauthentic behaviour on a massive scale. This system includes a web-based dashboard known as SANA that enables a user to formulate and deploy trending social media events en masse.

According to Nisos, Fronton can be used to automatically create user accounts, and it could use several SMS services to create phone numbers to respond to authentication and verification requests. Fronton supported social media ("six popular social media platforms"), blogs, media sites, and various forums, depending on the underlying technology used.

These accounts were assigned "behaviour models" that configured how they behaved over time, presumably so that they behaved like real people. But they could also be tasked with executing particular social media behaviours en masse, such as coordinated posting or commenting.

It appears that the botnet was the backend infrastructure that provided geographically diverse internet points of presence, so that the social media manipulation system didn't lose its accounts. (20,000 troll accounts logging in via a single IP tends to raise some red flags.)
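The two detection angles those paragraphs imply, as an added illustration in Python that is not from the Nisos report or from Fronton's own code: a per-IP check that catches many accounts sharing one exit address, and a content-and-timing check that still fires when the accounts are spread across many addresses and merely post the same thing at the same time. The events, account names and IPs (RFC 5737 documentation ranges) are constructed, and the thresholds are assumptions a platform would tune to its own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of platform events: (timestamp, account, source IP, post text).
# Accounts and text are made up; IPs are from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    # Naive troll farm: several accounts behind one address (caught by the per-IP check).
    ("2022-05-20T09:00:00", "acct_a1", "203.0.113.5", "Great news about the new bridge project"),
    ("2022-05-20T09:01:00", "acct_a2", "203.0.113.5", "Totally agree with the council decision"),
    ("2022-05-20T09:02:00", "acct_a3", "203.0.113.5", "Can't wait for the weekend"),
    # Accounts spread over many addresses pushing one message within minutes
    # (evades the per-IP check, caught by the coordination check).
    ("2022-05-20T10:00:00", "acct_b1", "198.51.100.10", "The report is a FAKE, share before it's deleted!"),
    ("2022-05-20T10:00:40", "acct_b2", "198.51.100.77", "The report is a fake, share before it's deleted!"),
    ("2022-05-20T10:01:15", "acct_b3", "192.0.2.33", "the report is a FAKE share before its deleted"),
    ("2022-05-20T10:02:05", "acct_b4", "192.0.2.200", "The report is a FAKE, share before it's deleted!"),
    # Ordinary users: distinct addresses, distinct content, or the same text but hours later.
    ("2022-05-20T10:03:00", "alice", "192.0.2.8", "Anyone know a good coffee place near the station?"),
    ("2022-05-20T11:30:00", "bob", "198.51.100.5", "The report is a FAKE, share before it's deleted!"),
]


def normalize(text):
    """Lower-case and strip punctuation so trivially varied copies compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]+", "", text.lower()).split())


def parse_events(rows):
    """Turn the raw rows into (datetime, account, ip, text) tuples."""
    return [(datetime.fromisoformat(ts), acct, ip, text) for ts, acct, ip, text in rows]


def accounts_per_ip(events, threshold=3):
    """Addresses from which at least `threshold` distinct accounts were active."""
    by_ip = defaultdict(set)
    for _, acct, ip, _ in events:
        by_ip[ip].add(acct)
    return {ip: sorted(accts) for ip, accts in by_ip.items() if len(accts) >= threshold}


def coordinated_posts(events, window=timedelta(minutes=5), min_accounts=3):
    """Normalized texts posted by at least `min_accounts` distinct accounts inside one `window`,
    regardless of which addresses those accounts used."""
    by_text = defaultdict(list)
    for ts, acct, _, text in events:
        by_text[normalize(text)].append((ts, acct))
    flagged = {}
    for text, posts in by_text.items():
        posts.sort()
        # Slide a window starting at each post; flag on the first dense cluster.
        for start, _ in posts:
            accts = {a for t, a in posts if start <= t <= start + window}
            if len(accts) >= min_accounts:
                flagged[text] = sorted(accts)
                break
    return flagged


def analyse(rows=SAMPLE_EVENTS):
    """Run both checks and return their hits keyed by check name."""
    events = parse_events(rows)
    return {"shared_ip": accounts_per_ip(events), "coordinated": coordinated_posts(events)}


if __name__ == "__main__":
    for kind, hits in analyse().items():
        print(kind)
        for key, accts in hits.items():
            print(f"  {key!r}: {accts}")
```

On the sample, the per-IP check flags only the three accounts behind 203.0.113.5, while the four accounts spread over four addresses are flagged solely by the coordination check; the same message posted ninety minutes later by an unrelated user falls outside the window and is not flagged. In a real system the content check would sit on top of the per-IP one, since the whole point of renting diverse points of presence is to make the second check the only one that still fires.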

It's not clear if Fronton was actually used operationally, and Nisos reports that Fronton was developed as part of a research project. Nisos found what it believes to be a test or demonstration system online, but doesn't believe that it is currently being used by the FSB.

Dr Jacob Wallis, head of disinformation research at the Australian Strategic Policy Institute, told Seriously Risky Business it was "no surprise" to see evidence of a system like this pop up in the wild.

"Russia already has multiple assets in play, actively manipulating the information environment across a range of locations of strategic interest to the Kremlin," he said. "In our own analysis of disinformation campaigns on social media we see indications in at-scale campaigns… that applications like Fronton are likely to be operational already."

Major General (retired) Dr. Marcus Thompson, former head of the Australian Defence Force's Information Warfare Division and now Chief Strategy Advisor at ParaFlare, agrees with Wallis. "Military deception has been around since biblical times," he told Seriously Risky Business. "What's new is being able to conduct those same military activities in and through cyberspace."

"We've known for some time that social media is being used for nefarious purposes, for deception, for misinformation, and that algorithms are being used to manipulate is not new. That these kinds of tools and techniques are being used by nation states shouldn't surprise anyone."

Indeed, a variety of groups are currently spreading disinformation related to the Russian invasion of Ukraine. Mandiant reports a variety of cyber-enabled information operations it believes are "operating in support of the political interests of nation-states such as Russia, Belarus, China, and Iran, including ongoing campaigns that we have tracked for years".

These operations use a variety of techniques including specially created Telegram channels, compromised websites, forged source materials, fake media outlets, and compromised or actor-controlled social media accounts.

Russian and Belarusian actors want to demoralise Ukraine and bolster Russia, but other states may have their own reasons, including to merely disparage the US and Western response. China-linked groups are also currently promoting Russian disinformation, but not for the reasons you might expect.

Mandiant reports that a pro-PRC campaign dubbed Dragonbridge has echoed false Russian state narratives about the existence of US military-linked biological weapons research facilities in Ukraine. Rather than necessarily indicating a pro-Russian or pro-invasion stance, Jessica Brandt, a digital authoritarianism expert at the Brookings Institute told Radio Free Europe that China's motivations are really about deflecting blame for COVID-19.

"This is really about COVID; it’s about China pushing back on the narrative that it might bear responsibility for COVID’s origins and [it] has a desire to push conspiracy theories of its own around the origins of COVID", she said.

Given that Russia and China are increasingly invested in disinformation and the active control of online spaces, how are liberal democracies responding?

For the US at least, the answer is "not very well". Last week the US Department of Homeland Security put on hold plans for a Disinformation Governance Board, after the announcement of its establishment resulted in an outcry.

Wallis thinks there is increasing concern among policymakers in liberal democracies about disinformation and propaganda, particularly from Russia and China, but it is a tricky issue to tackle. "Domestic political misinformation creates complications for governments and in the US the issue has become intensely politicised".

Despite this, Wallis thinks that democratic governments should absolutely be engaging with the challenge of disinformation.

"Disinformation is a national security threat in the context of foreign interference, subversion, and election interference. Through social media adversaries now have direct reach into the populations of their strategic competitors in a way that they didn't before."

Marcus Thompson agrees, but points out that from a military perspective there are policy questions to resolve. In liberal democracies, he said, we have "sensible, important constraints on the use of these tools," and there are policy decisions about what tools we should (and shouldn't) hold, and under what circumstances we should use them. He cautioned that "if we don't compete in this space, we are potentially ceding this space to an adversary in the event of conflict".

So what should democracies do? Both Wallis and Thompson cited Ukraine and President Volodymyr Zelensky as having run an effective information warfare campaign that made Russia's disinformation moot. And Wallis pointed to US and Ukrainian efforts to counter Russian disinfo by getting on the front foot using declassified intelligence.

Thompson also argues for a more nationally coordinated approach and referred to the DIME model of national power, which describes national power as consisting of four elements — Diplomatic, Informational, Military, and Economic.

"We have ministers and departments of state that are responsible for leading the Diplomatic, Military and Economic. Who's leading the Informational? Where is the I in DIME?"

The Artist Formerly Known as Conti

Counter-ransomware efforts may be biting and the ransomware industry is evolving in response, but government needs better information.

The Conti ransomware brand is shutting down, according to threat intelligence company AdvIntel. Unfortunately, the group itself will continue and has partnered or merged with a number of other groups including Karakurt, BlackBasta, BlackByte, AlphV/BlackCat, HIVE, HelloKitty/FiveHands and AvosLocker.

AdvIntel believes this rebrand is occurring because the Conti name is so toxic it is preventing the group from being paid. Partly, this is because Conti shot itself in the foot by aligning itself so closely to the Russian state at the beginning of the invasion of Ukraine. As a direct result, a pro-Ukrainian security researcher leaked years of Conti chat logs, revealing a wealth of information about the group including names, photos and personal details of a number of group members.

This unwanted transparency made affiliates reluctant to deal with them. It also made it crystal clear to victims that Conti was associated with Russia, and has made them reluctant to pay ransoms for fear of breaking the many invasion-related US sanctions on Russian entities. Bill Siegel, for example, the co-founder of ransomware incident response firm Coveware, told ProPublica that Coveware stopped making payments to Conti after the proclamation.

In addition, the US State Department offered a USD$10m reward for information about Conti leadership, and the group's political stance likely kicked off internal conflict between its Ukrainian and Russian members.

AdvIntel claims that the recent high-profile Conti attack on the Costa Rican government was all smoke and mirrors, designed to distract attention as it developed a new structure.

If sanctions and rewards are effective, why not impose them more often? ProPublica explores the difficulties of sanctions — it's far better to list specific individuals rather than essentially meaningless group (nick)names, but it is hard for OFAC, the Treasury office responsible for sanctions, to attribute ransomware operations to particular individuals. (We suspect other agencies would find it easier.)

The US is continuing with further counter-ransomware initiatives, with CISA announcing a Joint Ransomware Task Force and the Department of Justice announcing efforts to counter illegal cryptocurrency transactions and disrupt cyber actors.

These efforts (combined with the fallout from the invasion of Ukraine) appear to be making some difference: there appears (maybe) to be a shift to more attacks outside of the US. Besides Costa Rica, there have been attacks in Greenland, Peru and Ecuador.

Allan Liska, a ransomware expert at Recorded Future, told this newsletter it appeared to be a real trend towards more attacks in South America and parts of Asia, although "attacks against the US and Western European countries don’t seem to be slowing down".

Brett Callow, threat analyst at Emsisoft, thinks that US counter-ransomware efforts might actually be having some effect. "I suspect this has resulted in some threat actors deciding to test the waters in countries where they perceive there to be less risk in the risk-reward ratio," he said. But he cautioned "the reality is that we [have] so little data that it's extremely difficult to say whether the number of attacks have decreased at all and, if they have, whether they're down everywhere or whether some attacks have been shifted from one country to another".

A US Senate Committee report released this week agrees that the US doesn't have a good picture of ransomware attacks. The report found data collection on ransomware attacks is "fragmented and incomplete" and:

This limited collective understanding of the ransomware landscape and the cryptocurrency payment system blunts the effectiveness of available tools to protect national security and limits private sector and federal government efforts to assist cybercrime victims.

In other words, we could do a lot better if we just knew what was actually going on.

Three Reasons to be Cheerful this Week:

  1. A Kinder, Gentler CFAA: The US Department of Justice announced last week a "revision" to its policy for charging cases under the Computer Fraud and Abuse Act. For the first time, the policy states that "good faith security research" should not be charged. The announcement has a list of "hypothetical CFAA violations" that should not be charged, including embellishing an online dating profile, checking sports scores at work and using a pseudonym on a social networking site. I mean, really, and it only took 30 years for common sense to prevail.
  2. Gold in them thar hills!: Pwn2Own Vancouver awarded more than USD$1.2m for 27 vulnerabilities discovered during the event. STAR Labs, a small Singaporean cyber security company, took home more than USD$270k alone. This kind of money is absolutely dwarfed by the rewards on offer in the cryptocurrency space — a bug hunter going by 'satya0x' earned a USD$10m reward for discovering a bug in the Ethereum Wormhole bridge. Using the vulnerability, an attacker could have wiped out (but not stolen) USD$736m worth of cryptocurrency assets. With rewards this big, this author is looking forward to writing even more about cryptocurrency hacks as competent hackers smell that gold.
  3. A picture worth a thousand words: The Bank of Zambia responded to a HIVE ransomware attack by sending dick pics to the attacker. This newsletter does not normally approve of unsolicited dick pics, but we are making an exception in this case.

Save Time with a Risky.Biz Product Demo

Risky Business is publishing sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors.

In our latest demo, Sergio Gonzalez shows Patrick Gray the ins and outs of Red Canary's Managed Detection and Response service.

You can subscribe to our product demo page on YouTube here.

The Always Hilarious Problem With "Code is Law"

Bloomberg has a very interesting deep dive into a hack of the Indexed Finance decentralised finance (DeFi) platform. A teenage Canadian maths prodigy, Andean Medjedovic, exploited Indexed Finance's code in a series of steps that started with him borrowing USD$157m and ended with him holding USD$11.9m worth of cryptocurrency.

Medjedovic was tracked down by the Indexed Finance team, who offered him a 10% "reward" if he returned the funds. He declined and instead taunted Indexed Finance on Twitter saying "You were out-traded. There is nothing you can do about that. … Such is crypto". After their ultimatum was not accepted Indexed Finance decided to sue Medjedovic for fraud. In discussions with Bloomberg reporter Christopher Beam, he argued that "code is law" and he didn't use unauthorised access or stolen keys — he simply executed trades as per the smart contract's publicly available rules.

It'd be interesting to see a court ruling on this, but we may not see it. Medjedovic has disappeared, and almost USD$400k of the stolen funds have been moved through a mixing service.

The Ls Keep Rolling in For Clearview AI

Clearview AI, which we wrote about two weeks ago ("Crunch time for facial recognition"), has been fined £7,442,800 by the United Kingdom's Information Commissioner's Office. Clearview was found to have broken data protection laws by, among other things, scraping people's images from the public web without consent. This was the result of a joint investigation with the Office of the Australian Information Commissioner, although the Australian Office didn't impose any financial penalty.

They'll Steal Your Account Before You Even Have It

New research from Avinash Sudhodanan and Andrew Paverd shows that some web accounts can be "pre-hijacked" before a user even creates them. Sudhodanan and Paverd write that an attacker knowing a victim's email can "perform some action before the victim creates an account, which makes it trivial for the attacker to gain access after the victim has created/recovered the account". The pair found five different types of account pre-hijacking attacks, and 35 of 75 popular services the pair analysed were susceptible to one or more of them.
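As an added illustration (not code from the paper or from any of the services it analysed), here is one pre-hijacking pattern that fits the quoted description, in Python: the attacker registers the victim's address first and holds on to a session; the victim later recovers the account by password reset, and in the vulnerable service the attacker's session and password survive that reset. The hardened version keeps the account inert until the mailbox owner confirms it and treats recovery as a reason to revoke everything set up before. The service classes, account names and the assumption that reset and confirmation links are delivered out of band are mine, not the paper's; passwords are stored in plaintext only to keep the illustration short.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    password: str          # plaintext only for brevity; a real service stores a hash
    verified: bool
    sessions: set = field(default_factory=set)


class VulnerableService:
    """Account service with the two weaknesses this scenario needs: accounts are
    usable without email verification, and recovery does not revoke existing sessions."""

    def __init__(self):
        self.accounts = {}

    def signup(self, email, password):
        # Anyone who merely knows the address can create and immediately use the account.
        self.accounts[email] = Account(email, password, verified=True)
        return self.login(email, password)

    def login(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or not acct.verified or not hmac.compare_digest(acct.password, password):
            return None
        token = secrets.token_hex(16)
        acct.sessions.add(token)
        return token

    def recover(self, email, new_password):
        # Reached after the mailbox owner follows a reset link (delivery assumed out of band).
        # Weakness: the old password goes away, but sessions opened with it survive.
        self.accounts[email].password = new_password

    def session_valid(self, email, token):
        acct = self.accounts.get(email)
        return acct is not None and token in acct.sessions


class HardenedService(VulnerableService):
    def signup(self, email, password):
        # The account exists but is inert until the mailbox owner confirms it.
        self.accounts[email] = Account(email, password, verified=False)
        return None

    def confirm_email(self, email):
        # Reached only through a link sent to the mailbox (delivery assumed out of band).
        self.accounts[email].verified = True

    def recover(self, email, new_password):
        acct = self.accounts[email]
        acct.password = new_password
        acct.verified = True      # proof of mailbox control is also proof of ownership
        acct.sessions.clear()     # whoever opened earlier sessions is no longer trusted


def attacker_retains_access(service_cls):
    """Run the pre-hijacking scenario against a service class and report whether the
    attacker's foothold survives the victim taking the account over."""
    svc = service_cls()
    victim = "victim@example.com"   # constructed address
    # 1. Attacker registers the victim's address first and keeps any session it gets.
    attacker_token = svc.signup(victim, "attacker-chosen-pw")
    # 2. Victim later finds the address taken and uses password recovery, then logs in.
    svc.recover(victim, "victim-chosen-pw")
    victim_token = svc.login(victim, "victim-chosen-pw")
    assert victim_token is not None, "the victim must end up logged in either way"
    # 3. Does anything the attacker set up still work?
    by_session = attacker_token is not None and svc.session_valid(victim, attacker_token)
    by_password = svc.login(victim, "attacker-chosen-pw") is not None
    return by_session or by_password


if __name__ == "__main__":
    for cls in (VulnerableService, HardenedService):
        print(f"{cls.__name__}: attacker retains access = {attacker_retains_access(cls)}")
```

The check a service owner should take from this is the one in `attacker_retains_access`: after a user proves control of the mailbox, no session, password or linked identity created before that proof should still work. Requiring verification before an account becomes usable closes the front door; clearing sessions and credentials on recovery closes the one the paper's description points at.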

It Was Just Innocent Research, Your Honour!

Popular Python and PHP libraries were compromised to send environment variables to the attacker, possibly including secrets such as AWS keys. The Python library was compromised by the attacker re-registering an expired email domain to gain control of the package's developer account. This is covered very well with more detail in this edition of our other newsletter, Risky Business News. The attacker has now written about the hacks, claiming they were not malicious, and just good ole security research. Maybe they had read about the Department of Justice's CFAA policy change?

You Should Read The Grugq

Apropos of nothing, The Grugq's Info Op newsletter is quite good and you should subscribe to it. Best described as a daily list of things The Grugq found interesting, studies indicate it contains at least 10 grams of pure cyber per serve.