Srsly Risky Biz: Thursday, November 11

US offers millions to ransomware snitches, offsec export crackdown

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

US State Department Seeks Ransomware Snitches

A wave of international action against ransomware demonstrates the effectiveness — and the limits — of coordinated action. The actions involved arrests coupled with unsealed indictments, cryptocurrency seizures, cryptocurrency exchange sanctions and multimillion dollar rewards for information about Darkside or REvil leadership and affiliates. Some of these actions will directly affect the ransomware ecosystem, but the doxxing and rewards appear intended to make life deeply uncomfortable for criminals in bullet-proof jurisdictions like Russia.

Europol announced seven ransomware affiliate arrests, five for involvement in REvil/Sodinokibi ransomware and another two for involvement with GandCrab. The arrests occurred around the world: two people in Romania, three in South Korea, one in Kuwait and one in Poland at the request of the US.

The Department of Justice also unsealed indictments against two ransomware affiliates. The first, Yaroslav Vasinskyi, a 22-year-old Ukrainian national arrested in Poland, is accused of being responsible for the Kaseya attack that affected up to 1,500 businesses.

The second indictment charged Russian Yevgeniy Polyanin with ransomware attacks, claiming he extorted around USD$13m from his victims. Polyanin is still at large, presumably in Russia.

Dmitri Alperovitch, co-founder of Crowdstrike and Chair of the Silverado Policy Accelerator, described the indictment as "an important test case for Russian cooperation on ransomware. If the Russians don’t arrest him soon, we will know that they have no intention to cooperate".

Although Polyanin hasn't (yet?) been arrested, the Department of Justice seized (by cashier's cheque!) USD$6.1m in cryptocurrency he was holding with a cryptocurrency exchange based in the Bahamas.

The US also sanctioned the Chatex cryptocurrency exchange for "facilitating financial transactions for ransomware actors," claiming "Chatex’s known transactions indicate that over half are directly traced to illicit or high-risk activities such as darknet markets, high-risk exchanges, and ransomware". Treasury claims Chatex also had ties to the Suex exchange (sanctioned in September), "using Suex’s function as a nested exchange to conduct transactions".

The US State Department also announced large rewards for information on the identity and location of DarkSide or REvil leadership and their affiliates (USD$10m and USD$5m respectively).

We seriously doubt the US needs to use monetary rewards to identify ransomware criminals — criminal-level opsec is no match for top-tier intelligence services. For Yevgeniy Polyanin, for example, the US knows his passport no, driver's licence, date of birth, tax ID, business registration number and cryptocurrency addresses, and also has a few nice mug shots. These rewards are squarely targeted at the psychology of criminals in bullet-proof jurisdictions.

Dmitry Smilyanets, Russian former hacker and Expert Threat Intelligence Analyst at Recorded Future, agrees. He told Seriously Risky Business the rewards might result in information and arrests, but are "aimed to cause disruption and create a psychological impact".

"Their lives will never be the same again… For cybercriminals [they will be] hiding from law enforcement and physical world criminals at the same time. It's hard to think straight when you know your neighbor can sell you for $10,000,000."

He also thought it would change the nature of the relationship between criminals and the police. "I believe these high rewards will raise the bar for kickbacks because now the local cops have new opportunities to monetize their proteges."

It's a loltastic way to leverage Russian law enforcement. Hopes were raised of improved Russian police cooperation last week when a former carder in St Petersburg was arrested on an Interpol warrant, but dashed as he was released three hours later. Maybe Russian cops will be more effective as State Department snitches?

Loser Traitors Who Are Worse Off

The Security Service of Ukraine (SSU) engaged in their own psychological operation by doxxing Russian Federal Security Service (FSB) members, releasing telephone intercepts on YouTube (amazing!), and releasing an English-language technical report on a group the SSU calls Armageddon (aka Gamaredon).

This group has been launching attacks against Ukrainian critical infrastructure and government agencies and the SSU views some of its members as traitors as they "are officers of the ‘Crimean’ FSB and traitors who defected to the enemy during the occupation of the peninsula in 2014".

Some of the intercepts seem to have been chosen to provide evidence of hacking activities, but others cover frequent Covid testing and getting screwed on pay and awards. These appear to have been chosen to make fun of the defectors.

The Grugq told Seriously Risky Business "most of those FSB guys are former SSU. They switched sides. They are stuck in a provincial, remote, low-tier location, where they are traitors to Ukraine if they leave, but f**king Ukrainian province dudes to everyone else. They’re not respected in FSB, and they’re not very elite. There is a real sense of 'these guys thought it was clever to switch sides, and now look at them. Lololo. Loser traitors who are worse off'".

Big Boys' Toys

An Atlantic Council report, Surveillance Technology at the Fair: Proliferation of Cyber Capabilities in International Arms Markets, examined 20 years of international arms fairs and found that the market for surveillance and lawful intercept capabilities is becoming more globalised. Surveillance companies are increasingly willing to sell their goods and services overseas, outside of alliance partners such as NATO and sometimes even to Russia and China.

Speaking to the MIT Technology Review, Johann Ole Willers, one of the paper's authors and a fellow at the Norwegian Institute of International Affairs (NUPI) Centre for Cyber Security Studies said "the most basic takeaway from this paper is that we are dealing with an industry. That is a fundamental insight. It’s not enough to target NSO Group."

Two of the five firms that were found to market in Russia and China are mobile forensics companies — Israel's Cellebrite and Swedish firm Micro Systemation AB (MSAB). So this part of the paper may not be as bad as it sounds; the national security implications of foreign governments having access to mobile forensics capabilities are nowhere near the concerns that arise from them having zero-click iPhone hacking capabilities.

The overall conclusion argues for stronger regulation:

The proliferation of cyber and surveillance capabilities is a thorny policy question. Preventing the harms caused by this industry is an important policy goal, and should be treated as such. Yet, attempts at regulating the industry through export regulation and global regimes have had limited success so far. On top of this, this analysis indicates that there exists a significant group of private companies willing to act irresponsibly: marketing capabilities that carry the risk of becoming tools of oppression for authoritarian regimes or strategic tools for non-NATO allies. The United States, NATO, and their allies still have policy tools they can use to prevent privately developed offensive cyber capabilities from proliferating irresponsibly. The continued absence of assertive policy response risks a grim outlook: a growing number of private corporations that see few consequences to bolstering the cyber arsenals of major Western adversaries, and only profit.

Speaking to the Risky Business podcast in 2014, Thomas Lim, CEO of COSEINC described intrusion software export control as "the big boys restricting access to the things they already have [so they] have an advantage over other people… I have all these new toys and I do not want other people to have such toys". COSEINC was last week placed on the Entity List (a US export control list) for "traffic[king] in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide".

In one sense Lim is right. Export control is absolutely about restricting access to shiny toys.

But it's not just the "big boys" that restrict access. The Wassenaar Arrangement is a 42-country 'club' that restricts conventional arms and dual-use goods and technologies, including information security and intrusion software. It's not just the 'big boys' that think it is a bad idea to have sophisticated cyber capabilities popping up all over the place.

Last week, Israel's NSO Group was placed on the Entity List because it "developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers".

Just this week, Frontline Defenders, a non-profit organisation that tries to protect human rights defenders, announced it found NSO Group malware on the phones of six Palestinian human rights activists.

It looks like the Israeli government caught wind of the discovery and decided to retrospectively justify its actions by suddenly designating the groups the activists worked for to be 'terror organisations'. The activists were hacked years ago, but the declaration came just weeks ago and the whole thing stinks. The Israeli government would have been far better off coming up with plausible excuses, like 'we target people when we have good information they are doing bad stuff, regardless of affiliation' or 'we targeted these activists to get information about other people'. As it stands, this incident destroys any confidence the Israeli government can effectively regulate companies like NSO Group (or Candiru) and its wider cyber espionage export industry.

In his 2014 interview with us, Lim "categorically" denied selling to the PLA but, even though he was aware of human rights violations in Xinjiang, would be open to it if asked. "I do not have a problem selling something to the Chinese government, I do not".

Fortunately for Lim, being added to the Entity List probably won't make much difference to his business. It restricts US companies from exporting certain products (including intrusion software) to COSEINC, but given that Lim's company is in the 'finds vulnerabilities' business rather than the 'buy and sell' business, it probably won't have much effect. Russian company Positive Technologies says that being on the Entity List and also being subject to US financial sanctions had very little effect on its business.

Three Reasons to be Cheerful this Week:

  1. Less leaky: GitHub will notify Meta (Facebook's new corporate name) when it detects Facebook API tokens that are accidentally leaked in GitHub repositories. This will let Meta automatically invalidate leaked tokens rather than allowing them to be used to pillage the personal information of millions of people. Sounds like a win.
  2. Thankfully, not a princeling: Yanjun Xu, a Chinese intelligence officer from the Jiangsu Province Ministry of State Security was convicted of economic espionage. Xu had attempted to steal turbofan technology from GE Aviation and was the first Chinese intelligence officer to be extradited to the United States after he was lured to Belgium in a sting operation. Thankfully, he's not a 'princeling', so the Chinese government hasn't arrested a bunch of Americans to take as hostages in retaliation.
  3. More work: The US House of Representatives approved a USD$1.2tn infrastructure bill that includes $1.9bn for cybersecurity spend. But not for paying ransoms!


Sound and Fury, Signifying Something?

The Chinese Ministry of State Security announced that foreign intelligence services had stolen passenger records from Chinese airlines last year. Targeting of airlines and hotels by intelligence agencies is not new, but it is interesting to see the MSS publicly comment.

Alex Joske, independent researcher studying Chinese Communist Party interference and espionage, told Seriously Risky Business he thinks the announcement was domestically focussed. "If it were for foreign purposes you'd expect to see more promotion of it in English-language state media and more details about the actor."

"There's a longstanding belief in the MSS that the right kind of domestic propaganda creates a favourable operational environment, both by making the public more cooperative as well as raising awareness of the MSS's work among the Party leadership. Under Xi Jinping they've been under more pressure to demonstrate their political reliability, which might be another motivation".

$55m Theft Barely an Inconvenience

More than USD$55m was stolen from the bZx DeFi (decentralised finance) platform, after a bZx developer was hacked. The attack used a malicious Word macro to steal private keys for the platform's integration with both the Polygon and Binance Smart Chain (BSC) blockchains. These private keys were then used to steal Polygon and BSC funds.

bZx has taken steps that sound a lot like what you'd do in the traditional finance system. From their preliminary post mortem:

  • Contacted Tether and froze USDT from the hackers wallet.
  • Contacted Binance and froze the BZRX that was stolen on BSC to prevent it from being transferred.
  • Contacted KuCoin and identified that one of the hackers wallets was used to transfer in and out of the exchange.
  • Contacted USDC and requested to freeze USDC in the hackers wallet.
  • Contacted KuCoin to identify the hackers KuCoin account.

This makes us think that perhaps increased regulation of cryptocurrencies might be worthwhile until information security is a solved problem. Lol.

Amazingly, this is only the fifth largest cryptocurrency heist this year. The financial system of the future!

The Time to Worry is When the Tianfu Cup Gets Boring

After the stunning display of 0day at last month's Tianfu Cup, the news out of Pwn2Own Austin was yawn-inducing. A Western Digital NAS got owned! And a printer! But none of the phone targets fell...

Of course, the two events aren't really comparable. Pwn2Own Austin focused on consumer-grade printers, NAS devices, TVs and speakers, whereas the Tianfu Cup focussed on some seriously hard targets.

But the bigger difference is in the maturity of the job market for exploit developers. In the US and Europe intelligence services and cybersecurity companies pay top dollar to employ exploit developers — talent is rewarded but exploits are siphoned away from public displays of leetness.

The 'capture' of exploit developers has just not happened (yet) to the same extent in China and there is still a vibrant pool of exploit developers that have the spare time to fight and win at the only competition they can attend.

Better to be Safe than (Bone-)Sawwy

The Conti ransomware group has publicly apologised for doxxing the UAE, Qatar and Saudi royal families. Conti will implement "a more rigid data review process" so it doesn't happen again.

To End, Start Here

CISA has established an ongoing catalog of vulnerabilities that it knows are being exploited in the wild. It ordered US federal agencies to patch vulnerabilities in the catalog.