Srsly Risky Biz: Thursday, November 4

USCYBERCOM trips and spooks REvil, PNG ransomware mess

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

WaPost: Cyber Command Tripped and Spooked REvil

US Cyber Command was involved in a campaign targeting the REvil ransomware gang that resulted in the group scattering. The unofficial attribution to USCYBERCOM, via Ellen Nakashima's report in the Washington Post, should deliver a significant psychological impact to the ransomware scene.

The report says USCYBERCOM used stolen or cracked key material to spin up a fake duplicate of the ransomware crew's Tor .onion server. This spooked the REvil group enough to take a serious look at its infrastructure. From there, it discovered a historical server breach, apparently conducted by a US partner's security agency. This really gave the REvil team the willies.

It's good news! We want ransomware crews to know hounds have been released, and we want them to be worried about the biggest, baddest hounds.

Chris Inglis, the US National Cyber Director, touched on the psychological aspects of deterrence this week. In an interview at the TechNetCyber conference in Baltimore, Inglis spoke aggressively about bringing national instruments of power to bear on cybercriminals.

Deterrence has to "start with the psychology of the aggressor… not what we think would make a difference to us… It starts with the psychology of the actors, what makes a difference to them?"

Papua New Guinea Ransomware Crisis is a Real Mess

A ransomware attack on Papua New Guinea's financial management system has plunged the country's finances into disarray. The attack targeted the IFMS, the government's centralised financial management system, and has disrupted the government's ability to manage its finances and pay bills.

The attack occurred in the early hours of Friday 22 October and although the government claimed to have "fully restored" the IFMS by the following Thursday, access was limited "so as to give time to address cyber security matters".

The aftereffects are still being felt, however, and on Tuesday this week Sasindran Muthuvel, the governor of West New Britain province expressed his concerns in a statement:

In reality the situation is far from over as they fixed it for a few departments having access and operating at some 10 percent of their capacity... We in the provinces are really suffering without being able to print any cheques to support funding commitments to projects or recurrent expenses… Issues with IFMS will affect also Alesco payroll system in the province and arms such as the provincial health authority.

At the same time, PNG is a developing nation of nine million people suffering from its worst Covid wave so far in the pandemic. Hospitals are overwhelmed, oxygen supplies are short, many health workers have been infected, and less than 2% of its population has been vaccinated.

Andrew Muller, who has provided cyber security services across PNG, Indonesia and the South Pacific, and is Managing Director of Ionize Cyber Security, told Seriously Risky Business that he thought PNG's cyber security preparedness was low and wasn't surprised that something like this had happened. "There have been a multitude of other cyber incidents over the years," he said. "I've not yet come across a network there that wasn't already owned."

He wondered whether the ransomware attack was random or accidentally triggered, "a competent actor in the IFMS would probably be better off transferring funds rather than launching ransomware".

It's fairly easy to draw a straight line between PNG's cyber security and Australia's national interest — Papua New Guinea is our closest neighbour. The Australian government has already invested significantly in both cyber security cooperation and in cyber capacity building, allocating funds to establish a PNG National Cyber Security Centre (NCSC), a Cyber Security Operations Centre and enhancing PNG's CERT.

Additionally, in recent years Australia has also invested heavily in critical telecommunications infrastructure in the South Pacific. It paid AUD$130m toward the Coral Sea Cable System from PNG and the Solomon Islands to Sydney, and, together with the US and Japan, will fund a cable to service the Republic of Palau. In addition to submarine cables, the government recently underwrote the purchase of Digicel Pacific, the leading telecommunications provider in the South Pacific, by Telstra, Australia's largest telco and former national carrier.

In his memoir Malcolm Turnbull wrote that the Coral Sea Cable System investment was to ensure "that critical communications infrastructure didn’t fall under the control of China or any other country whose interests may not always be aligned with our own, let alone the values of Pacific island nations".

Unfortunately, these investments in cyber security capacity and critical infrastructure didn't prevent the IFMS being owned.

In the aftermath of the incident, PNG's ICT Minister, Timothy Masiu, pointedly noted that the Department of Finance "did not take up the offer for endpoint protection services from the NCSC". He also wrote of the need to "escalate ICT to the strategic level in the Public Service" and that currently ICT is viewed as a support service. "The cyberattack that occurred was bound to happen because we don’t have appropriate mechanisms for enforcement of cyber security standards and a governance framework for ICT functions".

Speaking to Seriously Risky Business, Jonathan Pryke, Director of the Lowy Institute's Pacific Island Program, thought that this incident "shines a light on the challenges that the PNG government is facing. Cyber security is not top of the list of problems they face, but if they don't get it right it can undermine everything".

Pryke also thought that the nature of how aid was delivered did not lend itself to longer-term projects such as building skills in cyber security capacity. "The nature of the aid system, with three-year cycles and priorities that can tend to change as [Australian] government priorities change can make delivering longer-term aid projects messy," he says.

Muller agreed that aid funding did not align well with what was needed to deliver good cyber security to the PNG government. "Cyber security isn't a destination, it's a journey. Doing all the boring, sustained work like patching and MFA that gets you to a better place. With project-based aid it's really hard to get the longitudinal funding to support a capability longer term."

He also thinks projects often deliver capabilities that "were appropriate for our context, but may not be appropriate in PNG". Muller argues for a different approach, "perhaps free software or tools but with more funding to train local folks in how to use them".

Muller was concerned that although the PNG government had been offered assistance from various international bodies including Australia and the US, they'd not so far accepted them. "The real problem is that they won't get to the root cause, which means it's very likely that something like this will happen again. This really should be a wake up call to accept the massive amounts of foreign assistance on offer".

Pryke could understand the PNG government's reluctance, however — it may simply not trust foreign governments enough (especially given Snowden) and may even be concerned about evidence of mismanagement or even corruption being discovered. He also warned that we should be realistic about what foreign aid can achieve. "Canberra Hospital — one of two public hospitals servicing the ACT’s 430,000 people — has an operating budget of 1.37 billion, double what we spend on aid to PNG in a given year and ten times our investments in the PNG health system (which totals 137 million)," he says. "PNG is a very young place and a poor and challenging place. And it's going to remain that way for many years to come."

Three Reasons to be Cheerful this Week:

  1. One step back from dystopia: Facebook is turning off facial recognition capabilities and says it will delete the "face prints" of approximately 1 billion people. It'll still be used in limited ways for verification and authentication, but won't automatically recognise people in photos or videos.
  2. Eat, drink and be merry: The BlackMatter ransomware group appears to have shut down, at least for now, due to pressure from authorities (which authorities?). Dmitri Alperovitch has some thoughts about gangs being spooked by unexplained disappearances. German investigators identifying a core REvil member will help too. And it could partly be because BlackMatter's brand was tarnished by their use of a faulty encryption system that allowed free decryption.
  3. In-built privacy: MacOS Monterey will have some in-built privacy features, including the ability to sign up to online services with unique email addresses. Some of Apple's position on privacy is marketing and posturing, but it also takes positive steps to protect user privacy.
USA Acts on NSO Group

The US Department of Commerce added four foreign firms to its export restriction Entity List: Israel's NSO Group and Candiru, Russia's Positive Technologies and Singapore's Computer Security Initiative Consultancy (aka COSEINC).

NSO and Candiru are both being blacklisted because they "developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers". Positive Technologies and COSEINC because they "traffic in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide".

Patrick Gray interviewed COSEINC founder and CEO Thomas Lim about exploit export restrictions for the Risky Business podcast in 2014. The interview stands up very well.

On Bad Unicode Parsing in Compiler Implementations

Researchers at the University of Cambridge discovered that source code could be invisibly compromised using Unicode's bidirectional algorithm, the mechanism Unicode uses to display text either left-to-right or right-to-left (as in English or Arabic, for example). Using this technique, code that looks innocuous to the eye could actually be malicious, because what the reviewer sees rendered is not what the compiler parses.

The report also touches on the difficulty of fixing this through normal processes:

About half of the compiler maintainers we contacted during the disclosure period are working on patches or have committed to do so. As the others are dragging their feet, it is prudent to deploy other controls in the meantime where this is quick and cheap, or relevant and needful.

They expect that Gitlab, Github and Atlassian will deploy tools to detect these types of subversions.
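As an illustration of the kind of control the report suggests deploying in the meantime, here is an added example (not code from the Cambridge researchers, GitHub, GitLab or Atlassian): a small scanner that flags Unicode bidirectional control characters in source text. The sample source and the heuristic for "still open at end of line" are assumptions of this example, not something the page specifies.

```python
"""Scanner for Unicode bidirectional control characters in source text.
Added example, not from the paper or any code-hosting platform. The
Unicode bidi algorithm lets these characters make rendered code differ
from what the compiler parses, so rejecting them in CI is a cheap control."""
import unicodedata

# Bidi control classes from UAX #9: embeddings/overrides (closed by PDF)
# and isolates (closed by PDI). unicodedata.bidirectional() returns these names.
OPENERS = {"LRE", "RLE", "LRO", "RLO", "LRI", "RLI", "FSI"}
CLOSERS = {"PDF", "PDI"}


def find_bidi_controls(text):
    """Return (line_no, column, bidi_class) for each bidi control character."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cls = unicodedata.bidirectional(ch)
            if cls in OPENERS or cls in CLOSERS:
                hits.append((line_no, col, cls))
    return hits


def unclosed_override_lines(text):
    """Line numbers where an override/isolate is still open at end of line.
    Heuristic (assumption of this example): an opener left unclosed applies
    to everything after it on the rendered line, which deserves a look."""
    flagged = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        depth = 0
        for ch in line:
            cls = unicodedata.bidirectional(ch)
            if cls in OPENERS:
                depth += 1
            elif cls in CLOSERS and depth > 0:
                depth -= 1
        if depth > 0:
            flagged.append(line_no)
    return flagged


# Constructed sample: line 2 carries a balanced RLO ... PDF pair inside a
# comment; line 3 carries an RLI (U+2067) that is never closed.
SAMPLE_SOURCE = (
    "def greet(user):\n"
    "    # check if user is admin \u202e } \u202c\n"
    "    return 'hi ' + user  # note \u2067 end\n"
)

if __name__ == "__main__":
    for line_no, col, cls in find_bidi_controls(SAMPLE_SOURCE):
        print(f"line {line_no} col {col}: bidi control {cls}")
    print("unclosed overrides on lines:", unclosed_override_lines(SAMPLE_SOURCE))
```

A real CI check would additionally whitelist bidi characters inside string literals of right-to-left languages, which this example does not attempt.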

Harnessed Lightning

Georgetown University's Center for Security and Emerging Technology has released a report on how the Chinese military is adopting artificial intelligence. They scoured procurement records to build an open-source view, and here is a Twitter-thread précis.

VoIP Industry DDoS attacks

A UK telecommunications sector industry group has warned of a nearly month-long coordinated DDoS extortion campaign against VoIP providers. The group expects the attacks to reduce revenue by USD$9–12m.

EU Strengthens Wireless Security Regulations

The European Commission is updating regulations to introduce tighter security standards for wireless internet-connected equipment such as smartphones and tablets, wearables, and toys and childcare devices. It's not altogether clear what these standards will be yet as the European Standards Organisation still has to develop "harmonised standards".

We are absolutely in favour of better security, but are a bit concerned that this initiative will be the cyber security equivalent of mandating USB-C as the solution to charge all devices.

You Must be This High to Enter

Google has launched the Minimum Viable Secure Product, a vendor-neutral security baseline intended to simplify B2B procurement and vendor assessment and to raise the floor on security as simply as possible.

APAC Ransomware Guide

CyberCX, a corporate sponsor of this newsletter, has released a ransomware guide with a bunch of APAC-specific info in it. Check it out if you are still struggling to cut through at board level. (It's rego-walled but we've seen it and it's good.)

NSA Guidance for 5G Operators

NSA released Part 1: Prevent and Detect Lateral Movement of its four-part Security Guidance for 5G Cloud Infrastructures. Zero Trust is coming to 5G, or at least NSA wants it to.

Rupee Wiper

There has been a possible wiper attack on the National Bank of Pakistan. Is it really a destructive attack or is it meant to hide theft?

A Nice Piece at Lawfare

Lawfare has a Brief History of Online Influence Operations.