Srsly Risky Biz: Thursday, November 18

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

NSO Group Sales Were Key to Israel's Regional Diplomacy

Israel's Government must decide if it values its relationship with the US more than the benefits it gains from playing fast and loose with powerful cyber espionage capabilities.

For many years the interests of the Israeli government and companies that export offensive cyber tools — such as NSO Group in particular, but also Candiru — were aligned.

The Israeli government, which must approve every Pegasus export licence, actively assisted NSO efforts to sell Pegasus in the region, brokering meetings with Arab states. A person involved in NSO's pitches to Gulf governments told the Financial Times "it’s like the toy that every intelligence officer wants".

The claim — that has surfaced a few times now — is that sales of the NSO technology were offered as a quid pro quo for improved bilateral relations.

NSO's former CEO denied this in July this year, telling FT "we are not a tool for diplomacy for the Israeli government; we are a commercial company".

We are skeptical of this denial, partly because leveraging Israeli technology for geopolitical advantage just kinda makes sense, and partly because this sort of thing is spelled out as official Cyber Security Strategy:

The government of Israel has set a vision for Israel to be a leading nation in harnessing cyberspace as an engine of economic growth, social welfare and national security…

Israel is also engaged in efforts to assist partner nations in strengthening their national cyber security, while harnessing Israel's cyber capacities.

Other incidents also demonstrate close links between NSO Group and the state. Last week Seriously Risky Business wrote about the Israeli government designating Palestinian human rights groups as 'terror organisations' in what looked like an attempt to retrospectively justify its use of NSO Group tools.

Regardless of how close the links between NSO and the Israeli government are, overseas sales make it an export success. Even though 2020 was a bad year, NSO had revenues of USD$243m from 60 customers in 35 countries and employed 750 people.

In addition to exports, jobs and improved diplomatic relationships, selling high-end capabilities to frenemies will likely cause their sovereign capabilities to atrophy. From an Israeli government point of view, what's not to like?

A string of stories have cast doubt on NSO's claims that its products are used exclusively to combat criminals and terrorists. Too often, Pegasus is used to spy on the opponents of authoritarian regimes. Amnesty International describes it as "a weapon of choice for repressive governments seeking to silence journalists, attack activists and crush dissent, placing countless lives in peril”.

And this week ESET released a report implicating Candiru in watering hole attacks launched from a London-based news website (among many other sites). This campaign seems to have been targeted against Yemeni interests, but using a UK site will piss people off.

Earlier this month both NSO Group and Candiru were placed on a US export control list because they "developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers". The export control list, known as the Entity List, will make it difficult if not impossible for US firms to sell certain products to the two companies. This was a surprise to Israel — its government was only given an hour's warning of the announcement.

NSO's CEO asked the Israeli government to lobby the US to remove NSO from the Entity List, but it seems that the government, after initially being keen, ultimately decided to hold off. A senior Israeli official told Axios that "We want to talk to the U.S. first in order to make sure that the NSO affair didn’t damage our bilateral relations. We would also want to hear from the U.S. if they have any information we need to know about NSO".

It seems it didn't take long for NSO Group to meet the underside of a bus.

China Using Exploits for a Good Time, Not a Long Time

Attacks targeted at democracy advocates provide more evidence that Chinese groups are capturing domestic research for use in watering hole attacks.

Google's Threat Analysis Group (TAG) found watering hole attacks targeting iOS and macOS "visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group". They believe the group is well-resourced and "likely state-backed" but declined to speculate about attribution.

Along with Uyghurs, Tibetans, Taiwanese and the Falun Gong, democracy advocates comprise the Chinese Communist Party's Five Poisons. These groups are different in many respects, but all represent a threat because they provide an alternative vision of China.  Patrick Wardle, who specialises in Apple product security research, analysed the campaign's implant and found Chinese language strings and identified communication with a command and control server in Hong Kong.

No prizes for guessing which country might be responsible, sorry.

This is — possibly — the second time that groups prosecuting Chinese state interests have used exploits in watering hole attacks in the time between publication and subsequent patching.

In this case the attack involved, among other things, a macOS exploit that was presented at a security conference in April 2021. This exploit was subsequently patched in Big Sur (macOS 11) but not in Catalina, the previous version of macOS. (wtf, Apple?). Even though it was published research Google classified this as an 0day as it had never been demonstrated against Catalina.

Previously, an iOS exploit chain published at the 2018 Tianfu Cup was subsequently discovered being used in watering hole attacks against Uyghur muslims. Uyghurs are an oppressed minority population in the Western Chinese province of Xinjiang.

At first glance, trying to take advantage of the gap between publication and patching seems like a waste of time. The return on investment for turning an exploit into a capability is almost certainly guaranteed to be short, so why not focus on something more enduring?

But in the context of watering hole attacks, using short-lived vulnerabilities makes sense if you have the capacity. These kinds of attacks are relatively visible and can be detected relatively rapidly. TAG has demonstrated its ability to find watering hole attacks and the previously mentioned ESET report identified attacks using its "custom in-house system to uncover watering hole attacks". If you are going to be detected anyway, why not use "pre-burnt" exploits and save other exploits for more covert operations?

Speaking to Seriously Risky Business, Google's Huntley said that although the hypothesis was interesting "we are reporting on what we are observing so it’s hard to speculate on what we aren’t".

"I think attackers use whatever they think will work. The capabilities available to each attacker varies. They may have more serious capabilities they are keeping in reserve or this could be what they have."

Hack For Hire Industry Gaining Momentum

A Russian-speaking hacking-for-hire team calling itself Rockethack is in the news, and we can add these sort of organisations to the pile of things we'll have to worry about in 2022.

We've seen hack-anyone-for-money outfits before — Citizen Lab uncovered Indian company BellTroX (aka Dark Basin) that hacked thousands of individuals — but Rockethack looks like it takes things to the next level. Its business model is described in Trend Micro's report on the group as going "after the most private and personal data of businesses and individuals then sell[ing] that data to whomever wants to pay for it". (Trend Micro calls the group Void Balaur.)

Beyond account hacking (USD$550 for Gmail and USD$2,064 for Telegram!) Rockethack also offers other sensitive information to buyers including: passport information, marriage certificates, criminal records, passenger arrivals at Russian airports, passport to phone number lookups, phone call and SMS records, and call records with cell tower locations.

Rockethack has targeted telecom engineers and executives, so it seems it escalates individual hacks into a broader telco capability. And it looks like Rockethack is trying to expand its targeting to include fintech companies and banks, ATM vendors, Russian IVF clinics, genetic testing services, point-of-sale system vendors and business aviation companies. It also engages in straight-up cryptocurrency account phishing.

These types of groups target valuable information and consequential targets — BellTroX and Rockethack targets include hedge funds, short sellers, financial journalists, elected officials, activists and even Belarusian presidential candidates.

The risk you'll get caught hiring a group like Rockethack or BellTroX is low, so evidence of  expanding capabilities is worrying. A Rockethack motto is apt:

Money is not the main thing on the free internet. The main thing is the power that belongs to the one who controls the flow of information.

Will these types of illegal enterprises flourish in the coming years? We hope not.

Waiting for Maksim

The relatively worry-free life of cyber criminals in Russia has been upset, at least a bit, by the US offers of large rewards.

Last week this newsletter wrote of the potential psychological impact on ransomware crews of US State Department's rewards for information on ransomware crews and their affiliates. Joe Tidy, the BBC's cyber reporter attempted to track down Maksim Yakubets, leader of the Evil Corp cybercrime network.

Although he didn't manage to track Maksim down, Joe did manage to talk to Yakubets' father, who said that a 2019 USD$5m reward for Yakubets had caused the family to live in fear of attack. "The Americans," he said, "created a problem for my family, for many people who know us, for our relatives". Prior to the reward Yakubets lived large, with a Lamborghini and lavish 2017 wedding. The article is worth reading for both its colour and for its insight into how these criminals are otherwise immune from local law enforcement efforts.

We're stoked nobody Novichoked Joe during his trip to Russia, too. Nice work, guy!

Three Reasons to be Cheerful this Week:

1. DHS Cybersecurity Talent Management System: DHS has a new program to help CISA attract and retain cyber security talent. Streamlined employment processes, better pay and better careers is the promise.
2. 10 years for Ad Fraud: Russian Aleksandr Zhukov has been sentenced to 10 years in prison for running Methbot, a giant ad fraud botnet. Methbot fraudulently obtained digital advertising revenue by using over 1,000 servers to sell ads to fake visitors on 10,000 fake websites. No one had to watch internet ads, so it's almost like it's a victimless crime.
3. Overseas Holidays for Russians Still Unwise: Denis Dubnikov, a Russian cryptocurrency exchange co-founder has been arrested after attempting to holiday in Mexico. In a sign of international cooperation, he was denied entry to Mexico and bounced to Amsterdam, where Dutch police arrested him on behalf of the FBI. He's accused of money laundering cryptocurrency for the Ryuk ransomware gang.

Shorts

Well, This is Awkward

Mandiant has linked the Ghostwriter hacking and influence operation campaign to Belarusian government interests. This is more than a bit awkward because in September this year the EU formally sanctioned Russia for the Ghostwriter campaign. Whoooops.

Ghostwriter disseminated falsified anti-NATO content in Eastern Europe in operations that were consistent with Russian interests, but after the contested August 2020 re-election (ha!) of Belarusian president Lukashenko the operation became far more Belarus-specific. Combined with technical evidence that points to Minsk (not Moscow!) Mandiant now has high confidence it is associated with the Belarusian government.

Germany, meanwhile, has doubled down on its attribution to Russia. In our view there's only one way to settle this: Pistols at dawn.

Well, This is Also Awkward

The FBI's Law Enforcement Enterprise Portal (LEEP) site was abused to send fake cyber incident warnings from an official FBI email address. Amazingly, the LEEP account application procedure used an address verification process where message content was generated client-side on the applicant's computer and then passed to the LEEP via a POST request to be sent via email. This POST request could be modified to send any email to any recipient from the LEEP portal.

The hacker, pompompurin, sent tens of thousands of fabulously nonsensical emails which warned of "Threat actor in systems… Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack".

Pompompurin told Brian Krebs he did so to highlight the portal's insecurity, saying "I could’ve 1000% used this to send more legit looking emails, trick companies into handing over data”.

Frickin' Iranians With Frickin' Laser Beams on Their Frickin' Heads

The UK, US and Australian governments have warned of Iranian state-sponsored actors exploiting Microsoft Exchange and Fortinet vulnerabilities to gain access and sometimes deploy ransomware.

These actors are targeting "multiple U.S. critical infrastructure sectors" and Australian organisations, although the advisory also states "the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors".

It's not really clear if these are genuine ransomware attacks or disruption-disguised-as-ransomware campaigns.

At CYBERWARCON this week, Crowdstrike researchers spoke about a trend they had observed of Iranian actors including "a significant ransomware component that does not have a readily apparent financial motive... available evidence points to the Iranian cyber operations enterprise as having recognised ransomware’s potential as a cyberattack capability able to inflict disruptive impacts on victims with low cost and relatively plausible deniability".

Interestingly, these groups use Microsoft's Bitlocker to encrypt data in their ransomware attacks.

Major APAC Payroll Company Hacked

Frontier Software, a provider of payroll software, has been ransomwared, leaving hundreds of employers without automated payroll this week. Frontier is the most popular product amongst large employers in Australia. The company claims everything is back up and running as its production systems were segmented from its corporate systems.

Meta Disruption

Facebook (now known as Meta) has disrupted the operations of one Pakistani and three Syrian hacking groups. The Pakistani group targeted the former Afghan government and operated an Android app store hosting malicious apps. The Syrian groups targeted anti-regime individuals.

Moses Staff

Israeli organisations are being targeted for destructive attacks by a group calling itself Moses Staff. Rather than the impressively competent wiper attacks we've seen on Iran in recent months, this feels much more like a group of angry pentesters.

New Chinese Draft Regulations

The Cyberspace Administration of China issued draft Cyber Data Security Administrative Rules for comment. Naturally, they are both wide-ranging but short on precise details. Henry Gao has a thread on the highlights.

Emotet, the Sequel

After a coordinated international takedown operation, Emotet is running again. Apparently TrickBot is helping Emotet recover, and researchers are not (yet) seeing active distribution.

Being Fired by Trump Equals Great Success and Happiness

We'd like to wish Chris Krebs a happy one year fired-by-presidential-tweet anniversary. What a disaster for him: As a result of his high profile dumping he's had to endure becoming a national hero to millions of people, a stake in a successful startup and a gazillion Twitter followers. Poor guy. Oh, and now he has this sweet jacket, too.