Srsly Risky Biz: Thursday, October 28

Cozy Bears in Your Clouds, Ransomware Crews Scatter

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Cozy Bears up in yer Clouds

Espionage efforts that target cloud and managed services to enable access are becoming the new normal.

This week Microsoft announced it had detected further espionage activity from the Russian state actor it calls Nobelium (aka APT29 and Cozy Bear), the one responsible for the Holiday Bear campaign and part of Russia's foreign intelligence service, the SVR.

This activity targeted "organisations integral to the global IT supply chain" such as

resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.

This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government.

This all sounds very familiar.

In operation Cloud Hopper China's APT10, on behalf of the Ministry of State Security, compromised managed IT service providers (MSPs) to get access to their clients for both espionage and intellectual property theft. Cloud Hopper started as far back as 2013, affected at least a dozen MSPs and provided access to hundreds of client firms. Illustrating the breadth of access gained, APT10's targets came from at least 12 countries and covered diverse sectors including automotive, finance, mining, telecommunications and biotechnology.

When discovered, this operation eventually resulted in coordinated attribution statements and even targeted sanctions from the EU. These statements and sanctions did not object to APT10's targeting of MSPs, but instead objected to the theft of intellectual property and trade secrets for commercial advantage. In other words, attacking cloud and managed services is fine, just don't steal from our industries.

Cloud Hopper showed us that, when it comes to breaches, the incentives of MSPs and their clients aren't aligned — clients want their data protected while MSPs want to keep costs down and their reputations intact. Reuters reported the response to Cloud Hopper was undermined:

service providers withheld information from hacked clients, out of concern over legal liability and bad publicity, records and interviews show. That failure, intelligence officials say, calls into question Western institutions’ ability to share information in the way needed to defend against elaborate cyber invasions. Even now, many victims may not be aware they were hit.

Since Cloud Hopper, the move to cloud services has accelerated, and what might have been an innovative tactic in 2014 is becoming standard practice now — the cloud holds the information intelligence services are after. The cloud service subversions that featured in the Holiday Bear campaign weren't one-offs. They marked a likely permanent shift in tactics from the SVR.

American officials are aware of the need to apply pressure to cloud services to up their security game. Speaking to The New York Times, a senior American official stated that the recent Russian efforts were "unsophisticated, run-of-the-mill operations that could have been prevented if the cloud service providers had implemented baseline cybersecurity practices." The official was clear about who was to blame: "the responsibility to implement simple cybersecurity practices to lock their — and by extension, our — digital doors rests with the private sector."

The US government also has efforts underway to shine light on poor private sector security practices. Earlier this month the Department of Justice announced it will be pursuing companies that hide breaches or falsely claim to follow cybersecurity standards. And this newsletter has previously covered other transparency efforts including an SEC investigation into breaches in the wake of the SolarWinds incident and proposed legislation that would establish a Bureau of Cyber Statistics.

As for this particular attack, Microsoft reports that it used "a diverse and dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing to compromise user accounts and leverage the access of those accounts". Nobelium used commercial residential proxy services for both OPSEC and for distributed password spraying.
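The distributed password spraying mentioned above is worth a closer look from the defender's side. The example below is added here and is not Microsoft's or the newsletter's code; it assumes a constructed CSV-style sign-in log and shows why a per-IP lockout misses a spray routed through many residential proxy IPs, while a breadth check (many accounts, few failures each, many source IPs, one time window) catches it.

```python
"""Added example: detecting a password spray distributed across proxy IPs.
Per-IP lockouts never fire because each proxy IP produces only a few
failures; the signal is breadth inside one window. Sample data is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log: "timestamp,user,source_ip,result"
SAMPLE_LOG = """\
2021-10-25T09:00:01Z,alice@example.test,203.0.113.10,failure
2021-10-25T09:00:04Z,bob@example.test,198.51.100.7,failure
2021-10-25T09:00:09Z,carol@example.test,203.0.113.44,failure
2021-10-25T09:00:12Z,dave@example.test,192.0.2.90,failure
2021-10-25T09:00:20Z,erin@example.test,198.51.100.120,failure
2021-10-25T09:00:25Z,frank@example.test,203.0.113.201,failure
2021-10-25T10:30:00Z,bob@example.test,198.51.100.7,failure
2021-10-25T10:30:05Z,bob@example.test,198.51.100.7,failure
2021-10-25T10:30:10Z,bob@example.test,198.51.100.7,success
"""

def parse(log_text):
    """Parse the constructed log into (timestamp, user, ip, result) tuples."""
    out = []
    for line in log_text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        out.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return out

def per_ip_lockout_hits(events, threshold=5):
    """Classic per-IP lockout: source IPs with at least `threshold` failures."""
    counts = defaultdict(int)
    for _, _, ip, result in events:
        if result == "failure":
            counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= threshold}

def spray_windows(events, window_minutes=10, min_accounts=5, min_ips=5, max_per_account=2):
    """Fixed-size windows in which many accounts each fail a little, from many IPs.
    Returns {window_start: (sorted accounts, distinct IP count)} for flagged windows."""
    buckets = defaultdict(lambda: (defaultdict(int), set()))
    for ts, user, ip, result in events:
        if result == "failure":
            start = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)
            buckets[start][0][user] += 1
            buckets[start][1].add(ip)
    return {start: (sorted(acc), len(ips)) for start, (acc, ips) in buckets.items()
            if len(acc) >= min_accounts and len(ips) >= min_ips
            and max(acc.values()) <= max_per_account}

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("per-IP lockout hits:", per_ip_lockout_hits(ev))   # empty: spray is invisible
    print("spray windows:", spray_windows(ev))                # the 09:00 window is flagged
```

The thresholds are illustrative; in practice they would be tuned to the tenant's normal failure rate, and bob's repeated failures from one IP at 10:30 show an ordinary typo pattern that the spray check correctly ignores.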

Among other suggestions, in its Guidance for partners on Nobelium targeted attacks, Microsoft offers service providers a free two-year subscription to Azure Active Directory Premium Plan 2, which offers more advanced and secure identity management capabilities. In a world where attacking the IT supply chain is standard business, we think charging extra for the "safe" version is beyond the pale.

Release the… Dingos?

Confirming Seriously Risky Business's speculation last week, a REvil group server was hacked by a foreign partner of the US in a multi-country operation. Initial results are promising — despite being a very limited affair, REvil appears to have disbanded — but the long-term effects of offensive cyber operations against criminal groups will take some time to play out.

As best we can tell — with incomplete information — the REvil drama was precipitated by a single machine getting owned. The attackers didn't even do anything besides show up, and it sent an entire crew scattering. That's a good sign.

There are at least a few countries that could be responsible.

The UK is one possibility. At the US Cipher Brief Threat Conference, GCHQ director Jeremy Fleming joined the lineup of allies normalising the use of offensive cyber operations against ransomware crews. He said "I'm pretty clear from an international law perspective and certainly from our domestic law perspective you can go after [criminal actors]", and that one way of targeting groups beyond the reach of law enforcement was to deploy the National Cyber Force to "go after" ransomware gangs.

Australia's Secretary of the Department of Home Affairs, Michael Pezzullo, was even more bolshy. He told Senate estimates "We are going hunting, we are using offensive capabilities" and, speaking of ASD (which actually has a legislated function to disrupt cybercrime), "they're hunting every night".

Regardless of who might be responsible, the longer-term results of this action — beyond REvil's disappearance — are worth following.

Some groups are engaging in come-at-me-bro bravado. The Groove ransomware gang has tried to rally compatriots to attack US interests (edited for spam filters):

In our difficult and troubled time when the US government is trying to fight us, I call on all partner programs to stop competing, unite and start [mucking] up the US public sector

Posting such a threat was a terrible idea. Following through on it would be suicidally stupid.

Conti also published a trolling statement attacking the US's human rights record while wishing "our retired colleagues from REvil a lot of fun with their honestly earned money". They stopped short of being boneheaded enough to directly threaten the US government.

At least one gang took the action against REvil seriously enough to do more than just sh*tpost. The Darkside group moved Bitcoin reserves worth USD$6.8m, splitting it into smaller chunks, perhaps as a step to laundering or converting to fiat currency.

Meanwhile the LockBit group, in an interview with The Record's Dmitry Smilyanets, spoke of the threat of being hacked.

This is one of the most effective methods to deal with us; no one is immune from hacking infrastructure with the help of 0-days. Using NSA hardware backdoors, it is possible to access any server on the planet. Therefore, the risk of being hacked is always present

Coveware, an incident response firm, also reports a shift from 'Big Game Hunting' to 'Mid Game Hunting' — ransomware actors appear to be avoiding larger targets that attract significant national security and law enforcement responses. Average ransom payments are down as more payments come from mid-sized companies. This is based on data from the last quarter, so it isn't the result of the action against REvil, but may reflect a response to increasing government and law enforcement actions in recent months.

Coveware's blog also compares the economics of ransomware to that of 1990s Colombian cocaine cartels. The comparison shows ransomware is as fantastically profitable as the drug trade but carries fewer risks. The chance of getting killed during a ransomware operation is about zero, and the risk of arrest is also relatively small.

One counter-ransomware cyber operation won't change the economics, but at least governments have started to use more of the tools they have available. Let's see where it goes.

Open source software hijinks

Events in the open source software supply chain are worrying.

The UAParser.js JavaScript library for parsing User-Agent strings was hacked and malicious code added, perhaps by hijacking the developer's npm account. Linux users got a Monero cryptominer; Windows users got the cryptominer plus a password-stealing trojan.

This is bad enough that CISA issued a warning. UAParser is downloaded around 7 million times per week and is used in over a thousand other projects including at Microsoft, Facebook, Slack, Amazon and tons of other companies.

A cryptominer is about as benign as it gets these days, so we shudder to think what could happen if serious adversaries start undermining various software repos in earnest. This is a problem.

GitHub (owned by Microsoft and owner of npm) has already started to move away from password-based authentication. Perhaps moving faster and giving free FIDO2 security keys to developers would save some grief in the longer term.

Three Reasons to be Cheerful this Week:

  1. Ransomware wins: Kiwi company Emsisoft found that BlackMatter's ransomware encryption was faulty, so files could be recovered without paying the ransom. Emsisoft secretly helped dozens of victims before BlackMatter fixed the flaw.
  2. Laundering arrests: Ukrainian police arrested a group suspected of stealing cryptocurrency and laundering funds for Russian cyber criminals. This was part of a joint investigation with US authorities.
  3. Not quite bulletproof: An Estonian man and a Lithuanian man were sentenced to multi-year prison terms for operating bulletproof hosting services used to deliver Zeus malware. Their two- and four-year prison terms, respectively, don't seem like a lot considering Zeus stole over USD$100m from victims, but the pair were lackeys. And we are trying to be cheerful here.
Iranian fuel disruption

An apparent cyber attack on Iran's fuel payment system caused major disruption and long queues at petrol stations. Digital billboards were also hacked to read "Khamenei, where is my fuel?", referring to Iran's Supreme Leader Ayatollah Ali Khamenei. Drivers trying to pay were shown "cyberattack 64411" as an error message. The number is the phone number of Mr Khamenei's office.

A wiper attack in July disrupted train services across Iran and also directed passengers to call 64411 for more information. There's a lot of speculation that Israel is behind the attack. We don't know if that's true, but we'd suggest that attacking civilian infrastructure probably isn't a norm we want to establish.

China Telecom gets the Boot

The FCC has revoked China Telecom Americas' license, with Commissioner Brendan Carr — one of five politically appointed commissioners — citing "substantial and unacceptable national security and law enforcement risks associated with China Telecom Americas' continued access to US telecommunications infrastructure." These include providing "opportunities for Chinese state-sponsored actors to engage in espionage and to steal trade secrets and other confidential business information."

Carr is also concerned about the drone company DJI. "After all, we do not need a Huawei on wings."

The end of PAX Floridania?

Brian Krebs reports on the curious raid on Chinese point-of-sale device provider PAX Technology's Florida offices. According to Krebs's sources, PAX terminals were being used for malware staging and command and control. It's not unusual for point-of-sale systems to be compromised by cyber criminals, so perhaps the government has some other suspicions about PAX that would justify a search warrant involving the FBI, Customs and Border Protection, the Department of Commerce and the Naval Criminal Investigative Service.

A $2m Bounty Payment

Polygon, an Ethereum blockchain technology company, paid a USD$2m bug bounty to a researcher who discovered that deposited funds could be not only double spent, but spent up to 233 times. An attacker using this bug could potentially turn $200,000 into $44.6m.

The researcher, Gerhard Wagner, wrote in his blog "If I had to guess why the bug happened, I would say it might be due to using someone else’s code and not having a 100% understanding of what it does… It’s OK to use existing building blocks when you write smart contracts, but you must understand all implications of doing so."

US Seeks Cyber Ambassador

The US Department of State will establish a Bureau of Cyberspace and Digital Policy, to be led by a Senate-confirmed ambassador. It also plans to establish a special envoy for critical and emerging technology. Shutting the State Department's cyber coordinator office in 2017 was just dumb.

When Affiliates Cost Too Much

FIN7 created a fake security firm, Bastion Secure, to hire penetration testers and trick them into taking part in ransomware attacks. Apparently for FIN7 paying a pen tester for a 'real' job is cheaper than paying affiliates.

ISPs and Privacy

An FTC report into ISP privacy practices is at least slightly alarming. For example, a significant number of the ISPs the FTC examined shared real-time location data with third parties for god knows what purposes. Oversight and regulation of ISPs was effectively neutered during the Trump administration, and on the back of this report FTC Chair Lina Khan is arguing that the FCC be given a stronger role.

China is Devastated

The Commerce Department has announced new rules aimed at stopping the export of hacking tools to undesirable countries. This will align US policy with the Wassenaar Arrangement, a voluntary 42-nation export control agreement that covers conventional weapons and dual-use technologies (such as IT and cyber security products).

China will be devastated. Or perhaps not.

Nice Chart

Here is a nice chart of the Initial Access Broker landscape.