Srsly Risky Biz: Thursday, October 21

Action against REvil and China proves it is a top-tier cyber power

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.


In the first possible sign of offensive cyber operations against ransomware crews, REvil's Tor payment portal and data leak site were hijacked. As a result REvil has again shut down its operations for a second time this year, hopefully for good.

REvil first disappeared shortly after its July mass compromise of Kaseya customers, after its leader and spokesperson UNKN disappeared and was presumed dead (or perhaps absconded with the group's money). REvil resumed operations after a couple of months using its previous infrastructure, including the same access keys, but now they've been spooked by someone compromising their servers, apparently in an effort to identify other gang members.

O_neday, the group's new administrator, called it a day on the Russian-language XSS forum: "The server was compromised and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would go there… Good luck everyone, I'm off."

In our view it's likely that this is an offensive cyber or law enforcement operation.

The FBI reportedly obtained decryption keys for the Kaseya attack from REvil's servers in July and was planning to launch a disruption operation, but REvil disappeared before they could act. This could well be the same operation — being run by a US agency or an international partner — resumed after a hiatus. Although it looks like REvil pulled the pin on their own before this operation moved from the collection phase to the disruption phase.

Regardless of who is responsible, the incident demonstrates how offensive cyber operations could sow doubt and destroy trust within ransomware operations. Other actors on the XSS forum speculated that REvil's reappearance was all part of an FBI plot to catch affiliates with another saying "Something is rotten in the state of ransomware". Who cares if it's true? They're scared, and that's good.

Despite being technically straightforward, altering websites and Tor services, locking people out of accounts and making bogus forum posts could all be used to break apart the ransomware crew and affiliate model of operations. Let's hope we see lots more of this.

The Biden Counter Ransomware summit joint statement didn't quite endorse offensive operations, but certainly left the door open. "We will consider all national tools available in taking action against those responsible for ransomware operations threatening critical infrastructure and public safety."

In an interview with Seriously Risky Business, Bart Hogeveen, Head of Cyber Capacity Building at ASPI's Cyber Policy Centre, thought that the statement was trying to warn and deter, but at the same time reflected the relatively stringent legal frameworks some states have when countering crime outside their territory. "I'm not sure it's a strong statement but it may be as strong as it gets when considering fighting transnational cyber crime." He noted that beyond offensive cyber it also leaves the door open to economic pressure and sanctions.

Coordinating diplomatic action could be useful in applying pressure to Russia — one striking feature of the summit was that many if not all countries invited were suffering from the ransomware scourge. (We wonder about the risk/reward tradeoff when it comes to attacking Israeli hospitals. Do you want to get robot machine gunned? Because that's how you get robot machine gunned.)

Hogeveen, however, points out that Russia may be working to insulate itself from this kind of pressure. "UN-facilitated negotiations have started on 'a comprehensive international convention on countering the use of ICTs for criminal purposes'. This is Russia's attempt to codify a global legal treaty in parallel to, or to undermine, the Budapest Convention… So, this ransomware statement has undoubtedly also been intended to draw some red and blue lines for the outcome of these negotiations."

The summit also identified illicit finance as one strand of effort to counter ransomware. Demonstrating its own commitment to this effort the US government this week released a Financial Crimes Enforcement Network (FinCEN) report on recent ransomware trends.

The top line number was large but perhaps not surprising — FinCEN identified USD$5.2bn in transactions sent from ransomware-related wallets for the top 10 most common ransomware variants over their lifetime. The period covered differed per variant, but most were active from 2019 to the present. It's hard to know how good a measure of the total ransomware market this is, as it both under- and over-counts ransom payments: it only captures the top 10 most common ransomware variants (the FBI tracks more than a hundred), but not all transactions from a wallet are guaranteed to be ransomware payments.

The FinCEN report highlights the unsustainable trend in ransomware payments, noting a "continuing trend of substantial increases in reported year-over-year ransomware activity". At current trends this year's reported ransom payments will eclipse the previous ten years combined. This is consistent with trends reported by insurers, who report that claims are becoming both more frequent and more expensive as the average ransom demand increases five-fold to USD$5.3m.

Part of the measured increase can be attributed to improved reporting, but there is still a lot that could be done to encourage more. FinCEN noted that a small number of US-based DFIR firms submitted the majority of ransomware-related reports. This is a large opportunity for improved international collaboration.

FinCEN also identified that Bitcoin was still the favoured cryptocurrency for ransomware payments, although there was an increasing trend to "Anonymity-enhanced Coins" (AECs) or privacy coins such as Monero — some groups even offered discounts for payment in Monero.

Gurvais Grigg, Global Public Sector Chief Technology Officer at Chainalysis, a blockchain analytics company, told Seriously Risky Business that although cryptocurrencies are liquid, instantaneous, and cross-border — the tradeoff is their activity is traceable and permanent. While some illicit actors including ransomware groups use AECs in an attempt to obfuscate their transactions, they haven’t been adopted to the extent that one may expect. One reason is they aren’t as liquid as Bitcoin and other cryptocurrencies.

Especially now that many exchanges have delisted AECs given regulatory guidance, they’re becoming increasingly impractical. Cryptocurrency is only useful if you can buy and sell goods and services or cash out into fiat, and that is much more difficult with privacy coins.

Grigg also expected that there would be "increasing regulatory guidance" on privacy coins and noted that "We have seen some enforcement actions against mixers, including Helix and Bitcoin Fog."

To us, this sounds like increasing global regulation will bring most exchanges "inside the tent", so that the small number remaining that facilitate ransomware payments will be targeted for sanctions or other enforcement actions.

Effective action that makes a dent in ransomware attacks can't come soon enough given increasing attacks particularly on critical infrastructure.

China is a Top Tier Exploit Superpower

A stunning display of 0day at the TianFu Cup leaves no doubt that China's exploit development workforce is among the best in the world.

In a competition modelled on the Pwn2Own hacking contest, Chinese security researchers successfully exploited 13 of the 16 possible targets and collected nearly USD$1.9m in prize money. Targets that fell included Windows 10, Chrome, Safari and Microsoft Exchange.

A remote jailbreak in iOS 15 (on iPhone 13) stood out and earnt Team Pangu USD$300k.

At the end of the competition it was the prestige targets that fell, with less important technologies remaining untouched. No one cared enough to bother attempting to hack an unnamed Chinese electric vehicle that was entered into the competition, for example.

Last year, Seriously Risky Business wrote that the Tianfu Cup was "the equivalent of watching an adversary parade a new missile through their capital. It's a performance. That capability you paid defence contractors millions for? Watch as we set fire to all these valuable bugs."

Since then, however, there have been changes to Chinese vulnerability disclosure rules. Among other things, these rules ban the sale of vulnerability information and require bug reports be sent to the Ministry of Industry and Information Technology within two days.

One effect of these changes is to funnel China's domestic security research through Chinese intelligence agencies. As discussed previously in this newsletter (China wants 0days for the 0day gods) the Chinese Ministry of State Security gets a first look at vulnerabilities and is in a position to take advantage of the window between disclosure and vendor patching.

If there is any doubt that this can occur, there is now good evidence that an exploit for a fully patched, up-to-date iPhone, which won the USD$200k top prize at the 2018 Tianfu Cup, was used to spy on China's own Uyghur population, at least until it was patched. It is not known how PRC intelligence agencies gained access to that exploit in 2018, but now Chinese legislation spells out a pretty straightforward process.

Adam Segal, director of the Digital and Cyberspace Policy program at the Council on Foreign Relations and an expert on Chinese cybersecurity policy told Seriously Risky Business that changes over time were also designed to keep a grip on private sector Chinese hackers.

The Chinese government prevented hackers from attending international conferences in part to prevent exploits from leaking to the West, to ensure that Chinese agencies would have first shot at them, and to cut the hackers off from outside sources of earning and draw them closer to China. The competitions still drive security, primarily within China, but also are about control.

It's not an original playbook. Similar competitions in western nations were fertile recruiting grounds for government agencies and their suppliers. Researchers who entered them motivated by a desire to improve security through breaking things eventually grow up and take on exploit development as a career. And where are those jobs? With governments and their suppliers.

Old Schooooooooool!

A pretty competent group has successfully compromised at least 13 telcos in the last couple of years. Dubbed LightBasin by CrowdStrike, it's been operating for at least five years and uses pretty good OPSEC.

LightBasin primarily compromises Linux and Solaris systems and avoids Windows systems if possible. CrowdStrike speculates that this is both for operational reasons, as telecommunications systems run those OSs, and for OPSEC, as security controls and monitoring on those platforms are not as good as on Windows systems.

In its recent telco hacks LightBasin hopped from one telco to another by compromising external DNS servers used in the telcos' GPRS networks. It also used an emulator to send command and control comms over the GPRS Tunnelling Protocol (GTP) to make detection harder. Nice.

Some reporting has described the group as "China-linked", but we think that's shaky — that linkage relied on a single pinyin string and CrowdStrike's report is clear it "does not assert a nexus between LightBasin and China".

Three Reasons to be Cheerful this Week:

  1. Even more grave dancing: Microsoft will permanently disable Basic Authentication from October 2022.
  2. Arrested for stealing hearts and dollars: South African police have arrested eight romance scammers. They stole more than USD$6.85m and were arrested at the request of US authorities.
  3. Free Decryptor for BlackByte ransomware: Trustwave researchers discovered that BlackByte malware generated encryption keys from a 'forest.png' file it downloaded. They then figured out how to derive the decryption key when given forest.png and have released a free decryptor. The BlackByte gang is not happy, but in the longer term they'll change the way their malware works.


Mark Dowd Talks About Fight Club

Patrick Gray interviewed Mark Dowd for his podcast. Mark is a world-renowned security researcher and co-founder of Azimuth Security, which became a serious player in offensive security, selling exploits and other tools to government agencies in the Five Eyes countries. The interview touches on the history of Azimuth, what the public gets wrong when talking about 0day and surveillance and is well worth a listen.

Speaking of Fight Club...

Here is a list of companies that have links to state-backed operations, mostly through the sale of tools and techniques.

Russia is Coming to Ransomware Your Poop

The US government issued two joint security advisories that warned of threats to critical infrastructure. The first warned of threats to the water and wastewater sector (WWS) and revealed details of three previously unreported attacks. This brings to six (!) the number of publicly reported WWS incidents this year. It is not reassuring at all that the advisory states "although cyber threats across critical infrastructure sectors are increasing, this advisory does not intend to indicate greater targeting of the WWS Sector versus others." The second advisory covered the BlackMatter Ransomware-as-a-Service group, noting multiple attacks on critical infrastructure including two food and agriculture sector organisations.

Although (arguably) not in the poop business, Sinclair Broadcast Group was also hit by ransomware this week, possibly from Evil Corp.

Alperovitch Institute

The Alperovitch Institute for Cybersecurity Studies was launched at Johns Hopkins University last week. It'll educate decision makers and practitioners to understand cyber security statecraft and policy and will conduct innovative research. It'll be led by Dr Thomas Rid.

Zerodium Seeking VPN 0days

Exploit broker Zerodium is looking for 0day vulnerabilities in the Windows apps of ExpressVPN, NordVPN and Surfshark. They are after bugs that enable "information disclosure, IP address leak, or remote code execution. Local privilege escalation is out of scope".

Money for Nothing and Your Clips for Free

A malware botnet that searches for cryptocurrency addresses in an infected computer's clipboard has earnt almost USD$25m by replacing pasted user addresses with one controlled by the malware owner. Sometimes we wonder why we have square jobs.
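A defender-side heuristic for the clipboard-swapping behaviour described above, as an added example that is not from the original newsletter or the reporting it cites: classify clipboard contents as cryptocurrency addresses and flag any address that is replaced by a different address of the same kind within a couple of seconds, which is how a clipper behaves and how a person copying addresses by hand does not. The address patterns and the clipboard snapshot sequence are constructed for this example.

```python
import re
from typing import Optional

# Address formats that clipper malware commonly targets (patterns constructed for this example).
# Base58 excludes 0, O, I and l; bech32 excludes 1, b, i and o.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address kind if the clipboard text looks like a crypto address, else None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_swaps(snapshots, max_gap_seconds: float = 2.0):
    """snapshots: list of (timestamp_seconds, clipboard_text), one entry per clipboard change.

    Flags a change where an address is replaced by a *different* address of the same kind
    within max_gap_seconds. A user rarely copies two distinct addresses of one type back to
    back that quickly; a clipper rewriting what was just copied does exactly that.
    """
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        kind_before, kind_after = classify_address(before), classify_address(after)
        if (kind_before and kind_before == kind_after
                and before.strip() != after.strip()
                and (t1 - t0) <= max_gap_seconds):
            alerts.append({"at": t1, "kind": kind_before,
                           "original": before.strip(), "replacement": after.strip()})
    return alerts


# Constructed clipboard history: one swap 300 ms after a copy, plus benign activity.
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes for thursday"),
    (5.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),   # user copies a payee address
    (5.3, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),   # rewritten 300 ms later: clipper behaviour
    (60.0, "0x" + "ab" * 20),                        # user copies an ETH address
    (95.0, "0x" + "cd" * 20),                        # a different ETH address 35 s later: normal use
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{alert['at']:.1f}s] {alert['kind']} address swapped: "
              f"{alert['original']} -> {alert['replacement']}")
```

In a real monitor the snapshots would come from a clipboard-change hook on the endpoint; here the sequence is embedded so the heuristic runs offline.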

Argentina Gets Owned... Quite a Lot

A hacker has stolen Argentina's entire national ID database, RENAPER, or its National Registry of Persons. They are selling access to individual entries, perhaps to SIM swappers and for identity theft.

Kicking the Vulnerable

This is a well-written and personal story about how smaller organisations (a rural local government in this case) struggle with ransomware attacks when skilled specialists aren't available and being well prepared is nigh on impossible.

L0phtCrack is being open sourced

The L0phtCrack password auditing tool is now an open-source utility. It had been sold, but the original authors were able to buy it back thanks to a sneaky condition in the contract.