Srsly Risky Biz: Thursday, September 23

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Apple, Google and Telegram Turn to Water on Russia

The censorship battle between tech companies and illiberal governments is kicking off in earnest, and so far the tech firms are being completely pantsed.

The cold, hard fact is state power trumps technology companies' content policies. This week we saw this truth in action when Russian authorities forced tech platforms to take down apps and content promoting jailed Russian opposition leader Aleksei Navalny's election-related efforts.

Apple and Google removed how-to-vote apps that provided opposition supporters recommendations on who to vote for in different electoral districts in the upcoming Russian parliamentary election. Telegram blocked Navalny's smart voting chat-bot and YouTube took down a video listing the names of all 225 Navalny-endorsed candidates.

Per Wired, Google's decision to remove the app from its Play Store came after "Russian authorities threatened specific Google employees with serious criminal charges and prosecution". In other words, Russia can do this because Russia has hostages.

Silicon Valley's traditionally strong anti-regulation culture is now crashing head first into a pretty sober reality. Tech companies are now so important, both economically and in the ways their services inform and shape society, that illiberal governments realise they must shape how these companies operate. Thus, governments all over the world are passing laws to give themselves more leverage like data localisation requirements and even "hostage-taking laws" that require tech firms to employ local staff.

In case we're not being explicit enough, let's just spell it out: It's now impossible for the big tech firms to reconcile the values they project with the realities of state supremacy in illiberal countries.

The weight of the regulators' sticks varies from place to place; different governments care about different things. There's a single, straightforward motivation behind much of this regulation: governments want to maintain control and stay in power. The Chinese government blocks popular foreign messaging applications to funnel citizens into using surveillance-friendly, locally developed apps, the Russian government prioritises the suppression of opposition political parties (app, content and Telegram channel removal) and the Indian government suppresses political speech.

For these types of governments there is a straight line between what they want and how a tech company can help. Take down this app. Keep backups unencrypted. Silence these voices.

Other peripheral issues don't get the same state focus.

In Russia, for example, Telegram gets hit with a stick when it's useful to the opposition party around elections. But cyber criminals using it to share stolen data are ignored. Put differently, the Russian government is happy to let its citizens trade stolen credit cards, but not how-to-vote recommendations.

When it comes to engagement with authoritarian governments, tech companies have a few options.

One option is to simply not enter such markets in the first place. This is by far the cleanest choice, but forgoes the opportunity to provide valuable services to people. And perhaps also the opportunity to make vast sums of money.

For companies already entangled the nuclear option is to withdraw from these markets. Google operated a censored search engine in China from 2006 but decided to pull out of the country after the discovery of Operation Aurora, a Chinese state-sponsored effort to hack US private sector companies including Google.

A third option is to capitulate and tailor their services to suit various countries' regulatory demands.

Either way, companies must think about their red lines and what they can do if they are asked to cross them.

In the case of surveillance-related demands, liberal governments have occasionally helped to define these red lines. European Union sanctions, for example, "helped" Norwegian telecom company Telenor. Telenor has decided to withdraw from the Myanmar market after being pressured to install surveillance technology on behalf of the military junta, when doing so would break an EU arms embargo.

When it comes to content-focussed regulations the liberal countries that are home to these tech firms are unlikely to be able to do the same sort of thing. Tech companies are on their own with those three choices: don't enter these markets, withdraw from them if they're already there, or capitulate to the whims of authoritarians.

Ransomware 'Policy of Hope' Falls Over

Ransomware is back in US critical infrastructure and the US government needs to rethink its strategy before these reckless criminals damage something truly important.

BlackMatter, a ransomware group that claimed it would avoid targeting critical infrastructure, has ransomed New Cooperative, an Iowa-based farm services provider, asking for USD$5.9m. The company appears to have exaggerated its importance in the food supply chain as a negotiating tactic to emphasise the possibility of US government action. But the attackers were entirely unmoved, telling New Cooperative they were not critical infrastructure "You do not fall under the rules" and "No one will give you decryptors for free, look for money."

Negotiations on that one have taken a somewhat expected turn, too.

Thankfully, that attack will likely result in inconvenience rather than mass starvation -- farmers are simply recording their grain hauls on paper. It remains true, however, that American critical infrastructure is unacceptably vulnerable to these campaigns and ransomware operators have no qualms about attacking critical sectors to apply pressure. Without further action it's just a matter of time before another high-impact disruption such as Colonial Pipeline hits the headlines.

There has been at least some movement, with the US government taking action against cryptocurrency payments to cyber criminals on two fronts. One effort is to crack down on exchanges that facilitate ransomware payments. Russia-based Suex is the lucky first, with the US government claiming "analysis of known SUEX transactions shows that over 40% of SUEX’s known transaction history is associated with illicit actors". It's likely that more exchange sanctions are coming.

The second effort is aimed at discouraging organisations from paying ransoms in the first place. It's "Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments" warns that paying ransoms could break sanctions and result in civil liabilities, even if the payer wasn't aware that they were breaking sanctions. But they'll be more lenient if you had good cyber security policies and procedures in place and reported the ransomware incident to US government agencies. In other words, do the right thing and you'll be ok; play stupid games and win stupid prizes.

Ransomware groups are already trying to get ahead of these efforts, warning victims not to contact the government or hire negotiators.

Dmitri Alperovitch, a friend of Risky Business, echoed a lot of our thinking in a New York Times opinion piece published this week. His argument: improving defences at scale just isn't viable, making cryptocurrency payments more difficult is part of the solution, but to have immediate impact the US needs to ask Cyber Command to directly interfere with ransomware operators.

There has been some planning for disruption operations. The FBI, in cooperation with "other agencies," planned to disrupt the REvil ransomware gang in the aftermath of its hack of Kaseya's clients, but REvil’s disappearance made the operation moot. Ironically, the FBI already had the decryption key and could have helped organisations affected by the Kaseya incident, but didn't release it to avoid tipping off REvil.

Australia should join in on such efforts, too. One of ASD's legislated functions is to "prevent and disrupt, by electronic or similar means, cybercrime undertaken by people or organisations outside Australia". ASD has the legal mandate and this week's surprise announcement of a trilateral security partnership between Australia, the US and the UK (dubbed AUKUS) adds further motivation. Although media coverage of the announcement this week focussed on nuclear submarines -- and how upset the French were -- the agreement was at heart a commitment to increase technology sharing and supply chain integration. The joint statement specifically mentioned cyber capabilities, so there is an alignment at many levels. Let's have at it.

Actions Have Consequences. Who Knew??

Vulnerability researchers and exploit developers are shocked -- SHOCKED!! -- that their work can have significant geopolitical and human rights consequences. The degree of their surprise suggests cyber security education should cover the real-world implications of such work.

In an interview with Kim Zetter, former NSA analyst David Evenden recounted his time at CyberPoint, the American company that employed former US intelligence personnel to conduct cyber espionage operations in the UAE. (The CyberPoint contract was eventually awarded to a UAE-based company, DarkMatter.) The interview adds further colour to last week's news that the US was cracking down on citizens hacking on behalf of other countries.

One interesting tidbit -- the UAE "would regularly purchase new laptops and install them with malware, and [then they would] give them away as gifts". Amazingly, this works sometimes, even with US officials. Vice Admiral John Miller, for example, kept an iPad Mini "for official use only" after being gifted it by the UAE. This makes no sense and I don't understand.

A theme in Evenden's interview was that there were a "ton of red flags" but that he was "so naive" he didn't pay attention to them. It really shouldn't need to be said, but anyone working in cyber security, especially on the offensive side, should know that their work can have real impact both for good and for bad. A couple of examples from one excellent Tom Brewster article for Forbes: Luca Todesco, an Italian 0day developer found his techniques being used to hack Uyghur muslims after sharing them with Chinese contacts; and data on vulnerabilities from US company Exodus Intelligence appears to have been used to develop exploits that were deployed against China and Pakistan.

Three Reasons to be Cheerful this Week:

1. Secure open source software: Google is sponsoring security reviews of eight open source projects that were chosen based on the impact they would make on the open source ecosystem. This is part of Google's support for open source software which includes USD$100m to support open source foundations.
2. Mafia arrests: 106 Italian mafia were arrested for various cyber crimes including business email compromise, SIM swapping and phishing.
3. Buh bye: A man running a dark web hosting service has been sentenced to 27 years. His service hosted over 200 child exploitation websites, and at one point was believed to host over half of the dark web.

Shorts

Huawei's Smartphone Division: Naughty or Nice?

US Officials are unsure whether to remove Honor, the smartphone maker that was formerly part of Huawei, from an export blacklist. End user devices can still be compromised via supply chain attacks, but they are less of a concern than the risk of entire telco networks being compromised.

Circles Within Circles Within Circles… Now With Memes!

Intrusion Truth, the mysterious group that publishes blogs that dox Chinese intelligence operatives, has told the story of how Ren Yuntao, a possible Chinese Ministry of State Security official, contacted them on Twitter with a Lionel Ritchie meme. This newsletter suspects the meme was sent by a third party doxxing Mr Ren, but hopes it really is a disgruntled MSS meme artisan.

OMI? More Like OMG Amirite?

The Open Management Infrastructure (OMI) agent Microsoft Azure bug that this newsletter described last week is being exploited by DDoS botnets and cryptominers. Although OMI is notionally open source it was created by Microsoft and its contributors are Microsoft employees. The vulnerabilities were patched in August (publicly viewable), yet Microsoft didn't repackage the fixed OMI into their own Azure images and didn't update customer systems before an MSRC security bulletin.

Basically, Microsoft failed to coordinate patch management and security bulletins with itself.

Epik Data Crunching Continues

The controversial web hosting provider and domain registrar Epik, host of various far-right and conspiracy theorist sites, has been hacked and the data released. This could potentially be a goldmine for extremism and conspiracy theory researchers. One report, for example, ties 122 separate Epik-registered domains to Ali Alexander, a "Stop the Steal" campaign leader and one of the primary organisers of the 6 January Capitol riot. More than half of these domains were directly related to Stop the Steal. Some anti-extremism activists have leapt on the data set and even doxxed Proud Boys members.

That's… A Lot of Unlocks

AT&T was compromised for 3 years by a combination of insiders and malware to unlock subsidised iPhones for profit. Muhammad Fahd was recently sentenced to 12 years in prison for the scheme, which over that time unlocked 1.9 million phones and cost AT&T USD$201 million in losses. Fahd paid over USD$1m in bribes to improperly unlock phones and install malware onto AT&T's network.