Srsly Risky Biz: Thursday, September 16

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Don't Panic: More 0days Caught in Wild is Good News

It's counterintuitive, but it's likely the booming number of 0day exploits being captured in the wild is good news.

Security Week has documented 66 0days exploited in the wild so far this year; 15 targeted iOS and macOS, 20 affected Microsoft products including Exchange, Office, the Windows print spooler, etc. Just this week Google, Apple and Microsoft all patched 0days that were being actively exploited.

While the soaring number of critical security vulnerabilities being used for nefarious purposes might look like bad news, ironically it's probably a symptom of broader security gains.

Mark Dowd, the recently departed former Director of Research at L3Harris Trenchant and founder of Azimuth Security told Seriously Risky Business the surge in publicly reported 0days is rooted in better detections on the defender side and easier commercial access to exploits.

"I think the primary reason we are seeing 0day chains caught in the wild is because detection is becoming more sophisticated," he says. "Defenders' tools have grown more advanced over the years, as have techniques developed by groups such as Google's Thread Analysis Group (TAG)."

Overall improvements in security means that actors need 0days to succeed, too, which has driven proliferation. "There are more sellers in the market and basically these tools are easier to obtain than they once were," Dowd says, adding buyers are perfectly happy to pay as "a king's ransom for some tool might be a drop in the bucket compared to the expected payoff."

0days are increasingly being used sloppily, too. Dowd speculates that "a lot of the criminals and government actors who now have access to some of these tools are less sophisticated than the original players, and are more likely to get caught".

So in other words it's not 2005 again, the increased discovery of 0day attacks in the wild is good news. Underlying structural changes in the cyber security environment are driving the change, so Seriously Risky Business expects the 0day drumbeat to continue.

A Look At This Week's Bag of 0day:

There was a lot of 0day, but the Apple stuff got all the social media glory.

Apple patched a so-called "zero-click" attack discovered by The Citizen Lab which was apparently being used by NSO group to deliver its Pegasus malware.

The Twitter vibe of the day was "PATCH NOW" or else. It's a serious bug and definitely worth patching, but the truth is that the number of people that avoided being hacked because they patched quickly was probably zero. The bug was first discussed by Citizen Lab in late August, but was being used as early as February this year.

Apple's head of Security Engineering and Architecture, Ivan Krstić, took the unusual step of releasing a formal statement. "Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data".

That statement is true, but cold comfort if you are one of these "specific individuals".

In addition to the Apple patch:

• Google patched two 0days that were being exploited in the wild per Google's Maddie Stone.
• The Microsoft MSHTML 0day that this newsletter described last week was patched on Tuesday, but not before attackers started using it in various campaigns.
• A Zoho ManageEngine server 0day was exploited for about a week before a patch was released.

Ravens Come Home to Roost

The US government is placing stronger restrictions on the transfer of cyber espionage tools and tradecraft to foreign entities. This is a tricky issue, as tradecraft may not strictly be classified, but the US is making it clear that knowledge transfer falls under International Traffic in Arms Regulations (ITAR). You'll need a licence to teach NSA-style hacking.

Three former US military and intelligence personnel struck a deal with the US Department of Justice to avoid prosecution over their provision of hacking services to the United Arab Emirates' government.

The three -- Marc Baier, Ryan Adams and Daniel Gericke --  are accused of working for DarkMatter, a company that conducted hacking operations for the UAE government. The three knew that they were breaching (ITAR) by providing defense services without a licence and were also complicit in unauthorised access to US servers.

DarkMatter also hired a number of other former US intelligence community analysts to work on their clandestine hacking operation, Project Raven, although most of these hires thought -- or at least convinced themselves -- that they were working with the knowledge and concurrence of the US government.

Baier, Adams and Gericke appear to have been aware that the activities were illegal. They agreed to pay fines of USD$1.68 million in total and pinky promise not to be bad again in exchange for not being prosecuted.

Bobby Chesney, professor at the University of Texas School of Law said on Twitter "An important statement by DOJ that (1) such foreign service does implicate ITAR and thus does require a license, and (2) CFAA charges will come into play—license or not—if the services include targeting US entities (either as ultimate targets or as means to get to such)."

Although the action is significant the penalty strikes us as a bit weak. Gericke was, at least until recently, CIO of ExpressVPN, which was sold last week to British-Israeli firm Kape Technologies for USD$936m. So a million here or there doesn't seem like it might matter all that much.

(As an aside, Seriously Risky Business wonders how a VPN run by a former intelligence official without a moral compass might make money.)

Although 0days are the focus of media attention, tradecraft is at least equally important. In this case the iOS 0day that Project Raven used was bought from Accuvant, a US exploit developer.

Tradecraft is similarly important for other types of intelligence operations. The CIA has warned about former officers working for foreign governments, so this action is an example to those who might like to trade their expertise for $$$ overseas -- don't do it without the right export licence.

Don't Run, We Are Your Friends

Increasing transparency requirements from regulators will be awkward for many companies as they're forced to reveal cyber security policy and practice failings.

Companies are afraid that a Securities and Exchange Commission (SEC) probe into the SolarWinds Orion supply chain attack will expose them to liability as it discovers unrelated but previously unreported ransomware incidents and data breaches.

The probe, which began in June, appears to originally have focussed narrowly on whether companies had failed to disclose that they were affected by the SolarWinds breach. Recently, however, affected companies have been asked to voluntarily hand over records related to any data breach or ransomware attack since October 2019.

According to an SEC official the questions are to find other breaches relevant to the SolarWinds incident. The SEC has offered an amnesty if data related to the SolarWinds hack is shared voluntarily, but it is not clear if this covers information about other incidents that are later determined to have no connection to the SolarWinds compromise.

Companies are uncertain what the SEC will do with knowledge of all the unreported breaches that have occurred. After all, the SEC recently took action against eight firms for failures in cyber security policies and procedures that allowed account takeovers.

The SEC has provided advice on reporting of material cyber security risks and incidents in both 2011 and again in 2018. So there's no problem as long as companies are reporting their cyber security risks and incidents transparently. And companies and the SEC agree on what is material.

ACSC Threat Report: Carnage as Usual

The Australian Cyber Security Centre Annual Cyber Threat Report was released. Mostly, it is what you expect. The Covid-19 pandemic was used as a lure; one quarter of incidents affected critical infrastructure or essential services; vulnerabilities are rapidly exploited; supply chain compromise; ransomware and business email compromise.

But a couple of numbers leapt out to us.

The first -- self-reported losses from cyber crime were more than $33 billion, the first time that the threat report has taken a stab at quantifying costs across the economy.

The second -- the ACSC issued more than 7,700 takedown notices, although we are curious about the exact mechanism involved. Typically takedown notices to hosting services are too slow, working through reputation management denylist services is better. Perhaps this is an extension of the Clean Pipes initiative?

US on Ransomware: Self Regulation is Working!

Conflicting messages from senior US government officials indicate that their current ransomware strategy relies too much on Putin reining in the criminals. The US needs to stop waiting for Godot and to commit to stronger action.

FBI Deputy Director Paul Abbate recently said that there is no indication that the Russian government has taken steps to temper the actions of Russian ransomware operators. "Based on what we’ve seen, I would say there is no indication that the Russian government has taken action to crack down on ransomware actors that are operating in the permissive environment that they have created there. We’ve asked for help and cooperation with those who we know are in Russia who we have indictments against, and we’ve seen no action, so I would say that nothing’s changed in that regard,” he told a panel at the Intelligence and National Security Summit.

Other officials are putting on a brave face. Chris Inglis, National Cyber Director, at a panel discussion at the Ronald Reagan Institute noted a decline in attacks and some syndicates had "to some degree, deconstructed. But I think it’s a fair bet that they have self-deconstructed, essentially gone cold and quiet, to see whether the storm will blow over and whether they can then come back.” He said it was "too soon to say that we’re out of the woods".

The Biden administration appears to be in a holding pattern at present, but without Russian government action it seems inevitable that big ticket ransomware activity will pick up sooner or later. What then for the Biden administration?

Tidak Bagus!

Reports that Indonesian government systems have been compromised by Chinese APT actors are unsurprising but still significant. There is a real geopolitical contest occurring in Southeast Asia right now as the US and its allies contest China's rising influence in the region.

The Insikt Group found indications that the Chinese-based Mustang Panda group had compromised "at least ten Indonesian government ministries and agencies", including the Badan Intelijen Negara (BIN), Indonesia's primary intelligence agency. Despite reports that "authorities had taken steps to identify and clean the infected systems", a BIN spokesperson said later that the incident was a "rumour" and that BIN's servers "remain secure".

There are plenty of reasons for Chinese interest in Indonesia. Elina Noor, Director Political-Security Affairs at the Asia Society Policy Institute, and former commissioner for the Global Commission on the Stability of Cyberspace, said that "given geographical proximity, China’s stake in Indonesia through BRI projects (the Belt and Road Initiative), as well as the overlap between Indonesia’s EEZ in the North Natuna Sea with China’s 'nine-dash line', it’s only natural for China to be interested in Indonesia". Indonesia is also the world's fourth largest country by population, and the world's largest muslim country.

The Indonesian government won't like this espionage activity being publicly reported. In 2013 the Indonesian government reacted angrily when leaked documents purporting to show Australian espionage efforts targeting senior leadership figures were published. A former Chief of Army hand-delivered a letter from the Australian Prime Minister to the Indonesian President to calm the situation. In this case, though, Noor thinks "Unless there are further public revelations of similar serious breaches, I don’t think this particular incident will change the broader bilateral relationship."

Shorts

Microsoft Rot Extends to Cloud

Did you know when you spin up a Linux box in Azure, Microsoft silently deploys the Open Management Infrastructure (OMI) agent on it?

Well, the agent comes with a suite of vulnerabilities, including local privilege escalation and even unauthenticated root access. To exploit that one you just remove an authentication header.

You'll have to patch the bugs in this software -- that you didn't know you were running -- yourself. Microsoft can't fix this issue for its customers.

In other splendid Azure news, it's possible to exploit Azure Container Instances. Microsoft's Container-as-a-Service would allow attackers to run code on other people's containers and steal customer secrets.

Bruce Willis on Lazy Mode

Bruce Willis has authorised the use of a deepfake of himself for advertising the Russian mobile phone operator MegaFon. This is both cheaper than travelling to Russia and easier than acting.

What's Old is New Again

A draft of an updated OWASP Top 10, a list of the most critical security risks to web applications, has been released. It's interesting to observe the evolution of risks over time. What used to be a list of specific vulnerability types has evolved into a more category-oriented guide. That's both good and bad. Patrick and Adam spoke about it in this week's Risky Business podcast, at around the 36:45 mark.

WhatsApp has added end-to-end encryption for backups

WhatsApp is allowing users to end-to-end encrypt backups to cloud-based services such as Google Drive or iCloud. One of the ways that law enforcement can access the content of end-to-end encrypted messages is warranted access to unencrypted backups, so this'll add a bit more fuel to the "going dark" dumpster fire.

Crimephone Operation Nopes Out of Australia and USA

The crimephone company Ciphr is stepping out of the Australian market after the success of the An0m App sting. It's like geo-blocks on Netflix, what will Australian organised crime do?