Srsly Risky Biz: Tuesday May 12

Attacks on healthcare cross red lines, CISA warns US States on internet voting, UK launches contact tracing apps...

Attacks on healthcare cross red lines

The ongoing march of destructive attacks on medical organisations and a frenzy of espionage interest in COVID-19 vaccine and treatment research is testing the restraint of several governments.

Brian Krebs reports that the Snake ransomware gang has locked up the network of European medical suppliers Fresenius. This follows attacks on healthcare providers including notable examples in the Czech Republic, UK and the US.

So pervasive is the Coronavirus in daily life that even ransomware attacks on unrelated businesses are impacting pandemic response - Risky.Biz can confirm that the latest ransomware attack on logistics giant Toll Holdings has held up supplies of influenza vaccines to medical practices across Australia.

Australia's Defence Minister previously warned that it is within the remit of the Australian Signals Directorate to conduct offensive security operations against non-state actors that target Australians. US Secretary of State Mike Pompeo also warned of 'consequences' for actors that impair hospitals and healthcare services during the crisis. Sources told Risky.Biz that those 'consequences' are now being dished out by several US agencies.

Policymakers now debate how to deter threat actors whose only motive is to monitor COVID-19 vaccine and treatment research. It's a tricky area of policy because - as the Risky Business podcast predicted in March - everybody's doing it.

Last week a joint statement by the UK and US warned pharmaceutical companies, medical research organisations and universities involved in COVID-19 research that they are being targeted. "I have likened this to the race to Quantum and the race to AI," CISA Director Chris Krebs told Risky.Biz in an interview. "Whoever gets the vaccine first can have a significant advantage both in the market and in domestic politics."

In this week's Risky Business livestream we discuss the ethical dilemmas this race poses. Is theft of medical research fair game for intelligence services? Should information about vaccine research - that could save lives - be protected as intellectual property? (Discussion starts at 35:00 on the video below)

Competency coming to contact tracing apps

The United Kingdom has released the NHS COVID-19 app for users on the Isle of Wight. The app features a crafty workaround for keeping alive connections between iOS devices running in the background. The Financial Times also reports that an alternative version based on the Gapple framework is under parallel development, should it be required. The client-side source code for the NHS app was released on day one alongside high-level security designs, as was a lengthy justification by NCSC Director Dr Ian Levy of why the UK opted for a centralised approach. (Spoiler: UK authorities want to know more than which user was in proximity to a person that later tests positive to COVID-19. They don't want to miss out on the opportunity to build a social graph from incidental data pulled from an infected user's device - see 'other interaction data' on this infographic).

In Australia, government agencies are responding with newfound maturity to bugs in the COVIDSafe app after being grilled in a Senate Estimates hearing on Wednesday. Risky.Biz is aware of a new set of security and privacy bugs in COVIDSafe. One is a Denial-of-Service condition that impacts all derivatives of Singapore's TraceTogether (including COVIDSafe and ABTraceTogether in Alberta, Canada). Encouragingly, Australia's Digital Transformation Agency responded to security researchers within a day, validated the bug within a further three hours and promised a fix in a future release. The DTA also released client-side source code for the COVIDSafe contact tracing app. It doesn't reveal much more than what could be gleaned from decompiled code - so it's only a half-step to transparency at this point.

Europe continues to be split down the middle between centralised and decentralised approaches: Switzerland pilots its decentralised contact tracing app (based on the DP-3T protocol) on May 13, and will pass laws similar to Australia's that ban employers or other parties from forcing people to use the app. Austria's second attempt at a contact tracing app - also based on the decentralised DP-3T protocol - launches later today. France's centralised app won't be available until June 2, while Germany has only just commissioned SAP and Deutsche Telekom to come up with an alternative.

You've got mail

From: Charming Kitten, imitating Gilead's IT team
To: Gilead

Reuters reports that Iran's 'Charming Kitten' has been caught trying to get insight into Gilead's remdesivir, a drug that some politicians hope will inhibit COVID-19. In January, Risky Business reported on Iranian campaigns against big pharma and “life sciences” companies that commenced in late 2019. The targeting hasn't changed, but now there is far more interesting stuff to steal.

From: Charming Kitten, imitating the American Foreign Policy Council
To: World Health Organization

Bloomberg reports that Charming Kitten is also having a solid crack at the World Health Organisation. One link between both Charming Kitten campaigns is their discovery by Israeli threat intel researcher Ohad Zaidenberg. He told Risky.Biz that after three years of monitoring Charming Kitten's attacks on Israel, he's come to be rather familiar with them.

From: Naikon, from a compromised diplomat's inbox
To: Western Australia's Department of Premier and Cabinet

Chinese State-backed actors have again revealed their hand in a foiled attack on the Western Australian Department of Premier and Cabinet. Attackers sent a spear-phishing email that - if opened - would have dropped the Aria-Body RAT. The phish was addressed to a user at the wrong government department, exposing the campaign. Check Point researchers attributed it to Naikon, which typically targets governments in South East Asia. Western Australia is the source of most of Australia's mineral wealth and agricultural products such as barley, much of which is sold to China. This week China threatened to slap an 80 percent tariff on Australian barley exports, probably in response to calls by the Prime Minister for an international investigation into the origins of COVID-19.

Twitter, US State Department at odds over Chinese disinformation

Twitter's Trust and Safety team has disputed US State Department claims that Chinese authorities set up a vast network of inauthentic Twitter accounts to amplify CCP propaganda about the Coronavirus.

According to Twitter, Chinese authorities don't need bot accounts to spread misinformation: they have plenty of genuine accounts willing to do it for them. The social media company's initial analysis found that while misinformation was promoted by the Twitter accounts of embassy officials, pro-government journalists and other state-backed entities, this doesn't fit the pattern of 'coordinated inauthentic behaviour' that would be deemed an abuse of its terms of service.

In related news, Twitter released a new labelling scheme that will mark up tweets that conflict with globally agreed COVID-19 medical advice. SAD!!!

CISA warns US states on internet voting

Kim Zetter at The Guardian got her hands on CISA guidelines on electronic voting systems, which lay out a pretty clear case for why internet technologies shouldn't be used for remote marking of ballots.

The document weighs up the risks associated with using internet technologies for electronic distribution of ballots (low risk), marking of ballots (moderate risk) and return of marked ballots (high risk).

Cyberscoop reports that the guidelines were signed off by the US Election Assistance Commission, the FBI and standards body NIST, and distributed to US states on Friday.

Here's the Risky.Biz take on internet voting:

Counting the cost of the Cognizant attack

IT outsourcer Cognizant expects to incur costs of between US$50m and US$70m from a ransomware attack in April.

The company told investors during an earnings call that attackers targeted its VPN infrastructure and didn't touch client data. These claims deserve scrutiny - ZDNet was told Cognizant's larger clients were initially kept in the dark and had to pull their own threads to figure out what was causing issues.

One client told Risky.Biz that Cognizant's response could be summed up in a single word: "clueless". We wonder whether the US$50m-US$70m factors in the cost of clients showing Cognizant the door...

Zoom buys Keybase

Video conference startup Zoom has acquired encrypted messaging service Keybase. It's part of a 90-day security makeover whipped together by our sometimes co-host Alex Stamos.

Keybase engineers will be working on a paid Zoom service that offers end-to-end encryption for meetings between users running Zoom software on their endpoints.

Zoom will announce a new crypto design on May 22. Stamos gave us a preview in this week's Risky Business livestream.

Three reasons to actually be cheerful this week:

  1. Early scans catch the bugs: GitHub switched on a code scanning feature that uses semantic analysis to search for common patterns in code suggestive of vulnerabilities. It uses queries submitted to the open source CodeQL project, of which there are currently ~1700. It looks like a smart way for devs to clean out basic bugs prior to manual testing. GitHub is also opening up its secrets scanner (a tool that searches for exposed secrets in code) to private repos.
  2. Five fewer fiends: Polish Police arrested five individuals associated with the Infinity Black hacking group, who were accused of brokering the sale of stolen user credentials.
  3. Google Authenticator is portable: Ever tried to move to a new phone and found that Google Authenticator codes no longer work? PITA. Now they're portable on Android phones. Alas, there are no plans to bring portability to iOS - iPhone users will still have to manually delete and re-establish codes for every app.
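To show what a secrets scanner of the kind GitHub is opening to private repos actually does, here is a small worked example written for this newsletter. It is not GitHub's code and does not reproduce its rules: the signature patterns, the entropy threshold and the sample "repository" files are all constructed for illustration (the AWS key value is the placeholder AWS uses in its own documentation, not a live credential). The two ideas it demonstrates are exact signatures for well-known credential formats and a Shannon-entropy heuristic that flags random-looking values assigned to secret-sounding names while ignoring obvious placeholders.

```python
"""Minimal secrets scanner: regex signatures plus an entropy heuristic (illustrative)."""
import math
import re
from typing import Dict, List, Tuple

# Constructed sample repository contents. None of these are real credentials;
# the AKIA value is the placeholder used in AWS documentation.
SAMPLE_FILES: Dict[str, str] = {
    "config.py": (
        "DB_HOST = 'db.internal'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "API_TOKEN = 'x9fQ2pL7vR4sT1uW8yZ3bC6dE0gH5jK2'\n"
        "SESSION_SECRET = 'aaaaaaaaaaaaaaaaaaaaaaaa'\n"   # placeholder, should not fire
        "DEBUG = True\n"
    ),
    "keys/backup.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEconstructedNotARealKey\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Set API_TOKEN in your environment before running.\n",
}

# Exact signatures for credential formats with a fixed, recognisable shape.
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic rule: a secret-sounding name assigned a quoted string literal.
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:secret|token|password|passwd|api_key|apikey)\w*)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
)

# Tunable heuristics (our choice, not GitHub's): random base62 tokens of 32 chars
# score roughly 4.5-5 bits/char, repeated-character placeholders score near 0.
ENTROPY_THRESHOLD = 3.5
MIN_LENGTH = 20

Finding = Tuple[str, int, str, str]  # (path, line number, rule name, redacted snippet)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character in s, estimated from character frequencies."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(line: str, value: str) -> str:
    """Keep a 4-char prefix so the finding is recognisable without re-leaking the value."""
    return line.replace(value, value[:4] + "...****")


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every rule over each line of one file and return the findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SIGNATURES.items():
            if pattern.search(line):
                findings.append((path, line_no, rule, line.strip()))
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            # Both conditions must hold: long enough to be a real secret and
            # random-looking enough not to be a placeholder like 'aaaa...'.
            if len(value) >= MIN_LENGTH and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((path, line_no, "high_entropy_assignment", redact(line.strip(), value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory mapping of path -> contents (stands in for a checkout)."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for path, line_no, rule, snippet in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: [{rule}] {snippet}")
```

Running it reports three findings (the AWS key id, the high-entropy API_TOKEN and the private key header) and nothing for the README mention of API_TOKEN or the all-'a' placeholder. A real scanner adds many more signatures, scans git history rather than just the working tree, and verifies candidate credentials against the issuing service so developers are not buried in false positives.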


BEC blame game: A Singaporean real estate mogul is suing Australian law firm Mills Oakley over a $1m loss from a business email compromise scam. Victim Harry Chua says the law firm should never have paid out funds from his trust account on the basis of an email; the law firm claims that an email from his domain should be trusted (they assume his email system was hacked).

Twin Taiwan ransomware attacks: Taiwan's two largest fuel companies - CPC Corporation and Formosa Petrochemical Corporation (FPCC) - were both hit with ransomware attacks one day apart. That's some coincidence!

Double trouble at Pitney Bowes: It's pretty common for organisations that have let attackers into their networks once to get attacked a second time shortly thereafter. Shipping software company Pitney Bowes got hit by Ryuk in October 2019 and this week is under attack by the Maze gang.

Samsung patches interaction-less zero-day: Samsung patched a zero-click vulnerability that would allow an attacker to compromise any Samsung mobile phone dating back to 2014.

WeChat censorship teardown: CitizenLab published a detailed analysis and a quick explainer on how content is censored on Chinese social network WeChat.

Defcon is not cancelled: Hacker conference DEF CON is experimenting with a virtual conference this year - cheekily titled 'Safe Mode'. Black Hat is doing the same thing but offered us no puns to work with.