Srsly Risky Biz: Tuesday April 21

Gapple's global progress, CISA's warning on patched VPNs, BEC scam targets COVID relief payments

Governments gravitate to Gapple contact tracing standard

Health authorities are revisiting plans to release hastily-developed COVID-19 contact tracing apps that are unsupported by Apple and Google, now that the tech giants are promising developers a built-in contact tracing framework.

Several countries have released, piloted or approved apps that use Bluetooth Low Energy for contact tracing well in advance of the Google-Apple (hereafter 'Gapple') announcement. Their experiences are instructive.

Inspired by Singapore's TraceTogether app, the Czech Republic released the eRouška Android app on April 11. It did not release an iOS version for the same reason TraceTogether struggled with adoption - Apple does not support the use of Bluetooth Low Energy advertisements while apps run in the background, and won't until apps conform to the Gapple framework. The Android app attracted 100,000 users (1% of the population) in its first week.

NHSX - the digital arm of the UK's NHS - is currently piloting a contact tracing app, but appears likely to pivot to make use of the Gapple framework. The UK Information Commissioner's Office has signalled conditional support for it.

The UK wouldn't be first to flip. ProteGO, an open source app endorsed for release by the Polish Ministry of Digital Affairs, was iced within a day of the Gapple announcement, opting instead to wait for operating system support.

Denmark also appears unlikely to introduce contact tracing into its COVID-19 iOS app until Apple can enable BLE to work in the background.

The Australian Government has announced plans to release a COVID-19 contact tracing app based on Singapore's OpenTrace framework. Australians will be asked to provide their name, age-range, postcode and phone number upon enrolment. This data - and the details of other users captured by proximity-tracking smarts - will be stored in encrypted form on user devices (decentralised) until an infection event. When a user tests COVID-positive, they can upload the data to health authorities - the sole party that can decrypt the data - for use in manual contact tracing. In some evasive emailed responses to Risky.Biz, the government's Digital Transformation Agency committed to publishing the app's source code, but won't commit to sharing it prior to the app's public release or to making use of the Gapple APIs - which doesn't inspire confidence.

On this week's Risky.Biz livestream, we discussed the false dichotomy between rolling out bespoke apps and using the Gapple framework, and detailed how health authorities could easily adapt it to their unique requirements.

As discussed on our livestream, there are no technical impediments to capturing enrolment data in apps that make use of the Gapple API. Developers could feasibly link contact details captured at enrolment to notifications generated through the Gapple API to support existing manual contact tracing processes. The only change use of the Gapple framework imposes on an app is the order in which an at-risk individual is notified - first by the Gapple OS feature, followed by a call from health authorities.

This analysis assumes Apple and Google won't block apps that include these additional features. It's incumbent on the mobile OS companies to provide assurance to health authorities by clearly elucidating to the public what would constitute abuse of the service.

More broadly, the EU announced a minimum set of requirements for all contact tracing apps across Europe, insisting on user consent, no location tracking, anonymised data and a post-pandemic plan for switching off tracing features. EU academics are meanwhile split over whether to take a decentralised approach to contact tracing (using the DP-3T contact tracing protocol) or to allow health authorities greater control and access to data (the ROBERT protocol).

Did attackers own you before you patched your VPN?

Ransomware actors continue to penetrate networks that use Pulse Secure VPNs, including those that patch their VPN servers in a (relatively) timely fashion.

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of a surge in human-operated ransomware attacks that use Active Directory credentials stolen many months ago in attacks that abused the CVE-2019-11510 arbitrary file reading vulnerability.

CISA fears that some administrators have grown complacent after patching the gateway devices, unaware that attackers already had a foothold in the network. It recommends Pulse Secure VPN admins run a CISA-developed tool to check for signs of compromise.

If there is any evidence of compromise, the agency recommends the reset of passwords for all Active Directory accounts, including admin and service accounts.

Pompeo warns of 'consequences' for attacks on US allies

US Secretary of State Mike Pompeo has threatened to 'hold accountable' threat actors planning destructive malware attacks against critical infrastructure in the Czech Republic.

In the absence of further context or actor attribution, Pompeo's blusterous response comes off as disproportionate to the threat. The Czech warnings appear related to analysis of spear phishing emails linked to destructive malware - which, while concerning, aren't entirely uncommon.

Operators of critical infrastructure in the region have been instructed to watch for spear phishing emails with double file extensions and to run and test offline backups.
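A simple attachment-name check for the double-extension pattern the Czech warning describes, as an added example that is not part of the original newsletter. The extension lists and the sample attachment names are constructed for illustration; legitimate compound extensions such as .tar.gz are allowed so they don't generate noise.

```python
from typing import List, Optional, Tuple

# Extensions that run as code on a typical Windows desktop (constructed list; tune to your estate).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
                   "wsf", "hta", "ps1", "msi", "lnk"}
# Extensions a user reads as a harmless document or image.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
                 "rtf", "csv", "jpg", "png", "zip"}
# Legitimate two-part extensions that must not be flagged.
ALLOWED_COMPOUND = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz")}

# Constructed sample attachment names, as they might appear in a mail gateway log.
SAMPLE_ATTACHMENTS = [
    "Q2_report.pdf.exe",
    "archive.tar.gz",
    "minutes.docx",
    "scan0042.jpg        .scr",   # whitespace padding pushes the real extension out of view
    "notes.final.txt",
    "payroll.xlsx.js",
]


def check_attachment_name(name: str) -> Optional[str]:
    """Return a reason if `name` looks like a deceptive double extension, else None."""
    # Strip whitespace around each dot-separated part and compare case-insensitively,
    # so "Invoice.PDF   .exe" is treated the same as "invoice.pdf.exe".
    parts = [p.strip().lower() for p in name.split(".")]
    if len(parts) < 3:            # need a base name plus at least two extensions
        return None
    exts = parts[1:]
    last = exts[-1]
    if (exts[-2], last) in ALLOWED_COMPOUND:
        return None
    # The deceptive case: a document-looking extension hiding an executable one at the end.
    if last in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        return f"document extension followed by executable .{last}"
    return None


def scan_attachments(names: List[str]) -> List[Tuple[str, str]]:
    """Run the check over a batch of names and return (name, reason) for each hit."""
    hits = []
    for name in names:
        reason = check_attachment_name(name)
        if reason:
            hits.append((name, reason))
    return hits


if __name__ == "__main__":
    for name, reason in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"FLAG {name!r}: {reason}")
```

A single executable extension (setup.exe) is deliberately not flagged here; that is a separate attachment policy, not the double-extension trick.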

Pompeo's choice of words will be of interest to policymakers. The recent Cyberspace Solarium Commission called on the administration to 'signal' to adversaries which lines it would not allow them to cross without retribution. Risky.Biz covers this in detail this week in the first of our feature series on the Commission: 'Deterrence in cyberspace isn't working. What next?'

COVID-19 relief scam reaches epic scale

The German state of North Rhine-Westphalia may be exposed to significant fraud losses after failing to authenticate the identity of constituents applying for pandemic relief.

Attackers set up two imitation websites to collect payment requests, and simply changed the bank account details on any requests victims submitted before re-submitting them to the official government site.

The state government is yet to fully tally its losses - local newspapers report that around 4000 payments were redirected, and local police have received 576 reports of fraud from the public so far.

New Emotet variant worries researchers

Malware analysts are on alert after a redesigned Emotet downloader - which exhibits new anti-analysis capabilities - was pushed out to botnets in advance of anticipated malspam campaigns.

In the recent past, Emotet was used as a loader for TrickBot infections. TrickBot - traditionally used for injecting into online banking sessions - was repurposed for use in lateral movement and manual download of post-exploitation tools like BloodHound, Cobalt Strike or PowerShell Empire.

In related news, an analysis of Microsoft Office365 filters fingers TrickBot as the most prolific malware operation using COVID-19 themed phishing lures.

Pastebin sets a higher premium for intel shops

Pastebin, an online service synonymous with data breach dumps, doxing and ransom demands, has removed a 'data scraping API' it previously sold PRO users for a 'lifetime' price of US$50, blaming "active abuse by third parties for commercial purposes".

The pasting site is popular with cybercrime gangs and the people that track them. It is now asking threat intel shops to apply for an 'Enterprise API' at an undisclosed (undoubtedly higher) price.

Pastebin is offering angry independent malware researchers - who paid for a now-useless 'PRO' membership - opportunities to 'volunteer and collaborate' with the company. Brave.

Three reasons to actually be cheerful this week:

  1. Not for (ICANN) profit - ICANN's proposed sale of the .org registry to a private equity firm has again been postponed, thanks largely to a damning letter penned by the Attorney General of California.
  2. Zoom security sprint, Week #2: Zoom has hired Risky.Biz regular guest Alex Stamos as a security advisor, is replacing its encryption cipher with AES-256 GCM ahead of a comprehensive crypto overhaul, has commissioned BishopFox, NCC Group and Trail of Bits for security audits and Luta Security to design a new vulnerability disclosure program. Big guns. Pew Pew.
  3. Phishing kits are getting expensive again - The average and median price advertised for phishing kits grew in 2019. Catalin Cimpanu explores why over at ZDNet.

Shorts:

Cognizant hit with ransomware: IT outsourcer Cognizant is limping back into operation after a ransomware attack attributed to the Maze crew. Cognizant provides services to some of the biggest IT shops in the world, recording in excess of US$16 billion in revenues last year. Forensics and law enforcement teams have been called in.

Hunt Norks for cash: The US Government will pay up to US$5m for assistance that helps thwart or bring to justice actors hacking for North Korea - many of whom are assumed to operate from outside the hermit kingdom.

Twitter transparency blocked: The US District Court has ended Twitter's six-year-long quest to be transparent with the public about how many national security letters (warrant-less US law enforcement requests for user data) it is served each year.

Patch everything: Sending thoughts and prayers to all the enterprise IT teams recovering from Patch Tuesday last week. Darkreading tallied up 567 patches - 400+ in Oracle apps, 100+ in Microsoft products, and a smattering of Adobe, Intel, SAP and VMware.

Your wallet or mine: Google has removed 49 Chrome extensions that posed as legitimate cryptocurrency wallets, but existed only to steal any value stored in them.

Slow to connect: Linksys has asked users of its Smart WiFi accounts to reset passwords in response to a month-old attack that redirected customer web requests to malicious sites.