Srsly Risky Biz: Tuesday April 28

US to kickban Chinese telcos, Vietnam sprung hacking for COVID-19 secrets, Sophos firewalls exploited, plus the latest on contact tracing apps

Chinese telcos threatened with US expulsion

It's seriously risky business to shut the world's second-largest economy out of your telecommunications sector altogether.

This week the US Federal Communications Commission ordered three Chinese State-owned telcos to 'show cause' for why it shouldn't expunge their license to operate in the United States.

FCC previously banned Chinese networking equipment, blocked China Mobile from entering the US market and blocked Google from connecting undersea cables between the US and Hong Kong.

China Telecom Americas, China Unicom Americas and Pacific Networks each have 30 days to prove their operations and subsidiaries are "not subject to the influence and control of the Chinese government." Among other demands, each must detail affiliations between directors/employees and the CCP/Chinese Government, provide network diagrams, list interconnections with other service providers, provide inventories of network equipment and hand over US subscriber information to avoid license revocation.

Their imminent exile is close to a foregone conclusion. Chinese-owned companies are compelled by the Chinese Government to adhere to its 2017 National Intelligence Law, which demands that "any organisation or citizen shall support, assist and cooperate with the state intelligence work".

While the FCC muddied the waters on its motivation - one Commissioner blaming China's role in the COVID-19 crisis - the nub of the issue is made obvious in specific orders against China Telecom Americas.

CTA is accused of failing to comply with US security and privacy laws, attempting to mislead local authorities "regarding its cybersecurity practices" and providing "opportunities for increased Chinese state-sponsored cyber activities, including economic espionage and the disruption and misrouting of U.S. communications traffic."

This suggests the networks were used in intelligence-gathering attacks by actors aligned with CCP interests, and that the companies were uncooperative in subsequent investigations - a far more serious allegation than playing fast and loose with BGP announcements. Risky.Biz understands China Telecom has indeed been "well leveraged" by state security agencies.

Analysts don't expect a 'tit for tat' retaliation from Chinese authorities, as very few non-domestic operators are licensed to deliver services in mainland China. UK's British Telecom is the exception, in a deal proudly brokered by the UK Government - which might explain the UK's reticence to ban Huawei from UK networks.

Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations told Risky.Biz that the only retaliation he would expect is "pressure to be directed at the foreign operators of data centres" in China.

Risky.Biz notes that AT&T, Equinix and Australia's Telstra offer such services.

"They were already in the crosshairs with the cybersecurity law, and now pressure will be turned up," he said.

Advanced Persistent Irony: Vietnam/China edition

Weeks before the true nature of the Coronavirus outbreak in Wuhan was fully appreciated outside of China, intelligence agencies from several nations were all up in Wuhan's business seeking to monitor its response.

FireEye-owned Mandiant has revealed a set of spear phishing attacks sent to Chinese emergency management authorities and the local Wuhan government. The attacks began in early January 2020 - before any COVID-19 infections were recorded outside of China - and continued into March.

Mandiant attributed the attacks to APT32, an actor group with strong links to Vietnam. Analysts note that Vietnam was among the first countries to introduce lockdowns to prevent the spread of the virus.

Mandiant doesn’t know if the phishing campaigns were successful, but told Risky.Biz that it found one of the emails after it was “uploaded to a multi-scan service with full headers”. The things you find on VirusTotal!

Our favourite part of the story is seeing countries with fledgling offensive cyber capabilities repeatedly use the same one-liner China used whenever the latter was caught red-handed.

Compare:

"The Chinese government is opposed to all forms of cyber attacks." (2015)
“Vietnam forbids all cyber attacks, which should be denounced and strictly dealt with by law”. (2020)

Australia launches digital contact tracing

The Australian Government has launched its voluntary COVIDSafe digital contact tracing apps for Android and iOS, based on Singapore's TraceTogether app.

The government claims COVIDSafe includes a workaround for iOS restrictions that would ordinarily require users to run the app in the foreground to detect proximity to other users.

Initial analysis suggests that BLE advertisements between two locked iPhones running COVIDSafe won't work, but a locked iPhone might still exchange keys with an unlocked iPhone or Android device.

COVIDSafe users on iOS are nonetheless sent reminders to 'keep the app running' when they leave home. So whether the iOS app works as intended is an open question that the government doesn’t seem eager to answer. The fact we can’t tell is telling in itself!

The Australian Government says it is open to remedying this once Apple and Google's contact tracing framework (hereafter, 'Gapple') is made available. Authorities won't release source code for COVIDSafe for another two weeks - 'for security reasons'.

While Australian authorities made some poor technical choices, they compensated with some prudent legal ones. The Minister for Health made a (temporary) determination under Australia's Biosecurity Act to restrict access to data collected by the app to state and territory health officials, for the sole purpose of contact tracing, which he promised to legislate at a later date. "Not even a court order during the investigation of a crime" could force its release, he promised. Users can also register with a pseudonym, and by law, no party can compel users to use the app.

Around 2 million Australians (8% of the population) downloaded the app within its first 24 hours.

Australia's determination to release a substandard contact tracing app without the Gapple framework will be watched closely by its FVEY allies. The centralised collection and storage of user data sets a lower threshold for security and privacy than the Gapple framework, but Apple and Google did not impede its release.

The UK's NHSX now appears set to follow a similar path.

Europe the next battleground for contact tracing

Elsewhere in the world, health authorities continue to gravitate towards decentralised solutions after some false starts.

The Austrian Red Cross - who delivered the first contact tracing app in the EU in late March - will now completely redesign it after disparaging reviews and a discouraging security audit.

The first version was contracted to Accenture Austria and endorsed by the Austrian government. It used p2pkit for automatic handshakes (sending unencrypted exchanges of public keys), which couldn't work when the iOS app was running in the background. As a fallback, it used the Google Nearby Message service for manual exchange of public keys. This introduced US cloud storage to an app designed for EU users, and an awkward request that users allow the app to access their onboard microphone to pick up 'near-ultrasound' beeps.

Users subsequently had to manually connect with other users - the app would merely record the proximity and duration of contact when two users made deliberate choices to record them. Users reviews on the Google Play and iOS app stores were predictably poor. Bewildered by requests to access their microphone and occasional high-pitched squeals, they complained of reduced battery life from constant bluetooth scanning. The Austrian Red Cross will now switch to a completely decentralised system - name-checking the DP-3T protocol, and leaving the door open to using the Gapple framework.

In neighbouring Germany, authorities have also decided to switch from a centralised solution developed by the Fraunhofer Institute under the auspices of the Pepp-PT consortium, to instead favour the decentralised model promoted by DP-3T and Gapple.

Germany's decision aligns with health authorities in Poland, who made the switch last week, and Switzerland, where health authorities will initially roll out a contact tracing app based on the DP-3T protocol and "leverage the new Google and Apple Contact Tracing APIs as soon as they are available."

France, like the UK, remains committed to a centralised solution, demanding Apple allow for Bluetooth to run in the background without implementing any of the security and privacy goals Gapple put forward to mitigate the associated risks.

Apple and Google, meanwhile, announced updates to the contact tracing framework. The new specs use random key generators for proximity keys rather than deriving them from temporary tracing keys, and metadata associated with Bluetooth connections is now encrypted. The spec also allows developers to adjust thresholds for exposure events in increments of five minutes, with a cap on maximum exposure time at 30 minutes.

Gapple also made a semantic change: it now wants its framework and API to be described as 'exposure notification' rather than 'contact tracing'. The revised language changes nothing about the technology, but illustrates that public health authorities demand to be seen 'driving' contact tracing efforts, with technology companies relegated to supporting roles.

Economic stimulus plans used as phishbait

Several security vendors warned of an extraordinary (but predictable) spike in phishing campaigns this week that use economic stimulus packages as bait.

Where scams in early March imitated the World Health Organisation, FSIs and other globally-recognised bodies, a growing number of more recent scams brazenly imitate the government agencies that manage stimulus payments.

Some of the figures bandied about by vendors sound fanciful, but a cursory glance at newly-registered domains that combine words like "Corona" and "COVID" with language associated with relief payments supports their assertions.

Of the 153,000 suspicious top-level COVID-19 domains released by DomainTools, Risky.Biz found over 1000 that use the word 'relief', another 1000 that use the word 'Fund' (or German 'Fonds'), 900 that use 'Claim', 745 that use 'Loan', and several hundred each for 'Check', 'Stimulus' and 'Payment'.

A few TLD registrations directly abused the names of payment bodies - 28 used 'Schutzchild' to imitate Germany's 'Protective Shield' program, 9 abused 'KfW' and 5 included the UK's 'HMRC' (Her Majesty's Revenue and Customs).

Anecdotally, these domains appear to be registered within 48 hours of major announcements about stimulus funding.

If this continues, expect more calls from lawmakers for offensive operations to be unleashed on cybercrime operators.

Hotfixes available for Sophos' hot mess

Sophos has warned customers that a previously-undisclosed SQL Injection vulnerability in Sophos' XG Firewall is being abused in active attacks.

Its first bug report said the vulnerability would allow remote attackers to retrieve usernames and hashed passwords for administrators. The company has since noted that compromise can lead to full Remote Code Execution on the device.

To Sophos' (sorely-needed) credit, it quickly published hotfixes and a detailed breakdown of the malware dropped on compromised devices, including indicators for threat hunters to use in investigations.

Independent security analysts have determined that at least a few thousand devices have been compromised so far.

The attack doesn't bode well for AV vendors that - until recently - weren't often held to account for the quality of their code. This attack - and the exploitation of vulnerabilities in Trend Micro used to attack Mitsubishi Electric in January - suggest things are about to get pretty wild.

When is an iOS 0day an iOS 0day?

The vulnerability that got a disproportionate amount of chatter this week was an alleged interaction-less, zero-day exploit in iOS that could reportedly be triggered by sending a maliciously-crafted email to users of iOS' native Mail app.

You’ll notice we’ve used some pretty hedged language above. Read on.

A boutique mobile forensics company led by former IDF office and Zimperium chairman Zuk Avraham claimed the discovery after a forensic investigation of client iPhones that were behaving erratically. The report somehow deduced that attackers sent emails that contained no visible content, but consumed enough memory to trigger a heap overflow condition, providing attackers access to the victim's inbox.

Apple has responded, saying the bug poses "no immediate threat" to users, and would have to be chained to other novel exploits to take over a device. Further, Apple claims it was unable to find evidence of the vulnerability being exploited in the wild.

Statements from both parties leave room for scepticism. Stay tuned because our spidey sense says there's more to play out here.

The bug is patched in the current beta release of iOS - a longer-term fix will follow.

NSO Group's 'sovereign immunity' unravelling

Facebook-owned WhatsApp has filed intriguing evidence in its case against Israel's NSO Group, revealing that the privately-held spyware specialists attacked hundreds of US WhatsApp users from servers registered with (at least five) US hosting providers.

NSO previously argued that it should be entitled to ‘sovereign immunity’ - a protection typically only offered to states, on the basis that it’s only customers are the intelligence and law enforcement agencies that ultimately drive NSO's Pegasus spyware after NSO agents compromise a target.

The company refuses to name any states that use Pegasus. It has historically been identified in attacks attributed to authorities in Saudi Arabia and the United Arab Emirates.

WhatsApp asserts that NSO Group is a "for-profit" company, and that its US hosting arrangements would allow for logging the use of hosting infrastructure by third parties - making it responsible for abuse of those services.

NSO Group is subject to a separate FBI investigation, according to Reuters.

Three reasons to actually be cheerful this week:

  1. Detecting web shells: The ASD and NSA have released a handy cheat sheet for defenders seeking to detect web shells, including sample scripts for log analysis on common platforms, network signatures and HIPS rules.
  2. Scanning for badness: Greynoise has added a free (albeit hobbled) alerting service for malicious behaviour found to be pinging out from your network. The alerting service essentially provides for a set of IP addresses what ShadowServer provides for owners of an ASN. The usual caveats apply -  alerting services are often noisy and lack context.
  3. Recon on Azure AD: Here's another plain-English cheat sheet we liked this week - it details  new tools and techniques red teams might use to perform reconnaissance on Azure AD, which by extension makes it a good read for blue teams. You can usually trust a red team to document a new service better than a vendor.

Shorts:

Trouble at Travelex:  Imagine the assets of your parent company were seized, your chairman quit, and the market you operate in (travel) is crippled by a pandemic. There's never a good time to be a ransomware victim, but the timing for Travelex couldn’t be worse. The attack cost them ~US$30m, and they're now up for sale.

Nintendo users hacked: Nintendo is resetting the passwords of 160,000 users whose accounts were compromised after attackers abused a weakness in a legacy authentication system.

Quarantine surveillance in check: Israeli intelligence agency Shin Bet has been ordered by the High Court to halt its cellphone-data based quarantine surveillance program until the Knesset (parliament) passes laws to permit it.

Getting .gov.au in order: The Australian National Audit Office is scheduled to audit the security posture of nine critical government agencies over the coming months. Bring popcorn.