Srsly Risky Biz: Tuesday, February 16

Accellion customers are getting ransom notices, EGregor affiliates busted, French industry targeted by Sandworm crew and more.

Your weekly dose of Seriously Risky Business news is written by Brett Winterford, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation.

Accellion customers are getting ransom notices

The five most recent listings on the leak site of the CL0P ransomware group have two things in common. One, and most obviously, they are being extorted. And two, they've deployed Accellion file transfer appliances to send large files in their recent past.

Singapore's state-owned carrier SingTel, the American Bureau of Shipping, global law firm Jones Day, Netherlands-based Fugro and life sciences company Danaher were added to CL0P's leak site over the last week.

All five companies have historically published web portals where customers or third parties could send or receive large files using an Accellion file transfer appliance.

At this point, we don't know what role the CL0P group played in the attacks on Accellion customers. The ransomware gang might only be helping other attackers monetise the theft of data.

Either way, it's a foreboding sign for Accellion customers. This week, SingTel, America's University of Colorado and Australian medical research organisation QIMR Berghofer made public disclosures about attacks on their file transfer appliances.

QIMR Berghofer provided a model public response to the incident. QIMR's statement reassured medical research participants that all data had been de-identified prior to being sent or stored using the FTA. QIMR's statement was also candid about the research institute's own culpability: the impact of its breach was exacerbated because data was stored in the file transfer appliance for far longer than it should have been.

French industry targeted by Sandworm crew

French authorities have documented a long-running intrusion campaign, attributed to Russia's Sandworm team, that compromised customers of Paris-based IT monitoring vendor, Centreon.

French cyber security agency ANSSI disclosed [pdf] that several Centreon customers, most of them managed IT and web hosting providers, were compromised in attacks that started in late 2017 and continued into 2020.

Centreon is an IT monitoring tool that ships as a CentOS-Linux based virtual appliance. The commercially-supported version of the software is used extensively in France's defence, aerospace, telecommunications and energy sectors.

ANSSI attributed the attacks to the "Sandworm" activity set based on the use of two malicious programs: the PAS PHP-based web shell and a Linux version of the Exaramel backdoor, as well as a shared set of C2 infrastructure.

The cyber security agency didn't provide crucial details on how the customers were compromised, or how and when the intrusions were discovered. The most likely scenario is that attackers exploited vulnerabilities in the web interface of individual Centreon servers, as opposed to a supply-chain attack.

EGregor affiliates busted, and there's more to come...

A group of hackers that use the EGregor ransomware service to lock up corporate networks were arrested in Ukraine.

The news was broken by French radio station France Inter before Lawrence Abrams and Catalin Cimpanu each connected that news to some bigger happenings: EGregor's Tor-hosted leak site and (known) C2 servers were offline this past weekend.

Abrams reports that there has been a notable decline in EGregor attacks since mid-December, while Cimpanu's sources told him that French and Ukrainian law enforcement agencies are part-way through some sort of joint operation.

EGregor affiliates have attacked several French companies, and just last week infected the Centre Hospitalier de Dax-Côte d’Argent (a French hospital).

Myanmar turning into a surveillance dystopia

Military leaders that seized control of Myanmar in early February are pulling out all stops to control and monitor the country's electronic communications.

Leaders of the coup have revoked laws that shielded Myanmar's residents from mass surveillance, announcing that the military is now authorised to intercept electronic and other communications without a warrant.

On February 9, Myanmar's Ministry of Transport and Communications sent the country's four telcos and 140 ISPs a draft of proposed "cyber security" laws that are described by Human Rights Watch as "the dream of despots everywhere".

According to a translated copy of the draft laws published by activists, the laws would provide the military government absolute control over communications in Myanmar. It would order ISPs to record the username, IP address, telephone number, ID card number and residential address of subscribers, as well as a record of their use and "other information as directed".

The Ministry would then dictate where ISPs store that information and have the authority to temporarily ban a service or "control devices related to online service provision" at its discretion.

The laws also prohibit content that censors deem to be inciting protest against the military. It can order the removal of content that "disrupts the unity, stabilisation and peace" of Myanmar, or that the government decrees is "misinformation and disinformation with the intent of causing public panic, loss of trust or social division".

Control of telecommunications has been a central theme during the coup. Myanmar's deposed leader Aung San Suu Kyi reportedly destroyed her phone prior to the arrests, and military leaders charged her with illegally importing six unlawful communication devices (reportedly, handheld radios) that were "used without permission by her bodyguards", an offence that reportedly carries a sentence of up to two years in prison.

The military ordered that Internet services be shut down over two consecutive weekends in an attempt to disrupt a burgeoning protest movement. Access to social media apps like Facebook, Instagram and Twitter is banned.

Some of Myanmar's 22m internet users and 68m mobile phone subscribers are finding ways to overcome these challenges by using VPNs and mesh networking apps that don't require internet connectivity after initial installation. Mesh networking apps like Bridgefy and FireChat use Bluetooth to send text-based messages between users less than 100m from each other.

Newly-minted British skids face extradition to the US

We don't typically link to stories about kids arrested for sim-swapping attacks, but this one is exceptional.

Ten hackers in three countries were arrested after using sim-swapping to steal US$100 million in cryptocurrency from (yet to be named) American celebrities. It's pretty common for sim-swapping miscreants to target people with large holdings of cryptocurrency (1, 2, 3, 4, 5), but stealing US$100m from America's A-listers feels pretty Hollywood.

Eight of the 10 lads arrested were Brits aged between 18 and 26. They face hacking, fraud and money laundering charges at home and extradition to the US.

Unfortunately it's common for sim-swapping groups to recruit staff at mobile phone companies to help facilitate the swaps. In a separate story this week, a former Verizon customer service rep was charged with conspiracy to commit wire fraud after accepting bribes of around US$500 a day to perform SIM swaps on behalf of a US-based fraudster.

California-based Calvin Cheng, meanwhile, is suing his mobile network (T-Mobile) for failing to prevent a SIM-swapping attack that resulted in the loss of US$450k worth of cryptocurrency.

Save yourself the frustration

There are a few breathless stories doing the rounds that aren't worth burning cycles on. It's safe to ignore news stories that claim:

  1. The FBI can intercept Signal messages: No, the FBI in this case had physical access to an iOS device and the means to unlock it. That case has as much to do with Signal as it does with Apple's weather app.
  2. Chinese spies compromised Super Micro devices: Bloomberg is flogging the skeleton of a dead horse, publishing a third piece about tiny secret chips on Supermicro devices that spy for China. The updated story cites dozens of confidential sources, none of whom have spoken out over the two years since Bloomberg's first foray into Supermicro's supply chain security. It adds new allegations about compromised firmware but, in our opinion, the sourcing doesn't stand up to scrutiny.
  3. SolarWinds attacks required 1000 software engineers: It looks like Microsoft's Brad Smith may have been the source of the New York Times' assertion that SVR required 1000 software engineers to write the malware used in the Holiday Bear operation. Smith told 60 Minutes that the "1000 engineers" estimate came from an internal Microsoft analysis.

China's stealthy malware is giving analysts a hard time

A Palo Alto analyst stumbled onto a malware sample that, assuming it was attributed correctly, reinforces China's superpower status in the production of stealthy malware.

Unit 42 researcher Mike Harbison got his hands on a stager that tries every trick in the book to evade detection and analysis. It's the sort of thing you really don’t want to find on your network, and it looks like the authors did their level best to make sure you won't.

The stager Harbison analysed:

  • Is fileless (loads into memory) and transmits payloads in modified RC4-encrypted chunks,
  • Checks for debugging,
  • Changes its runtime footprint during execution to evade memory analysis and render signatures pointless (polymorphic),
  • Encrypts and decrypts function blocks during runtime,
  • Uses position independent code to evade static analysis, and
  • Creates unique session keys for each C2 connection.

On their own, none of these capabilities are novel, but Harbison was impressed to see them all used in one sample. He described the stager as being "in a class of its own" and "exceptionally difficult to detect".

The stager connected to a malicious C2 domain that Taiwan's Ministry of Justice attributed to China's BlackTech group in August 2020. BlackTech is an espionage operation that usually goes after targets in Taiwan and Japan.

Hacked psychotherapy business is Finnish'd

Finland's Vastaamo, a psychotherapy company hacked in November 2018 and again in March 2019, has applied for bankruptcy.

Vastaamo's reputation took a huge hit in 2020 when hackers published data stolen in those attacks and attempted to blackmail the company and its clients.

In response, holding company PTK Midco took Vastaamo to court, seeking the return of the €10m it paid for a 70 percent stake in the company in May 2019. PTK Midco claimed that Vastaamo's CEO didn't disclose the breaches during deal negotiations. Finnish regulators are also investigating whether Vastaamo was in breach of data protection laws by failing to protect sensitive client data and (allegedly) attempting to conceal the breach.

Mercifully, arrangements are being made for other healthcare providers to hire Vastaamo's remaining staff and treat its remaining clients.

Shared passwords. Drink! Windows 7. Drink! TeamViewer. Drink!

It turns out last week's story about the hacking of a US water treatment plant was a painfully familiar InfoSec story.

It was the story of a team sharing the same password for remote access (via TeamViewer) to a control system that runs on the (unsupported) Windows 7 OS.

The scary part of the story wasn't how close the hacker got to poisoning water supplies. The scary part is that this sort of thing is business as usual for critical infrastructure in the United States.

CISA has seized the opportunity to provide advice on how to use TeamViewer (more) securely.

Two reasons to actually be cheerful this week:

  1. #sharethemicincyber: The folks at #sharethemicincyber are again elevating the profile of Black Women in Security and Privacy on March 19. They're looking for Black practitioners to come forward and make their voices heard.
  2. The first step is to admit you have a problem: Microsoft introduced two new Azure AD roles to help manage administrative permissions: Auth Policy Admin and Domain Name Admin. Admins have long sought ways to perform various critical tasks without elevating to Azure's god mode (Global Administrator). Read this Mandiant report [pdf] or listen to yesterday's special feature on the Risky Business podcast and you'll understand why.

It must be bonus season in North Korea

Hackers from North Korea's cyber army continue to hit their KPIs: the United Nations fingered them for stealing US$300m+ of cryptocurrency between 2019 and November 2020, adding to the estimated US$2 billion already nicked in previous attacks.

Yandex insider sells inbox access to third parties

A technical support admin at Russia's Yandex was accused of selling access to close to 5000 user inboxes to third parties.

Sweden's Police service fined for using Clearview AI

Sweden's privacy regulator found that the Swedish Police Authority was in breach of the Swedish Criminal Data Act when it used facial recognition software from Clearview AI, a tool that scrapes the web for photos posted on social media. The police authority was fined SEK2,500,00 (US$300k). Investigations into use of Clearview AI continue in Canada, Australia and the UK.

Abusing Chrome sync for C2

Catalin Cimpanu's story about attacks that abuse Chrome's sync features to exfiltrate data out of a network is well worth a read. We discussed this at length in last week's podcast.

This week's long read

Alex Birsan's paper on "Dependency Confusion" is also worth checking out. Birsan searched through millions of online repos to discover where developers included the name of a private software package in the code. He then created a public version of the same software package and found a way to trick the build process into choosing his public version over the intended private one. The technique worked against lots of big names that run large, complex software projects: Apple, Microsoft, PayPal and Shopify among them.
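For defenders who want to check their own exposure to the name collision described above, here is an added example (not from Birsan's paper or this newsletter). It assumes a build tool that merges every configured index and takes the highest version; the package names, versions and index contents are all constructed.

```python
# Added example: simplified model of a resolver that merges several indexes.
# All package names, versions and index contents are constructed.

def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))

def resolve(name, indexes):
    """Pick the highest version of `name` across every configured index.

    `indexes` maps an index label to {package name: [versions]}. Merging
    candidates with no index priority is the assumed behaviour that lets a
    public package shadow a private one of the same name.
    """
    candidates = [
        (parse_version(v), label, v)
        for label, packages in indexes.items()
        for v in packages.get(name, [])
    ]
    if not candidates:
        return None
    _, label, version = max(candidates)
    return label, version

def audit(internal_names, indexes, private_label="private"):
    """Report internal names that also exist on a non-private index."""
    findings = []
    for name in sorted(internal_names):
        public_hits = [label for label, pkgs in indexes.items()
                       if label != private_label and name in pkgs]
        if not public_hits:
            continue
        source, version = resolve(name, indexes)
        findings.append({"package": name, "also_on": public_hits,
                         "resolved_from": source, "resolved_version": version,
                         "shadowed": source != private_label})
    return findings

INDEXES = {  # constructed sample data
    "private": {"acme-billing": ["1.4.2"], "acme-auth": ["2.0.0"], "acme-utils": ["0.9.1"]},
    "public": {"acme-billing": ["99.0.0"], "acme-utils": ["0.1.0"], "requests": ["2.25.1"]},
}

if __name__ == "__main__":
    for finding in audit({"acme-billing", "acme-auth", "acme-utils"}, INDEXES):
        print(finding)
```

A finding with `shadowed` set to true means the build would pull the public package; a finding with it set to false still marks a name that collides on the public index and would be shadowed if a higher public version appeared.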

...and some housekeeping.

There won't be a newsletter next week! You won't miss much: you'll only have to wait one day to get all the news you need from the Risky Business podcast.