Srsly Risky Biz: Tuesday, February 9

Hackers attempt to poison American town's water supply, Consensus forming on hound release, SolarWinds still hunting for SVR's initial access 

Your weekly dose of Seriously Risky Business news is written by Brett Winterford, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation.

Hackers attempt to poison American town's water supply

Hackers have attempted to poison water supplies in Oldsmar, Florida after accessing a control system at its water treatment plant, according to the town's local sheriff.

A plant operator monitoring the control system watched as a user twice initiated remote access to it during his shift on Friday. The operator first assumed it was his supervisor, who often uses the TeamViewer remote access tool for troubleshooting, but grew concerned a few hours later when he saw the mouse cursor navigate through several program functions before dialling up the amount of sodium hydroxide (lye) the system distributes into the water supply to dangerous levels (from 100 parts per million to 11,100 parts per million).

The plant operator immediately reversed the change, well before the higher mix of lye entered the water supply. It would typically take up to 24 hours for a change of that magnitude to take full effect. Oldsmar Sheriff Bob Gualtieri told reporters that automated safety systems would also have kicked in before the concentration of the chemicals in the water reached dangerous levels.

Gualtieri said the attackers accessed the City of Oldsmar's water treatment plant via the city's computer network, but to his knowledge didn't access any other city systems. The city has called in the FBI and Secret Service to investigate.

Attribution is everything on this one. Florida Man or Iranian APT? Either is possible, but one is a curiosity and the other is an international incident.

Joe Slowik, a former ICS security specialist, writes that successful state-backed attacks on industrial control systems have typically removed the operator's visibility or control and been far more precise about making changes that wouldn't trip additional controls. This attack didn't include any of those measures.

In mid-2020, attackers targeted water supplies in Israel in a similar fashion in a campaign Israel attributed to Iran. In the interests of geopolitical harmony, we really hope that's not the case here, and that the perpetrator is some random idiot doing a spot of Shodan-dorking. Hopefully investigators figure it out quickly; the sabres are already rattling.

Consensus forming on hound release

Former CISA chief Chris Krebs is the latest to voice his support for the idea of authorising Cyber Command to launch offensive cyber operations against ransomware crews.

Speaking to Britain's Financial Times, Krebs suggested USCYBERCOM should be authorised to monitor and "dox" (publicly identify) individuals known to be involved in ransomware campaigns. Krebs argued that some actors might be deterred if they realised they'd been identified by the US government.

Other ideas that have been floated (some by us) include:

  • Forcibly seizing cryptocurrency wallets used to facilitate payments to suppliers of ransomware crews;
  • Proactive disruption of the technical infrastructure used by ransomware actors;
  • Identifying and seizing the funds of institutions and individuals that sponsor or shelter ransomware crews, and applying sanctions that limit their investment opportunities abroad;
  • Applying diplomatic pressure to countries that give shelter to ransomware crews.

In every one of those proposals, a small number of interventions could inflict a lot of pain, whether we're talking about interfering with cryptocurrency laundering services, ransomware affiliates, C2s and supporting infrastructure or corrupt officials.

It's an opportune time to put these ideas forward.

A new US administration is finding its feet on cyber policy, and has asked a selection of prominent cyber security experts to appear before an anxious Congress on Wednesday to provide their views on the SVR/Holiday Bear espionage campaign.

The broader cyber policy community is also still on a high over the Emotet takedown, which demonstrated exciting possibilities for future multilateral action against cybercrime groups.

"Offensive capabilities can work against criminals and should be deployed when they can," tweeted Krebs' UK counterpart, former NCSC CEO Ciaran Martin.

Dmitri Alperovitch at Silverado Policy Accelerator says that while policymakers need to promote stronger defences, there isn't a policy solution that guarantees a consistent baseline of defensive capabilities across the huge number of ransomware targets in the US.

There are 100+ executive agencies in the US Federal Government and literally millions of businesses in America to protect, but a far smaller number of actors command most of the profits by attacking them.

"We will not be able to deter everything, but we may be able to increase the costs for adversaries or corral them into spaces where we have an intelligence advantage," Alperovitch said in a recent online debate.

"There is a lack of symmetric and sufficient defenses across the potential victim landscape," agreed CrowdStrike analyst Alex Orleans, writing in his personal blog. "The defensive challenges are so great, that one can’t help but look for a potential offensive alternative."

In other words: release the hounds.

SolarWinds still hunting for SVR's initial access

SolarWinds has narrowed down the list of potential mechanisms by which Russia's intelligence services (SVR) broke into its network, promising to publish a comprehensive post-incident report within a few weeks.

SolarWinds Chief Executive Sudhakar Ramakrishna told customers that the initial access was most likely attained through a compromise of user credentials or through a 0day in a third-party application.

A few executives in Redmond no doubt choked on their chia seed parfaits when WSJ's Bob McMillan reported in January that SolarWinds was investigating whether the attackers abused a Microsoft service for initial access to its network. But we now know the Holiday Bear attackers performed a dry run against the vendor's Orion Platform software build in October 2019. That dry run predates the compromise of SolarWinds' Microsoft 365 accounts in December 2019, so it's unlikely Microsoft's cloud services were the initial attack vector.

"In our investigations to date, data hosted in Microsoft services (including email) was sometimes a target in the incidents, but the attacker had gained privileged credentials [to SolarWinds] in some other way," Microsoft wrote in a February 4 blog post. "We have confirmed several additional compromise techniques leveraged by the actor, including password spraying, spearphishing, use of webshell, through a web server, and delegated credentials."

It's been an unhappy week for SolarWinds. Reuters reported that a flaw in its software was abused for lateral movement by suspected Chinese attackers during a separate 2020 raid on the payroll agency for the US Department of Agriculture. SolarWinds was at pains to point out that its software wasn't abused for initial access in this incident.

Days later, researchers at Trustwave discovered two 0days in the SolarWinds Orion User Device Tracker (patches are available) and another in its Serv-U FTP client (hotfixes are available), any of which an attacker could use for access to the underlying Windows host.

Lawsuit filed as more Accellion targets named

A Seattle law firm has filed a lawsuit against Accellion, arguing that it knowingly sold a product that failed to live up to its purpose when it licensed a "secure file transfer appliance" to the Washington State Auditor's Office (SAO).

The lawsuit seeks class-action status on behalf of the 1.4 million people whose personal information was stolen when the SAO's file transfer appliance was hacked last month. The SAO has used Accellion's product for 13 years and paid US$17,000 in maintenance fees during its last billing cycle.

Accellion announced this week [pdf] that it will end-of-life these FTA appliances on April 30, 2021, after which time it won't allow customers to renew licenses.

Washington State is one of 50 Accellion clients compromised in recent attacks, according to the lawsuit. Bloomberg journalists have identified Boston-based law firm Goodwin Procter as another US-based victim. Goodwin Procter hires around 1400 lawyers, representing firms in life sciences, financial services, private equity, technology companies and real estate. Its file transfer appliance was reportedly hacked on January 20, 2021.

We should also clarify something: last week this newsletter noted that cloud-based alternatives to FTA "cared enough about security" to offer bug bounties. It turns out Accellion's cloud-based alternative kiteworks does in fact offer bug bounties. That was our mistake, apologies.

Signal offers DIY guide to evading Iran's censors

Signal has published a how-to-guide for a simple HTTPS proxy, in a temporary effort to help users in Iran defeat a government-imposed block of Signal traffic.

The latest beta version of Signal's Android app will support connections through these proxies, which were designed to blend into the background of regular encrypted web traffic.

Signal recommended the activists setting up these proxy servers advertise their services discreetly (in DMs, private messages etc.) to make life harder for censors.

There are concerns, however, that while the proxies will provide a secure messaging service for Iranian users, the country's censors won't have to do much homework to identify and block them, or alternatively to identify the IP addresses of Iranians using the blocked service.

So in a sense, Iranians have to trade off their need for private messaging against the risk of being identified as somebody who wants to avoid censorship. It's the same difficult risk calculation they'd have to make to use alternatives such as Tor.

Sadly, most people aren't equipped to weigh these risks.

UAdmin phishing kingpin arrested

Ukraine's cyberpolice (Kiberpolicziya) have arrested a 39-year-old accused of authoring and selling the UAdmin phishing kit, which was used to steal tens of millions of dollars from online banking customers across the globe.

While the Kiberpolicziya didn't name the phishing kit, malware researchers speaking to Risky Biz identified UAdmin panels in footage of the raid. They also noted that administrators of the hacking forum where the kits were sold had disabled the account of its primary seller, kaktys, immediately after the raid.

UAdmin consists of a back-end administrator panel that interacts in near real-time with bank-branded phishing pages, enabling crooks to request second-factor codes from victims as they attempt to log in. Affiliates buy the UAdmin framework on a per-brand basis: a kit that targets Santander costs ~US$200, a kit that targets National Australia Bank would be another US$200, and so on.

The Kiberpolicziya said the raids in Ternopil, Western Ukraine, were conducted in partnership with law enforcement peers in Australia and the United States. UAdmin was used in "more than 50 percent of all phishing attacks" directed at Australians in 2019, according to their press release.

Unfortunately, taking out UAdmin's developer isn't the end of UAdmin. The source code for the PHP-based software has been widely distributed for several years. Risky Biz spoke to several malware analysts who had their own copy. Other malware authors have improved on UAdmin in recent years and published clone frameworks.

Footage of the raid provided yet more insight into the life of cybercrime: lots of Benjamins were counted out on the arrested man's bed, but he clearly wasn't spending it on the decor. One eagle-eyed commentator watching the video noted that his laptop was powered on with his cryptocurrency wallet app open. That's got to hurt.

0day? Where we're going we don't need 0day

Vice Motherboard and Citizen Lab have exposed a spyware operation that uses mobile device management profiles to (presumably) load malware onto targeted iOS devices.

The researchers and journalists joined forces to investigate phishing pages that encouraged targets to download WhatsApp for iOS from a non-official app store.

They discovered that if you click through to download the app, it takes the target through the process of downloading an MDM configuration file to the iPhone. The profile collects data about the device (its UDID and IMEI), which is returned to the attacker's server.

But Citizen Lab couldn't say -- and nor can we after a quick chat with them -- exactly how the attack would proceed from there. It's assumed that the attacker's MDM server would push malware onto a target's device, most probably in the form of a cloned version of WhatsApp, which would probably require a developer certificate obtained from Apple.

It's not unheard of for spyware tools to abuse legitimate security tools like MDM to get execution on a target's device, but we aren’t sure what controls Apple has in place these days to prevent MDM from being abused for that purpose.

In any case, the hacking involved is pretty arduous: you really need to have your social engineering game on to land the attack.

Vice Motherboard traced ownership of the phishing page to Cy4Gate, a private company in Italy that sells spyware to law enforcement agencies. If we are to believe Cy4Gate's marketing materials, the attackers are cops and their targets are run-of-the-mill criminals. If they're selling good old fashioned copware that's used under court supervision then more power to them. Let's just hope we don't find out the same stuff is being used against good people in shady places.

Fortinet catches up on networking bugs

Networking vendor Fortinet has patched critical bugs in its web application firewall (FortiWeb), and also finally got around to fixing flaws in its SSL VPN (FortiProxy) that were first identified in other Fortinet products back in 2018.

The bugs were disclosed by the team at Taiwan's Devcore (Cheng-Da Tsai and Meh Chang) and at Moscow's Positive Technologies (Andrey Medov). Between them, these two firms have disclosed an epic run of bugs in VPNs that were all widely exploited in 2020:

Separately, Cisco Systems also disclosed critical bugs in its small business VPN routers this week.

Check Point has eyes on Iran's espionage crews

Check Point's research team has published comprehensive reports on two Iranian espionage operations. There's some flex on show here: Check Point analysts tore down the Iranian malware, exposed in-flight campaigns and demonstrated knowledge of who was targeted and compromised to date.

A high-level summary: Charming Kitten (aka APT-C-50) has gone after ~1200 dissidents inside and outside of Iran. The second group (Infy) feels more like a higher order foreign intelligence operation: it targets diplomats and Persian-speaking media located abroad, invests more in OPSEC and has exhibited "ties to the Telecommunication Company of Iran."

Sorry, there's nothing cheerful this week, thanks to:

  1. Jerk #1: Some clown is selling a stolen database of donors to Oxfam, a charity whose mission is to relieve and eliminate poverty.
  2. Jerk #2: An unnamed ransomware gang published data stolen from two US hospitals, including patient contact details and their medical diagnoses.

May justice be served swiftly and a little more thoroughly than usual.

Ransomware affiliates enjoy open relationships

Ransomware affiliates (the actors that rent malware and associated infrastructure to attack targets) aren't especially loyal to one malware operation over another, according to data from blockchain analysis firm Chainalysis. They might be an Egregor affiliate one day, a Doppelpaymer affiliate the next.

French network security vendor hacked

French cybersecurity vendor Stormshield, an Airbus subsidiary, has disclosed that the portal it uses to provide tech support for its network security devices was compromised. Attackers made off with customer data and some of the source code for its appliances. Stormshield sells network security devices (think Blue Coat, Zscaler) to the French Government, among others. The company has reset customer passwords for its portal and refreshed the certificate used to sign software updates.

Myanmar goes dark

Internet users in Myanmar weren't able to connect to the Internet for 42 hours over the weekend, a few days after the country's military detained the country's politicians and ordered ISPs to block traffic to WhatsApp, Facebook and Twitter and to VPN services in an effort to quell protests.

China bans Clubhouse

China has blocked access to social network Clubhouse, which offered a "brief window into unfettered social media", according to the New York Times. I don't know what's more sad: Chinese censorship, or my reliance on Chinese censors to keep me up to date with the hot new social networks.

This week's cheat sheets

SolarWinds has published a video discussion about lessons learned from the Holiday Bear campaign. There’s a bit of waffle in it (it’s close to an hour long), but there is good value in hearing (independent advisor) Alex Stamos' advice on cloud identity (start at 14:40), hardening software development environments (starts at 21:42) and incident response (starts at 32:05).

Peyton Smith and Mitchell Moser at CrowdStrike have also written a great paper on seven common Active Directory misconfigurations that are abused in attacks.