Srsly Risky Biz: Tuesday, July 21

A long leash for CIA cyber ops, Emotet returns, Twitter hacks and the enterprise apps are revolting too...

Your weekly dose of Seriously Risky Business news is supported by the Cyber Initiative at the Hewlett Foundation.

The enterprise apps are revolting too

If it's any consolation, the most capable infosec teams in the world are having just as much trouble dealing with the current onslaught of high severity vulnerabilities as you are.

It's exceedingly rare for severe vulnerabilities in so many critical enterprise systems to be made public and actively exploited in such a compressed period of time.

As we discussed in our last newsletter ('the network devices are revolting'), attackers are getting easier wins by exploiting devices on the network edge than by going through the user's web browser. Five new remotely exploitable bugs have now been reported in Cisco VPNs and routers (each rated CVSS 9.8), giving Cisco admins a taste of what Citrix, Palo Alto, F5 and Pulse Secure admins lived through in recent weeks.

July's Patch Tuesday was demoralising. Oracle, disclosing 284 flaws, won first prize for the sheer volume of critical and high severity bugs in its software. But the two vulnerabilities creating the most anxiety belonged to SAP and Microsoft.

A remotely exploitable bug in a common component of SAP NetWeaver (CVE-2020-6287) captured adversary interest so quickly that CISA warned organisations that didn't patch or implement a workaround within 24 hours to assume they were compromised.

There's also a remotely exploitable and potentially wormable flaw in the Windows DNS Server service (CVE-2020-1350) that affects every version of Windows Server from 2003 through 2019 running the DNS Server role. Because that service typically runs as SYSTEM on a domain controller, exploiting it hands an attacker domain admin rights, and from there it's pretty much game over. In response, CISA issued one of its rare emergency directives ordering US government agencies to patch now. That's a card they try not to play often.
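For admins who can't patch the DNS flaw above today, Microsoft published a registry workaround (KB4569509) that caps the size of TCP DNS responses the service will accept. The script below is an added example, not code from the newsletter or from Microsoft; the registry path, value name and 0xFF00 value are Microsoft's, while the function names are mine. Run it elevated on the DNS server itself.

```powershell
# Added example: check for, and optionally apply, Microsoft's published registry
# workaround for CVE-2020-1350 on a Windows DNS server (KB4569509).
# Patching remains the real fix; Microsoft said the value can be removed once the
# July 2020 update is installed.

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$SafeSize  = 0xFF00   # 65280 bytes: TCP DNS responses larger than this are dropped

function Test-SigRedWorkaround {
    # Returns $true when the DNS Server role is present and the cap is already in place.
    if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
        Write-Warning 'DNS Server service not found; CVE-2020-1350 does not apply to this host.'
        return $false
    }
    $current = (Get-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $current) {
        Write-Host "$ValueName is not set: an unpatched server accepts oversized TCP responses."
        return $false
    }
    Write-Host ("{0} = 0x{1:X} ({1} bytes)" -f $ValueName, $current)
    return ($current -le $SafeSize)
}

function Enable-SigRedWorkaround {
    # Writes the DWORD and restarts the DNS Server service so it takes effect.
    # Side effect Microsoft documented: legitimate TCP responses over 65,280 bytes will fail.
    New-ItemProperty -Path $DnsParams -Name $ValueName -PropertyType DWord -Value $SafeSize -Force | Out-Null
    Restart-Service -Name DNS
    return (Test-SigRedWorkaround)
}

# Report only; call Enable-SigRedWorkaround deliberately once you have read the caveat above.
if (Test-SigRedWorkaround) {
    Write-Host 'Workaround present.'
} else {
    Write-Host 'Workaround absent. Patch, or run Enable-SigRedWorkaround.'
}
```

The check is deliberately separate from the change so it can be dropped into a fleet-wide inventory run (Invoke-Command over your DNS servers) before anyone restarts a production resolver.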

So within 15 days, at least half a dozen crucial enterprise systems were known to have critical, remotely exploitable vulnerabilities with CVSS scores of 9.8 or higher. In an environment in which ransomware gangs are cashed up to purchase access to previously compromised networks, the impact of any one of these bugs is off the charts.

Seasoned infosec practitioners exercise careful judgement about which of the hundreds of bugs impacting their organisation they should raise their voices about. This month they've been SHOUTING IN ALL CAPS every other day. Nobody could be expected to prioritise resources effectively under the circumstances.

Adding to the frustration, there's been a gradual trend toward vendors releasing less relevant technical detail about vulnerabilities in advisories. The worst offenders hide this information behind customer support contracts. This makes it harder for the broader infosec community to analyse patches and mitigations and to spot the ones that aren't effective.

While we aren't calling F5 out for this practice, it's worth noting that the initial set of workarounds suggested for the F5 Big-IP bugs earlier this month were bypassed within a day, before a second workaround was offered, retracted and re-published over the next 48 hours. That's a pretty good illustration of why publishing detailed information about a bug is important. The larger the community testing the efficacy of a patch or a workaround, the sooner IT teams will be comfortable with patching faster. Right now there is a trust deficit.

The CIA can YOLO their way into covert cyber ops

The CIA has a green light to engage in broad-ranging covert cyber operations against targets in China, Iran, North Korea and Russia without civilian oversight from the National Security Council, according to a report in Yahoo News.

The 'secret intelligence finding', reportedly issued by President Trump in 2018, isn't entirely out of step with his administration's approach to devolving authority for cyber operations. He previously removed an Obama-era requirement for White House authorisation of covert cyber operations and authorised Cyber Command to "conduct time-sensitive military operations in cyberspace" (NSPM-13). Congress supported these changes in the 2019 NDAA, authorising Cyber Command to go for broke against the four adversaries in question if they are engaged in an "active, systematic, and ongoing campaign of attacks against the Government or people of the United States in cyberspace."

So why the hand-wringing now? Mostly because this is the CIA, not Cyber Command. And rather than authorising the CIA to engage in activities against a specific outcome, the 'secret' order reportedly green lights a broad set of activities against these countries, including offensive cyber operations that produce real-world 'effects'. The CIA could, for example, set up 'hack and dump' operations or attack critical infrastructure without needing a nod of approval from the White House.

There is a risk that these activities will erode America's moral authority. The United States can't criticise regimes that depart from normative rules of behaviour in cyberspace if the CIA is authorised to break them.

The report strongly implies, but doesn't confirm, that the CIA may have used these authorities in the March 2019 doxing of Iranian intel officers on Telegram and in hacks that exposed the work of FSB contractors in 2019 and 2020. To borrow a line from Australia's PM, the list of parties motivated, capable and authorised to conduct operations like these is pretty small. But it might just as well be Israel, or a competing Russian intel service for that matter; we just don't know. Maybe Trump will just blurt it out in a media interview some day.

If these operations were the work of the CIA, neither would represent an escalation. Doxing adversary intel analysts has been a feature of espionage since at least the 60s, and the US is barely through dealing with the fallout from the Shadow Brokers.

The most surprising thing about these authorities is that we haven't (yet) read anything about the CIA abusing them. Bad things can happen when Langley gets let off the leash.

Emotet crew return from summer holidays

After a five-month hiatus, the Emotet botnet fired up this week, spewing tens of thousands of malware-laced spam into inboxes across the globe.

Malware analysts tend to keep a watchful eye on Emotet: at its peak the Emotet botnet consisted of ~18,000 infected devices and sent up to 600,000 emails per day. Emotet infections are often the beachhead for banking malware, ransomware and other nastiness.

On Friday alone, the Emotet botnet sent around 250,000 malicious emails, according to Proofpoint. Some of the resulting Emotet infections are being used as a first stage for downloading TrickBot to infected machines.

This is the first Emotet campaign malware analysts have seen since COVID-19 hit the United States and UK in a big way. A lot of this malspam will probably be opened by people working from home, making post-infection support a bit of a challenge.

Twitter insiders duped in high-profile account takeovers

Twitter is reviewing its internal security controls after miscreants "manipulated" several employees into providing access to internal systems.

The attackers modified administrative settings for 130 Twitter accounts and successfully took over 45 of them by forcing password resets and turning off multi-factor authentication. Compromised accounts, including those of Joe Biden, Elon Musk and Barack Obama, were used to post a cryptocurrency scam that earned around US$120,000 within a couple of hours. The attackers also downloaded the entire Twitter history, including direct messages, for eight of the compromised accounts, and accessed the direct messages of 36 users, including an elected official in the Netherlands. The full extent of the breach remains unclear -- Twitter hadn't concluded its forensic investigation when we pressed send on this newsletter.

It's rare for a security incident to play out in real time in front of the public. Journalists were writing and re-writing the story as events unfolded. Joseph Cox at Vice Media had the inside running after speaking directly with two attackers involved in the scam, before Brian Krebs weighed in with a great deal more evidence and -- in typical Krebs fashion -- doxed one of the alleged perpetrators. The most definitive account of the hack was later published by Nathaniel Popper and Kate Conger at the New York Times.

At any given point in the unfolding drama, the official response from Twitter was never more than a few hours behind the leading journalists. All things considered, that's a pretty decent response.

UK issues half-hearted Huawei ban

The UK Government has banned Huawei equipment from its 5G networks.

UK telcos will no longer be allowed to purchase 5G telecommunications equipment from Huawei from December 2020, and have until 2027 to remove existing Huawei components from their networks.

This new policy is another political compromise. The 'ban' delivers the United States a symbolic victory in its campaign to convince smaller countries, especially those in the Indo-Pacific, to resist the offer of highly-subsidised network equipment from Chinese suppliers. UK telcos can sweat the 20,000+ Huawei base stations they've already acquired for seven years, which is close to the shelf life for many of those assets anyway. Six months provides enough time for telcos to stock up on spare parts, and Huawei has ample time to lobby for the policy to be reversed.

What the policy doesn't do, however, is address the (real or perceived) threats Huawei poses. The UK National Cyber Security Centre openly states that the only material change to the threat posed by Huawei since its last review was the impact of US sanctions.

Backdoors are the price of entry to Chinese markets

A large number of foreign-owned organisations operating in China were infected with malware that was secretly bundled with government-mandated invoicing software.

The Chinese Government requires organisations paying VAT (value-added tax) for domestic sales in China to use one of two legitimate invoicing apps: Aisino Corporation's 'Intelligent Tax Software' or Baiwang's 'Golden Tax Invoicing Software'.

In late June, Risky Biz reported on the discovery of a backdoor covertly downloaded by Aisino's package, which Trustwave researchers dubbed GoldenSpy. In the weeks since, researchers discovered that users of Baiwang's Golden Tax were also infected with a separate backdoor (which Trustwave calls 'GoldenHelper') that was active between January 2018 and July 2019. It looks to have been abandoned at about the time a larger number of AV programs started detecting it as malicious. Curiously, GoldenHelper was digitally signed by a subsidiary of Aisino Corporation.

Organisations from multiple industries have detected suspicious activity based on the indicators Trustwave released in late June. On June 28, the malware was detected retrieving a new file, which attempted to uninstall and remove all evidence of the malware's existence.

The story keeps snowballing. The evidence suggests this was a well-planned and resourced operation over at least four years.

Russia blamed for COVID-19 espionage, UK election interference

UK, Canadian and US intelligence agencies have called out a Russian APT crew for attacks on medical research organisations working on COVID-19 cures.

A UK National Cyber Security Centre advisory [pdf] claims Cozy Bear (aka APT29/The Dukes), a group typically tasked with matters critical to Russia's national security, exploited vulnerabilities in the internet-facing infrastructure of multiple vaccine research bodies in the UK and North America throughout 2020 to spy on their progress.

Russian interest in COVID-19 vaccine data shouldn't surprise, but calling out Russia in isolation when so many other countries are engaging in the same activity is intriguing. It could be that the COVID-19 issue provided agencies a safe opportunity to signal to Russia that its recent adventurism -- on several fronts -- is testing their patience.

The UK Secretary of State disclosed to Parliament this week that Russian actors "sought to interfere in the 2019 General Election through the online amplification of illicitly acquired and leaked Government documents", namely leaked files on the UK-US Free Trade Agreement.

Even BEC scammers are OAuth phishing

Microsoft has convinced a US court to let it seize the domains of a cybercrime gang that used OAuth phishing to target executives in business email compromise scams.

The miscreants set up fake Azure apps and domains that abused Microsoft's 'Office' trademark (one of the offending apps was called '0365 Access'; domains included 'officeinventorys[.]com', 'officesuitesoft[.]com', 'officesuited[.]com' and 'officemtr[.]com'). The attackers then sent phishing emails to victims in an effort to convince them to grant the app access to their O365 accounts, before abusing this access to concoct fraudulent requests for payment.

The domains were registered [pdf] between November 2019 and March 2020. The earliest of them was used in a BEC campaign analysed by PhishLabs in December 2019. Microsoft claims to have blocked the app used in those early attacks.

Microsoft VP Tom Burt said that the company only sought court approval to remove the domains six months after the first campaign because of fears the gang was finding ways to circumvent its controls.

"Microsoft takes many measures to monitor and block malicious web apps based on telemetry indicating atypical behaviour... In cases where criminals suddenly and massively scale their activity and move quickly to adapt their techniques to evade Microsoft’s built-in defensive mechanisms, additional measures such as the legal action filed in this case are necessary."

What his post doesn't say is that Microsoft's legal and infosec teams are stepping in to address problems that could more easily be addressed in the Office 365 product. Seriously Risky Business has previously argued that Microsoft has several options at its disposal to protect customers from these attacks, but only if it's willing to forego revenue.

Microsoft could change the default settings for O365 to remove the ability of users to consent to integrate Azure apps. Microsoft could offer administrators a simple means of blocking or allowing apps in the base O365 product. Microsoft could bundle the relevant CASB smarts accessible by E5 license holders to all O365 users. Microsoft could take an 'app store' approach to content moderation by investing more in detection and blocking of malicious apps, in addition to retrospective hunts. (It claims to do this already, but the need to take legal action is sufficient evidence that it needs to do more). But all of these options cost Microsoft something and none of them result in the same spectacle as a takedown.
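Two of the options above are things an O365 tenant admin can already do without waiting for Microsoft: a retrospective hunt for OAuth grants that individual users consented to, and flipping the tenant switch that stops users consenting at all. The script below is an added example, not Microsoft's code or the newsletter's. It uses the AzureAD and MSOnline PowerShell modules as they existed in 2020 (Install-Module AzureAD, MSOnline) and assumes you have already run Connect-AzureAD and Connect-MsolService as an admin. The "risky scope" list and the lookalike-name pattern are my own choices, not a Microsoft list.

```powershell
# Added example: hunt user-consented OAuth grants in an Azure AD tenant, then disable
# user consent. Requires the AzureAD and MSOnline modules and an admin session:
#   Connect-AzureAD; Connect-MsolService

# Assumption: scopes that let a BEC actor read or send mail or keep a long-lived refresh token.
$RiskyScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
                 'Files.ReadWrite.All', 'Contacts.Read', 'offline_access')

function Get-UserConsentedGrants {
    # Grants with ConsentType 'Principal' were approved by one user for themselves; tenant-wide
    # admin grants are 'AllPrincipals' and are reviewed separately.
    $sps = @{}
    Get-AzureADServicePrincipal -All $true | ForEach-Object { $sps[$_.ObjectId] = $_ }

    Get-AzureADOAuth2PermissionGrant -All $true |
        Where-Object { $_.ConsentType -eq 'Principal' } |
        ForEach-Object {
            $grant  = $_
            $sp     = $sps[$grant.ClientId]              # ClientId is the consenting app's service principal
            $scopes = @($grant.Scope -split ' ' | Where-Object { $_ })
            $hits   = @($scopes | Where-Object { $RiskyScopes -contains $_ })
            # Assumption: display names trading on "Office"/"O365", like '0365 Access' in Microsoft's filing.
            $lookalike = $sp.DisplayName -match '\b0?365\b|office'
            if ($hits.Count -gt 0 -or $lookalike) {
                [pscustomobject]@{
                    App        = $sp.DisplayName
                    AppId      = $sp.AppId
                    Publisher  = $sp.PublisherName        # blank or unverified publisher is itself a signal
                    User       = (Get-AzureADUser -ObjectId $grant.PrincipalId).UserPrincipalName
                    RiskyScope = ($hits -join ' ')
                    Lookalike  = [bool]$lookalike
                    GrantId    = $grant.ObjectId          # pass to Remove-AzureADOAuth2PermissionGrant -ObjectId
                }
            }
        }
}

function Disable-UserAppConsent {
    # Tenant-wide switch: users can no longer consent to apps themselves, so a phished
    # click lands in the admin consent workflow instead of granting mailbox access.
    Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false
    return (Get-MsolCompanyInformation).UsersPermissionToUserConsentToAppEnabled   # expect False
}

Get-UserConsentedGrants | Format-Table -AutoSize
```

Review the table before revoking anything; a user who consented to a legitimate mail client will show up alongside the malicious ones. The AzureAD and MSOnline modules have since been retired by Microsoft in favour of the Microsoft Graph PowerShell SDK, where the same grants are exposed via Get-MgOauth2PermissionGrant, but the hunt logic is the same.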

DoJ had Fxmsp in its sights before Group-IB report

US prosecutors have unsealed a December 2018 indictment against Kazakhstan national Andrey Turchin, the central protagonist behind the Fxmsp hacking operation doxed in a Group-IB report a week ago. Intel471, which assisted US authorities in tracking Fxmsp activity, accused Group-IB of complicating law enforcement efforts by releasing its report prematurely. Sources told Lawrence Abrams at Bleeping Computer that Turchin may already have been picked up by law enforcement in Kazakhstan. A US investigation into his accomplices is ongoing.

The Russians are moving in on BEC

A Russian cybercrime gang appears to be moving in on Nigeria's favourite mode of cybercrime. A group of Russian origin, dubbed 'Cosmic Lynx' by Agari, has been pushing out some well-crafted Business Email Compromise campaigns. Attackers have posed as a third-party law firm in highly contextual lures sent in English and French, requesting large payments. The attacks have targeted firms with lax DMARC policies. It's worth noting that the group shares some infrastructure with Emotet and Trickbot campaigns. IoCs are here [pdf].
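"Lax DMARC" in practice usually means p=none (failing mail is delivered and merely reported), a pct= value below 100, or no record at all. The script below is an added example, not from Agari or the newsletter; it classifies a DMARC record along those lines. The verdict wording and thresholds are mine, the tag defaults follow RFC 7489, and the live lookup uses the built-in Resolve-DnsName cmdlet. The sample records at the bottom are constructed, not any real domain's.

```powershell
# Added example: classify a domain's DMARC policy from its _dmarc TXT record.

function ConvertFrom-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    # A DMARC record is 'tag=value' pairs separated by semicolons, e.g. "v=DMARC1; p=none; rua=mailto:..."
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair -match '^\s*([a-z]+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1].ToLower()] = $Matches[2] }
    }
    return $tags
}

function Test-DmarcPolicy {
    param([string]$Record)   # $null or '' means no record was published
    if ([string]::IsNullOrWhiteSpace($Record) -or $Record -notmatch '^\s*v=DMARC1') {
        return [pscustomobject]@{ Policy = '(no record)'; Pct = 0; Verdict = 'LAX: spoofed mail is neither blocked nor reported' }
    }
    $t   = ConvertFrom-DmarcRecord $Record
    $p   = if ($t['p']) { $t['p'].ToLower() } else { 'none' }
    $pct = if ($t['pct']) { [int]$t['pct'] } else { 100 }   # RFC 7489 default when pct is absent
    $verdict = switch ($p) {
        'reject'     { if ($pct -lt 100) { "PARTIAL: reject applied to only $pct% of failing mail" } else { 'OK: failing mail is rejected' } }
        'quarantine' { if ($pct -lt 100) { "PARTIAL: quarantine applied to only $pct% of failing mail" } else { 'WEAK: failing mail is quarantined, not rejected' } }
        default      { 'LAX: p=none means spoofed mail is delivered and only reported' }
    }
    return [pscustomobject]@{ Policy = $p; Pct = $pct; Verdict = $verdict }
}

function Get-DmarcPolicy {
    param([Parameter(Mandatory)][string]$Domain)
    # Live lookup. TXT data comes back as a string array that Resolve-DnsName exposes as .Strings;
    # long records are split across strings and must be joined before parsing.
    $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { ($_.Strings -join '') -match '^v=DMARC1' } |
           Select-Object -First 1
    return (Test-DmarcPolicy -Record ($txt.Strings -join ''))
}

# Constructed sample records to exercise the classifier offline.
@(
    'v=DMARC1; p=none; rua=mailto:dmarc@example.org',
    'v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.org',
    'v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s',
    ''
) | ForEach-Object { Test-DmarcPolicy -Record $_ } | Format-Table -AutoSize
```

Run Get-DmarcPolicy against your own sending domains first; p=none with a rua= address is the common "we turned it on but never finished" state that leaves a firm open to exactly the spoofed law-firm lures described above.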

Bring your own ATM

ATM vendor Diebold Nixdorf has warned banks that crims in Europe have copied the firmware used in one of its popular models of ATM for use in jackpotting attacks. During recent attacks, the ATM casing was removed to access the cash dispenser. The attacker then connected their own device running the stolen firmware to the cash dispenser via USB, sending it instructions to spit out the money. Catalin Cimpanu at ZDNet linked the new technique to the sudden removal of 143 ATMs in Belgium.

Four reasons to actually be cheerful this week:

  1. Is-this-Rotten-Or-Not: Malware reverse engineers Willi Ballenthin and Moritz Raabe have released capa, an open source tool that helps analysts quickly identify and extract 'features' from a binary that indicate malicious intent. The tool has been released under an open source license to crowdsource new rules for identifying malicious features. Kudos to Mandiant/FireEye for supporting their effort.
  2. So that's a plus: Office 365 will soon support detailed addressing (subaddress extensions like firstname+riskybiz@example.org), some 12 years after Google introduced it to Gmail. It's a handy way to see which organisations are handing your contact details off to third parties.
  3. Nikulin guilty: Russian national Yevgeniy Nikulin was found guilty by a US court over his role in data breaches at LinkedIn, Dropbox and Formspring.
  4. Mule handler in the clink: A mule recruiter for an identity fraud scam that stole funds from US military veterans has been sentenced to 48 months prison. His conspirators are going through the courts or awaiting extradition from the Philippines.

More telcos held to ransom

Ransomware gangs ransacked several ISPs over the weekend. The REvil/Sodinokibi gang is reportedly seeking US$7.5m from Telecom Argentina, the country's largest ISP, after infecting 18,000 devices. A smaller ransomware attack against French telecom Orange resulted in the theft of data from ~20 Orange Business Solutions clients.

TikTok bans are all the rage

The US Government is following India's lead and mulling a very Un-American ban on one of the world's most popular social apps, TikTok. Wells Fargo got ahead of the trend and advised staff to uninstall it from corporate devices. Amazon issued the same request, before retracting the advisory a few hours later.

EU-US Privacy Shield struck down

The EU-US Privacy Shield, an arrangement that allows for American firms to transfer data about European users to the US on the condition that the data is protected according to European standards, was struck down by the European Court of Justice. The court was persuaded that the US prioritises national security and law enforcement over an individual's right to privacy.

Maryland grapples with US$500m welfare fraud scheme

Maryland is the latest US state to uncover a coordinated campaign of fraudulent requests for unemployment payments that use data stolen from previous data breaches. Over 47,000 fraudulent requests for benefit payment have been intercepted in Maryland alone, which would have earned attackers US$500m. State authorities claim the majority of the applications were unsuccessful.

Things keep blowing up in Iran

Power plants, petrochemical plants, a missile facility, a nuclear enrichment facility, a port and a half-dozen other facilities have mysteriously exploded in Iran since late June. We're still unsure if this is the usual state of things in Iran or acts of sabotage.

Spain outed as NSO Group customer

A former NSO Group staffer told Vice Motherboard that Spanish authorities used NSO Pegasus malware to hack the cellphone of the President of the Catalonian Parliament. So NSO tools aren't only for dictators and tyrants, after all? (Catalans might disagree on this).

VPN provider, your pants are on fire

Seven VPN providers that claim they don't log user traffic have been telling porkies. The 1.2 terabytes of user logs left exposed to the public internet in an ElasticSearch cluster kind of gave it away.

Some housekeeping

The Risky Business podcast returns July 29. In the meantime, we recommend a listen to our Soap Box interview with Facebook engineers or a read of Daniel Gordon's guest column on Winnti. Is Winnti a group? Is Winnti malware? What even is Winnti?

Update, July 23, 2020:

Twitter has acknowledged that attackers also accessed the direct messages of 36 users, including an elected official in the Netherlands.