Srsly Risky Biz: Tuesday, July 7

The network devices are revolting, Apple embraces WebAuthn, EARN IT amended

Your weekly dose of Seriously Risky Business news is supported by the Cyber Initiative at the Hewlett Foundation.

F5: The network security devices are revolting

A critical, trivially exploitable vulnerability in the management interface of F5’s Big-IP devices (CVE-2020-5902) is the latest in a string of nasty bugs in networking equipment critical to enterprise computing.

Like last year’s Citrix NetScaler and Pulse Secure vulnerabilities, this one is going to hurt.

As enterprise workstations have become harder targets -- thanks to system hardening in Windows 10 and improved detections and controls -- we’re seeing more targeting of devices at the edge of networks. Security and networking equipment code quality is typically awful, and big companies are starting to pay the price for all the technical debt they’ve accumulated.

F5 Big-IP devices sit in front of huge transactional systems, handling everything from SSL/TLS termination to load balancing tasks. If an attacker has command injection on these devices, they pretty much own everything that sits behind it.

Exploit code for the F5 bug is so petite, it fits in a tweet. Within two days of F5 Networks' July 2 disclosure, attackers were detected scanning for vulnerable systems and exploiting them to extract administrator passwords. By the early morning of July 6, the exploit was available to every script-kiddie on the planet as a Metasploit module.

Ideally, the management interface of such a critical piece of infrastructure should never be exposed to an untrusted network. But up until a 2018 update, the management interfaces of Big-IP boxes were exposed to the internet by default when they were configured to load balance DNS requests across a global cluster. Over the weekend, researchers found over 8000 unique hosts that exposed the F5 management interface to the Internet, of which over 3000 were known to be vulnerable to the exploit.

The F5 bug joins a long list of network security devices found vulnerable to attack in what is proving fertile ground for security research. Many infosec teams were still patching Palo Alto boxes and putting out fires from previously compromised Citrix and Pulse Secure boxes when news of the F5 bug hit them.

A recent Fox-IT report detailed the ongoing carnage against Citrix NetScaler/ADC customers, many of whom assumed they weren't vulnerable after patching their Citrix devices. Unfortunately for them, attackers had already compromised these network gateways, stolen credentials, locked out other attackers and in some cases set up some rudimentary backdoors. A patch can’t fix that.

If there's one thing to take away from the Citrix debacle, it is that defenders should pursue an 'assume compromise' strategy if the management interface of their F5 Big-IPs was exposed to the Internet and vulnerable to CVE-2020-5902. Beyond applying patches or workarounds, administrator credentials should be changed and logs checked. If you’re feeling particularly twitchy about the idea of your F5 going rogue, there’s always the nuclear option of rebuilding it.

Networking equipment has been a constant source of stress in 2020, and it’s a trend we expect to continue and possibly even accelerate. Two of the bugs that caused the most disruption (the Citrix NetScaler/ADF bug and the F5 remote command injection bug) were both credited to the same young Russian researcher, Mikhail Klyuchnikov of Positive Technologies. There’s blood in the water. He can taste it, and so will others.

Disclosing the bug so close to the Fourth of July weekend looks like an “up yours” from our Russian friends, but a spokesperson for F5 (and other F5 staff on Twitter) insist that the timing of the company's disclosure was determined by the availability of the fix and not by the researcher.

To us, disclosing such a serious bug on the eve of a US long weekend — just as Citrix did on Christmas Eve last year — isn't something you'd do to customers without being under some form of duress. It's worth noting that Cyber Command and CISA called for administrators to ditch their Independence Day BBQs to urgently apply the patch. Joe Slowik may be onto why they’re so worried.

We can’t wait to see what Mikhail’s gift to the world will be this Thanksgiving!

-- With additional reporting by Patrick Gray

Apple clears a path to passwordless auth

They might be last to the party, but Apple's embrace of FIDO2 (and by extension, WebAuthn) heralds the beginning of in-earnest adoption of the web authentication standard.

Users of Mac OS (11/Big Sur), iPads and iPhones (iOS14) will be able to enrol and log-in to websites in Safari using nothing but a fingerprint (Touch ID) or facial recognition scan (Face ID).

The announcement makes good on Apple's long-promised commitment to the FIDO2 framework. FIDO2 combines WebAuthn, a W3C-supported API specification for how browsers authenticate users to web apps using public key cryptography, and the CTAP (client-to-authenticator) protocol, a spec that handles communication with physical authenticators like security keys or secure enclaves.

Microsoft has supported FIDO2 for well over a year. Windows users can already log-in to sites like GitHub and DropBox using an external security key or Windows Hello facial recognition as an authenticator, thanks to browser support for WebAuthn in Chrome, Edge and Firefox on Windows. Android also supports WebAuthn, insofar as Android Fingerprint can be used to authenticate instead of entering a password to log-in to a site.

But there is a subtle difference in Apple's stated approach that promises a unique user experience: its support for hardware attestation. This is where hardware, such as a secure enclave or a roaming physical security key, is used to sign a WebAuthn credential. It's a way for users to cryptographically prove they are connecting from a specific device.

Apple's peers have been hesitant to recommend hardware attestation to developers. It is easy to botch and introduces new privacy risks to manage, as hardware attestation makes it possible for users to be uniquely identified.

Apple claims its next generation of devices will be able to anonymise hardware attestation. The hardware will reportedly return a unique certificate every time it is queried. The specifics of how it works are still under wraps. What it heralds is a future in which all the benefits of multi factor authentication (something you have, such as your device, and something you are, such as your biometric) can be collapsed into a single gesture: a touch or a scan.

When you then consider Apple's unique potential for sharing private keys between MacOS and iOS devices, a longer-term strategy starts to emerge.

Nick Steele, co-chair of the W3C WebAuthn Adoption Community Group predicts that enterprise users will experience the 'passwordless' phenomenon before most consumers. Account recovery of FIDO2 keys remains problematic in the consumer context. Users are often asked to enrol two authenticators in case they lose one.

"As an enterprise you can rely on an IT help desk to fall back on if a user loses their phone or some other authenticator," Steele told Risky.Biz. "That level of friction is acceptable in the enterprise, but it's difficult to manage on consumer apps."

Large organisations arguably have the most to gain from eliminating the threat of  credential phishing. Once users experience a genuine ‘passwordless’ authentication into web sites, there'll be no turning back.

EARN IT is not the E2EE killer you're looking for

A bipartisan group of US Senators have abandoned a plan to use Section 230 protections as a bargaining chip to convince social media and online messaging providers to more proactively crack down on child sexual abuse material.

Section 230 of the US Communications Decency Act offers legal protection to technology companies that moderate user-generated content on their platforms. It prevents the likes of Apple, Facebook, Google, Reddit or Twitter being subject to the same legal liabilities as publishers.

Senator Lindsay Graham originally led a bipartisan group of Senators that wanted tech companies to "earn" this protection in their interactions with law enforcement. Specifically, platforms would have lost S.230 protection if they didn't live up to standards set by a government-appointed panel. Without S.230 protection, tech companies would have to spend a great deal more on content moderation and to fend off spurious lawsuits.

The S.230 threat was scrapped under a last minute amendment [pdf] by Senator Graham shortly before it was sent to the Senate floor for debate, and replaced with an entirely new threat. Under the amended act, the panel of experts would put forward non-binding 'recommendations', and the Federal Government would punt responsibility for taking legal action over inaction to individual states.

If EARN IT passes into law, states would be granted the power to sue technology platforms that "advertise, promote, present, distribute, or solicit child sexual abuse material." The odd thing is that advertising, promoting, presenting, distributing or soliciting CSAM material is already a federal crime in the United States. Tech companies have to act on this material when it's detected and S.230 offers no protection when they don't.

Another late amendment, this time by Democrat Senator Patrick Leahy, qualifies that a technology company can't be sued for facilitating child sexual abuse material solely on the basis of the encryption mechanism used to protect the confidentiality of user communications. As Risky.Biz described last week, Senator Graham has put forward the Lawful Access to Encrypted Data Act to deal with that particular grievance.

Sanctions limit UK options on Huawei

The UK's National Cyber Security Centre has reportedly advised the UK Government that it can't provide assurance about the security implications of using Huawei kit.

The NCSC's advice was sought by the UK Government to help it decide whether to ban Huawei from UK networks.

Numerous UK media outlets report that the NCSC is taking a long-term view of the problem: even if the NCSC could assure parliamentarians that Huawei products can be trusted today, US sanctions against the company will make it hard to predict whether Huawei's kit can be trusted in the future.

Now that US sanctions prevent companies like Taiwan Semiconductor Company (TSMC) supplying critical components to Huawei, the Chinese vendor has to source domestic alternatives. Last month the NCSC advised UK telecoms operators to stockpile spare parts to guard against further disruption to Huawei's supply chain.

Adding to the pressure, the US Federal Communications Commission formally declared Huawei and ZTE as threats to US national security this week. The designation prohibits the use of federal funding by ISPs building out broadband networks if they choose to use networking equipment from the two Chinese companies.

Nuke fuel factory go boom

Speculation is rife about an unexplained explosion at Iran's underground Natanz uranium-enrichment facility this week.

While there's no public evidence that the fire was caused by a cyber attack, the incident fits neatly with a broader pattern of conflict between Israel and Iran in which the latter has historically found itself taking a lot more punishment.

Iran was recently blamed for an April 2020 attack that compromised Israel's water treatment systems. The attackers tried, but ultimately failed, to increase the levels of chlorine and other chemicals mixed into Israel's water supply, making it dangerous for human consumption. Israeli's offensive cyber security teams hit back with a disruptive attack on the systems used to manage an Iranian port.

In the Israeli playbook, Iran would need to sustain far more damage than disruption to a single port to be deterred from future hostilities. Further, retaliation for the water treatment plant attack does not need to be constrained to the same domain. Israel has no qualms about launching airstrikes in retaliation for cyber aggression - a mid-2019 strike against the Hamas' 'cyber operatives' is a case in point. How Natanz caught on fire isn't really the point. The Israelis just want to make sure the Iranians feel that burning sensation.

Iranian officials say they will "respond" accordingly if the fire was anything more than an accident.

Welcome to the United States, Hushpuppi

The US Department of Justice has confirmed Nigerian BEC kingpin Ramon 'Hushpuppi' Abbas has been extradited from the UAE to the United States.

A DOJ indictment pins him for running a muling (money laundering) operation connected to a US$1m BEC attack on a New York law firm, another muling operation that laundered US$14.7 million in stolen funds from an attack on a non-US financial institution and a big game attempt to steal US$124 million from an English Premier League soccer club.

The indictment references access to phones and accounts of co-conspirators, so this might only be the first chapter of his charge sheet. Based on the current indictment alone, he faces a maximum of 20 years in prison.

US Army to allow access to classified info from home

The US Army will allow 2000 high-priority staff to access classified information from their home devices using a virtual desktop solution. Risky.Biz was initially sceptical, but upon investigation, the story actually checks out. Around 500 users will get first access from their homes in mainland USA, before testing performance for users based further abroad. Close to 800,000 US Department of Defence personnel have been teleworking during the COVID-19 pandemic, but until now none of them have handled classified information.

Is there anything the Norks won't nick?

We're happy to award Lazarus Group, the North Korean gang that brazenly stole millions from banks, released ransom worms and breached cryptocurrency exchanges, with the inaugural Risky.Biz participation award. This award isn't about winning, it's about having a go. A few weeks ago we learned about Lazarus Group's dabble in Business Email Compromise to make a few extra bucks at the back end of an espionage campaign. Now they're reportedly having a crack at Magecart-style web skimming. This is the type of modern, agile APT-ing we like to see!

This Chinese defence contractor hunts Uyghurs

Researchers at Lookout discovered similarities between several malicious Android apps that target the Uyghur diaspora, and upon probing some "unsecured" C2 infrastructure (lol) determined the authors were from a specific Chinese defence contractor in Xi'an.

University of California paid $1.4m ransom - while the BBC watched

The University of California paid a US$1.4m ransom to a ransomware crew that infected the university network with NetWalker malware. BBC journalist Joe Tidy watched the negotiations unfold on the dark web and reported the whole episode. Yeesh.

Fake Android apps hoover up Facebook IDs

Google removed 25 malicious Android apps from the Google Play store that popped a Facebook-themed login screen in the phone's browser whenever it detected the user opening the legitimate Facebook app. The 25 apps were collectively downloaded 2.34 million times. It's unclear how many credentials were stolen.

Organised crime takes a serious hit

Joseph Cox at Vice Motherboard has written an entertaining follow-up to his original reporting on the shutdown of the Encrochat encrypted phone network, which has resulted in the arrest of literally hundreds of criminals. We'll be hearing from Joseph about the story on tomorrow's Risky Business podcast.

CISA, FBI publish advice on TOR traffic

The US Government released advice on how to detect TOR traffic - or in the case of more permissive networks - how best to detect when it is being abused.

Here’s your long read

Alexa O'Brien has published a densely-packed, 7500 word analysis of the United States' case against Julian Assange. It lays bare the DoJ's theory on Assange's alleged crimes and offers genuine insight into how the case has been constructed. If you're interested in all things Wikileaks, it's definitely worth your time. You're just going to need a lot of it!

Correction

Russian cybercrime researchers Group-IB wrote to Risky.Biz to ask that we address them as 'Singapore-based Group-IB", as the company moved its global headquarters from Moscow to Singapore in 2019. The company's majority owner and at least one director have become permanent residents of Singapore and registered the company as GROUP-IB GLOBAL PRIVATE LIMITED with Singapore's regulator. Pozdravlyayu, team!