Srsly Risky Biz: Tuesday, June 2

Court forces Capital One to hand over IR reports, Sandworm is tapping unpatched mail servers, Apple's second OAuth clanger...

Your weekly dose of Seriously Risky Business news is supported by the Cyber Program at the Hewlett Foundation.

Court forces Capital One to hand over IR reports

A US District Court has challenged the long-standing practice of using legal privilege to protect documents created during investigations into security incidents, by ruling that Capital One hand over a Mandiant IR report into its 2019 data breach.

Capital One argued that because its legal counsel commissioned the Mandiant report, the report's findings should be subject to legal privilege.

This week Risky.Biz spoke to legal experts about whether the Capital One case will set a new precedent, and what missteps organisations that want to use legal privilege need to avoid.

You can read our story here:

Russia's best are tapping your unpatched mail server

The NSA warns that Sandworm, one of Russia's most formidable offensive cyber operations, has been exploiting a known flaw in the Exim mail transfer agent (MTA) in attacks for at least 10 months. Sandworm - part of Russia's GRU intelligence unit - were fingered for NotPetya and crippling wiper attacks on Ukraine's power grid. You don't want these guys up in your business.

Exim is a common MTA that ships with many Unix-like operating systems. The CVE-2019-10149 flaw in Exim is discoverable via an internet scan and requires only a specially-crafted email to grant a remote attacker the ability to execute commands on a vulnerable server. Despite numerous warnings by national CERTs in the many months since its discovery, tens of thousands of publicly-observable systems remain exposed.

The NSA published indicators of compromise from the Sandworm activity in its advisory. Happy hunting.

Apple pays $100k for another OAuth clanger

Apple paid a US$100k bounty to a bug hunter that discovered an embarrassing flaw in the 'Sign in with Apple' service. The service allows users to authenticate to third party web services such as Dropbox, Spotify and others using their Apple ID.

Researcher Bhavuk Jain discovered that an attacker logged in using a legitimate Apple ID could request access to the third party app on behalf of any Apple ID (any Apple user).

It's the second OAuth implementation error from Apple in recent months. In January, an off-hand remark on Risky Business gave researcher Thijs Alkemade the idea to check how users could authenticate to multiple Apple services from a TouchID or FaceID challenge in the Safari browser. He discovered that the service failed to validate that the reply URL request was the same as the one requested by the app - it only validated that the reply URL was an Apple domain. Let the Apple captive portal games begin!

When reached for comment by Risky.Biz, Alkemade said both bugs "show a security-critical check missing in the server side code of Apple’s OAuth procedure leading to account takeover."

Apple is yet to offer Alkemade a bounty payment. We hope these events prompt Apple to take a deep dive on all its OAuth implementations.

Do ransomware crews have supply chain issues?

Ransomware actors that buy access to previously infected systems might be running out of fresh supplies.

Proofpoint reports that there still hasn't been an Emotet malspam campaign since February 9. That might help explain why some leak sites are pasting data from a larger number of smaller organisations that don't make for juicy headlines. Sources tell Risky.Biz access to systems via Emotet compromise has been a major funnel for ransomware crews. Are these crews now scraping the bottom of the barrel from a list of previously-compromised victims?

While we’re talking ransomware, Risky Business founder Patrick Gray had a firecracker of an interview with Lawfare founder Bobby Chesney which outlined what case would need to be made before the capabilities of certain three-letter agencies could be used against non-state ransomware actors. Spoiler: the case is already pretty solid.

Australia's agencies are sub-par on security, attacks against USG are down

Only 1 in 18 large Federal Government Agencies have fully implemented the ACSC's Essential Eight security controls, according to an Australian National Audit Office report. All but one agency failed to consistently apply application hardening and email filtering controls, and the majority haven't consistently implemented multi-factor authentication, timely patching or app whitelisting.

The scale of non-compliance across such large entities suggests that either the ANAO's scope is unrealistic or that agencies are incompetent. Maybe both.

Meanwhile, in America, a US Office of Management and Budget tally-up of security incidents at US Government agencies found that they actually fell in FY2019 compared to the year prior. There’s too much to cover in this newsletter, but you can grab the full report here [pdf]. We're unsure how much you should read into these numbers - security metrics can be pretty rubbery.

Trump threatens to turn Twitter into a publisher

US President Trump signed an executive order that asks regulators to review and recommend amendments to Section 230 of the Communications Decency Act - a law that provides civil liability protection for internet sites that moderate user-generated content on their platforms. Trump said the order was a retaliation against Twitter's labelling regime, which has twice been applied to Trump's account.

The implicit threat in the EO is that if a website “moderates” Trump, they will lose S.230 protections and be as liable as publishers are for defamation or hate speech. It's hard to know whether to take the threat seriously - while S.230 reform was already on the political agenda, the President's EO was clumsy and strikes us as an attempt to distract from 100,000+ COVID-19 deaths and nation-wide demonstrations against police perpetrated murder.

GitHub warns of software supply chain attack

GitHub has warned 26 software projects that their code contained malware after the popular Apache NetBeans software development environment was compromised in a supply chain attack. The malware - which was added to NetBeans’ own repository - searches for NetBeans projects on infected systems, then adds backdoors to projects as they are built.

As newly infected projects were pushed to GitHub, the cycle would begin again. GitHub has made IOCs available for broader threat hunting.

Picture your worst nightmare

Industrial firms in Germany, Japan, Italy and the UK are being targeted in fairly novel attacks that only execute on victim systems configured with specific localised language settings and evade detection using steganography (concealing strings within images), before settling into more conventional methods for credential dumping and lateral movement. Kaspersky did not attribute the attacks.

German utilities are on a bear hunt

Three German intelligence and civilian defence agencies warned operators of critical infrastructure about the ongoing espionage activity of Dragonfly 2.0 aka Berserk Bear - a Russian State-aligned group that has targeted power and water networks in Germany and the United States. The group's tradecraft is reasonably well understood - German news outlets described the alert as a plea for critical infrastructure owners to take the threat seriously.

A long weekend inside NTT

Attackers stole data on 621 clients of Japanese telecommunications giant NTT after gaining access via its Singapore-based network on May 7. The attack traversed servers in several countries and got as far as NTT's Active Directory server before it was discovered on May 11. NTT was previously the interest of Chinese state-sponsored attackers in the Cloud Hopper campaign, which ransacked service provider networks for close to four years. So four days to detection isn't the worst result.

Australia douses 5G conspiracy spot fires

Police in Victoria, Australia confirmed with Risky.Biz that the fire that engulfed a mobile phone tower in the Melbourne suburb of Cranbourne West is being treated as 'suspicious'. A (mercifully small) number of Australians believe 5G caused COVID-19, as demonstrated in several coordinated protests over the weekend. The Australian Government must have read last week's newsletter - they've started information campaigns to address the conspiracy theory.

Israel confirms attack on water utilities

Israel's cyber tsar publicly confirmed why the government asked all staff at water utilities to change passwords in April - it detected a coordinated attack designed to "damage" water treatment systems. In a speech, Israel’s National Cyber Directorate head Yigal Unna didn't deny reports that attacks on an Iranian port in the days afterward formed part of Israel's response. Unna predicted - with the sort of 'cyber pearl harbour' alarmism we've grown tired of - that "cyber winter is coming and coming faster than even I suspected.”

FIN7 hacker arrested

US authorities have arrested a Ukrainian man accused of being a malware operator for the FIN7/Carbanak cybercrime ring, after he was extradited from Thailand. Denys Iarmak is the fourth publicly-known arrest of a member of the gang. Stop going to Thailand guys. Seriously.


A short-lived jailbreak: Apple updated iOS to patch a single vulnerability - the one used in the unc0ver jailbreak released last week. That's a fast and pretty pointed response!

Cybercrime is boring: A University of Cambridge study confirms that working in cybercrime is boring drudgery that mostly involves tending to unstable systems and responding to unreasonable feature requests from customers.

That's not hacking: Brian Kemp accused political rivals in 2018 of hacking Georgia's voter registration system two days before he was narrowly voted into office as  governor. A subsequent investigation confirmed the 'attack' was actually an authorised vulnerability scan run under CISA's election security program.


...and while we are highlighting some boneheaded moves, how did you like my description of Mitsubishi as a Chinese company in last week's edition? [Sad trombone]. The Chinese were indeed, on the other end of that particular sequence of events. I also regret my choice of words on the UK's 'review' into Huawei. A ban hasn't been 'enacted' just yet - as we reported - even if it feels like a sure thing. This week's issue, by contrast, was prepared with great care at Rancho Risky Biz (Pat's house). So come at me, fact checkers!