Srsly Risky Biz: Tuesday, June 30

Decrypting America's new push for lawful interception, Backdoor found in China's mandatory tax software, Assange gets a longer, juicier charge sheet

Your weekly dose of Seriously Risky Business news is supported by the Cyber Initiative at the Hewlett Foundation.

Decrypting America's new push for lawful interception

Three US Senators have put forward a bill that apes the powers of the UK Investigatory Powers Act and Australia's Assistance and Access Act, while omitting many of the (albeit weak) safeguards that protect that power from being abused.

The Lawful Access to Encrypted Data Act of 2020, introduced by Republican Senators Lindsay Graham, Tom Cotton and Marsha Blackburn, compels device manufacturers and digital service providers to provide access to user data when served with a warrant. It’s the Nike approach: Just do it!

Arguing that an "individuals' right to privacy has never been absolute", the bill [pdf] would force US-based technology companies to re-architect applications and services so they can recover user data -- whether at rest or in real time -- on request.

The bill is framed by technology companies as an attack on E2EE (end-to-end encryption). In practice, the proposed law is agnostic to how tech companies deliver on law enforcement requests. Lawmakers don't seek to ban or degrade any form of encryption, they want the industry to find creative ways to circumvent it altogether. It will be up to each service provider to work out how: whether it be silent app updates for targeted users, access to decrypted backups, whatever it takes to provide the data sought under a warrant in an intelligible form.

Risky.Biz suspects it’s unlikely that a Democrat-controlled House would support the legislation in its current form. But if the November general election flips the House to the Republicans and they hold the Senate, a large number of US-based technology companies would be subject to the same sorts of lawful intercept demands faced by US telcos under the Communications Assistance for Law Enforcement Act (CALEA).

If passed, the law will have global ramifications. Law enforcement agencies in non-US jurisdictions will likely seek to make use of whatever interception capability was designed to accommodate requests in the United States. Lawmakers will also have to grapple with offshore service providers that refuse to cooperate with requests for data about US users. On that issue, US authorities might choose to simply step around offshore providers by imposing technical requirements on device and platform manufacturers. Can’t get Signal messages from Signal? Force Apple or Google to remotely extract them from a target device instead.

If that’s too difficult, US authorities may take a leaf out of China’s book. There, any application deemed a national security or law and order risk is just blocked altogether.

The proposed bill offers very few opportunities for service providers to appeal a notice for technical assistance. If a US law enforcement agency can prove that a technology provider's assistance is required for execution of the warrant and that new capabilities aren't required to render it, a court would have no power to deny an order to provide that assistance.

A company can challenge an order to create a new interception capability, but under very few conditions - they'd have to argue that the directive is unlawful or that it is technically impossible to provide the assistance.

Under Australia's AA Act, by contrast, the safeguards are more specific. A service provider can't be asked to introduce a 'systemic weakness'. That is, they can't be asked to weaken existing methods of authentication or encryption, to introduce or leave exposed a known vulnerability or otherwise to act in a way that makes it easier for unauthorised third parties to access the data. A service provider can refer a request for a new capability for review by a government-appointed panel (consisting of a technical expert and a retired judge) before the Attorney General makes a final determination.  The warrant must relate to a criminal offence for which the minimum penalty is at least three years in prison. None of these protections are offered under the bill being put forward in America.

Technology companies can't claim to be surprised by the bill. Senator Graham threatened Apple and Facebook execs at a Senate Judiciary Committee hearing in December 2019 that if they didn't "find a way" to solve the problem of lawful access to encrypted data by the end of 2020, lawmakers "will impose our will on you."

"You're going to find a way to do this, or we're going to do it for you... my advice to you is to get on with it," he said at the time.

This is the ‘big one’, folks. This bill is the worst-case, overkill scenario privacy advocates have worried about for years. Take it seriously.

And if you think there’s no way the Republicans can hang on to the White House and Senate and flip Congress when Biden has such a commanding lead in the polls, it might be time for you to take a walk down memory lane.

Backdoor found in China's mandatory tax software

At least two Western companies operating in China were infected with malware after being asked by their Chinese bank to download tax software required for compliance with local tax regulations.

Trustwave claims that when one of its clients set up a new office in China, its Chinese bank directed it to use a software package called 'Intelligent Tax', produced by the Golden Tax Department of Aisino Corporation.

A retrospective threat hunting mission discovered that several hours after this legitimate tax software was installed, the Aisino application silently called out to a new domain to download a backdoor (which Trustwave calls 'GoldenSpy') on the device. The backdoor offers remote attackers full command and control of the system, isn't deleted when the tax software is removed from a target system, and features several clever persistence mechanisms.

The Trustwave client in question is a UK technology company that serves US, UK and Australian defence agencies. Trustwave claims that another company - a large financial service provider - was infected by the same malware. It released indicators of compromise for the malware and continues to investigate whether the attack was targeted or part of a broader surveillance campaign.

Aisino Corporation and the Chinese company that signed the digital certificate for the malware did not respond to researchers or media inquiries.

Assange gets a longer, juicier charge sheet

The US Government has broadened its case against Wikileaks founder Julian Assange, filing a second superseding indictment that -- while not increasing the number of charges against him -- connects him to a broader pattern of illicit hacking activity than just the assistance he provided whistleblower Chelsea Manning.

Assange was originally indicted for computer crimes in April 2019 before a superseding indictment a month later accused him, more controversially, of crimes under the US Espionage Act.

The second superseding indictment released this week makes the case that Assange collaborated with and incited the LulzSec/AntiSec hacking collective, encouraged teenage hacker Sigurdur Thordarson to compromise the government systems in Iceland and assisted in the flight of Edward Snowden. The evidence for much of this activity comes from megasnitch Sabu, a LulzSec co-founder who helped authorities nail his fellow miscreants in exchange for a lighter sentence.

Most importantly -- for the crimes in question -- the superseding indictment alleges that Assange knew and accepted the consequences of publishing unredacted documents that exposed human sources in places like Iraq and Afghanistan.

It further reveals that prosecutors intend to use Assange's tendency for self-promotion to build a stronger case for conspiracy. The indictment cites numerous occasions in which Assange publicly claims to have exploited vulnerabilities in government systems and solicits others to break the law.

India bans Chinese apps

India has banned 59 Chinese-owned consumer apps, including TikTok and WeChat. Officials told the Wall Street Journal that the ban was enacted to counter the "stealing and unauthorised surreptitious transmission of users’ data to servers outside India."

The urgency with which authorities acted is telling. Tensions with China have worsened in recent months after military clashes on the border between the two countries.

India is TikTok's second largest and fastest growing market. While estimates vary, around one in three smartphones in India -- at least 100m devices -- have downloaded TikTok. This ban is going to hurt.

India is shaping as a reliable partner for the US campaign against Chinese companies. In February - just prior to a visit by US President Trump - India's telecommunications regulator was granted the power to ban the use of network equipment from suppliers based in countries that don't provide fair market access for Indian products.

Patch your Palo Alto boxes, pronto

Researchers at Australia's Monash University have discovered a critical authentication bypass in Palo Alto Network’s implementation of SAML in PAN-OS -- the operating system that runs most Palo Alto network security devices.

The bug is configuration dependent. It’s seriously risky business if admins have enabled SAML but haven’t enabled (checked the box for) ‘Validate Identity Provider Certificate’. If that’s you, the folks at US Cyber Command urge you to patch.

Risky.Biz notes that attackers were quick to exploit bugs in Citrix, Fortinet and Pulse Secure VPNs in December 2019 and January 2020, and we are still dealing with the fallout of those attacks in June. Many of the ransomware attacks and APT activity reported in recent weeks stem from exploitation of those devices earlier this year. Let's avoid having to talk about this bug in November 2020.

Karma police, extradite this man

Prosecutors from multiple countries are seeking to get their hands on a BEC fraud kingpin arrested in Dubai earlier this month.

Ramon 'Hushpuppi' Abbas and 11 other men were arrested in six simultaneous raids in Dubai. Dubai Police claim Abbas’ gang was responsible for US$430m of fraud from scamming over a million victims. The self-proclaimed real-estate mogul (lol) wasn't shy about flashing his eye-popping wealth on Instagram.

UAE authorities seized US$40m in assets during the raid (captured on video), including 13 cars worth US$6.8m. The big question now is who gets their hands on the gang. News reports from Abbas' native Nigeria claim that both Nigerian and US authorities are seeking extradition.

In related news, fellow Nigerian Obinwanne Okeke pleaded guilty to running a BEC scam that stole US$11m from Caterpillar subsidiary Unatrac during a four-year crime spree. Okeke ran a front company (Invictus Group) for his BEC schemes, gave motivational speeches and even made Forbes' Africa's 30 under 30 rich list. Forbes might need to do some vetting.

Patch remote workforce systems with Automox

Managing and securing your remote computers during the COVID-19 crisis is the challenge de jour. Endpoint management is still harder than it should be, particularly when it comes to patching.

Risky.Biz associate Dmitri Alperovitch ("Associate" = he's in our Slack) recently joined the board of endpoint management company Automox and suggested they'd make for a good newsletter sponsor.

Automox makes a cross-platform, cloud-managed endpoint management agent that's capable of performing numerous management tasks for multi-OS endpoints, regardless of their location. But its patch management capability is what's most appealing to buyers right now. Automox claims its platform can deliver critical patches within a single day across remote Windows, macOS, and Linux endpoints, as well as patching applications further up the stack.

With a substantial chunk of your workforce now working from home, this is the sort of software people are investing in right now. So, add Automox to the eval list.

Automox has published a guide [pdf] to securing a remote workforce that includes some survey data that's worthy of your presentations to the higher-ups. But if you want to cut right to the chase, click through to the pricing page to see a feature list and the pricing tiers and read up on their free trial.

RDP-trick pony Fxmsp gets doxed

Russian researchers have doxed a prolific hacker responsible for popping over 135 companies and selling access to the compromised networks to other attackers.

Using the handle Fxmsp, the actor spent several years scanning for devices that expose Remote Desktop Protocol, brute forcing access using lists of common passwords, before pivoting to domain controllers to create memory dumps of user credentials for later decryption.

The actor started out compromising corporate networks for crypto-mining, but expanded into selling access to hacked systems to drive higher earnings - yielding about US$1.5 million. Fxmsp hasn't advertised any stolen access credentials since claiming to have hacked three antivirus companies in May 2019. Researchers at  Group-IB used patterns in forum and domain registrations to finger a man from Almaty, the largest city in Kazakhstan.

Evil Corp is now into human-operated ransomware

Evil Corp, the Russian gang responsible for the Dridex trojan and Locky ransomware, has shrugged off US indictments and sanctions and made a big splash in the human-operated ransomware business. The group's new malware, which Fox-IT and Symantec analysts call WastedLocker, has been used in highly targeted, deep penetrations into large US companies since May 2020. Attackers accessed and deleted backups, encrypted production databases and made multi-million dollar ransom demands. Threat hunters can check out IoCs released by Symantec and Fox-IT.

ASD gets funding boost

The Australian Government plans to divert AU$1.35 billion of its Defence budget into cyber security over the next ten years, with AU$470m to be spent hiring 500 new ASD operatives. The government has been drip-feeding spending promises in advance of a revised 2020 cyber security strategy. The new funding package is called CESAR (short for 'cyber enhanced situational awareness and response'). So now there's Caesar (ciphers), CISA and CESAR. Pity the podcaster trying to distinguish them.

Three reasons to actually be cheerful this week:

  1. Russian ringleader gets nine years: Alexi Burkov, an admin of several key Russian cybercrime forums arrested in Israel in 2015, was sentenced to nine years in a US prison. This is the guy that ran 150,000 stolen credit cards through CardPlanet and set up the invite-only DirectConnection cybercrime forum.
  2. Guilty plea for Russian carder: Fellow Russian carder Sergey Medvedev pled guilty in a US court after being extradited from Thailand. Prosecutors say his activities tallied up to US$568m in losses.
  3. Herder in the clink: A US man charged with creating and selling access to multiple botnets from IoT devices was sentenced to 13-months in prison.

US designates Huawei, Hikvision as under the control of the PRC

The US Government officially designated telecommunications equipment supplier Huawei and video surveillance company Hikvision among a list of 20 entities owned or controlled by the Chinese military. The designation supports a US campaign to convince allies to reduce their technical and supply-chain dependency on Chinese firms.

Card schemes brace for skimming attacks

From tomorrow, Adobe will no longer produce security updates for web sites using version 1.x of Magento e-commerce software. Catalin Cimpanu at ZDNet reports that Visa and Mastercard are begging the 110,000 merchants still running the software to upgrade, particularly in light of ongoing web skimming attacks.

Bipartisan push for White House cyber director

Six US lawmakers from both sides of the aisle have put forward a bill to create a Senate-confirmed National Cyber Director in the White House. The idea got a lukewarm reception from the Armed Services Committee and hasn't caught on in the White House itself -- but then again, there's been a rotating cast of characters to pitch to lately.

Browsers win war over certificate lifespans

Apple, Google and Mozilla will require digital certificates to be refreshed every 398 days to help weed out rogue certificates faster. Certificate Authorities aren't pleased, but as ZDNet’s Cimpanu (again) reports, they are powerless to stop it.

Twitter blocks DDoSecrets account

Moderators blocked the Twitter account for activist group DDoSecrets, on the basis that its BlueLeaks campaign links exclusively to materials stolen from US law enforcement agencies. It's surprising only because of the many similar accounts that have never been blocked.