Srsly Risky Biz: Tuesday, March 31

Chinese APT crew on a rampage, data scrapers jostle to handle COVID-19 surveillance, home routers targeted

US taps alternatives to Google, Facebook for COVID-19 monitoring

The US Government is tapping the data of mobile advertising companies to identify non-compliance with social distancing measures, according to the Wall Street Journal. The scoop follows reports last week that the White House sought assistance from the tech sector to help monitor quarantine compliance and perform contact tracing.

Last week Risky Business explored what measures might prove effective and published a guest column by Stanford Law’s Albert Gidari. We suggested Facebook and Google volunteer their expansive reach to offer privacy-preserving solutions. In the absence of either announcing initiatives, startups are stepping up to the plate.

Consent-based, bespoke solutions have proven more popular than we expected - 1.2m people in the UK have downloaded the ‘COVID symptom tracker’ app, 1m Israelis have downloaded the Hamagen (‘The Shield’) app, 600k Singaporeans have downloaded the ‘TraceTogether’ app, and 500k Americans have downloaded the MIT-developed PrivateKit app. Unfortunately these early offerings have been beset with issues. ‘The Shield’ was released under an open source licence after disclosing an issue with false positives and some iOS compatibility issues, while TraceTogether users report that the iOS app is largely impractical because it only works when running in the foreground. The promised release of TraceTogether under an open source licence appears to have stalled.

Meanwhile, medical professionals have warned that pervasive cell phone tracking for contact tracing in Israel was both inaccurate and damaging public trust, while Facebook is investigating third party developers that scraped public Instagram data to generate reports about non-compliance.

Did we get the remote working thing right?

Two weeks ago Risky Business explored the predictable mistakes to avoid in the rush to embrace remote working. As expected, there’s been a surge in internet-exposed RDP (up 41% according to Shodan) and VPN endpoints (up 33%).

Microsoft is reporting 300% growth in the use of Windows Virtual Desktop and a 775% increase in use of cloud services like Office 365 and Azure. Unfortunately, a disrupted supply chain and outsized demand have also crimped the ability of cloud service providers to spin up new capacity in some regions. As forecast on the Risky.Biz podcast last week, Microsoft is implementing “temporary restrictions” on free accounts and some ‘soft quota limits’ on others, while prioritising workloads for healthcare and emergency services.

If the current growth in remote access continues, we might find ourselves in some uncomfortable territory - with some workloads being deemed less essential than others - leaving some organisations with fewer options to choose from.

Now you know who was knocking

One Chinese APT crew had a prolific and very noisy start to 2020. In a campaign stretching from late January through to mid-March, FireEye detected APT41 attempts to exploit newly disclosed vulnerabilities in Citrix ADC/Gateway appliances (CVE-2019-19781), Cisco RV320 routers and Zoho ManageEngine Desktop Central (CVE-2020-10189) against 75 of its clients. The attacks used the publicly available penetration testing tools Cobalt Strike and Meterpreter. Separately, FireEye analysts have made much of detecting commercial testing tools such as Immunity’s Canvas and Core Security’s Core Impact in use during attacks on industrial control systems.

Home routers targeted in COVID-themed scam

Attackers are performing opportunistic brute force attacks on Linksys and D-Link home routers and changing the DNS settings in the devices to redirect every browser session to a COVID-19 themed malicious web page.

Reports started trickling in from March 18 that user browser sessions were being redirected to web pages that imitated the World Health Organisation and urged victims to download an app called the ‘COVID-19 Informer’. Lawrence Abrams at Bleeping Computer identified the attacks as DNS redirection, before Bitdefender released a root cause analysis. Intriguingly, the attackers hid payloads in a Bitbucket repo. Bitdefender told Risky.Biz that most of these repos are now closed down, but they expect new ones to emerge. The practical check for a home or small-office network is simple: confirm that the resolver addresses the router hands out over DHCP are the ones you expect, and that it returns the same answers as a trusted resolver for a handful of well-known names.
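As an added illustration (not code from Bitdefender, Bleeping Computer or this newsletter) of how that check looks when scripted, the following Python flags a DHCP-supplied resolver that is neither the router itself nor on an allowlist, and applies two heuristics to a rogue resolver’s answers: unrelated names collapsing onto a single IP, and disagreement with a trusted resolver. All addresses, names and answers below are constructed placeholders (RFC 5737 documentation ranges), not the infrastructure seen in the real campaign, and the allowlist is an assumption you would replace with your own resolvers.

```python
import ipaddress

# Constructed sample data for this example only. The rogue resolver address,
# the canary names and every answer are placeholders, not observed indicators.
TRUSTED_ANSWERS = {  # what a known-good resolver returned for the canary names
    "www.who.int": "198.51.100.10",
    "example.com": "203.0.113.5",
    "bankexample.test": "203.0.113.77",
}
ROUTER_ANSWERS = {   # what the resolver handed out by the router returned
    "www.who.int": "192.0.2.44",
    "example.com": "192.0.2.44",
    "bankexample.test": "192.0.2.44",
}
DHCP_RESOLVERS = ["192.0.2.44", "192.168.1.1"]        # constructed DHCP lease contents
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}  # assumed site allowlist

# RFC 1918 ranges, checked explicitly: a resolver inside one of these is the
# router (or another LAN device) forwarding for us, which is the normal case.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def unexpected_resolvers(resolvers, expected):
    """Return DHCP-supplied resolvers that are neither LAN-local nor allowlisted.
    A public, non-allowlisted resolver appearing in a home lease is exactly the
    footprint a DNS-changing router compromise leaves on every client."""
    return [r for r in resolvers if r not in expected and not is_rfc1918(r)]


def sinkhole_indicators(router_answers, trusted_answers):
    """Two cheap signs of a hijacked resolver:
    - unrelated canary names all resolve to one address (a sinkhole), and
    - answers differ from a trusted resolver for the same names."""
    collapsed = len(router_answers) > 1 and len(set(router_answers.values())) == 1
    mismatched = sorted(
        name for name, addr in router_answers.items()
        if trusted_answers.get(name) != addr
    )
    return {"collapsed_to_single_ip": collapsed, "mismatched_names": mismatched}


def assess(resolvers, expected, router_answers, trusted_answers):
    """Combine both checks into a single verdict with the reasons attached."""
    bad_resolvers = unexpected_resolvers(resolvers, expected)
    indicators = sinkhole_indicators(router_answers, trusted_answers)
    hijacked = bool(bad_resolvers) or indicators["collapsed_to_single_ip"] or bool(indicators["mismatched_names"])
    return {"hijacked": hijacked, "unexpected_resolvers": bad_resolvers, **indicators}


if __name__ == "__main__":
    verdict = assess(DHCP_RESOLVERS, EXPECTED_RESOLVERS, ROUTER_ANSWERS, TRUSTED_ANSWERS)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

In practice you would populate ROUTER_ANSWERS and TRUSTED_ANSWERS by querying the router’s resolver and a resolver you trust (for example with dig @resolver name) for the same short list of names; the single-IP collapse is the stronger signal, because a hijacker that redirects every session has no choice but to answer every name with its own server.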

Is South Korea in your threat model?

South Korean state-based attackers continue to demonstrate strong offensive cyber capability. Google has published a report about one campaign its Threat Analysis Group tracked against targets in North Korea that used five zero-day vulnerabilities in operating systems and web browsers. Andy Greenberg at Wired checked in with AV vendors, who claim it was most likely the work of DarkHotel - an APT widely attributed to South Korea. If that attribution holds, we’d be wise to take more care before casting South Korea as a global supervillain - wiser heads have already cast doubt on whether the South Koreans tried to hack the World Health Organisation.

Tracking Fancy Bears

US Defence contractor Booz Allen Hamilton has comprehensively catalogued more than 200 GRU cyber operations to assess Russia’s broader motivations and predict future operations. This morning our expert panel discussed what security teams should take out of the 80-page report in the Risky Business livestream (see below).

Mailing USBs like it’s 1999

Cybercrime gang FIN7 has added some old school tools to its arsenal - sending US targets malware-infected USB keys in the post. Expect the FBI’s warning on the subject to feature in future PowerPoint pitches for USB lockdowns. Is it now time to start including USB drops in the pen test scope again?

Three reasons to actually be cheerful this week:

  1. ROP attack mitigation on the way - Future versions of Windows will include an Intel-designed capability (Intel CET shadow stacks, which Microsoft calls Hardware-enforced Stack Protection) to mitigate ROP-based attacks that hijack an app’s control flow by overwriting return addresses on the stack. Protection will require a generational shift - CET-capable Intel hardware, OS support, and applications compiled to opt in.
  2. Zoom cleans up iOS app - Video conferencing giant Zoom killed a feature in its iOS app that submitted a wealth of user data to Facebook even if the user didn’t log in using their Facebook ID. It came clean in response to a Vice Motherboard investigation.
  3. Russians bust carding ring - Russian Police have arrested 25 individuals accused of operating the ‘BuyBest’ marketplace for stolen credit card data and filmed the operation. It’s estimated that somewhere between US$14m and US$20m in illicit funds passed through the group.


Ransomware source code unleashed: Researchers have noted that the source code for Dharma ransomware - which extorted at least US$24 million from victims last year alone - is for sale online for US$2k. Variants of Dharma already abound, but there’s naturally concern for how many bad actors might have it now.

Hot Plastic - Attackers installed a web skimmer to steal customer credit card details from the Tupperware website last week. Tupperware didn’t respond to warnings from security researchers for five days, but removed the code once ZDNet journalist Catalin Cimpanu published a story.

Instagram stars hacked - The account details of over 200,000 ‘influencers’ were dumped on the web after their broker Social Bluebook was hacked. Thankfully all passwords were hashed with SHA-2 - though a fast general-purpose hash is only a speed bump for offline cracking unless it is salted and wrapped in a deliberately slow, per-user scheme such as bcrypt, scrypt, Argon2 or PBKDF2.
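To show why “hashed with SHA-2” on its own is thin comfort, here is an added example (not code from Social Bluebook or this newsletter) that runs a small wordlist against a constructed dump of bare SHA-256 digests and then against the same passwords stored with salted PBKDF2-HMAC-SHA256. The usernames, passwords and wordlist are made up for the example; the work counters tally how many hash computations each attack needs, which is the quantity that actually separates the two storage schemes.

```python
import hashlib
import hmac
import os

# Constructed sample "dump": three users whose passwords were stored as bare,
# unsalted SHA-256 digests. Names and passwords are invented for this example.
PLAINTEXTS = {"alice": "sunshine", "bob": "letmein", "carol": "Tr0ub4dor&3"}
LEAKED_UNSALTED = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in PLAINTEXTS.items()}

# Constructed wordlist; "Tr0ub4dor&3" is deliberately absent so carol survives.
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine", "iloveyou"]


def crack_unsalted(dump, wordlist):
    """Unsalted digests: hash each candidate once, then look every user up in
    the resulting table. Cost is len(wordlist) hashes no matter how many
    accounts leaked, which is why SHA-2 alone offers so little protection."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    found = {user: table[digest] for user, digest in dump.items() if digest in table}
    return found, len(wordlist)


def pbkdf2_store(password, iterations=600_000, salt=None):
    """Salted, slow storage: a random 16-byte salt per user and a high iteration
    count. Stored as alg$iterations$salt$dk so the verifier can recover the params."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def crack_salted(dump, wordlist):
    """Per-user salt means no shared lookup table: every candidate is re-derived
    for every user, and each derivation costs `iterations` HMAC rounds. Returns
    the cracked accounts and the total number of HMAC rounds spent."""
    found, work = {}, 0
    for user, stored in dump.items():
        iterations = int(stored.split("$")[1])
        for candidate in wordlist:
            work += iterations
            if pbkdf2_verify(candidate, stored):
                found[user] = candidate
                break
    return found, work


if __name__ == "__main__":
    found, work = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted SHA-256: cracked {found} with {work} hash computations")
    # Low iteration count here only so the demo finishes quickly; use the default in real storage.
    salted = {u: pbkdf2_store(p, iterations=1000) for u, p in PLAINTEXTS.items()}
    found, work = crack_salted(salted, WORDLIST)
    print(f"salted PBKDF2:    cracked {found} with {work} HMAC rounds")
```

Weak passwords still fall either way; the difference is that the attacker’s bill in the salted case scales with users multiplied by candidates multiplied by the iteration count, instead of being paid once for the entire dump.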

Unconfirmed industry schadenfreude of the week is that Chubb, a provider of cyber insurance, was compromised by a ransomware gang. The company denies all. Its publicly visible vulnerable Citrix gateways and exposed RDP endpoints suggest that if it isn’t owned now, it likely will be before long.