Srsly Risky Biz: Tuesday, May 19

Ransomware goes to Hollywood, Wuhan Lab dossier debunked, European supercomputers hacked for crypto-mining...

Wuhan Lab dossier debunked

Russia has some competition in the disinformation game.

The US administration's claim that the COVID-19 outbreak was caused by a laboratory accident was based on a report that has now been thoroughly debunked.

The Daily Beast asked Bellingcat and the Middlebury Institute to analyse a leaked 30-page report produced by DoD contractor Sierra Nevada Corporation, which circulated among - and appears to have been taken seriously by - the White House and multiple Congressional committees. The Sierra Nevada report mined commercially-available cell phone location data to conclude that a disruptive event occurred at the Wuhan Institute of Virology in October 2019. It casually attributed that event to a coronavirus outbreak.

The report's claims were promulgated by Senator Marco Rubio (R, Florida), Senator John Cornyn (R, Texas), Senator John Cotton (R, Arkansas), Fox News and Breitbart.

Privately, US intelligence sources distanced themselves from the report from the get-go. But as The Daily Beast story demonstrates, you don't need privileged information to dismiss the report's findings. The Sierra Nevada report relied on statistically irrelevant data - an analysis of just seven mobile phones out of hundreds of lab staff. It sought no alternative theories on roadblocks erected in Wuhan at the time (which could more easily be explained by roadworks) and claimed a major conference was cancelled that attendees from around the globe can personally attest went ahead. They even posted selfies from the event to social media.

Sierra Nevada's discredited conclusions were curiously similar to a dossier News Corp Australia used to stand up front-page stories about the Wuhan Lab theory in early May. It's unlikely the News Corp story came from a FVEY-produced intelligence brief, as reported, and more likely from a source at the US Embassy trying to peddle the theory in the Australian media. It all comes off as a clumsy disinformation campaign from The White House, which only serves to erode confidence in otherwise judicious calls for an independent investigation into the origins of the pandemic.

European supercomputers hacked for crypto-mining

Dozens of supercomputers across Europe were taken offline over the weekend in response to a crypto-mining attack.

Malware infections were discovered in research institutions across Germany, Switzerland, Scotland and Spain. There are unconfirmed reports of compromised hosts in Canada and the United States.

The attack abused sloppy security controls at the University of Krakow in Poland, Shanghai Jiaotong University and China Science and Technology Network to connect to affected supercomputers over SSH. ZDNet reports that the attack exploited a known bug in the Linux kernel to gain root access to the machines and deploy a Monero crypto-mining app. The attacks used Linux rootkits, SOCKS proxies, Tor and scheduled tasks (cron jobs) to hide the operation. All of this, just for crypto-mining? We expected something bigger.

The breaches were discovered at a sensitive time for the academic community - just as the FBI and CISA warned them they would be the targets of state-backed attacks. Several affected HPC clusters (the Jülich and Leibniz Supercomputing Centres in Germany and the CSCS in Switzerland) were prioritised for exploratory research into potential COVID-19 treatments.

Links to COVID-19 research appear tenuous at this stage. Some compromises date back to early January and used similar tradecraft to attacks found in September 2019. A large number of the compromised machines haven't been used for medical research purposes. There's been no evidence of data exfiltration in the limited number of post-incident reviews published to date.

Ransomware goes to Hollywood

The hacking of a Hollywood law firm by a ransomware gang could blow up into a real blockbuster.

Earlier this month the REvil ransomware gang stole 750GB of data from GSMLaw - a firm that represents Lady Gaga, Madonna, U2 and many of the world's top celebrities.

Trawling through the stolen data, the attackers claim to have found compromising data about US President Donald Trump, and offered to sell it to a one-time buyer for a hefty US$21m. GSMLaw claims Trump isn't a client, but hasn't responded to inquiries about what interactions clients may have had with him.

To show it means business, REvil leaked 2.4GB of contracts and other data related to GSMLaw's work for Lady Gaga. It then published ~160 emails that relate to Trump. Bleeping Computer described the contents of those emails as 'harmless'.

REvil has a reputation for following through on threats. It's no less unsettling to think that compromising data about the US President might be in the hands of cybercrime gangs than if it were leveraged by a state-backed actor.

The GSMLaw attack also brings mainstream attention to an uncomfortable trend: most ransomware gangs will now steal a victim's data before encrypting it, and threaten to publish the stolen data to entice victims to pay up.

Two separate analyses by Catalin Cimpanu (ZDNet) and more recently Lawrence Abrams (Bleeping Computer) chart the trend in some detail. The Maze gang started dumping stolen data in November 2019 - and it's a practice now copied by most of its peers.

In some cases, the data leaks are retaliatory - triggered when a victim refuses to pay a ransom. The Ako gang is the most heinous: it demands two ransoms be paid - one for the key to decrypt files on the victim's network, and a second as blackmail for the stolen data.

The only good news is that the data exfil stage might give defenders half a chance to detect and block an attack before files are encrypted.
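One way to take that half a chance is to baseline each host's outbound volume to external addresses and alert when an hour's egress blows past it, since a pre-encryption exfil of hundreds of gigabytes looks nothing like a workstation's normal traffic. The script below is an added illustration, not tooling from the newsletter or any vendor named in it; the flow records and per-host baselines are constructed, and the internal address ranges and thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal ranges; anything else is treated as an external destination.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed baseline: hourly external egress (bytes) seen on earlier days.
BASELINE = {
    "10.0.0.5": [48_000_000, 52_000_000, 50_000_000, 47_000_000],      # workstation
    "10.0.0.9": [300_000_000, 310_000_000, 295_000_000, 305_000_000],  # backup server
}

# Constructed flow records for the current hour: (src, dst, bytes_out).
CURRENT_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 1_500_000_000),  # bulk upload to an unknown host
    ("10.0.0.5", "10.0.0.1", 20_000_000),         # internal traffic, ignored
    ("10.0.0.5", "198.51.100.7", 600_000_000),
    ("10.0.0.9", "203.0.113.20", 310_000_000),    # busy but within its norm
    ("10.0.0.12", "203.0.113.30", 900_000_000),   # no baseline yet, skipped
]


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def egress_by_host(flows):
    """Sum bytes sent by each source host to non-internal destinations."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_exfil(current, baseline, z=3.0, min_bytes=100_000_000):
    """Flag hosts whose egress exceeds mean + z*stdev of their baseline.

    The min_bytes floor keeps quiet hosts from alerting on tiny absolute spikes.
    Hosts with fewer than three baseline samples are skipped rather than guessed at.
    """
    flagged = {}
    for host, total in current.items():
        history = baseline.get(host, [])
        if len(history) < 3:
            continue
        threshold = max(mean(history) + z * pstdev(history), min_bytes)
        if total > threshold:
            flagged[host] = (total, round(threshold))
    return flagged


def detect(flows=CURRENT_FLOWS, baseline=BASELINE):
    return flag_exfil(egress_by_host(flows), baseline)
```

The same egress totals can be fed from NetFlow, firewall or proxy logs; the point is that the exfil stage is loud in volume terms even when the payload itself is encrypted.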

Unemployment benefits targeted

The US Secret Service has warned states that organised fraud groups are using personal information stolen in previous attacks to file fraudulent claims for unemployment relief, according to a memo seen by Brian Krebs.

The scale of the fraud - if we are to extrapolate based on the volume of fraudulent applications reported to date - will cost US taxpayers tens of millions of dollars.

Washington State stopped processing relief payments for two days after detecting close to US$2 million in fraudulent applications.

There have been over 4000 complaints of fraudulent claims in Oklahoma. Rhode Island officials also pressed pause after receiving around 2000 similar complaints - but noted that the volume of fraud is proportionate to the unprecedented increase in Americans filing for unemployment benefits.

Air-gap hopping malware

Antivirus vendors were tripping over each other to report 'air-gap hopping malware' this week.

ESET researchers discovered (on VirusTotal) previously unknown malware designed to aid the theft of data from air-gapped systems. 'Ramsay' scans for and copies documents to a hidden storage folder on an infected device before a 'spreader' module copies the volume to any removable drives or network shares attached to the device thereafter. The stolen files can then be sent to the attacker the next time the removable media is inserted into a computer connected to the internet.

Trend Micro published a detailed update on the USBFerry malware used by a Chinese state-backed group ('Tropic Trooper', APT23, 'KeyBoy' or 'Pirate Panda') in recent attacks on air-gapped military and government networks in Taiwan and the Philippines.

Kaspersky chimed in with analysis of COMpfun - a RAT used by a Russian state-backed group (Turla, Snake, Waterbug, Venomous Bear) in attacks on foreign embassies. It also copies stolen files to a victim's USB storage when it can't connect over the internet.

Fraudsters get US$10m payday from Norwegian fund

Fraudsters have extracted US$10 million from Norfund, a Norwegian Government fund that invests in developing countries, in what appears to be a classic case of Business Email Compromise (BEC). The attackers compromised Norfund's email system, intercepted emails between the fund and a project in Cambodia, and sent emails to Norfund's bank to change the beneficiary details of a future payment to the Cambodian institution. Norfund described the attack as an 'advanced data breach'. No comment.

Scope creep for NHS COVID-19 app

Documents inadvertently disclosed to Wired reporter Matt Burgess reveal that in late March, UK authorities proposed adding features to the NHS COVID-19 contact tracing app. It was proposed that the app collect demographic information at registration - just as Australia's COVIDSafe does - and include a 'status' function, which would mimic a core feature of China's Health Code app. In China, a person's movement was restricted based on what colour the app displayed - red for those that should be in quarantine, yellow for those self-isolating, and otherwise green. NHS officials didn't rule out future changes to the app, but stressed the app would remain opt-in.

Four reasons to actually be cheerful this week:

  1. Germany unveils contact tracing source code: Deutsche Telekom and SAP published the proposed server-side source code for Germany's Gapple-powered contact-tracing app ('Corona-Warn-App'), well in advance of the app's release.
  2. COVIDSafe bugs squashed: Australia hasn't published the server-side source code for its non-Gapple COVIDSafe app yet. But a second update fixed two privacy bugs and a DoS condition previously described in this newsletter, while Australia's Parliament passed a law that offers substantive privacy protections for users.
  3. Redmond's corona-themed treasure trove: Microsoft published file hashes for over 200 COVID-19-themed malware campaigns on GitHub.
  4. Toggle off those junk apps: Microsoft also announced it will block the download and/or execution of apps deemed to have a poor reputation if Windows 10 users choose to opt-in.

Chips off the old bloc: Taiwan Semiconductor (TSMC) stopped taking orders from Huawei to comply with new US export regulations. Huawei had already flagged it would switch to a domestic supplier if the regulations kicked in. Executives from Intel and TSMC also confirmed they are in talks with the US Government about building new foundries in the United States to ease future supply-chain security concerns.

ISPs tapped for vulnerability data: A bill that gives the US Critical Infrastructure Security Agency (CISA) authority to subpoena ISPs for information about vulnerable systems detected on their networks now has bipartisan support. You can read more about the rapid expansion of CISA's remit in this week's Risky.Biz feature.

Germany mulls new sanctions against Russia: German Chancellor Angela Merkel raised the prospect of further sanctions against Russia if her intelligence services keep catching Russian hackers all up in the Bundestag's business.

This week's big game: Attacks on BlueScope Steel, Magellan Healthcare and Elexon - the administrator of the UK's electricity networks - were all disclosed this week. Magellan was a ransomware attack and it's a safe bet the others are too.

Outrunning the bear: CISA and FBI published a list of the top 10 software vulnerabilities routinely detected in attacks over the past four years.