Srsly Risky Biz: Tuesday, October 6

Ransomware attack cripples 250 US hospitals, Treasury warns against paying ransoms to sanctioned groups, Russia to ban TLS upgrades, Fresh evidence of APT40 attacks on Australia...

Your weekly dose of Seriously Risky Business news is supported by the Cyber Initiative at the Hewlett Foundation.

Ransomware attack cripples 250 US hospitals

Over 250 hospitals across the United States have resorted to pen and paper for the last nine days after the corporate network of Universal Health Services (UHS) was infected with Ryuk ransomware last Sunday.

The Wall Street Journal reported that UHS decommissioned systems used for "medical records, laboratories and pharmacies" at 250 US sites as a preventative measure after detecting the malware infection.

Kevin Collier at NBC spoke to several affected medical practitioners, who recounted stories of delayed medical treatment as staff were held up updating records and labelling drugs by hand.

UHS told the media this morning that, nine days later, some hospitals are still using "offline documentation methods". The company promises to restore hospital access to critical applications, including its Electronic Medical Records (EMR) system, by the end of today. Back-filling nine days' worth of paper records into those systems may take a little longer. UHS claims that no patient or customer data was accessed in the attack.

It was one of several high-profile ransomware infections that made headlines in the US this week.

The New York Times also reports that a ransomware attack on eResearchTechnology on September 20 had an indirect impact on the work of at least two companies working on COVID-19 vaccine research.

Tyler Technologies, a company that provides technology services to all levels of government in America, was infected on September 23. While initially playing down the incident, Tyler later advised customers to reset credentials used for remote access to their networks or applications by Tyler staff, after suspicious login activity was reported among Tyler clients.

Tyler's ransomware incident made the front page of the New York Times on the basis of perceived risks to the US election: the company's data analytics dashboards are used for reporting purposes by election officials in several US states. A Tyler spokesman told Risky.Biz it hasn't seen any evidence these tools, which are hosted on Amazon Web Services, were affected by the attack.

Separately, CISA and MS-ISAC published timely, plain-English guidance [pdf] for state and local governments on how to prevent and respond to ransomware incidents.

Our opinion? It’s time to release the hounds.

Treasury warns against paying ransoms to sanctioned groups

The US Department of the Treasury has warned that it will levy fines on ransomware victims that make payments to entities subject to US sanctions.

The department warned [pdf] incident response companies, cyber insurance firms and the broader InfoSec community that several ransomware gangs are connected to sanctioned individuals and groups such as Evil Corp (in Russia) and Lazarus Group (in North Korea).

One case in particular drew the department's attention to the issue. In early August 2020, incident response firm Arete IR arranged a payment to the WastedLocker ransomware gang on behalf of American company Garmin to obtain a decryption key. The company made the payment under the pretence that it had 'insufficient evidence' to have confidence in documented links between WastedLocker and sanctioned Russian cybercrime group 'Evil Corp'.

But according to Treasury officials, ignorance isn't an excuse. "A person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws," it noted.

Tracking which groups are related to which sanctioned entities is an inexact science. So the department offered a get-out-of-jail card of sorts: victims who feel they have no choice but to pay should let law enforcement know first. Treasury says it will treat "full and timely cooperation with law enforcement" during and after a ransomware attack as a significant mitigating factor when it decides on penalties.

Risky Business believes it’s likely Arete IR's cute little fix for Garmin’s woes prompted Treasury's warning. But it doesn't make much sense to fine Garmin or Arete: the evidence that linked Evil Corp and WastedLocker was barely a month old when the ransom was paid. That provides Garmin some (albeit, weak) grounds for appeal. The more productive option was to issue a final warning and use the threat of future fines to compel victims to work closely with law enforcement. That’s what we think this is.

Russia to ban TLS upgrades

As Risky Business predicted in August, Russia has followed China's lead and will ban the use of privacy-preserving upgrades to internet protocols, including the ESNI extension to TLS 1.3, DNS over HTTPS (DoH) and DNS over TLS (DoT).

Catalin Cimpanu at ZDNet reports that the Russian Government seeks to amend its laws to ban any protocol that hides "the name (identifier) of a web page" inside HTTPS traffic. Russia's intelligence and censorship regimes rely on extracting domain names from two places: plaintext DNS lookups, and the Server Name Indication (SNI) field that a browser sends in the clear in the TLS ClientHello, before any encryption is established. DoH and DoT close the first gap by carrying DNS queries inside an encrypted channel; the ESNI extension to TLS 1.3 (the E stands for "encrypted") closes the second by encrypting the SNI in the handshake that immediately precedes the encrypted connection. A middlebox that sees a ClientHello with no plaintext SNI, and a DNS channel it cannot read, has nothing left to block on but IP addresses.
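To make concrete what a censor's middlebox actually reads, here is an added example (not from ZDNet or the Russian draft law) that builds a minimal TLS ClientHello and parses it the way an SNI-sniffing device would. The ClientHello bytes are constructed in the script, not captured traffic; the extension code point 0xFFCE is the draft ESNI value and is treated as an assumption, since ESNI never became an RFC.

```python
import struct

SNI_EXT = 0x0000          # server_name extension, plaintext hostname
ESNI_EXT_DRAFT = 0xFFCE   # draft-ietf-tls-esni code point (assumption: draft-era value)
SUPPORTED_VERSIONS = 0x002B


def _ext(ext_type, data):
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(hostname=None, esni_blob=None):
    """Constructed ClientHello record for the demo; not real traffic.

    hostname  -> emit a plaintext SNI extension (TLS 1.2/1.3 default)
    esni_blob -> emit an opaque ESNI extension instead (what a censor sees
                 when the browser has ESNI enabled)
    """
    exts = b""
    if hostname is not None:
        name = hostname.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        exts += _ext(SNI_EXT, struct.pack("!H", len(entry)) + entry)
    if esni_blob is not None:
        exts += _ext(ESNI_EXT_DRAFT, esni_blob)
    exts += _ext(SUPPORTED_VERSIONS, b"\x02\x03\x04")           # advertise TLS 1.3
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                 # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                  # one cipher suite
            + b"\x01\x00"                                         # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # TLS record


def extract_sni(record):
    """Return (hostname or None, set of extension types) as a passive middlebox sees them."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # client_version + random
    pos += 1 + body[pos]                           # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                              # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return None, set()                         # no extensions at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    hostname, seen = None, set()
    while pos + 4 <= end:
        et, el = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + el]
        pos += el
        seen.add(et)
        if et == SNI_EXT:
            # server_name_list: 2-byte length, then entries of type(1) + len(2) + name
            p = 2
            while p + 3 <= len(data):
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    hostname = data[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
    return hostname, seen


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))        # hostname visible
    print(extract_sni(build_client_hello(None, b"\x00" * 16)))   # only an opaque ESNI blob
```

Run it and the first line shows the hostname any on-path device can read from a normal TLS 1.2 or 1.3 handshake; the second shows that with ESNI the device sees only that extension 0xFFCE is present, which is exactly the property the proposed law targets.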

In doing so, Russia and China seek to reshape the internet into two networks (a 'splinternet'): one in which user privacy takes primacy, and another that values centralised visibility and control. It leaves online service providers and browser vendors in an interesting position if they want to keep serving China and Russia. If browser vendors, for example, prolong support for TLS 1.2 (or ship builds with ESNI and DoH switched off) to appease authoritarian regimes, they also risk slowing the take-up of privacy-preserving technologies in countries that value liberty and privacy. The alternative is for every global service provider to operate separate infrastructure configurations for different jurisdictions.

Please handle election security threats with care

US intelligence and law enforcement agencies are working overtime to reassure Americans that the US electoral system -- while far from perfect -- is designed to be resilient to disruption from online threats.

On September 23, CISA and the FBI announced that they had yet to identify any threat that would prevent a vote from being counted or compromise the integrity of votes cast. "Any attempts tracked by FBI and CISA have remained localised and were blocked, minimal, or easily mitigated," the two agencies said.

Over the last week, the same agencies warned Americans to be wary of unproven claims that voter information had been compromised or that voting systems could be disrupted by DoS attacks. At this point, the FBI is more worried about voter suppression than about system compromise, and academics have shown that domestic disinformation is having a far bigger impact on voters than any nonsense launched from abroad.

Journalists and threat researchers are asked to resist the temptation to assume malicious activity that targets Americans is in any way related to the election. When the evidence a threat is election-related is conclusive, they are urged to take extreme care not to exaggerate its scale or effects.

Care is also required when reporting on information sourced via "hack and leak" operations. Washington Post editor Marty Baron has schooled his staff on the subject, using a template available from Stanford University.

Fresh evidence of APT40 attacks on Australia

Microsoft has published technical evidence that links Chinese group APT40 to the attacks on Australia that caused a diplomatic spat earlier this year.

In June 2020, Australia's Prime Minister announced that an unnamed state actor had persistently targeted organisations across the country, including state government agencies.

There were few doubts the state actor in question was China-related. Privately, threat analysts noted overlaps between the technical indicators published by the ACSC (the 'copy-paste' attacks) and activity associated with APT40. But the Chinese Communist Party falsely claimed that this attribution was concocted by the defence-industry-funded think tank, the Australian Strategic Policy Institute (ASPI).

Now, thanks to a Microsoft advisory on APT40 activity, that overlap is on the public record.

The ACSC indicators released in June described an operation that began with a spear-phishing email. The email lured the victim into authorising a malicious OAuth application, handing the attackers the user's Office 365 OAuth tokens without a password ever being captured. The indicators included the Application ID and a domain for that malicious app. Microsoft's new advisory notes that it removed 19 Azure AD apps used in APT40 attacks in April 2020, and both advisories list the same set of attacker email addresses. They are describing the same attacks.
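The useful defender's response to an advisory like this is to sweep your own tenant's consent grants for the published indicators and for the shape of the attack (mail and refresh-token scopes granted to an app nobody vetted). The script below is an added example, not ACSC or Microsoft code: the records are constructed and only loosely modelled on Azure AD service principals and delegated permission grants (field names simplified), and the application ID and domain in the indicator lists are placeholders, not the values from either advisory.

```python
import json
from urllib.parse import urlparse

# Placeholder indicators (made up for this example). Substitute the Application ID
# and domain published in the ACSC / Microsoft advisories.
IOC_APP_IDS = {"00000000-0000-0000-0000-00000000beef"}
IOC_DOMAINS = {"example-malicious-app.invalid"}

# Delegated scopes that read or send mail, reach files, or hand out refresh
# tokens (offline_access): the set a consent-phishing app asks for.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Files.Read.All", "Files.ReadWrite.All", "offline_access"}

# Constructed tenant inventory: service principals (apps) and the delegated
# grants users consented to. Field names are simplified, not the Graph schema.
APPS = json.loads("""[
 {"appId": "11111111-1111-1111-1111-111111111111", "displayName": "Contoso HR",
  "verifiedPublisher": "Contoso Ltd", "replyUrls": ["https://hr.contoso.com/auth"]},
 {"appId": "00000000-0000-0000-0000-00000000beef", "displayName": "Mail Sync",
  "verifiedPublisher": null, "replyUrls": ["https://example-malicious-app.invalid/cb"]},
 {"appId": "22222222-2222-2222-2222-222222222222", "displayName": "PDF Helper",
  "verifiedPublisher": null, "replyUrls": ["https://pdf-helper.example/cb"]}
]""")
GRANTS = json.loads("""[
 {"clientAppId": "11111111-1111-1111-1111-111111111111", "principal": "alice@contoso.com",
  "scope": "User.Read Mail.Read"},
 {"clientAppId": "00000000-0000-0000-0000-00000000beef", "principal": "bob@contoso.com",
  "scope": "User.Read Mail.ReadWrite offline_access"},
 {"clientAppId": "22222222-2222-2222-2222-222222222222", "principal": "carol@contoso.com",
  "scope": "User.Read offline_access Files.ReadWrite.All"},
 {"clientAppId": "22222222-2222-2222-2222-222222222222", "principal": "dave@contoso.com",
  "scope": "User.Read"}
]""")


def review_grants(apps, grants):
    """Score each delegated grant: critical on an indicator match, high when an
    unverified publisher holds a high-risk scope, medium when a verified one does."""
    by_id = {a["appId"]: a for a in apps}
    findings = []
    for g in grants:
        app = by_id.get(g["clientAppId"])
        scopes = set(g["scope"].split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if app is None:
            sev, why, name = "high", "grant to app missing from tenant inventory", g["clientAppId"]
        else:
            name = app["displayName"]
            domains = {urlparse(u).hostname for u in app.get("replyUrls", [])}
            if app["appId"] in IOC_APP_IDS or domains & IOC_DOMAINS:
                sev, why = "critical", "matches published indicator"
            elif risky and not app.get("verifiedPublisher"):
                sev, why = "high", "unverified publisher granted " + ", ".join(risky)
            elif risky:
                sev, why = "medium", "verified publisher granted " + ", ".join(risky)
            else:
                continue                       # low-risk scopes only: nothing to report
        findings.append({"principal": g["principal"], "app": name,
                         "appId": g["clientAppId"], "severity": sev, "reason": why})
    return findings


if __name__ == "__main__":
    for f in review_grants(APPS, GRANTS):
        print(f["severity"].upper(), f["principal"], "->", f["app"], ":", f["reason"])
```

On the constructed data the script flags Bob's grant to the indicator-matching app as critical, Carol's grant of offline_access and Files.ReadWrite.All to an unverified app as high, and Alice's Mail.Read grant to a verified publisher as medium; Dave's User.Read-only grant is not reported. Revoking the grant is only half the response, since tokens already issued remain valid until they expire or the user's sessions are revoked.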

GRU, China APTs called out for more bad behaviour

The United States continues to expose the cyber operations of its foreign adversaries, burning new malware samples and sharing tradecraft on recent attacks.

CISA published a detailed walkthrough of a successful compromise of a US Federal Agency. It didn't name the compromised agency, attribute the attack or date the alleged intrusion, saying only that it was detected using the EINSTEIN network intrusion detection system.

Several analysts told Risky Biz that the actor in question was Russia's GRU (Fancy Bear/Strontium/APT28, to be precise). Wired's Andy Greenberg is also reporting GRU is the threat actor.

Not to be outdone, US Cyber Command dumped a new Windows RAT on VirusTotal, which it joyfully named 'Slothful Media'. The RAT is unremarkable but for its ability to uninstall itself on command and to re-establish itself after a reboot. Risky.Biz sources tell us the tool is in active use by a threat actor with a China nexus. Kudos to whoever designed the promotional image released with Cyber Command's announcement: it will be meme fodder for years to come.

You've got mail

From: Kimsuky (North Korea)
To: United Nations

North Korea's slapdash hacking team Kimsuky repeatedly tried to hack ~28 United Nations staff, including 11 on the UN Security Council.

From: Phosphorus/APT35/Rocket Kitten (Iran)
To: Saudi Arabia
Iranian hackers sent targets in Saudi Arabia's defence community a fake invitation to the 2021 Munich Security Conference, with a malware-laced PDF attached.

From: GRU (Russia)
To: Azerbaijan, possibly others
A NATO-themed phishing campaign that dropped GRU malware was sent to an Azerbaijan defence agency in August. At this point we don't know if Russia was trying to gather intel shortly before hostilities escalated between Azerbaijan and Armenia or if other NATO members and affiliates received the same lure.

From: Ivan (Emotet)
To: The United States
The Emotet botnet is being used to spew out campaigns with election-themed lures. One pretended to be a call for volunteers to help the Democratic Party's campaign.

Four reasons to actually be cheerful this week:

  1. Scan for low-hanging fruit: GitHub's code scanning feature, first previewed in May, is now generally available. You can switch it on in your repository settings.
  2. API protection: Cloudflare launched a service that simplifies the use of public key cryptography to protect API servers from basic, automated attacks. They're also facing heat this week for protecting Proud Boys websites.
  3. Any ransomware vaccine will do: Researcher Florian Roth released a hacky way of preventing infection by several ransomware strains: an app that kills any process that attempts to delete volume shadow copies on Windows. The disclaimer: like any 'first stage' vaccine, it can have side effects (fatal ones for backup jobs that rely on vssadmin.exe, for example). We're at the 'ingest bleach' stage of the ransomware pandemic.
  4. Iowa's VDP: The US State of Iowa discreetly launched a vulnerability disclosure program last month, which means 50 security researchers have been helping to secure the internet-facing systems of this swing state in the lead-up to the election. Ohio did the same last month.
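Item 3 above rests on a simple observation: ransomware has to destroy Volume Shadow Copies before encrypting, and the handful of commands it uses to do so are rarely seen from anything but backup software. The script below is an added example (our own, not Florian Roth's tool) that applies that logic as detection rules over constructed process-creation events, and shows the caveat from the item: a parent-process allow-list is what keeps a legitimate backup agent's vssadmin call from being killed. The backup agent path is a placeholder.

```python
import re

# Command lines ransomware families use to destroy shadow copies and recovery
# options before encrypting. The commands are well documented; the regexes are ours.
RULES = {
    "vssadmin_delete_shadows":  r"vssadmin(\.exe)?\s+delete\s+shadows",
    "vssadmin_resize_storage":  r"vssadmin(\.exe)?\s+resize\s+shadowstorage",
    "wmic_shadowcopy_delete":   r"wmic(\.exe)?\s+shadowcopy\s+delete",
    "wbadmin_delete_catalog":   r"wbadmin(\.exe)?\s+delete\s+catalog",
    "bcdedit_disable_recovery": r"bcdedit(\.exe)?.*\brecoveryenabled\s+no\b",
    "powershell_shadowcopy":    r"win32_shadowcopy.*\.delete\(\)",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}

# Parent images allowed to touch shadow storage. Placeholder: a real deployment
# lists its actual backup agent binaries here, lower-cased.
ALLOWED_PARENTS = {r"c:\program files\examplebackup\agent.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
EVENTS = [
    {"pid": 4120, "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 4121, "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 4122, "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "cmdline": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"'},
    {"pid": 5010, "parent": r"C:\Program Files\ExampleBackup\agent.exe",
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=20GB"},
    {"pid": 5011, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "vssadmin list shadows"},
]


def classify(event):
    """Return (rule_name, action) for a matching event, else None.

    action is 'kill' unless the parent image is on the allow-list, in which
    case it is 'allow' (the backup-job side effect the item warns about)."""
    for name, rx in COMPILED.items():
        if rx.search(event["cmdline"]):
            action = "allow" if event["parent"].lower() in ALLOWED_PARENTS else "kill"
            return name, action
    return None


def evaluate(events):
    """Run every event through the rules and return the list of verdicts."""
    verdicts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            verdicts.append({"pid": ev["pid"], "rule": hit[0], "action": hit[1]})
    return verdicts


if __name__ == "__main__":
    for v in evaluate(EVENTS):
        print(v)
```

Against the constructed events the three commands spawned from the Temp-directory binary are marked for killing, the resize from the allow-listed backup agent is allowed, and a harmless `vssadmin list shadows` never matches. In a real deployment the same patterns belong in your EDR or SIEM as a high-severity rule whether or not you run a process-killing vaccine.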

It's official: Netlogon bug is in the wild

Microsoft warned that the Netlogon bug we've covered in our last two editions is being actively exploited, including by Iranian APT MuddyWater/Mercury. CISA released a patch validation script for the bug late last month so that teams that have already patched can sleep a little easier.

The sort of consular assistance you really don't want

Russian hacker Yevgeniy Nikulin was sentenced to seven years in a US prison for his role in hacking Dropbox, Formspring and LinkedIn. Nikulin was nabbed in Prague in 2016 and extradited to the US -- much to Russia's displeasure. According to this epic Jeff Stone profile of the colourful US-based lawyer originally appointed to defend him, Nikulin was routinely advised by Russian officials without his lawyer present and exhibited the behaviour of a man under significant stress. Can't imagine why.

Putin trolls the US in calls for a truce

Russian president Vladimir Putin offered the United States a truce, of sorts. If the US agrees not to meddle in Russian affairs, Russia’s intelligence services will pull their heads in. That’s what Vlad says, anyway.

Wall Street Market vendors rounded up

A US-led law enforcement operation made 179 arrests, seized 500kg of drugs and banked US$6.5m in currency, based largely on intel gathered from the servers of Wall Street Market, an online forum seized by German authorities in 2019.

Twitter tightens up after brush with script-kiddies

Twitter hired a new CISO, kicked off user access reviews, and "ramped up" a planned rollout of hardware-based multi-factor authentication, according to a post-incident debrief with Wired magazine.

CFIUS warns the valley to avoid Chinese investment

The US Committee on Foreign Investment in the United States (CFIUS) mailed dozens of Silicon Valley companies to inquire about historical investments by Chinese entities, according to The Washington Post, and sent in staff to educate startups on the risks of accepting Chinese investment. Proposed bans on WeChat and (temporarily) TikTok remain held up in US courts.

SMIC drop

US companies now need government permission to supply manufacturing equipment to Chinese chipmaker SMIC under newly imposed trade restrictions. It's mixed news for SMIC, which was previously nominated as a candidate for the US 'entity list' (an outright ban) after the US DoD accused the company of providing technology to the Chinese military.

Nokia replaces Huawei in BT rollout

Nokia won a deal to build the 5G access network and replace 2G and 4G antennas for British Telecom-owned EE Ltd. A large portion of the 4G access network was previously supplied by Huawei, which is now subject to US-led sanctions. The US-led campaign against Huawei now rolls on to Italy and Germany.

Huawei's awful code

The UK's Huawei Cyber Security Evaluation Centre (HCSEC), which is overseen by the NCSC, found a bunch of bugs in Huawei networking equipment during 2019, according to its latest oversight board report [pdf]. They were the sort of sloppy bugs that result from poor coding practices, not from cunning spies. They weren't quite in Cisco's "static credentials" category of sloppy, but along those lines.

Pastebin: it's like Snapchat, for criminals

Pastebin added two new functions that malicious attackers are going to love: a 'Burn After Read' function that deletes a paste once it has been read, and a 'Password Protected' function.

Fourth shipping giant sunk by ransomware

French shipping company CMA CGM was infected with Ragnar Locker ransomware. Catalin Cimpanu points out that the world's four largest shipping companies have all been disrupted at some point in recent years. Little wonder the US is taking a close look at maritime cyber security right now.

Manage your thin client devices from anywhere!

HP Device Manager ships with a database account that yields system-level access if you type a single space character as the password. HP initially ignored the disclosure, then begrudgingly acknowledged the problem once the researcher made it known that the bug can be triggered remotely. CVSS 9.9.

MDM bug spits Facebook bounty cash and state-sponsored shells

That MobileIron MDM bug (found as part of a Facebook bug bounty) we mentioned in the September 15 newsletter (see "China’s Ministry of State Security are freeloaders") was used in state-backed attacks against Australian targets by September 19.

Former Australian PMs air their views on China

This week we posted an hour-long conversation between Risky Business host Patrick Gray and former Australian Prime Minister Malcolm Turnbull, talking in detail about the shape of cyber policy in Australia from 2013 to the present day. We also recommend this interview with fellow former Australian PM Kevin Rudd. He is a close observer of China and surprisingly astute on technology policy.