Srsly Risky Biz: Tuesday, September 1

US exposes North Korea's cybercrime cash-out channels, NZ stock exchange crippled by DDoS extortion campaign, and the insider threat story of the year...

Your weekly dose of Seriously Risky Business news is supported by the Cyber Initiative at the Hewlett Foundation.

US exposes North Korea's cybercrime cash-out channels

The US Government has stepped up its campaign to expose North Korea's state-backed cybercrime operations, this week doxxing malware the DPRK uses to cash out attacks on banks and the techniques it uses to launder funds stolen from cryptocurrency exchanges.

Four US Government agencies co-authored an update to a 2018 report on how North Korea's "BeagleBoyz" steals funds from ATMs. “BeagleBoyz” is IC-speak for a cybercrime unit within North Korea's General Reconnaissance Bureau accused of stealing up to US$2 billion for Kim Jong-Un's regime.

The DPRK’s attacks on banks follow one of two paths. Once North Korean attackers find their way onto a bank's internal network, they either seek out SWIFT terminals to raise fraudulent interbank funds transfers, or they make a beeline for switch application servers to tamper with ATM cash withdrawals.

Switch application servers are a hub for real-time processing of payments made at ATMs and point of sale devices. Once in control of these servers, the attackers inject an executable ("FastCASH" malware) designed to identify, intercept and modify cash withdrawal requests. The malware manipulates return messages to ensure ATM withdrawal requests made by an attacker are approved, irrespective of account balance.

Up until 2018, the gang only attacked switch application servers running outdated, unsupported versions of IBM's AIX (Unix) operating system. After US authorities exposed FastCASH in 2018, BeagleBoyz retooled, returning with functionally equivalent malware that tampers with payments on switch application servers running on Windows, allowing for attacks on a broader number of smaller banks and credit unions.

The advisory provides indicators for detecting the Windows FastCASH malware, a revised Remote Access Trojan (RAT) and a network proxy tool. Cyber Command uploaded to VirusTotal executables for the latter two, adding to a long list of North Korean tools the US has doxxed in recent years.

US authorities also gave North Korea's campaign of cryptocurrency theft a thorough work-over. The Department of Justice moved to seize 280 financial instruments (cryptocurrency accounts and addresses) used by the DPRK to funnel digital currency stolen from cryptocurrency exchanges to money laundering services located primarily in China.

Most of the value stored in these financial instruments was already successfully laundered by the perpetrators’ Chinese accomplices (two were sanctioned in March 2020), so the forfeiture isn't likely to claw back much of the US$570 million worth of digital currency stolen from cryptocurrency exchanges over the last five years.

However, it demonstrates that the US now has the cyber forensics and chain analysis capabilities to connect North Korea's hacking program to other parties that launder funds for them, despite the DPRK's use of evasive measures such as 'chain hopping' (converting between different cryptocurrencies).

North Korea's cyber capabilities should not be underestimated. Nor should US determination to expose any party that -- witting or not -- helps fund Kim's empire. Consider this a shot across the bow of those people inclined to launder cryptocurrency: they might see this and decide they don’t want to deal with being sanctioned up the wazoo for helping this particular bunch of bad guys.

NZ stock exchange crippled by DDoS extortion campaign

Trading on the New Zealand Stock Exchange (NZX) was halted for most of last week in response to a DDoS extortion campaign.

Catalin Campanu at ZDNet reports that NZX was targeted by a DDoS-for-ransom group that was prolific during August. The group reportedly sent threatening notes to potential victims before flooding them with traffic (50 Gbps+) over an extended period, while demanding ever-increasing ransom payments. Campanu's piece attributed recent interruptions at payments company PayPal, its subsidiary Braintree and credit card processor Worldpay to the same attackers.

The attacks targeted the stock exchange's internet-facing infrastructure hosted on the Spark (NZ ISP) network, in bursts that exceeded 100 Gbps. The nzx.com website and the stock exchange's Market Announcement Platform were affected, disrupting the publishing of real-time market announcements. So while the NZX trading platform functioned as normal, the stock exchange couldn't meet its regulatory obligation to provide equitable access to market information and was forced to repeatedly suspend trading.

The attacks began on Tuesday afternoon (August 25). The stock market was open for trading each morning from Wednesday August 26 through to Monday August 31, but never for more than a few hours before trading had to be suspended again. The website was down again as we prepared this newsletter -- marking a full week of interruptions.

It appears the suspensions were prolonged by hastily-arranged upgrades to a new Akamai DDoS mitigation service. On several occasions, DNS servers for NZX.com previously hosted on Spark's infrastructure were redirected to the Akamai network, before rolling back to the (Spark-hosted) infrastructure attackers originally targeted.

Risky.Biz confirmed that after several days of attacks, the New Zealand Government activated its 'national security system' [pdf], in which a lead government agency coordinates an inter-agency response to critical events. In the case of cyber attacks, the Department of Prime Minister and Cabinet and the GCSB lead the response.

It looks unlikely that the Kiwis will cede to the attacker's ransom demands. The NZX plans to fulfil its obligation to publish market announcements by posting them to (as yet unnamed) third party sites.

Tesla employee turns down US$1m offer to infect the company network

Hats off to the Tesla employee who, upon being approached by an old associate from the motherland (Russia), turned down an offer for US$1m in Bitcoin to install malware on Tesla's corporate network in Nevada.

The nameless employee instead told the corporate security team at Tesla, who in turn contacted the FBI to organise a sting. Several FBI-intercepted conversations later, we have the insider threat story of the year and the arrest of a Russian national, Egor Igorevich Kriuchkov, a recruiter for a cybercrime group that claims to have pulled off ransomware operations against dozens of other organisations.

Recorded conversations between Kriuchkov and the Tesla employee lay out the workings of the scheme. The Tesla insider was first wined and dined over several days before being promised US$500k in Bitcoin for providing access to Tesla's network. He negotiated this fee up to US$1 million. He was asked to supply details about Tesla's internal network, which his handlers planned to turn over to a third party paid to develop targeted malware for delivery 10-12 days later. The insider was to be provided malware via a USB stick or email attachment and asked to install the files on Tesla's network. Kriuchkov assured the insider that most victims pay up, and that he would in turn be paid for his contribution within 12 days.

The attack on Tesla was delayed, ostensibly because the gang was still shaking down a previous victim. Kriuchkov fled by car to Los Angeles airport after being contacted by the FBI. He was arrested before he could board a plane.

The story is unlikely to end here. Thanks to the Tesla insider, the FBI now has recordings of Kriuchkov naming other companies his group attacked.

It's worth reflecting on what went right in this story. The Tesla staffer felt both a sense of loyalty to their employer and trust in its security team to report the offer, despite the promise of easy money.

The age of the insider with a million dollar motivation is here, but this story ended happily.

CISA’s plan to keep China out of 5G networks

The US Cybersecurity and Infrastructure Security Agency (CISA) has laid out the role it intends to play to keep Chinese components from 5G networks.

CISA's 5G Strategy [pdf] lists the economic incentives, outreach and education activities the agency intends to sponsor to counter the market dominance of foreign telecommunications vendors.

Roughly summarised (with some Seriously Risky poetic license):

  • We will fight them in the standards: CISA wants to participate in standards bodies as a counterweight to "technical standards contributions from adversarial nations" that try to incorporate technologies "unique to their systems" into standards.
  • We will fight them in the boardrooms: CISA will lean on a partnership with a consortium of US-centric IT and telecommunications service providers to educate clients on the risks of using "untrusted components" in 5G networks.
  • We will fight them in the labs: CISA will disseminate information from US security research bodies about vulnerabilities found in 5G equipment (and 4G downgrade attacks).
  • We will fight them with our wallets: CISA will fund domestic R&D (predominantly via prize competitions) that aim to develop 'secure and resilient' 5G capabilities, such as Open RAN kit or 5G-specific intrusion detection and prevention systems.
  • We will fight them in the classrooms: CISA will offer risk mitigation training and tools to critical infrastructure providers, local government, law enforcement, transport, healthcare and other industries rolling out 5G applications.

CISA made no mention of  sanctions, bans and other more punitive measures, which will probably be left to other agencies.

CISA argues that buying 5G components from untrusted vendors might be cheaper than vendors from allied countries, "but these low, up-front costs have the potential to accumulate into more long-term expenditures to address security flaws or interoperability issues."

This position runs contrary to the usual advice about how to contain supply chain risks in 5G networks. British and European standards bodies advise network providers to use a diversity of networking equipment [pdf] from different suppliers. They also recommend isolating untrusted vendors to the radio access network (base stations at the edge of the network), thereby keeping untrusted equipment out of the network core that runs authentication and routing functions. This is how the UK originally proposed to contain supply chain risks while taking advantage of Huawei's innovation at the network edge (such as Massive MIMO, which requires fewer antenna installations to get the same amount of coverage.)

A counterargument is that many of the functions that lived in defined parts of a 2G, 3G or 4G network can be virtualised in 5G networks. Networking devices at the edge of the network, like exchanges and base stations, won't be passive. They will have active computing components that can share network functions with the core.

US concerns don't end with the choice of supplier. "While 5G equipment may be from a trusted vendor, supporting components manufactured or handled by untrusted partners or malicious actors could negate any security measures in place," CISA's paper notes.

That leaves network operators in a frustratingly helpless position. If you're up for a long read, this feature in American Affairs Journal maps the path to Chinese dominance in the field.

Users can't handle the truth

One reason security awareness programs fail is the overwhelming volume of advice users are asked to absorb. A study [pdf] launched at the USENIX conference tested user and expert opinions on 400 separate statements scraped from trusted sources of security advice. It concluded that InfoSec teams fail to prioritise what advice is most important.

Asked which of the 400 advice statements they'd put in their "Top 3" recommendations to users, a sample of 41 InfoSec experts listed 25 between them. Asked what would make their "Top 5", they listed 118, and asked what would make their "Top 10", they listed 187.

It wasn't that the advice was harmful or completely useless (although, Seriously Risky Biz contends that much of it was of dubious value). It's that awareness professionals often expect too much of users. Much of the best advice isn't comprehensible and attempts to dumb it down often render it less actionable.

Cisco engineer burns it all down on the way out the door

A former Cisco engineer admitted to burning down 456 virtual machines four months after he left the firm. Indian national Sudhish Kasaba Ramesh logged back into his Cisco Google Cloud Project account in September 2018 and intentionally deleted VMs that powered Cisco's WebEx service. His act of sabotage shut down 16,000 WebEx Teams accounts for two weeks, causing US$2.4m in damages to Cisco and its customers. Ooph.

Two reasons to actually be cheerful this week:

  1. Uncloaking intelligence: Professors Bobby Chesney (University of Texas) and Matthew Waxman (Columbia University) published a series of talks on US national security laws, including those that apply to intelligence collection and covert action. The discussions made for excellent company while this author cooked dinners this week.
  2. Cracking down on BEC: Three more African nationals, this time from Nigeria (via UK), Ghana and Tamale, were each extradited to the United States to face charges over Business Email Compromise scams. US authorities have barely scratched the surface on the BEC ecosystem, but at least the United States is taking action.

China moves to scuttle sale of TikTok to US interests

Chinese authorities amended foreign takeover laws to give them authority to block the acquisition of TikTok's US, Australian and NZ operations by US-based suitors. TikTok's CEO resigned and its interim management says the company will "strictly" obey Beijing's orders. With only a fortnight until Trump's executive order comes into effect, Bytedance is preparing to shut down TikTok in the US and no-one is entirely sure what that means for existing users. Chaos.

Don't. Run. Electron. Apps

Risky Business host Patrick Gray warned Twitter followers not to trust Electron (desktop) apps in response to a remote code execution vulnerability disclosed in Slack's desktop app. Pat's tweet stirred up some thought-provoking responses from experts, including those running software security at Signal, Google Chrome and Slack. If clicking through hundreds of tweets isn't your thing, tune in for this week's podcast. I expect Pat and stand-in co-host Alex Stamos will have a few words to say about it.

InfoSec talent needed, apply downunder

The Government of New South Wales (Australia) plans to spend AU$240 million and hire 75 staff to centralise cyber security functions for smaller government agencies, in response to more than a few run-ins with internet nasties.

Bugs in Cisco, Pulse are worth a look

Cisco Systems released workarounds (but no patch yet) for customers at the big end of town after detecting active exploitation of a DoS vulnerability in switching gear that runs on the IOS XR operating system, which is used by carriers and data centres. There's also another bug in Pulse Secure VPN appliances to worry about, but at least this time it requires some user interaction (clicking on a phishing link).

Ouch, Visa.

Swiss researchers found a way to bypass security mechanisms on stolen Visa cards. No word yet on a fix.