Srsly Risky Biz: Tuesday, September 8

Ransomware takes down state-owned bank, DDoS extortion surge, Norwegian Parliament inboxes under attack, US weighs up cost of replacing Huawei, and more...

Your weekly dose of Seriously Risky Business news is supported by the Cyber Initiative at the Hewlett Foundation.

Ransomware takes down Chile's state-owned bank

Chile's national CSIRT placed the country on 'high alert' yesterday after one of the country's largest banks was crippled by a ransomware attack.

On Sunday, Banco Estado announced that malicious software had been detected on its systems over the weekend. The bank reassured clients that digital channels (ATMs, websites, apps) were unaffected but encouraged them to avoid branches the following day. Despite these assurances, hundreds of users complained on social media that some online banking features were not working.

On Monday morning, the bank told clients that only 21 of its 400+ branches would open, and these would only offer a limited range of services. It told customers that "there has been no impact on the funds of our clients or the assets of Banco Estado".

Chile's national CSIRT has shared file hashes of Sodinokibi Ransomware (commonly used by the REvil cybercrime gang) used in the attack.

DDoS extortion is back in a big way

Internet service providers across Europe have been targeted in DDoS extortion campaigns in recent weeks using the same methods employed against financial service providers like the New Zealand Stock Exchange.

Over a dozen ISPs in Belgium, France and the Netherlands have been targeted in attacks, according to ZDNet.

Attackers sent emails demanding large ransom payments in Bitcoin before swamping the ISPs’ DNS infrastructure with amplified traffic. Some of the attacks in Europe peaked at 300 Gbit/s. In most attacks, services were impacted for up to 24 hours.

Even in the absence of firm attribution to a single actor group, ZDNet's Catalin Cimpanu makes a strong case for linking the numerous attacks spanning the globe to the same actor, based on the timing of attacks and tradecraft used. The US Cybersecurity and Infrastructure Security Agency (CISA) agrees: it advises that DDoS extortion campaigns are currently affecting "multiple sectors".

This week the New Zealand Cyber Security Centre published an update to the ASD's long-published advice on how to fend off DDoS attacks. It makes for timely reading.

Forty-seven inboxes popped. No big deal, right?

Back in April 2020, Risky.Biz wondered aloud (on air) why the New South Wales Government made such a song and dance about unauthorised access to the email accounts of 47 Service NSW staff.

Now we know. A forensic investigation found that attackers made off with 3.8m documents (738GB of data) from the 47 email accounts.

Investigators spent the last four months identifying 186,000 people whose data was stolen in the attack. Each will be contacted using registered post (so as to limit the success of attackers using the notifications as phishbait).

Service NSW continues to describe the incident as a "criminal attack", probably to ward off any impression that the attack was part of an espionage campaign. Its messaging has some downsides: the government's political opponents say "heads should roll" if it can't defend systems from garden-variety phishing attacks. If only they knew that garden-variety is also the mainstay of many an espionage campaign.

It’s a bad time to be a Norwegian inbox

Norway has revealed that its parliament (the 'Stortinget') was subject to an attack in which adversaries stole data from the email accounts of elected representatives and parliamentary officials.

Norway's internal intelligence service (the Police Security Service) told local media it is investigating whether the attack was the work of foreign intelligence services from an aggrieved state actor.

You don't need to look far to Norway's east to find an aggrieved actor. In August, Norway expelled a Russian diplomat accused of spying, and Russia returned fire with the expulsion of a Norwegian diplomat on August 28.

Separately, administrators of an email system that serves Norway's municipal councils blocked all incoming email to 10,000 staff in response to an attack detected September 1, in which malicious emails were sent to victims from the compromised accounts of trusted colleagues.

Norwegian authorities have not revealed if the events are related.

Denmark's intelligence chiefs stood down over domestic collection

The head of Denmark's Defence Intelligence Service (FE), his predecessor and two colleagues were stood down after a whistleblower informed the Danish government that several SIGINT collection operations had been withheld from a government-appointed oversight panel.

An unclassified statement [pdf] released by the Danish Intelligence Oversight Board (TET) accused FE of withholding crucial information and providing bogus information on its collection activities for up to six years. Specifically, it was alleged that FE "initiated operations in violation of Danish law", including the collection and dissemination of intelligence about Danish citizens.

Feature stories in Denmark's Weekendavisen and DR reported this weekend that the FE worked with a private company to tap cables transiting Danish territory in order to collect information of foreign intelligence value. The collected data was shared with foreign allies, including the US National Security Agency (NSA). The whistleblower expressed repeated concerns that the FE had insufficient controls to prevent information about Danes being inadvertently shared with allies in the process.

The oversight committee at the TET consists of a judge, a lawyer for local government, the chair of a university board and two academics. It's relatively uncommon for a panel conducting oversight of intelligence practices to include so many unelected members of civil society. Imagine introducing similar oversight to NSA: it’d go down a treat!

The TET has asked the government, which has to date supported its investigation into the FE, to consider setting up a formal whistleblower program to prevent abuses earlier.

Replacing Chinese kit in rural US networks will cost US$1.8 billion

The US Federal Communications Commission tallied up how much it would cost rural American telcos to rip and replace Huawei and ZTE kit from their networks: US$1.837 billion.

The regulator declared both vendors a 'national security threat' in June.

The FCC also calculated [pdf] that a proposal to reimburse 50+ rural telcos for the cost of replacing Huawei and ZTE kit would cost American taxpayers US$1.62 billion.

US puts the squeeze on China's SMIC

The United States has threatened to place trade restrictions on China's largest semiconductor firm, Semiconductor Manufacturing International Corporation (SMIC).

The US Department of Defense put forward the idea to an inter-agency panel that decides which foreign companies can't be supplied with US technology without government permission, arguing that SMIC supplies technology to the Chinese military. SMIC denies the accusation.

If other key agencies agree with the DoD, SMIC will join 275 other Chinese companies on the 'entity list', including Huawei and Hikvision. SMIC shares dropped 23% when Reuters broke the story.

SMIC's largest competitor, Taiwan Semiconductor (TSMC), is prohibited under US export restrictions from supplying technology to Huawei.

FVEYs combine for incident response and breach remediation advice

Cyber defense teams from Australia, Canada, New Zealand, the UK and the US have shared advice on how best to detect and remediate malicious activity on a network.

Published in a 'Joint Cybersecurity Advisory', the word doc(!) is tightly packed with sage, straightforward advice on what to do when the brown stuff hits the fan. The advisory begins with an unstructured grab-bag of indicators that would typically be worthy of analyst investigation, followed by a list of common mistakes made during incident response. The bulk of the remainder is devoted to mitigations and configs that ideally might have prevented the incident in the first place.

CISA directs .gov owners to offer safe harbor to bug hunters

The United States' Cybersecurity and Infrastructure Security Agency (CISA) has directed US government agencies to publish a vulnerability disclosure policy (VDP) within six months.

Risky Business previously reported on CISA efforts to promote VDPs in government agencies. The news here is the release of a binding operational directive: a policy truncheon CISA uses sparingly.

Under the directive, agencies must publish a VDP at a CISA-specified address for every .gov website, listing what systems are in scope, what testing is permitted and prohibited, where to send vulnerability reports, whether there is any bounty involved and a commitment to not take legal action against researchers that adhere to it. The VDP must also set expectations for how bug reports are triaged and when a valid report will be publicly acknowledged.

CISA wants all new internet-facing systems to be in-scope by default, and all internet-facing systems to be in-scope within two years. CISA’s VDP template has been revised and is available on the CISA website.

Web skimming is about to go gangbusters

Magecart-style web skimming infrastructure is now available as-a-service to lesser-skilled attackers.

Recorded Future is tracking groups that sell or rent 'customised payment sniffers': snippets of JavaScript injected into ecommerce websites (usually via cross-site scripting attacks) to steal payment card details from the target's customers. The code is reportedly available for between US$1000 and US$3000.

In related news, Visa's security team warned online merchants [pdf] about a new skimmer that removes itself from a web server's memory after data has been exfiltrated or if it detects the use of dynamic analysis tools.
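One defensive control that this item implies is integrity monitoring of the scripts a checkout page actually loads, since an injected payment sniffer shows up as a script that was not there in a clean snapshot. The following is an added example in Python, not code from the newsletter, Recorded Future or Visa: it parses a constructed snapshot of a checkout page, compares external script origins and inline-script hashes against a baseline allowlist, and reports anything outside it. The hostnames, the baseline and both page snapshots are constructed for the example.

```python
# Added example (not from the newsletter, Recorded Future or Visa):
# a baseline-diff check for the scripts on a checkout page, one of the
# controls that surfaces injected payment-sniffer JavaScript.
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed "known-good" baseline, as it would be captured from a clean
# snapshot: allowed script origins and the SHA-256 of each approved inline
# script body. The hostnames are placeholders, not real sites.
ALLOWED_ORIGINS = {"shop.example", "cdn.example"}
APPROVED_INLINE_HASHES = {
    hashlib.sha256(b"window.cart = window.cart || {};").hexdigest(),
}


class ScriptInventory(HTMLParser):
    """Collects external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src="...">
        self.inline = []     # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def audit_scripts(html, allowed_origins=ALLOWED_ORIGINS,
                  approved_hashes=APPROVED_INLINE_HASHES):
    """Return findings (kind, detail) for every script outside the baseline."""
    inv = ScriptInventory()
    inv.feed(html)
    findings = []
    for src in inv.external:
        host = urlparse(src).hostname
        if host is None:
            continue  # relative URL: same origin as the page, treated as first party
        if host not in allowed_origins:
            findings.append(("unexpected_origin", src))
    for body in inv.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in approved_hashes:
            findings.append(("unapproved_inline", digest[:16]))
    return findings


# Constructed clean snapshot of a checkout page.
CLEAN_PAGE = """<html><body>
<script src="https://cdn.example/checkout.js"></script>
<script>window.cart = window.cart || {};</script>
</body></html>"""

# Constructed "after injection" snapshot: one script pulled from an origin
# outside the baseline and one inline script with no approved hash. The
# inline body is a harmless placeholder, not a skimmer.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="https://static-assets.invalid/s.js"></script>\n'
    '<script>document.addEventListener("submit", function () {});</script>\n'
    "</body>",
)

if __name__ == "__main__":
    print("clean page:", audit_scripts(CLEAN_PAGE))
    for kind, detail in audit_scripts(INJECTED_PAGE):
        print(f"ALERT {kind}: {detail}")
```

In practice the baseline would be regenerated from each approved deployment and the audit run against periodic fetches of the live checkout page, so a script that appears only after deployment is flagged on its first fetch rather than after customer card data has already left.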

Australia launches IoT code of practice

The Australian Government published a voluntary security code of conduct [pdf] for the tech industry to consider when developing internet-connected devices and associated services. Under the code, IoT vendors are asked to voluntarily indicate compliance with 13 high-level principles. Separately, the ACSC released its first annual report [pdf] after a gap of several years, revealing the volume and severity of incidents it responded to during FY20. Tl;dr: The report lines up with media reporting from the corresponding period and contains some useful, broad observations.

Critical Jabber XSS to RCE bug is almost a perfect 10

Cisco patched multiple vulnerabilities in the Jabber messaging tool, including a cross-site scripting flaw (with a CVSS of 9.9) that can provide an attacker remote code execution on the target's machine.

Another WordPress plugin gets some action

A vulnerability found in WordPress' File Manager is being exploited in the wild. The plugin is installed on 350,000+ WordPress instances.

India bans another 118 Chinese apps

India added 118 Chinese apps to the 96 already banned in the country. Most were gaming and dating apps that, according to India's technology ministry, were promoted by "elements hostile to the national security of India" for the "mining and profiling" of user data.

Fake news app targets Belarusian protesters

Google pulled an Android app from the Play store that masqueraded as the NEXTA Live Telegram channel used by protesters in Belarus to share their struggle for free and fair elections with the world. The trojaned app appears to have been designed to identify and locate protesters.

A short history of the ASD's mission

Rachel Noble, Director-General of the Australian Signals Directorate, gave a compressed history of the signals intelligence agency in a speech just as our last newsletter was sent.