Srsly Risky Biz: Wednesday, May 27

UK changes course on Huawei, Australia exposes ATT&CK-aligned TTPs, US tells telcos to prepare for 5G conspiracy nutters...

Your weekly dose of Seriously Risky Business news is supported by the Cyber Program at the Hewlett Foundation.

UK changes course on Huawei

The United Kingdom has bowed to pressure from at home and abroad and agreed to remove Chinese vendors from its mobile telecommunications networks.

Prime Minister Boris Johnson's conservative government confirmed it will ask telcos to remove all Huawei equipment from UK networks by 2023. The move was motivated - in part - by US sanctions against Huawei, which are likely to force the company to swap out US and Taiwanese components in its equipment for Chinese-made chips.

The decision caps off a year of headaches for the three UK mobile carriers (BT-owned EE, Hutchison 3 and Vodafone) that use Huawei equipment in their mobile networks. It's especially grim news for British Telecom. BT negotiated deals in which its subsidiary (EE) uses Huawei equipment at home in the UK, while China granted BT the only foreign license to provide telecommunications services to companies operating in mainland China.

Johnson has been under pressure from his allies in the US and conservatives within his own government to enact a ban. The US has hounded Huawei in just about every foreign market it operates in - enacting rules that cut Huawei's supply lines and crimp its ability to win customers.

In January 2020, the UK opted to cap Huawei involvement at an arbitrary "35%" of any network and instructed telcos not to use Huawei equipment in the network core. But that failed to appease US President Trump, who was reportedly 'apoplectic' with his UK counterpart for giving Huawei a whiff of a chance.

This week US Secretary of State Mike Pompeo even threatened to "disconnect" the US from any network that connects to infrastructure associated with China's Belt and Road project - calling out an MOU signed between China and the Australian State of Victoria in 2019. The US ambassador to Australia casually reminded everyone to cool their jets, as Australia's States and Territories have no say in telecommunications regulation or SIGINT collection.

Apple and Google clear a path for contact tracing switch

Apple and Google (Gapple) have agreed to meet governments halfway on contact tracing apps.

The mobile OS giants launched their long-awaited 'Exposure Notification API' late last week, which 23 countries are enrolled to use as a framework for new contact tracing apps. Austria, Germany and Switzerland are certainties to roll out apps based on the API.

Public health authorities that use the 'Exposure Notification API' in their apps are now permitted to collect personal information as part of the registration process, on the condition that users must be offered the choice of whether to provide it and still get the benefits of exposure notifications.

Many existing contact tracing apps - including Australia's COVIDSafe - demand a combination of user names, phone numbers and postcodes at enrolment. When a user marks themselves as COVID-19 positive in the app, proximity identifiers captured by the app over the previous 14 days are submitted to their health authority, which is able to decrypt the information to access the names and phone numbers of users that had been in close proximity to the infected user.

Under the decentralised framework Gapple originally proposed, a central authority couldn't identify a user via these proximity identifiers. Health authorities would simply control the parameters of what constitutes an exposure event - and the app would notify users based on those parameters.

Gapple has now altered the API's terms to better accommodate manual contact tracing procedures. Developers are permitted to ask users to "voluntarily [in]put additional information that would allow the health authority to follow up directly with the individual, if that's the model they want to pursue," a Gapple spokesperson said, but "by policy, the application has to allow the user the option of not providing that information." The consent has to be specific to the collection of the data, a spokesperson said, and can't be assumed as part of the broader terms and conditions for using the app.

As it stands today, a person must enter this information to register for Australia's COVIDSafe app. It is not a voluntary act. So the Australian Government will need to update the app to include this consent before COVIDSafe developers can make use of the API. Risky.Biz discussed with a Gapple spokesperson what would make for an acceptable compromise: an updated registration process could, for example, briefly explain how health authorities would use the personal information it requests, accompanied by a 'skip this step' option. But an asterisk and fine print probably wouldn't.

The good news this week is that COVIDSafe has finally been used to successfully trace and quarantine a person in Victoria, and an overnight update squashed another privacy bug.

The New Zealand government, meanwhile, asked NZ businesses to set up posters with QR codes on buildings and public spaces, such that users can 'sign in' using a simple contact tracing app each time they enter. Docs released with the app hint that New Zealand may add BLE-based contact tracing at a later date, if indeed the Kiwis require it - they're doing a pretty spectacular job of containing the virus without it.

Telcos beef up security to counter 5G conspiracies

Internet historians may remember 2020 as the year millions of people that rarely use the internet were forced indoors and logged on for long enough to believe that a biological virus can travel over radio waves.

The Cybersecurity and Infrastructure Security Agency (CISA) has warned telcos across the US to prepare for attacks on mobile telecommunications equipment, over concerns the anti-5G conspiracy theories that festered in the UK and New Zealand in recent weeks might take hold in the US. It recommends the use of physical barriers, alarm systems and CCTV and systems for monitoring drone activity as countermeasures.

Bizarre conspiracies that link 5G to COVID-19 resulted in 80 arson attacks on telecommunications equipment in the UK over the last fortnight and 17 in New Zealand. UK service technicians have encountered intimidating behaviour and verbal abuse. Even in Australia, where one suspected case of arson is under investigation, 1 in 8 people told pollsters they believe the virus spreads via 5G.

Physical security leads at large telcos told Risky.Biz this week that they were already planning further physical security measures, but faced an arduous task prioritising where they are best applied. Attackers in the UK clearly couldn't discern between 5G and other telecommunications equipment and attacked anything that looked like a mobile cell tower. By necessity, mobile cell towers are broadly distributed and often located on private property.

So here's a thought: a public advertising campaign that points out how utterly stupid this stuff is might be a cheaper investment.

Australia next in line to talk tough on healthcare hacking

The Australian Government has urged state-backed actors to refrain from attacks on medical research facilities in attempts to aid their COVID-19 response.

A joint statement from Australia's Defence and Trade departments warned that cybercrime and state-backed actors are "seeking to exploit the pandemic for their own gain".

Dr Tobias Feakin, Australia's Ambassador for Cyber Affairs at the Department of Foreign Affairs and Trade, told Risky.Biz that while Australian research bodies haven't been specifically targeted, it was important that Australia called out attacks levelled elsewhere in the world.

"It's not a leap of faith to understand why we should be upset," he said. "It's abhorrent, to be frank, that someone would take such crude advantage of other people's suffering."

Dr Feakin said the statement serves to "remind countries of the commitments they've made, so that if they are engaging in these activities, they cease it straight away."

In early May, CISA and the UK NCSC warned healthcare organisations that they were "investigating a number of incidents in which threat actors are targeting pharmaceutical companies, medical research organisations, and universities." Two days later, the ACSC elaborated with more specifics, warning medical researchers that state-backed actors are "seeking information and intellectual property relating to vaccine development, treatments, research and responses to the outbreak, as this information is now of higher value and priority globally."

The activity doesn't appear to have slowed. The Canadian Centre for Cyber Security released a threat bulletin overnight that confirmed a Canadian biopharmaceutical company was compromised by a foreign threat actor in mid-April, "almost certainly attempting to steal its intellectual property."

The FBI also shared more details this week about ongoing state-backed operations, while a bipartisan group of US Senators told the FBI and CISA that they are willing to provide whatever tools or authorities are required to combat the attacks.

Australia on the ATT&CK

The Australian Cyber Security Centre released a detailed ATT&CK-aligned breakdown of TTPs (tactics, techniques and procedures) they've seen used in attacks on Australian networks over the last 12 months.

The document strikes a careful balance between being descriptive and transparent enough about attacker tradecraft to be useful to defenders, without revealing too much of what the ACSC knows about state-backed actors that are targeting Australia. The report doesn't differentiate between TTPs used by state-backed actors for espionage versus those used for cybercrime, for example.

My advice to readers: Don't bother trying to overlay the TTPs in the report against public data on known actor groups. After spending way too much time down that rabbit hole, I recommend you do something more useful with your life. Plenty of the TTPs in the report are commonly used by ransomware gangs like Maze, but some of the same TTPs are used by state-backed actors like APT41. There is some nexus between the report's contents and public information about attacks on the Australian National University and the Defence Force Recruiting Network (DFRN) - both of which would have been investigated by the ACSC. The report also suggests the Blue Mockingbird botnet targeting ASP.NET apps has snared some Australian victims.

The ACSC report raises the bar for public sharing of threat intelligence out of a government body. It will be useful for retrospective threat hunting - but without knowing the context of which of the 50+ TTPs are related (i.e. which were used in the same attack) and who those attacks targeted, it arguably won't help to prioritise scarce defender resources.

Jailbreaks and leaks spoil Apple's week

Apple took a battering this week. First, Lorenzo Franceschi-Bicchierai at Vice Motherboard reported that a preview of Apple's next mobile operating system - iOS14 - is being openly traded online, some eight months in advance of its expected release.

Lily Hay Newman at Wired subsequently reported the release of a jailbreak for all versions of iOS from v11 through to the current version (13.5). The jailbreak abuses a previously undisclosed vulnerability in the operating systems.

These days a jailbreak is of interest to security researchers but is of limited value to users. The majority of iPhone users ran the latest major iOS update (v13) within a month of its release.

Secretive weapons system targeted in Mitsubishi attack

A mid-2019 attack on Japanese defence contractor Mitsubishi Electric aimed to steal the designs of hypersonic glide missiles, according to a report in Japanese news outlet Asahi Shimbun. You may recall that this attack reportedly exploited a zero-day vulnerability in Trend Micro antivirus software. In January, Mitsubishi acknowledged that the attack led to the compromise of more than 10 devices and theft of just 200MB of sensitive data.

Ransomware gang dumps Toll files: A ransomware gang is progressively leaking stolen files of Australian logistics giant Toll Holdings after the company refused to pay up. The attackers claim to have stolen 200GB of data from the company. Lucky for them their files are as boring as bus travel.

Banco de Costa Rica calls BS on Maze gang claims: The Maze ransomware gang published a small sample of the 4 million customer credit card numbers it claims to have stolen from the Bank of Costa Rica (BCR). BCR maintains that Maze never compromised its systems.

Republicans sue California's Governor to block mail-in voting: The Republican National Congress sued California Governor Gavin Newsom, seeking to block his use of an executive order to enable Californians to vote by mail in the November 2020 election.

Trump tweets labelled as misinformation: A Twitter algorithm applied misinformation warning labels to tweets posted by US President Donald Trump that disparaged mail-in voting. Readers were urged to 'get the facts on mail-in ballots' and directed to a fact-checking page.

Thai telco posts real-time user browsing data to the web: Thailand mobile carrier AIS exposed an ElasticSearch database of all user DNS requests and NetFlow data to the public internet for three weeks. The database - which contained 8 billion records and was adding 200m new rows a day while exposed - was finally locked down after a security researcher and journalist Zack Whittaker tipped off ThaiCERT.

ATM skimmers are a protected species in Mexico: A gang of Romanian cybercriminals running ATM skimmers in Mexico appear to have friends in high places.

EasyJet faces class action over breach: UK-based budget airline EasyJet faces a class action lawsuit after revealing that the personal details and itineraries of 9 million customers were stolen in an attack.


Correction: The original newsletter erroneously described Mitsubishi as Chinese! We apologise to Mitsubishi (and Japan, generally) for the brain explosion.