UK's Investigatory Powers Proposal: Don't Believe the Hype

PLUS: More on China's Barracuda Exploitation. A Lot More.

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by the Cyber Initiative at the Hewlett Foundation and this week's edition is brought to you by Stairwell.

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Apple Podcasts:

A spy in Westminster, Stable Diffusion

Fears that proposed amendments to the UK's Investigatory Powers Act will prevent vendors from issuing software updates are overblown.

Early last month the UK government opened a consultation period on proposed changes to its Investigatory Powers Act (IPA), the legislation that governs law enforcement and intelligence agencies’ use of intrusive investigatory powers such as telco-mediated lawful interception.

The IPA has been in force since 2016 when it combined existing statutory powers granted to UK authorities into a single piece of legislation. It also strengthened approval and oversight processes, with use of the most intrusive powers requiring a 'double-lock' approval from a government minister and an independent judicial commissioner.

One of the proposed changes to the IPA is that telecommunications operators be required to notify the Secretary of State of planned changes to their services that could negatively impact investigatory powers. (Telecommunications operators include anyone providing a telecommunications service in the UK, including apps like WhatsApp and Signal.) Per the consultation document:

This would be intended to facilitate early engagement between operators and the government so that, where necessary, appropriate steps can be taken in good time to ensure that any negative impact on investigatory powers is fully considered, and so that we can ensure continuity of lawful access to data against a background of changing technology.

Some commentators have suggested that this forewarning could be combined with other coercive IPA powers to stymie security updates to messaging apps. The IPA already contains powerful provisions for the government to issue various notices that can compel operators to take particular actions. Probably the most extreme, National Security Notices (NSNs), require operators to do anything that the Secretary of State considers "necessary in the interests of national security".

Another proposed change to the IPA is to strengthen its extraterritorial provisions to make it clearer that overseas operators offering services in the UK cannot avoid obligations by using complex corporate structures.

Commenting on the proposed new provisions in Just Security, Ioannis Kouvakas, Senior Legal Officer at Privacy International, writes:

While the proposal does not specify what technical changes would require notification, these may include changes in the architecture of software that would interfere with the U.K.’s current surveillance powers. As a result, an operator of a messaging service wishing to introduce an advanced security feature would now have to first let the Home Office know in advance. Device manufacturers would likely also have to notify the government before making available important security updates that fix known vulnerabilities and keep devices secure. Accordingly, the Secretary of State, upon receiving such an advance notice, could now request operators to, for instance, abstain from patching security gaps to allow the government to maintain access for surveillance purposes.

Kouvakas thinks that the extraterritorial provisions could breach international human rights. Stopping security updates worldwide, for example, might not be necessary or proportionate, he says.

Kouvakas is stretching here. For a start, one of the goals of the IPA is to ensure that intrusive powers are used proportionately and only when necessary. The safeguards here include the previously mentioned double-lock approval process and an independent commissioner who oversees operation of the Act.

Speaking of the proposed notification obligation, the consultation document states "we fully acknowledge the need for strong safeguards that deliver the IPA's fundamental principle of necessity and proportionality". It continues:

…we intend to develop a series of thresholds that would also trigger the notification requirement, for example, if a technical change could substantively impact existing IPA capabilities or the availability of communications and communications related data for a certain number of users or a certain percentage of the market. We welcome comments from respondents on this approach, including potential thresholds.

The thresholds cited here look to be much more about big-picture architectural changes like the rollout of end-to-end encryption or switching from SMS to RCS, rather than the minutiae of security updates that are rolled out all the time. How would service providers know beforehand which security updates fix vulnerabilities that the government is currently exploiting? And how would they know whether that crossed any kind of threshold in terms of the number of affected users?

We think a more likely scenario is that a notification from a telecommunications operator about a significant upcoming change results in a back and forth discussion with the UK government about the implications for investigatory capabilities. This could ultimately result in some response that tries to maintain capability, such as an IPA Technical Capability Notice that requires the development of something that would allow the UK government to maintain the access it needs.

The proposed changes to the IPA are not about halting security patches—they’re about being better prepared for the future when an operator plans to flip an important switch.

More on China's Barracuda Exploitation. A Lot More.

Mandiant has published more details about a "Chinese-nexus" espionage group that engaged in an extensive campaign that compromised Barracuda Email Security Gateways (ESG). Back in June we described this campaign as "just plain rude":

The polite thing to do when your APT operation is discovered by your adversaries is to pack up, go home, and ready your next campaign. What you shouldn't do is escalate in response to discovery, dig in, and turn thousands of expensive email gateway appliances into boat anchors.

But this is exactly what a Chinese APT group did in response to one of its recent campaigns being rumbled.

Mandiant thought the group, which it called UNC4841, was engaged in fairly targeted espionage and was prepared from the get-go to dig in when it was discovered.

The report provides an exhaustive timeline of the group's Barracuda exploitation activity in a nice chart (below) that plots group activity and the cumulative number of victims compromised over time. The chart illustrates that once Barracuda discovered the campaign and issued remediation advice, there was a lot of activity from UNC4841, but not many new victims were compromised.

This activity involved maintaining access by deploying additional malware or moving laterally. In its first post describing this campaign, Mandiant detailed various persistence mechanisms used by UNC4841. This new report describes a "second wave" of new malware families also used in an attempt to maintain persistence.

Despite this, the campaign was relatively targeted and Mandiant thinks only about 5% of Barracuda ESGs worldwide were compromised. And, Mandiant says, additional malware to maintain persistence was deployed on only a small percentage of these compromised devices. For example, the most broadly deployed malware families in this second wave, which Mandiant calls SKIPJACK and DEPTHCHARGE, were only deployed to 5.8% and 2.64% of compromised ESG devices respectively.

Mandiant thinks that the speed of malware deployment and the number of different varieties used indicates UNC4841 expected to be caught at some point and had prepared tooling in advance to dig into high-value targets when that happened.

The cyber security firm also expands on the group's targeting:

A deeper examination of identified affected organisations showed a recurring targeting of sectors that are key to global governments maintaining a competitive technological and economic edge in the face of impending strategic state deadlines. Entities were observed within the semiconductor, public health, aerospace, artificial intelligence/autonomous vehicles, and rare earth metal production sectors. Further, religious based organisations were impacted by UNC4841 campaigns. A cluster of organisations with mission-based aid or stated evangelical missions that impact China (and Chinese claimed geographies such as Hong Kong and Taiwan) were observed being targeted with the initial stages of malware utilised by this threat actor. Unlike numerous impacted organisations that align with traditional espionage requirements, these entities only received early stage implants such as SALTWATER, SEASPY, and SEASIDE. This may suggest a lower priority among UNC4841 collection requirements with evidence of deeper compromise, persistence, and exfiltration being observed among entities aligning with more conventional geopolitical, defence, and technology related mandates.

Overall, Mandiant notes it has observed higher level trends in Chinese cyber espionage "toward more purposeful, stealthy, and effective operations that avoid detection and complicate attribution."

Listen to Patrick Gray and Tom Uren discuss this edition of the newsletter in the Seriously Risky Business podcast:

Three Reasons to be Cheerful this Week:

  1. FBI dismantles Qakbot botnet: The FBI announced that it had disrupted the Qakbot malware botnet in a "multinational cyber takedown". Qakbot had facilitated ransomware attacks that caused hundreds of millions of dollars in losses and the FBI had identified over 700,000 infected computers worldwide. The operation redirected Qakbot traffic to FBI-controlled servers that instructed infected computers to uninstall the malware. Further coverage at Risky Business News.
  2. WebDetetive spyware taken down: Hackers claim to have breached Portuguese-language spyware WebDetetive and removed the spyware from victim devices. The hackers also said they had downloaded data about those who had paid for the spyware and shared that data with leak archive site DDoSecrets. WebDetetive was used extensively in Brazil and had been used to compromise more than 76,000 Android phones.
  3. US FedGov Vulnerability Disclosure Program Works: CISA says that its Vulnerability Disclosure Program (VDP) platform is being used by 40 federal civilian agencies. These agencies have collectively received over 1,300 valid reports, over 1,100 of which have been remediated. The platform provides a common interface for vulnerability reports across agencies.

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Chris St. Myers, Threat Intelligence Lead at Stairwell, on how the company's Inception platform can be used to find old or new threats that might otherwise go unnoticed.

And in this video Stairwell's Mike Wiacek demonstrates Stairwell's file analysis and threat detection platform to Risky Business host Patrick Gray. Stairwell helps you monitor and analyse every executable file in your organisation, automatically collecting crucial intelligence and providing your security team with in-depth visibility and detections.

Meta Removes Largest Influence Campaign

Meta announced that it had taken down a large Chinese influence campaign that the company described as the "largest known cross-platform covert influence operation". It involved over 7,700 Facebook accounts and at least USD$3,500 in advertising spending.

Size did not translate into reach, though. Meta's quarterly Adversarial Threat Report says that "despite the very large number of accounts and platforms it used, Spamouflage consistently struggled to reach beyond its own (fake) echo chamber."

UN Treaty on Cybercrime

UN negotiations for a cybercrime treaty are continuing in New York this week. US negotiators are hoping for an agreement that represents an advance on the Budapest Convention, which has been ratified by only 50 countries, and not by China, Russia, India or Brazil.

Human rights and civil liberties groups are concerned that the treaty may be used for surveillance and repression. It is a worry as that is exactly the sort of treaty that China and Russia would like.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our last "Between Two Nerds" discussion, Tom Uren and The Grugq look at how asset inventory tools aren’t a substitute for knowing what a business values.

From Risky Biz News:

WinRAR 0-day used to hack stock and crypto traders: Hackers have used a zero-day vulnerability in the WinRAR file compression utility to install malware on user devices and steal funds from stock and cryptocurrency trading accounts.

The 0-day was discovered by security researchers from Group-IB, who spotted the attacks while investigating a DarkMe malware campaign. Researchers tracked the earliest exploits to April this year.

All the attacks appear to have been focused on the brokerage and crypto-trading communities, with booby-trapped ZIP files uploaded on eight popular forums.

[more on Risky Business News]

Malware found on Rust's Crates repository: Seven malicious packages have been found and removed from Crates, the official package repository for the Rust programming language, marking the second time malware has been found on the portal. [This is the first known incident, if anyone's curious.]

The packages were discovered by DevSecOps company Phylum, which described them as showing "the hallmarks of early preparations for a broader campaign."

[more on Risky Business News]

Incident disrupts Polish railway: Suspected Russian saboteurs have disrupted the services of Poland's national railway system. Officials say the attackers broadcast an emergency stop signal on a frequency used by the country's train system. The signal caused around 20 trains to come to an emergency stop for a few hours near Szczecin, a port city near the German border. Officials say the emergency signal was mixed with Russia's national anthem and a speech by President Vladimir Putin. [Additional coverage in the BBC]