Using Exploits to Steal Exploits Is as Old as Time

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by GreyNoise.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Google has discovered exploits developed by commercial spyware vendors being used by Russian government espionage groups.

Per Google's Threat Analysis Group (TAG): 

… TAG observed multiple in-the-wild exploit campaigns, between November 2023 and July 2024, delivered from a watering hole attack on Mongolian government websites…  We assess with moderate confidence the campaigns are linked to the Russian government-backed actor APT29. In each iteration of the watering hole campaigns, the attackers used exploits that were identical or strikingly similar to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group.

TAG does not know how these attackers acquired these exploits. However, by the time attackers used them, they had been patched and were no longer 0days.

Even though they were n-day exploits at the time, TAG pointed out they could still be effective when deployed at watering holes. If a watering hole brings in large numbers of visitors, then there will still be at least some potential victims running unpatched browsers.

The malware used in the campaigns was designed to steal browser authentication cookies for a range of online email providers so the attackers could access those accounts. 

The author of TAG's post, security researcher Clement Lecigne, told TechCrunch that based on the technical similarities between the exploits, they don't think the actor recreated them. Rather, he said Russian services may have bought or simply stolen them.

An NSO Group spokesperson told TechCrunch "NSO does not sell its products to Russia. Our technologies are sold exclusively to vetted U.S. & Israel-allied intelligence and law enforcement agencies."

And why buy when you can steal? There is a long history of hackers stealing exploits and tools directly from other hackers’ computers or via unauthorised access to research communities and mailing lists. Now states are mimicking this behaviour. 

For example, North Korean groups have been targeting security researchers working on vulnerability research and development. This is to take advantage of vulnerabilities the researchers discover before they are disclosed and patched.

States have also demonstrated they are motivated to take advantage of an in-depth understanding of offensive tools developed by other groups.

In 2018, the GRU (Russian military intelligence) attempted to disrupt the opening ceremony of the PyeongChang Winter Olympics with a destructive cyber operation. The malware used in this operation was deliberately constructed to make it look like a North Korean effort, including a data-wiping function that mimicked North Korean techniques.

And in 2019 the UK's NCSC reported that a Russia-based group called Turla (attributed to the Russian Federal Security Service or FSB) had developed such an in-depth understanding of Iranian cyber espionage infrastructure that it was able to hijack it to run its own campaigns. This required deep technical knowledge of and access to the Iranian tools, including relevant cryptographic key material and knowing enough about its control software to issue legitimate tasking.  

This type of activity isn’t limited to authoritarian states. In 2023 the US government carried out a disruption operation against Snake, malware Russia's FSB had been using for nearly two decades. From our description of the take down operation: 

According to court documents, the FBI and US intelligence agencies had been studying the malware and its inner workings for at least eight years, since 2015, ever since they found it on the networks of several US organisations.
Officials worked with the entities to watch how the Snake malware worked, its custom modules, how it established encrypted communications, and how it exfiltrated data from infected hosts.

The FBI used this in-depth understanding to get Snake malware to effectively 'eat itself'. It sent computers infected with Snake malware commands that resulted in it overwriting some of its own core components.

States have the motivation and the resources to develop an astoundingly in-depth understanding of malware used by other actors. And at times they'll take advantage of that knowledge.

A Diabolical Iranian Counterintelligence Program

Google's Mandiant has identified what appeared to be a long-term campaign run by the Iranian regime that attempted to identify individuals within the country who could be counterintelligence threats.

This is entirely different to the way Western security agencies operate. These agencies typically run insider threat detection programs that look inwards and focus on security culture, constant vetting, and auditing of internal systems. 

By contrast, this Iranian effort takes an outside-in approach and is the kind of broad based campaign a state can run when it is not worried about proportionality or entrapment. 

Mandiant says it has "high confidence the campaign was operated on behalf of the Iranian regime". It observed a weak overlap between this campaign and operations from APT42, an Iran-linked group that its analysts believe works for the Islamic Revolutionary Guard Corps' intelligence organisation.

The campaign started as early as 2017 and was still running in March 2024, per Mandiant:

The activity used multiple social media accounts to disseminate a network of over 35 fake recruiting websites containing extensive Farsi decoy content, including job offers and Israel-related lures, such as images of Israeli national symbols, hi-tech offices, and major city landmarks. Upon entry, the targeted users are required to enter their personal details as well as their professional and academic experience, which are subsequently sent to the attackers.  

[Figure: Attack lifecycle, source: Mandiant]

Mandiant says the campaign seeded links across multiple social media platforms such as X, formerly Twitter, and Virasty, a Twitter-like network commonly used in Iran. It described this as "cast[ing] a wide net" and says potential targets "may include Iranian dissidents, activists, human rights advocates, and Farsi speakers living in and outside Iran".

The fake websites Mandiant describes in the report target individuals affiliated with intelligence and security agencies. 

For example, one site says its goal is to "recruit employees and officers of Iran’s intelligence and security organisations" and that it is aimed at people with "relevant documented experience… in the field of information and cyber [security] in related institutions and organisations". 

There is evidence that Iranian intelligence agencies may have collaborated with allies in Syria and Lebanon on this. An earlier iteration of the campaign, from 2017 to 2022, targeted individuals affiliated with Syrian and Hezbollah security agencies. 

The fake recruitment websites include forms that ask for name, birth date, email, home address, education, and professional experience.

Mandiant notes the collected data "might be leveraged in future operations against the targeted individuals". Given the campaign ran over five years, the data has probably been used against people, probably in a coercive or punitive way. Grim.   

Three Reasons to Be Cheerful This Week:

  1. SBOMs coming to the US Army: The Army is putting in place rules requiring that vendors provide software bills of materials (SBOMs) in new contracts from early next year. Federal News Network says it took nearly two years of industry consultation to develop the SBOM rules. But SBOMs are a long-term project and the more adoption there is the more useful they will become.
  2. Goodbye to credit card numbers: Mastercard is expanding its efforts to replace credit card numbers with tokens for online transactions, and announced a pilot in India. The technology has been in development for a decade and Mastercard is now processing a billion transactions a week using it. The card provider is aiming for all online transactions in Europe to be tokenised by 2030. 
  3. SEC penalises Equiniti Trust Co. for losing client funds: The US Securities and Exchange Commission announced settled charges against Equiniti, formerly the American Stock Transfer and Trust Company, after it lost millions of dollars because of lax security. In one incident, according to the SEC, a thief was able to "create fake accounts that were automatically linked by American Stock Transfer to real client accounts based solely on the matching Social Security numbers, even though the names and other personal information associated with the fraudulent accounts did not match those of the legitimate accounts". The thief then sold securities held by legitimate accounts and transferred the funds to external bank accounts. 

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Andrew Morris, founder of security firm GreyNoise. Andrew introduces Plasma, a new GreyNoise product that can allow customers to deploy custom GreyNoise sensors anywhere they want—on perimeters, on internal networks, on DMZs, or anywhere else.

In this demo, Andrew Morris, GreyNoise founder and CEO demonstrates how people use the GreyNoise sensor network.

Shorts

When You Know You Know

Politico EU reports the new Prime Minister of the Netherlands, Dick Schoof, has told ministers they cannot have smart devices present during cabinet meetings. 

Previously, smartphones were only banned for certain security discussions. Schoof formerly ran the AIVD Dutch intelligence and security service. So he knows a thing or two about the risks.   

How Special Forces Hack

The U.S. Army describes how special forces used cyber capabilities in a training exercise:

During the exercise, the aforementioned ODA [Operational Detachment Alpha] team identified a target building and used a remote access device (RAD) to identify the networks coming from the facility. They were able to crack the WiFi password, enumerate the network, and run exploits on the target computer inside the building. This enabled the team to manipulate security cameras, door locks, and other security systems in the building. 

Fun. Some of the scenario is straight out of a Mission Impossible scene, but for some operations accessing security cameras seems both plausible and very useful. 

Holding A Mirror To Facial Recognition Technologies

The Record covers the story that US law enforcement are reluctant to use biometric face scans when providing security for National Football League (NFL) matches.

The NFL has a new league-wide policy requiring all stadium personnel, police and media to submit to face scans. These police concerns highlight that standards and practices surrounding use of the technology are not yet mature enough for regular people to have confidence in them.

Sextortion Continues To Plumb New Depths

Krebs On Security covers how sextortion scam emails are now personalised with the recipient's full name and a Google Street View picture of their house.  

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk to Alex Joske, author of a book about how the Chinese Ministry of State Security (MSS) has shaped Western perceptions of China. They discuss the MSS’s position in the Chinese bureaucracy, its increasing role in cyber espionage, its use of contractors and the PRC’s vulnerability disclosure laws.

From Risky Biz News:

White House recommends prioritising RPKI ROAs: The White House has published a roadmap this week with its top recommendations for improving the security of internet routing protocols.

The document [PDF] specifically looks at ways of improving the security of the Border Gateway Protocol (BGP), the technology responsible for directing internet traffic between different networks across the globe.

The White House started looking into BGP security in 2022 as part of a concerted US government effort to secure internet routing and prevent foreign actors from hijacking traffic from American networks using attacks known as BGP hijacks.

[more on Risky Business News, including the White House's recommendations and a description of the technology involved.]

US charges swatters who terrorised government officials: The US Department of Justice has charged a Romanian and a Serbian man for a years-long swatting campaign that terrorized US citizens, including multiple senior government officials.

Officials say a 26-year-old Romanian named Thomasz Szabo was the moderator of an online chatroom called "Shenanigans," where he planned swatting and fake bomb threats since December 2020.

Szabo allegedly worked closely with a 21-year-old from Serbia named Nemanja Radovanovic.

According to court documents [PDF], the two collected personal information on well-known figures and then called authorities to report shootings, kidnappings, or bombs at their homes, hoping for an armed police response that would scare or even harm the victims.

[more on Risky Business News]

Iranian APT moonlights as access broker and ransomware helper: An Iranian cyber contractor has been moonlighting as an initial access broker and providing support for ransomware gangs as a way to fill their personal coffers.

In a joint report published this week, CISA, the FBI, and the DOD's cybercrime division say that an Iranian group tracked as Pioneer Kitten (Fox Kitten, UNC757, Parasite, RUBIDIUM, Lemon Sandstorm) has created successful personas on the criminal underground where it sells access to the networks of hacked companies.

The group has operated using hacker names such as "Br0k3r" and "xplfinder" and has been observed selling access to affiliates for the AlphV, NoEscape, and RansomHouse ransomware operations.

US officials say this part of the group's activity is separate from their main operation, which is to conduct cyber espionage and hack-and-leak ops for the Tehran regime.

[more on Risky Business News]