When Regulation Encourages ISPs to Hack Their Customers

South Korean city at night, Stable Diffusion

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Rad Security.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.


KT, formerly Korea Telecom, has been accused of deliberately infecting 600,000 of its own customers with malware to reduce peer-to-peer file sharing traffic. This is a bizarre hack and a great case study of how government regulation has distorted the South Korean internet.  

South Korean media outlet JTBC reported last month that KT had infected customers who were using Korean cloud data storage services known as 'webhards' (web hard drives). The malware disabled the webhard software, caused files to disappear and sometimes crashed the affected computers.

JTBC news says the team involved "consisted of a 'malware development' section, a 'distribution and operation' section, and a 'wiretapping' section that looked at data sent and received by KT users in real time". Thirteen KT employees and contractors have been referred by the police for prosecution.

The company claims that the people involved in the webhard hack were a small group operating independently. It's quite a coincidence that they happened to invest so much time and effort into a caper that aligned so well with KT's financial interests!

The exact mechanism of compromise is not known. In South Korea, however, peer-to-peer file sharing is popular and is facilitated by webhard services. These services not only provide cloud storage but also facilitate BitTorrent transfers and host dedicated seed files, for example. 

Webhards rely on a BitTorrent-enabled 'Grid System' and it appears KT delivered malware to its subscribers through this Grid System. 

Internet regulation plays a role here. (Thanks to this YouTube video for highlighting this link). South Korea has a 'sender pays' model in which ISPs must pay for traffic they send to other ISPs, breaking the worldwide norm of 'settlement-free peering', voluntary arrangements whereby ISPs exchange traffic without cost.

The sender pays model is attractive because stakeholders such as governments and telecommunications operators would like internet giants such as Facebook, Google and Netflix to pay for telecommunications infrastructure. However, South Korea's rules have not yet extended as far as content providers. 

Even so, Carl Gahnberg, who has written papers on South Korea's sender pays interconnection rules, told Seriously Risky Business that "the bottom line is that it is very costly to operate data-intensive services in South Korea, and peer-to-peer solutions [like webhards] would be a workaround for that".

These rules strongly encourage ISPs not to host popular content. For example, prior to the enforcement of South Korea's sender pays rules, KT hosted a Facebook cache. The cache provided low-latency access to content for South Korean Facebook users via free peering arrangements with other large Korean ISPs. 

Once the sender pays rules were enforced, however, KT was left with large bills from its peer ISPs for the Facebook traffic sent from the cache in its network. KT tried to recoup costs from Facebook, but negotiations broke down and Facebook disabled the cache. South Korean users were instead routed over relatively expensive links to overseas caches with increased latency.

Facebook was fined USD$328,000 by the regulator KCC for disrupting its services, although this was subsequently overturned on appeal.

So although there are no official rules that content providers must pay network fees, there are unofficial mechanisms that encourage dealmaking. Streaming site Twitch pulled out of South Korea in February this year with its CEO saying it was "prohibitively expensive" to operate there. 

These sender pays rules may also encourage peer-to-peer file sharing relative to more centralised pirate content operations. South Korean TV piracy site Noonoo TV shut down last year citing "the outrageous traffic charge problem". 

An unnamed sales manager from a webhard company told TorrentFreak that torrent transfers saved them significant bandwidth costs, but as long as traffic flows between ISPs, someone will pay. KT is South Korea's largest broadband provider. Because it has the most customers, its network sends more peer-to-peer traffic to other ISPs than it receives, so under sender pays the net effect of file sharing is that KT pays fees to its competitor ISPs.

Ironically, KT won a court case in 2020 over its throttling of webhard traffic, but it's not clear why that wasn't sufficient for it to manage the demands of peer-to-peer traffic.

Either way, this is just a great example of where unusual regulation can produce unusual results. 

State-backed Hackers Drop Turds On the Way Out

A new report indicates state-backed cyber espionage groups are increasingly deploying ransomware when they're wrapping up their on-target operations.

In collaboration with Team T5 and Recorded Future, security firm SentinelOne took a look at two separate state-linked clusters of ransomware activity associated with suspected Chinese or North Korean APT activities.

It says one of these clusters, which it calls ChamelGang and describes as a "suspected Chinese APT", deployed CatB ransomware on the networks of the All India Institute of Medical Sciences (AIIMS), a major Indian healthcare institution, and the Presidency of Brazil (the Brazilian Federal Executive Branch).

Another cluster SentinelOne identified as regularly deploying ransomware has links to suspected Chinese and North Korean APT groups.

The report suggests a range of reasons why state-backed actors might want to deploy ransomware: for financial gain, disruption, distraction, misattribution or for removal of evidence.

Unfortunately, from the perspective of a poorly paid, freelance cyber espionage contracting company, many of these motivations are entirely logical. The I-SOON leaks from earlier this year show there is a tier of Chinese companies with a 'hack first, find a customer later' business model. If you are strapped for cash and aren't sure intelligence collection will pay off, why not deploy ransomware and increase your chances of a worthwhile payday?

From a state's point of view, although it might be nice to be able to masquerade as a common ransomware criminal, there is the possibility of unwanted escalation.

The 2022 attack on the All India Institute of Medical Sciences (AIIMS), for example, disrupted patient care and laboratory services. Delhi Police called it an act of "cyber terrorism". Fingers were fairly quickly pointed at China and a senior Indian politician described it as a potential "hostile cross-border attack". 

India-China relations are not good. In 2020 Indian and Chinese soldiers along the disputed Sino-Indian border fought in hand-to-hand combat resulting in scores of deaths. Given that background, Chinese operators deliberately destroying Indian healthcare IT systems is unfathomably stupid. 

Given the loose operational control of these types of contractors, and their poor pay, we don't expect change any time soon. 

Three Reasons to Be Cheerful This Week:

  1. 4,000 scammers detained: Interpol says that a global police operation in 61 countries targeting online scam networks has led to the arrest of nearly 4,000 suspects and the seizure of assets worth USD$257 million. Operation First Light also froze 6,745 bank accounts and identified over 14,000 possible suspects. 
  2. Cyber insurance works and is cheaper: A Sophos report into cyber insurance indicates it 'works', in the sense that it acts as both a 'carrot and stick' for security investments. Many organisations improve security to meet minimum requirements for insurance coverage. And another report from insurance group Howden says insurance pricing is down 15% from its peak. 
  3. Sanctions and stories sting spyware: CyberScoop reports the group behind Predator spyware has been far less active after being sanctioned by the Biden administration and being the subject of several investigative reports. Although they are not completely gone, these actions are at least having a measurable impact. 

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Jimmy Mesta, CTO and Co-Founder of Rad Security (formerly KSOC). Jimmy explains how Rad Security has replaced signature-based detections with a new concept the company calls "behavioral fingerprints" or "verified runtime fingerprints," which can detect malicious activity in cloud environments using a wider set of indicators.

The Wild World Of Cryptocurrency Kidnappings 

Wired has an eye-opening report into a particular gang's violent home invasions, burglaries and kidnappings carried out in an attempt to coerce victims to hand over cryptocurrency.

Amazingly, despite its extreme tactics the group had relatively little success. Per Wired:

In their first break-in, according to the prosecution's plea document, the group targeted the same victim from whom [gang member] Seemungal had already stolen more than $3 million via SIM swapping, seeking to steal another $500,000 in crypto that she had managed to retain. At 11:30 pm on September 12, 2022, [the gang's ringleader] St. Felix and at least one other member of the group, wearing masks and armed with handguns and a rifle, broke into the woman's living room by shattering a sliding glass door. After struggling with the victim and another member of her household who suffered from Parkinson's disease, they put the woman on her knees, held a gun to her head, and demanded the password to an account on the Gemini crypto exchange.
She refused to give up her password, and was, according to the prosecutors' description, so demoralised by the earlier hacking theft of the majority of her funds that she told the men to simply shoot her. Instead, they stole her engagement ring, two iPhones, a laptop, the charger for the neurostimulator used by the other member of the household as a treatment for Parkinson's disease, and whatever cash they could find, then left. 

Other acts of violence Wired reports also belong in a Coen brothers film. 

Indictment Of Russian Hacker Draws A Line 

The US Department of Justice has indicted Russian national Amin Timovich Stigal for conspiring with Russian military hackers to destroy Ukrainian computer systems. The DoJ points out that some of the targeted systems had "no military or defence-related roles" and "later targets included computer systems in countries that were providing support to Ukraine". 

The indictment appears to be an attempt to draw a distinction between destructive military hacking, which could be legal in a justified war, and the indiscriminate destruction of civilian systems.

TeamViewer Breach One To Watch

Remote management software TeamViewer says its corporate network was breached by Russian state-sponsored group Midnight Blizzard (aka APT29 or Cozy Bear and associated with Russia's SVR foreign intelligence service).

The impact so far appears limited to TeamViewer's corporate network and not its separate production network. However, in a breach of Microsoft corporate email systems last year, Midnight Blizzard attempted to gain access to customer systems by finding emails that contained customer secrets such as passwords, API keys or access tokens. 

Memory Safety a Long Term Project

CISA and other cyber security authorities have followed up their push for memory safe languages with a report on how widely such languages are actually used in critical open source projects.

The top-level takeaway is that right now there is a lot of memory-unsafe code around, and even notionally 'safe' projects often depend on code written in languages that aren't memory safe. 

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about why governments have failed to protect the private sector from state-backed cyber espionage.


From Risky Biz News:

Unauth RCE in OpenSSH—a scary combination of words

There's an unauthenticated remote code execution vulnerability in OpenSSH. We're all gonna d... Nah, I'm kidding! It's actually not as bad as that combination of words makes it seem.

The vulnerability was discovered and disclosed on Monday by security firm Qualys. It is tracked as CVE-2024-6387 and is also known under the name of regreSSHion.

It impacts all OpenSSH versions released since October 2020.

Qualys says the bug is a new version of an older 2006 vulnerability (CVE-2006-5051) after OpenSSH devs accidentally removed an older protection. Technically, all OpenSSH versions before 4.4p1 are also vulnerable to regreSSHion—but if you're using an OpenSSH version from 2006 and earlier, there's a special place in IT hell for you, and you deserve everything bad that's coming.
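A banner-triage script for regreSSHion, added here as an example (it is not Qualys's or the OpenSSH project's code). It parses an SSH server identification string, checks the upstream OpenSSH version against the affected ranges, and deliberately downgrades vendor builds to "possibly vulnerable" because distributions backport the fix without changing the banner (a patched Ubuntu host still announces 9.6p1). The exact version boundaries (affected below 4.4p1 and from 8.5p1 through 9.7p1, fixed in 9.8p1) are taken from the Qualys advisory and are not stated above; the sample banners are constructed, not captured from real hosts.

```python
"""Triage SSH banners against the OpenSSH releases affected by CVE-2024-6387.

Added example, not Qualys's or OpenSSH's code. Version boundaries are taken
from the Qualys advisory (assumption: the newsletter above only gives dates).
"""
import re
import socket
from typing import Optional, Tuple

# Upstream OpenSSH (major, minor) boundaries. Patch levels are ignored because
# every boundary release is a p1 and OpenBSD-native builds carry no 'p' suffix.
#   < 4.4          affected (the original CVE-2006-5051 bug)
#   4.4 .. 8.4     not affected (the protection is present)
#   8.5 .. 9.7     affected (the October 2020 regression)
#   9.8 and later  fixed
OLD_FIXED = (4, 4)
REGRESSED = (8, 5)
FIXED = (9, 8)

BANNER_RE = re.compile(
    r"^SSH-\d\.\d+-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:p(?P<patch>\d+))?(?P<rest>.*)$"
)


def parse_banner(banner: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, patch), vendor suffix) for an OpenSSH banner, else None."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    version = (int(m["major"]), int(m["minor"]), int(m["patch"] or 0))
    return version, m["rest"].strip()


def in_affected_range(major: int, minor: int) -> bool:
    """Range check on the upstream version number alone."""
    mm = (major, minor)
    return mm < OLD_FIXED or REGRESSED <= mm < FIXED


def assess(banner: str) -> dict:
    """Classify one banner. Never returns a flat 'vulnerable' for a vendor
    build: distributions backport fixes without bumping the banner string."""
    parsed = parse_banner(banner)
    if parsed is None:
        return {"banner": banner.strip(), "status": "unknown",
                "reason": "not an OpenSSH banner"}
    (major, minor, patch), suffix = parsed
    vstr = f"{major}.{minor}" + (f"p{patch}" if patch else "")
    result = {"banner": banner.strip(), "version": vstr}
    if not in_affected_range(major, minor):
        result.update(status="not affected",
                      reason="upstream version outside the affected ranges")
    elif suffix:
        result.update(status="possibly vulnerable",
                      reason=f"affected upstream version, but vendor build '{suffix}' "
                             "may carry a backported fix; confirm via the package changelog")
    else:
        result.update(status="likely vulnerable",
                      reason="affected upstream version with no vendor patch level visible")
    return result


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification line (RFC 4253 section 4.2) from a live host."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(256)
    lines = data.decode("utf-8", errors="replace").splitlines()
    return lines[0] if lines else ""


if __name__ == "__main__":
    # Constructed sample banners (not captured from real hosts).
    samples = [
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",  # patched Ubuntu keeps this banner
        "SSH-2.0-OpenSSH_9.7p1",
        "SSH-2.0-OpenSSH_9.8",
        "SSH-2.0-OpenSSH_7.4",
        "SSH-2.0-OpenSSH_4.3p2",
        "SSH-2.0-dropbear_2022.83",
    ]
    for b in samples:
        r = assess(b)
        print(f"{r['banner']:42s} {r['status']:20s} {r['reason']}")
```

Against a live host, feed fetch_banner(host) into assess(). Treat "possibly vulnerable" as a prompt to check the package changelog or the distribution's advisory tooling rather than as a finding, and remember that the opposite error exists too: a banner is self-reported and trivially spoofable, so "not affected" from this script is no substitute for patch verification on the host.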

[more on Risky Business News]

Crypto-heist numbers: Hackers have stolen more than $570 million worth of assets from crypto platforms in the second quarter of the year. According to blockchain security firm Immunefi, this brings the year's total to just over $920 million. Fraud accounted for only 1.5% of the stolen funds, while the rest was lost to platform hacks. This year's largest hack remains the $305 million heist of Japanese cryptocurrency trading platform DMM Bitcoin.

GUR hacks in Crimea: Ukraine's GUR military intelligence has launched a series of cyber operations that disrupted IT services across the Russian-occupied territory of Crimea. DDoS attacks targeted local ISPs, Russian propaganda sites, and the traffic control systems on the Kerch Bridge. The attacks took down internet connectivity and restricted car traffic on the Kerch Bridge. GUR also says it worked with an independent hacker group named BO_Team to attack Russian companies supporting the Kremlin's war in Ukraine. This included hack-and-leak attacks against Russian military equipment suppliers and DDoS attacks on Russian telcos.