Another online voting system teardown, Big game hunters net Honda and Lion, and more...

The Risky Biz newsletter for June 9, 2020...

You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page.

Why governments hack for medical data

At the onset of the COVID-19 crisis, Risky Business predicted, and then tracked, an increase in cyber-enabled espionage against medical research institutions.

We’ve been doing a lot of thinking about why. The urgent search for vaccines and treatments for the coronavirus appears to be a globally organised, open and collaborative effort. Why do national governments feel compelled to hack research institutions to get the jump on progress? What national advantage does that information give them?

So over several weeks we’ve done a deep dive on pharmaceuticals and biotechnology. We’ve interviewed C-Level execs at multinational pharmaceutical companies, CSOs at medical research facilities, patent lawyers, academics and analysts. And we’ve discovered that geopolitics impacts the pharmaceutical supply chain in myriad ways and that information about the progress of medical research can be abused in competition between states.

We’ve summarised it all here:

Honda, Lion among big game snared this week

Ransomware attacks appear to have halted manufacturing at automobile giant Honda and at Australian beverage supplier Lion. We’re also aware of a suspected ransomware attack on a large New Zealand-based company which has some serious implications for the company’s ongoing operations. Stay tuned.

Online voting system knows too much, cares too little

Researchers have exposed gaps in the security and privacy design of another online voting system used in the United States.

Mike Specter (MIT, a co-author of a previous unauthorised teardown of Voatz) and J. Alex Halderman (University of Michigan) reverse-engineered Democracy Live’s OmniBallot Online client software. OmniBallot is slated for use in the Delaware and West Virginia primaries and in New Jersey for November’s Presidential election.

OmniBallot Online has no public privacy policy restricting the use of data it collects - a troubling oversight considering the app collects political preferences and can be used to uniquely fingerprint users. Curiously, the app sends user voting preferences to a central server even when a user chooses to print out a completed ballot to return by mail. (Maybe Democracy Live should commission an end-to-end security audit of its system as Voatz did.)

The researchers found that, like every online ballot-marking or ballot-return system, OmniBallot Online gives neither the voter nor the election office any way to detect votes altered on the client side (in the web browser, by malware or a malicious extension) before they reach the server. They repeated earlier warnings that online tools should be used only to distribute blank ballots, not to mark or return them.

Did Gapple arrive too late on contact tracing?

Contact tracing apps are unlikely to play a significant role in the global recovery from COVID-19.

Many of the countries that responded best to the coronavirus built contact tracing apps for populations that now need them the least, while in countries with the most to gain from using an exposure notification system, governments aren’t trusted to get it right.

This week, two of the countries worst hit by COVID-19 released contact tracing apps. Italy launched ‘Immuni’, a decentralised contact tracing app built off the Gapple Exposure Notification API, while France launched a centralised contact tracing app called StopCovid.

France and India also announced bug bounty programs to respond to concerns about the centralised processing of data collected by the apps. Both programs pay modest rewards (~US$2000 in France, ~US$4000 in India) for a high severity vulnerability.

In the US, a bipartisan group of lawmakers put forward a bill that’s designed to limit the use of data the apps collect, prohibit users from being compelled to use them and require user consent before tracking location data. Similar laws were enacted in Australia prior to the launch of COVIDSafe.

It looks unlikely - however - that Americans trust authorities enough to embrace digital contact tracing right now. The Care19 app developed in North Dakota was found to share user locations with third parties. It only picked up 30,000 users before the state announced the development of a second app based on Gapple’s exposure notification framework. Utah spent US$3 million on the ‘Healthy Together’ app, which was downloaded by a mere 45,000 users (2% of the population) in its first week.

Downloads of Australia’s COVIDSafe now appear to have topped out at 25% of the population (6.1m users), just as the country edges toward zero community transmissions of the virus. There haven’t been many opportunities for contact tracers to put it to the test.

Wanted: a “true and faithful” partner for China

A jilted China threatened to abandon construction projects in the United Kingdom - including work on nuclear power plants and a high-speed rail network - if the Johnson-led government pursues its plan to phase out Huawei networking equipment. Liu Xiaoming, China’s ambassador to the UK, said the Huawei decision was a “litmus test of whether Britain is a true and faithful partner of China.”

Chinese ambassadors previously threatened to cut imports of German automobiles if Germany excluded Huawei from its 5G networks.

The Chinese Communist Party - which influences all aspects of Chinese industry - can and often does follow through on threats. In the weeks since Australia led calls for an international investigation into the origins of COVID-19, China placed demonstrably unfair tariffs on Australian agricultural products and warned students enrolled in Australian universities to expect racist attacks if they return to their studies at the end of the crisis.

Australia tightens rules on foreign investment

Australia plans to apply a national security test against all foreign investment into Australian businesses, as it seeks to protect undervalued assets from foreign ownership. From 2021, Australia’s Foreign Investment Review Board will be asked to review any deal with ‘sensitive national security’ implications, such as those in telecommunications, technology, energy, transport and defence, and Australia’s Treasurer will have authority to impose conditions or block bids altogether.

Previously, investments in companies below an AU$275m threshold (or below $1.2 billion for signatories to free trade agreements) were not subject to review. Those thresholds were temporarily reduced to zero in the early stages of the COVID-19 crisis, following similar decisions in France, Spain, New Zealand, India, Canada and Sweden. Japan is mulling similar changes.

Introducing the new laws, Australia’s Treasurer expressed concerns that foreign investment is being used as a “tool to advance strategic objectives”.

NetWalker campaigns lock up universities

Ransomware-for-hire gang NetWalker must be doing business with somebody who popped some serious shells at American universities earlier this year. NetWalker malware was used in attacks on Michigan State University, Columbia College Chicago and the University of California San Francisco in the last fortnight alone.

Security researcher Troy Mursch noted that UCSF and MSU both exposed vulnerable Citrix NetScaler gateways up until mid-January 2020. We can’t be sure this is where these victims came unstuck, but it’s again worth checking whether you are vulnerable, or were compromised before you patched (attackers were planting backdoors on these gateways that survive the fix), using the open source tools listed in this advisory.

Aren’t you glad you patched that SMBGhost flaw?

Researchers have published proof-of-concept code that abuses the SMBGhost flaw (CVE-2020-0796), an integer overflow in the SMBv3.1.1 compression handling, to achieve remote code execution on Windows 10 devices. The PoC confirms what was feared in March: an unauthenticated attacker who can reach TCP 445 can use the bug to worm between unpatched Windows 10 1903/1909 and Windows Server 1903/1909 hosts, the only versions that ship SMBv3.1.1 compression. It was never likely to produce a WannaCry-scale event, because Windows 10 does not expose SMB to the network by default, but an internal network full of unpatched workstations is a different matter. Here’s Microsoft’s emergency patch, released back in March, in case you missed it; for hosts that can’t be patched yet, Microsoft’s interim workaround is to disable SMBv3 compression on the server side via the DisableCompression registry value.
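As an added example (not the published PoC and not Microsoft’s tooling), the check below asks a host to negotiate SMB 3.1.1 and reports whether it advertises a compression algorithm, the only configuration the bug affects. The fake_response helper is a constructed reply for offline illustration, not a capture; probe() talks to a real host over TCP 445. Caveat: an advertised compression algorithm shows the affected code path is reachable, not that the March patch is missing (the patch fixes the overflow without removing compression), so treat a hit as “confirm the patch level”; Microsoft’s DisableCompression workaround does stop the server advertising it.

```python
import socket
import struct
import uuid

SMB2_NEGOTIATE = 0x0000
DIALECT_311 = 0x0311
CTX_PREAUTH_INTEGRITY = 0x0001
CTX_COMPRESSION = 0x0003
COMPRESSION_NAMES = {0: "NONE", 1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman", 4: "Pattern_V1"}


def _pad8(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 8)


def _context(ctype: int, data: bytes) -> bytes:
    # SMB2 NEGOTIATE_CONTEXT: ContextType, DataLength, Reserved, Data
    return struct.pack("<HHI", ctype, len(data), 0) + data


def build_negotiate_request() -> bytes:
    """SMB2 NEGOTIATE offering 3.1.1 plus an LZNT1 compression context, as a 3.1.1 client would."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE,
                         1, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    dialects = [0x0202, 0x0210, 0x0300, 0x0302, DIALECT_311]
    ctx_offset = 64 + 36 + 2 * len(dialects)          # contexts follow the dialect list, 8-byte aligned
    ctx_offset += -ctx_offset % 8
    preauth = _context(CTX_PREAUTH_INTEGRITY, struct.pack("<HHH", 1, 32, 1) + b"\x00" * 32)
    compression = _context(CTX_COMPRESSION, struct.pack("<HHIH", 1, 0, 0, 1))   # one algorithm: LZNT1
    body = struct.pack("<HHHHI16sIHH", 36, len(dialects), 1, 0, 0, uuid.uuid4().bytes, ctx_offset, 2, 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    msg = _pad8(header + body) + _pad8(preauth) + compression
    return struct.pack(">I", len(msg)) + msg             # NetBIOS session header: type 0 + 3-byte length


def parse_negotiate_response(msg: bytes) -> dict:
    """Return the negotiated dialect and any compression algorithms the server advertised."""
    if msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    status, command = struct.unpack_from("<IH", msg, 8)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError("negotiate failed: status 0x%08x" % status)
    struct_size, _sec_mode, dialect, ctx_count = struct.unpack_from("<HHHH", msg, 64)
    if struct_size != 65:
        raise ValueError("bad NEGOTIATE response structure size %d" % struct_size)
    algorithms = []
    if dialect == DIALECT_311 and ctx_count:
        (off,) = struct.unpack_from("<I", msg, 64 + 60)  # NegotiateContextOffset, relative to SMB2 header
        for _ in range(ctx_count):
            ctype, dlen = struct.unpack_from("<HH", msg, off)
            data = msg[off + 8: off + 8 + dlen]
            if ctype == CTX_COMPRESSION:
                (count,) = struct.unpack_from("<H", data, 0)
                algorithms = list(struct.unpack_from("<%dH" % count, data, 8))  # after count, padding, flags
            off += 8 + dlen + (-dlen % 8)
    return {"dialect": dialect, "compression": algorithms}


def advertises_compression(info: dict) -> bool:
    """True when the host negotiated 3.1.1 and offered at least one real compression algorithm."""
    return info["dialect"] == DIALECT_311 and any(a != 0 for a in info["compression"])


def probe(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Send the request to a live host and parse the reply (needs network reachability to 445)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        (length,) = struct.unpack(">I", s.recv(4))
        length &= 0xFFFFFF
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return parse_negotiate_response(data)


def fake_response(dialect: int = DIALECT_311, algorithms=(1,)) -> bytes:
    """Constructed server reply (not a capture) shaped like an unmitigated Windows 10 1909 answer."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE,
                         1, 1, 0, 0, 0, 0, 0, b"\x00" * 16)
    ctxs = b""
    if dialect == DIALECT_311:
        preauth = _pad8(_context(CTX_PREAUTH_INTEGRITY, struct.pack("<HHH", 1, 32, 1) + b"\x00" * 32))
        comp = _context(CTX_COMPRESSION,
                        struct.pack("<HHI%dH" % len(algorithms), len(algorithms), 0, 0, *algorithms))
        ctxs = preauth + comp
    # 64-byte body; security blob of length 0 at offset 128, contexts start right after it
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, dialect, 2 if ctxs else 0, b"\x00" * 16,
                       0x2F, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 128 if ctxs else 0)
    return header + body + ctxs


if __name__ == "__main__":
    info = parse_negotiate_response(fake_response())
    names = [COMPRESSION_NAMES.get(a, hex(a)) for a in info["compression"]]
    print("dialect 0x%04x, compression %s, exposed: %s" % (info["dialect"], names, advertises_compression(info)))
```

Run probe("10.0.0.5") against a host you own to see the same dictionary for real; a patched host still reports LZNT1 unless DisableCompression is set, which is exactly why a scan result needs to be paired with the installed-update list rather than read as proof of exposure.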

Maze gang targets small aerospace contractors

The Maze ransomware gang breached Westech International, a Northrop Grumman subcontractor in the US Air Force’s Intercontinental Ballistic Missile program, and started leaking files and emails stolen in the attack. It also breached aircraft maintenance company VT San Antonio Aerospace and tried to hit the European operations of IT services firm Conduent. Meanwhile the DoppelPaymer gang breached NASA contractor Digital Management Inc. The skies aren’t even the limit.

Facebook follows Twitter on state-owned media

Facebook plans to designate on its platform whether a media outlet is ‘state-owned or controlled’ in an effort to educate users about influence operations, and will no longer accept ads booked by those outlets “wholly or partially under the editorial control” of a government. Twitter started banning ads from the same organisations back in August 2019. We’re guessing Facebook will manage to boot Xinhua and Russia Today while still doing business with the BBC or Australia’s ABC - the whole thing is going to be quite the policy dance.

Spotlight on social manipulation as US protests enter second week

Researchers are yet to find compelling evidence the protest movements in the US stemmed from coordinated misinformation campaigns. There is nonetheless evidence of covert campaigns designed to use the protests to amplify divisions in America.

US Presidential campaigns targeted by state-backed actors

Unsuccessful phishing attacks against the campaign staff of both US President Donald Trump and contender Joe Biden were detected and attributed to China’s APT31 (attacks on Biden) and Iran’s APT35 (attacks on Trump). Funny how this sort of news gets kicked to the bottom of a cybersecurity newsletter these days. It’s hardly ‘man bites dog’, is it?

Flawed UPnP is ripe for DDoS

A design flaw in the Universal Plug and Play (UPnP) protocol makes IoT devices easy to enlist in DDoS attacks. Research held back for months of vendor coordination shows that the SUBSCRIBE request’s CALLBACK header, which tells a device where to deliver event notifications, is honoured for any URL, including hosts on the internet, so a device exposing UPnP can be turned into a traffic reflector (or into a proxy for scanning the network behind it). Vendors are being urged to update their devices to the revised UPnP specification, which tells devices to reject delivery URLs outside the local network. Carnegie Mellon’s CERT/CC published IDS signatures to help defenders check for abuse.
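The check a device (or an inline filter in front of one) should be doing, as an added example rather than any vendor’s code or the CERT/CC signatures: parse the SUBSCRIBE request, pull every delivery URL out of CALLBACK, and refuse anything that is not an IP literal on the local segment. The two requests and the 192.168.1.0/24 “LAN” are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

CALLBACK_RE = re.compile(r"<([^>]+)>")   # CALLBACK carries one or more <url> tokens


def parse_request(raw: bytes):
    """Split a raw HTTP-style UPnP request into (method, target, {HEADER: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return method, target, headers


def vet_subscribe(raw: bytes, client_ip: str, local_nets) -> list:
    """Reasons to reject a SUBSCRIBE; an empty list means every delivery URL stays on the local segment."""
    method, _target, headers = parse_request(raw)
    if method != "SUBSCRIBE" or "SID" in headers:
        return []                      # not a new subscription (renewals carry SID and no CALLBACK)
    problems = []
    if headers.get("NT") != "upnp:event":
        problems.append("NT header must be upnp:event")
    urls = CALLBACK_RE.findall(headers.get("CALLBACK", ""))
    if not urls:
        problems.append("no CALLBACK delivery URL")
    client = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n, strict=False) for n in local_nets]
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "http":
            problems.append(f"{url}: delivery URL must be http://")
            continue
        try:
            host = ipaddress.ip_address(parts.hostname)
        except ValueError:
            problems.append(f"{url}: hostname rather than IP literal, cannot verify without DNS")
            continue
        if not any(host in net for net in nets):
            problems.append(f"{url}: callback host is off the local segment (reflection target)")
        elif host != client:
            problems.append(f"{url}: callback host differs from subscriber {client} (internal scan?)")
    return problems


# Constructed requests (not captured traffic); 192.168.1.0/24 plays the LAN, the rest is documentation space
LAN = ["192.168.1.0/24"]
LEGIT = (b"SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
         b"HOST: 192.168.1.1:1900\r\n"
         b"CALLBACK: <http://192.168.1.50:49152/notify>\r\n"
         b"NT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n")
ABUSE = (b"SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
         b"HOST: 192.168.1.1:1900\r\n"
         b"CALLBACK: <http://203.0.113.10:80/><http://198.51.100.5:443/>\r\n"
         b"NT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("abuse", ABUSE)):
        print(name, vet_subscribe(req, "192.168.1.50", LAN) or "ok")
```

The same function works as a detection rule over captured SUBSCRIBE requests: any non-empty result from a device on your network is either a misconfigured control point or someone lining the device up as a reflector.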

Your WordPress blog is actually very interesting

Opportunistic attackers attempted to download the configuration files of over 1.3 million WordPress sites between May 29 and 31, mostly by throwing old plugin and theme download and traversal bugs at sites in the hope of pulling wp-config.php, which holds the database credentials and the authentication salts. Check your logs for any request with wp-config.php in the path or query string that returned a 200 response code, and if one did, rotate the database password and the salts. If you’re running one of the 300,000 sites using bbPress for forums, that plugin is also worth an update.
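The log check above, as an added example that is not Wordfence’s or WordPress’s own tooling: it parses combined-format access log lines, flags every 200 whose request target mentions wp-config.php (including URL-encoded and backup-copy variants), and separates the ones that actually returned a body. The sample log lines are constructed and use documentation address ranges; a real run reads the file instead of SAMPLE_LOG.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed Apache/nginx combined-format lines (not real traffic)
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2020:02:14:11 +0000] "GET /wp-config.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2020:02:14:12 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../../wp-config.php HTTP/1.1" 200 3142 "-" "Mozilla/5.0"
198.51.100.23 - - [30/May/2020:03:01:44 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 512 "-" "curl/7.68.0"
192.0.2.9 - - [30/May/2020:04:22:09 +0000] "GET /index.php HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
198.51.100.23 - - [30/May/2020:04:22:10 +0000] "GET /wp-config.php~ HTTP/1.1" 200 3140 "-" "curl/7.68.0"
203.0.113.7 - - [31/May/2020:01:00:03 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# wp-config.php plus the editor/backup copies attackers also probe for, anywhere in path or query
CONFIG_RE = re.compile(r"wp-config\.php(\.bak|\.old|\.save|\.orig|\.swp|~)?", re.IGNORECASE)


def parse_line(line: str):
    """One combined-format line to a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["size"] = 0 if e["size"] == "-" else int(e["size"])
    return e


def find_config_hits(log_text: str) -> list:
    """Entries that referenced a wp-config variant in the request target and got a 200."""
    hits = []
    for e in map(parse_line, log_text.splitlines()):
        # decode %2E / %2F style encoding before matching so obfuscated requests are not missed
        if e and e["status"] == 200 and CONFIG_RE.search(unquote(e["target"])):
            hits.append(e)
    return hits


def likely_disclosures(hits: list) -> list:
    """The subset that returned a body. A bare 200 on /wp-config.php with 0 bytes is PHP executing the
    file and printing nothing; a non-empty body from a backup copy or a download/traversal parameter
    means the file contents probably left the server."""
    return [e for e in hits if e["size"] > 0]


def report(log_text: str) -> dict:
    hits = find_config_hits(log_text)
    disclosed = likely_disclosures(hits)
    by_ip = defaultdict(int)
    for e in hits:
        by_ip[e["ip"]] += 1
    return {"hits": len(hits), "likely_disclosed": len(disclosed),
            "sources": dict(by_ip), "rotate_credentials": bool(disclosed)}


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

A 200 with a zero-byte body is still worth a look (it tells you who is probing), but the rows with a body size are the ones that should trigger a credential rotation; grep for the same pattern in any CDN or WAF logs, since those may have answered before the origin saw the request.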

One dollar dirtbags

Australia’s largest bank discovered over 8000 examples of abusive messages hidden in the description fields of low value transactions.

Enjoy this update? You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at