Exclusive: Sandworm's Exim hacks reveal wider Russian activity

The Risky Biz newsletter for June 16, 2020...

You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page.

EXCLUSIVE: Threat hunters study a shape-shifting Sandworm

Three indicators of compromise released in the NSA’s May 2020 advisory [pdf] on recent Sandworm activity reveal a lot more about Russia’s formidable military hacking teams than a one-off, opportunistic campaign to hack vulnerable Exim mail transfer agents (MTAs).

Threat hunters studying those IoCs have used them to identify a large amount of infrastructure that looks custom-made to conduct credential phishing attacks against email and social media accounts used in Western countries.

Sandworm - the GRU Main Center for Special Technologies Unit No. 74455 - is the military unit that turned out the lights out in Ukraine, unleashed a globally-destructive worm, destroyed systems and ran a false-flag operation at the Winter Olympics in South Korea and interfered with the 2017 French election. It’s not an actor typically associated with indiscriminate credential harvesting campaigns.

Dragos analyst Joe Slowik counted ~70 distinct domains, based only on running the three IoCs in the advisory and analysing the malicious bash script linked from the NSA’s document. He found many of the domains using free public tools like VirusTotal and passive DNS in his spare time. It looks like the folks at ThreatConnect are pulling at some of the same threads.

These Sandworm-linked operators appear to be setting up phishing sites in deeply-nested subdomains of compromised infrastructure. Slowik noted that while in 2018 and 2019 this phishing infrastructure was set up to target users of services like Russian social network VK and Bulgarian email service ABV, more recent campaigns target users of Google and Yahoo.

Slowik has since used the patterns of behaviour observed in these campaigns to hunt for additional, related and more recent infrastructure. While he can’t definitively attribute them to Sandworm, he found a large number of phishing campaigns targeting Office 365 and OneDrive users that use the same tradecraft.

At this point it’s difficult to pinpoint Russia’s motivations. Is it preparing to take over a large number of social media accounts for use in disinformation campaigns, for example, or is it simply harvesting credentials to sustain ongoing operations? In the context of a fractured United States that is only five months out from an election, the activity is foreboding. We’re interested to hear from other researchers that have gone down the NSA’s IoC rabbit hole.

Tech giants ask Congress to regulate facial recognition

IBM, Microsoft and Amazon have amplified calls for governments to regulate the use of facial recognition technologies by law enforcement agencies.

IBM announced June 8 that it “no longer offers general purpose facial recognition or analysis software” and asked lawmakers for a “national dialogue on whether and how facial recognition technology should be employed by domestic law enforcement agencies.” (Big Blue actually made that decision some time ago - Rebecca Heilweil at Vox Recode noted that IBM deprecated the ‘Detect Faces’ feature of its visual recognition API in September 2019.)

Shortly afterwards, Amazon announced it would stop selling facial recognition services to law enforcement agencies for one year, in the hope lawmakers use the 12 months to pursue regulatory reform. Microsoft - which started a conversation about the need for regulation in mid-2018 - reaffirmed its long-standing commitment to stop selling facial recognition tools to law enforcement agencies.

In response, Richard Grenell - who up until June was President Trump’s acting Director of National Intelligence - tweeted that the Federal Government should rip up all Microsoft contracts. We’re awfully glad he’s a nobody again right about now.

All eyes are now on Japanese giant NEC, reportedly the world’s largest provider of facial recognition tech. The company has expressed opposition to law enforcement using its technology to “persecute people for exercising their First Amendment rights”, but has made no commitment to discontinuing sales to law enforcement. NEC appears increasingly isolated. Even Axon, manufacturer of tasers and body cameras used by US law enforcement, opted against adding facial recognition capabilities to bodycam systems in mid-2019 after citing ethical concerns.

Chinese disinformation drive was big, loud and dumb

The People’s Republic of China (PRC) has again been sprung pushing out a disinformation campaign that failed to hit its mark.

Twitter has discovered and blocked 23,750 related accounts, most of which were registered in January 2020, that used a further 150,000 bot accounts in an attempt to amplify PRC propaganda to users in Hong Kong and the Chinese diaspora. Twitter attributed the campaign to the same PRC-backed actors behind the 1000 accounts the social network banned in August 2019.

Data from the campaign was provided to Stanford’s Internet Observatory and the Australian Strategic Policy Institute for additional analysis. ASPI said [pdf] the campaign aimed to “weaponise the US Government’s response to domestic protests and create the perception of a moral equivalence with the suppression of protests in Hong Kong.”

ASPI discovered that the same actors and campaign are active on Facebook. Researcher Elise Thomas told Risky.Biz that Facebook was informed, but as of publication the social media giant has only taken action on a subset of the accounts ASPI identified. Here’s one that is still active. Is it just me, or is Facebook a little on the slow side when it comes to snuffing this stuff out?

A six-month tango with an APT, without data loss? That’s an A1 story you got there, Wolfgang

Austria’s largest telco, A1, claims it managed to prevent a state-backed actor that was on its network for six months from accessing any customer data.

A1 was breached by an unknown entity in November 2019, in an attack the telco couldn’t fully remediate until May 22, 2020. A1 told tech news site Heise that the COVID crisis disrupted opportunities to remediate the breach any faster.

The extent of the breach is disputed. The agreed facts are that attackers gained initial access to a single workstation, pivoted to a server and gained administrative privileges, before dropping web shells in a few dozen locations across the network.

In A1’s version of events, the attack was detected just prior to Christmas, and a team of over 100 security specialists set about ring-fencing assets the attacker could access.

A1 chief security officer Wolfgang Schwabl told Austria’s public broadcaster ORF that such were the ninja-like skills of his blue team, the attacker (which already had admin credentials on several systems) didn’t notice that most of the network was obscured and was busy “making targeted SQL statements” - purportedly looking for a database of radio mast locations in Austria.

A separate version of events - as explained by an anonymous insider to an Austrian tech blogger - is that the telco was owned sideways, and that the attackers knew precisely what A1 client they were after.

In May, A1 completed a reset of all credentials on its network and is now confident the attacker has lost all access. Hokay then.

Zoom succumbs to Chinese censorship demands

Video conferencing juggernaut Zoom is again facing scrutiny after blocking a live Zoom event memorialising the Tiananmen Square massacre under the instruction of Chinese regulators.

Chinese state officials notified Zoom ahead of time that activists from mainland China planned to attend the online events. Zoom monitored the metadata associated with the call in real-time and switched off the event when a substantial number of users from mainland China connected. It also blocked the accounts of the event’s hosts, who were based in the US and Hong Kong.

Zoom now concedes it “fell short”, not because it participated in China’s censorship regime, but because it blocked non-Chinese users in the process. The company is developing features that “remove or block at the participant level based on geography”.

It’s a bad look. Ultimately, if Zoom doesn’t play at least some ball with the Chinese government, its entire service will be blocked within China. Regime control of the Chinese domestic internet is near complete.

Congress slams telco security oversight

The US Government exercised “minimal oversight” of Chinese telecommunications companies operating in America over the past 20 years, according to a report by a US Senate Committee, and in the process “undermined the safety of American communications and endangered our national security.”

The report found that a working group seconded from DoD, DoJ and Homeland Security to provide oversight of foreign-owned telecommunications providers (‘Team Telecom’) had only 3-5 staff at any given time, lacked statutory authority and “no formal, written processes for reviewing applications or monitoring compliance with security agreements.” The team only conducted physical audits of Chinese-owned telcos twice in the last ten years, despite widespread anxiety over how the PRC might influence their operations.

In April 2020 the Trump administration set up the EO Telecom Committee to replace ‘Team Telecom’. It’s made up of senior representatives from the same agencies, but this time with some standard processes.

US wants more eyes on FVEY allies

A FY21 intelligence appropriations bill before the US Senate asks the CIA and NSA to monitor and report on the use of Chinese network equipment in Five Eyes countries.

The report must include “an assessment of US intelligence sharing and intelligence and military force posture in any Five Eyes country that currently uses or intends to use telecommunications or cybersecurity equipment or services provided by a foreign adversary of the United States, including China and Russia.”

In related news, US Secretary of State Mike Pompeo told UK Prime Minister Boris Johnson that US suppliers will gladly sweep in and build nuclear power plants and 5G networks for the UK if China pulled out of these projects to protest against a Huawei ban. How heroic!

Let’s call it the Khashoggi bill

The aforementioned ‘Intelligence Authorizations Act’ also asks the US intelligence community to report to Congress on what commercially-available spyware is used by various governments. The bill recommends the use of export controls, diplomatic pressure and trade agreements as levers to pull to reign in rogue activity. NSO Group might need to invest in more well-connected lobbyists.

Six shady, shady reads:

  1. eBay security team charged: The former heads of eBay’s physical security and threat intelligence teams were charged with cyberstalking and witness tampering offences after they waged a bizarre and disturbing campaign of harassment against the authors of a newsletter critical of eBay practices. A criminal complaint accuses six members of eBay’s security team of sending everything from bloody pig masks, boxes of live insects and sympathy wreaths to the victims. They also sent the victims’ neighbours pornography - addressed to the victims. Four members of eBay’s team even flew interstate and attempted to break into the victims’ garage and plant tracking devices on their vehicles. The accused were reportedly instructed by eBay management to “take down” and “crush” the newsletter authors, and maybe took the advice a little too literally.
  2. Inside job costs Postbank US$58m: A malicious insider stole US$3.2m from South Africa’s Postbank after abusing access to a very important encryption key and using it to make 25,000 small, fraudulent transactions. Postbank must now spend US$58m replacing all the credit cards generated using the key. Ouch.
  3. Crypter authors sprung: ZDNet’s Catalin Cimpanu wrote about links between a malware crypting service, a seemingly legitimate source code protection service and the GULoader (malware) downloader. Shady. Expect arrests.
  4. Kingpin gets 25 years: Cryptographer-cum-crimelord Paul Le Roux was sentenced to 25 years in prison over drug sales, murders and other crimes. He wrote the code that eventually became TrueCrypt and some people believe he is Satoshi Nakamoto. Even if he’s not, expect a movie. He’s basically a real-life Bond villain.
  5. The wrong way to be forgotten: A convicted fraudster tried polite requests, bribes and eventually DDoS extortion to convince news outlets like the CBC and Sydney Morning Herald to take down stories about his shady past. He got himself five more years in the slammer instead.
  6. …but this scam takes the prize: Brian Krebs regales the story of Privnotes, a website set up to imitate ephemeral messaging service Privnote.com. Krebs was tipped off that any Bitcoin wallet address included in an ephemeral note on Privnotes was automatically substituted with the attackers’ Bitcoin address in the recipient’s inbox. It would then revert back to the original for the rest of the thread. Sneaky! Researcher Allison Dixon told Risky.Biz those ‘features’ were removed immediately after Krebs posted his story.

Shorts

Germany demands EU sanctions over Russian hacking

Germany is pressing its EU peers to impose sanctions on Russia over an APT28 attack on the Bundestag (German Parliament) in 2015, from which 16GB of data was stolen. Germany argues that the Bundestag network was so riddled with APT28 malware that it had to be taken offline and rebuilt, pushing the attack above the threshold for acceptable forms of espionage.

Overdue reminder: Congress wants answers on NetScreen fiasco

A group of 13 US lawmakers - all but one of them Democrats - demanded Juniper Networks finish its homework on how backdoors wound up in its NetScreen firewalls and VPNs back in 2015. Opponents of the EARN IT Act are seeking the information to demonstrate what can go wrong when governments pressure technology companies to include backdoors.

Maybe an NSO Group customer found cheaper spyware?

Citizen Lab and Amnesty International analysed spear phishing campaigns directed at nine prominent human rights activists involved in a protest movement in India. The latest attacks dropped the NetWire spyware - a RAT more typically used in Business Email Compromise scams. Curiously, three of the nine activists were previously attacked in campaigns that used NSO Group’s Pegasus malware. We’ll be talking about these campaigns in tomorrow’s episode of the Risky Business podcast.

WeTransfer banned in India

India’s Government instructed ISPs to block file sharing site WeTransfer, reportedly because the sender name can be spoofed. Risky.Biz can say with high confidence that something else must be afoot there, otherwise an infinite number of popular web services would also be banned.

Capital One appeals

The folks at Cyberscoop note that Capital One “asked a federal court to overturn” a decision that would compel the bank to hand over a forensic report into its 2019 data breach. We’ll keep you posted on that one.

Twitter warns: did you actually read the article?

Twitter is piloting a feature that prompts a user if they are about to retweet a link that they haven’t themselves clicked on yet, as a way to nudge users that are at-risk of sharing disinformation.

Enjoy this update? You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at editorial@risky.biz.

SUBSCRIBE NOW:
Risky Business main podcast feed:
Listen on Apple Podcasts Listen on Overcast Listen on Pocket Casts Listen on Spotify Subscribe with RSS
Our extra podcasts feed:
Listen on Apple Podcasts Listen on Overcast Listen on Pocket Casts Listen on Spotify Subscribe with RSS
Subscribe to our newsletters: