One thing Microsoft could do to avert state-sponsored attacks

The Risky Biz newsletter for June 23, 2020...

You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page.

Australia fed up with Chinese espionage

The Australian Government has lost patience with the cyber shenanigans of its largest trading partner, prompting the Prime Minister to make it publicly known that government and industry are becoming more frequent targets of state-backed cyber espionage.

Prime Minister Scott Morrison told reporters that an unnamed state-based actor is engaged in a campaign targeting all levels of government and private sector entities. An accompanying set of indicators released by the Australian Cyber Security Centre left little doubt as to who is responsible for the attacks.

The PM didn’t call out China specifically or name their targets, avoiding any statement that would make it necessary for Chinese authorities to engage in the kind of ‘face-saving’ retaliations that hold up Australian exports at Chinese ports over “paperwork irregularities”.

In a far more subtle move, the ACSC released a summary of the actor’s tradecraft and technical indicators, which bear the fingerprints of the Chinese Ministry of State Security. The ACSC summary was further distributed by the NSA (retweeted) and the US National Counterintelligence and Security Centre.

China’s foreign minister denied responsibility and claimed the attribution was cooked up by defence think tank ASPI. ASPI’s Peter Jennings was among the first to blame China for the activity in media interviews immediately after the PM’s press conference - making APSI a convenient scapegoat. China saved face, and was able to blame the American defence sector - which helps to fund ASPI - for pushing sinophobic lies. Double win.

It was telling that the PM’s media event included Australia’s Defence Minister, Linda Reynolds - a signal to China that Australia views the increased activity as acts of military aggression.

Australia is in a tough spot. China buys around 40% of Australian exports. As a middle power, Australia lacks the leverage needed to rein in bad behaviour from its powerful “frenemy”, and usually relies on larger countries to enforce norms in the form of sanctions, indictments and extraditions. Sadly, Australia’s most steadfast partner on the rule of law is, at least temporarily, not entirely dependable.

In the absence of leverage, the Australian Government reportedly plans to achieve resilience by whacking businesses with the regulation stick. The Australian Financial Review reports that one proposed reform in the government’s imminent cyber security strategy is to hold companies to minimum security standards.

Opposition cyber security spokesman Tim Watts was quick to note the hypocrisy: a government that refuses to be transparent about its own security posture now wants to dictate a minimum bar for private sector entities.

“This would hold business to a higher standard than commonwealth entities who seemingly face no accountability for failing to comply with cyber security standards,” the MP tweeted. Watts ought to be worried - he’s likely to inherit those standards one day.

The proposal detailed in the AFR also asks private organisations to subsidise the cost of federal cyber security services - something of a socialist fantasy for an otherwise conservative government. Our sources suggest that while the government will pursue some light-touch regulations for operators of critical infrastructure, the policy won’t be nearly as crazy as the leak suggests.

MFA-bypassing Azure app phishing hits centre stage

Technical indicators released by the Australian Government on Friday reveal that state-backed actors are among the many attackers abusing OAuth apps to gain unauthorised access to cloud accounts.

OAuth phishing abuses user trust in third party apps created for productivity platforms like Office 365 and Google Apps. An attacker creates a malicious app that appears legitimate and convinces users (usually via a spear phishing email) to grant the app permission to access data in the user’s account.

The ACSC advisory noted that a state-backed actor (read: China) currently targeting Australian organisations “created a malicious Office 365 application, in addition to a suitable OAuth authorisation URL, to be sent to target users as part of a spear phishing link.”

A successful OAuth phishing attack typically needs to abuse the brand of a service the target user is familiar with - as the attacker must convince the user to enter their password and grant the app a set of permissions for what data it seeks to access.

The ACSC’s technical indicators included a top-level domain used to host this Office 365 token theft (mailguardonline[.]net) and an associated Azure App ID.

Based on the domain alone, it looks likely that a state-sponsored attack imitated MailGuard 365, an Azure app developed by an Australian software developer and Microsoft partner MailGuard, whose email filtering software is used extensively in all levels of government. (MailGuard CEO Craig McDonald - who is normally the media-friendly type, chose not to comment).

The fake app requested several user permissions: offline access, read access to user profile information, and the ability to read, move and delete emails. If successful, the attacker would have direct access to an email inbox, plus a trusted staging point from which to phish other targets.

OAuth phishing doesn’t run any malicious code run on the endpoint, so provides no signal for endpoint security software to detect. A malicious Azure app also provides an attacker persistent access to a user account, regardless of whether user access is protected by multifactor authentication or if they change their password. And once a user has granted access to the Azure app, there is no guarantee they’d know whether it is running. Consider a fake MailGuard 365 app, for example: most users expect email filtering to run in the background and wouldn’t think to check how it works. The only choke point that can weed out rogue apps are Cloud Access Service Brokers - and that’s where this story gets interesting.

Microsoft is in an awkward position. OAuth phishing is unaddressed in Office 365 because Microsoft sells a separate set of premium services that help large customers detect it. Since early May 2020, Microsoft has actively warned customers about what it calls ‘Illicit Consent Gains’ and published advice on how DFIR investigators can discover them after an attack. But if you’ve got the cash, Microsoft also offers a ‘behavioural analytics engine’ through which defenders can proactively audit and monitor for malicious Azure Apps. That feature is only available using Microsoft’s CASB product (‘Microsoft Cloud App Security’), which you only get with Microsoft’s top-tier ‘E5’ license. (You can buy the CASB product separately, but it’s so expensive that you may as well just stump up for the E5 license if you want it.)

Charging for a premium service would be all well and good if OAuth phishing was a theoretical security gap that could cause theoretical harm. But it clearly isn’t. This is a technique that attackers – especially those interested in espionage – are going wild with. The house is on fire and Microsoft is charging too much for the hose.

By default, Office 365 allows end users to enable Azure apps without the approval of administrators. Microsoft’s own documentation recommends admins change the default settings to switch off ‘User Consent to Integrated Apps’ for all Azure apps. Unfortunately that’s a blunt “all or nothing” option. When an administrator switches off ‘user consent’, the administrator must centrally manage all Azure apps from that point on. Risky.Biz has learned that Microsoft is changing the workflow for administrators that take this path to make the process more manageable.

If you consider the increasing frequency of OAuth token phishing, this change isn’t nearly enough. CIOs need to collectively lobby Microsoft into building security into its core services. Microsoft won’t risk the profits derived from E5 licenses unless buyers put its feet to the fire.

Hopefully this ACSC release will be the catalyst required to make that case. At the very least, ‘User Consent to Integrated Apps’ should be off by default.

Wait, did China hack the NSW Government?

Transport for NSW (TfNSW), the agency that runs public transit services in Australia’s most populous state, has managed twin crises over the last week: a ransomware attack, on the one hand, and media stories that erroneously linked that incident to the state-backed activity made public by the Australian Government.

Risky.Biz understands that a number of systems operated by TfNSW’s State Transit Authority bus service were compromised by ransomware actors. Initial access appears to (again) have been caused by a vulnerable Citrix NetScaler gateway. Thankfully, the bus services in question are that stone-age that they have little reliance on IT. No bus services were disrupted and affected systems are being restored.

The larger problem for TfNSW was the timing of the attack - journalists naturally conflated two breaking news stories and concluded that state-backed attackers were crawling the digital bowels of TfNSW in search of sensitive information, like whether the L190 Limited Stops to Palm Beach is running on time.

That said, something is definitely rotten in the systems of New South Wales. Phishing attacks. Ransomware attacks. Data centre outages. Big cyber cheques.

UK flips on contact tracing

The United Kingdom will abandon its centralised contact tracing app and develop a decentralised alternative based on the Apple and Google ‘Exposure Notification’ framework (‘Gapple API’).

It was a predictable outcome. Many countries ignored warnings that centralised contract tracing apps built without OS platform support would fail to perform. The NHS COVID-19 app piloted with 50,000 users on the Isle of Wight found that only 4% of contacts within the desired range were registered by the app. Australia’s COVIDSafe app, which next to Iceland has achieved the highest proportional takeup (25% of the population), faced similar issues. This week the ABC’s Ariel Bogle revealed that at launch, COVIDSafe didn’t perform much better. Third party testing commissioned by the government in late April found that two locked iPhones would only successfully exchange identifiers at somewhere between 0% and 25% of the time.

Note that 0% is a number between 0% and 25%.

Workarounds developed to overcome Apple’s platform restrictions have introduced myriad security and privacy issues. This week Australian researchers Jim Mussared and Alwen Tiu disclosed another privacy weakness in numerous contact tracing apps including Singapore’s TraceTogether, Australia’s COVIDSafe, Alberta (Canada’s) ABTraceTogether, India’s Aarogya Setu, Morocco’s Wiqaytna app and the UK’s now defunct NHS Covid-19 app. This time around a bug in Android clients provided an attacker long-lived tracking of users that come within 20m of their device. So far COVIDSafe, ABTraceTogether and Wiqaytna have updated their apps to close the gap. Singapore, India and the UK didn’t bother.

Amnesty International published an in-depth study into which contact tracing apps are most likely to compromise user privacy. The list of worst offenders is long, but you’ve really got to hand it to Qatar’s mandatory EHTERAZ app, which also managed to expose the personal data of over a million people.

Things appear to be going a little more smoothly for apps built with the Exposure Notification framework. Within one week, Germany’s Corona-Warn-App racked up 10.6m users (13% of the population), while Italy’s Immuni app attracted 3.3m users (5% of population). Both apps might be too late to make a big impact, but at least they didn’t trash user privacy in the process.

By comparison, France’s centralised app has been available for twice as long and was only embraced by 1.5m users (2% of the French population) among claims that it also doesn’t work correctly on iPhones.

Patch remote workforce systems with Automox

Managing and securing your remote computers during the COVID-19 crisis is the challenge de jour. Endpoint management is still harder than it should be, particularly when it comes to patching.

Risky.Biz associate Dmitri Alperovitch (“Associate” = he’s in our Slack) recently joined the board of endpoint management company Automox and suggested they’d make for a good newsletter sponsor.

Automox makes a cross-platform, cloud-managed endpoint management agent that’s capable of performing numerous management tasks for multi-OS endpoints, regardless of their location. But its patch management capability is what’s most appealing to buyers right now. Automox claims its platform can deliver critical patches within a single day across remote Windows, macOS, and Linux endpoints, as well as patching applications further up the stack.

With a substantial chunk of your workforce now working from home, this is the sort of software people are investing in right now. So, add Automox to the eval list.

Automox has published a guide [pdf] to securing a remote workforce that includes some survey data that’s worthy of your presentations to the higher-ups. But if you want to cut right to the chase, click through to the pricing page to see a feature list and the pricing tiers and read up on their free trial.

This newsletter will be running sponsored items like this from here on out. If you can think of tech or services worth promoting to Risky.Biz readers, let us know!

Permabugs in network stack to plague ICS for years

Security teams in multiple industries had a gruelling week trying to identify whether any of their internet-connected devices run a widely deployed code library called Treck. Treck is used in devices by dozens of companies including Braun (medical devices), Caterpillar, Schneider Electric and Rockwell Automation. It also contains numerous remotely-exploitable vulnerabilities. Many of the devices that run this software will be remotely-deployed and unpatchable, and the 10/10 CVSS bugs in the Treck code can be exploited when the device’s IP stack parses a single malicious packet. We’ll likely be talking about them for years to come.

DNS service for US Defence Industrial Base

Cyberscoop reports that the US National Security Agency (NSA) is sponsoring the pilot of a DNS resolution and filtering service for US Defence Contractors. If successful, the program would allow the DoD greater assurance when working with smaller defence suppliers.

BlueLeaks exposes US law enforcement files

Several hundred thousand documents shared by law enforcement agencies in an online ‘fusion center’ have been leaked and archived in unredacted form for public consumption. Brain Krebs confirmed that the ‘BlueLeaks’ material stems from the breach of NetSential, a small US hosting company. It includes 269GB documents from over 200 law enforcement agencies dating back over 20 years.

China’s QKD breakthrough

Chinese scientists claim to have transmitted simultaneous streams of entangled photons from a satellite to two separate ground stations to establish a secure connection that doesn’t rely on the satellite acting as a relay. Practical quantum key distribution isn’t looking so far off.

The law catches up to American crims

A 29-year old US man was charged with stealing 65,000 employee records from the University of Pittsburgh Medical Center some six years ago, and selling the ‘fullz’ to tax fraud scammers on the ‘Evolution’ dark market. Scammers used at least 1300 of these records to file fraudulent tax returns, costing the American taxpayer US$1.7 million. Meanwhile in Arkansas, a 60-year man was sentenced to 18 months prison and fined US$800,000 for burning down the network of his former employer a few months after he left the company. It appears that his admin credentials weren’t revoked in a timely manner.

Oracle’s fingerprints are all over this breach

Zach Whittaker at TechCrunch wrote a tome about a database containing billions of records collected by Oracle’s ‘BlueKai’ advertising tech that was left exposed on an internet-facing server. BlueKai is used by marketers to fingerprint and track web browsing activity. Do we file this under ‘negligence’ or is Oracle’s disregard for your privacy part of its business model?

Booter takedowns aren’t working

Takedowns of ‘booter’ or ‘stresser’ services don’t appear to dampen DDoS activity, according to Dutch and German academics. Their study found that if the number of vulnerable systems used in reflective DDoS attacks remain stable, the number of Booter services abusing them is largely irrelevant.

Webex to Zoom: Hold my beer

Cisco has patched two high severity bugs in its WebEx video conferencing desktop apps. They allow an unauthenticated, remote attacker to execute arbitrary code on a target’s device if they can trick them into clicking a link.

A former member of Maersk’s infosec team has written up an insider’s view of the lead-up and aftermath of the NotPetya attack. Settle in, it’s a long one.

Enjoy this update? You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at