Sanctions abound, but the hacks keep coming

The Risky Biz newsletter for August 4, 2020...

You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page.

TikTok review reduced to meaningless farce

Donald Trump’s personal involvement in threats to ban TikTok is distracting from any legitimate national security concerns the video sharing app might present to the United States.

What started as some half-hearted sabre rattling after he was thoroughly punk’d by TikTok teens at his Tulsa rally in late June has spiralled into a theatre of the absurd.

We have written a feature all about the ban and you can read it on Risky.Biz.

EU sanctions Russian, Chinese and North Korean hackers

The European Union Council has imposed its first ever sanctions in response to malicious cyber activity.

The Council voted to freeze any European assets and ban EU travel for six individuals and three institutions associated with the NotPetya, WannaCry and CloudHopper cyber attacks, as well as the GRU officers that attacked the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands.

EU sanctions against the Chinese, North Korean and Russian entities were first flagged by Radio Free Europe last week in a report that foreshadowed all but the OPCW-related sanctions.

Most of the individuals and groups affected are already the subject of US sanctions and indictments and unlikely to be booking holidays in the Mediterranean anytime soon. The EU’s decision is significant, however, in the context of building global coalitions against the use of destructive malware, theft of intellectual property and state-sponsored cybercrime.

Sanctions against Russia included:

  • A specific GRU unit: the Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, aka Unit 74455 or ‘Sandworm’. Authorities in Australia [pdf], Canada, New Zealand, United States and the United Kingdom blamed this GRU unit for the 2017 ‘NotPetya’ attacks, which cost victims a cumulative US$10 billion.
  • Four GRU officers: Alexey Valeryevich Minin, Aleksei Sergeyvich Morenets, Evgenii Mikhaylovich Serebriakov and Oleg Mikhaylovich Sotnikov. All four were previously added to the US sanctions list in December 2018.

Sanctions against North Korea included:

  • Chosun Expo, which was outed in a 2018 US indictment as a front company for North Korea’s offensive hacking unit (Lazarus Group). It was blamed for the ‘WannaCry’ ransom-worm, SWIFT heists against Bangladesh Bank and Vietnam’s Tien Phong Bank, the destructive malware attack on Sony Pictures Entertainment and the watering hole attack on the Polish Financial Supervision Authority, which very specifically targeted European interests.

Sanctions against China included:

  • Tianjin Huaying Haitai Science and Technology Development Co. Ltd., long accused of being sponsored by the Chinese Ministry of State Security to conduct espionage. It was blamed for the decade-long ‘CloudHopper’ campaign of IP theft that compromised targets by attacking their managed IT service providers.
  • Two employees of Huaying Haiti: Zhang Shilong and Gao Qiang, both previously doxed as MSS operatives by the Intrusion Truth blog.

The EU chose not to sanction specific individuals working for Chosun Expo, whereas the US put one face to the name. And while Zhang Shilong was named by both the EU and the United States, they each indicted a different accomplice (Gao Qiang in the EU, Zhu Hua in the US). If you’re clued in on why these details vary, we’d love to hear from you.

US to make a man of the skid that hacked Twitter

US authorities have arrested a 17-year old from Tampa, Florida for hacking Twitter in July, and announced charges against two of his young accomplices for helping him profit from it.

In an attack that started as early as May 3, recent High School graduate Graham Clark is alleged to have tricked Twitter employees into providing him access to the social network’s internal systems.

Several months later, on July 15, Clark was alleged to have pretended to be a Twitter employee, telling other users on the OGUsers channel of Discord that he could provide access to any Twitter account for a fee, and demonstrating that he could reset the email address and security settings for Twitter accounts from the company’s administrative panel. The charge sheet claims that he initially sold access to several accounts through two brokers, both of whom were also charged, earning him US$33k and one of his associates US$7k.

From there, 130 accounts were compromised and 45 were abused in a bitcoin scam that reaped a further US$117,000.

Authorities did not release the details of how Clark was identified as the culprit. Recent news stories suggest he was known to law enforcement.

His two associates, Mason Sheppard (19) of Bognor Regis, UK and Nima Fazeli (22) of Orlando, Florida, were identified when investigators checked their OGUsers forum handles against a copy of the OGUsers database stolen in May 2020. That database, which the FBI had conveniently hoovered up from a rival site, listed IP addresses and email addresses for every handle on the forum. Sheppard and Fazeli had also re-used the same Bitcoin addresses in the Twitter scam as they’d previously used to receive payments on OGUsers. Both registered for their respective Bitcoin addresses with Coinbase using their driver’s licenses for identification. Detectives didn’t have to work that hard.

The investigation utilised the resources of the FBI, the US Secret Service, Internal Revenue Services, and local law enforcement in both California and Florida.

The Sheppard indictment mentions a fourth person of interest: a minor from California that also helped sell access to stolen accounts and has been interviewed by law enforcement. Hillsborough state attorney Andrew Warren told reporters that investigations are continuing.

Authorities are throwing the book at Clark, charging him on 30 felony counts including hacking, identity theft and communications fraud. Federal authorities deemed it appropriate he be tried in Florida because under Florida state law, a minor can be tried as an adult for serious financial fraud, whereas under Federal law a minor can only be treated as an adult for violent crimes.

A new chapter in Russia’s active measures playbook

There are fears that disruptive information operations Russia waged in Eastern Europe could be a practice run for future campaigns against the US and UK.

Mandiant’s threat intelligence team pieced together a coordinated disinformation operation [pdf] directed at audiences in Lithuania, Latvia and Poland in which anti-NATO narratives were injected into the news cycle through the hacking of news websites and use of spoofing in forged emails sent to journalists.

Analysts identified over 20 examples of Russia-aligned actors hacking into content management systems to modify news content. Attackers either published fake news articles [pdf] on the hacked sites, or added inflammatory quotes or paragraphs of text within existing stories. Mandiant analysts linked the hacking campaign to a broader set of doctored images and falsified email correspondence from military and political figures that were sent to journalists. The consistent theme across all activities was that the presence of NATO and US troops was a burden, if not dangerous, for local populations.

The analysis didn’t rely on a forensic examination of the compromised systems or spoofed emails, and didn’t attribute the activity to a specific agency or actor group. It was described as an “activity set” called “Ghostwriter, and made distinct from Russia’s Secondary Infektion disinformation campaign on social media, which first exposed [pdf] by the Atlantic Council’s DFRLab and definitively catalogued by Graphica in June 2020.

FireEye Intelligence Analysis lead John Hultquist told Risky.Biz that Russian agencies tend to act most aggressively and experiment with new tools and techniques in Eastern Europe before using them in campaigns against Western targets. For example, the first information operation attributed to APT28 (Fancy Bear/Sofacy), the agency accused of hacking the DNC to disrupt the 2016 US Election, targeted Poland and was also connected to a NATO exercise.

As if the United States didn’t have enough domestic misinformation campaigns to worry about already.

If there’s one issue 100% of IT shops struggle with, it’s getting consistent, timely patching across all of your endpoints.

Our newsletter sponsor Automox obsesses over making patch management easier. This refreshed technical guide [pdf] tells you exactly how it’s done: with lightweight agents on every endpoint (Windows, Mac, Linux) that can be administered from an AWS-hosted management panel. That document is a rare thing in infosec – it actually tells you what the product is and how it works.

Updates can automatically be fetched from the Automox cloud or your own local server according to simple policies, or you can write custom rules for each OS and application. It comes with all the reporting you’d expect out of the box, plus there is an API for third-party reporting tools.

Take a look and drop us a line with any feedback.

How to pay a ransom to a sanctioned entity

It looks very likely that Garmin paid some or all of the US$10m ransom sought by Evil Corp to decrypt files locked up in a recent ransomware attack. In a groundbreaking piece of reporting, Lawrence Abrams at Bleeping Computer demonstrated that Garmin was using a WastedLocker decryptor to unlock devices, before sources told Sky News that the ransom was paid through an incident response firm, Arete IR.

It’s worth noting that Arete published a blog post [pdf] on July 24 – two days after Garmin staff uploaded a WastedLocker sample to VirusTotal – that argued it had insufficient proof WastedLocker campaigns were managed by the same sanctioned entity (Evil Corp) that created Dridex. Sneaky…

Meanwhile, American corporate travel firm CWT paid a US$4.5 million ransom to attackers, which was apparently a ‘discount’ on the US$10 million in Bitcoin originally sought. Reuters’ Jake Stubbs viewed and published screenshots from the chat log used in the negotiations, which ends with the attackers offering advice on how the company could better secure its network. So helpful!

You’ve got mail

To: Vatican City
From: China
Subject: We said loaves and FISHES
Malware analysts discovered a series of phishing attacks in which members of the Hong Kong Catholic Church, and possibly a broader set of targets within the Vatican’s network, were targeted by PRC-linked actors. Catalin Cimpanu at ZDNet first broke news of the attacks in mid-July, before the New York Times tried to claim it as an exclusive.

To: US Defence and Aerospace contractors
From: Hidden Cobra (North Korea)
Subject: Best job work from home
The Dear Leader’s top hacking team sent staff at US defence contractors spear phishing messages that used the ever reliable ‘fake job offer’ routine on email and via direct messages on social networks.

Three reasons to actually be cheerful this week:

  1. Cancel your weekend plans: The bad news was DEF CON was cancelled. The good news is ‘DEF CON: Safe Mode’ will stream presentations free of charge from this Thursday (US time). Check the schedule.
  2. Get on the election security train: The organisers of DEF CON’s voting village asked the US infosec community to volunteer for a temporary infosec help desk to help state election officials. CISA has also published a guide [pdf] for election officials on how to set up a vulnerability disclosure program.
  3. Know your phishing: A year-long study of phishing attacks [pdf] against a financial institution analysed over 20m user visits to 400,000+ phishing pages. It revealed that a typical phishing campaign snares over 60% of its victims in the first nine hours of the campaign.

China sprung getting jump on the jab

The two MSS-linked Chinese hackers indicted by US authorities last week were apparently cyber-casing (conducting reconnaissance against) Massachusetts-based vaccine producer Moderna, and very likely snooped around California-based antiviral producer Gilead and Maryland-based Novavax, according to exclusive reporting by Reuters Chris Bing and Marisa Taylor.

Reuters: Russia hacked UK MP to disrupt US trade deal

Russian-aligned actors hacked the email account of former UK Trade Minister Liam Fox to access documents on the US-UK trade deal, according to a Reuters report by Jack Stubbs and Guy Faulconbridge. The stolen documents were then leaked as part of the Secondary Infektion disinformation campaign. The UK government officially recognises the ‘hack and leak’ operation as a Russian attempt to meddle in last year’s UK election.

UK Labour was breached in Blackbaud attack

The UK Labour party was among the 100+ Blackbaud clients affected by a July 2020 data breach. Blackbaud claims to have paid off the attackers, and takes them on their word that stolen data has been deleted.

Norks to receive second Risky.Biz participation award in as many months, lifetime participation award under consideration

In early July, we awarded North Korea’s Lazarus Group with the inaugural Risky.Biz participation award for ‘having a go’ on all fronts: SWIFT hacks, ransom worms, hacking cryptocurrency exchanges, BEC scams and most recently Magecart-style web skimming. Now Kaspersky reckons the Norks are jumping into human-operated ransomware, just to tick every box of the Magic Quadrangle for cybercrime.

You can LAED a bill to the House…

… but can you convince Democrats to support it? Republican representative Ann Wagner has introduced the House equivalent of the Senate’s Lawful Access to Encrypted Data bill. Attorney General William Barr applauded her effort, which at this point is probably the kiss of death.

Bootloader patches causing issues

A vulnerability disclosed in GRUB2, a component used in the boot process for most Linux distributions and sometimes in other operating systems, is proving cumbersome to patch. Expect a few outages from cloud providers.

Enjoy this update? You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at editorial@risky.biz.