GRU uses Linux rootkits, everyone else is OAuth phishing

The Risky Biz newsletter for August 18, 2020...

You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page.

Blue team gurus snared by OAuth Phishing

The NSA’s exposure of Linux malware developed by Russia’s GRU is capturing the lion’s share of attention this week, but the issue affecting everyone right now is something less flashy but a lot more urgent: OAuth phishing.

This week we learned that attackers stole 28,000 emails from the SANS Institute after tricking one of its employees into installing a malicious Microsoft 365 app that allowed access to their mailbox.

The SANS Institute is arguably the largest provider of specialist training for blue teams. For it to fall victim to this type of attack should be a wake up call to all blue teams, to Microsoft and even to legislators and regulators of the serious risks OAuth phishing poses to Microsoft customers.

Malicious OAuth/Azure app attacks are simple and scalable enough for BEC scammers and effective enough for espionage operations. As we described in our June 23 and July 21 newsletters, Microsoft has many options available – but little commercial incentive – to reduce the threat posed by rogue Azure apps.

The growing number of CISOs voicing their concerns isn’t likely to force Microsoft’s hand: the Azure/365 ecosystem is sticky by design. Academically speaking, it’s a case of ‘market failure’. Plainly speaking, it’s a case of negligence.

If you’re defending one of the many organisations on Microsoft 365 (formerly ‘Office 365’), your controls need to account for this gigantic attack surface. Unless you’re an E5 license customer with access to Microsoft’s ‘Cloud App Security’ tools (which provides an ability to set policies on cloud app usage), allowing users to install these apps in anything approaching a safe way is close to impossible. Let’s put it simply: Microsoft has exposed its customers to serious risk while withholding compensating controls from anyone who can’t pay for 24-carat, diamond-set E5 licenses.

One sub-E5 option is to force all user app requests through an admin consent workflow, with administrators granting approval every single installation. If you want to automate this with policy, that’s too bad. That’s an E5 exclusive.

If you’re running phishing assessments to educate staff, you absolutely must also simulate rogue 365/Azure app attacks and drill staff on the importance of reporting suspicious ones to security staff.

Australia puts “critical infrastructure” on war-footing

Anyone interested in radical policy approaches to protecting critical infrastructure from cyber-attack should pay attention to what’s happening in Australia, where the government has unveiled plans for unprecedented interventions in the operations of its critical infrastructure providers.

A new discussion paper [pdf] by Australia’s Department of Home Affairs fills in the blanks in Australia’s otherwise vacuous 2020 Cyber Security Strategy. It recommends amending the Critical Infrastructure Security Act to provide authorities easier ways to respond to aggression by a foreign adversary, irrespective of whether the impacted assets are owned and operated by private interests or state governments.

Up until now, ‘critical infrastructure’ in Australia was a select club: electricity, gas, water, ports and telecommunications. The paper proposes broadening that definition to include banking and finance, tech companies, defence contractors, education and research providers, energy, food and grocery, healthcare, space and transport companies.

Many of those will be shocked to learn the steep price of membership. In this week’s Risky.Biz feature, we spoke to CISOs about what the government will expect of them if the Act is amended as described. You can read the full story on our website.

NSA doxxes GRU malware

The NSA and FBI have published a detailed teardown of some malware tools used by Russian military intelligence in espionage campaigns targeting Linux-based systems.

The malware was attributed to Military Unit 26165 of Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), whose previous activities were clustered by threat intelligence vendors as ‘Fancy Bear’ or ‘APT28’. These are the folks responsible for hack and leak operations against the DNC prior to the 2016 US Election, the 2015 attack on the German Bundestag and botched attempts to snoop on the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands.

GRU operatives are known to call this Linux malware set ‘Drovorub’, which means “driver slayer,” according to Dmitri Alperovitch. Running over 39 pages of technical analysis [pdf], the NSA/FBI document describes how each component of the malware set functions on both an infected host (an implant and a rootkit to evade detection) and on attacker-controlled infrastructure (a C2 server and agent used by operators).

The NSA/FBI writeup demonstrates the software engineering prowess of Russian attackers and hints at the visibility NSA has into its adversaries’ operations. We don’t know how they got such deep insight, but we sure have been having fun making some semi-educated guesses. Some of Russia’s finest malware authors just had summer holidays cut dramatically short.

The advisory lists several methods defenders can use to detect Drovorub activity. Traffic to a C2 server can (for now) be detected with network intrusion detection rules (Snort, Suricata etc). These rules will trigger by detecting the C2’s message format, so of course the caveat is that the malware authors are likely to have reformatted these messages to avoid detection before you read this, now that their handiwork is out in the open.

Detecting Drovorub on endpoints also has its challenges: the rootkit is fairly stealthy. Derek Betker from Linux security specialists Cmd told Risky Biz that YARA rules supplied in the advisory will only work against files on disk, which are likely to be hidden by the rootkit. Finding them requires a forensic image of a hard drive, which is not entirely practical unless you’ve been alerted to signs of malicious activity.

Admins are advised to prevent Linux systems from running untrusted kernel modules to prevent installation of the rootkit. That means enabling UEFI Secure Boot in “full” or “thorough” mode to verify the boot-up and drivers, and using kernel signing (available for systems running Linux Kernel 3.7 and above) for signature enforcement from there. It’s fiddly work. Godspeed.

Researchers blunted Emotet for six months

For 182 days between February 6 and August 6, malware researchers and defenders very discreetly shared a small PowerShell script that effectively ‘vaccinated’ Windows machines against Emotet infections.

‘EmoCrash’ was the work of James Quinn, a researcher at Binary Defence. Quinn discovered he could exploit a persistence mechanism Emotet authors added to their malware in a February 2020 update to (safely) make it crash when it runs on an infected device.

Quinn continually refined the technique to keep pace with changes in the malware and worked with the CSIRT assistance program at Team Cymru to distribute the script to blue teams, under conditions that wouldn’t permit public disclosure.

Unfortunately, an August 6 update to Emotet removed the persistence mechanism Quinn’s script had subverted, such that he could give a green light to ZDNet reporter Catalin Cimpanu to tell his story to the masses. It’s a fun read.

UK, North America launch second wave of contact tracing apps

Several US States and the United Kingdom are having a second look at contact tracing apps now that global infection numbers are back on the rise.

Apple and Google claim that around 20 US States are experimenting with contact tracing apps using the ‘Exposure Notification’ framework created by the two smartphone giants. The United Kingdom is piloting its second contact tracing app, which (this time around) is based on the exposure notification API.

Canada is also revisiting the idea. Alberta, the Canadian province that jumped out of the gates early with a solution based on Singapore’s TraceTogether, announced it will jettison that app to back COVID Alert, a national effort built on the Gapple framework. COVID Alert was rolled out first in Ontario, where 2 million (~14% of the total population) have downloaded it since July 31. Pre-release polling suggests Canadians are enthusiastic about the technology.

Health authorities in these countries can learn a great deal from the failings of their predecessors.

The first lesson is the pressing need to counter lingering doubts about whether the apps are effective. Unfortunately, early experiments with contact tracing apps that weren’t directly supported by Apple and Google have eroded user trust in the technology. Australia’s COVIDSafe app, for example, quickly racked up an impressive 7 million downloads (28% of the total population), but it has taken three months for state health authorities to derive value from it.

In Italy, the ‘Immuni app’ (launched July 23) was only downloaded by ~12% of the population. Italians that chose not to download the app were more concerned that the app didn’t work (44% of respondents to a recent survey didn’t think it would be effective and 19% were worried a false positive could subject them to further quarantine) than about security and privacy issues (29% called out security and privacy concerns).

The second lesson is to ensure users that download the app also know how to use it. A recent Swiss Government survey found that at least half of Swiss respondents didn’t realise they had to do more than download the app to activate its contact tracing functions.

Ireland, Switzerland and Germany have arguably set the high watermark for apps based on the Gapple Exposure Notification API so far. Ireland’s COVID Tracker app has been downloaded by 1.6m users (over 30% of the population) since early July. Users of the app were given the choice of how much data they wanted to share with authorities, based on privacy and security advice that was clear, consistent and concise. Switzerland’s SwissCOVID app was downloaded by 2.15m residents (25% of the population) since launching in late June, while 17 million Germans (20% of total population) downloaded the Corona-Warn app.

But while 1700+ Irish have tested positive to COVID-19 since the app’s launch, only 159 have uploaded their positive diagnosis to the app. Encouragingly, Ireland’s Health Service Executive told Risky.Biz that (as of August 14), some 414 users chose to report to health authorities that they’d received proximity notifications.

And while 5000+ Swiss have tested positive to COVID-19 since the app’s launch, only ~500 reported their positive diagnosis in the app. The same applies in Germany, where 17 million (20% of total population) have downloaded the Corona-Warn and only 1400 have reported a positive diagnosis in the app.

Researchers in the German state of Lower Saxony have commissioned a study to understand why so few COVID-19 patients choose to notify other users. What is the overlap, for example, between those that test positive to COVID-19 and those that download and use contact tracing apps?

The technology is improving, but there’s a lot more to the story than technology.

TikTok owner ByteDance must drop US assets within 90 days

The US Government has ordered Chinese company ByteDance to divest its US assets and destroy data on US users of TikTok (and its predecessor, within 90 days.

The Executive Order [pdf] wraps up a nine-month investigation by the US Committee on Foreign Investment in the United States (CFIUS), which satisfied President Trump that ByteDance could use TikTok to “take action that threatens to impair the national security of the United States.”

The Wall Street Journal reported that TikTok was one of 350 apps Google slapped for collecting the MAC addresses of devices, and that ByteDance had obfuscated that collection in some way.

The US continues to offer ByteDance an “off-ramp”: it can sell its US operations and data to Microsoft or some other US entity.

“Israel looks like a soft target, what could go wrong?”

Let’s give the North Koreans one final round of applause for the “have a go” attitude of their hacking operations. They’ve continued to target Defence contractors, most recently in Israel. We’re sure that will end well for them.

This mob holds sick people to ransom

Brian Krebs reports that R1 RCM, a US medical billing payments company, took systems offline to respond to a ransomware attack that very potentially exposed the sensitive medical and financial data of tens of millions of Americans.

You’ll have to delay that COVID cruise

Cruise-line giant Carnival Corporation told the SEC it suffered a ransomware attack in mid-August, hot on the heels of a data breach in March. Konica Minolta was also added to the list of printer vendors (Canon, LG and Xerox) attacked by ransomware operators over the last month.

Get the bigger picture

The United States is in great power competition with a country that operates under a concept of “military-civil fusion”. How can America compete without embracing the same paradigm? The Heritage Institute’s Klon Kitchen and James Jay Carafano wrote a guest column for Risky.Biz on what they think tech companies and the US Government each need to do about it.

Enjoy this update? You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at