GRU eyes US election

The Risky Biz newsletter for September 15, 2020...

You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page.

First, a correction

Despite repeated attempts by this newsletter to rename CISA the “Critical Infrastructure Security Agency”, the stubborn bureaucrats and LOSERS in Congress want to stick with “Cybersecurity and Infrastructure Security Agency”. Our name works better, but whatever. (Apologies for the repeated error).

GRU eyes US election

Eight weeks out from the 2020 Presidential election, the United States hasn’t had to contend with the ‘hack and leak’ operations that marred the lead-up to the 2016 election. Yet.

This week Microsoft exposed three separate intrusion and reconnaissance efforts against the Office365 accounts of American political campaigns, think tanks and advocacy groups.

Redmond outlined how Russian GRU military intelligence unit Strontium (aka Fancy Bear/APT28) has targeted 200 organisations of all political persuasions since September 2019, using password spraying and brute-force tools to try to break into Office365 accounts.

Microsoft says the attack drew on a pool of “approximately 1,100 IPs, the majority associated with the Tor anonymizing service”. We interpret this to mean the behaviour was mostly emanating from Tor exit nodes.

Microsoft also detected a Chinese state-backed group (APT31/Zirconium) trying to validate email addresses for election-related targets. The attackers sent emails to the Biden campaign and national security think tanks, such as the Atlantic Council and the Stimson Center, just to see which users would click through to attacker-controlled web pages.

Also announced: Microsoft’s takeover of 155 domains used in reconnaissance campaigns by an Iranian state-based group (Phosphorus/Rocket Kitty), whose targets include US administration officials and the Trump campaign.

It’s no great surprise that the GRU is again intent on hacking US political organisations. Fancy Bear interfered in the 2016 US Election and the 2017 French Election and Andy Greenberg at Wired warned of a ramp up in Fancy Bear activity in late July.

What’s different in 2020 is that major service providers like Microsoft are exposing state-backed operations to the public, loud and early.

It’s important for these platforms to be vocal, because history tells us the campaigns won’t volunteer information about attempted intrusions until after votes have been counted. Efforts to make the public aware of Russia’s hand in the hacks on DNC and DCCC in the lead-up to the 2016 election only seemed to matter to many Americans after the election didn’t go the way they’d hoped.

This time the US appears more prepared for what’s coming. CISA published new advice [pdf] for political parties, released in parallel with Microsoft’s report. CISA’s advisory takes a strong line on multi-factor authentication, recommending FIDO2-compliant hardware security keys as its top preference, time-based one-time-passwords (TOTM) authentication apps as the next best thing, and SMS or email-based authentication as a last resort.

In a media statement, CISA director Chris Krebs highlighted that none of the activity affected voting infrastructure and “there was no identified impact on election systems.”

When America was eight weeks out from the 2016 Election, the dirty laundry on the DNC had already been aired by DCLeaks and Wikileaks for well over two months. This time around, with many Americans choosing to vote early by mail, the window of opportunity for foreign adversaries to sow or amplify discord in ways that can shape the result is closing.

Then again, fostering discord is something the United States doesn’t need a lot of help with right now.

Much ado about scraping

On Monday, newspapers in Australia, India, the UK and the US all published stories about the leak of a massive database reportedly used by Chinese intelligence agencies to profile prominent people in Western countries.

The leaked database contained data about 2.3 million people, and was compiled by Shenzhen-based private company, Zhenhua Data, which advertises its data mining capabilities to private and public interests, including Chinese authorities.

Academic Christopher Balding claims to have received the data – in the form of an ElasticSearch cluster with corrupted indexes – from a ‘China-based source’. He shared it with Australia-based company Internet 2.0 for analysis. Internet 2.0 CEO Rob Potter told_ Risky.Biz_ his team spent two months using the metadata in each JSON file to reconstruct the database in Splunk. Once the data was intelligible he began sharing it with journalists.

The same database was passed to Australian-based InfoSec journalist Jeremy Kirk by a security researcher back in January 2020. The researcher found it during a scan for Elasticsearch clusters that didn’t have authentication configured.

Both Potter and Kirk said that entries in the database appear to be scraped from social media profiles (Facebook, Twitter, LinkedIn, Medium, Instagram, YouTube). Kirk told _Risky.Biz _that he didn’t see much of a story in the aggregation of scraped social media profiles into an insecure Elasticsearch install, and opted to let it go.

Potter says the database contains analyst annotations that ‘score’ individuals according to their political influence or importance. The entries also contained information about whether an individual was a Politically Exposed Person (PEP) or a Special Interest Person (SIP) subject to financial sanctions, which was more than likely purchased from Dow Jones’ “Factiva” service.

While the correlation of all this public information makes for an intriguing capability, it’s still just public data. The story is overcooked.

China’s Ministry of State Security are freeloaders

CISA has released a technical advisory on the techniques China’s state-backed hackers have used in recent attacks on the US Government.

The advisory reveals the extent to which attackers working for China’s Ministry of State Security rely on the work of independent security researchers and publicly available tools like Cobalt Strike and Mimikatz to achieve their goals.

Another interesting takeaway is the outsize impact two security researchers have had on cyber security in 2020. Of the four vulnerabilities MSS-backed attackers used most often for initial access to Federal Government networks, three were discovered by a pair of prolific researchers that have a knack for finding bugs in network devices.

Taiwanese researcher Cheng-Da Tsai (‘Orange Tsai’) discovered the CVE-2019-11510 flaw in Pulse Secure VPN servers, while Russian researcher Mikhail Klyuchnikov discovered the CVE-2019-19781 flaw in Citrix VPN appliances and the CVE-2020-5902 flaw in F5 Big-IP devices. (The fourth in CISA’s list was the CVE-2020-0688 flaw found in Microsoft Exchange Server in February 2020).

When Tsai or Klyuchnikov decide to give your kit a free security assessment, you’re in for a wild ride, as two more vendors learned this week.

Tsai found an RCE in MobileIron’s mobile device management suite. He went to considerable effort to find a way to crack MobileIron, purely because it’s a tool Facebook uses to manage its mobile workforce.

Klyuchnikov, meanwhile, was credited with finding four more bugs in Palo Alto devices. None were as urgent as the SAML bypass bug Monash University infosec’s team found in June 2020 (CVE-2020-2021) or the more recent CVSS 9.8-rated buffer overflow (CVE-2020-2040) discovered in Palo Alto’s PAN-OS. But once this guy picks up a scent, he’s not going to let go.

Don’t dawdle on your patches: Microsoft Netlogon bug is a real doozy

A critical flaw in Microsoft’s Netlogon Remote Protocol (MS-NRPC) allows attackers on a Windows network to quickly and easily take over a domain controller.

Microsoft fixed the flaw (CVE-2020-1472) in its August Patch Tuesday release, but didn’t provide much information at the time. While the bug achieved what we call the “Nadia Comăneci” – a CVSS severity score of 10 – Microsoft initially advised that it was ‘unlikely’ to be exploited. It was so inconspicuously described that it didn’t even make Brian Krebs’ monthly summary of notable patches.

That deflection was turned on its head yesterday. Researcher Tom Tervoort from Dutch firm Secura published a blog that revealed why his bug in MS-NRPC is so critical. A flaw in the cryptographic authentication scheme used in MS-NRPC allows an attacker on the network to take over the domain controller and access domain administrator credentials.

Exploit code was shared within hours of the Tervoort’s blog being published. CISA is pretty anxious about it. Big game ransomware crews could use this bug to turn a successful phish into a network-wide compromise in a fraction of the usual time.

Secura confirmed that Microsoft’s August patch prevents the flaw being abused to access domain controllers, and it shared a free vulnerability exposure tool for admins to check whether their network is vulnerable.

Huawei goes it alone on mobile OS

Huawei plans to release smartphones that run on a home-grown operating system from October 2021.

Huawei intends to repurpose HarmonyOS, first pitched in August 2019 for smart watches and other IoT devices, as a smartphone operating system, in response to US sanctions that prevent Google from partnering with Huawei on apps and services.

The US sanctions don’t prevent Huawei from continuing to release handsets powered by the Android open source OS (which runs on 85% of the world’s smartphones) and promoting Android apps via third-party app stores. But they reduce the incentive for Huawei to invest in US-led technology ecosystems.

Huawei has unparalleled government support in the world’s largest market for smartphones, where users now (thanks to Trump’s action against WeChat) have fewer reasons to purchase an iPhone.

Nobody is buying TikTok’s US operations

TikTok owner ByteDance won’t sell its US operations to Microsoft, and probably won’t sell to Oracle either.

The company is instead proposing an equity deal for Trump-favoured Oracle. Under a proposal it submitted to the US Treasury Department for review, Oracle would reportedly take a stake in a restructured TikTok and host TikTok’s US data, but TikTok’s IP would continue to be owned and developed by ByteDance.

We’re not sure whether to be as outraged as Alex Stamos, who described it as an “exercise in pure grift” with no security outcome, or as tickled as Alex Pinto, who coined the definitive one-liner on the subject: “I heard Oracle Cloud got their first customer today. Congrats!”

From the end of this week, Twitter will label, suppress or potentially even remove misleading information on the social network that attempts to interfere with the orderly running of the US election.

Twitter will act against content designed to suppress voter turnout or undermine faith in the democratic process, just as Facebook committed to do in October 2019.

Twitter will also label, suppress or remove posts that prematurely claim victory for a candidate before election results have been certified or that encourage Americans to reject a fair election outcome.

Who attacked Chile’s Banco Estado?

Chilean Bank Banco Estado continues to do the hard yards to recover from a malware attack that infected 12,000 devices on its branch network.

The bank revealed this week that it first learned of the attack from a staffer who turned on their computer last Saturday morning to see a generic ransom note.

Last week, Chile’s national CSIRT linked the attack with Sodinokibi malware used by the REvil human-operated ransomware operation. Strangely, the bank’s President has since told government officials that Banco Estado did not receive any requests for ransom payments after the initial infection. REvil also didn’t name the bank on its leak site.

Another interesting anecdote from the response is that it took the bank four days to get half of its 400+ branches operational again, and after nine days it’s still listing branches coming back online on a daily basis. (Still, that’s faster than the UK’s Newcastle University, which recently told students it doesn’t expect to recover from a ransomware incident for the next six weeks).

CajaVecina, a network of Banco Estado mobile banking terminals installed in third-party corner shops, played a big role in helping Chileans get through the crisis: where typically these terminals were used for 800k transactions a day, this week they were used 2.2 million times.

Equinix Australia hit with US$4.5m ransom

The corporate network of co-location data centre giant Equinix has been infected with Netwalker ransomware. Attackers threatened to release payroll data about the company’s Australian staff if the company doesn’t pay a US$4.5m ransom. Customer equipment hosted in Equinix data centres is (so far) unaffected.

Thai hospital struggles with ransomware attack

It’s pretty appalling to read the personal stories of Thai medics pleading for IT help after losing access to patient record systems in a ransomware attack. You would have to be a sociopath to hold hospitals to ransom at the best of times, but during a pandemic, it’s even worse somehow.

FBI warns banks about credential stuffing

The FBI is warning US banks of a spike in credential stuffing activity and the increased targeting of API credentials in these attacks. Catalin Cimpanu linked to the FBI’s TLP White advisory from this ZDNet story.

Enjoy this update? You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at