Just another Tuesday on the Internet

The Risky Biz newsletter for November 5, 2020...

You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page.

US election sees lots of voting, very little cybering

You might have noticed this newsletter has arrived later than usual. We held back this week on the off-chance something big would happen during the election, but it turns out it was for nought. The result is looking clearer by the hour and we can confidently say that cyber shenanigans played no part in the outcome.

Officials from CISA, the agency charged with overseeing election security, described election day as “just another Tuesday on the Internet.”

There wasn’t a repeat of 2016, largely because significant players in America’s information landscape – its televisions and newspapers, social media platforms, technology companies and the states holding the election counts – were better prepared and coordinated to combat foreign interference.

On the domestic front, Twitter engaged in aggressive filtering that slowed the spread of election falsehoods. And while Facebook applied less obtrusive notifications, it provided links to voices of reason.

While we shouldn’t overstate its influence in a large and complex system, CISA made strong contributions to that coordination. As Lily Hay Newman writes in Wired, CISA’s election security remit was funded via a 2017 decision to designate election systems as critical infrastructure. CISA has since established itself as a trusted channel for getting a sanity check on claims of foreign interference. CISA made the election look boring. Elections should be boring.

Fears of Russia playing its hand went unrealised. The only election shenanigans of note were half-baked attempts to discourage turnout via dodgy robocalls (these pre-date the internet). Hyper-partisan trolls and fringe media did their best to inject chaos into the discourse, but that’s hardly a recent development.

In disputing the electoral count, President Trump has handed foreign adversaries an opportunity to wage information operations over the days and weeks ahead. But our hunch is that they won’t bother turning up, and even if they do, they won’t be effective. This party’s over.

US hospitals fend off Ryuk attacks

Last week’s reports of a deliberate, coordinated ransomware attack on US hospitals have again raised questions about what sort of drubbing the United States is prepared to withstand before authorising covert action against those responsible.

Last Monday, US-based researcher Alex Holden told his partner in e-crime investigations Brian Krebs that a Russia-based group was planning a Ryuk ransomware campaign that would target over 400 US healthcare facilities.

Hospitals in Minneapolis, New York and Oregon reported ransomware infections the following day, prompting CISA and the FBI to warn of “an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers”.

Holden later told the New York Times that over 30 hospitals were infected. Risky Business could only find public reports of 11 hospitals in total (from a total of five healthcare providers). Sources that specialise in coordinating responses to security incidents in healthcare told Risky Business that there was “no noticeable uptick” in ransomware infections.

Let’s take a moment and let that sink in: 11 US hospitals were disrupted by ransomware by the same crew within three days, but that represents “no noticeable uptick” in activity. Ambulances in New York were redirected, cancer patients in Oregon were denied radiation treatments and elective procedures in Vermont were rescheduled. Other hospitals had to proactively shut down all email communication to prevent infection. That’s now so “normal” that in the media business we’d call this story a “fizzer”.

Somewhere along the line, the daily onslaught of ransomware operations has numbed our senses to how warped this situation is. A few weeks ago, ransomware attacks compelled UHS to shut down systems at 250 hospitals for over a week. A week prior a hospital redirection in Germany arguably contributed to a loss of life.

On the plus side, a collective abhorrence of attacks on hospitals bound the cyber security community to a common purpose. Indicators and TTPs associated with a Russian group that has attacked several hospitals (UNC1878) were published by Mandiant/FireEye, RiskIQ, Red Canary, Swisscom and others. Mandiant and Red Canary managed to convince the US Government that the initial CISA/FBI advisory neglected critical information about UNC1878’s latest tradecraft. The advisory was updated promptly.

So while the coordinated attacks on hospitals were nowhere near the scale anticipated, threat analysts alarmed by UNC1878/Ryuk capabilities seized the moment to share and educate.

We’re wondering if it’s also a moment for lawmakers: a moment to think very seriously about imposing real costs on ransomware gangs. The needle on that issue appears to be shifting. This campaign provoked far more anger and resolve than what we observed after the UHS attack. People want action.

Blowing on the embers of the Dual_EC_DRBG trash fire

Reuters’ Joseph Menn has added a postscript to the enduring question of why the flawed Dual Elliptic Curve (Dual_EC_DRBG) algorithm came to be standardised and used by several US technology vendors.

Dual_EC_DRBG was a cryptographically secure random number generator (CSRNG) endorsed by NIST in the early 2000s. From the earliest stages of its development, security researchers raised concerns that the algorithm could be used as a kleptographic backdoor, whether by the NSA (using the default parameters it put forward for Dual_EC_DRBG to NIST) or by a technology vendor (via modification of those parameters in a product).

Menn authored one of the most integral chapters of the Dual_EC_DRBG story. In late 2013 he reported that the NSA paid RSA Technologies to use Dual_EC_DRBG by default in a line of products and to modify it in ways that sped up decryption of intercepted communications.

In 2015, Juniper revealed that a third party had tampered with the parameters it chose to use for Dual_EC_DRBG in a popular line of network equipment, making communications vulnerable to decryption. The RSA and Juniper events seemed to align with hints found in GCHQ memos leaked by Edward Snowden that referred to an NSA capability to decrypt VPN communications. Together, these stories made Dual_EC_DRBG part of infosec folklore. It became the quintessential example of why crypto backdoors are a bad idea: adversaries can discover and exploit them.

Menn’s postscript to the Dual_EC_DRBG saga comes in the 11th paragraph of a new story. In it, a spokesman for US Congressman Ron Wyden claims that the NSA authored a “lessons learned” report about the Dual_EC_DRBG fiasco, but when asked to produce it, the NSA couldn’t locate it.

Menn also sighted a 2016-era message between an unnamed person at Juniper Networks and a security researcher, in which it was claimed that Dual_EC_DRBG was used in Juniper equipment to meet a “customer requirement”. He understood the customer to be the NSA. Two anonymous sources also told Menn that the Chinese government discovered and compromised the backdoor in Juniper’s kit.

Unfortunately, the existence of a “report into lessons learned” doesn’t tell us much. There are plenty of reasons the NSA might lament the Dual_EC_DRBG saga, irrespective of whether Dual_EC_DRBG was a deliberate backdoor. For its part, NIST has already authored several “lessons learned” reports (1, 2) about Dual_EC_DRBG and the NSA has expressed regrets about advocating for it. Nothing new there.

We also don’t know for certain whose “customer requirement” was met when Juniper made some very suspect choices of configuration in its equipment. Dual_EC_DRBG was required for FIPS compliance, so it could have been any number of parties. In any case, this alleged email exchange adds to manifest evidence that Juniper’s chosen configuration (which bypassed a separate, primary number generator to rely exclusively on Dual_EC_DRBG) couldn’t have entirely been an accident. Juniper and RSA were either complicit or incompetent, and neither is a good look.

Cyber Command gets one back on the FSB

US Cyber Command has uploaded six samples of ComRAT and two samples of the Zebrocy implant to VirusTotal, and linked both malware families to Russian intelligence services.

The ComRAT implant has been used by Russia’s Turla group (aka Waterbug) in targeted espionage operations against governments, NGOs and aerospace organisations, predominantly in Europe and Central Asia. The Estonian Government has formally attributed Turla to Russia’s FSB [pdf].

The ComRAT samples published by USCYBERCOM were used in attacks on “foreign affairs ministries and at least one national parliament”. ESET analysts noted that the samples were over two years old. Turla is still very active, however: a new Accenture-authored report attributed the recent compromise of a European Government entity to the same group.

Curiously, ComRAT’s origins lie in Agent.BTZ, a malware implant that was reportedly used to compromise US military operations in 2008. That infection was reported to have inspired the creation of US Cyber Command in the first place.

Zebrocy, meanwhile, is a malware implant used by GRU’s Military Unit 26165 (aka APT28, Fancy Bear, Sofacy). USCYBERCOM annotated the two samples it published on VirusTotal as malware “used to target victims in Eastern Europe and Central Asia, including embassies and ministries of foreign affairs.” Kaspersky analysts noted that these samples were used in attacks in April and June 2019.

Considering the age of the samples, this smells like a one-finger salute to some old friends.

CISA, FBI tear down Iran’s voter registration attack

US officials told the Washington Post that US Cyber Command conducted an operation against Iranian actors in response to Iran’s ham-fisted attempt to interfere in the US election.

While we don’t know what the USCYBERCOM operation was, we do know a lot more about Iran’s attacks than when we first reported them. According to an updated CISA/FBI advisory, the attackers used the commercially-available Acunetix vulnerability scanner to probe the websites of 10 US states between September 20 and September 28, 2020, before attempting to exploit identified vulnerabilities (SQLi, XSS etc.) in these sites between September 29 and October 17, 2020.

On at least one occasion, the actors exploited a misconfigured website and used cURL to iterate through voter records. These were the records exhibited in a video the attackers linked to in their voter intimidation emails (see last week’s item, “Iranian front company sanctioned…”).

The advisory also included a list of recent queries the attackers ran in search engines, revealing where they felt the need to brush up on their hacking skills. Burn!

Calls to limit use, improve oversight of Australia’s metadata retention scheme

A joint committee of the Australian Parliament has recommended 22 changes to the country’s mandatory data retention laws, after discovering they were often abused by government bodies that arguably shouldn’t have been able to access them.

The PJCIS final report was highly critical of the limp oversight of the metadata retention regime by Australia’s Department of Home Affairs. Only 21 agencies were directly authorised to access the data when the laws were introduced in 2015, but the report found that over 100 have accessed intercepted metadata, mostly through the use of legal loopholes. Local councils, a state fisheries department and even the RSPCA got in on the action. Several agencies were also a bit YOLO about authorising entire ranks or categories of staff to request intercepted data.

The committee now wants the government to repeal the section of Australia’s Telecommunications Act that many non-law enforcement bodies relied on to make requests. It recommends new access requirements that specify which individuals are authorised to request the data, and some basic reporting requirements to track its use.

The committee did not recommend metadata retention be restricted to requests backed by a warrant. But as a half-way measure, it called for limiting the scope of requests to those required for the investigation of serious offences.

Attackers bypass Oracle’s WebLogic patch

Oracle has botched a patch for a critical RCE bug in WebLogic, prompting a new CVE and a second, out-of-band patch.

Oracle’s first patch fixed a path traversal bug in the console of WebLogic Server (CVE-2020-14882). Attackers could get remote code execution with a simple GET request. About a week after the patch came out, SANS Institute’s Johannes Ullrich warned that unknown parties were scanning the internet to discover vulnerable WebLogic servers.

But folks who miraculously patched on time weren’t safe for long. The patch introduced code that would deny percent-encoded path traversal in a query. But this blocklist wouldn’t pick up on an attacker query that simply swapped out an uppercase ‘E’ for a lowercase ‘e’. An out-of-band patch has been issued to address the bypass, which was assigned a new CVE (CVE-2020-14750).
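The case-sensitivity gap described above, shown as an added example (this is not Oracle's patch code): a constructed blocklist in the same style sits beside a check that decodes and normalises the path before comparing it to an allowed prefix. The request paths, the /app/public/ prefix and the function names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed, case-sensitive blocklist of literal traversal tokens.
BLOCKLIST = ("..", "%2E%2E", "%252E%252E")

def naive_is_blocked(raw_path: str) -> bool:
    """Weak check: substring match against fixed, case-sensitive tokens."""
    return any(token in raw_path for token in BLOCKLIST)

def fully_decode(raw_path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing (handles %252e -> %2e -> .).
    Conservative by design: refuses input still changing after max_rounds."""
    current = raw_path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    raise ValueError("too many encoding layers")

def hardened_is_allowed(raw_path: str, allowed_prefix: str = "/app/public/") -> bool:
    """Allowlist check on the canonical path instead of a token blocklist."""
    try:
        decoded = fully_decode(raw_path)
    except ValueError:
        return False
    if "\x00" in decoded or "\\" in decoded:
        return False  # reject NUL bytes and alternate separators outright
    normalized = posixpath.normpath(decoded)  # collapses ../ and duplicate slashes
    return (normalized + "/").startswith(allowed_prefix)

# Constructed sample request paths (not taken from any advisory).
SAMPLES = [
    "/app/public/css/site.css",
    "/app/public/css/%2E%2E/%2E%2E/admin",
    "/app/public/css/%2e%2e/%2e%2e/admin",      # lowercase hex digits
    "/app/public/css/%252e%252e/%252e%252e/admin",  # double-encoded
]

def compare(paths):
    """Return (path, blocked_by_naive, allowed_by_hardened) for each path."""
    return [(p, naive_is_blocked(p), hardened_is_allowed(p)) for p in paths]

if __name__ == "__main__":
    for path, blocked, allowed in compare(SAMPLES):
        print(f"{path!r:50} naive_blocked={blocked!s:5} hardened_allowed={allowed}")
```

The lowercase and double-encoded paths pass the blocklist untouched, while the canonicalising check rejects every path that resolves outside the allowed prefix.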

Open season on Chrome

Google has patched three separate zero day vulnerabilities in Chrome, and dropped a zero day in Microsoft Windows in the process. On October 20, Google patched a memory corruption bug in Chrome (CVE-2020-15999) that was chained with a sandbox escape in Windows (affecting Windows 7 - Windows 10) in recent attacks. Google Project Zero gave Microsoft just seven days’ notice before disclosing the Windows sandbox escape, which remains unpatched as we sent this newsletter. On November 2, Google patched a second zero day in Chrome that was detected in the wild by Google’s Threat Analysis Group (TAG), and five hours later patched a heap buffer overflow in the Android interface for Chrome.

Vastaamo board fires CEO over alleged breach coverup

We were appalled to learn last week (see “Another new low…”) that extortionists had threatened clients of Vastaamo, a privately-owned provider of psychotherapy services that was hacked (twice) a few years ago. A Finland-based Risky Business reader tipped us off that while the attackers were scum, Vastaamo might have its own case to answer. He’s probably right: Vastaamo’s board has since fired the company’s CEO, claiming that news of a second breach was withheld from them and a VC firm that acquired the company.

Wisconsin Republicans lose millions in BEC scam

The biggest cybersecurity incident of the US election will probably wind up being a Business Email Compromise scam. The Wisconsin GOP were duped into paying US$2.3m to an attacker in response to a “sophisticated” attack: a doctored invoice from a supplier.

string.replace(“maze”, “egregor”)

The Maze ransomware gang claims to be “closing” its project. They’ve made some great coin over the last 18 months, so it wouldn’t be the dumbest move to pull their heads in before the hounds can be released. Some of the folks involved with their operation appear to have moved on to a related operation, ‘Egregor’. Same slime, different label.

Crime doesn’t pay (unless you own it)

A US court has sentenced a Russian-born data analyst to eight years in prison for the role he played in a cybercrime business, for which he earned just US$137,000 over three years. By contrast, his boss ran a botnet of 500,000 computers, earned millions of dollars and lived a life of luxury, and only got nine years in prison [pdf]. It looks like late capitalism has finally come for cybercrime!

UK telcos place their bets

The UK’s Huawei ban is taking effect. BT has signed deals with Nokia and now Ericsson to build its 5G access network. The Financial Times reports that Vodafone UK is taking the same path as Spain’s Telefonica: betting on smaller manufacturers rolling out ‘Open RAN’ technology. Meanwhile in Europe, Huawei appears to be preparing a legal challenge against bans imposed in Poland and Romania.

“Soon we’ll be chipbuilding”

In related news, Huawei commissioned Shanghai-based IC R&D Center to experiment with the manufacture of 45nm semiconductors, according to the Financial Times, and hopes to create 28nm chips by this time next year for use in IoT devices and 20nm chips by late 2022 for use in its telecommunications business.

UK reduces fine over Marriott/Starwood Hotels data breach

The UK Information Commissioner’s Office fined Marriott Hotels £18.4m (US$24m) over the breach of Starwood Hotels Group, an event that started two years before Marriott acquired Starwood in 2014, but wasn’t remediated until four years later in 2018. The fine was a generous “COVID discount” on the £99m (US$130m) penalty the ICO initially proposed. The ICO gave a similar discount to British Airways last week.

Chrome to launch its own certificate root store

Google announced plans to run its own certificate root store for the Chrome Browser, rather than trusting the root store of the operating system the browser is running on (Windows, macOS etc.). The exception is Chrome on iOS, because Apple’s platform restrictions won’t allow it.

The many personalities of Lazarus

We’ve published a quick snapshot of who’s who in DPRK’s hacking scene. It’s the result of many hours of scrupulous analysis by threat researcher Daniel Gordon, and a few lame jokes from us.

Feedback welcome at editorial@risky.biz.