China flaunts its exploit prowess

The Risky Biz newsletter for November 10, 2020...

You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page.

China parades its exploit prowess

Exploits demonstrated at a China-based competition to poke holes in the world’s most popular technologies bode poorly for future US dominance in exploit development.

The CCP-endorsed 2020 Tianfu Cup paid out a US$1 million prize pool to domestic hacking teams that could exploit the world’s most popular operating systems (Windows, Android, iOS, CentOS), web browsers (Chrome and Safari), smartphones (iPhones and Samsung Galaxy), software infrastructure (VMware ESXi, Docker-CE, QEMU-KVM), apps and home routers.

Teams were given three five-minute periods to demonstrate an original technique for exploitation against 16 target technologies, which were chosen by organisers based on technical difficulty and “special effects on our country”. (This is from a rough translation: we’re not entirely sure what it means).

This year, competitors successfully cracked 11 of the 16 targets, and exposed vulnerabilities in two others. (We’ve summarised them here).

Policymakers in the West need to sit up and pay attention. These games aren’t just a bit of fun: the results are every bit as meaningful as the pretty matrices that rank state power in cyberspace. The Tianfu Cup has progressed from an effort to demonstrate that China can match global peers (it was founded in 2018 to “gradually create China’s own Pwn2Own”) to a demonstration of capabilities that exceeds what gets put on show in the West. Of course, what America and Chinese are each willing to demonstrate is likely to be a far cry from the capabilities they choose to keep hidden.

Where last year Tianfu Cup participants smashed their way through browsers, apps and routers, they gave up on some of the harder targets (iPhone 11 and Windows Server). This year, multiple teams conquered many of the most difficult “bonus” level targets. They were willing to burn some serious 0-day to earn modest cash prizes.

The Tianfu Cup has become, in cyber terms, the equivalent of watching an adversary parade a new missile through their capital. It’s a performance. “That capability you paid defence contractors millions for? Watch as we set fire to all these valuable bugs.”

So what’s an appropriate policy response? Stanford’s Alex Stamos argues that, for a start, security research in the United States should be subject to a modern legal framework, not something as outdated and open to interpretation as the CFAA. The United States needs to foster an environment at home that rewards, rather than shuns, security research. For now, we can no longer safely assume US superiority in exploit development.

Oh, and a fun afterthought: How many non-Chinese actors had their capability torched due to bug collisions? There’s bound to be some overlap in an exploit dump of this magnitude. We’re guessing quite a few people had their weeks ruined!

Australia’s hardcore critical infrastructure laws open to challenge

Australia’s Department of Home Affairs has yielded to pressure from industry and state governments, publishing an exposure draft of the bill that underpins its plan to directly intervene in the cyber security of critical infrastructure assets.

The draft of the “Critical Infrastructure” bill gives the Australian Government unprecedented powers over the security of assets owned and operated by private companies and state governments, and is even larger in scope than we first forecast.

Most of Australia’s largest companies will be forced to maintain asset registers and declare security incidents affecting those assets within 24 hours of discovery. During critical incidents, Home Affairs can direct them to make system changes, submit logs to the ASD or install ASD sensors on their systems.

We’ve summarised the enormous scope of the proposed laws in a standalone story at Risky.Biz.

Linux is fertile ground for ransomware crews

Catalin Cimpanu at ZDNet reports that two “big game hunting” groups have created Linux variants of their ransomware.

Kaspersky analysts have analysed samples of a Linux trojan that appears derived from the same source code as the Windows ransomware known as RansomEXX. Cimpanu learned that the actors responsible for Pyre ransomware have toyed with the same idea, but we are yet to hear reports of significant ransomware attacks that target Linux systems.

So what has changed that makes it worth the attacker’s investment to port Windows ransomware strains to Linux? A lot of corporate and web infrastructure runs Linux, and those environments often lack appropriate controls and monitoring. Whether future “big game” attacks against Linux environments yield the same impact as a Windows-based network is an open question, but seeing these types of samples surface gives us the creeps.

US Gov seizes US$1 Billion in BTC

The US Treasury is a tad richer after seizing US$1 billion in BTC from a Bitcoin wallet, the proceeds of a long-ago hack of online drug marketplace Silk Road.

According to the US Department of Justice, the wallet was “willingly” forfeited to the United States by a hacker that stole the 69,370 BTC from Ross Ulbricht, Silk Road’s administrator, in 2012. It’s unclear how US authorities tracked the hacker, but Andy Greenberg at Wired posits that they may have been identified through the seizure of the BTC-e exchange in 2017. (The hacker previously sent US$23k worth of the stolen Bitcoin to a BTC-e account in 2013.)

Our thoughts are with this particular hacker. Imagine stealing US$300k of Bitcoin and patiently watching its value grow to over US$1 billion over eight years. But every time you think about extracting it, that little voice in the back of your mind reminds you that it’s being closely watched. Agonising.

Three iOS zero-days chained in targeted attacks

Apple has patched three iOS bugs that were being used to target iOS users in the wild.

The front-end of these attacks is a font parsing flaw (CVE-2020-27930), which usually would only require the most basic user interaction to trigger remote code execution. The other two bugs were a memory leak (assumedly to bypass exploit mitigation) and a kernel privilege escalation (assumedly to get root). Google’s Threat Analysis Group detected the exploits being chained together in targeted attacks.

Social networks intervene as civil unrest threatens US

Facebook moved on Thursday to prevent some of the hate from spilling from out of its pages onto American streets. The social network removed the “stop the steal” group run by Trump associates on the basis that it promoted violent, physical intervention in vote counts that were still underway at the time in Georgia, North Carolina and Pennsylvania. The group had quickly amassed 360,000 members prior to its removal.

Facebook also announced it will put groups “on probation” if they are found to host content that violates community standards. Group admins and moderators will be forced to manually approve every submission on those pages for up to 60 days. If admins fail to moderate group behaviour, Facebook will shut the group down.

(Some of the shenanigans going on with Facebook groups are pretty funny. We haven’t verified the authenticity of this caper, but we figure you need a laugh this week).

Twitter, meanwhile, banned a Steve Bannon-run account after it published a video glorifying violent acts against two federal officials. The same Bannon rant was removed from Facebook, Spotify and – in a rare intervention – Google-owned YouTube.

Somebody still loves Solaris

Mandiant has warned about a new(ish) group with a penchant for hacking Solaris systems. In 2018, Mandiant analysts observed the attacker (dubbed UNC1945) attacking Solaris boxes that exposed SSH to the internet, but in more recent attacks the attackers exploited a zero-day in the Solaris Pluggable Authentication Module (PAM) to get in. PAM allows admins to log-in using ye olde authentication protocols like Telnet, FTP and rsh. UNC1945 are dropping all manner of malware on infected networks, without exhibiting any clear objectives. Opportunists that sell access to others, perhaps? If you’re a) letting these guys in and b) not detecting any of their activity, you’ve got Solaris-sized problems.

OAuth attack tools unleashed

MDSec released an open source project to help orchestrate OAuth phishing attacks against O365. It’s a big productivity win for red teams, and could deliver end users some teachable moments if used in simulations. It will also lower the (already low) cost of entry for real attackers, so sort out your OAuth access permission policies, pronto. We expect complaints from the usual quarters about the release of offensive tooling, but on balance, tools like these tend to accelerate the engineering of better platform controls.

Ransomware, everywhere

It’s hard to keep up. There are public reports of attacks on Brazil’s Superior Court of Justice, Taiwanese laptop manufacturer Compal, games company Capcom, Italian beverage giant Campari and GEO Group, a US operator of private prisons.

Russian hacker arrested!

Russian authorities arrested a 20 year old who made the rather unfortunate error of writing malware that infected computers in Russia.

GCHQ on the offensive over COVID-19 vaccines

The Times of London reports that GCHQ launched an offensive cyber operation to counter Russia-directed propaganda designed to cast doubt on the effectiveness of COVID-19 vaccines. Watch this news item spin uncontrollably into a “deep state conspiracy”.

Huawei gets rare Swedish reprieve

A Swedish court told the country’s telecoms regulator that it can’t make bids for 5G spectrum conditional on excluding Huawei kit.

Enjoy this update? You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at editorial@risky.biz.