Russian bears all up in your VMwares

The Risky Biz newsletter for December 8, 2020...

You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page.

WeChat gags Australia’s Prime Minister

WeChat censors in China have removed a post by Australia’s Prime Minister Scott Morrison as diplomatic tensions between the two countries dramatically escalated this week.

Morrison’s Chinese-language WeChat post, addressed to Chinese Australians, had attempted to defend Australia’s handling of an inquiry into war crimes committed by its special forces in Afghanistan. WeChat is the primary way the Chinese diaspora communicates with family and friends, as it’s among the few messaging apps allowed to traverse China’s “great firewall”.

Morrison’s note to Chinese Australians was an indirect response to an inflammatory social media post by China’s foreign ministry spokesman Zhao Lijian in late November. Condemning Australia’s actions in Afghanistan, Lijian posted a manipulated image of an Australian soldier holding a knife to the neck of an Afghan child. Lijian’s post was roundly condemned by the European Union, France, Germany, Japan, New Zealand, the United Kingdom and the United States as a new low in international relations.

Morrison’s attempt to reach out to Chinese Australians on WeChat was cautiously diplomatic, factual and expressed “respect and appreciation for the Chinese community in Australia”. But Weixin (WeChat) censors removed it on the ridiculous pretence that it “involves use of content that incites, misleads, has non-objective facts” and “fabricates societal/historical issues”. Previous academic studies have found that any message sent over WeChat that cuts against Chinese Communist Party doctrine has been similarly censored.

Days earlier, Morrison asked Twitter to remove Lijian’s inflammatory post, without success. Twitter only removes content when it is “likely to impact public safety or cause serious harm”. Twitter also applies public-interest exceptions to posts by elected and government officials that might otherwise be removed, on the basis that they need to form part of the historical record. The contrast between Twitter, which pauses to consider whether to censor the most inflammatory content, and WeChat, which is quick to censor any content that contradicts its political masters, was stark.

The episode illustrates why ownership and control of social media and messaging services has arrived as a national security issue, even if its current state of play is a complete mess.

NSA warns: Russian bears all up in your VMwares

The NSA has warned that an unnamed Russian state-backed actor is actively exploiting bugs in VMware’s endpoint and identity management solutions.

The agency recommends network defenders immediately patch CVE-2020-4006, a command injection bug that affects a number of VMware tools. According to VMware, an attacker with a valid admin password to an affected web-based management interface can inject commands with “unrestricted privilege on the underlying operating system”.
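To make the bug class concrete, here is an added example in Python that is not VMware’s code and says nothing about how the real configurator is implemented: a hypothetical admin “ping a host” diagnostic, first written so that the admin-supplied parameter reaches a shell, then hardened by validating the parameter and passing it as a single argv element with no shell involved. The function names, the `ping` command, the metacharacter check and the sample inputs are all assumptions made for the example.

```python
import ipaddress
import subprocess
from typing import List

# Constructed example (not VMware's code): a web-based admin endpoint that lets
# an authenticated administrator ping a host. Authentication alone does not
# make this safe: a valid admin password plus shell interpolation is exactly
# the combination that turns a password hit into OS-level command execution.

# Shell metacharacters worth flagging when reviewing access logs or request
# parameters for a management interface (constructed list, not exhaustive).
SHELL_METACHARACTERS = set(";|&$`<>\n\"'()")


def build_command_vulnerable(host: str) -> str:
    # Vulnerable: the admin-supplied value is spliced into a shell command line.
    # If this string is handed to subprocess.run(..., shell=True), anything after
    # a ';' or inside $(...) is interpreted by the shell as a separate command,
    # running with the full privilege of the service account.
    return f"ping -c 1 {host}"


def validate_host(host: str) -> str:
    # Accept an IP address literal, or a hostname made of DNS labels restricted
    # to [A-Za-z0-9-]. Everything else (spaces, ';', '|', '$', quotes, ...) is
    # rejected before it can reach any command. A leading '-' is also rejected
    # so the value can never be parsed as an option by the called program.
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if not host or len(host) > 253:
        raise ValueError(f"rejected host parameter: {host!r}")
    for label in host.split("."):
        if (
            not label
            or len(label) > 63
            or not all(c.isalnum() or c == "-" for c in label)
            or label[0] == "-"
            or label[-1] == "-"
        ):
            raise ValueError(f"rejected host parameter: {host!r}")
    return host


def build_command_safe(host: str) -> List[str]:
    # Hardened: the command is an argv list, never a shell string. The validated
    # host is one element, passed to ping verbatim; no shell ever parses it.
    return ["ping", "-c", "1", validate_host(host)]


def run_diagnostic_safe(host: str) -> str:
    # shell=False (the default) means no metacharacter interpretation at all.
    result = subprocess.run(
        build_command_safe(host), capture_output=True, text=True, timeout=10
    )
    return result.stdout


def looks_like_injection(value: str) -> bool:
    # Cheap triage check for log review: does a management-interface request
    # parameter contain characters that only make sense to a shell?
    return any(c in SHELL_METACHARACTERS for c in value)


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying an injection payload.
    for sample in ("10.0.0.5", "10.0.0.5; id"):
        print("vulnerable command line :", build_command_vulnerable(sample))
        print("flagged by triage check :", looks_like_injection(sample))
        try:
            print("hardened argv           :", build_command_safe(sample))
        except ValueError as exc:
            print("hardened handler        :", exc)
```

The hardened version relies on two independent layers: strict validation of what an admin may submit, and an argv list so that even a validation gap never reaches a shell. Either layer alone is weaker than both together, and neither substitutes for applying the vendor patch.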

The NSA observed a highly capable adversary using this bug in the wild and reported the bug to VMware. It’s noteworthy that Fancy Bear (aka APT28, Strontium) was observed using automated password-spraying and brute force techniques in September. This type of bug makes a password hit a whole lot more useful.

The attackers that abused this command injection vulnerability were observed installing web shells on compromised devices, generating SAML tokens and using those tokens in Active Directory Federation Services to allow access to other data sources on the same network.

For folks that can’t patch immediately, VMware recommends defenders temporarily disable the configurator service. The NSA also offers advice [pdf] on limiting access to the VMware management interface, securing SAML assertions and checking logs for signs of attack.

TrickBot scans for write-enabled BIOS

Threat researchers have discovered that TrickBot now scans compromised devices for firmware vulnerabilities.

A new TrickBot module checks the SPI controller on infected devices to check if the machine’s BIOS is write-enabled. Threat researchers said the module also checks for UEFI vulnerabilities and includes code that would enable attackers to read and write to a machine’s firmware.

That’s quite concerning. Devices with infected firmware become (more or less) permanently untrustworthy. Every time you rebuild an infected machine, it could be reinfected from firmware. These sorts of attacks have always been theoretically possible and make for popular topics at hacker cons. But the prospect of such an attack being operationalised by a formidable cybercrime gang is a bit of a “gulp” moment.

At this point, we can’t say what share of the fragmented device ecosystem ships with writable BIOS by default. The latest “feature rollout” for TrickBot means its operators likely have a better idea than we do. If they like what they see and start using this in anger, it’s going to cause all sorts of headaches.

UEFI attacks are a bit fiddly, so we agree with Advanced Intelligence and Eclypsium: this particular party trick will probably be reserved for high-value targets.

US Government to get National Cyber Director

US lawmakers are set to vote to establish the Office of the National Cyber Director, a politically-appointed position that will advise the US President on cyber policy and strategy.

Under the agreed text for the FY21 US National Defence Authorisation Act [pdf] the President can appoint a National Cyber Director, who can hire 75 staff to oversee and coordinate on cyber security issues across the US Government. The Office will track everything from:

  • The defensive posture and incident response plans of the US government (roles performed by CISA),
  • Efforts to deter malicious cyber activity (roles performed by USCC and the DoJ),
  • InfoSec policies and agency budgets (roles performed by OMB),
  • International norms development (a role performed by the State Department),
  • Supply chain risk management.

While the director will have the ear of one of the world’s most powerful people and a seat at National Security Council meetings, the role doesn’t modify any of the authorities of current officials.

Establishing the role was a key recommendation of the bipartisan Cyberspace Solarium Commission. The Commission’s Executive Director Mark Montgomery used the NDAA negotiations to lobby for Defence-related recommendations from the commission to be passed into law. His efforts appear to be bearing fruit, except that for the most part the NDAA asks the US Department of Defence to assess whether the ideas have merit and doesn’t instruct the DoD to put them into immediate practice.


Some of our American friends woke up to a Seriously Risky Biz newsletter that very prematurely called the FY21 NDAA “passed”. While both Houses of Congress have agreed on a text, both the House and the Senate won’t officially pass it until a vote is called over the next few days, before it then goes to President Trump. Apologies for the error!

We expect the NDAA bill has sufficient support from both R’s and D’s to override an attempt by President Trump to veto the bill.

DoD, CISA authorised to go hunting

Speaking of the NDAA, US lawmakers are also using it to give CISA and the US Department of Defence the green light to engage in threat hunting on .gov (CISA) and defence contractor (DoD) networks.

Under Section 1705 of the proposed FY21 NDAA, CISA will be authorised to conduct threat hunting on .gov networks (all civilian agencies) without necessarily giving target agencies a heads up. The bill also gives CISA the authority to demand ISPs notify critical infrastructure operators when CISA identifies vulnerabilities in their systems, and asks CISA to hire cybersecurity coordinators in each US state.

The US Department of Defence was asked (under S. 11739) to devise a model for performing threat hunting on the systems of privately-held defence contractors. It’s up to DoD to determine appropriate scope and decide who should conduct the testing (it could be Cyber Command, other contractors or subcontractors). If the Secretary of Defence deems this a good idea, the NDAA effectively authorises the department to go for broke.

The DoD was also asked to pilot the use of “speed-based metrics” to measure the maturity of the DoD’s security programs. This is based on ideas put forward to the Solarium Commission by Dmitri Alperovitch and Richard Bejtlich. Both posit agencies will make more prudent investments in security controls if the speed at which they detect and respond to incidents is measured.

For the record, Alperovitch highlighted four of the initiatives listed above (out of a list of 84 ideas recommended by the Cyberspace Solarium Commission) in Risky.Biz feature stories on securing .mil in April 2020 and securing .gov in May 2020. Dmitri’s chrysalis-like metamorphosis from next-generation cyber security entrepreneur to next-generation policy nerd is complete.

Here are a few other NDAA sections worth a mention:

  • S. 1256 permits the US Department of Defence to provide cyber security training to military officers in Vietnam, Thailand and Indonesia.
  • S. 1730 asks DoD to assess the viability of appointing cyber reserves where there are shortfalls in expertise and capability, to determine their scope and whether they should be uniformed, civilian or mixed.
  • S. 1260F asks the US Administration to report every two years on whether the US National Cyber Strategy is having any impact on deterring China’s campaign of “industrial espionage and large-scale cyber theft of Intellectual Property and Personal Information”.
  • S. 9005 asks the Government Accountability Office to assess if cyber insurance policies are affordable, and whether the government needs to intervene to “facilitate the growth and development” of more insurers with cyber policies.

It’s enough to give you the chills

An unknown attacker has attempted to compromise organisations involved in the cold storage and delivery of COVID-19 vaccines.

IBM observed phishing attacks against organisations linked to the cold storage of the vaccines in six countries across Asia (including Taiwan and South Korea) and Europe (including Germany and Italy) in September and October 2020. The attackers targeted entities linked to the Cold Chain Equipment Optimisation Platform (CCEOP) of Gavi, a not-for-profit that organises the distribution of vaccines to developing countries.

The same attackers targeted the European Commission, solar panel manufacturers that supply to the cold storage industry, a South Korean software development house, a German IT company with pharmaceutical clients and petrochemical companies (manufacturers of dry ice). IBM would not say whether any of the attacks were successful and could not say who was responsible.

The emailed attacks spoofed legitimate Haier Biomedical, a China-based company involved in cold chain distribution operations.

IBM is convinced, based largely on the targeting, that the attacks aimed to acquire knowledge of “how the vaccine is shipped, stored, kept cold and delivered”. It’s the next logical step for espionage actors that have been more than a little curious about medical research.

Some analysts have expressed doubts about IBM’s claims. DomainTools’ Joe Slowik isn’t entirely convinced the targets weren’t part of a significantly larger phishing campaign. CSIS analyst James Lewis told the New York Times that there’s very little intelligence to be gained from “hacking refrigerators”, and questions whether the campaign might be part of a targeted ransomware operation.


Australia’s Feds get new cyber powers

Lawmakers in Australia want to arm its Federal Police (AFP and ACIC) with new hacking and surveillance powers that compensate for blind spots caused by encrypted communications.

Today the Federal Police can apply for warrants to access data on a target device or tap the telecommunications of a target user. But the widespread use of burner phones, E2EE messaging and other communication services designed for secrecy and anonymity often limit the ability of police to turn that access into prosecutions.

The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 asks lawmakers to permit three new types of warrant: a data disruption warrant, a network activity warrant and an account takeover warrant, which are all designed for use in combination with existing computer access warrants and telecommunications interception warrants.

  • A data disruption warrant would allow police to covertly add, copy, modify or delete data on a target system if that’s the best course of action to frustrate or disrupt the commission of a serious offence. This might mean deleting harmful content from a CSAM chat group, denying access to an illicit drug market hosted using a Tor hidden service or redirecting traffic from one site to another.
  • A network activity warrant would allow police to discover the scope of activities and identify participants in criminal syndicates by covertly monitoring the communications platforms used to organise their activities. It could, for example, allow investigators to monitor encrypted chat rooms used by child sex offenders or covertly listen in on the encrypted WhatsApp or Telegram channels used by terrorists. It would provide for broad permission to access data on any device these groups use, including third-party devices that traffic passes through. If the data is stored on devices located in another country, the warrant requires police to obtain the consent of a foreign official in that territory. But there’s also a handy loophole: if the location of the data “cannot reasonably be determined”, no consent is required.
  • An account takeover warrant allows agencies to take covert or forced control of a suspect’s online account to gather evidence. Today law enforcement needs a suspect’s consent to access these accounts. This warrant is designed to support computer access warrants and is enabled through the “modification of data”. That probably means using existing access to a device to change the access credentials for apps and online accounts.

Account takeovers would require a warrant signed by a magistrate, while the other two new powers would require a warrant signed by a judge or member of Australia’s Administrative Appeals Tribunal. All three powers can only be exercised in the investigation of crimes for which there is a maximum penalty of at least three years prison.

The Commonwealth Ombudsman would provide oversight of how law enforcement uses account takeovers and data disruption warrants. But recognising that a network activity warrant is effectively an intelligence tool, oversight of these warrants would be provided by the Inspector General of the Intelligence Services (IGIS).

Data collected using a network activity warrant couldn’t be used as evidence in a court of law. It could, however, be used for derivative purposes, such as to support applications for computer access and telecommunications interception warrants. Data disruption warrants couldn’t be sought for the express purpose of collecting evidence, as these warrants would allow for data to be modified by police. But there’s also a loophole here: if evidence arose in the process of a disruption activity (see 65C), it could be used in court.

A former cybercrime investigator told Risky Business that the new powers would have been very useful in their prior work.

The new laws have been referred to a Parliamentary Joint Committee on Intelligence and Security (PJCIS) for further scrutiny.

Two reasons to actually be cheerful this week:

  1. Active Defence in action: The UK’s National Cyber Security Centre took down 166k phishing URLs last year and blocked 260 SMS Sender IDs used by actors to send COVID-19 related lures. The NCSC’s annual report [pdf] makes for good reading.
  2. Hardware companies step up on supply chain security: Dell introduced tamper-evident seals for use during physical transport of its computers, and a function that wipes and resets disks prior to customer deployment.


Kazakhstan tries SSL interception again

The Kazakh government has mandated internet users in its capital city install a root certificate on their devices if they wish to connect to internet services outside Kazakhstan. ISPs are redirecting web requests to a page with instructions on how to install the certificate. It’s the third time Kazakh authorities have made a play for mass interception of user traffic. Browser makers blocked two previous attempts.

EGregor getting very busy

The EGregor ransomware operation looks to be every bit as prolific as the Maze operation it replaced: this week alone it took down global recruiting firm Randstad, Metro Vancouver’s TransLink and US retailer Kmart. You might want to check out this Red Canary thread on QBot, a loader that’s often a precursor to EGregor campaigns, and recent posts by Recorded Future, Cybereason and SentinelOne on the ransomware strain. As always, ignore the “we detect 100% of infections” nonsense.

Phone calls add pressure to ransomware extortion threat

Catalin Cimpanu at ZDNet reports that victims of some ransomware gangs have since August received scripted calls that reinforce the attacker’s demands. The other big ransomware news this week was the compromise of Foxconn, the world’s largest contract manufacturer of electronics, which is being extorted for US$34 million.

Australia to overhaul its surveillance regime

The Australian Government plans to spend the next five years dispensing with a large number of outdated surveillance laws and replacing them with a single electronic surveillance act. It’s also proposing to remove the need for intelligence agencies to seek judicial sign-off to get a warrant. Australia’s Law Council expressed “grave concerns”, arguing that ministerial authorisation doesn’t provide sufficient oversight.

Playing on all the Teams

Microsoft has patched an interaction-free bug in the Electron-based desktop version of its Teams app. Any party in a Teams chat could abuse a relatively simple stored XSS bug to steal the access credentials of other participants simply by addressing them in a message. With those credentials the attacker could take over a victim’s Office 365, OneNote, Teams and other Microsoft app accounts. Pat is being insufferably smug about this.

That’s a wrap, 2020

Thank you for subscribing to Seriously Risky Business! I’m very grateful for the opportunity to bring it to you each week, and delighted by how much support and scrutiny it gets. This is our last newsletter for 2020. We’ve secured support for 2021 and will be back in early January. I hope you manage to squeeze in a safe and relaxing break over the coming weeks.

Enjoy this update? You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at