Mandatory intel sharing won't cure Holiday Bear woes

The Risky Biz newsletter for March 2, 2021...

You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page.

Lawmakers are warming to a Microsoft request for Congress to pass laws that would compel private sector companies to notify the US Government about security incidents.

The full scope of the idea hasn’t to our knowledge been fleshed out in any meaningful way. The idea was put forward to a Congressional hearing by Microsoft’s legal and government affairs lead, Brad Smith, when he was asked how the United States could best defend itself against an actor like Russia’s SVR.

Smith turned to one of the oldest tropes in security: that SVR operators would have been thwarted by breach notifications and better intelligence sharing. It’s a trope because threat intelligence sharing is almost universally a good thing and it’s hard to disprove whether it would have made a difference in the adventures of Holiday Bear.

We can’t know, for example, what would have happened if Fidelis had shared information about an infection in May 2020, shortly after it evaluated SolarWinds Orion. We can’t know what would have happened if Palo Alto had joined the dots on two infections it detected in October and November of 2020, well before FireEye’s discovery and disclosure in mid-December.

But here’s what we do know. Microsoft, with all its visibility and cyber security talent, didn’t detect attackers on its network over days, if not weeks. Microsoft only knew where to start looking when FireEye tipped it off in December, and was still evicting the adversary well into January 2021. Microsoft also didn’t detect the presence of SVR in customer O365 tenants prior to FireEye’s advisory.

That’s no slight on Microsoft: SVR’s operation was well executed, with a high regard for operational security. There wasn’t a lot of context for analysts to pivot on until Mandiant performed a post-breach investigation at parent company FireEye. In yesterday’s (sponsored) Risky Business Soap Box podcast, we learned that NDR vendors absolutely detected some anomalous SolarWinds traffic, but their customers just thought it was their SolarWinds boxes acting a bit weird. They didn’t think they were looking at something as impactful and unlikely as a supply chain compromise.

Further, one could argue that threat intelligence sharing did, in fact, win the day, and we can thank FireEye exclusively for that. It was a FireEye staffer who first detected and pivoted off one of these infections, and it was FireEye that braved potential ridicule to publicly admit to being breached. That gave everyone else permission to look and (in most cases) disclose. What would have been gained by reporting to the government first?

Microsoft’s Smith says the company would willingly comply with new notification obligations if it was offered liability protection in return. But FireEye acted without concern for liability protection when it shared its breach with the public.

Smith knows that an honest, genuine exploration of how to protect against an actor of SVR’s proficiency is going to test the patience and focus of lawmakers in a congressional hearing. They’re seeking a gotcha moment, a simple fix or somebody to blame. And that’s what he’s serving up.

But it’s important the policy community resists the temptation to view breach notification and threat intelligence sharing as universal fixes to complex problems.

US Government agencies caught up in Accellion mess

US federal government agencies were among the ~100 organisations impacted in attacks that compromised Accellion File Transfer Appliances (FTAs), according to an official advisory.

The detail was contained in a joint advisory CISA co-authored with peers in Australia, New Zealand, Singapore and the United Kingdom, which distributed IOCs collected during responses to attacks on organisations that used FTAs.

CISA says it observed “a large amount of data transferred over port 443 from federal agency IP addresses” during two incidents.

In each attack, hackers abused one of four vulnerabilities, uploaded a simple webshell, exfiltrated data and frequently threatened to publish stolen data if ransoms weren’t paid. As we reported last week, some of the data stolen in these attacks has been published by the CL0P ransomware gang on its leak site.

FireEye-owned Mandiant cautiously attributed the Accellion hacks to an uncategorised group (UNC2546) and the extortion emails to another (UNC2582). But the analysts also made note of several overlaps between the hacking, the extortion attempts and FIN11, a prolific, profit-motivated hacking group that typically deploys the CL0P ransomware.

Mandiant is treading carefully on attribution for a few good reasons.

  • Most of the infrastructure-related overlaps relate exclusively to later stages of the attacks on Accellion clients.
  • In a typical FIN11 operation, attackers use initial access to move laterally on the victim’s network and deploy ransomware. To our knowledge, ransomware wasn’t deployed on any of the targeted networks.
  • Mandiant also notes that FIN11 was on a “winter hiatus” at the time: the group hadn’t been sending its usual volume of malspam.

So as we speculated two weeks ago, these boxes might well have been popped by one actor, who sold the stolen data on to another.

Ukraine fingers Russia over document portal infiltration, DDoS attacks

Ukraine has accused Russia’s intelligence services of compromising an intra-agency file sharing portal used broadly across the Government of Ukraine.

Ukraine’s System of Electronic Interaction of Executive Bodies (SEI EB) is a web portal for sharing documents between government agencies. Attackers somehow gained access to the portal and seeded it with malware-laced documents.

An incident report shared by Ukraine’s National Security and Defense Council described the impact as a “mass contamination.”

Journalist Catalin Cimpanu concluded the attack was the work of Gamaredon, a Russian intelligence operation that often targets Ukrainian interests.

Earlier in the week, the same agency reported that government-run servers in Ukraine were compromised and being used as bots in DDoS attacks on a range of defence and security web sites across the country.

China takes its beef with India online

Threat analysts Recorded Future have observed an increase in Chinese state-sponsored hacking of Indian organisations over the last 12 months.

Since mid-2020, hackers using similar tradecraft to China’s APT41/BARIUM compromised at least 10 separate targets in India’s electric grid and two Indian seaports.

Unfortunately, the release of Recorded Future’s report was marred by some sensational news reports.

Reporters at the New York Times connected the research to a 12-hour power outage in Mumbai in October 2020, claiming it was proof that a Chinese cyber attack turned out the lights in India. The NYT ran with this angle even as Recorded Future protested that it had no proof the intrusions were used in attacks. The NYT report lit a grassfire of follow-up news reports in India, where a local politician came forward to say that “14 trojan horse programs” were discovered in the city’s power system after the outage.

The story has since been refuted by India’s Ministry of Power. Minister RK Singh told journalists that the outage wasn’t caused by “cyber sabotage”. Human error was to blame, he said.

DPRK: “A criminal syndicate with a flag”

The US Department of Justice has bound together a long list of cyber heists perpetrated by North Korea’s Lazarus Group into a single hacking conspiracy, doxxing two more of its operators in the process.

A freshly unsealed indictment names Jon Chang Hyok, Kim Il and Park Jin Hyok as members of North Korea’s Lazarus Group, aka APT38.

It charges the three operators (and other unnamed co-conspirators) with the attempted theft of over US$1.2 billion of funds using fraudulent SWIFT transfers from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa, as well as the hacking of cryptocurrency exchanges and the use of fake apps to steal cryptocurrency from the digital wallets of individual victims.

These thefts were appended to existing charges over Park’s involvement in the attack on Sony Pictures and its distribution partners, and the WannaCry 2.0 attacks.

Crucially, the DOJ attributes all the activity directly to the DPRK’s Reconnaissance General Bureau, which Assistant Attorney General John C. Demers dubbed “a criminal syndicate with a flag”.

The indictment notes that while the three hackers usually operate from North Korea, they also operated from China and Russia on occasion.

Separately, the DOJ announced a plea deal with Ghaleb Alaumary, a Canadian-American who laundered funds on the DPRK’s behalf.

In an intriguing bit of “six degrees of underworld separation”, Alaumary was accused of conspiring with Ramon Olorunwa Abbas (our friend “Ray Hushpuppi” from SRSLY RISKY BIZ #16 and #17) to launder funds the Lazarus Group stole from a Maltese bank in early 2019.

You’ve got mail

To: The aviation industry
From: LazyScripter (probs Iran)

Researchers at Malwarebytes traced the contours of a mysterious APT whose malspam campaigns drop one of several open source and commercial RATs, helping it blend in with the noise of eCrime actors. The hackers appear to be very interested in airlines and other travel firms.

To: The Tibetan diaspora
From: China

Proofpoint attributed a spearphishing campaign that targeted Tibetan organisations to Chinese state-sponsored attackers. The campaign tricked targets into downloading a malicious Firefox add-on, providing attackers access to a victim’s Gmail account. It also downloaded a keylogger to the victim’s device.


Been caught hacking: White House proposes sanctions over Holiday Bear

The Biden administration is reportedly preparing sanctions and other punitive measures against Russia in response to both the Holiday Bear operation and the poisoning of Putin’s political rival, Alexei Navalny. The administration’s argument seems to be that the scale of the SolarWinds compromise was beyond the pale. The US is compelled to respond, by virtue of SVR getting caught hacking at such a scale, even if the response has minimal deterrence effect. Patrick and Adam discussed this at length in the opening to last week’s podcast.

Patch your vCenter

Attackers are scanning the internet for VMware systems that aren’t patched against a critical remote code execution bug present in all default vCenter installs. Some simple, one-line Proof of Concept exploits for the bug are doing the rounds.

“These materials may have been obtained through hacking”

A hacker claims to have pulled 70GB of data from far-right social media network Gab using SQL injection. The stolen data includes hashed user passwords and a few weeks’ worth of private conversations between users on the site. Activists at DDoSecrets plan to selectively leak the data to journalists and researchers. Given the propensity of Gab users to say absolutely disgusting (if not incriminating) things, we’re not sure “exposing” the equally awful things they say in private is going to change much.

Playing the ransomware crew’s game

Games company CD Projekt Red is conducting a public experiment in what happens when a victim of ransomware gangs plays the whole process out in public in near-real time. The studio announced it was hacked within a day of discovery, published the ransom note, and has been trying to use the DMCA to take down leaks of stolen source code as it gets published. They’ll probably lose this battle, but hey, points for trying.

RIPE for cred-phish

Attackers unsuccessfully tried to brute force their way into member accounts at RIPE NCC, the regional registry that assigns IP addresses and ASNs to networks in Europe. The attack caused availability issues for legitimate users, but the registry says it hasn’t detected any unauthorised access to accounts. So no joy for the spam operators this time.

It’s a good time to hack the Canadian government

Canada’s Public Sector Union claims that 2400 workers at the country’s SIGINT agency (the Communications Security Establishment) are going on strike over a pay dispute. We tried asking what days they’ll be on strike, but it’s some sort of secret.

Stop making sense

Australia’s federal opposition (the ALP) published a position paper on ransomware. It reads surprisingly well, and demonstrates how well versed MP and co-author Tim Watts is in the sort of muck we wallow in.

This week’s long reads

  • The Atlantic Council published a deep-dive on privately-owned offensive cyber capabilities that are routinely used in the service of various states. The report includes a case study on what they call ENFER, a private Russian firm which sounds kinda maybe like a company we’ve previously mentioned in this newsletter.
  • We liked what Catalin Cimpanu extracted from CrowdStrike’s annual threat report about the eCrime ecosystem.
  • Mandiant published a technical post on a ransomware affiliate (which it calls UNC2198) that’s very prolific in North America.
  • Brian Krebs studied the economics (or lack thereof) behind browser extensions, and the shady operations that buy access to user traffic.
