You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page.
Ransomware is officially on the board agenda
How’s this for a cogent data point: Catalin Cimpanu at ZDNet had the curiosity and foresight to search for the word ‘ransomware’ in recent SEC filings. Cimpanu found that over 1000 public US companies now list ransomware attacks as a forward-looking risk.
It wasn’t long ago that a company getting popped in a ransomware attack would rate a mention on the Risky Business podcast. Today, it takes a novel attack to raise an eyebrow.
The risk community commonly views human-operated ransomware as a high impact event - the cost of attacks on Norsk Hydro (US$75m) and Travelex (US$30m) ensured it - but until recently it didn’t score quite so high on the likelihood axis.
That’s changed. Ransomware is now a preferred business model for organised criminal groups. Online banking trojans have been re-engineered as generic RATs to support ransomware campaigns. There are 10-12 well-resourced gangs buying access to compromised systems at scale and using that access to pivot across networks and lock up data. They have grown brazen - publishing snippets of stolen data to demonstrate their intent and inflating ransoms every day a victim delays payment. Bleeping Computer reports this week that the average ransom demanded in attacks during the first quarter of 2020 exceeded US$100,000 for the first time.
‘Opt-in’ contact tracing apps creep into mandatory territory
Staring down another failed technology project, several governments are exploring subtle ways to compel citizens to use what are otherwise promoted as ‘opt-in’ contact tracing apps.
India has made its contact tracing app - the ‘Health Bridge’ app - mandatory for all employees returning back to work, despite initial promises of an ‘opt-in’ system. The Modi Government will hold employers accountable for compliance with the measure.
India’s Aarogya Setu (‘Health Bridge’) app uses Bluetooth proximity and GPS location data to trace possible exposures to people that later test positive to COVID-19. The app stores this data on user devices until an exposure event. While users are encouraged to self-report a positive diagnosis, authorities retain a technical capability to pull proximity and location data from an individual’s phone at their choosing.
The app has been downloaded by 83m users (6% of India’s population).
Udbhav Tiwari, a public policy advisor for Mozilla in India, urged authorities to release the app’s source code and pass laws that restrict how the data collected by it can be used. “Mandating installation of Aarogya Setu is an extreme measure that will dramatically increase the privacy and security risks faced by the average Indian returning to the workplace,” he told Risky.Biz.
Singapore’s pioneering TraceTogether app was also opt-in at release. Adoption peaked at 17%. Now there are calls for the app to be mandatory.
The Australian Government - whose COVIDSafe app is based on TraceTogether and has also been downloaded by 17% of the population - is employing more subtle means of persuasion.
In an effort to win trust, Australia’s Attorney General released an exposure draft of legislation that promises stiff penalties for anyone refusing employment or services to a person on the basis of whether they use the app.
Instead, authorities are framing adoption of the app as a precondition to lifting broader societal restrictions. “If you know someone that hasn’t downloaded the app, encourage them to do so,” the Prime Minister told the cameras.
That would be perfectly reasonable if - as Risky.Biz explored in our feature story this week - the data from the app was actually being used, the app actually worked on iPhones, and if the government responded well to bug reports.
Gapple: it’s our way or the highway
Apple and Google (hereafter, ‘Gapple’) have released sample code for the ‘exposure notification API’ the two companies propose for contact tracing, alongside a set of conditions they expect national health authorities to adhere to in order to use it.
Gaple will not accept any use of the API if contact tracing apps attempt to access location services on user devices. Apps that already do make use of location data - such as Israel’s ‘Shield’ and India’s ‘Health Bridge’ won’t be removed from app stores, but they also won’t be able to make use of the API, which means they won’t work properly on iPhones.
The new requirements could put the Gapple solution at odds with MIT’s PrivateKit - a contact tracing protocol being trialled in Massachusetts. Reuters expects a standoff between Gapple and several US States that wish to augment BLE proximity data with GPS location data.
UK authorities will launch a BLE-based contact tracing app tonight.
China puts the squeeze on network services, cloud services
China has updated its cybersecurity law with regulations that govern domestic purchase of network hardware (including security devices), cloud computing services and high-end computing equipment.
Companies operating in China will need to submit paperwork on purchases of IT equipment and services to the National Internet Information Office, who will determine if they are in China’s security interests. The regulator will decide within 10 days if the purchase requires a review, and will hold up the purchase by a further 45 days if it does require a review. Fines for non-compliance are up to 10 times the purchase price of the goods and services purchased and up to ~US$15,000 for individuals involved in the purchase.
Chinese authorities stressed that the law does not restrict or discriminate against foreign products and services, but the bill does note that “the risk of supply chain disruption due to political, diplomatic, and trade factors” will be factored into the regulator’s determinations.
Foreign suppliers cut off from US power grid
US President Donald Trump has declared the vulnerability of the US power grid a “national emergency” and signed an executive order that prohibits domestic power utilities from buying electrical equipment manufactured outside the United States.
The US Government fears that network-enabled electrical equipment manufactured overseas present opportunities for adversaries to remotely cripple the US economy.
The order requests the US Energy Department create an ‘allow list’ of electrical equipment manufacturers from allied countries that could be exempted from the program.
US agencies warned: don’t go alone on DNS over HTTPs
CISA, concerned that some agencies made use of third party DoH resolvers in the rush to configure remote working options for staff, has warned US government agencies that they must continue to use the government’s centralised DNS filtering service (E3A).
DNS over HTTPS (DoH) encrypts DNS requests sent between the web browser and DNS resolvers, making it difficult for a third party to observe what websites are being requested. The protocol is now supported in most browsers and is on by default in Mozilla Firefox, allowing users to circumvent network security controls configured by security teams.
CISA expressed concerns that using third-party DoH resolvers exposes users to known malicious sites that might otherwise have been filtered out. It also reduces visibility for common threat-hunting techniques.
CISA demanded agencies use Group Policy Settings to block DoH in the browser. It promises to eventually roll out its own DoH and DNS-over-TLS DNS resolution services for approved use in agencies.
SaltStack users attacked in crypto-mining operation
A large number of popular web services were attacked on Sunday by a crypto-mining operation exploiting newly-disclosed vulnerabilities in SaltStack.
SaltStack is a popular open source server management tool. As of May 1, 5100 vulnerable Salt servers remained exposed to the internet. Catalin Cimpanu is cataloguing exploits as the list of breached companies balloons. US-CERT is warning SaltStack users to patch ASAP. This could get messy.
Hacks heating up the South China Sea
The dispute between China and Vietnam over the Paracel Islands in the South China Sea continues to spill over into cyberspace.
Researchers at Anomali discovered phishing emails that targeted data centre staff at a Vietnam government agency located in Da Nang, the Vietnamese province closest to the islands.
One or more spear phishing emails were sent from fellow employees (suggesting a previous account compromise) and attempted to drop a Remote Access Trojan linked to Chinese state-backed hacking crew, Pirate Panda. Pirate Panda has been attacking Vietnamese Government officials for at least three years.
Five(!) reasons to actually be cheerful this week:
- ICANN blocks .org sale: ICANN has withdrawn its support for a plan by the Internet Society to sell management of the .org registry to venture capital firm Ethos Capital. Expect a legal challenge.
- Microsoft acts on email auto-forwarding: By the end of the year, Microsoft’s default Office365 config won’t allow users to set email forwarding to external recipients. It’s well overdue - auto-forwarding has long been abused by scammers that pop O365 accounts for Business Email Compromise attacks. As a bonus, Microsoft can profit from its sluggish response - admins that license Microsoft’s “Advanced” (Lol) Threat Protection will be able to toggle auto-forwarding on a per-account basis. Ka-ching!
- Chrome to crack down on extensions: Google is planning a long overdue cull of Chrome extensions, including bans on adware. It is ridiculous that rubbish toolbars from the likes of ‘Mindspark’ pass as legitimate extensions in 2020.
- Sleepy DreamBot: Researchers note that DreamBot, the banking trojan built on the leaked source code of Gozi, has mysteriously gone silent. It’s backend servers are gone and no malspam is being detected from infected machines.
- The NSA wants to help you collaborate: The NSA has published guidance on choosing video collaboration tools, including a simple table that compares security features. This would have been so handy in February.
Freight under attack:
Australian freight giant Toll Holdings has closed down several systems - including email servers - after a second major security incident in under five months. Further, the outage we previously reported at Mediterranean Shipping Company was - as expected - confirmed to be the result of a malware infection.
Indonesia’s mammoth data breach:
A data set related to 91m users of Indonesia’s largest online retailer, Tokopedia, is for sale on the dark web for US$5000. Lawrence Abrams at Bleeping Computer reports that while the data set is incomplete, a subset of entries include names, birthdates, email addresses and hashed passwords. Around 200,000 of these passwords have been cracked and made available for sale. There will undoubtedly be more.
Vietnam’s top APT crew getting great exposure:
Last week FireEye found Vietnam-linked APT32 lures in VirusTotal, this week Kaspersky found APT32 code in two more rogue Android apps on Google Play. These guys are getting totally famous.
Adult cam site CAM4 has exposed 7TB of sensitive user data on a misconfigured ElasticSearch instance. It included subscriber names, email messages and private conversations.
Third time unlucky:
Online education provider Chegg notified customers of its third data breach in three years after attackers made off with 700 records of current and former employees.
Enjoy this update? You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at firstname.lastname@example.org.