Three years on from NotPetya. BlueLeaks and sector-specific aggregation of risk. Minimising harm in breach notification comms. Exfiltrating data using Google Analytics.
Vol. 3 Iss. 26 28/06/2020, last updated 05/07/2020 Robin Oldham ~9 Minutes
Maersk, me & NotPetya
Saturday 27th marked three years since the NotPetya attack on Ukraine that went on to cripple computer systems around the world. MeDoc, a tax accountancy software package used by 90% of domestic Ukrainian companies, had been compromised and its auto-update mechanism had been used to deploy malware. Intelligence agencies would go on to attribute the attack to Russia’s foreign military intelligence agency, the GRU.
The malware used the leaked U.S. National Security Agency’s ‘EternalBlue’ exploit found in WannaCry, and presented symptoms like ransomware - encrypting data and presenting a screen demanding ransom payment - however, analysis quickly showed that there was no way to undo the process: it was designed to inflict damage rather than collect a ransom.
While 80% of victims were in Ukraine, international business was affected with food processor Mondelez, health and pharmaceutical companies Merck and Reckitt Benckiser and advertising agency WPP all being infected.
The highest-profile victim was the international shipping and logistics business Maersk.
Wired’s Andy Greenberg covers the whole story with his usual journalistic flair, during which IT staff in Maidenhead worked to rebuild 4,000 servers and 45,000 user devices. The rebuild was completed over a 10 day period, during which the business suffered a 20% drop in shipping volume while operating using pen-and-paper. It’s a frankly astounding feat, considering one of the company’s blue ships docks somewhere in the world every 15 minutes, with anywhere between 10,000 and 20,000 containers needing to be unloaded.
Gavin Ashton, responsible for the company’s identity services, published a long read this week covering his experience as part of that team. It’s a great read and includes some excellent lessons and perspectives on how organisations (large and small) can, and must, get their identity management and privileged access in order. And also how these events can present great opportunities to shake up established practices.
“One enormously positive thing to come about was the decision to accelerate a Windows 10 deployment… Maersk had almost overnight, completely overhauled the laptop estate. And all those instances of local admin privileges weren’t coming back.” — Gavin Ashton
Gavin also covers ‘the human cost’ of the cyber-attack: a topic close to my heart, having been involved in responding to more-than-a-few high-profile incidents. This ‘softer’ side of cyber incident response often gets overlooked and I make a point of touching on it in all board-level exercises I run.
These events are highly emotional for all involved. A blame-culture in your organisation will lead to people fearing for their jobs (is it my fault? should I have done something differently?) and focussing on covering their ass, or looking for a new job, rather than rallying together and responding to the issue.
Any athlete can tell you that, without water, food, and rest (nominally in that order!) performance will fade. Response teams are no different and, while perhaps not as physically demanding,
Related to that, you need to consider the ‘depth of your bench’ when it comes to the skills and knowledge you need. Outsourcing or whittling down teams may leave you in a position where you are overly reliant on individuals rather than able to spread the load across multiple team members.
One of the wake-up calls from the Maersk NotPetya incident for technology teams is, perhaps, blindingly obvious (but hindsight is a wonderful thing): live-live replication is not a backup. It improves the resilience of services against failure and natural disaster; however, it is not a countermeasure against digital threats. Replicated systems will exacerbate the problem as they operate like a force-multiplier.
Both Andy and Gavin’s reads are long ones, though it’s worth grabbing a cuppa and considering how the topics may apply to your own organisation.
75% of software vulnerabilities in open-source projects reside in ‘indirect dependencies,’ according to research by Snyk zdnet.com
Other newsy bits
Ten years of data from 200 U.S. police departments have been released by the Wikileaks-esque Distributed Denial of Secrets site, totalling nearly 270 gigabytes.
The data breach occurred at Netsential, a web development firm that provides services to law enforcement ‘fusion centres’ that allow the sharing of intelligence and information on suspects between local and state police and federal agencies like the FBI.
The group behind the leak say the files ‘reveal legal but controversial practices’ of police. The trove of information also contains personal and some financial information. That increases the potential harms to the safety of those individuals involved in on-going investigations or undercover operations.
It’s an interesting case study of the aggregation risk from sector-specific apps. Greater specialisation and structure of the data may lead to great efficiency within the target market, but that goes hand-in-hand with the increased threat from actors wishing to target that sector. (NotPetya’s spread via accountancy software presents a functional equivalent.)
Twitter for Business leaks / minimising consequences in incident comms
I woke up to an email from Twitter this week about a ‘data security incident’ affecting Twitter Business customers that used the social media company’s ads or analytics services. A bug meant that email address, phone number, last four digits of payment cards and their billing addresses were cached in the web browser. It means that the data could have been accessed by other users on shared computers.
That greatly limits the number of potentially affected users; however, it was the month-long delay in notifying customers that I found the most interesting part of this incident.
Most web browsers store cached information for a maximum of 30 days, before deleting it. By waiting for over one month to tell users Twitter hoped that most of the data would already have been purged from caches, further reducing the potential consequences.
It’s an interesting topic that I explored in a few tweets, which I think you can consider from a risk perspective, where the impact (data exposed) remains the same.
The ‘notify immediately’ approach results in a higher threat (where attackers are aware of the potential for data to be found), but allows users to take action to minimise their own vulnerability by purging cached data themselves.
The approach taken by Twitter in this instance reverses those parts of the equation: users remained at a higher level of vulnerability, but faced a lower level of threat as details were not public.
TikTok / Copy + Paste notifications
It was Apple’s World-Wide Developers Conference this week, and one of the things they introduced was notification of apps accessing your clipboard. ‘Hardly the kind of groundbreaking feature we expect in 2020!’ I hear you cry. Me too, until I had a ‘holy shit’ moment at a video of TikTok’s app running on a beta of the new Apple operating system firing notifications every second.
Lots of apps scan your clipboard when you open/switch to them to check for relevant data: perhaps it’s a delivery tracking app looking for a tracking number, or a URL matching the publisher’s content.
But our clipboards also carry all sorts of other information (what’s your clipboard right now?) from highlighted text, to personal or financial information and passwords needed to login to services.
The feature was apparently catalysed by research originally posted in March by Talal Bakry and Tommy Mysk who looked at how apps were abusing users’ clipboards, centring on TikTok’s creepy (and seemingly unnecessary) access. mysk.blog, arstechnica.com
Using Google Analytics to steal credit cards
Magecart gangs have begun using a novel tactic to circumvent Content Security Policy (CSP) restrictions and exfiltrate data from compromised websites that use Google Analytics to track visitor metrics and advertising performance.
Modern, API-driven websites may not reload the whole page when a user interacts with its content and Google Analytics provides functionality to send event ‘beacons’ to be tracked by the platform.
Those beacons are typically legitimate business events such as checkout, or action taken by a user (liking, or interacting with a piece of content, for example.) Many sites, therefore, have Google Analytics explicitly included in allow lists for their websites.
The technique abuses this functionality to exfiltrate any data (for example payment card details, or usernames and passwords) from compromised pages to the attacker’s own Google Analytics account, faking a ‘hit’ on a particular page.
The attackers still need to plant malicious code on the website, either editing the site template or including it via another file loaded by the website, and matching the event tracking to the referring domain is one way Google could prevent the abuse of their system.
When assessing the risk associated with new services or functionality it’s always worth considering how they may be subverted and abused beyond their intended purpose. bleepingcomputer.com
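One defender-side check for the technique described above, as an added example that is not from the original newsletter or the reports it cites: because an allow-list entry for Google Analytics cannot tell one Analytics account from another, audit the beacons your pages actually send and flag any that report to a property you do not own. It assumes Universal Analytics hits, which carry the property ID in the `tid` parameter; the property IDs, request list and function name are constructed for illustration.

```javascript
// Added example: flag Google Analytics hits that report to a property we do not own.
// Assumption: Universal Analytics hits, which carry the property ID in `tid`.
const OWN_TRACKING_IDS = new Set(['UA-00000000-1']); // constructed placeholder ID
const GA_HOSTS = new Set(['www.google-analytics.com', 'ssl.google-analytics.com']);

// Constructed sample of outbound requests, e.g. taken from a HAR export or proxy log.
const SAMPLE_REQUESTS = [
  { page: '/product', url: 'https://www.google-analytics.com/collect?v=1&tid=UA-00000000-1&cid=555&t=pageview' },
  { page: '/product', url: 'https://www.google-analytics.com/analytics.js' },
  { page: '/checkout', url: 'https://www.google-analytics.com/collect?v=1&tid=UA-99999999-9&cid=555&t=event&ec=a&ea=b&el=REDACTED' },
  { page: '/checkout', url: 'https://www.google-analytics.com/r/collect', body: 'v=1&tid=UA-00000000-1&t=event&ec=checkout&ea=submit' },
  { page: '/checkout', url: 'https://cdn.example.com/collect?tid=UA-99999999-9' },
];

function auditBeacons(requests, ownIds = OWN_TRACKING_IDS) {
  const findings = [];
  for (const req of requests) {
    let url;
    try {
      url = new URL(req.url);
    } catch {
      continue; // relative or malformed URL: not a beacon we can classify
    }
    // Only hit-collection endpoints matter; script loads such as analytics.js are skipped.
    if (!GA_HOSTS.has(url.hostname) || !/\/collect$/.test(url.pathname)) continue;
    // Hit parameters travel in the query string (GET) or the form body (POST/sendBeacon).
    const params = new URLSearchParams(url.search);
    for (const [k, v] of new URLSearchParams(req.body || '')) params.append(k, v);
    const tids = params.getAll('tid');
    if (tids.length === 0) {
      findings.push({ page: req.page, url: req.url, reason: 'missing-tid' });
    }
    for (const tid of tids) {
      if (!ownIds.has(tid)) findings.push({ page: req.page, url: req.url, reason: 'foreign-tid', tid });
    }
  }
  return findings;
}

console.log(auditBeacons(SAMPLE_REQUESTS));
```

A foreign `tid` seen on a checkout page is a lead for locating the planted script; the request itself passes the Content Security Policy because the host is allow-listed.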
- Sodinokibi (aka REvil) now scans infected networks for point of sale software, presumably seeking card data zdnet.com
- Magecart gangs hiding card stealing scripts in the EXIF data of favicon images bleepingcomputer.com
- ~300 Windows 10 executables vulnerable to DLL hijacking
- NCSC: ‘Cloud-first is not a security problem’ ncsc.gov.uk
Internet of Things
- Maze ransomware gang claim to have source code to devices manufactured by LG Electronics theregister.com
- We are a step closer to ‘privacy nutrition information labels’ with new visualisation of app permissions, and ability to opt-out of apps tracking you techcrunch.com
- Google will now automatically delete the data it holds on you after 18 months — still plenty of time to profile and track you though — and you still need to turn it on manually if you have an existing account wired.com, guide to limiting Google’s tracking of you
- Lawful Access to Encrypted Data Act introduced to U.S. Senate in bid to force companies to add backdoors to encryption algorithms that protect our lives online vice.com, theregister.com
- U.K. National Crime Agency may have infected EncroChat (an ‘encrypted phone’ provider used widely by criminals) devices with malware to capture intelligence on criminal gangs vice.com
- Russian national Sergey Medvedev pled guilty to involvement in the ‘Infraud’ cybercrime operation that caused more than $568M in losses from stolen credit cards cyberscoop.com, while in related news…
- The owner of ‘Card Planet’ — used to sell over 150,000 stolen payment cards — Aleksey Burkov was sentenced to nine years in prison bleepingcomputer.com
Mergers, acquisitions and investments
- Apple acquires mobile device management company Fleetsmith for an undisclosed sum arstechnica.com
- Microsoft acquires CyberX, a security vendor focussed on IoT and ICS monitoring zdnet.com
Microsoft really wants you to patch your on-prem Exchange server
Email is arguably the most visible IT service that an organisation has. Despite this business criticality, many organisations are yet to apply a patch, released back in February, to their on-premise Exchange servers. Now attackers are going after the ~350,000 exposed Exchange servers on the Internet. The patch fixed an issue present in all previous versions of the software that meant the backend control panel used identical cryptographic keys. A job for Monday morning, perhaps? microsoft.com