This week
US Treasury sets out stance on ransomware payments and sanctions
The Office of Foreign Assets Control (OFAC), part of the US Treasury, issued an advisory this week on the payment of ransom demands to individuals, groups or regions that are subject to US sanctions. It comes in the wake of Garmin’s ransomware demands from the EvilCorp group (vol. 3, iss. 31) and increased scrutiny of companies paying up to avoid their data being released in ‘breach-and-leak’ ransomware campaigns.
“Ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States,” the advisory notes. Going on to point out that paying up ‘emboldens’ attackers to carry out more attacks.
Sanctions are a tool used regularly by the US against organised criminals and as diplomatic measures against foreign powers. Increasingly they are being levied against cyber-criminals, including Evgeniy Mikhailovich Bogachev, the developer of Cryptolocker, Maksim Yukabets and EvilCorp, for the Dridex malware, and all of the Lazarus Group, linked to North Korea and WannaCry.
The advisory sets out the risks of payment, including that individuals will be held ‘strictly liable,’ meaning they face penalties even if they did not realise at the time they were engaging with a sanctioned individual. Any US person who instructs a non-US person to do so will similarly be covered.
Bruce Schneier also has a summary of, and links through to, an interesting article on the pros and cons of ransomware payments in discussion with negotiators.
For me, the important part of the advisory, and where I believe we will start to see change, is how the message is targeted at service providers. The advisory makes it clear that those offering support to firms that have been victims of ransomware, and that enable or facilitate payments, are also on the hook. Cyber insurance companies are explicitly called out.
By increasing the compliance risk to insurers OFAC are hoping to help reduce payments which, in many cases, may entirely cover the ransom demands asked by attackers. Digital forensics and incident response firms are named, as are money transfer services.
Ultimately OFAC wants to hear from victims up-front where they think their maybe a ‘sanctions nexus’ and considers a “self-initiated, timely, and complete report” to be a “significant mitigating factor in determining an appropriate enforcement outcome.” OFAC will consider each case with a ‘presumption’ that payment will be denied.
treasury.gov (PDF), arstechnica.com, schneier.com
Interesting stats
$16 — $25 the price being asked for RDP credentials on the dark web, according to research by Armor zdnet.com
38% of public sector, and 36% of private sector respondents have privileged access to sensitive data above what is required for their roles, according to research by Ponemon of over 1,800 US and UK workers for Forcepoint theregister.com
“Our systems are getting more and more complex so we have to invest more and more time into studying them like nature” — Daniel Gruss, Graz University of Technology theregister.com
Other newsy bits
Singapore considers need for security on-par with fresh water, is introducing consumer security labels
Singapore now considers providing digital security for its citizens to be on par with that of fresh drinking water, according to Brigadier General Gaurav Keerthi, Deputy Chief Executive of Singapore’s Cyber Security Agency.
Keerthi’s comments were during a presentation at Black Hat Asia this week during which they also discussed a new voluntary labelling scheme. IoT devices, such as smart home devices and wifi routers will be rated on a 4-star scale.
Security labels are seen as an easy way to help consumers make better security choices when buying smart devices. Labels adopt concepts from food nutritional information labels, carrying red/amber/green ratings, or ‘best before’ dates after which the company does not guarantee to support the device. theregister.com
Match phishing tests to your (communicated) threat profile
There have been a few examples recently of ‘poor taste’ phishing campaigns. One at Playstation offered a flu jab, another at the Chicago Tribune announced bonuses (after just laying off lots of staff).
Both have stirred debate within the infosec community that boils down to ‘threat actors do not pull their punches’ and, on the other side, it being ‘a terrible way to try and build trust with your users’. SC Magazine got in touch with some phishing simulation providers that pointed out their tests use real-world examples (both examples fall into this category).
Security teams are often seen as ‘the department of no’ and so I think it is more important to be building trust than proving that an enticing email is, well, enticing!
Match your security training not to other real-world examples, but to the things that are relevant to your organisation. You must communicate the nature and level of the threat your organisation faces too, so that staff are more understanding of the tactics and techniques that may be employed against them.
Tim Ward of ThinkCyber participated in a Security Watercooler event with Cydea earlier in the year. We discussed alternative ways to educate users and how the best learning and training occurs from positive achievement, rather than negative avoidance. scmagazine.com, cydea.com
Huawei code still bad, no intentional backdoors, according to HCSEC
The annual report from the Huawei Cyber Security Evaluation Centre (a joint effort from NCSC and Huawei in the UK) has found the software development processes at the Chinese telco giant continue to be sub-par. For another year running no evidence of intentionally introduced backdoors was found, however coding errors are common and the sprawling size, and variety, of supported codebases, mean that security vulnerabilities proliferate. This is unsurprising, given the previous reports (vol. 2, iss. 13; vol. 1, iss. 5). The company promised to spend $2BN over five years following last year’s report: little progress seems to have been made. scmagazine.com, ft.com
Why are the NHS Track and Trace barcodes so big?
Dave Groves reverse engineers an NHS Track and Trace barcode to understand why they are so big. He found the large size is partly due to the data being base64 encoded twice, and roughly half of the QR code is due to a cryptographic signature. facebook.com
In brief
Attacks, incidents & breaches
- Blackbaud says personal and financial info, passwords, accessed in ransomware attack in stock market filing, having previous denied any access (vol. 3, iss. 30), theregister.com
- FBI investigating Business Email Compromise campaign that netted $15M from 150 victims zdnet.com
- Despite promises from ransomware gangs to avoid healthcare targets, attacks continue with Universal Health System, who run 400 medical facilities, the latest victim techcrunch.com, and…
- Phishing email led to University Hospital New Jersey paying $670,000 to prevent patient data being released after ransomware group gained access to two servers bleepingcomputer.com
Threat intel
- Phishing campaign used captured creds to login and reply to email threads for propagation in similar manner to a ‘worm’ zdnet.com
- Turla/APT28 linked to commercial exploit sellers Volodya and PlayBit by CheckPoint zdnet.com
- ESET publish details of XDSpy group with cyber-espionage objectives against Eastern-European countries including Belarus, Moldova, Russia, Serbia, and Ukraine zdnet.com
Vulnerabilities
- HP Device Manager, used on many of the firms ‘thin client’ devices, has an update to prevent three bulbs that, when chained together, allow gaining ‘SYSTEM’ privileges bleepingcomputer.com
- NVIDIA’s Windows display driver patched against local escalation of privilege bugs bleepingcomputer.com
Security engineering
- Revision 5 of NIST publication 500-83 Security and Privacy Controls for Information Systems and Organizations published (H/T Niall!) nist.gov (PDF)
- GitHub rolls out code scanning tools that check for vulnerabilities in commits, pull requests zdnet.com
- Make sure your API only responds to search or lookup fields advertised to prevent enumeration and consider rate limiting to prevent someone making off with your whole user database (ahem Gravatar) bleepingcomputer.com
- Cloudflare adds API firewall to range of free services zdnet.com
Law enforcement
- A jury has sentenced Yevgeniy Nikulin to seven year prison sentence for LinkedIn and other breaches cyberscoop.com
Mergers, acquisitions and investments
- Cisco acquires PortShift to bolster Kubernetes, DevOps security capabilities techcrunch.com
- Imperva to acquire jSonar for database security tech zdnet.com
And finally
Grinding away at password resets
“The World’s Largest Social Networking App for Gay, Bi, Trans, and Queer People,” Grindr, was exposing password reset tokens on their forgotten password page. If you knew a user’s email address you could submit the forgot password request and find the token returned in the response. This should be a secret key, typically embedded as a long string of characters in the link to create a new password. The logic goes that, because you need access to the email account, you’re pretty likely to be the account owner. By being able copying and pasting this key into the forgot password page you could reset their password without having access to their email account, and login as if you were the victim. Short of just displaying the user’s password, I think this is the worst thing a password reset page can do. troyhunt.com