Home / Robin's Newsletter

Robin’s Newsletter #138

SolarWinds caught up in second campaign against U.S. gov tied to China. Plus an interview with a ransomware operator and Canada declares Clearview AI is 'illegal'.

 Vol. 4  Iss. 6  07/02/2021   Robin Oldham  ~7 Minutes

Subscribe to Robin's Newsletter

SolarWinds Orion ‘high-value target’ for multiple threat actors

A second group are believed to have used vulnerabilities in the SolarWinds Orion platform to attack U.S. government networks.

The suspected Chinese group used bugs in SolarWinds code to move laterally around their victim’s network, having already gained access through other means. Their victim was the Department of Agriculture.

“But Robin,” I hear you ask, “what’s so important about the Department of Agriculture’s National Finance Centre?” Well, it turns out the National Finance Centre does lots for government agencies. The FBI, State Department, Homeland Security and Treasury, are amongst the 160 agencies relying on it to run payroll for 600,000 federal employees.

Side note: Perhaps that’s why Secretary of Agriculture makes such a popular choice for designated survivor, who are chosen to sit out of high profile events, such as the States of the Union, as a contingency plan to secure the presidential succession. (second only to Secretary of the Interior (see wiki)).

The payroll information would be valuable to a foreign intelligence agency looking to identify U.S. national security staff and improve intelligence collection.

China was also attributed as the source of a 2015 data breach at the Office of Personnel Management that exposed details of over 4 million U.S. civilian staffers.

Meanwhile, SolarWinds released patches to address three vulnerabilities in its code found by researchers from Trustwave. Trustwave has said they will release a proof of concept exploit on 9th February to strong-arm encourage users to patch quickly. Malicious actors will undoubtedly be quick to reverse-engineer the POC.

The adoption of similar technology helps improve interoperability and offers the ability, in theory, to use purchasing power to negotiate better pricing. In practice, perhaps encouraging interoperability through common protocols (such as the web’s HTTP and email’s POP, IMAP and SMTP) may help reduce aggregation risk, at the cost of reducing economies of scale.

On the subject of securing your software development, NCSC published a blog post this week with advice on defending software build pipelines from attack.

reuters.com, wired.com, cyberscoop.com, wikipedia.org (designated survivor), ncsc.gov.uk

Interesting stats

1.4M reports of identity theft in the U.S. during 2020… 2X increase over 2019, driven in part by a massive increase in benefits fraud, 394,280 in 2020 versus 12,900 in 2019, according to the Federal Trade Commission (FTC) ftc.gov

$154,108 average payment made following a ransomware attack in Q4 2020, down from $233,817 in Q3 2020, as less victims pay up, according to Coveware zdnet.com

21% of 500 U.S. and 500 U.K. survey respondents trust an established large brand to keep their data secure, according to Entrust entrust.com

Other newsy bits

Interview with a ransomware operator

Cisco’s Talos Intelligence unit made contact with and interviewed a LockBit ransomware operator during the Fall of 2020. While it is a single individual, it makes for fascinating reading. From personal reasons to get into cybercrime and a feeling of under-appreciation when legitimately reporting security issues, to some of the details on margins charged by different ransomware developers (Maze charge 35%). “Aleks” says that European victims are encouraged to pay because of data protection regulations (only the case if the organisation are also willing to cover-up the breach), while American organisations aren’t because breaches should be reported in company fillings. “For a cybercriminal, the best country is Russia”. (H/T Rob C) talosintelligence.com, amazonaws.com (direct link; PDF)

Clearview AI ‘illegal’ according to Canadian privacy body

Clearview AI, the start-up indexing public social media posts to profile individuals and sell that information to advertisers and law enforcement, has not been without controversy since the New York Times ran an expose a year ago (vol. 3, iss. 4). Now the Office of Privacy Commissioner, Canada’s data protection regulator, has ruled the company’s services ‘illegal’. The Commission’s investigation found that “Clearview had collected highly sensitive biometric information without the knowledge or consent of individuals. Furthermore, Clearview collected, used and disclosed Canadians’ personal information for inappropriate purposes, which cannot be rendered appropriate via consent.” Interestingly they also rejected arguments from Clearview AI that consent was not required because the information was ‘publicly available’. techcrunch.com, priv.gc.ca

Failing safe: it’s all spam to SpamCop

SpamCop, a service from Cisco that helps determine if emails are likely spam or not, failed last weekend after someone at Cisco forgot to renew the domain spamcop.net. It turns out the service works by doing a DNS lookup on the reverse IP address .bl.spamcop.net (e.g. 4.3.2.1.bl.spamcop.net). If the IP address is known to Cisco as a source of spam then the DNS resolves then it’s taken as being likely spam. Only when the domain wasn’t renewed it became a landing page for the DNS registrar and resolved ANYTHING-dot-spamcop.net. That meant every email was being marked as spam by the service. Better, err, safe than sorry!  theregister.com

In brief

Attacks, incidents & breaches

  • File transfer appliances from Accellion are being compromised with large quantities of data being exposed. The legacy devices were design as ‘secure file transfer’ gateways in an era before the likes of Dropbox, OneDrive and the like. In this example, apparently 1.4M unemployment claims from Washington state were exposed seattletimes.com, H/T risky.biz
  • Oxfam Australia investigating breach after database of 1.7M sold online bleepingcomputer.com
  • StormShield, security provider to French government, reports data breach and theft of source code zdnet.com

Plus lots of automotive stuff this week…

  • Car dealership supplier DriveSure breached, data on 3.2 million users leaked, including name, address, car make/model, VIN numbers and service records scmagazine.com
  • Insurance startup Metromile’s website leaked driver license numbers, personal info, according to S.E.C. filling techcrunch.com
  • Trucking company Forward Air suffered $7.5M loss of revenue from ransomware incident zdnet.com

Threat intel

  • Highly targeted campaign targets Asian gamers using the NoxPlayer emulator cyberscoop.com
  • Ransomware operator targeting two vulnerabilities (CVE-2019-5544 and CVE-2020-3992) in VMware ESXi to gain access to hypervisor to encrypt virtual disks zdnet.com
  • Spanish certificate authority Camerfirma to be distrusted by Google Chrome, Mozilla mulling same steps, for compliance failures and issuing certificate for domain that doesn’t exist theregister.com
  • Kobalos malware targeting high-performance and supercomputers worldwide, isteals SSH credentials zdnet.com
  • TrickBot testing new network scanning module, built on MassScan, to provider operators with more info about infected networks (but also presumably extremely noisy!) bleepingcomputer.com
  • Plex Media Servers being used in DDOS amplification bleepingcomputer.com

Vulnerabilities

  • Upgrade to iOS 14.4 now to mitigate against three vulnerabilities being actively exploited zdnet.com
  • Cisco patch remote code execution vulnerabilities in SMB router lineup theregister.com
  • Zero-days and confusion reign at SonicWall as the company deals with being compromised by their own remote access product (vol. 3, iss. 4) NCC Group have discovered what they believe to be the vulnerability used to compromise the vendor zdnet.com

Security engineering

  • U.S. federal courts reverting to physical document filings for ‘Highly Sensitive Documents’ (HSDs; anything that “contain information that is likely to be of interest to the intelligence service of a foreign government”) in wake of Solorigate attack theregister.com
  • Google are funding a project to replace the Apache web server module mod_ssl with a Rust-based mod_tls zdnet.com
  • Microsoft Defender for Endpoint now supports macOS bleepingcomputer.com

Internet of Things

  • Industrial goods and services targeted in 29% of 2020 ransomware attacks, according to Digital Shadows zdnet.com

Privacy

  • Apple/Facebook app-tracking spat escalates with speech from Tim Cook on International Privacy Day: ”If a business is built on misleading users on data exploitation, on choices that are no choices at all, then it does not deserve our praise. It deserves reform… Too many are still asking the question ‘How much can we get away with?’ when they need to be asking ‘What are the consequences?’” inc.com
  • Meanwhile, Google is considering similar ‘app nutrition labels’ for Android arstechnica.com

Public policy

  • Safe Connections Act is an interesting bill aimed to help victims of domestic abuse escape burdensome mobile phone plans that allow their abuser to monitor calls, text messages cyberscoop.com
  • Former U.S. Cybersecurity and Infrastructure Agency (CISA) chief, Chris Krebs, has called on Cyber Command to help tackle the growing ransomware problem, by using their capabilities to disrupt, or ‘dox’, ransomware operators ft.com

Law enforcement

  • U.K. National Crime Agency confirms arrest of 20-year-old suspect from Birmingham for running a high-volume smishing (SMS phishing) site called SMS Bandits krebsonsecurity.com

Mergers, acquisitions and investments

  • Rapid7 acquires Alcide to bolster capabilities to identify and respond to risk in containerised Kubernetes workloads for $50M techcrunch.com

And finally

CORRECTION: In last week’s And Finally I linked to reporting that aa railway in China had stopped running after Adobe Flash went end of life. Subsequent reporting in China has confirmed that it was internal traffic statistics system running Flash, that stopped working, not core railway control systems.

What do you think happens if you pay millions in ransomware demands, but don’t fix the issues?

Yes - you guessed it - you get pwned again two weeks later. Always work out, and address, the root cause. ncsc.gov.uk