Home / Robin's Newsletter

Robin’s Newsletter #149

Ransomware in Apple's supply chain. Facebook seeks to 'normalise' scraping. The balkanisation of the Internet has intelligence agencies worried. Cellebrite's iPhone unlocking system is full of vulnerabilities.

 Vol. 4  Iss. 17  25/04/2021, last updated 30/04/2021   Robin Oldham  ~9 Minutes

Subscribe to Robin's Newsletter

This week

Quanta ransomware attack and questions to ask of supply chain security

Quanta Computer, a Taiwanese tech manufacturer has recently become a victim of the REvil ransomware group. The reason behind their targeting offers a glimpse at how ransomware groups are evolving their tactics.

Supply chains have been the security theme-de-jour since the Solarwinds attack in December 2020. That hasn’t escaped enterprise cyber-criminals either. While big brands like Apple may spend significant budgets on securing their networks, those of their suppliers may not be afforded the same luxury. Businesses benefit from outsourcing certain tasks (like manufacturing) and that naturally requires the exchange of information. While you may not have heard of Quanta before, you almost certainly have experienced their products. They employ 70,000 staff and makes over 30% of the world’s laptops. Their customers include Dell, HP, Amazon, Cisco, Microsoft and Facebook alongside Apple and a slew of other technology heavyweights.

In defence supply chain problems have been on the radar for some time: BAE Systems for example cites over 20,000 organisations in its supply chain. Some of them make nuts and bolts, others supply software and technology that controls sonar on submarines deep under the ocean surface. Understanding the provenance of what’s gone into a warship, fighter jet, or other ‘mission critical’ system is clearly desirable. Efforts have been underway to ensure these supply chains adhere to the U.K. government’s Cyber Essentials standard, as a minimum.

Other large, listed companies will have similarly sized supply chains of their own. That presents a great opportunity for criminals: extort the victim, then, or addition to, extort the victim’s customers too. Particularly secretive companies, like Apple, may be seen as particularly vulnerable or willing to pay up to keep innovations under wraps.

The scale of the problem is massive and it would be foolish to attempt to solve that independently. That is what lots of company supply chain security programmes currently do though: send out questionnaires asking tens, or even hundreds of questions that take ages to answer that may not discernibly improve the security posture of either organisation.

Promoting investment to raise the bar across your industry is a good first step. Basic cyber hygiene often gets overlooked in favour of newer, shinier technologies, but is critical to preventing these type of attacks. Ransomware groups are still getting in by using Administrator/123456 on Remote Desktop servers.

That just should be a thing, but without the right incentives from buyers or government-at-large, then supply chains may see it as a distraction as the same customers demand lower prices. Before commissioning a supply chain security programme businesses would be wise to get their basics in order (you are an important part of someone else’s supply chain, after all!) and consider the price that you are willing to pay for security.

theguardian.com, wired.com, ft.com, bleepingcomputer.com

Interesting stats

1,379,609 RDP credentials have been sold on a cybercrime forum since December 2018, secretly monitored by security researchers, who found that Administrator, Admin, User, test, scanner were the top five usernames, and… 123456, 123, [email protected]rd, 1234, Password1 the top five passwords, with… 15,114 appearing to relate to a default relating to MailEnable, a popular Windows email server bleepingcomputer.com

~10,000 Approaches by foreign intelligence over five years to recruit Brits for spying, warns U.K intelligence agency, MI5 theregister.com, ft.com That feels a little on the low side for me: equivalent of ~5.5 per day, across all foreign adversaries, though also equates to ~2% of the Civil Service.

46% of malware now uses TLS to secure command and control comms, according to Sophos scmagazine.com

Other newsy bits

Facebook wants to ‘normalise’ scraping, similar issue found that reveals private email addresses

Facebook accidentally (or, if you’re being cynical, deliberately) emailed an internal memo to a journalist in response to questions surrounding the social media network’s response to recent news that 533 million people’s personal data had been ‘scraped’ from their platform. Facebook is seeking to frame this as a regular industry occurrence. “Assuming press coverage continues to decline” reads the memo, “we’re not planning on additional statements on this issue.” The firm hopes that the public will move on and that it won’t have to answer more questions on why it was possible to upload address books containing every possible phone number on the planet that Facebook’s systems dutifully matched to personal profiles as friend suggestions. zdnet.com, theregister.com,

A similar issue in the way that the firm handles email addresses also surfaced this week after a security researcher was frustrated that the firm closed their vulnerability report and refused to patch the issue, despite it returning profiles where a user’s had set their email address information to private. wired.com

‘Moment of reckoning’ over ‘global operating system,’ says GCHQ

Widely reported interview with GCHQ director Jeremy Flemming this week covering the national security risks of not engaging in the development of new technology standards, such as 5G. The concerns are not new: ‘the West’ is giving up ground on the standards behind crucial new technology infrastructure implicitly to China, and they may not implement the same ideals of privacy or security (though the meaning of those terms doesn’t necessarily mean your privacy and security.)

The ‘Balkanisation of the Internet is progressing quite rapidly. Russia can ‘disconnect’ from the ‘net. China and other regimes have Great Firewalls that can control access. It is a far cry from the utopian vision that early academics had in mind of shared and open access to information.

The benefit of open over closed standards is obvious. This is about competing standards, their interoperability, and how the potential for misuse is minimised. The stakes are high - economically in terms of friction and market-size, ethically what is acceptable, as well as from a broader ‘security’ perspective - and it is easy to see why the sheer momentum of China, with almost one-sixth the world’s population would be a force to be reckoned with.

The next phase of digital transformation will be against a backdrop of increased government intervention and ‘sovereign technologies’. bbc.co.uk, theguardian.com, zdnet.com

Longer reads

From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice looks at two-decades security policy and its seeming failure to move the needle on cyber-attacks. Also the concept of a “security poverty line,” which I like as a concept. (H/T Phil) hatofthespear.com

The Incredible Rise of North Korea’s Hacking Army on the people-side of North Korea’s cyber capabilities, the regime’s efforts to develop its talent and the International Math Olympiad newyorker.com

In brief

Attacks, incidents & breaches

  • Package delivery scam spread by malicious text messages to Android phones: don’t click the link, forward it to 7726 (SPAM) and delete the message bbc.co.uk
  • Geico’s sales systems allowed scammers to steal information on customers that is now being used to perpetrate unemployment fraud cyberscoop.com
  • Codecov’s devops ‘Bash Uploader’ tooling compromised in January, used to steal credentials and ‘raid additional resources’, customers urged to rotate passwords reuters.com
  • Click Studio’s software update process for Passwordstate password manager compromised, used to deploy malware to customers cyberscoop.com

Threat intel

  • Tag Barnakle group compromising ad servers to display malicious ads pushing dodgy VPN and security software arstechnica.com
  • It’s trivial to remove ‘external email’ warnings injected by email gateways using CSS in messages bleepingcomputer.com
  • Attackers spoofing messages from Michael Page recruitment group to lure victims into installing malware bleepingcomputer.com
  • Darkside ransomware gang courting stock traders for inside knowledge on victims, encourages them to short, in a move that would also amp up pressure on victims scmagazine.com

Vulnerabilities

  • SonicWall urges immediate patching of Email Security products after evidence of three vulnerabilities being exploited in the wild bleepingcomputer.com, sonicwall.com
  • Sticking with perimeter devices… Attackers have found a way to bypass multi-factor authentication on Pule Secure’s VPN products, U.S. CISA has mandated all government departments to have updated before the end of the week arstechnica.com, cisa.gov
  • QNAP removes hardcoded ‘backdoor’ accounts in backup solution following spate of ransomware infections bleepingcomputer.com, glitch in Qlocker ransomware allows victims to decrypt files cyberscoop.com

Internet of Things

  • Vulnerabilities in John Deere’s portal exposes details of ‘million dollar’ IoT devices: tractors and other farm machinery (H/T Matt) vice.com
  • Smartphones to be in-scope of new U.K. legislation covering security of IoT devices: bans default passwords, requires vendors to have a security point of contact and disclose, upfront, how long the device will be supported for techcrunch.com
  • “PATCH UP! PATCH UP!” Garmin GTS 8000 software incorrectly warns of impending airborne collisions theregister.com
  • Integrity of Tesla’s Autopilot checks called into question by Consumer Reports, crash investigators bbc.co.uk

Privacy

  • European Union proposal would place strict regulation on the use of facial recognition in public spaces arstechnica.com
  • You can work out an Apple AirDrop user’s email or phone number if they open the share sheet with you in range… or you’re already in their address book (remember, Facebook’s recent scraping incident was the result of uploading address books with every phone number in it!) arstechnica.com
  • Google’s FLoC a bit of a flop as Microsoft, Mozilla, Brave all reject Mountain View’s proposed replacement to ad targeting cookies theverge.com

Public policy

  • Consensus that GCHQ could have applied for warrant and scrubbed compromised Microsoft Exchange servers as the FBI did theregister.com
  • Private companies to play increased role in responding to future ‘significant cyber incidents’: White House’s lessons leaned from SolarWinds and Hafnium/ProxyLogon whitehouse.gov
  • U.S. State Department to get cyber bureau focussed on establishing cyber-norms through Cyber Diplomacy Act cyberscoop.com

Law enforcement

  • U.S. Department of Justice is setting up a taskforce to ‘pursue and disrupt’ ransomware groups cnn.com

Mergers, acquisitions and investments

Quite a lot of transactions this week, here’s a couple of them:

  • Mastercard snaps up Ekata for $850M to boost digital identity and transaction risk scoring zdnet.com
  • Rapid7 acquires open-source Velociraptor endpoint monitoring and response technology rapid7.com

And finally

Signal strikes back at Cellebrite

Cellebrite offer services to help law enforcement unlock encrypted devices. The firm was involved allegedly involved in unlocking the San Bernardino shooter’s iPhone, ending a legal standoff between the FBI and Apple. Their solution works by identifying and exploiting cryptographic weaknesses, or just brute-forcing the content. At the end of last year, Cellebrite claimed to be able to crack Signal and give law enforcement access to encrypted chat messages. Now the CEO of Signal has hit back, pointing out numerous vulnerabilities in Cellebrite’s platform, including ‘decades old’ open source components, that can be exploited to alter the reports generated by the system. That’s a big deal for Cellebrite’s law enforcement customers who need the integrity of the reports to be iron-clad if they are to be used as evidence in court. The tit-for-tat is sure to be an as unwelcome distraction to Cellebrite as their claims were to Signal. theguardian.com