Join me on a look back through some of the biggest and most interesting infosec stories and 12 cyber stats that made 2021.
30% of Solorigate victims didn’t run SolarWinds software: password spraying and privilege escalation techniques used instead vol. 4, iss. 5
2021 started with the fallout from news that the Solorigate attackers had accessed Microsoft’s source code as part of the SolarWinds campaign. Microsoft regularly shares its source code with governments and agencies, so there are easier ways to get hold of most of it, and that practice makes it unlikely that the code contains any of the hardcoded credentials, cryptographic material or other security keys that you sometimes read about when companies push code to public repositories.
According to Microsoft, the on-premises portion of the attack (against SolarWinds Orion) was to gain access to ‘SAML’ authentication tokens needed to access off-premises cloud-based resources. Enterprise identity management is becoming more complex, with Active Directory often now shared and synchronised between on-premise and cloud-based hybrid deployments. Exploiting this trust in one to compromise the other (be it browsing up to the cloud or down into organisations’ networks) is something we’ll see more and more of.
“We are very satisfied,” Fernando Ruiz, Europol’s European Cybercrime Centre (EC3) head of operations, told ZDNet when describing the law enforcement action that resulted in the takedown of the notorious Emotet botnet. Cybercrime and botnets can seem nebulous, so to put this operation into context: Europol estimates that Emotet is involved in 30% of malware attacks. Operation Ladybird involved identifying and gaining access to every ‘command and control’ (C2) server used by the malware to receive its instructions.
A German retailer was fined €10.4 million (£9.3M; $12.5M) under GDPR for failing to provide a legal basis under which it kept staff under video surveillance. One aspect that the regulator took issue with jumped out to me: the company had not taken any preventative steps, such as random bag checks, before opting for “intensive video surveillance” that “[violates] the rights of their employees”. The continuous CCTV monitoring of behaviours was not considered warranted - and more impactful - because other, simpler, less invasive steps had not been taken.
18,000 vulnerabilities were published and given a ‘CVE’ number in 2019; just 2.6% (473) of them were actually exploited in the wild, according to Kenna Security, and 6% (~28) of those are ever exploited on a widespread basis. vol. 4, iss. 8
An excellent bit of research and write-up from Alex Birsan on ‘dependency confusion’. His research looked at how the package managers for various programming languages - such as Python, NodeJS and Ruby - install the dependencies and modules requested by software packages. He found that often the official repository was favoured over other sources, such as internal repos, that might be specified via command-line arguments. With a bit of digging, he was able to identify the names of internal packages written by the likes of Apple, Microsoft, Tesla, Yelp and dozens of other tech companies.
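An added example (not from Alex Birsan's write-up or this newsletter): a Python audit of pip requirements text that flags internal package names which a public index could also satisfy, shown on a weak file beside a corrected one. The `acme-` prefix, the index URL, the package names and the placeholder hash are constructed assumptions; `--index-url`, `--extra-index-url` and `--hash` are pip's own options.

```python
import re

# Assumption: internal packages are recognisable by a naming prefix (hypothetical).
INTERNAL_PREFIXES = ("acme-",)
FAKE_HASH = "sha256:" + "0" * 64  # constructed placeholder digest

# Constructed "weak" file: a private index is added alongside the public one.
WEAK = """\
--extra-index-url https://pypi.internal.example/simple
requests==2.26.0
acme-billing>=1.2
Acme_Auth==3.1.0
"""

# Constructed "corrected" file: one explicit index, exact pins, a hash on every line.
FIXED = f"""\
--index-url https://pypi.internal.example/simple
requests==2.26.0 --hash={FAKE_HASH}
acme-billing==1.2.0 --hash={FAKE_HASH}
acme-auth==3.1.0 --hash={FAKE_HASH}
"""

OPTION_RE = re.compile(r"^(--index-url|-i|--extra-index-url)[=\s]+(\S+)")
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalise(name):
    """PEP 503 normalisation, so Acme_Auth and acme-auth compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Split requirements-file text into index options and requirement entries."""
    options, requirements = [], []
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("#"):
            continue
        opt = OPTION_RE.match(line)
        if opt:
            flag = "--index-url" if opt.group(1) == "-i" else opt.group(1)
            options.append((flag, opt.group(2)))
            continue
        name = NAME_RE.match(line)
        if name:  # other option lines (-r, -c, ...) start with "-" and are skipped
            requirements.append({
                "name": normalise(name.group(1)),
                "pinned": "==" in line,
                "hashed": "--hash=" in line,
            })
    return options, requirements


def audit(text):
    """Return (package, severity, reason) for internal names a public index could satisfy."""
    options, requirements = parse_requirements(text)
    flags = {flag for flag, _ in options}
    findings = []
    for req in requirements:
        if not req["name"].startswith(INTERNAL_PREFIXES):
            continue
        if "--extra-index-url" in flags:
            why = "private and public indexes are both searched; best version wins"
        elif "--index-url" not in flags:
            why = "no private index set; the default public index is searched"
        else:
            continue  # assumption: the single private index does not proxy the public one
        if req["hashed"]:
            continue  # a same-named upload with different content fails the hash check
        findings.append((req["name"], "medium" if req["pinned"] else "high", why))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("corrected", FIXED)):
        print(label, audit(text) or "no findings")
```

An exact pin is rated "medium" rather than clean because it only stops a higher-numbered look-alike; the hash is what ties the install to known content.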
Poor user interface design on an internal application at Citibank led to the firm transferring almost $1 billion prematurely back to lenders. The transaction involved three people, who all thought they were doing the correct thing. While the bank noticed the error the following day, some of the lenders involved are refusing to return the early repayment, totalling more than $500 million. Well-meaning employees rendered ineffective by poor business apps and processes.
SolarWinds CEO blamed the intern for ‘password123’ being the password on a file server. Nothing says ‘good corporate governance’ like getting the intern to set up the build process for a ~$1Bn software company! Meanwhile, another group, aligned to Chinese interests, had also been exploiting bugs in SolarWinds products to compromise the Department of Agriculture. “But Robin,” I hear you ask, “what’s so important about the Department of Agriculture’s National Finance Centre?” Well, it turns out the National Finance Centre does lots for government agencies. The FBI, State Department, Homeland Security and Treasury, are amongst the 160 agencies relying on it to run payroll for 600,000 federal employees. Valuable intelligence for counter-intelligence operations.
A weak TeamViewer password led to the compromise of a Florida water treatment facility. Water treatment plant personnel immediately noticed the change in dosing amounts - in fact, they were watching the screen as the attacker adjusted the values - and quickly set the correct value even before the SCADA system detected and raised an alarm on the change. The plant continued to operate as normal and no poisonous water was ever released. Perhaps the most interesting thing is that we have heard about it at all. There are plenty of examples of these sorts of ‘human-machine interfaces’ (HMIs) accessible online, however, thankfully, mostly those who find them choose not to meddle with industrial processes they do not understand.
The FBI released its 2020 Internet Crime Report: 791,790 complaints received in 2020 (+69% on 2019); $4.2BN total value of reported losses; $1.8BN (43%) attributed to Business Email Compromise (BEC) scams vol. 4, iss. 12
Over 30,000 US organisations, and 100,000 worldwide, were compromised after four vulnerabilities in Outlook Web Access had been chained together and exploited by a suspected Chinese-affiliated group - dubbed Hafnium - for espionage purposes. Researchers at ESET identified that six discrete threat groups were exploiting the vulnerabilities before Microsoft released the patch. This points to either an organisation selling the exploit to multiple parties, a common party sharing details to support the campaigns of these groups (as national security agencies share intelligence), or another shared source or forum where details are exchanged.
Then cybercriminal gangs got in on the act with Microsoft reporting the first detection of a new ransomware strain, dubbed DearCry or DoejoCrypt, capitalising on the vulnerabilities in Exchange to get a foothold within organisations.
Joseph Cox at Vice Motherboard showed how a hacker was able to take over lots of his accounts for just $16 by exploiting lax security practices at commercial SMS companies. For a pinky-promise that they are the person in question, an SMS company will ask telco providers to reroute SMS messages to their service. Normal phone service continues unaffected. Being the recipient of SMS messages means that multi-factor authentication codes and, crucially, account recovery messages, can be intercepted, passwords reset and accounts accessed.
UK clothing retailer FatFace paid a £1.9M ($2.65M) ransom to cybercriminals and then gave a free lesson to the world in how not to handle a data breach. Two months elapsed between the breach and customer notification. When the company finally issued a breach notification to customers, it was labelled ‘strictly private and confidential’ and requested that customers “please do keep this email and the information included within it strictly private and confidential.” The irony hasn’t been lost on their customers, with a backlash on Twitter and a string of negative reviews for the company on their Trustpilot site.
15% of people made up passwords containing their pet’s name, 14% use the name of a family member, and 13% use a significant date (such as birthday or anniversary), while 6% use their favourite sports team, according to research by the U.K. National Cyber Security Centre (NCSC) vol. 4, iss. 15
Facebook got semantic about breaches vs scraping after poor design and engineering decisions led to the details of 533 million people being posted online. A Facebook spokesperson said the company had no plans to notify users, as they were unsure exactly which users needed notifying, and that they could take no action to address the issue (i.e. change your name or DOB) and that it was “public information”. The source of the information appears to be the result of poor design and engineering practices. The ‘contact importer’ feature allowed users to upload their address book and find other people they know on the social network. (Side note: this also creates ‘shadow profiles’ for people not on Facebook). Here’s the thing: you could just put every possible phone number (+44 0000 000001, +44 0000 000002, …, +44 9999 999999) in your phone book, keep resubmitting it, and Facebook would tell you if it matched and who that user is. Unless you’re Tom from MySpace, you probably aren’t friends with everybody. The issue was reported to Facebook in 2017 but the company decided that it was ‘public information’ as users had opted to let themselves be matched via phone number.
The FBI became a Managed Security Services Provider as they obtained and executed a warrant to modify victims’ Exchange servers to remove web shells left by Hafnium/ProxyLogon exploitation. It creates an interesting point around liability - with some arguing (rather facetiously) that it discourages organisations from taking cyber security seriously. In undertaking this action I am sure that they will have to have been extremely confident in both the fix and also the harm that is being avoided as a result. Follow-up (or indeed prior) notification to victims needs to be similarly robust so that the underlying issues can be addressed and attackers cannot simply re-exploit the same issues.
Congratulations to the FBI for coming out on top in my inaugural Enchanted Boxywoxy of Managed Security Service Providers with a potent combination of vision and ability to execute.
The UK and US formally accused Russia of being behind the SolarWinds attacks, and the Biden administration expelled 10 Russian diplomats and introduced sanctions in response to the SolarWinds attack and disinformation campaigns.
36 days median time taken to conduct forensic investigation of a security incident, costing $55,960 on average, according to Baker Hostetler, whose clients faced litigation 3.7% of the time following notice (20/543 times) vol. 4, iss. 19
May was full of particularly audacious ransomware incidents…
The Washington D.C. Metropolitan Police Department (MPD) received an ultimatum from the Babuk ransomware group: pay us $50 million or we will release the details of confidential informants to criminal gangs.
Then the Colonial Pipeline, supplying 45% of fuel along the U.S. East Coast, shut down due to ransomware as a precautionary measure. Critical infrastructure is, by its nature, heavily relied on and therefore more susceptible to disruption. In theory that makes it more attractive if you’re in the business of disrupting business operations and extorting the victims. However, by the same criteria, that critical infrastructure is more likely to invite government intervention and draw greater investigation from law enforcement. The DarkSide group behind the attack promptly went dark.
The Health Service Executive (HSE), Ireland’s public health service, temporarily shut down its IT systems following a human-operated ransomware attack. There are up to 2,000 systems that need checking and around 80,000 devices to check. Dublin’s High Court issued an injunction to prevent the ‘sharing, processing, selling or publishing any data stolen’. The move will prohibit legitimate websites, like Google, Facebook and Twitter, from hosting the content and therefore limit its exposure. The total cost of the incident would go on to reach an expected $600M, including $120M in response costs and professional services, and $480M in equipment and systems upgrades.
The operational security of U.S. nuclear weapons was put at risk by the use of online ‘flash card’ apps that allow students to create tests on different topics for each other. Unwitting squaddies turned to online flashcard apps to help them study for these tests and the services appear to have defaulted to making sets of flashcards public, rather than requiring sharing to be enabled by users.
80% of organisations that paid up during a ransom attack go on to experience a second ransomware incident vol. 4, iss. 25
Attackers compromised the network of games publisher Electronic Arts and stole over 780 GB of data, including source code for FIFA21 and the Frostbite game engine. The compromise appears to have circumvented extensive protections after attackers were able to buy a session cookie for $10 that let them impersonate an EA employee and convince the company’s Helpdesk to obtain a multi-factor authentication code because they had ‘lost their phone at a party’ and were unable to login. On invite-only marketplaces, cybercriminals are trading cookies and browser fingerprints to steal access and avoid multi-factor authentication.
The AFP, FBI and Europol ran an encrypted criminal communications network used by over 12,000 criminals from more than 300 gangs in 100 countries. While promising end-to-end encryption, the messages sent across the ‘An0m’ platform were encrypted using a master key known to the FBI and each message was essentially BCC’d to a service dubbed ‘iBot’ that decrypted and copied messages for law enforcement. 9,000 officers took part in coordinated raids that have resulted in more than 800 people being arrested and 32 tonnes of drugs and $484M of proceeds being seized.
John McAfee was found dead in a Barcelona prison cell after a Spanish court approved his extradition to the United States on charges of tax evasion and breaking securities laws. McAfee made his fortune with the eponymous antivirus software, though since cashing out when his company was bought by Intel he’s led an oft-controversial life. Like or loathe him, there is no doubting the impact he had shaping the early cyber security technology industry.
10x the price paid for domain admin vs user accounts, with $4,207 average asking price for domain administrator privileged accounts, and $406 average asking price for standard user accounts, based on analysis of over 500 listings by threat intel provider Kela vol. 4, iss. 28
The Kaseya remote management software was used to launch ransomware attacks. The timing is deliberate: taking advantage of the Independence Day public holiday in the United States of America, when many IT and security teams will be at reduced capacity. While fewer than 40 of Kaseya’s customers are reported to have been affected, at least eight of those are IT managed service providers that use the product to more efficiently manage their customers’ IT environments. In total, around 60 Kaseya customers were compromised, who manage approximately 1,500 different organisations’ IT environments. The attack was carried out by the REvil ransomware gang who claim that ‘more than one million systems’ have been affected in the attack. The cybercrime group posted on their ‘Happy Blog’ notification that they would provide a decryptor tool that works with any of the affected organisations in exchange for $70 million in Bitcoin. Fortunately, it seems that while REvil were able to encrypt data on a huge scale, they were unable to delete backups or exfiltrate encrypted data for double-extortion purposes. As a result, many managed service providers are restoring data and few victims opt to pay the criminals’ demands.
A vulnerability in the ‘print spooler’ (which handles interactions between the operating system and USB or network printers) for Microsoft Windows was identified that allows authenticated users to increase their permissions to those of IT administrators. The ‘zero-day’ vulnerability is commonly being referred to as “PrintNightmare” (or CVE-2021-34527) and affected almost every current version of Microsoft Windows. Microsoft released a security patch on 8th June, for a print spooler vulnerability tracked as CVE-2021-1675. Security researchers, believing it to be the same as a vulnerability they had identified, released their work, including code that can be used to exploit the bug. “Oops.”
Poor Google QA let a single character typo brick a load of Chromebooks as the company suggests users ‘not reboot’ their devices. Wonderful.
$9,640 mean price charged by ‘network access brokers’ to corporate networks on cybercrime forums, according to research by IntSights vol. 4, iss. 33
Apple unveiled two new features to help combat the spread of child sexual abuse material (CSAM). The first, built into its iMessage app, detects potential CSAM and presents warnings on children’s devices about sensitive images. The second feature involves scanning all of a user’s photos for CSAM using a technique called ‘NeuralHash’ and reporting the results back to Apple. This mass surveillance infrastructure got pretty much everyone riled up, questioning the efficacy of such functions and pointing out that it is ripe for repurposing, misuse and abuse. “Nuanced opinions on this are OK”
An ‘apolitical’ group compromised Belarusian government systems and stole data and records of security services personnel, along with other sensitive information on the locations of safe houses and vehicles registrations. The group are seeking to ‘disrupt’ the Lukashenka regime by de-anonymising and doxxing KGB leadership (such as releasing the passport of KGB Chairman Ivan Tertel) and rank-and-file agents engaged in the alleged kidnap and torture of protestors.
The UK government set out a new direction for its future data regulation regime that seems like a significant departure from current protection. A lot of the rhetoric builds upon the “TIGRR team” report written by MPs Sir Iain Duncan Smith, Theresa Villiers and George Freeman. These tech and data luminaries quickly concluded that ‘consumer data’ (note: that’s definitely not personal data) is “highly profitable” and that protecting individuals’ rights is just a bit ‘too burdensome’ for business.
1/3 people have tried to guess someone else’s password and of those 3/4 have succeeded, according to Beyond Identity vol. 4, iss. 39. (Hardly surprising given April’s stats from NCSC on use of family and pets names!)
Sometimes simple commercial pressure can get your government encryption backdoor into commercial security products. The NSA developed an encryption standard called ‘Dual Elliptic Curve Deterministic Random Bit Generator’ (Dual EC DRBG), got NIST to include it in a standard (NIST SP-800-90A) and then leaned on US network vendors like Juniper, RSA and Cisco to implement it in their products. The Dual EC DRBG algorithm contained a backdoor that, if you knew the ‘Q value’ used to create the encryption keys, would allow you to recreate them and therefore decrypt that data. The NSA specified a preferred value for Q.
Lots of people pointed out that Dual EC DRBG had a potential backdoor in it at the time though, as Matthew Green paraphrases, “well, that could be horribly exploitable but nobody would do that.” Bloomberg’s reporting ties 2012 and 2014 breaches of Juniper to the Chinese group known as APT5. Having identified the Q value weakness, they compromised Juniper’s source code and changed the value so that they could decrypt traffic. The NSA thought they could implement a backdoor algorithm for their benefit and it was compromised and rekeyed by the Chinese for their own benefit. A “lessons learned” report was produced, though the NSA “now asserts that it cannot locate this document.”
The Open Web Application Security Project (OWASP) released a draft update to the ‘top 10’ vulnerabilities introduced by developers into software for the first time since 2017. Injection (such as SQL or XSS) falls from the top spot to third, while Broken Access Control is up five to take the crown.
With great power comes great responsibility. As an industry, infosec has focused a lot on building technical skills and less on the ethical and responsible use of those skills. This has resulted in many people in the same shoes as David Evenden, a former NSA employee recruited to a UAE intelligence programme, whose talent has resulted in developing impressive technical capability in a much shorter time than it takes to develop a rounded world view on what’s being asked of them.
£1.09 per month the average amount a user would be willing to pay to Facebook or Google for a guarantee to receive generic, rather than targeted, adverts according to a survey of 4,000 UK consumers carried out by Which vol. 4, iss. 40
The intermediary certificate used by popular certificate authority Let’s Encrypt expired, causing issues with some websites and security products and services. Vendors from Palo Alto, Bluecoat, Cisco, Catchpoint and Fortinet to Auth0 were all caught out by the entirely predictable need to update their certificate chains with a replacement for ‘IdenTrust DST Root CA X3’. As more than 9-out-of-10 sites now use HTTPS, this kind of thing will only become more common and older devices that no longer receive support updates may be particularly badly affected.
Facebook accidentally disconnected itself from the Internet, causing all of its services to be unavailable to its three billion users for six hours, as engineers scrambled to fix the issue. The social network stopped advertising Border Gateway Protocol (BGP) routes that signpost how to get to its network. The company also hosts its Domain Name System (DNS) servers itself, and that meant that human-friendly names like ‘facebook.com’ couldn’t be resolved to the IP addresses used by devices to communicate. The impact to Facebook is reportedly going to cost the company $60 million; the total economic impact, when considering all the businesses that rely on Facebook’s services, could be much higher.
Missouri governor, Mike Parson, united the infosec community with an absurd statement that a journalist was a ‘hacker’ worthy of prosecution for reporting that social security numbers of teachers had been leaked in the HTML source code of a state website.
The US Federal Communication Commission (FCC) voted unanimously to revoke China Telecom Americas’ license to operate. It’s the culmination of a request from the Department of Justice from April 2020 (vol. 3, iss. 15). The firm has 60 days to wind up its US operations and shut up shop. The decision is driven by national security concerns, with the FCC review finding China Telecom “is subject to exploitation, influence, and control by the Chinese government and is highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight”.
57% of penalties issued by the Information Commissioner’s Office (ICO) since January 2020, totalling £5.1M, remain unpaid, as many firms use appeals to delay the process or go into liquidation vol. 4, iss. 45
Law enforcement took action against REvil ransomware group. Two suspected REvil affiliates were arrested by Romanian law enforcement, and a further four suspected associates of the predecessor group, GandCrab, were scooped up by authorities in Kuwait. The US Department of Justice also charged a Ukrainian national, who was arrested entering Poland, for their involvement with REvil. DoJ also announced they had recovered over $6M cryptocurrency from another REvil partner.
The ‘Product Security and Telecommunication Infrastructure Bill’ was introduced to the UK’s House of Commons. The legislation, similar to California’s SB-327 IoT cybersecurity law, sets requirements on device manufacturers that “better protects citizens, networks and infrastructure against the harms enabled through insecure consumer connectable products,” alongside 5G and gigabit broadband rollouts. If passed, it will grant ministers the power to specify minimum security protections for consumer products, require manufacturers, importers and distributors to comply with the regulations, and enforce penalties where these are not followed.
Great research from Ross Anderson et al. shows how compilers treat Unicode characters, especially where they come across conflicting, bi-directional (e.g. both left-to-right and right-to-left languages) characters. The answer is that things that look like code comments to the human reader may be interpreted and compiled into the final application. Basic versions of this technique are already being used to help disguise malware from email gateways.
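An added example (not from the researchers' paper or this newsletter): a Python scanner that reports lines of source text containing Unicode bidirectional control characters, the kind of check a code-review or CI step can run for the issue described above. The sample source is constructed, and the per-line balance check is a simplification of the full Unicode algorithm.

```python
import unicodedata

# Directional formatting characters defined by the Unicode Bidirectional Algorithm.
EMBED_OPEN = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE, RLE, LRO, RLO
ISOLATE_OPEN = {"\u2066", "\u2067", "\u2068"}          # LRI, RLI, FSI
PDF, PDI = "\u202c", "\u2069"                          # the matching terminators
BIDI_CONTROLS = EMBED_OPEN | ISOLATE_OPEN | {PDF, PDI}

# Constructed sample source; escapes keep this listing itself free of the characters.
SAMPLE = (
    "def greet():\n"
    "    name = 'caf\u00e9'  # ordinary non-ASCII text, not a finding\n"
    "    x = 1  # \u202e\u2066 constructed marker, never closed\n"
    "    y = 2  # \u2067balanced isolate\u2069\n"
)


def scan_source(text):
    """Return one finding per line that contains bidi control characters."""
    findings = []
    # Split on "\n" only, so line numbers match what editors and compilers count.
    for lineno, line in enumerate(text.split("\n"), start=1):
        hits, embeds, isolates = [], 0, 0
        for col, ch in enumerate(line, start=1):
            if ch not in BIDI_CONTROLS:
                continue
            hits.append((col, f"U+{ord(ch):04X}", unicodedata.name(ch)))
            if ch in EMBED_OPEN:
                embeds += 1
            elif ch in ISOLATE_OPEN:
                isolates += 1
            elif ch == PDF:
                embeds = max(0, embeds - 1)
            else:  # PDI
                isolates = max(0, isolates - 1)
        if hits:
            findings.append({
                "line": lineno,
                "hits": hits,
                # Opened but not closed before the line ends, so the reordering
                # runs to the end of the line as displayed.
                "unterminated": embeds > 0 or isolates > 0,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

Any hit in a code base that has no right-to-left text is worth a reviewer's look; an unterminated one deserves it first.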
11 top ransomware gangs claimed ~3,000 victims in 2021, according to Recorded Future vol. 4, iss. 49
The year ends with a bang…
Seven years since the introduction of the UK’s Cyber Essentials scheme the National Cyber Security Centre and their delivery partner, IASME, announced the first update to the scheme to address gaps in the scheme’s coverage for cloud services, and inflexible approach to remote work. The announcement has been met with more than a few raised eyebrows though: the go-live is just 36 working days from its announcement, on 24th January. That doesn’t give businesses up for their annual recertification in the first few months of the New Year much time to understand and demonstrate compliance with the new requirements.
It’s also been five years since the UK’s first cyber strategy was unveiled and its successor was released, setting aims and objectives for the UK government’s approach to, and £2.6B funding of, cyber through 2025. The University of Surrey’s Professor Alan Woodward commented to The Register on the changing definition of the problem scope: “One other point that I thought was interesting is the way they have expanded the definition of the problem space into the user experience. Hence, this isn’t just about tweaking blue widgets to breach defences but includes scamming, disinformation, and the whole panorama of threats posed by content and its use.”
The UK will seek to take a greater role in defining international standards, too, (remember September when reporting emerged of the NSA using standards bodies to build encryption backdoors into commercial products?) as well as developing home-grown technologies (including the design of new AI microprocessor(!)). Meanwhile, on ransomware, there’s much stronger language on the payment of ransom demands: “Law enforcement do not encourage, endorse, nor condone the payment of ransom demands.”
Amazon suffered three noticeable outages, in particular at the company’s US-EAST-1, North Carolina data centre. This caused disruption for a huge number of companies, and their customers, that rely on Amazon’s cloud services: Amazon warehouse and delivery operations were affected, Netflix and Disney Plus were affected, Roomba vacuum cleaners stopped working, electric vehicles stopped charging, and many, many more sites and services. The outage of a whole region, rather than an isolated service (such as S3 seen before), has reignited discussion about AWS as a single point of failure and the risk associated with a single organisation having such an outsize global impact.
A ‘zero-day’ vulnerability in the extremely common Java library Log4j has been discovered, and a proof-of-concept dropped on Twitter, which gives remote attackers the ability to execute commands on computers running the code. Log4j provides developers with an easy way to generate and store log files for their applications and the flaw, dubbed Log4Shell, exploits functionality that allows for data to be enriched using custom code. For example, log files could be made to automatically look up a customer name and contact information from a customer number, and so on. Google’s open-source team have been scanning Maven Central, a Java package repository, and found that over 35,000 packages (around 8% of the ~440K in the repository) contain Log4j. 13% of those vulnerable have now updated their project to include a newer version of the Log4j library, but the nature of nested projects and dependencies complicates things: only 7,000 of those 35,000 packages contain Log4j as a direct dependency, while the remaining 28,000 packages contain it as a dependency between two and nine levels deep.
In total, so far, three vulnerabilities and patches have now been released for Log4j. Log4j is everywhere and it is a really sucky way to end the year for many IT and infosec teams.
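An added example (not from Google's analysis or this newsletter) for the direct-versus-nested point above: a Python parser for the text tree printed by Maven's `mvn dependency:tree`, reporting each occurrence of log4j-core with its depth and the chain of packages that pulls it in. The sample output is constructed, its `com.example` coordinates are made up, and `0.0.0-sample` is a placeholder version.

```python
import re

# Constructed sample in the layout printed by `mvn dependency:tree`,
# with one tree per module. Coordinates and versions are placeholders.
SAMPLE_TREE = r"""[INFO] com.example:shop:jar:1.0.0
[INFO] +- com.example:web-starter:jar:1.4.0:compile
[INFO] |  +- com.example:http-client:jar:2.2.0:compile
[INFO] |  |  \- com.example:audit-logger:jar:0.9.1:compile
[INFO] |  |     \- org.apache.logging.log4j:log4j-core:jar:0.0.0-sample:compile
[INFO] |  \- com.example:json:jar:3.0.0:compile
[INFO] \- com.example:test-kit:jar:1.1.0:test
[INFO] com.example:batch:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:0.0.0-sample:runtime
[INFO] \- com.example:json:jar:3.0.0:compile
"""

TARGET = ("org.apache.logging.log4j", "log4j-core")
# Each level of nesting is a three-character unit ("|  " or "   "),
# followed by the "+- " or "\- " marker and the artifact coordinate.
NODE_RE = re.compile(r"^((?:[| ] {2})*)[+\\]- (\S+)")


def find_target(tree_text, target=TARGET):
    """Return one record per occurrence of `target`, with its depth and path."""
    findings, stack = [], []
    for raw in tree_text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        node = NODE_RE.match(line)
        if node is None:
            # A coordinate with no tree marker is the root of a new module.
            token = line.strip().split(" ")[0]
            if token.count(":") >= 3:
                stack = [token]
            continue
        if not stack:
            stack = ["unknown:unknown:jar:0"]  # tree fragment without its root line
        depth = len(node.group(1)) // 3 + 1
        coord = node.group(2)
        del stack[depth:]  # drop siblings and deeper nodes from the current path
        stack.append(coord)
        parts = coord.split(":")
        if (parts[0], parts[1]) == target:
            findings.append({
                "module": stack[0],
                "version": parts[-2],
                "scope": parts[-1],
                "depth": depth,
                "kind": "direct" if depth == 1 else "transitive",
                "path": [c.split(":")[1] for c in stack],
            })
    return findings


if __name__ == "__main__":
    for f in find_target(SAMPLE_TREE):
        print(f["kind"], f["depth"], " -> ".join(f["path"]), f["version"])
```

For a transitive finding, the path shows which intermediate package has to ship an update, or where an override of the nested version is needed.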
If you’re looking for more to read up, Motherboard’s ‘Cyber Jealousy List’ contains summaries and links to all the stories that they wish they had written. From Ramon Abbas, aka Hushpuppi, and his downfall to China’s hacking of Uyghurs’ mobile phones, to the ‘opportunities and obstacles’ women face at NSA and Cyber Command to Joe Tidy’s travels to Russia in search of Evil Corp members, there are plenty more brilliant stories that are well worth reading and reflecting on vice.com.
Plus allow me a little self-indulgence with burrowing beavers block browsing by breaking B.C. borough’s broadband backhaul and this excellent police analyswiss.
And with that volume 4 of Robin’s Newsletter comes to a close. Thank you so much for subscribing, for sharing your contributions, feedback and endorsements. And perhaps most importantly, thank you for the time you put into reading it: I hope it continues to be relevant, interesting and useful!
Happy Holidays and, however you’re celebrating, I wish you a wonderful New Year.
See you at 7pm next
Sunday year :-)