Robin’s Newsletter #256

14 May 2023. Volume 6, Issue 20
Russian APT malware disabled. MSI compromise included important crypto keys. EU CSAM plans may be unlawful.

This week

Snake takedown deprives Kremlin of sophisticated espionage capability

  • The FBI announced this week that it has disabled the Snake malware used by Russian intelligence. The operation, dubbed Medusa, targeted the malware used by Turla, a unit of Russia’s Federal Security Service, to conduct espionage against government, military and defence targets on hundreds of computer systems in over 50 countries.
  • Since 2016, the FBI has been analysing how the malware works and building a tool called Perseus to identify Snake-related traffic and infections. The malware is sophisticated — an accompanying threat intel report from the NSA (PDF) is respectful of the system’s architecture and capabilities — and used a peer-to-peer method of communication, similar to file sharing services or the Tor privacy network.
  • Ultimately, the FBI was able to identify weaknesses in the communication method that allowed them to issue a command as if they were the Kremlin, causing the malware to overwrite part of its own code on infected machines and essentially neutralising it on every infected computer around the world.

Interesting stats

$1.5 million (£1.2 million): the average ransomware payment, up from $812,000 a year earlier, according to a Sophos survey of 3,000 senior IT and cyber security professionals.

Other newsy bits / in brief

MSI compromise included private keys

  • Computer hardware manufacturer MSI (Micro-Star International) experienced a ransomware attack last month; now it’s been found that attackers stole two important digital signing keys. The first key is used by the company to sign its firmware so that users can verify the authenticity of any updates before installation. The second private key is used in its implementation of Intel Boot Guard, which prevents malicious firmware from being loaded.
  • It’s been a bad year for MSI, with it coming to light in January (vol. 6, iss. 4) that the company had been shipping firmware with default settings that would nullify Secure Boot, which protects against UEFI rootkits and sets up the ‘trust chain’ used by the operating system.
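As an added illustration (not code from the newsletter, MSI or Intel), the following Go program models the device-side check that a firmware signing key underpins, and why a leaked key is so serious: a verifier that only accepts images signed by a trusted key still accepts anything an attacker signs with that same key, so the vendor’s remedy is to revoke the key’s ID on devices and rotate to a new one. Ed25519, the hash-derived key ID and the update structure are assumptions chosen for brevity; all keys and images are generated in the program and stand in for real ones.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Sentinel errors so callers can tell why an update was rejected.
var (
	ErrUnknownKey   = errors.New("signed by a key this device does not trust")
	ErrRevokedKey   = errors.New("signed by a key the vendor has revoked")
	ErrBadSignature = errors.New("signature does not match the image")
)

// KeyID derives a short identifier from a public key (assumed scheme) so an
// update can name the key that signed it and the verifier can look it up.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Update is a constructed stand-in for a firmware update package.
type Update struct {
	Image     []byte
	KeyID     string
	Signature []byte
}

// Sign builds an update package the way a vendor's release pipeline would.
func Sign(priv ed25519.PrivateKey, image []byte) Update {
	pub := priv.Public().(ed25519.PublicKey)
	return Update{Image: image, KeyID: KeyID(pub), Signature: ed25519.Sign(priv, image)}
}

// Verifier is the device-side check: the vendor public keys it trusts plus
// the IDs of keys the vendor has since revoked.
type Verifier struct {
	trusted map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewVerifier() *Verifier {
	return &Verifier{trusted: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

// Trust adds a vendor key and returns its ID.
func (v *Verifier) Trust(pub ed25519.PublicKey) string {
	id := KeyID(pub)
	v.trusted[id] = pub
	return id
}

// Revoke marks a key ID as no longer acceptable, whatever it signed.
func (v *Verifier) Revoke(id string) { v.revoked[id] = true }

// Verify rejects an update unless it was signed by a trusted, unrevoked key
// and the signature covers exactly the image bytes presented.
func (v *Verifier) Verify(u Update) error {
	if v.revoked[u.KeyID] {
		return ErrRevokedKey
	}
	pub, ok := v.trusted[u.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, u.Image, u.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Outcome records what the device decides at each stage of the scenario.
type Outcome struct {
	Genuine, Tampered, Foreign, LeakedAfterRevoke, Rotated error
}

// Scenario walks one device through a key leak and the vendor's response.
func Scenario() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader) // the key that later leaks
	if err != nil {
		return Outcome{}, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // a key the vendor never published
	if err != nil {
		return Outcome{}, err
	}
	newPub, newPriv, err := ed25519.GenerateKey(rand.Reader) // replacement key after rotation
	if err != nil {
		return Outcome{}, err
	}

	dev := NewVerifier()
	oldID := dev.Trust(vendorPub)
	var o Outcome

	genuine := Sign(vendorPriv, []byte("constructed firmware image v1.0"))
	o.Genuine = dev.Verify(genuine)

	// Flip one byte of a signed image: the signature no longer matches.
	tampered := genuine
	tampered.Image = append([]byte(nil), genuine.Image...)
	tampered.Image[0] ^= 0xff
	o.Tampered = dev.Verify(tampered)

	// An image signed with a key the device never trusted is refused outright.
	o.Foreign = dev.Verify(Sign(otherPriv, []byte("constructed image")))

	// Once the vendor knows the key is compromised it revokes the ID; anything
	// signed with that key, old or new, is now refused even if it was genuine.
	dev.Revoke(oldID)
	o.LeakedAfterRevoke = dev.Verify(genuine)

	// The device learns the replacement key and accepts updates signed with it.
	dev.Trust(newPub)
	o.Rotated = dev.Verify(Sign(newPriv, []byte("constructed firmware image v1.1")))
	return o, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v\ntampered: %v\nforeign: %v\nafter revocation: %v\nrotated: %v\n",
		o.Genuine, o.Tampered, o.Foreign, o.LeakedAfterRevoke, o.Rotated)
}
```

The hard part the program leaves out is distribution: the revocation and the replacement public key have to reach devices over a channel the holder of the leaked key cannot forge, which is why vendors plan for this with a separate, offline root key or hardware-backed fuses rather than relying on the compromised key to deliver its own replacement.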

EU child sexual abuse scanning plans deemed unlawful

  • Internal legal advice to the European Union over controversial client-side scanning (sometimes called ‘chat control’) for child sexual abuse material was leaked online this week. The legal opinion deemed it ‘highly probable’ that screening obligations would become “general and indiscriminate,” rather than targeted and proportionate, and “a particularly serious interference with fundamental rights”.
  • A previous ruling from the European Court of Justice that screening communications metadata is “proportionate only for the purpose of safeguarding national security” was also cited, warning that the legislation would likely be annulled if challenged.
  • The undesirable effects of the prerequisite weakening of cyber security measures, such as end-to-end encryption, and the de facto need to profile every user to determine whether or not they are a child, were also cited as significant issues with the proposed legislation.

In brief

  • The Eurovision Song Contest broadcast without a hitch on Saturday night, after the BBC and NCSC took steps to mitigate the risk of cyber-attack against the cultural phenomenon watched by hundreds of millions around the world. (In 2019 the Israeli TV feed was compromised and broadcast a fake missile alert.)

  • Toyota has admitted to exposing the personal data of over 2 million customers for a decade. The data, which includes email, vehicle location and timestamp, and some video, affects vehicles in Japan that used the car maker’s Connected Cloud and Lexus’s G-Link services. Toyota says that it has not seen any reports of the data being obtained following the misconfiguration and that it would introduce a system to monitor its cloud services, suggesting it may not categorically know.

  • Capita has said that the financial impact of its recent cyber attack is expected to be up to £20 million. The update to markets included a nonsensical statement that “less than 0.1% of its server estate” was affected, and the FT reports that Capita declined to confirm the number of servers or volume of data that was leaked. One Capita customer, Universities Superannuation Scheme, has said that details of 470,000 ‘active, deferred and retired’ pension scheme members may have been accessed.

  • An interesting integrity risk scenario here… Spotify has removed ‘tens of thousands’ of songs generated by AI and being boosted by bots faking listens. Moderation of such synthetic ‘user’ generated content will be an increasing problem, I think, for companies with a marketplace business model.

  • A former engineer at networking business Ubiquiti has been handed a six-year prison sentence. Nickolas Sharp tried to anonymously extort his employer, demanding $1.9 million, after stealing ‘tens of gigabytes’ of data (vol. 6, iss. 6). Having got caught, Sharp admitted that he did it for financial gain before also mounting a defence that his actions were an ‘unsanctioned security drill’.

  • Operational technology firm ABB has allegedly suffered a ransomware attack. The Black Basta group is believed to be responsible for the attack, with reports that the company’s office network and Active Directory servers were compromised.

  • Two million websites running the Advanced Custom Fields plugin for WordPress are susceptible to cross-site scripting (XSS). The vulnerability, tracked as CVE-2023-30777 (CVSS score 6.1/10), may allow attackers to steal information like administrator session information that can be used to take over the site.

  • Millions of cheap Android phones and smart devices from lesser-known brands ship pre-infected with malware, according to research presented at Black Hat Asia this week.

  • The White House announced this week that leading AI companies will be making their systems available for public testing at DEF CON 31 in August this year. Top marks to everyone at the White House, DEF CON, and OpenAI, Microsoft, Google, et al. working behind the scenes to make this happen.

  • OpenAI is to offer a tailored version of ChatGPT with a privacy feature that will prevent data leakage. In less good news, it will be a premium feature, potentially costing up to 10x the existing ChatGPT Plus subscription fee of $20/month. (H/T Tim)

  • A certification scheme being developed by ENISA, the European Union’s cyber security agency, may require majority ownership of services to be EU-based, with employees residing within the bloc. Adopting a certified provider may, with time, be mandated for specific activities (e.g. in government, defence and critical infrastructure) and would mean that the ‘big 3’ of Amazon, Google and Microsoft would need to form a joint venture with a firm in-region to provide services to organisations mandating the certification.

  • The US has seized the domain of Try2Check, a criminal service used to validate whether stolen payment cards have been cancelled, and issued a $10 million bounty on its operator, a Russian national called Denis Kulkov. Authorities say Kulkov has made around $18 million from the site over the last 18 years. Separately, the FBI, UK National Crime Agency, and other international law enforcement bodies also seized thirteen DDoS-for-hire platforms as part of a global crackdown called Operation PowerOFF.

And finally

  • Trust HP to find a way to make printers even worse by issuing a firmware update that makes customers’ devices refuse to print unless they are using genuine HP printer cartridges. Per The Telegraph, the update is to reduce the risk of malware attacks. (H/T Daniel)
