This week
Coronavirus and the cyber-crime economy
It is oft-quoted that organisations face an asymmetric threat (attackers need only succeed once; defenders need to get it right every time.) With such language, it is easy to extend that to a belief that cyber threat actors themselves are somehow infinitely scalable, too.
That is not to say that the threat profile of many organisations hasn’t changed overnight with the widespread adoption of remote working practices. New attack vectors are to be found as new technology is adopted. Organisational reliance on VPN and Remote Desktop solutions makes them more vulnerable to denial of service. And the heightened emotional states (be it from concern for family, or stress of isolation) are certainly what criminals are seeking to exploit with a range of COVID-19 related lures and scams.
The UK National Cyber Security Centre (NCSC) and US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory outlining some of the tactics, techniques and procedures being used by malicious actors to try attack individuals and organisations. (The advisory includes technical indicators of compromise (IOCs) that may be useful to IT and security teams.)
The Australian Signals Directorate (ASD) has announced they are using offensive cyber capabilities to disrupt the operations of cyber-criminals seeking to exploit the global pandemic.
According to Microsoft, just 2% of malicious spam (malspam) is now using COVID-19 themed lures to entice users to click links. They go on to say the overall level remains the same: cyber-criminals are just pivoting to take advantage of the pandemic. As the initial feverous media coverage of graphs and data has subsided and those under lockdown measures are becoming used to new daily routines, perhaps these will become less effective.
Meanwhile, adverts on cyber-crime forums are offering discounts of 20-40, and free trials of their services. (The world of cyber-crime is well established and you can buy specialised services, with guarantees and service levels, in much the same way as you can buy products on Amazon or eBay.)
Cyber-criminals have proven themselves to be extremely agile in adapting to changing circumstances and adopting new ways of operating. So we should not examine rapid increases in campaigns around a new theme in isolation (sorry!)
Time will tell if the discounts tempt in new buyers: if the overall threat level does remaining broadly static, as Microsoft claims, then this may mean a drop in the cyber-crime economy (estimated at $1.6B annually.)
Rather than a field-day for criminals, it would signal ties to the shrinking global economy and paint them as ‘struggling’ like many legitimate businesses around the world.
ncsc.gov.uk, cisa.gov, cyberscoop.com (ASD), zdnet.com (malspam), cyberscoop.com (discounts)
Interesting stats
$2.3M ransom payment allegedly made by Travelex to Sodinokibi group to bring systems back online following attack earlier this year (vol 3, iss. 1), according to the Wall Street Journal bleepingcomputer.com
Other newsy bits
US Senate bans Zoom, investor lawsuits, and value of zed-day exploits
The FT reports that the US Senate has joined other organisations including Google in banning the use of Zoom’s video conferencing software for official business. It’s a move which makes sense if you’re the US Senate and worried about foreign espionage. The majority of organisations will not be of such interest to intelligence agencies though.
Sticking with the trust-risk discussed last week (vol. 3, iss. 14) Zoom faces another lawsuit for ‘overstating’ security measures and misleading investors.
Despite the slightly misleading headline, Vice Motherboard’s articles on interest in ‘zero-day’ exploits in video conferencing services, like Zoom, has some interesting data points. On the economic benefits, these exploits will sell for ~$30,000 — compared to $500,000 for web browser software like Chrome — and with Zoom now spending the next three months reviewing and improving security practices and protocols that investment could soon become worthless.
CNET has a running catalogue of Zoom’s media coverage.
ft.com, techcrunch.com, vice.com, cnet.com
FCC asked to revoke China Telecom license; Rostelecom hijacks traffic for 200 CDNs
The Department of Justice (DoJ) is asking regulator the Federal Communications Commission (FCC) to revoke China Telecom’s license to operate in the US. The action cites repeated BGP hijacks, where a telecom ‘announces’ incorrect routes to networks and services. You can think of BGP routes as being the equivalent to flight routes operates by airlines: different companies operate via different airports that are more, or less direct.
Sometimes accidental ‘route leaks’ occur and are quickly fixed. Other times they can go on for weeks or months and seem more suspicious, such as China Telecom advertising itself as the best route for traffic travelling between Canadian and Korean government sites. (You wouldn’t fly from Toronto to Seoul via Beijing and Shanghai.)
Another example of such BGP hijacking occurred this week when Russian state-owned Rostelecom announced it was the route to over 200 content delivery networks (CDNs) for an hour.
Internet infrastructure in both China and Russia is more tightly controlled, with fewer points of interconnection and Russia successfully testing its ability to ‘disconnect from the Internet.’ This ‘digital Balkanisation’ gives both governments greater control of what content is accessible and makes it easier to monitor traffic entering and leaving their territory.
Protecting against BGP hijacks is one of the objectives of the UK NCSC’s Active Cyber Defence programme (vol. 1, iss. 19.)
cyberscoop.com, zdnet.com (China Telecom), zdnet.com (Rostelecom)
In brief
Attacks, incidents & breaches
- Usernames and passwords stolen in skimming-style attack on two San Francisco Airport websites bleepingcomputer.com
- Files stolen from defence contractor Visser Precision published online by DoppelPaymer group after failure to pay ransom demand theregister.co.uk
Threat intel
- ‘Perfect 10’ vulnerability in VMware vCenter Server; patch now bleepingcomputer.com, vmware.com (VMSA-2020-0006)
- 80% of Microsoft Exchange servers still unpatched against critical vulnerability (CVE-2020-0688) fixed in February; being actively exploited by APT groups bleepingcomputer.com
Security engineering
- Guide on VPN split tunnelling to ease load on corporate networks when accessing Office 365 microsoft.com
- Cloudflare ditching reCAPTCHA for hCaptcha as Google start charging site for sites with 1M+ API calls/month theregister.co.uk, google.com
- Google joins Apple in proposal to standardise SMS-based one-time passcodes used 2FA/MFA zdnet.com
- Microsoft stumps up cash for corp.com domain (vol. 3, iss. 6) to avoid namespace collision and protect customers krebsonsecurity.com
- NCSC guide on cloud backups to mitigate threat of ransomware ncsc.gov.uk
- Atlassian advice on securing Jira Service Desks theregister.co.uk
Privacy
- British Airways and Marriott dat protection fines deferred again by UK ICO theregister.co.uk
Public policy
- Messaging app Signal indicates it may leave US market if EARN-IT act passes, creating leverage to undermine end-to-end encryption signal.org
- Dive into constitutional constraints one German military cyber operations (both defensive and offensive) lawfareblog.com
Law enforcement
- Dutch police took down 15 DDoS service providers in the last week zdnet.com
Mergers, acquisitions and investments
- Vulnerability disclosure platform BugCrowd closes $30M series D funding round techcrunch.com
- Accenture buys Revolutionary Security for undisclosed sum (in 2019 Accenture spent $1.2B on 33 acquisitions) zdnet.com
And finally
3D printed fingerprints work 80% of the time
Finishing this week with some interesting research from the team at Cisco Talos. They have been testing fingerprint sensors on popular smartphones and laptops against 3D printed fingerprints. On average they succeeded 80% of the time, using equipment that cost less than $2,000. Most people, facing a typical ‘consumer’ threat needn’t worry - it’s time-consuming and requires access to your prints and phone to work - though if you’re coming up against law enforcement or intelligence services then you may want to consider a long passcode instead. wired.com