Cyberweekly #141 - Developing cyber skills in a global world

Published on Sunday, March 21, 2021

I often try to steer away from geopolitics on here for a whole bunch of reasons, but primarily because I'm at best an armchair watcher who reads a lot, rather than an educated commentator.

Geopolitics around how states interact with each other is hugely complex, and cybersecurity journalists and news outlets are unnecessarily reductive about it in many cases. "US good, China bad" is the theme of many western writers, and it's rare to find anyone attempting to look at the system as part of a multifaceted and complex area.

States are required to interact with one another in many ways, from agreeing on climate change, international trade, attendance at the United Nations and overseas aid, to of course agreement on the norms of conflict in the cyber arena.

In some areas, we may be in competition with other states, but in others we need to cooperate, and we need to be able to stand up and decry the behaviours of certain states without significant chilling of relations in all other areas.

Steve Yegge produced one of the most blistering essays on the lack of US recognition of just how well China is succeeding in world business stakes. His key point comes back to the fact that China has heavily invested into education, ensuring that it has a smart and capable workforce over multiple generations, whereas the US has continued to make basic and advanced education increasingly difficult to access for those without pre-existing money and privilege.

In a globally interconnected cyber world, it's hard to see how we can continue to compete on a world stage if we don't step up our investment in education, in ensuring that the smartest, regardless of social background, are able to access the education that they need.

    Hurricane China: How to prepare. I’m about to say some stuff that’s… | by Steve Yegge | Mar, 2021 | Medium

    https://steve-yegge.medium.com/hurricane-china-how-to-prepare-8f15ed3d5cde

    Here in the US, everyone is largely ignoring China, and they are doing so at their peril. China is the biggest and most organized economic, political, and soon, military force in the world. China does things very, very differently from the US and Europe, and ideologically they are also very different. So it’s very easy to be dismissive about them. It’s even easier to hate on China because you don’t like their policies. I can tell you right now: That’s dumb. It’s like hating a hurricane. It’s like hating tornadoes. There’s absolutely ZERO point in hating a hurricane. It gets you nowhere. What you have to do is prepare for a hurricane. That’s literally all you can do. You can’t stop it from coming. You can’t pretend it away. You need to prepare. China has been poor for a long, long time. For generations. And now they are rich beyond your wildest imagination. Their big cities make every single city in the US look like a dirty smelly armpit.

    This blistering and well articulated essay in essence argues that the west is failing in the cultural, economic and social conflict with China primarily because we fail to invest sufficiently in education. Whether or not you agree with Steve Yegge's conclusions about how to act, his articulation of our current global context is a very good summary of where we are and how that global context will affect us all.

    Old Vulnerabilities Open the Door for WannaCry Ransomware - Security Boulevard

    https://securityboulevard.com/2020/12/old-vulnerabilities-open-the-door-for-wannacry-ransomware/

    One of the more surprising statistics to come from this report was the continued threat of WannaCry ransomware. There is no surprise about ransomware attacks on the network; 2020 has seen a 700% rise in ransomware attacks from the same point last year.

    “Not only has the number of ransomware attacks increased, but ransomware has continued evolving, with some of the most popular forms of ransomware last year having disappeared while new forms of ransomware have emerged. In some cases, these are even more disruptive and damaging,” according to an article in ZDNet.

    However, 26% of companies Positive Technologies tested were vulnerable to WannaCry, which was a threat years ago, and some even vulnerable to Heartbleed. "The most frequent vulnerabilities detected during automated assessment date back to 2013–2017, which indicates a lack of recent software updates," the report stated.

    Again, I'll emphasise how big a deal it is that the Exchange vulnerabilities have been patched in something like 75% of exposed systems.

    Barcode Scanner Android App Pushed Malware Onto Millions

    https://gizmodo.com/barcode-scanning-app-for-android-pushed-malware-onto-mi-1846221452

    Until recently, Barcode Scanner was a straightforward application that provided users with a basic QR code reader and barcode generator, useful for things like making purchases and redeeming discounts. The app, which has been around since at least 2017, is owned by developer Lavabird Ltd., and claims to have over 10 million downloads, the Wayback Machine shows.

    However, a rash of malicious activity was recently traced back to the app. Users began noticing something weird going on with their phones: their default browsers kept getting hijacked and redirected to random advertisements, seemingly out of nowhere. For a number of people, it wasn’t clear what was causing the disruptions—as many hadn’t recently downloaded any apps. After enough peeved victims wrote about their experiences on a web forum, one user ultimately pointed the finger at Barcode.

    Researchers with Malwarebytes have verified the scanner is the culprit, releasing a new report that shows it delivered

    This is somewhat of a nightmare scenario. We test and approve applications for our corporate systems, but what confidence do we have that malware won't be introduced into the device through an update three years down the line? The app store providers need to work harder on their approval processes to prevent this happening.

    IBM X-Force Threat Intelligence Index | IBM

    https://www.ibm.com/security/data-breach/threat-intelligence

    The #1 threat was ransomware: Ransomware was the top threat type, comprising 23% of attacks. Sodinokibi (REvil) ransomware alone reaped a conservative profit estimate of USD 123 million.

    35% of attacks leveraged vulnerabilities: Scan-and-exploit was the #1 initial attack vector, surpassing phishing, the top attack vector in 2019.

    This is an interesting report from IBM's X-Force. Ransomware continues to be a huge threat type, and it often gets in through large, indiscriminate scan-and-exploit campaigns. Remember that patching your network border, and mitigating and reducing your exposure to scans, is going to be important in the years to come.

    The oddest part of this report is the conflation of "cloud", "open source" and "Linux". As far as I can tell, the report notes that there are more malware varieties targeting Linux, which is what people run on their cloud providers, leading to the headline quote "Cybercriminals are moving to the cloud", which is, I think, a slight misreading of the data.

    The rise of malware running on Linux seems focused on cryptominers, but there are Linux ransomware variants coming as well.

    Belgian and Dutch police take down encrypted criminal chat platform Sky ECC | The Record by Recorded Future

    https://therecord.media/dutch-and-belgian-police-take-down-encrypted-criminal-chat-platform-sky-ecc/

    Dutch Police said Sky ECC launched last year after a similar police investigation shut down Encrochat, a company that provided a similar secure platform and encrypted phones to cybercriminals.

    Officials said that many criminal gangs moved from Encrochat to Sky ECC, and the new company amassed more than 70,000 users by the end of 2020, with more than 11,000 located in the Netherlands and another 6,000 in Belgium.

    Sky ECC’s main product was its proprietary messaging mobile app that allowed gang members to exchange encrypted communications via a private global network of servers.

    Customers could install the app on Android, BlackBerry, and iPhone devices, and the app would prevent their data from being leaked to the underlying OS or other phone trackers.

    In addition, customers could also buy custom phones that had already been secured by Sky ECC, which had no cameras, GPS sensors, and did not allow users to install third-party apps. These phones, which cost between 800 and 2,200 euros to rent for a period of six months, also included a panic button to erase all their content in case of emergency or an arrest.

    This is a pretty nifty attack on a supply chain. The update to this article includes a remarkably defensive statement from Sky that says that the police didn’t break the underlying technical encryption, but simply cloned the system and distributed the duplicate devices into the criminal market.

    Those underground "dark markets" for buying and selling devices will always have a problem of trust, because law enforcement is highly motivated to compete with real underground sellers, and to provide a better platform and device for criminals to use in order to gather as much information as they can on the users.

    Is K-Anonymised Patient Information Safe? | by Sonal Patel | Mar, 2021 | Medium

    https://medium.com/@_ssana0/is-k-anonymised-patient-information-safe-e7de8384d4bd

    After suppressing all patient names, and generalising all ages to be within 10-year ranges, we can now say our dataset is 2-anonymous. Thus, any insensitive information we know about Natasha now matches at least two separate records — no individual patient record can be reidentified from their sensitive information. If we were to go a step further and generalise the area, we would be able to create a 3-anonymous dataset.

    This is a good introductory read into k-anonymity, and touches on the risks of assuming that it provides "perfect privacy".

    An attacker with outside information can still use your "pseudonymous dataset" to infer facts about the people in it: what they already know about a person, combined with your quasi-identifiers, narrows the candidates down to a far smaller set of records, and if every record in that set shares the same sensitive value, the attacker learns it outright.
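    The generalisation steps the article walks through, and the linkage risk above, as an added worked example (this is not code from the article; the patient records are constructed, and the field names, area codes and the `k_anonymity`/`link` helpers are my own assumptions):

```python
from collections import Counter

# Constructed sample records (not real patients). `condition` is the
# sensitive attribute; name, age and area are the quasi-identifiers an
# attacker might already know from outside sources.
RECORDS = [
    {"name": "Natasha", "age": 34, "area": "N1 3", "condition": "asthma"},
    {"name": "Chen",    "age": 31, "area": "N1 3", "condition": "asthma"},
    {"name": "Omar",    "age": 37, "area": "N1 7", "condition": "diabetes"},
    {"name": "Sam",     "age": 39, "area": "N1 7", "condition": "hypertension"},
    {"name": "Priya",   "age": 52, "area": "N1 3", "condition": "hypertension"},
    {"name": "Aisha",   "age": 55, "area": "N1 3", "condition": "diabetes"},
    {"name": "Liam",    "age": 58, "area": "N1 7", "condition": "asthma"},
    {"name": "Rosa",    "age": 50, "area": "N1 7", "condition": "hypertension"},
]

def age_band(age):
    """Generalise an exact age to a 10-year range such as '30-39'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"

def generalise(records, area_chars=None):
    """Suppress names, bucket ages into 10-year ranges and optionally
    truncate the area code to its first `area_chars` characters."""
    out = []
    for r in records:
        area = r["area"] if area_chars is None else r["area"][:area_chars]
        out.append({"age": age_band(r["age"]), "area": area,
                    "condition": r["condition"]})
    return out

def k_anonymity(records, quasi_ids=("age", "area")):
    """Size of the smallest equivalence class over the quasi-identifiers:
    the dataset is k-anonymous for every k up to this value."""
    classes = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(classes.values())

def link(records, age, area, area_chars=None):
    """What an attacker who knows a target's exact age and area learns from
    the generalised dataset: the sensitive values of every record that is
    consistent with that outside knowledge. One value means the condition
    is disclosed even though k > 1 (a homogeneity attack)."""
    band = age_band(age)
    area = area if area_chars is None else area[:area_chars]
    return sorted({r["condition"] for r in records
                   if r["age"] == band and r["area"] == area})
```

    Suppressing names and banding ages makes these constructed records 2-anonymous, and truncating the area to "N1" raises that to 4; but an attacker who knows Natasha is 34 and lives in "N1 3" still recovers her condition from the 2-anonymous version because both matching records say "asthma".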

    WeLeakInfo Leaked Customer Payment Info — Krebs on Security

    https://krebsonsecurity.com/2021/03/weleakinfo-leaked-customer-payment-info/

    The biggest potential gold mine for de-anonymizing Maza members is the leak of user numbers for ICQ, an instant messaging service formerly owned by AOL that was widely used by cybercrime forum members up until around 2010. That’s about when AOL sold the platform in 2010 to Russian investor DST for $187.5 million.

    Back then, people often associated their ICQ numbers to different interests, pursuits and commerce tied to their real life identities. In many cases, these associations are on public, Russian language forums, such as discussion sites on topics like cars, music or programming.

    In a common inadvertent exposure, a cybercriminal happens to make an innocuous post 15 years ago to a now-defunct Russian-language automobile forum.

    That post, preserved in perpetuity by sites like archive.org, includes an ICQ number and says there’s a guy named Sergey in Vladivostok who’s selling his car. And the profile link on the auto forum leads to another now-defunct but still-archived personal site for Sergey.

    Interestingly, services like WeLeakInfo can just as easily be used against cybercriminals as by them. For example, it’s likely that the database for the automobile forum where Sergey posted got compromised at some point and is for sale on sites like WeLeakInfo (there are active competitors).

    This model of "jigsaw identification", taking bits of data from different data sets and putting them together like a jigsaw to build up a picture of someone, is a real risk to cyber criminals. Each time they share a small factoid, from a band they like to a quote from a favourite movie, they make it easier for open source investigators with access to large social databases to narrow down their pool of suspects.

    GitHub - jonasstrehle/supercookie: ⚠️ Browser fingerprinting via favicon!

    https://github.com/jonasstrehle/supercookie

    Supercookie uses favicons to assign a unique identifier to website visitors. Unlike traditional tracking methods, this ID can be stored almost persistently and cannot be easily cleared by the user.

    The tracking method works even in the browser's incognito mode and is not cleared by flushing the cache, closing the browser or restarting the operating system, using a VPN or installing AdBlockers.

    Inspiration: paper by scientists at the University of Illinois, Chicago: www.cs.uic.edu

    Browsers are starting to deal with this kind of threat model, but it's hard for them to deal with. The sharing of the cache between incognito mode and non-incognito mode is particularly worrying from a privacy perspective.

    This isn't just a worry about "personal browsing"; it also matters for things like travel sites that want to track whether they have given you a quote before, airline sites that want to set your prices, and organisations that want to A/B test their users.

    About the only foolproof system for dealing with this is something like Tails, the amnesic distribution which discards all local storage and state on every reboot, but even that can still be tracked within a single session.

    GitHub - pry0cc/axiom: The dynamic infrastructure framework for everybody! Distribute the workload of many different scanning tools with ease, including nmap, ffuf, masscan, nuclei, meg and many more!

    https://github.com/pry0cc/axiom

    Axiom is a dynamic infrastructure framework to efficiently work with multi-cloud environments, build and deploy repeatable infrastructure focussed on offensive and defensive security.

    Axiom works by pre-installing your tools of choice onto a 'base image', and then using that image to deploy fresh instances. From there, you can connect and instantly gain access to many tools useful for both bug hunters and pentesters. With the power of immutable infrastructure, most of which is done for you, you can just spin up 15 boxes, perform a distributed nmap/ffuf/screenshotting scan, and then shut them down.

    This is a lovely little tool, almost infrastructure-as-code management, but designed explicitly for parallelisable tasks: spinning up lots of machines and then controlling them.