Cyberweekly #62 - The next big malware that wasn't

Published on Saturday, July 27, 2019

The sky is falling, BlueKeep will result in thousands of compromised computers, you must patch now.

Lots of people said that this would be the next WannaCry, but it hasn't materialised, and we don't really know why. I've outlined some of my thoughts below: attackers who have a working exploit don't want to waste it, because it's hard to build and valuable.

But what's the effect on defenders and executives when we react like this? If we don't make patching a normal activity, then we have to make a fuss and potentially spend a lot of money doing emergency patches to systems. If there are headlines about how every other organisation got compromised, that investment feels worth it; without those headlines, the extra spend feels like money wasted.

We need to ensure that patching and responding to the constant cyber threat news (and tech sites like nothing more than an amazing headline. FSB got hacked! Russians steal your face!) is just normal behaviour that doesn't require extra money and effort. If you have a regular patching cycle, the response to BlueKeep being announced should have been to say "Yeah, that patch will be deployed in our next patch cycle within the next few days/hours". Patching needs to be routine to make this easy and cost-efficient to do.

    U.S. Cyber Command simulated a seaport cyberattack to test digital readiness

    Roughly 100 of the professionals played as adversaries in the exercise. They used publicly available, open source malware to run malicious operations on targets and test whether defenders were properly hunting down the attackers. The goal was for red team attackers to ultimately simulate blocking a port from moving cargo, which they did, staff told reporters.

    As part of working through the scenario, members from the U.S. Coast Guard in the Hampton Roads region in Virginia also participated in an exercise to run through how they would respond to a real cyberattack on ports, Mauger said.

    Ports are frequently targeted by cyberattacks around the world. The world’s largest shipping company, Maersk, was hit with the NotPetya ransomware attack, costing the company 4,000 servers, 45,000 PCs and hundreds of millions of dollars in damages. Last year, several major ports around the world reported being victims of cyberattacks, including the Port of Barcelona and the Port of San Diego. The Coast Guard this month revealed that a vessel traveling through international waters was hit with a “significant” malware attack.

    We need to get better language here. It's well known that NotPetya was not targeting Maersk; it was targeting a Ukrainian accountancy software package, and Maersk was just collateral damage. Equally, ransomware attacks are often not highly targeted. The individuals carrying them out don't really care what business you are in; they are just looking for soft targets.

    This reporting makes it sound like the team drilled for handling a high tech jewel heist, because they are aware that lots of people mugged on the streets have their jewelry taken.

    Unauthorised messages posted via Met’s MyNewsDesk platform - Metropolitan Police

    The site is a micro site that is used to publish and distribute news from the Metropolitan Police. It can be used to generate emails and to send Tweets as well as publishing stories. The unauthorised content was sent out on Twitter and via email as well as appearing on the news site.

    In response to the incident we are working closely with Mynewsdesk and specialist Met cyber-crime investigators to fully understand what has occurred and if there are criminal offences. Immediate changes have been made to our accounts in response to the incident. There has been no compromise of the Met Police’s IT network.

    This is an interesting view of the "Met Police's IT network". They don't consider tools that aren't in the building to be part of their network.

    The scary part about this is that the MetPoliceUK Twitter account is one of those that can send a tweet flagged as an emergency notification. We don't know whether the attackers didn't know about that, or whether MyNewsDesk doesn't have the ability to check that box, but if it had been used, it could have been a lot worse.

    Introduction to OKRs [pdf]

    What Are OKRs?

    The acronym OKR stands for Objective and Key Results. The Objective is qualitative, and the Key Results (most often three) are quantitative. They are used to focus a group or individual on a bold goal.

    The Objective establishes a goal for a set period of time, usually a quarter. The Key Results indicate whether the Objective has been met by the end of the time.

    Lots of organisations are doing OKRs, but I rarely see very good understanding or internal training on what they are and why they work. This free book from O'Reilly is one of the best simple introductions to OKRs that I've read, and if your organisation is using them, especially if you are a manager responsible for setting and communicating OKRs to your team, you should read it.

    Active Cyber Defence (ACD): The Second Year - NCSC

    While the ACD programme is still young, we believe this report demonstrates the value of the new approach adopted by the government in the National Cyber Security Strategy. We are not expecting ACD interventions to be perfect, or to defend against every single type of cyber attack; other NCSC programmes (for example) disrupt targeted attacks from very sophisticated actors. However, we continue to believe that the ACD programme - by providing real services and generating real data and analysis - has to be a first step in demystifying cyber security, and beginning to tackle the impacts of cyber attacks at scale. As we described last year, cyber crime really does run on a return on investment model, and if we can affect that, we can demotivate attackers from targeting the UK.

    I take slight objection to the report from the NCSC claiming to demystify cybersecurity while simultaneously publishing a PDF formatted like an academic article, complete with classical graphs. Some tips from the State of Data Breaches report on how to visualise statistics would be good.

    However, there's a lot of good stuff in here, and it's nice to see the NCSC being transparent (if late) about how their systems are doing.

    Russia's Secret Intelligence Agency Hacked: 'Largest Data Breach In Its History' [misleading headline]

    BBC Russia broke the news that 0v1ru$ had breached SyTech’s servers and shared details of contentious cyber projects, projects that included social media scraping (including Facebook and LinkedIn), targeted collection and the “de-anonymization of users of the Tor browser.” The BBC described the breach as possibly “the largest data leak in the history of Russian intelligence services.”

    You can read the original BBC article for more information. Weirdly, the BBC Russia team broke this, but it didn't appear on BBC UK anywhere.

    Anyway, the headlines around this story are quite misleading. This wasn't actually the FSB that got hacked; it was a company that had done unclassified work for the FSB. Some of these are academic partnerships, some are commercial projects that got outsourced.

    The loss of this data is embarrassing, but it's not quite as large a data breach as is being made out.

    Stemming the flow: An urgent look at tackling a culture of leaks - Foreign Affairs Committee - House of Commons

    Sir Adam Thomson told us that the more robust secure systems (for documents classified higher than official) within the Foreign Office are ‘clunkier’ and Sir Peter Westmacott described it as a ‘bit of a clog dance to get access to it.’ If a secure system is impractical for the users then it may inadvertently have deterred users from utilising the system. Sir Simon McDonald confirmed that a new secure communication system Rosa had been rolled out already and that this system “is critically important to what happens next.”

    This is super important. When more secure systems are clunkier (and can I say how much I love the expression "a bit of a clog dance") than the less secure systems, people won't use them unless they really feel they should. If some of these documents had been marked Secret, then it's possible that the leak would not have happened.

    Lost in translation: Epic goes to Denmark - POLITICO

    As the go-live date of May 20, 2016 approached, Galster and his colleagues strongly argued for a delay. But the authorities followed what they described as Epic's strategy, “throw it all out there, fix the problems later, build the road while you’re traveling down it,” said Nils Jakob Knudsen, an endocrinologist who served as a clinical adviser for the installation.

    The system was turned on first at Herlev Hospital, a 28-floor tower overlooking Copenhagen’s northern suburbs — and created what Galster called “indescribable, total chaos.” Many who were there are still traumatized by having seen battle-hardened doctors and nurses weeping openly for days.

    “There were no pilots, no tests, just go-live,” said Galster. “I’ve worked on health IT for 20 years and never seen anything like it. This was worse than amateurish.”

    According to this writeup, this has been a disaster in the making. There are all kinds of issues with this programme, and the writeup covers a lot of them, but this rollout plan feels like one of the core contributors to the problem. I can see not wanting to do a phased migration because of the additional technical complexity and the worry about data being lost; however, for a project of this size, running a pilot and gathering user feedback is absolutely critical. The team could have employed people to manually transfer data from the pilot system to the old system and it would still have saved money while gathering feedback. That feedback might have meant that the system could work within the culture it's being deployed to.

    FaceApp Reveals Huge Holes in Today's Privacy Laws - The Atlantic

    FaceApp is the handiwork of a relatively unknown company in Russia—a provenance that, amid evidence of election interference and other misdeeds by Russian hackers, has raised widespread concerns in Washington. The Democratic National Committee and Senate Minority Leader Chuck Schumer are now calling out the app as a privacy threat.

    Which it is. Yes, you should stop using FaceApp, because there are few controls on how your data, including your face data, will be used. But the problems that FaceApp poses aren’t unique. Walking around anywhere can get your face included in facial-recognition databases. How that information can be mined, manipulated, bought, or sold is minimally regulated—in the United States and elsewhere.
    The suddenly ubiquitous portrait-aging app collects user-submitted photos and other user data and stores some or all of that data in cloud servers. In a response to criticisms of its privacy practices, FaceApp released a statement claiming that “most” photos are deleted within 48 hours. However, there are no legal guarantees for this in the privacy policy. Wireless Lab, which developed the app, also says users can request that their data be deleted, but the process for doing this is not noted in the policy either.

    FaceApp is run by a Russian company, and that means it must be bad. Shocker!

    Sadly, the way most of us responded to this is to think that if we solve the FaceApp problem, then we are safe again. But we haven't fixed the general problem: it's normal for applications to want access to your data and to be unclear about what they are going to do with it.

    Apple is slowly changing the permissions model, and of course users want the convenience. Some applications need access to your data to do what they do, but users struggle to understand this. FaceApp needs to look through your photos to be able to show you a list of photos, but in iOS you can't just give it access to one photo at a time.

    We need better models and more usable privacy as we get more and more of our lives onto these mobile devices, as this is only going to get worse.

    Chances of destructive BlueKeep exploit rise with new explainer posted online | Ars Technica

    One of the only things standing in the way of real-world attacks is the expertise required to write exploits that remotely execute code without crashing the computer first. Several highly skilled whitehat hackers have done so with varying levels of success, but they have kept the techniques that make this possible secret. Much of that changed overnight, when a security researcher published this slide deck to Github.

    "It basically gives a how-to guide for people to make their own RCE," independent researcher Marcus Hutchins told Ars, using the abbreviation for remote code execution. "It's a pretty big deal given that now there is almost no bar to stop people publishing exploit code."

    The explainer significantly lowers the bar even to developers who are "not very skilled at all," Hutchins said. That's because it shows how to solve one of the most vexing problems in successfully gaining code execution from BlueKeep—successfully carrying out an exploitation technique known as a heap spray against the vulnerable remote desktop service.

    I think that Hutchins is overestimating the ability of "not very skilled attackers", but again it's a reminder that you should definitely have patched this long ago.

    There is now information out there, although mostly in Chinese, and without some level of technical awareness it would still be hard to recreate this.

    Why Microsoft’s BlueKeep Bug Hasn’t Wreaked Havoc—Yet | WIRED

    State-sponsored groups may already be using it for quiet intrusions, but low-skilled criminals have yet to use it for wide-scale calamity. But that doesn't mean that a larger wave of BlueKeep exploitation isn't in store if—or when—the secret details of exploiting the Windows vulnerability leak out to a wider audience.

    "I would bet money that it's already being exploited quietly," says Marcus Hutchins, a malware researcher for security firm Kryptos Logic who has privately coded a working BlueKeep exploitation proof-of-concept. Like others who have tested the bug, Hutchins hasn't released his code for fear of enabling malicious use.

    Why hasn't it wreaked havoc? Because it's technically challenging, and that means a working exploit is worth money but is also hard to use. People who have it probably don't want to make a worm out of it, because they would lose the access they gain by using it.

    It's also unlikely to be featured in any major malware family anytime soon for the same reason: the more it's used, the more likely it is that people will actually patch and make the investment not worth it.

    The SIM Swapping Bible: What To Do When SIM-Swapping Happens To You - MyCrypto & CipherBlade via Medium

    MyCrypto and CipherBlade have collaborated on this article to help you understand the dangers of a SIM-jacking attack, how best to defend yourself against an attack, and how to recover from such an event. This article aims to be a “one-stop” article to read, reference, and share with your friends and colleagues. It's not short, but it's thorough.

    (Joel) Revised Directive on Payment Services (PSD2, EU 2015/2366) (among many other things) requires EEA banking institutions to implement Strong Customer Authentication (SCA) which is effectively saying banks must use multi-factor authentication (MFA, aka 2FA) when someone logs in to online banking, tries to send money online or otherwise does something that might be risky, where MFA can reduce fraud/abuse.

    Most EEA banks are implementing SMS-based MFA, which is about 75% better than no MFA, but not 'as good' as app-based TOTP (better), app-based pushes (even better) or hardware backed cryptography such as a YubiKey (best).

    There is varying alarmist content (that has been around for years, but growing) that SMS MFA is unsafe because of how mobile operator systems can be attacked or influenced (including someone pretending to be you to 'SIM swap' and steal your mobile phone number), but the important takeaway is that those attacks require manual effort so are less likely than, say, a phishing email... so... SMS MFA is still better than no MFA.

    This article attempts to draw together a bunch of different advice/guidance on what to do if you happen to be impacted by SIM swapping (someone having your mobile operator move your number to a SIM card they control). This is unlikely to happen but here you go.
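As an added illustration of the points above (not code from the article or from MyCrypto, CipherBlade or any bank), here is a small Python policy that decides when a PSD2-style strong customer authentication challenge is needed and then picks the strongest factor the customer has enrolled, in the order the item ranks them. It also declines to fall back to SMS when the operator reports a recent SIM change, which is one way a bank can limit the SIM-swap risk the item describes; the factor names, the cooldown period, the exemption threshold and the `sim_changed_at` lookup are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Factor strength in the order the item ranks them (weakest first).
# Constructed names for this example, not a real bank's configuration.
FACTOR_RANK = {"sms": 1, "totp": 2, "push": 3, "hardware_key": 4}

# Assumption: an SMS code is not trusted if the number's SIM changed recently,
# because after a SIM swap the code would be delivered to the attacker's handset.
SIM_SWAP_COOLDOWN = timedelta(days=7)


@dataclass
class Customer:
    enrolled: List[str]                        # factors the customer has registered
    sim_changed_at: Optional[datetime] = None  # assumed to come from an operator lookup


@dataclass
class Action:
    kind: str                      # "login", "payment" or "view_balance"
    amount_eur: float = 0.0
    payee_trusted: bool = False    # payee previously whitelisted by the customer


def requires_sca(action: Action) -> bool:
    """Simplified, constructed reading of SCA: logins and payments need a challenge,
    except small payments to an already-trusted payee (threshold is illustrative)."""
    if action.kind == "login":
        return True
    if action.kind == "payment":
        return not (action.payee_trusted and action.amount_eur < 30)
    return False


def choose_factor(customer: Customer, now: datetime) -> Optional[str]:
    """Return the strongest enrolled factor, refusing SMS after a recent SIM change."""
    for factor in sorted(customer.enrolled, key=FACTOR_RANK.get, reverse=True):
        if (factor == "sms" and customer.sim_changed_at is not None
                and now - customer.sim_changed_at < SIM_SWAP_COOLDOWN):
            continue  # SMS is all that is left, but the number may now be an attacker's
        return factor
    return None       # nothing usable: the caller must route to an out-of-band check


def authorise(customer: Customer, action: Action, now: datetime) -> str:
    """Decide 'allow', 'challenge:<factor>' or 'deny:manual_review' for one action."""
    if not requires_sca(action):
        return "allow"
    factor = choose_factor(customer, now)
    return f"challenge:{factor}" if factor else "deny:manual_review"
```

The interesting case is a customer enrolled only for SMS whose SIM changed yesterday: the policy returns `deny:manual_review` rather than sending a code to a number it can no longer trust.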