AT2k Design BBS Message Area
From: Sean Rima
To: All
Subject: CRYPTO-GRAM, February 15, 2021
Date/Time: February 19, 2021 9:19 PM

Crypto-Gram
February 15, 2021

by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School
schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page.

Read this issue on the web

These same essays and news items appear in the Schneier on Security blog, along
with a lively and intelligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:

If these links don't work in your email client, try reading this issue of
Crypto-Gram on the web.

Cell Phone Location Privacy
Injecting a Backdoor into SolarWinds Orion
Sophisticated Watering Hole Attack
SVR Attacks on Microsoft 365
Insider Attack on Home Surveillance Systems
Massive Brazilian Data Breach
Dutch Insider Attack on COVID-19 Data
Police Have Disrupted the Emotet Botnet
New iMessage Security Features
Including Hackers in NATO Wargames
Georgia's Ballot-Marking Devices
More SolarWinds News
Another SolarWinds Orion Hack
Presidential Cybersecurity and Pelotons
NoxPlayer Android Emulator Supply-Chain Attack
SonicWall Zero-Day
Web Credit Card Skimmer Steals Data from Another Credit Card Skimmer
Ransomware Profitability
Attack against Florida Water Treatment Facility
Medieval Security Techniques
Chinese Supply-Chain Attack on Computer Systems
** *** ***** ******* *********** *************

Cell Phone Location Privacy

[2021.01.15] We all know that our cell phones constantly give our location away
to our mobile network operators; that's how they work. A group of researchers
has figured out a way to fix that. "Pretty Good Phone Privacy" (PGPP)
protects both user identity and user location using the existing cellular
networks. It protects users from fake cell phone towers (IMSI-catchers) and
surveillance by cell providers.

It's a clever system. The players are the user, a traditional mobile network
operator (MNO) like AT&T or Verizon, and a new mobile virtual network operator
(MVNO). MVNOs aren't new. They're intermediaries like Cricket and Boost.

Here's how it works:

One-time setup: The user's phone gets a new SIM from the MVNO. All MVNO SIMs
are identical.
Monthly: The user pays their bill to the MVNO (credit card or otherwise) and the
phone gets anonymous authentication tokens (using Chaum blind signatures) for
each time slice (e.g., hour) in the coming month.
Ongoing: When the phone talks to a tower (run by the MNO), it sends a token for
the current time slice. This is relayed to an MVNO backend server, which checks
the Chaum blind signature of the token. If it's valid, the MVNO tells the MNO
that the user is authenticated, and the user receives a temporary random ID and
an IP address. (Again, this is how MVNOs like Boost already work.)
On demand: The user uses the phone normally.
The MNO doesn't have to modify its system in any way. The PGPP MVNO
implementation is in software. The user's traffic is sent to the MVNO gateway
and then out onto the Internet, potentially even using a VPN.
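To make the token mechanics above concrete, here is an added example (not code from the PGPP paper or its prototype) of the monthly issuance and the per-time-slice check, using textbook RSA blind signatures of the Chaum kind. Everything in it is this example's own construction: the toy RSA key built from two Mersenne primes (far too small for real use), the hash-to-integer scheme, the function names, and the replay set the backend keeps per time slice. The point it shows is that the MVNO signs a blinded value at billing time and later sees only the unblinded token, so it can check validity and detect reuse without being able to tie the token back to the signing session.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the MVNO: two well-known Mersenne primes.
# Chosen only so the arithmetic is visible; a real deployment needs a proper key.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # MVNO's private signing exponent


def token_hash(time_slice: str, nonce: bytes) -> int:
    """Map (time slice, nonce) to an integer in Z_N; the nonce makes each token unique."""
    h = hashlib.sha256(time_slice.encode() + nonce).digest()
    return int.from_bytes(h, "big") % N


# ---- phone side (monthly) ----
def blind(m: int):
    """Multiply m by r^E so the MVNO can sign it without learning m."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def unblind(blinded_sig: int, r: int) -> int:
    """(m * r^E)^D = m^D * r mod N, so dividing by r leaves a plain signature on m."""
    return (blinded_sig * pow(r, -1, N)) % N


# ---- MVNO side ----
def mvno_sign_blinded(blinded: int) -> int:
    """Sign a blinded value; whether the bill was paid is checked out of band."""
    return pow(blinded, D, N)


class MvnoBackend:
    """Checks tokens relayed by the MNO and rejects a token presented twice."""

    def __init__(self):
        self.redeemed = {}   # time_slice -> set of token hashes already used

    def verify_token(self, time_slice: str, nonce: bytes, sig: int) -> bool:
        m = token_hash(time_slice, nonce)
        if pow(sig, E, N) != m:          # signature check; needs only the public (E, N)
            return False
        seen = self.redeemed.setdefault(time_slice, set())
        if m in seen:                    # replay of an already redeemed token
            return False
        seen.add(m)
        return True


def issue_month(time_slices):
    """Phone obtains one unlinkable token per slice; the MVNO never sees (slice, nonce)."""
    tokens = []
    for ts in time_slices:
        nonce = secrets.token_bytes(16)
        m = token_hash(ts, nonce)
        blinded, r = blind(m)
        sig = unblind(mvno_sign_blinded(blinded), r)
        tokens.append((ts, nonce, sig))
    return tokens


def demo():
    """Returns (first use accepted, replay rejected, wrong slice rejected, forgery rejected)."""
    backend = MvnoBackend()
    ts, nonce, sig = issue_month(["2021-03-01T09"])[0]
    first = backend.verify_token(ts, nonce, sig)
    replay = backend.verify_token(ts, nonce, sig)
    wrong_slice = backend.verify_token("2021-03-01T10", nonce, sig)
    forged = backend.verify_token(ts, nonce, secrets.randbelow(N))
    return first, replay, wrong_slice, forged


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

The replay set is what keeps a single paid-for token from being shared across many handsets within one time slice; a token for slice 09 fails in slice 10 because the hash the backend recomputes no longer matches what was signed.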

All connectivity is data connectivity in cell networks today. The user can
choose to be data-only (e.g., use Signal for voice), or use the MVNO or a third
party for VoIP service that will look just like normal telephony.

The group prototyped and tested everything with real phones in the lab. Their
approach adds essentially zero latency, and doesn't introduce any new
bottlenecks, so it doesn't have performance/scalability problems like most
anonymity networks. The service could handle tens of millions of users on a
single server, because it only has to do infrequent authentication, though for
resilience you'd probably run more.

The paper is here.

** *** ***** ******* *********** *************

Injecting a Backdoor into SolarWinds Orion

[2021.01.19] Crowdstrike is reporting on a sophisticated piece of malware that
was able to inject malware into the SolarWinds build process:

Key Points

SUNSPOT is StellarParticle's malware used to insert the SUNBURST backdoor into
software builds of the SolarWinds Orion IT management product.
SUNSPOT monitors running processes for those involved in compilation of the
Orion product and replaces one of the source files to include the SUNBURST
backdoor code.
Several safeguards were added to SUNSPOT to keep the Orion builds from failing,
which could have alerted developers to the adversary's presence.
Analysis of a SolarWinds software build server provided insights into how the
process was hijacked by StellarParticle in order to insert SUNBURST into the
update packages. The design of SUNSPOT suggests StellarParticle developers
invested a lot of effort to ensure the code was properly inserted and remained
undetected, and prioritized operational security to avoid revealing their
presence in the build environment to SolarWinds developers.

This, of course, reminds many of us of Ken Thompson's thought experiment from
his 1984 Turing Award lecture, "Reflections on Trusting Trust." In that
talk, he suggested that a malicious C compiler might add a backdoor into
programs it compiles.

The moral is obvious. You can't trust code that you did not totally create
yourself. (Especially code from companies that employ people like me.) No amount
of source-level verification or scrutiny will protect you from using untrusted
code. In demonstrating the possibility of this kind of attack, I picked on the C
compiler. I could have picked on any program-handling program such as an
assembler, a loader, or even hardware microcode. As the level of program gets
lower, these bugs will be harder and harder to detect. A well-installed
microcode bug will be almost impossible to detect.

That's all still true today.

** *** ***** ******* *********** *************

Sophisticated Watering Hole Attack

[2021.01.20] Google's Project Zero has exposed a sophisticated watering-hole
attack targeting both Windows and Android:

Some of the exploits were zero-days, meaning they targeted vulnerabilities that
at the time were unknown to Google, Microsoft, and most outside researchers
(both companies have since patched the security flaws). The hackers delivered
the exploits through watering-hole attacks, which compromise sites frequented by
the targets of interest and lace the sites with code that installs malware on
visitors' devices. The boobytrapped sites made use of two exploit servers, one
for Windows users and the other for users of Android.

The use of zero-days and complex infrastructure isn't in itself a sign of
sophistication, but it does show above-average skill by a professional team of
hackers. Combined with the robustness of the attack code -- which chained
together multiple exploits in an efficient manner -- the campaign demonstrates
it was carried out by a "highly sophisticated actor."

[...]

The modularity of the payloads, the interchangeable exploit chains, and the
logging, targeting, and maturity of the operation also set the campaign apart,
the researcher said.

No attribution was made, but the list of countries likely to be behind this
isn't very large. If you were to ask me to guess based on available
information, I would guess it was the US -- specifically, the NSA. It shows a
care and precision that it's known for. But I have no actual evidence for that
guess.

All the vulnerabilities were fixed by last April.

** *** ***** ******* *********** *************

SVR Attacks on Microsoft 365

[2021.01.21] FireEye is reporting the current known tactics that the SVR used to
compromise Microsoft 365 cloud data as part of its SolarWinds operation:

Mandiant has observed UNC2452 and other threat actors moving laterally to the
Microsoft 365 cloud using a combination of four primary techniques:

Steal the Active Directory Federation Services (AD FS) token-signing certificate
and use it to forge tokens for arbitrary users (sometimes described as Golden
SAML). This would allow the attacker to authenticate into a federated resource
provider (such as Microsoft 365) as any user, without the need for that user's
password or their corresponding multi-factor authentication (MFA) mechanism.
Modify or add trusted domains in Azure AD to add a new federated Identity
Provider (IdP) that the attacker controls. This would allow the attacker to
forge tokens for arbitrary users and has been described as an Azure AD backdoor.
Compromise the credentials of on-premises user accounts that are synchronized to
Microsoft 365 that have high privileged directory roles, such as Global
Administrator or Application Administrator.
Backdoor an existing Microsoft 365 application by adding a new application or
service principal credential in order to use the legitimate permissions assigned
to the application, such as the ability to read email, send email as an
arbitrary user, access user calendars, etc.
Lots of details here, including information on remediation and hardening.
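As an added example (not from the FireEye/Mandiant report), here is detection logic in the spirit of their hardening guidance: it scans a few constructed Azure AD audit-log entries for the directory changes that techniques two through four leave behind (a federation trust changed, a credential added to a service principal, a privileged role granted). The activity names are the ones this example assumes Azure AD audit logs emit for those actions; check them against an export from your own tenant. The simplified JSON shape, the sample entries, the actors and IPs are all constructed here and not taken from any real tenant. Technique one (Golden SAML) is deliberately not covered: forged tokens look legitimate to the cloud side, so it has to be caught with AD FS-side telemetry rather than this log.

```python
import json

# Activity display names as assumed for Azure AD audit logs (placeholders to be
# validated against a real export, not a vetted list).
SUSPICIOUS_OPERATIONS = {
    # Technique 2: adding or altering a federated IdP ("Azure AD backdoor")
    "Set federation settings on domain": "federation trust changed",
    "Set domain authentication": "domain switched to federated authentication",
    # Technique 4: backdooring an application / service principal
    "Add service principal credentials": "new credential on service principal",
    # Technique 3: privileged directory roles on (synced) accounts
    "Add member to role": "privileged role assigned",
}

PRIVILEGED_ROLES = {"Global Administrator", "Application Administrator"}

# Constructed sample entries (not real tenant data), one JSON object per line.
SAMPLE_LOG = """
{"time": "2021-01-10T03:12:44Z", "operation": "Set federation settings on domain", "actor": "svc-sync@corp.example", "target": "corp.example", "ip": "203.0.113.7"}
{"time": "2021-01-10T03:15:02Z", "operation": "Add service principal credentials", "actor": "svc-sync@corp.example", "target": "MailArchiver", "ip": "203.0.113.7"}
{"time": "2021-01-10T09:30:11Z", "operation": "Add member to role", "actor": "admin@corp.example", "target": "j.doe@corp.example", "role": "Global Administrator", "ip": "198.51.100.4"}
{"time": "2021-01-10T09:31:20Z", "operation": "Update user", "actor": "admin@corp.example", "target": "j.doe@corp.example", "ip": "198.51.100.4"}
{"time": "2021-01-10T11:00:00Z", "operation": "Add member to role", "actor": "admin@corp.example", "target": "k.lee@corp.example", "role": "Reports Reader", "ip": "198.51.100.4"}
"""


def parse_entries(text: str):
    """Parse newline-delimited JSON audit entries; blank lines are skipped."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def triage(entries):
    """Return (alerts, actor_counts): one alert per suspicious entry and a tally per actor."""
    alerts = []
    actor_counts = {}
    for e in entries:
        reason = SUSPICIOUS_OPERATIONS.get(e.get("operation"))
        if reason is None:
            continue
        if e["operation"] == "Add member to role" and e.get("role") not in PRIVILEGED_ROLES:
            continue   # routine, non-privileged role assignments are not interesting here
        alerts.append({"time": e["time"], "actor": e["actor"],
                       "target": e["target"], "ip": e.get("ip"), "reason": reason})
        actor_counts[e["actor"]] = actor_counts.get(e["actor"], 0) + 1
    return alerts, actor_counts


def correlated_actors(actor_counts, threshold=2):
    """Actors behind several distinct suspicious changes; the report describes these techniques being chained."""
    return sorted(actor for actor, n in actor_counts.items() if n >= threshold)


if __name__ == "__main__":
    found, counts = triage(parse_entries(SAMPLE_LOG))
    for a in found:
        print(a["time"], a["actor"], a["reason"], a["target"])
    print("chained by:", correlated_actors(counts))
```

In the constructed sample, the synchronization service account both changes federation settings and adds a service principal credential within minutes, which is exactly the combination worth paging on; the Global Administrator grant is flagged on its own, while the Reports Reader grant and the plain user update are ignored.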

The more we learn about this operation, the more sophisticated it becomes.

In related news, MalwareBytes was also targeted.

** *** ***** ******* *********** *************

Insider Attack on Home Surveillance Systems

[2021.01.25] No one who reads this blog regularly will be surprised:

A former employee of prominent home security company ADT has admitted that he
hacked into the surveillance feeds of dozens of customer homes, doing so
primarily to spy on naked women or to leer at unsuspecting couples while they
had sex.

[...]

Authorities say that the IT technician "took note of which homes had
attractive women, then repeatedly logged into these customers' accounts in
order to view their footage for sexual gratification." He did this by adding
his personal email address to customer accounts, which ultimately hooked him
into "real-time access to the video feeds from their homes."

Slashdot thread.

** *** ***** ******* *********** *************

Massive Brazilian Data Breach

[2021.01.26] I think this is the largest data breach of all time: 220 million
people. (Lots more stories are in Portuguese.)

EDITED TO ADD (2/11): I seem to be conflating two stories, one current and one
from last year. The current massive leak from last week is the Brazilian
equivalent of the Equifax leak, and someone is selling the private information.

** *** ***** ******* *********** *************

Dutch Insider Attack on COVID-19 Data

[2021.01.27] Insider data theft:

Dutch police have arrested two individuals on Friday for allegedly selling data
from the Dutch health ministry's COVID-19 systems on the criminal underground.

[...]

According to Verlaan, the two suspects worked in DDG call centers, where they
had access to official Dutch government COVID-19 systems and databases.

They were working from home:

"Because people are working from home, they can easily take photos of their
screens. This is one of the issues when your administrative staff is working
from home," Victor Gevers, Chair of the Dutch Institute for Vulnerability
Disclosure, told ZDNet in an interview today.

All of this remote call-center work brings with it additional risks.

EDITED TO ADD (2/11): More information (translated from Dutch).

** *** ***** ******* *********** *************

Police Have Disrupted the Emotet Botnet

[2021.01.28] A coordinated effort has captured the command-and-control servers
of the Emotet botnet:

Emotet establishes a backdoor onto Windows computer systems via automated
phishing emails that distribute Word documents compromised with malware.
Subjects of emails and documents in Emotet campaigns are regularly altered to
provide the best chance of luring victims into opening emails and installing
malware -- regular themes include invoices, shipping notices and information
about COVID-19.

Those behind the Emotet lease their army of infected machines out to other cyber
criminals as a gateway for additional malware attacks, including remote access
tools (RATs) and ransomware.

[...]

A week of action by law enforcement agencies around the world gained control of
Emotet's infrastructure of hundreds of servers around the world and disrupted
it from the inside.

Machines infected by Emotet are now directed to infrastructure controlled by law
enforcement, meaning cyber criminals can no longer exploit machines compromised
and the malware can no longer spread to new targets, something which will cause
significant disruption to cyber-criminal operations.

[...]

The Emotet takedown is the result of over two years of coordinated work by law
enforcement operations around the world, including the Dutch National Police,
Germany's Federal Crime Police, France's National Police, the Lithuanian
Criminal Police Bureau, the Royal Canadian Mounted Police, the US Federal Bureau
of Investigation, the UK's National Crime Agency, and the National Police of
Ukraine.

EDITED TO ADD (2/11): Follow-on article.

** *** ***** ******* *********** *************

New iMessage Security Features

[2021.01.29] Apple has added security features to mitigate the risk of
zero-click iMessage attacks.

Apple did not document the changes but Groß said he fiddled around with the
newest iOS 14 and found that Apple shipped a "significant refactoring of
iMessage processing" that severely cripples the usual ways exploits are
chained together for zero-click attacks.

Groß notes that memory corruption based zero-click exploits typically require
exploitation of multiple vulnerabilities to create exploit chains. In most
observed attacks, these could include a memory corruption vulnerability,
reachable without user interaction and ideally without triggering any user
notifications; a way to break ASLR remotely; a way to turn the vulnerability
into remote code execution; and a way to break out of any sandbox, typically by
exploiting a separate vulnerability in another operating system component (e.g.
a userspace service or the kernel).

** *** ***** ******* *********** *************

Including Hackers in NATO Wargames

[2021.01.29] This essay makes the point that actual computer hackers would be a
useful addition to NATO wargames:

The international information security community is filled with smart people who
are not in a military structure, many of whom would be excited to pose as
independent actors in any upcoming wargames. Including them would increase the
reality of the game and the skills of the soldiers building and training on
these networks. Hackers and cyberwar experts would demonstrate how industrial
control systems such as power supply for refrigeration and temperature
monitoring in vaccine production facilities are critical infrastructure;
they're easy targets and should be among NATO's priorities at the moment.

Diversity of thought leads to better solutions. We in the information security
community strongly support the involvement of acknowledged nonmilitary experts
in the development and testing of future cyberwar scenarios. We are confident
that independent experts, many of whom see sharing their skills as public
service, would view participation in these cybergames as a challenge and an
honor.

** *** ***** ******* *********** *************

Georgia's Ballot-Marking Devices

[2021.02.01] Andrew Appel discusses Georgia's voting machines, how the paper
ballots facilitated a recount, and the problem with automatic ballot-marking
devices:

Suppose the polling-place optical scanners had been hacked (enough to change the
outcome). Then this would have been detected in the audit, and (in principle)
Georgia would have been able to recover by doing a full recount. That's what
we mean when we say optical-scan voting machines have "strong software
independence": you can obtain a trustworthy result even if you're not sure
about the software in the machine on election day.

If Georgia had still been using the paperless touchscreen DRE voting machines
that they used from 2003 to 2019, then there would have been no paper ballots to
recount, and no way to disprove the allegations that the election was hacked.
That would have been a nightmare scenario. I'll bet that Secretary of State
Raffensperger now appreciates why the Federal Court forced him to stop using
those DRE machines (Curling v. Raffensperger, Case 1:17-cv-02989-AT Document
579).

I have long advocated voter-verifiable paper ballots, and this is an example of
why.

** *** ***** ******* *********** *************

More SolarWinds News

[2021.02.03] Microsoft analyzed details of the SolarWinds attack:

Microsoft and FireEye only detected the Sunburst or Solorigate malware in
December, but Crowdstrike reported this month that another related piece of
malware, Sunspot, was deployed in September 2019, at the time hackers breached
SolarWinds' internal network. Other related malware includes Teardrop aka
Raindrop.

Details are in the Microsoft blog:

We have published our in-depth analysis of the Solorigate backdoor malware (also
referred to as SUNBURST by FireEye), the compromised DLL that was deployed on
networks as part of SolarWinds products, that allowed attackers to gain backdoor
access to affected devices. We have also detailed the hands-on-keyboard
techniques that attackers employed on compromised endpoints using a powerful
second-stage payload, one of several custom Cobalt Strike loaders, including the
loader dubbed TEARDROP by FireEye and a variant named Raindrop by Symantec.

One missing link in the complex Solorigate attack chain is the handover from the
Solorigate DLL backdoor to the Cobalt Strike loader. Our investigations show
that the attackers went out of their way to ensure that these two components are
separated as much as possible to evade detection. This blog provides details
about this handover based on a limited number of cases where this process
occurred. To uncover these cases, we used the powerful, cross-domain optics of
Microsoft 365 Defender to gain visibility across the entire attack chain in one
complete and consolidated view.

This is all important, because MalwareBytes was penetrated through Office 365,
and not SolarWinds. New estimates are that 30% of the SolarWinds victims
didn't use SolarWinds:

Many of the attacks gained initial footholds by password spraying to compromise
individual email accounts at targeted organizations. Once the attackers had that
initial foothold, they used a variety of complex privilege escalation and
authentication attacks to exploit flaws in Microsoft's cloud services. Another
of the Advanced Persistent Threat (APT)'s targets, security firm CrowdStrike,
said the attacker tried unsuccessfully to read its email by leveraging a
compromised account of a Microsoft reseller the firm had worked with.

On attribution: Earlier this month, the US government stated the attack is
"likely Russian in origin." This echoes what then Secretary of State Mike
Pompeo said in December, and the Washington Post's reporting (both from
December). (The New York Times has repeated this attribution -- a good article
that also discusses the magnitude of the attack.) More evidence comes from code
forensics, which links it to Turla, another Russian threat actor.

And lastly, a long ProPublica story on an unused piece of government-developed
tech that might have caught the supply-chain attack much earlier:

The in-toto system requires software vendors to map out their process for
assembling computer code that will be sent to customers, and it records what's
done at each step along the way. It then verifies electronically that no hacker
has inserted something in between steps. Immediately before installation, a
pre-installed tool automatically runs a final check to make sure that what the
customer received matches the final product the software vendor generated for
delivery, confirming that it wasn't tampered with in transit.

I don't want to hype this defense too much without knowing a lot more, but I
like the approach of verifying the software build process.
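As an added illustration of the idea behind build-process verification (simplified example code written for this summary, not the in-toto project's own implementation or its metadata format), here is a check that compares what the build step actually consumed with what the checkout step produced, plus the customer-side check that what was delivered matches the vendor's recorded final product. It replays the SUNSPOT pattern described earlier in this issue: a source file swapped between checkout and compilation shows up as a hash mismatch. The function names, the step names, the stand-in compiler and the source tree are all constructed for this example; real in-toto links are signed by the party running each step and checked against a layout the vendor publishes, which this example omits.

```python
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_step(name, materials, products):
    """Link-style record: hashes of what a step consumed and what it produced.
    (In in-toto the functionary running the step also signs this record.)"""
    return {
        "step": name,
        "materials": {path: digest(b) for path, b in materials.items()},
        "products": {path: digest(b) for path, b in products.items()},
    }


def verify_chain(links):
    """Each step's materials must match the previous step's products for the same path.
    Returns a list of (step, path, reason); an empty list means the chain is consistent."""
    problems = []
    for prev, cur in zip(links, links[1:]):
        for path, h in cur["materials"].items():
            expected = prev["products"].get(path)
            if expected is None:
                problems.append((cur["step"], path, "material was not produced by previous step"))
            elif expected != h:
                problems.append((cur["step"], path, "material differs from previous step's product"))
    return problems


def verify_delivery(links, received):
    """Customer-side check: the bytes received must match the last step's recorded products."""
    final = links[-1]["products"]
    return set(received) == set(final) and all(digest(b) == final[p] for p, b in received.items())


def fake_compile(sources):
    """Stand-in compiler: the 'binary' is derived from all inputs, enough to show tampering."""
    blob = b"".join(sources[path] for path in sorted(sources))
    return {"orion.dll": b"BINARY:" + digest(blob).encode()}


# Constructed source tree (illustrative, not SolarWinds code).
CLEAN_SRC = {"src/main.cs": b"class Main { static void Run() {} }"}
TAMPERED_SRC = {"src/main.cs": b"class Main { static void Run() { Backdoor(); } }"}


def run_pipeline(sources_at_compile):
    """Checkout records the clean tree; the build records whatever it actually compiled.
    Passing TAMPERED_SRC models a file replaced between checkout and compilation."""
    checkout = record_step("checkout", {}, CLEAN_SRC)
    build = record_step("build", sources_at_compile, fake_compile(sources_at_compile))
    return [checkout, build]


if __name__ == "__main__":
    print("honest build:", verify_chain(run_pipeline(CLEAN_SRC)))
    print("tampered build:", verify_chain(run_pipeline(TAMPERED_SRC)))
    links = run_pipeline(CLEAN_SRC)
    print("delivery ok:", verify_delivery(links, fake_compile(CLEAN_SRC)))
    print("altered in transit:", verify_delivery(links, {"orion.dll": b"altered"}))
```

The chain check only works if the build step records the inputs it really read, which is why the records have to be produced by the step itself and signed; a compromise of the build host that also rewrites the records is the case this approach does not cover on its own.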

** *** ***** ******* *********** *************

Another SolarWinds Orion Hack

[2021.02.04] At the same time the Russians were using a backdoored SolarWinds
update to attack networks worldwide, another threat actor -- believed to be
Chinese in origin -- was using an already existing vulnerability in Orion to
penetrate networks:

Two people briefed on the case said FBI investigators recently found that the
National Finance Center, a federal payroll agency inside the U.S. Department of
Agriculture, was among the affected organizations, raising fears that data on
thousands of government employees may have been compromised.

[...]

Reuters was not able to establish how many organizations were compromised by the
suspected Chinese operation. The sources, who spoke on condition of anonymity to
discuss ongoing investigations, said the attackers used computer infrastructure
and hacking tools previously deployed by state-backed Chinese cyberspies.

[...]

While the alleged Russian hackers penetrated deep into SolarWinds network and
hid a "back door" in Orion software updates which were then sent to
customers, the suspected Chinese group exploited a separate bug in Orion's
code to help spread across networks they had already compromised, the sources
said.

Two takeaways: One, we are learning about a lot of supply-chain attacks right
now. Two, SolarWinds' terrible security is the result of a conscious business
decision to reduce costs in the name of short-term profits. Economist Matt
Stoller writes about this:

These private equity-owned software firms torture professionals with bad user
experiences and shitty customer support in everything from yoga studio software
to car dealer IT to the nightmarish 'core' software that runs small banks
and credit unions, as close as one gets to automating Office Space. But they
also degrade product quality by firing or disrespecting good workers,
under-investing in good security practices, or sending work abroad and paying
badly, meaning their products are more prone to espionage. In other words, the
same sloppy and corrupt practices that allowed this massive cybersecurity hack
made Bravo a billionaire. In a sense, this hack, and many more like it, will
continue to happen, as long as men like Bravo get rich creating security
vulnerabilities for bad actors to exploit.

SolarWinds increased its profits by increasing its cybersecurity risk, and then
transferred that risk to its customers without their knowledge or consent.

** *** ***** ******* *********** *************

Presidential Cybersecurity and Pelotons

[2021.02.05] President Biden wants his Peloton in the White House. For those who
have missed the hype, it's an Internet-connected stationary bicycle. It has a
screen, a camera, and a microphone. You can take live classes online, work out
with your friends, or join the exercise social network. And all of that is a
security risk, especially if you are the president of the United States.

Any computer brings with it the risk of hacking. This is true of our computers
and phones, and it's also true about all of the Internet-of-Things devices
that are increasingly part of our lives. These large and small appliances, cars,
medical devices, toys and -- yes -- exercise machines are all computers at their
core, and they're all just as vulnerable. Presidents face special risks when
it comes to the IoT, but Biden has the NSA to help him handle them.

Not everyone is so lucky, and the rest of us need something more structural.

US presidents have long tussled with their security advisers over tech. The NSA
often customizes devices, but that means eliminating features. In 2010,
President Barack Obama complained that his presidential BlackBerry device was
"no fun" because only ten people were allowed to contact him on it. In 2013,
security prevented him from getting an iPhone. When he finally got an upgrade to
his BlackBerry in 2016, he complained that his new "secure" phone couldn't
take pictures, send texts, or play music. His "hardened" iPad to read daily
intelligence briefings was presumably similarly handicapped. We don't know
what the NSA did to these devices, but they certainly modified the software and
physically removed the cameras and microphones -- and possibly the wireless
Internet connection.

President Donald Trump resisted efforts to secure his phones. We don't know
the details, only that they were regularly replaced, with the government
effectively treating them as burner phones.

The risks are serious. We know that the Russians and the Chinese were
eavesdropping on Trump's phones. Hackers can remotely turn on microphones and
cameras, listening in on conversations. They can grab copies of any documents on
the device. They can also use those devices to further infiltrate government
networks, maybe even jumping onto classified networks that the devices connect
to. If the devices have physical capabilities, those can be hacked as well. In
2007, the wireless features of Vice President Richard B. Cheney's pacemaker
were disabled out of fears that it could be hacked to assassinate him. In 1999,
the NSA banned Furbies from its offices, mistakenly believing that they could
listen and learn.

Physically removing features and components works, but the results are
increasingly unacceptable. The NSA could take Biden's Peloton and rip out the
camera, microphone, and Internet connection, and that would make it secure --
but then it would just be a normal (albeit expensive) stationary bike. Maybe
Biden wouldn't accept that, and he'd demand that the NSA do even more work
to customize and secure the Peloton part of the bicycle. Maybe Biden's
security agents could isolate his Peloton in a specially shielded room where it
couldn't infect other computers, and warn him not to discuss national security
in its presence.

This might work, but it certainly doesn't scale. As president, Biden can
direct substantial resources to solving his cybersecurity problems. The real
issue is what everyone else should do. The president of the United States is a
singular espionage target, but so are members of his staff and other
administration officials.

Members of Congress are targets, as are governors and mayors, police officers
and judges, CEOs and directors of human rights organizations, nuclear power
plant operators, and election officials. All of these people have smartphones,
tablets, and laptops. Many have Internet-connected cars and appliances, vacuums,
bikes, and doorbells. Every one of those devices is a potential security risk,
and all of those people are potential national security targets. But none of
those people will get their Internet-connected devices customized by the NSA.

That is the real cybersecurity issue. Internet connectivity brings with it
features we like. In our cars, it means real-time navigation, entertainment
options, automatic diagnostics, and more. In a Peloton, it means everything that
makes it more than a stationary bike. In a pacemaker, it means continuous
monitoring by your doctor -- and possibly your life saved as a result. In an
iPhone or iPad, it means...well, everything. We can search for older,
non-networked versions of some of these devices, or the NSA can disable
connectivity for the privileged few of us. But the result is the same: in
Obama's words, "no fun."

And unconnected options are increasingly hard to find. In 2016, I tried to find
a new car that didn't come with Internet connectivity, but I had to give up:
there were no options to omit that in the class of car I wanted. Similarly,
it's getting harder to find major appliances without a wireless connection. As
the price of connectivity continues to drop, more and more things will only be
available Internet-enabled.

Internet security is national security -- not because the president is
personally vulnerable but because we are all part of a single network. Depending
on who we are and what we do, we will make different trade-offs between security
and fun. But we all deserve better options.

Regulations that force manufacturers to provide better security for all of us
are the only way to do that. We need minimum security standards for computers of
all kinds. We need transparency laws that give all of us, from the president on
down, sufficient information to make our own security trade-offs. And we need
liability laws that hold companies liable when they misrepresent the security of
their products and services.

I'm not worried about Biden. He and his staff will figure out how to balance
his exercise needs with the national security needs of the country. Sometimes
the solutions are weirdly customized, such as the anti-eavesdropping tent that
Obama used while traveling. I am much more worried about the political
activists, journalists, human rights workers, and oppressed minorities around
the world who donΓÇÖt have the money or expertise to secure their technology, or
the information that would give them the ability to make informed decisions on
which technologies to choose.

This essay previously appeared in the Washington Post.

** *** ***** ******* *********** *************

NoxPlayer Android Emulator Supply-Chain Attack

[2021.02.08] It seems to be the season of sophisticated supply-chain attacks.

This one is in the NoxPlayer Android emulator:

ESET says that based on evidence its researchers gathered, a threat actor
compromised one of the company's official API (api.bignox.com) and
file-hosting servers (res06.bignox.com).

Using this access, hackers tampered with the download URL of NoxPlayer updates
in the API server to deliver malware to NoxPlayer users.

[...]

Despite evidence implying that attackers had access to BigNox servers since at
least September 2020, ESET said the threat actor didn't target all of the
company's users but instead focused on specific machines, suggesting this was
a highly-targeted attack looking to infect only a certain class of users.

Until today, and based on its own telemetry, ESET said it spotted malware-laced
NoxPlayer updates being delivered to only five victims, located in Taiwan, Hong
Kong, and Sri Lanka.

I don't know if there are actually more supply-chain attacks occurring right
now. More likely is that they've been happening for a while, and we have
recently become more diligent about looking for them.

** *** ***** ******* *********** *************

SonicWall Zero-Day

[2021.02.08] Hackers are exploiting a zero-day in SonicWall:

In an email, an NCC Group spokeswoman wrote: "Our team has observed signs of
an attempted exploitation of a vulnerability that affects the SonicWall SMA 100
series devices. We are working closely with SonicWall to investigate this in
more depth."

In Monday's update, SonicWall representatives said the company's engineering
team confirmed that the submission by NCC Group included a "critical
zero-day" in the SMA 100 series 10.x code. SonicWall is tracking it as
SNWLID-2021-0001. The SMA 100 series is a line of secure remote access
appliances.

The disclosure makes SonicWall at least the fifth large company to report in
recent weeks that it was targeted by sophisticated hackers. Other companies
include network management tool provider SolarWinds, Microsoft, FireEye, and
Malwarebytes. CrowdStrike also reported being targeted but said the attack
wasn't successful.

Neither SonicWall nor NCC Group said that the hack involving the SonicWall
zero-day was linked to the larger hack campaign involving SolarWinds. Based on
the timing of the disclosure and some of the details in it, however, there is
widespread speculation that the two are connected.

The speculation is just that -- speculation. I have no opinion in the matter.
This could easily be part of the SolarWinds campaign, which targeted other
security companies. But there are a lot of "highly sophisticated threat
actors" -- that's how NCC Group described them -- out there, and this could
easily be a coincidence.

Were I working for a national intelligence organization, I would try to disguise
my operations as being part of the SolarWinds attack.

EDITED TO ADD (2/9): SonicWall has patched the vulnerability.

** *** ***** ******* *********** *************

Web Credit Card Skimmer Steals Data from Another Credit Card Skimmer

[2021.02.09] MalwareBytes is reporting a weird software credit card skimmer. It
harvests credit card data stolen by another, different skimmer:

Even though spotting multiple card skimmer scripts on the same online shop is
not unheard of, this one stood out due to its highly specialized nature.

"The threat actors devised a version of their script that is aware of sites
already injected with a Magento 1 skimmer," Malwarebytes' Head of Threat
Intelligence Jérôme Segura explains in a report shared in advance with
Bleeping Computer.

"That second skimmer will simply harvest credit card details from the already
existing fake form injected by the previous attackers."

** *** ***** ******* *********** *************

Ransomware Profitability

[2021.02.10] Analyzing cryptocurrency data, a research group has estimated a
lower-bound on 2020 ransomware revenue: $350 million, four times more than in
2019.

Based on the company's data, among last year's top earners, there were
groups like Ryuk, Maze (now-defunct), Doppelpaymer, Netwalker (disrupted by
authorities), Conti, and REvil (aka Sodinokibi).

Ransomware is now an established worldwide business.

Slashdot thread.

** *** ***** ******* *********** *************

Attack against Florida Water Treatment Facility

[2021.02.12] A water treatment plant in Oldsmar, Florida, was attacked last
Friday. The attacker took control of one of the systems, and increased the
amount of sodium hydroxide -- that's lye -- by a factor of 100. This could
have been fatal to people living downstream, if an alert operator hadn't
noticed the change and reversed it.

We don't know who is behind this attack. Despite its similarities to a Russian
attack of a Ukrainian power plant in 2015, my bet is that it's a disgruntled
insider: either a current or former employee. It just doesn't make sense for
Russia to be behind this.

ArsTechnica is reporting on the poor cybersecurity at the plant:

The Florida water treatment facility whose computer system experienced a
potentially hazardous computer breach last week used an unsupported version of
Windows with no firewall and shared the same TeamViewer password among its
employees, government officials have reported.

Brian Krebs points out that the fact that we know about this attack is what's
rare:

Spend a few minutes searching Twitter, Reddit or any number of other social
media sites and you'll find countless examples of researchers posting proof of
being able to access so-called "human-machine interfaces" -- basically web
pages designed to interact remotely with various complex systems, such as those
that monitor and/or control things like power, water, sewage and manufacturing
plants.

And yet, there have been precious few known incidents of malicious hackers
abusing this access to disrupt these complex systems. That is, until this past
Monday, when Florida county sheriff Bob Gualtieri held a remarkably clear-headed
and fact-filled news conference about an attempt to poison the water supply of
Oldsmar, a town of around 15,000 not far from Tampa.
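The Oldsmar change was caught only because an operator happened to be watching the screen. As an added illustration that is not part of the newsletter, the Python below applies two plain rules to constructed HMI setpoint-change audit lines (the line format, tag names, account names and engineering limits are all assumptions): a per-tag engineering limit and a maximum step ratio, so a 100-fold jump in a dosing setpoint raises an alert whether or not anyone is looking.

```python
import re

# Constructed HMI setpoint-change audit lines (not real plant data). Assumed
# format: "<timestamp> <account> <tag> <old> -> <new> <unit>".
SAMPLE_LOG = """\
2021-02-05T08:02:11 operator1 NAOH_DOSE_PPM 100 -> 105 ppm
2021-02-05T09:40:37 operator1 ALUM_DOSE_PPM 35 -> 34 ppm
2021-02-05T13:30:02 remote_tv NAOH_DOSE_PPM 100 -> 10000 ppm
2021-02-05T13:31:45 operator2 NAOH_DOSE_PPM 10000 -> 100 ppm
"""

# Constructed engineering limits per tag; a real plant applies its own process limits.
LIMITS = {"NAOH_DOSE_PPM": (50.0, 200.0), "ALUM_DOSE_PPM": (10.0, 60.0)}
MAX_STEP_RATIO = 2.0  # flag any single change that more than doubles or halves a setpoint

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([\d.]+) -> ([\d.]+) (\S+)$")


def evaluate_change(tag, old, new):
    """Return the list of rule names violated by one setpoint change."""
    reasons = []
    lo, hi = LIMITS.get(tag, (float("-inf"), float("inf")))
    if not lo <= new <= hi:
        reasons.append("outside_engineering_limits")
    if old > 0 and new > 0 and max(new / old, old / new) > MAX_STEP_RATIO:
        # Symmetric on purpose: an operator's emergency reversal is also a large
        # step and belongs in the alert trail, even though its value is in range.
        reasons.append("step_ratio_exceeded")
    return reasons


def scan_log(text):
    """Parse audit lines; return (timestamp, account, tag, reasons) for each alert."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed lines are skipped here; production code should count them
        ts, account, tag, old, new, _unit = m.groups()
        reasons = evaluate_change(tag, float(old), float(new))
        if reasons:
            alerts.append((ts, account, tag, reasons))
    return alerts


if __name__ == "__main__":
    for ts, account, tag, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {account} {tag}: {', '.join(reasons)}")
```

The rule is symmetric, so the corrective change back to 100 ppm also appears in the output, with only the step-ratio reason; that second alert is what lets a reviewer confirm the excursion was reversed.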

** *** ***** ******* *********** *************

Medieval Security Techniques

[2021.02.12] Sonja Drummer describes (with photographs) two medieval security
techniques. The first is for authentication: a document has been cut in half
with an irregular pattern, so that the two halves can be brought together to
prove authenticity. The second is for integrity: hashed lines written above and
below a block of text ensure that no one can add additional text at a later
date.

** *** ***** ******* *********** *************

Chinese Supply-Chain Attack on Computer Systems

[2021.02.13] Bloomberg News has a major story about the Chinese hacking computer
motherboards made by Supermicro, Lenovo, and others. It's been going on since
at least 2008. The US government has known about it for almost as long, and has
tried to keep the attack secret:

China's exploitation of products made by Supermicro, as the U.S. company is
known, has been under federal scrutiny for much of the past decade, according to
14 former law enforcement and intelligence officials familiar with the matter.
That included an FBI counterintelligence investigation that began around 2012,
when agents started monitoring the communications of a small group of Supermicro
workers, using warrants obtained under the Foreign Intelligence Surveillance
Act, or FISA, according to five of the officials.

There's lots of detail in the article, and I recommend that you read it
through.

This is a follow-on, with a lot more detail, to a story Bloomberg reported on in
fall 2018. I didn't believe the story back then, writing:

I don't think it's real. Yes, it's plausible. But first of all, if someone
actually surreptitiously put malicious chips onto motherboards en masse, we
would have seen a photo of the alleged chip already. And second, there are
easier, more effective, and less obvious ways of adding backdoors to networking
equipment.

I seem to have been wrong. From the current Bloomberg story:

Mike Quinn, a cybersecurity executive who served in senior roles at Cisco
Systems Inc. and Microsoft Corp., said he was briefed about added chips on
Supermicro motherboards by officials from the U.S. Air Force. Quinn was working
for a company that was a potential bidder for Air Force contracts, and the
officials wanted to ensure that any work would not include Supermicro equipment,
he said. Bloomberg agreed not to specify when Quinn received the briefing or
identify the company he was working for at the time.

"This wasn't a case of a guy stealing a board and soldering a chip on in his
hotel room; it was architected onto the final device," Quinn said, recalling
details provided by Air Force officials. The chip "was blended into the trace
on a multilayered board," he said.

"The attackers knew how that board was designed so it would pass" quality
assurance tests, Quinn said.

Supply-chain attacks are the flavor of the moment, it seems. But they're
serious, and very hard to defend against in our deeply international IT
industry. (I have repeatedly called this an "insurmountable problem.")
Here's me in 2018:

Supply-chain security is an incredibly complex problem. US-only design and
manufacturing isn't an option; the tech world is far too internationally
interdependent for that. We can't trust anyone, yet we have no choice but to
trust everyone. Our phones, computers, software and cloud systems are touched by
citizens of dozens of different countries, any one of whom could subvert them at
the demand of their government.

We need some fundamental security research here. I wrote this in 2019:

The other solution is to build a secure system, even though any of its parts can
be subverted. This is what the former Deputy Director of National Intelligence
Sue Gordon meant in April when she said about 5G, "You have to presume a dirty
network." Or more precisely, can we solve this by building trustworthy systems
out of untrustworthy parts?

It sounds ridiculous on its face, but the Internet itself was a solution to a
similar problem: a reliable network built out of unreliable parts. This was the
result of decades of research. That research continues today, and it's how we
can have highly resilient distributed systems like Google's network even
though none of the individual components are particularly good. It's also the
philosophy behind much of the cybersecurity industry today: systems watching one
another, looking for vulnerabilities and signs of attack.

It seems that supply-chain attacks are constantly in the news right now.
That's good. They've been a serious problem for a long time, and we need to
take the threat seriously. For further reading, I strongly recommend this
Atlantic Council report from last summer: "Breaking trust: Shades of crisis
across an insecure software supply chain."

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries,
analyses, insights, and commentaries on security technology. To subscribe, or to
read back issues, see Crypto-Gram's web page.

You can also read these articles on my blog, Schneier on Security.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and
friends who will find it valuable. Permission is also granted to reprint
CRYPTO-GRAM, as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist, called a
security guru by the Economist. He is the author of over one dozen books --
including his latest, We Have Root -- as well as hundreds of articles, essays,
and academic papers. His newsletter and blog are read by over 250,000 people.
Schneier is a fellow at the Berkman Klein Center for Internet & Society at
Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a
board member of the Electronic Frontier Foundation, AccessNow, and the Tor
Project; and an Advisory Board Member of the Electronic Privacy Information
Center and VerifiedVoting.org. He is the Chief of Security Architecture at
Inrupt, Inc.

Copyright © 2021 by Bruce Schneier.

--- GoldED+/OSX 1.1.5-b20180707
 * Origin: A Pointless Point in Connemara (618:500/14.1)