Newsletter
07.20.2021 | 8 min read
Exposing the zero-day exploit suppliers
Note.
We have some additional room open for the Startup Secure book-signing hangout I’m co-hosting with Crossbeam CISO Chris Castaldo on August 4th in Las Vegas. If you’re in town for Black Hat/Defcon, request an invite here. Our thanks to friends at Uptycs and Armorblox for sponsoring and supporting the event.
The most clicked link from last week’s issue was the AP story on China’s new rules to block its offensive security researchers from selling data on zero-day vulnerabilities to police, spy agencies or other private companies. In normal times, this would be a top-of-the-fold story examining the downstream side-effects (there will be many!) but it’s been such a crazy week of news that China’s 0day crackdown barely registered a ripple.
The new rules take effect in September, but there isn’t much clarity on how they will be implemented or how they will affect the reporting of security flaws to a range of players, including bug-bounty programs and platforms like Android that rely heavily on incoming bug reports from Chinese hackers.
Microsoft, too, could be dealing with some fallout. Have a look at this Microsoft celebration of the companies reporting the most security defects and threat indicators to Redmond last year. Prominently featured are Qihoo 360, Tencent, Baidu and Rising, Chinese tech vendors that use offensive security research output to recruit talent and showcase hacking capabilities.
The absence of reliable language translations isn’t helping much, so I started a semi-open Gdoc to look at the language and pinpoint areas of interest. At first glance, I see some agita coming in the public hacking competitions like Pwn2Own and the public bug bounty programs. The new rules also talk about punishing folks who overhype flaws or publicly release exploit code before patches are available. Have a gander at the Gdoc; if you see anything worthwhile, leave a comment and let’s parse it together.
Speaking of Microsoft and China, it’s very noticeable that only one vendor — a U.S. company — has left the controversial MAPP program since the company launched an investigation into whether a MAPP leak played a role in the recent Exchange mega-hack. Barracuda Networks CTO Fleming Shi told me his company opted out of MAPP voluntarily because the data was not driving significant product functionality to justify the potential liability of accessing the pre-patch vuln information. Interesting.
Hang in there and have a great week.
_ryan
A word from our sponsor (Uptycs, SQL-powered security analytics platform)
If you’re struggling with questions like, “What containers in my environment are running this known vulnerable package?” or “Where else is this file hash appearing across my Kubernetes cluster?” or “How many servers have had the password rotated in the last 90 days?”, Uptycs gives you the ability to get all the answers from the same console. Reach out for a hassle-free demo.
Candiru and ‘cyberweapons’
There’s a major disturbance in the 0day exploit supply business with all eyes on a growing list of Israeli companies being blamed for supplying surveillance tech for .gov customers to spy on journalists, activists and dissidents. It’s a massive story with multiple players and angles:
- After weeks of hemming and hawing, Google and Microsoft teamed up with Citizen Lab to expose Candiru as the commercial vendor selling tools to infect and hijack data from specific targets in parts of Eastern Europe.
- Citizen Lab did all the heavy lifting on investigating and outing Candiru as a Tel Aviv vendor hawking 0days for iPhones, Androids, Macs, PCs, and cloud accounts.
- Microsoft’s participation in this story added a new acronym to the 0day exploit conversation: PSOA (private sector offensive actors). Microsoft lawyer Cristin Goodwin says her words are carefully chosen, so when you see “cyberweapons” and “weapons” in a Microsoft blog describing Candiru, you know the game has progressed to the next level.
- Google TAG says Candiru sold Chrome and IE browser zero-days to customers around the world.
- Kaspersky’s Brian Bartholomew was the first to expose Candiru exploit activity back in 2019. Here’s Kim Zetter’s reporting on these players.
Pegasus and sophisticated iPhone malware
Just days after the Candiru outing, an even bigger story broke with iPhone exploits, unscrupulous .gov customers, and another Israeli spyware vendor in the crosshairs. It’s a lot to unpack so I’ll just share the main links:
- Pegasus – the new global weapon for silencing journalists: At least 180 journalists around the world have been selected as targets by clients of Israeli cybersurveillance company NSO Group.
- The Washington Post reports that Pegasus can collect emails, call records, social media posts, user passwords, contact lists, pictures, videos, sound recordings and browsing histories. The spyware can activate cameras or microphones to capture fresh images and recordings. It can listen to calls and voice mails. It can collect location logs of where a user has been and also determine where that user is now, along with data indicating whether the person is stationary or, if moving, in which direction.
- This was a collaborative investigation that involved more than 80 journalists from 17 media organizations in 10 countries coordinated by Forbidden Stories with technical support of Amnesty International’s Security Lab.
- Forbidden Stories: The rise and fall of NSO Group.
- NSO Group statement: “We would like to emphasize that NSO sells its technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts. NSO does not operate the system and has no visibility to the data.”
- Apple security chief Ivan Krstić issued a statement condemning the cyberattacks: “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
- Amnesty International’s new Mobile Verification Toolkit can help with forensic analysis of Android and iOS devices to find traces of Pegasus on mobile phones.
- This story is getting crazier by the day and is now getting the live-blog treatment at PBS Frontline.
- My buddy Juan Andres Guerrero-Saade isn’t happy with Apple: “I love Apple products. Wonderful things are regularly done under the hood to increase the cost of attack. But it’s clearly not enough to tinker with security engineering alone. Plenty of unscrupulous actors are finding it affordable and we can’t even tell how big that iceberg is. Apple has no idea how deep the iceberg of targeted iOS malware goes. Not by a long shot. They’ve just accepted it as an unremarkable inevitability and we can’t.”
- With all the zero-day attack headlines everywhere, it’s useful to pause and dig into this 2014 essay by James Mickens (PDF) to differentiate between truly sophisticated hacks and the rest of us.
Meanwhile, China.
The news whiplash continued with U.S. government indictments against four Chinese hackers and global condemnation for the Microsoft Exchange mega-hack that has been formally attributed to China.
- Here’s the text of the indictment against Chinese government hackers accused of cyber-espionage against U.S. companies and institutions over the last seven years.
- US-CERT has published a detailed technical report documenting the Chinese .gov hacks, the tools and techniques used, and IOCs to help find signs of infections.
- My friend Tom Rid has the definitive Twitter thread breakdown of the allegations in the indictment.
Off-topic.
- My thanks to Uptycs and Armorblox for generously supporting the Chris Castaldo Startup Secure book-signing event in Las Vegas on August 4, 2021. Sign up here to secure an invitation.
- Full Security Conversations podcast episodes are available on the SecurityConversations.com home page, and on all major platforms — Apple/iPhone, Google/Android, Spotify and Amazon/Audible.