Newsletter

10.19.2021 | 10 min read

Guest op-ed: VPNs and targeted espionage concerns

by Ryan Naraine

* The most clicked link from last week’s newsletter was the Restore Privacy report on a former malware distributor called Kape Technologies spending north of $1 billion to acquire four VPN companies and a collection of VPN review sites.

Notes:

Monday blues. 

Ceding some space for some thoughts from Juan Andrés Guerrero-Saade, Principal Threat Researcher at SentinelOne and an Adjunct Professor of Strategic Studies at Johns Hopkins SAIS’s new Alperovitch Institute.

_ryan

VPN consolidation and targeted espionage concerns

by Juan Andrés Guerrero-Saade

When I saw the Restore Privacy documentation about VPNs getting consolidated under a shady company with a reputation for malware and adware distribution, my concern went deeper than the usual ad-peddling.

Sure, shady monetization schemes with advertising are the bulk of the business model but I don’t think we’re paying close enough attention to the targeted espionage concerns.  Ad networks are fantastically positioned to profile internet users with an impressive level of granularity but they’re limited to profiling and displaying content within constrained parameters.

For a determined adversary with control or influence over an ad network, you might have access to selectively injecting iframes or malicious ads in the hopes of hitting that one precious target. Your aperture into what the target is doing is limited and so is your ability to interact with them.

But a VPN introduces a much smoother avenue of attack.  The combination of malicious ad-network+VPN-provider means that not only can they profile specific users, but they can also manipulate their traffic. And that’s where the real magic enters the picture as ‘TNI’!

‘Tactical network injection’, as some ‘lawful intercept’ companies describe it, is one of the holy grails of mid-tier state espionage. The idea is that (by being on the same WiFi network or via an appliance in an attacker-controlled ISP) the attackers can trojanize executables in flight.

Here’s a scenario: A user downloads the Skype installer from the Skype website, the attacker has set a rule to monitor for these opportunities. The attacker gets in the middle of that connection and keeps it alive, downloads the legitimate Skype installer, trojanizes it with their backdoor, then serves the installer to the user.

Sure, the hash is wrong, the signature is either replaced or missing, but the victim got the installer they wanted from the legitimate website they visited so suspicions are low, and the target is infected.

These capabilities were developed and sold by HackingTeam and FinFisher among many others. Here’s a more recent example.

The limitations of TNI solutions are obvious. A ‘mobile’ setup (for example, a laptop with fancy network cards in a pelican case) is limited to proximity to a shared WiFi network. The more expensive appliance requires access to a compliant ISP and that the victim be a customer of that ISP. The latter is obviously region-limited to where the attacker has influence and where the victim happens to get their internet service.

How would you go about using this technology for targets of interest that live somewhere else? Fly people there each time (RU)? Supply a foreign ISP with a big box under false pretenses (US)?  Or you could own and proselytize the use of attacker VPN services in the regions you’re interested in?

Think about it, it’s not only cheaper, people are paying you to run this, you also make ad revenue, you can sell their data, AND you can occasionally serve some other shady interest by profiling user traffic and infecting some special unsuspecting customers.

There’s always been an expectation that this was happening, particularly with shady VPNs in the Middle East and ‘free proxy services’. How about a VPN monopoly? Over the past decade many of us have obsessed over the awesome capabilities of the SIGnals INTelligence giants. It seems some of us weren’t content just watching and are trying to replicate those capabilities for themselves.
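The trojanized-installer scenario in the op-ed above turns on one observable: the bytes that arrive are not the bytes the vendor served, so the hash is wrong and the signature is replaced or missing. As an added example (not part of the op-ed, and not code from any vendor or VPN provider), the Python below shows the defender-side check that catches this: verify the downloaded file against a digest obtained out of band and refuse to run it on mismatch. The "installer" and the modified copy are constructed byte strings, and `simulate_in_flight_modification` models only the effect (the file differs), not any real tampering technique.

```python
import hashlib
import hmac

# Constructed sample standing in for a downloaded installer (not a real binary).
GENUINE_INSTALLER = b"MZ\x90\x00" + b"legitimate installer payload " * 8


def sha256_hex(data: bytes) -> str:
    """Return the lowercase hex SHA-256 digest of the given bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, expected_sha256: str) -> bool:
    """Compare a download's digest with a digest obtained out of band.

    The expected digest must come from a channel the network path cannot
    rewrite (a value pinned in your own configuration, a checksum fetched
    over a different connection), not from the same session that delivered
    the file: a provider that can rewrite the installer in flight can just
    as easily rewrite the checksum page served alongside it.
    hmac.compare_digest keeps the comparison constant-time.
    """
    actual = sha256_hex(data)
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def simulate_in_flight_modification(data: bytes) -> bytes:
    """Model only the observable effect of in-flight modification: the bytes
    received differ from the bytes served. A harmless marker is appended;
    this is a constructed stand-in, not a tampering technique."""
    return data + b"\x00MODIFIED-IN-TRANSIT"


def check_candidates(expected_sha256: str, candidates: dict) -> dict:
    """Return {name: passed} for each candidate download, so a caller can
    refuse to execute anything that did not verify."""
    return {name: verify_download(blob, expected_sha256)
            for name, blob in candidates.items()}


if __name__ == "__main__":
    # Stands in for the hash published out of band by the vendor.
    pinned = sha256_hex(GENUINE_INSTALLER)
    results = check_candidates(pinned, {
        "genuine": GENUINE_INSTALLER,
        "tampered": simulate_in_flight_modification(GENUINE_INSTALLER),
    })
    for name, ok in results.items():
        status = "hash matches pinned value" if ok else "HASH MISMATCH, do not run"
        print(f"{name}: {status}")
```

The hash check is only the first layer: a code-signing check (Authenticode on Windows, notarization on macOS) that fails closed on a missing or foreign signature catches the same substitution even when no out-of-band hash is available, and an endpoint that alerts on unsigned installers launched from the Downloads folder gives the detection side of Florian Roth's "log, alert, react" something concrete to key on.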


On to the newsletter…

China’s zero-day hacking festival.

If you never want to click on anything again, take a peek at results from China’s Tianfu Cup zero-day festival where 11 out of 16 targets were pwned with 23 successful exploits.  All these software products were popped (some multiple times!) with remote code execution exploit chains.

  • Google Chrome
  • Apple Safari
  • Mozilla Firefox
  • Adobe PDF Reader
  • Docker-CE
  • VMware ESXi
  • QEMU
  • CentOS 8
  • Apple iOS 15
  • Galaxy S20
  • Windows 10 2004
  • TP-Link
  • ASUS Router

As Catalin Cimpanu reports, the most eye-opening of the exploits was a no-interaction remote code execution attack chain against a fully patched iOS 15 running on the latest iPhone 13. The second was a simple two-step remote code execution chain against Google Chrome, something that has not been seen in a hacking competition in years.

In the past, exploits that first surfaced at the Tianfu Cup were seen in nation-state malware campaigns and, because there is a requirement that all winning vulns/exploits must be shared with the Chinese government, there are natural rumblings about China’s stockpiling of exploits.  All governments are now hoarding 0days so this isn’t something unique.

The big lesson, for me, is the fragility of modern software, despite decades of investments (and costs) on anti-exploitation mitigations.  As Florian Roth expertly points out, this fragility has led to the most important paradigm shift of the last 10 years, “the change of focus from protection (filter, patch, block) to detection (log, alert, react).”


Sponsored. CISO roundtable: How to stop phishing in Microsoft 365
In today’s data breach reality, 85% of incidents involve the human element and 61% of phishing attacks utilize compromised credentials. The threat landscape and attackers’ methodologies continue to evolve dramatically, and organizations urgently need to examine their email security defenses to remain secure.
Join this exclusive CISO roundtable hosted by Ryan Naraine for an interactive discussion on the evolving phishing threats targeting Microsoft 365 users; how to equip employees to act as a resilient last line of defense against phishing; how to effectively assess and manage your email security posture to remain protected, covering Microsoft anti-phishing solutions, IESS technologies and secure email gateways.  Register here.

US Treasury and ransomware wealth transfer.

The U.S. Treasury’s FinCEN unit is sharing some raw data on the extent of the wealth transfer from ransomware operations and the numbers are head-scratching:

Gas and water pipeline attacks.

A new CISA advisory documents ongoing attacks against U.S. water and wastewater systems (.pdf):

  • August 2021 — Malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.
  • July 2021 — Cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds.
  • March 2021 — Cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim’s SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).
  • September 2020 —  Personnel at a New Jersey-based WWS facility discovered potential Makop ransomware had compromised files within their system.
  • March 2019 — A former employee at a Kansas-based WWS facility unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer.

Security OGs destroy Apple’s porn-scanning tech

A high-powered group of security pioneers — Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Jon Callas, Whitfield Diffie, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Vanessa Teague and Carmela Troncoso — is skewering Apple’s iOS client-side scanning technology plans.

The 46-page paper from the security OGs (.pdf) provides a detailed analysis of scanning capabilities at both the client and the server, the trade-offs between false positives and false negatives, and the side effects, such as the ways in which adding scanning systems to citizens’ devices will open them up to new types of attack.

University of Cambridge’s Ross Anderson sums up the findings:

Even if the engineering on the phone were perfect, a scanner brings within the user’s trust perimeter all those involved in targeting it – in deciding which photos go on the naughty list, or how to train any machine-learning models that riffle through your texts or watch your videos. Even if it starts out trained on images of child abuse that all agree are illegal, it’s easy for both insiders and outsiders to manipulate images to create both false negatives and false positives. The more we look at the detail, the less attractive such a system becomes.

Here’s additional coverage from the New York Times.

Hardware, firmware and supply chain security

Some research things from the layers below the operating system:


Leftover.

Tangentially.

P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.

Sponsored.

  • Symmetry DataGuard helps you protect what matters most. Start with a sealed, read-only service in your cloud. Point it at your data stores and fine-grained query logs. Get a risk map with at-risk data objects and suggested interventions. Get in touch today for a demo.
  • Egress has built the only Human Layer Security platform that defends against inbound and outbound threats. Using patented contextual machine learning, Egress detects and prevents abnormal human behavior such as targeted phishing attacks, misdirected emails, and data exfiltration. Book a demo.
  • ProcessUnity’s Cybersecurity Program Management (CPM) is a single, comprehensive platform for centrally managing an organization’s cybersecurity program with prepackaged mapped content, automated workflows, assessments and dynamic reporting. The solution enables the CISO to inventory and assess high-value assets; map them to threats, risks, policies and control standards; automate reviews; and capture evidence of compliance — all on a predefined schedule. Request a demo.