Newsletter
10.19.2021 | 10'' read
Guest op-ed: VPNs and targeted espionage concerns
Notes:
- I’ll be moderating a CISO Roundtable on cloud email security on November 10, 2021. Register here to learn about mitigating threats targeting Microsoft 365 deployments.
- I’ll be interviewing Dragos chief executive Robert M. Lee at this year’s ICS Cybersecurity Conference. Snag a seat here.
- I’ll be in Atlanta and Miami for a pair of work events from October 24 through November 3. Wanna grab coffee? (Twitter DMs are open).
Ceding some space for some thoughts from Juan Andrés Guerrero-Saade, Principal Threat Researcher at SentinelOne and an Adjunct Professor of Strategic Studies at Johns Hopkins SAIS’s new Alperovitch Institute.
_ryan
VPN consolidation and targeted espionage concerns
When I saw the Restore Privacy documentation about VPNs getting consolidated under a shady company with a reputation for malware and adware distribution, my concern went deeper than the usual ad-peddling.
Sure, shady monetization schemes with advertising are the bulk of the business model, but I don’t think we’re paying close enough attention to the targeted espionage concerns. Ad networks are fantastically positioned to profile internet users with an impressive level of granularity, but they’re limited to profiling and displaying content within constrained parameters.
For a determined adversary with control or influence over an ad network, you might be able to selectively inject iframes or malicious ads in the hopes of hitting that one precious target. Your aperture into what the target is doing is limited, and so is your ability to interact with them.
But a VPN introduces a much smoother avenue of attack. The combination of malicious ad-network+VPN-provider means that not only can they profile specific users, but they can also manipulate their traffic. And that’s where the real magic enters the picture as ‘TNI’!
‘Tactical network injection’, as some ‘lawful intercept’ companies describe it, is one of the holy grails of mid-tier state espionage. The idea is that (by being on the same WiFi network or via an appliance in an attacker-controlled ISP) the attackers can trojanize executables in flight.
Here’s a scenario: A user downloads the Skype installer from the Skype website; the attacker has set a rule to monitor for these opportunities. The attacker gets in the middle of that connection and keeps it alive, downloads the legitimate Skype installer, trojanizes it with their backdoor, then serves the installer to the user.
Sure, the hash is wrong, the signature is either replaced or missing, but the victim got the installer they wanted from the legitimate website they visited so suspicions are low, and the target is infected.
These capabilities were developed and sold by HackingTeam and FinFisher among many others. Here’s a more recent example.
The limitations of TNI solutions are obvious. A ‘mobile’ setup (for example, a laptop with fancy network cards in a pelican case) is limited to proximity to a shared WiFi network. The more expensive appliance requires access to a compliant ISP and that the victim be a customer of that ISP. The latter is obviously region-limited to where the attacker has influence and where the victim happens to get their internet service.
How would you go about using this technology for targets of interest that live somewhere else? Fly people there each time (RU)? Supply a foreign ISP with a big box under false pretenses (US)? Or you could own and proselytize the use of attacker VPN services in the regions you’re interested in?
Think about it: it’s not only cheaper, people are paying you to run this; you also make ad revenue, you can sell their data, AND you can occasionally serve some other shady interest by profiling user traffic and infecting some special unsuspecting customers.
There’s always been an expectation that this was happening, particularly with shady VPNs in the Middle East and ‘free proxy services’. How about a VPN monopoly? Over the past decade many of us have obsessed over the awesome capabilities of the SIGnals INTelligence giants. It seems some of us weren’t content just watching and are trying to replicate those capabilities for themselves.
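The installer-swap scenario above hinges on one detail: the bytes that arrive no longer match what the vendor published. The following script is an added illustration of the defender-side check, not code from the newsletter or its guest author. It compares a downloaded file against a SHA-256 checksum obtained through a separate channel (the vendor’s checksum page, a package manifest, an internal allow-list), hashing in chunks so it works on large installers. The installer bytes, the “published” hash and the modified copy are all constructed for the example; the function and variable names are mine.

```python
"""
Out-of-band integrity check for a downloaded installer (added example).

If a file is altered while in flight, its hash will not match the checksum
the vendor publishes. Verifying the download against a checksum fetched
through a separate channel catches the substitution before the file runs.
All sample bytes and hashes below are constructed for this example.
"""
import hashlib
import hmac
import io
from dataclasses import dataclass
from typing import BinaryIO, Union

CHUNK = 1 << 20  # 1 MiB: installers are large, so hash them in chunks


@dataclass(frozen=True)
class Verdict:
    ok: bool
    expected: str
    observed: str
    reason: str


def sha256_of_stream(stream: BinaryIO) -> str:
    """Stream a file-like object through SHA-256 without loading it whole."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def verify_download(data: Union[bytes, BinaryIO], expected_sha256: str) -> Verdict:
    """Compare what was served against the out-of-band published hash."""
    expected = expected_sha256.strip().lower()
    # Refuse to "verify" against something that is not a SHA-256 digest at all.
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return Verdict(False, expected, "", "reference value is not a SHA-256 hex digest")
    if isinstance(data, (bytes, bytearray)):
        observed = hashlib.sha256(data).hexdigest()
    else:
        observed = sha256_of_stream(data)
    # Constant-time comparison of the two hex digests.
    if hmac.compare_digest(observed, expected):
        return Verdict(True, expected, observed, "hash matches the published checksum")
    return Verdict(False, expected, observed,
                   "hash mismatch: file was altered in transit or the reference is wrong")


# --- constructed sample data (stand-ins, not real installers) ---------------
# The legitimate installer as the vendor ships it.
LEGIT_INSTALLER = b"MZ" + b"\x00" * 62 + b"legit-installer-body" * 100
# The checksum the vendor would publish. Here it is computed from the clean
# copy; in practice it is fetched out of band, never from the download itself.
PUBLISHED_SHA256 = hashlib.sha256(LEGIT_INSTALLER).hexdigest()
# The same installer after an in-flight modification (extra bytes appended).
MODIFIED_INSTALLER = LEGIT_INSTALLER + b"appended-content"


def demo() -> dict:
    """Run the check over the clean copy, the modified copy and a bad reference."""
    return {
        "clean": verify_download(LEGIT_INSTALLER, PUBLISHED_SHA256),
        "clean_stream": verify_download(io.BytesIO(LEGIT_INSTALLER), PUBLISHED_SHA256),
        "modified": verify_download(MODIFIED_INSTALLER, PUBLISHED_SHA256),
        "bad_reference": verify_download(LEGIT_INSTALLER, "not-a-hash"),
    }


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:13s} ok={v.ok}  {v.reason}")
```

The check only helps if the reference hash comes from somewhere the same network path cannot tamper with; a checksum shown on the download page itself would be swapped along with the file. Pairing the hash check with the platform’s code-signature verification covers the case the op-ed mentions where the signature is replaced or missing.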
On to the newsletter…
China’s zero-day hacking festival.
If you never want to click on anything again, take a peek at results from China’s Tianfu Cup zero-day festival where 11 out of 16 targets were pwned with 23 successful exploits. All these software products were popped (some multiple times!) with remote code execution exploit chains.
- Google Chrome
- Apple Safari
- Mozilla Firefox
- Adobe PDF Reader
- Docker-CE
- VMware ESXi
- QEMU
- CentOS 8
- Apple iOS 15
- Galaxy S20
- Windows 10 2004
- TP-Link
- ASUS Router
As Catalin Cimpanu reports, the most eye-opening of the exploits was a no-interaction remote code execution attack chain against a fully patched iOS 15 running on the latest iPhone 13. The second was a simple two-step remote code execution chain against Google Chrome, something that has not been seen in hacking competitions in years.
The big lesson, for me, is the fragility of modern software, despite decades of investment (and cost) in anti-exploitation mitigations. As Florian Roth expertly points out, this fragility has led to the most important paradigm shift of the last 10 years, “the change of focus from protection (filter, patch, block) to detection (log, alert, react).”
The U.S. Treasury’s FinCEN unit is sharing some raw data on the extent of the wealth transfer from ransomware operations and the numbers are head-scratching:
- FinCEN report (.pdf): “Based on blockchain analysis of identifiable transactions with the 177 CVC wallet addresses, FinCEN identified approximately $5.2 billion in outgoing BTC transactions potentially tied to ransomware payments.”
- The Office of Foreign Assets Control (OFAC) has issued sanctions compliance guidance (.pdf) for the virtual currency industry, a warning that sanctions are coming for companies involved in the ransomware wealth transfer.
- There’s an official press release outlining the Treasury Department’s goals and motivations.
- New from Google’s VirusTotal subsidiary: We analyzed 80 million ransomware samples – here’s what we learned.
Gas and water pipeline attacks.
A new CISA advisory documents ongoing attacks against U.S. water and wastewater systems (.pdf):
- August 2021 — Malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.
- July 2021 — Cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds.
- March 2021 — Cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim’s SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).
- September 2020 — Personnel at a New Jersey-based WWS facility discovered potential Makop ransomware had compromised files within their system.
- March 2019 — A former employee at a Kansas-based WWS facility unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer.
Security OGs destroy Apple’s porn-scanning tech
A high-powered group of security pioneers — Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Jon Callas, Whitfield Diffie, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Vanessa Teague and Carmela Troncoso — is skewering Apple’s iOS client-side scanning technology plans.
A 46-page paper from the security OGs (.pdf) provides a detailed analysis of scanning capabilities at both the client and the server, the trade-offs between false positives and false negatives, and the side effects – such as the ways in which adding scanning systems to citizens’ devices will open them up to new types of attack.
University of Cambridge’s Ross Anderson sums up the findings:
Hardware, firmware and supply chain security
Some research things from the layers below the operating system:
- New from Google: SiliFuzz: Fuzzing CPUs by proxy (.pdf) outlines a system for finding CPU defects.
- The Open Source Firmware Conference has released a very impressive agenda.
- JupiterOne CISO Sounil Yu writes about the need to shift the thinking on securing the software supply chain.
- New from Apple: A threat analysis of the risks of side-loading on iPhones (.pdf).
- Shodan Trends is worth some of your time.
Leftover.
- Project Zero’s Jann Horn warns in detail about how a simple Linux kernel memory corruption bug can lead to complete system compromise.
Tangentially.
- Peep this throwback article from 2005. Hat-tip to Costin Raiu for spotting this.
Sponsored.
- Symmetry DataGuard helps you protect what matters most. Start with a sealed, read-only service in your cloud. Point it at your data stores and fine-grained query logs. Get a risk map with at-risk data objects and suggested interventions. Get in touch today for a demo.
- Egress has built the only Human Layer Security platform that defends against inbound and outbound threats. Using patented contextual machine learning, Egress detects and prevents abnormal human behavior such as targeted phishing attacks, misdirected emails, and data exfiltration. Book a demo.
- ProcessUnity’s Cybersecurity Program Management (CPM) is a single, comprehensive platform for centrally managing an organization’s cybersecurity program with prepackaged mapped content, automated workflows, assessments and dynamic reporting. The solution enables the CISO to inventory and assess high-value assets; map them to threats, risks, policies and control standards; automate reviews; and capture evidence of compliance — all on a predefined schedule. Request a demo.