MalwareTech’s FBI-Induced Tour to Milwaukee, WI

On Friday, WannaCry hero Marcus Hutchins (AKA MalwareTech) was granted bail by a Las Vegas judge; he will pay his bail on Monday, then have to travel, without a passport to show TSA, to Milwaukee for a court appearance Tuesday (I’m contemplating hopping the ferry for the hearing).

I’d like to focus on the venue, how it is that a British malware researcher came to be charged in Flyover USA for the crime of making malware.

Thomas Brewster-Fox wrote an important piece on Friday trying to answer what a lot of people have been asking: what is Kronos, a piece of malware many researchers had never really heard of? He notes that the malware was a bust in the criminal malware market.

The reduced price hints at another truth about Kronos: it was largely a failure amongst serious cybercriminals. There was early anticipation in 2014 it could go big, as prolific and profitable as one of its forbears, the banking malware known as Zeus. In an email to your reporter from RSA’s Daniel Cohen in 2014, he wrote: “Waiting to see whether Kronos turns into something. At this point it’s just a post on a forum, no sample or binary yet. It could be an interesting development if it does, as it would point to more movement away from the Zeus code.”

In the last 24 months, according to IBM global executive security advisor Limor Kessem, the Trojan emerged with a hefty $7,000 price tag in mid-2014, but actual attacks didn’t launch until the third and fourth quarter of 2015, when the company saw some Kronos malware campaigns hitting UK banks. “But after that timeframe, have not seen much more activity from the malware,” Kessem told Forbes.

“The very last time we saw Kronos activity was a small campaign in November 2016, when Kronos infected a very small number of machines mostly in Brazil, the UK, Japan, and Canada. At that particular time, we did not see fraudulent activity from Kronos, but rather, believe it was used as a loader for other malware.”

Importantly, IBM global executive security advisor Limor Kessem names the few places where the malware has been deployed: Some UK banks in the last two quarters of 2015 and then, in altered form and function, in a “very small number of machines” in Brazil, UK, Japan, and Canada.

So: UK, Brazil, UK, Japan, and Canada.

Not the US, as far as Kessem notes.

And in fact, the most commonly cited victim, the UK, is where Hutchins is from! Yet among the things the British National Cyber Security Centre — the folks who worked closely with Hutchins as he saved a bunch of NHS hospitals from being shut down due to the WannaCry malware — has been really circumspect about since Hutchins’ arrest is what the case is doing over here in the States.

We are aware of the situation. This is a law enforcement matter and it would be inappropriate to comment further.

So why are we seeing this case in the US — in Milwaukee, of all places?!?! — rather than in the UK where some of its few victims are?

The indictment against Hutchins includes just two actions he is alleged to have taken personally.

Defendant MARCUS HUTCHINS created the Kronos malware. (¶4a)

[snip]

In or around February 2015, defendants MARCUS HUTCHINS and [redacted] updated the Kronos malware. (¶4d)

All the other overt actions described in the indictment were done by Hutchins’ as yet unknown (even to him, per reports!) and still at-large co-defendant. That includes this action:

On or about June 11, 2015, defendant [redacted] sold a version of the Kronos malware in exchange for approximately $2,000 in digital currency. [emphasis mine]

Most of the other charges — counts three through six — cite that June 11 sale. So it’s that sale, in which Hutchins was not alleged to be involved and the alleged perpetrator of which hasn’t yet been arrested, that seems to be the core of the crime.

This Beeb article, by far the most detailed accounting of Hutchins’ arraignment, provides these details.

Prosecutors told a Las Vegas court on Friday that Mr Hutchins had been caught in a sting operation when undercover officers bought the code.

They claimed the software was sold for $2,000 in digital currency in June 2015.

Dan Cowhig, prosecuting, also told the court that Mr Hutchins had made a confession during a police interview.

“He admitted he was the author of the code of Kronos malware and indicated he sold it,” said Mr Cowhig.

The lawyer claimed there was evidence of chat logs between Mr Hutchins and an unnamed co-defendant – who has yet to be arrested – where the security researcher complained of not receiving a fair share of the money.

From this, it might be safe to assume that some law enforcement officer, possibly working undercover in the Eastern District of WI, bought a bunch of shit off AlphaBay in 2015, including a copy of (a version of) the Kronos malware. The purchase (and the version of code) wasn’t sufficiently interesting last year to arrest Hutchins when (I believe) he came for the Las Vegas cons.

Nor was it interesting enough to the UK, where some of Kronos’ few victims are, to prosecute the sale (which, because conspiracy laws are not as broad as they are here in the US, might not have reached Hutchins in any case, and certainly wouldn’t have exposed him to decades of incarceration).

But this year, in the days after the AlphaBay seizure (and several months after Hutchins helped to shut down WannaCry), prosecutors presented that $2000 sale to a grand jury in ED WI, after which an arrest warrant was sent out to Las Vegas, just in time to arrest Hutchins on his way out of the country, after most of the unruly hackers had departed from Las Vegas.

Arresting Hutchins only as he left — and playing whack-a-mole moving him from one detention center to another — gave authorities the opportunity to interview Hutchins without an attorney, where, prosecutor Dan Cowhig claims, Hutchins “made a confession” — not that he “created the Kronos malware,” which is what the indictment alleges, but instead that he “was the author of the code of Kronos malware.” That “confession” sounds like the kind of thing an overly helpful person might offer if asked to explain this tweet in circumstances where he didn’t have a lawyer.

So here’s what may be going on.

In the aftermath of the AlphaBay seizure, authorities in the US decided to wade through what they could charge from past purchases off the marketplace, and either remembered or stumbled on this remarkably minor sale. Perhaps because of Hutchins’ fame, or perhaps because someone is unhappy about Hutchins’ fame, it was prioritized in a way it otherwise would not have been. And, as always, the US used convenient travel as a way to nab foreign alleged hackers and pull them into America’s criminal justice system, which is far more onerous than those of its allies.

It’s not even clear, however, that that explains the Milwaukee venue. Recall that DOJ first charged Pyotr Levashov (and therefore first deployed its now legally sanctioned Rule 41 warrant) for the Kelihos botnet in Alaska, even though he’ll be tried in CT if he’s ever extradited to the US. The FBI reorganized the way they investigate cyber crimes in 2014 (no longer tying the investigation to the geography of the crime) and with Rule 41 and international crimes, they’ll be able to do so far more in the future. But at least with Levashov, there were victims referenced in the complaint, whereas here, the only act that may have taken place in ED WI is that purchase, if it even did.

All that said, the venue is a far less interesting question than whether the FBI really has evidence tying Hutchins to intending his code to be used for malware, or if they’ve just made a horrible mistake.

Three Things: Mas Gas, Las Vegas and Sass

I’m not even going to touch the massive stream of news out of Washington over the last 24 hours, from the Washington Post piece featuring ‘leaked’ transcripts of Trump’s whack doodle conversations with Mexico’s and Australia’s presidents to the impaneled grand jury and subpoenas. Plenty of other material not getting adequate air time.

Speaking of air time, hope you have a chance to catch Marcy on Democracy Now. She spoke with Amy Goodman about the confirmation of Chris Wray as FBI Director as well as former Fox News contributor Rod Wheeler’s lawsuit against Fox News.

Onward…

~ 3 ~

Venezuela’s state-run oil producer PDVSA is cutting oil sales to U.S. refining unit Citgo Petroleum. At the same time it is increasing shipments of oil to Russia’s largest oil producer, Rosneft. Venezuela is using its oil to pay down a $1.6 billion loan extended to PDVSA last year. Rosneft has loaned an even larger sum of money in the not-too-distant past, but the terms aren’t known; payments in oil as well as a hefty minority stake in Citgo were believed to be included in negotiations.

The threat to U.S. gasoline supply: though at lower levels than a decade ago, Venezuela is the third largest supplier of oil to the U.S.

Citgo has, however, been shifting its purchasing wider afield than just PDVSA:

Citgo last year started sending gasoline and other fuels to Venezuela in exchange for a portion of its crude supply. But Citgo has increased the volume of U.S. oil it refines, and has also expanded its crude import sources.
[…]
U.S. President Donald Trump’s administration has promised strong economic sanctions against Venezuela’s government after a Constituent Assembly was elected last week in what the United States called a “sham” vote. The new body will have power to rewrite the constitution and abolish the opposition-led Congress.

If those sanctions were to constrain Venezuela’s oil shipments to the United States, Citgo could be ahead of its competitors in finding new supply sources.

The public will feel at the pump whatever happens to Citgo and other gasoline producers. Gasoline prices are already $0.16-0.24 per gallon higher than they were last year.

Who is profiting from this?

~ 2 ~

I’ve been thinking about the tagline, “What happens in Vegas, stays in Vegas” right about now after the arrest of Marcus Hutchins, a.k.a. MalwareTechBlog following Defcon’s end in Las Vegas. You’ve probably read Marcy’s piece already (catch up if you didn’t); since she published her post the information security community has been digging into Hutchins’ past and stewing about why/what/how.

Some speculate this was an aggressive recruitment effort; this might explain why the U.K. didn’t arrest him before he left for Defcon. Or did the U.K. and the U.S. agree not to spook any Defcon attendees by stopping Hutchins before he arrived in Vegas? Responses by U.K. authorities are annoyingly banal:

A spokesman for the Foreign and Commonwealth Office said: “We are in touch with local authorities in Las Vegas following reports of a British man being arrested.”

The UK’s National Crime Agency said: “We are aware a UK national has been arrested but it’s a matter for the authorities in the US.”

Others speculate he was framed as the target of revenge by someone caught up in Alphabay’s seizure. How does shutting down WannaCry fit into this scenario?

I don’t have a favorite theory right now. All I know is that WannaCry’s heat map sticks in my craw.

One thing which should come out of this situation is a dialog about coding, malware, and intent; the infosec community is having that discussion now, but it needs to be wider. If a white hat codes malware in part or whole to investigate capabilities, they are only separated from criminal malware producers/sellers/distributors by intent. How does law enforcement determine intent?

~ 1 ~

Your opinion is constantly shaped by the media you consume. Some consumers aren’t conscious of this shaping; neither are some producers.

And some producers know it but are just plain jerks.

A very important way in which opinion is shaped is by the perspective presenting a viewpoint. If only the members of one-half of the population ever get a chance to present a perspective, consumers’ opinions are narrowed by that same factor. This is why gender equity in media is critical; if you’re only hearing men, you’re getting only part of the picture.

WIRED magazine knows that gender equity in content is important, but their last issue contained only male-written content. As a twisted tribute to the women who helped produce the issue, WIRED stuck a colophon listing important females.

Including a dog.

Really? The women of WIRED are on the same footing as a pet?

Somebody/ies at WIRED need a kick in the sass; I don’t give a fig if half the staff is female if the content itself is all-male. I’m going to do my best this next month not to cite WIRED.

Don’t think for a moment this is just WIRED, either. The VIDA Count annually measures gender equity in the literary arts. There’s progress, though it is slow.

~ 0 ~

That’s a wrap on this open thread. Let’s hope with Tiny Hands McGolfer on vacation that news slows a bit as we enter this weekend. I’m not holding my breath though. Behave.

FBI Busts the Guy Who Saved the World from NSA’s Malware

Yesterday, the FBI arrested Marcus Hutchins as he was leaving Las Vegas after Black Hat/Defcon.

Hutchins is best known as the malware researcher, MalwareTechBlog, who inadvertently saved the world from NSA’s repurposed hacking tools by registering what has been assumed to be the sandboxing domain, effectively turning it into a killswitch.

But the government accuses him of making the Kronos banking malware sold on AlphaBay. In an indictment signed July 11 (6 days after AlphaBay got seized), the government asserts simply that Hutchins made the malware. Motherboard first reported the arrest.

It also accuses him of conspiring with a co-defendant, whose name is redacted, to sell it, going back to July 2014.

There’s a lot of skepticism about this indictment in the infosec community, in part because no one took Hutchins for a black hat, though others point to a past identity under which he may have engaged in carding. Plus, the timing is curious. The press release for the arrest notes “the Kronos banking Trojan … was first made available through certain internet forums in early 2014.”

On July 13, 2014, Hutchins put out an ask for a sample of the malware.

That’s also the day the indictment describes an advertising video first being posted to AlphaBay on how Kronos worked.

In remarkably timed news, between 3:10 and 3:25 AM UTC this morning (8 PM last night Mountain Time), someone emptied out all the WannaCry accounts.

Three Things: Killing Oil, Too Money, Kaspersky’s World

Too much going on here today but the existing threads are getting too deep and a couple are drifting off-topic. Here’s three quick things to chew on and an open thread.

~ 3 ~

The marketplace will bring death to oil long before the government. (Bloomberg). But will governments — US and oil-producing countries alike — get in the way of alternative energy in spite of the market demanding more alternatives to fossil fuels? With this trend away from combustion engines pressing on them, fossil fuel producers are shifting toward increased LNG for use in electricity production; this only shifts CO2 creation from vehicles to power plants. Will the market put an end to that, too?

~ 2 ~

There’s too much money out there if Delta can order multiple planes configured for all-first class service. I just spoke with a friend earlier today about round-trip fares from a major Midwest airport to major cities in Europe; they were quite high even with a departure date more than a month out, and higher than they had seen in a while. Fuel prices haven’t increased that much over the last year; low oil prices are threatening pipelines as financing construction costs more than the return on oil. Somewhere between slack fuel prices, firm fares and demand, Delta’s making enough money to build these let-them-eat-cake planes.

One could argue that if buyers have the money they can have whatever they want — except that taxpayers finance the infrastructure, including the essential safety regulatory system, which will now protect the few and not the many while increasing congestion. Too money — somebody needs to pay more taxes to support the infrastructure they’re using.

~ 1 ~

Kaspersky Labs is releasing around the globe a free version of their antivirus software (Reuters). It won’t replace the paid version of their AV software, providing only very basic protection. I’m not using it, though, for two reasons: if it’s like Kaspersky’s existing free tool, it will send messages back to the parent company about infections it finds — and possibly more. Congress and the U.S. intelligence community may have concerns about Kaspersky Lab’s vulnerability to the Russian government; I’m more concerned about Kaspersky Lab having been breached at least once in 2015, compromising data in their systems. Your mileage may vary; use under advisement.

~ 0 ~

That’s it for now. This is an open thread. Behave.

P.S. The fight against attacks on the health care system isn’t over. Call your senator at (202) 224-3121. Other tools for your use in this post.

The Long-Delayed Jeff Sessions Reveal

Today (or yesterday — I’ve lost track of time) the WaPo reported what has long been implied: there’s evidence that Jeff Sessions spoke to Russian Ambassador Sergey Kislyak about campaign-related stuff, contrary to his repeated sworn comments.

At first, I thought this revelation might relate to Richard Burr’s assertion that Devin Nunes made up the scandal about which Obama officials had unmasked the identity of Trump officials who got sucked up in intercepts of Russians.

“The unmasking thing was all created by Devin Nunes, and I’ll wait to go through our full evaluation to see if there was anything improper that happened,” Burr said. “But clearly there were individuals unmasked. Some of that became public which it’s not supposed to, and our business is to understand that, and explain it.”

After all, one of the things the Senate Intelligence Committee would do to clear Rice is figure out who unmasked the identities of Trump people. And there’s at least circumstantial evidence to suggest that James Clapper unmasked Jeff Sessions’ identity, potentially on the last day of his tenure.

But Adam Entous, one of the three journalists on the story (and all the stories based on leaks of intercepts) reportedly said on the telly they’ve had the story since June.

Which instead suggests the WaPo published a story they’ve been sitting on since Sessions’ testimony.

The WaPo story cites the NYT interview in which Trump attacked Sessions for his poor answers about his interactions with Kislyak.

Trump, in an interview this week, expressed frustration with Sessions’s recusing himself from the Russia probe and indicated that he regretted his decision to make the lawmaker from Alabama the nation’s top law enforcement officer. Trump also faulted Sessions as giving “bad answers” during his confirmation hearing about his Russian contacts during the campaign.

Officials emphasized that the information contradicting Sessions comes from U.S. intelligence on Kislyak’s communications with the Kremlin, and acknowledged that the Russian ambassador could have mischaracterized or exaggerated the nature of his interactions.

Many people took this interview as an effort on Trump’s part to get Sessions to resign.

And the WaPo goes on to note that the disclosure — by these same journalists — of Mike Flynn’s conversations with Kislyak led to his resignation.

Kislyak was also a key figure in the departure of former national security adviser Michael Flynn, who was forced to leave that job after The Post revealed that he had discussed U.S. sanctions against Russia with Kislyak even while telling others in the Trump administration that he had not done so.

And all of a sudden, we get this confirmation that Sessions has been lying all along.

Don’t get me wrong: I’d be happy to see Jeff Sessions forced to resign. But if he does, Trump will appoint someone more willing to help the cover-up, someone who (because he wouldn’t have these prevarications about conversations with the Russian Ambassador and therefore won’t have to recuse) will assume supervision of Robert Mueller.

So while I’m happy for the confirmation that Sessions lied, I have real questions about why this is being published now.

On Trump’s Impenetrable Cyber Security Unit to Guard Election Hacking

Man oh man did Vladimir Putin hand Trump his ass in their meeting the other day. Most of the focus has been on Trump’s apparent refusal to confront Putin on the election hack (which Trump is now trying to spin — pity for him he excluded his credible aides who could tell us how it really went down, or maybe that was precisely the point).

But I was more interested in Putin and Sergei Lavrov’s neat trick to get Trump to agree to a “joint working group on cybersecurity.”

Lavrov says Trump brought up accusations of Russian hacking; Moscow and DC will set up joint working group on cybersecurity.

Here’s how Trump has been talking about this in an [unthreaded] rant this morning.

People who’re just discovering this from Trump’s tweets are suitably outraged.

But I think even there they’re missing what a master stroke this was from Putin and Lavrov.

First, as I noted at the time, this comes at the moment Congress is trying to exclude Kaspersky Lab products from federal networks, accompanied by a more general witch hunt against the security firm. As I have said, I think the latter especially is problematic (and probably would have been designed at least partly to restore some asymmetry on US spying on the world, as Kaspersky is one of the few firms that will consistently ID US spying), even if there are reasons to want to keep Kaspersky out of sensitive networks. Kaspersky would be at the center of any joint cyber security effort, meaning Congress will have a harder time blackballing them.

Then there’s the fact that cooperation has been tried. Notably, the FBI has tried to share information with the part of FSB that does cyber investigations. Often, that ends up serving to tip off the FSB to which hackers the FBI is most interested in, leading to them being induced to spy for the FSB itself. More troubling, information sharing with US authorities is believed to partly explain treason charges against some FSB officers.

Finally, there’s the fact that the Russians asked for proof that they hacked our election.

SECRETARY TILLERSON: The Russians have asked for proof and evidence. I’ll leave that to the intelligence community to address the answer to that question. And again, I think the President, at this point, he pressed him and then felt like at this point let’s talk about how do we go forward. And I think that was the right place to spend our time, rather than spending a lot of time having a disagreement that everybody knows we have a disagreement.

If the US hadn’t been represented by idiots at this meeting, the obvious follow-up would be to point to Russia’s efforts to undermine US extradition of Russians against whom the US has offered proof, at least enough to get a grand jury to indict, most notably of the three Russians involved in the Yahoo hack, as well as Yevgeniy Nikulin. The US would be all too happy to offer proof in those cases, but Russia is resisting the process that will end up in that proof.

But instead, Trump and his oil-soaked sidekick agreed to make future hacking of the US easier.

In Mistaking Surveillance for Sabotage, NYT Fearmongers Nukes Again

Last night, the NYT had an alarming story reporting that suspected Russian spies were compromising engineers that work at nuclear power plants across the United States. Amber! the story screamed.

Since May, hackers have been penetrating the computer networks of companies that operate nuclear power stations and other energy facilities, as well as manufacturing plants in the United States and other countries.

Among the companies targeted was the Wolf Creek Nuclear Operating Corporation, which runs a nuclear power plant near Burlington, Kan., according to security consultants and an urgent joint report issued by the Department of Homeland Security and the Federal Bureau of Investigation last week.

The joint report was released on June 28. It was obtained by The New York Times and confirmed by security specialists who have been responding to the attacks. It carried an urgent amber warning, the second-highest rating for the severity of the threat.

After screaming “Amber,” the story went on to scream “bears!”

The origins of the hackers are not known. But the report indicated that an “advanced persistent threat” actor was responsible, which is the language security specialists often use to describe hackers backed by governments.

The two people familiar with the investigation say that, while it is still in its early stages, the hackers’ techniques mimicked those of the organization known to cybersecurity specialists as “Energetic Bear,” the Russian hacking group that researchers have tied to attacks on the energy sector since at least 2012.

Ultimately, the story worked its way up to invoke StuxNet, an attack on the actual enrichment processes of a nuclear facility.

In 2008, an attack called Stuxnet that was designed by the United States and Israel to hit Iran’s main nuclear enrichment facility, demonstrated how computer attacks could disrupt and destroy physical infrastructure.

The government hackers infiltrated the systems that controlled Iran’s nuclear centrifuges and spun them wildly out of control, or stopped them from spinning entirely, destroying a fifth of Iran’s centrifuges.

In retrospect, [former chairman of the Federal Energy Regulatory Commission] Mr. Wellinghoff said that attack should have foreshadowed the threats the United States would face on its own infrastructure.

And yet, in the fourth paragraph of the story, NYT admitted it’s not really clear what the penetrations involved. With that admission, the story also revealed that the computer networks in question were not the control systems that manage the plants.

The report did not indicate whether the cyberattacks were an attempt at espionage — such as stealing industrial secrets — or part of a plan to cause destruction. There is no indication that hackers were able to jump from their victims’ computers into the control systems of the facilities, nor is it clear how many facilities were breached.

Still further down, the report admitted that this involved phishing and watering hole attacks on engineers, not attacks on control systems.

In most cases, the attacks targeted people — industrial control engineers who have direct access to systems that, if damaged, could lead to an explosion, fire or a spill of dangerous material, according to two people familiar with the attacks who could not be named because of confidentiality agreements.

[snip]

Hackers wrote highly targeted email messages containing fake résumés for control engineering jobs and sent them to the senior industrial control engineers who maintain broad access to critical industrial control systems, the government report said.

[snip]

In some cases, the hackers also compromised legitimate websites that they knew their victims frequented — something security specialists call a watering hole attack.

That is, even while screaming “Amber Russian bear OMIGOSH StuxNet!!” the article admitted that this is not StuxNet. This amounts to spies, quite possibly Russian, “hunting SysAdmins,” just like the United States does (of course, the US and its buddy Israel also assassinate nuclear engineers, which for all its known assassinations, Russia is not known to have done).

That distinction is utterly critical to make, no matter how much you want to fearmonger with readers who don’t understand the distinction.

There is spying — the collection of information on accepted targets. And there is sabotage — the disruption of critical processes for malicious ends.

This is spying, what our own cyber doctrine calls “Cyber Collection.”

Cyber Collection: Operations and related programs or activities conducted by or on behalf of the United States Government, in or through cyberspace, for the primary purpose of collecting intelligence – including information that can be used for future operations – from computers, information or communications systems, or networks with the intent to remain undetected. Cyber collection entails accessing a computer, information system, or network without authorization from the owner or operator of that computer, information system, or network or from a party to a communication or by exceeding authorized access. Cyber collection includes those activities essential and inherent to enabling cyber collection, such as inhibiting detection or attribution, even if they create cyber effects. ( C/NF)

That doesn’t mean Russian spying on how our nuclear facilities work is without risk. It does carry the risk that they are collecting the information so they can one day sabotage our facilities.

But if we want to continue spying on North Korea’s or Iran’s nuclear program, we would do well to remember that we consider spying on nuclear facilities — even by targeting the engineers that run them — squarely within the bounds of acceptable international spying. By all means we should try to thwart this presumed Russian spying. But we should not suggest — as the NYT seems to be doing — that this amounts to sabotage, to the kinds of things we did with StuxNet, because doing so is likely to lead to very dangerous escalation.

And it’s not just me saying that. Robert M. Lee, who works on cyber defense for the energy industry and who recently authored a report on Crash Override, Russia’s grid-targeting sabotage tradecraft (and as such would have been an obvious person to cite in this article) had this to say:

So while the threat to nuclear from cyber is a real concern because of impact it’s very improbable and “what about Stuxnet” is a high bar

Or said more simply: phishing emails are lightyears removed from “what about Stuxnet” arguments. It’s simply otherworldly in comparison.

There’s one more, very real reason why the NYT should have been far more responsible in clarifying that this is collection, not sabotage. Among the things Shadow Brokers, with its presumed ties to Russia, has been threatening to expose is “compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs.” If the NYT starts inflating the threat from cyber collection on nuclear facilities, it could very easily lead to counter-inflation, with dangerous consequences for the US and its ability to monitor our adversaries.

There is very real reason to be concerned that Russia — or some other entity — is collecting information on how our nuclear and other power facilities work. But, as Lee notes, conflating that with StuxNet is “otherworldly.”

Nyetya: Sanctions and Taxes

In my first post on the Nyetya/NotPetya attack launched in Ukraine last week, I suggested the attack looked a lot like a digital sanctions regime and pointed out that the malware had been compiled not long after the US Senate tried to pass new sanctions.

On June 14, the Senate passed some harsh new sanctions on Russia, ostensibly just for Russia’s Ukrainian and Syrian related actions, not for its tampering in last year’s US election. The House mucked up that bill, but the Senate will continue to try to impose new sanctions. Trump might well veto the sanctions, but that will cause him a great deal of political trouble amid the Russian investigation.

The Petya/NotPetya malware was compiled on June 18.

Update: I should add that Treasury added a bunch of people to its Ukraine-related sanctions list on June 20.

In her first post on it, Rayne focused on how the loss of MEDoc’s tax software might affect payments in Ukraine (though she remained open about other attackers besides Russia).

But the US isn't the only country that has moved toward imposing new sanctions on Russia. Ukraine did so too, back on May 15. Petro Poroshenko targeted a number of Russian tech brands — most spectacularly VK, mail.ru, and Yandex, which are among the most popular sites in Ukraine. The Ukrainian president also banned Kaspersky, as American politicians are moving closer to doing. Most interestingly, Poroshenko banned 1C, which is perhaps the Russian equivalent of Microsoft's Office suite.

A decree by Poroshenko posted late on Monday expanded sanctions adopted over Russia’s annexation of Crimea and backing of separatists in eastern Ukraine to include 468 companies and 1,228 people. Among them were the Russian social networks VK and Odnoklassniki, the email service Mail.ru and the search engine company Yandex, all four of which are in the top 10 most popular sites in Ukraine, according to the web traffic data company Alexa. The decree requires internet providers to block access to the sites for three years.

Poroshenko’s decree also blocked the site of the Russian cybersecurity giant Kaspersky Labs and will ban several major Russian television channels and banks, as well as the popular business software developer 1C.

In a post on his official page on VK, Poroshenko said he had tried to use Russian social networks to fight Russia’s “hybrid war” and propaganda.

1C is a competitor to MEDoc, the patient zero of the attack. (h/t Jeff Vader)

After Poroshenko imposed sanctions, Putin’s spox warned Ukraine had forgotten the principle of reciprocity.

Vladimir Putin’s spokesman told journalists that he wasn’t prepared to say but that Russia had not “forgotten about the principle of reciprocity”.

Now consider these other details.

It turns out that MEDoc had already sent out several malicious updates that backdoored the software and collected victims' unique business identifiers, as well as credentials.

During our research, we identified a very stealthy and cunning backdoor that was injected by attackers into one of M.E.Doc’s legitimate modules. It seems very unlikely that attackers could do this without access to M.E.Doc’s source code.

The backdoored module has the filename ZvitPublishedObjects.dll. This was written using the .NET Framework. It is a 5MB file and contains a lot of legitimate code that can be called by other components, including the main M.E.Doc executable ezvit.exe.

We examined all M.E.Doc updates that were released during 2017, and found that there are at least three updates that contained the backdoored module:

  • 01.175-10.01.176, released on 14th of April 2017
  • 01.180-10.01.181, released on 15th of May 2017
  • 01.188-10.01.189, released on 22nd of June 2017

The incident with Win32/Filecoder.AESNI.C happened three days after the 10.01.180-10.01.181 update and the DiskCoder.C outbreak happened five days after the 10.01.188-10.01.189 update. Interestingly, four updates from April 24th 2017, through to May 10th 2017, and seven software updates from May 17th 2017, through to June 21st 2017, didn’t contain the backdoored module.

Since the May 15th update did contain the backdoored module and the May 17th update didn't, here is a hypothesis that could explain the low Win32/Filecoder.AESNI.C infection ratio: the release of the May 17th update was an unexpected event for the attackers. They pushed the ransomware on May 18th, but the majority of M.E.Doc users no longer had the backdoored module as they had updated already.

[snip]

Each organization that does business in Ukraine has a unique legal entity identifier called the EDRPOU number (Код ЄДРПОУ). This is extremely important for the attackers: having the EDRPOU number, they could identify the exact organization that is now using the backdoored M.E.Doc. Once such an organization is identified, attackers could then use various tactics against the computer network of the organization, depending on the attackers’ goal(s).

[snip]

Along with the EDRPOU numbers, the backdoor collects proxy and email settings, including usernames and passwords, from the M.E.Doc application.

Note that the May 15 backdoored update was actually released earlier in the day, before Poroshenko announced the sanctions against Russia.
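To make ESET's update-cadence hypothesis concrete, here is an added example (my own illustration, not ESET's code or anything from the original post) that models exposure windows from the release dates quoted above. The two clean runs (April 24 to May 10 and May 17 to June 21) are represented only by their first and last releases, because the excerpt gives only those endpoints; the update-lag model, in which a customer installs each release a fixed number of days after it ships, is an assumption made for illustration.

```python
"""Exposure-window model for the backdoored M.E.Doc updates ESET describes.

Added example; not ESET's code or anything from the original post. Release
dates and backdoored/clean flags are those quoted in the text. The clean runs
(April 24 - May 10, May 17 - June 21) are represented only by their first and
last releases, because the page gives only those endpoints. The update-lag
model (a customer installs each release `lag` days after it ships) is an
assumption made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Release:
    shipped: date
    label: str
    backdoored: bool


RELEASES: List[Release] = sorted([
    Release(date(2017, 4, 14), "10.01.175-10.01.176", True),
    Release(date(2017, 4, 24), "first clean update of the April/May run", False),
    Release(date(2017, 5, 10), "last clean update of the April/May run", False),
    Release(date(2017, 5, 15), "10.01.180-10.01.181", True),
    Release(date(2017, 5, 17), "first clean update of the May/June run", False),
    Release(date(2017, 6, 21), "last clean update of the May/June run", False),
    Release(date(2017, 6, 22), "10.01.188-10.01.189", True),
], key=lambda r: r.shipped)

# Payload pushes named in the ESET excerpt.
EVENTS = {
    "Win32/Filecoder.AESNI.C": date(2017, 5, 18),
    "Win32/DiskCoder.C": date(2017, 6, 27),
}


def exposure_windows(releases: List[Release]) -> List[Tuple[date, Optional[date]]]:
    """For each backdoored release: (ship date, date of the first later clean
    release that displaced it, or None if no clean release had followed yet)."""
    windows = []
    for i, rel in enumerate(releases):
        if not rel.backdoored:
            continue
        closed_by = next((r.shipped for r in releases[i + 1:] if not r.backdoored), None)
        windows.append((rel.shipped, closed_by))
    return windows


def installed_release(releases: List[Release], on: date, lag_days: int) -> Optional[Release]:
    """Release a customer with the given update lag is running on date `on`:
    the newest release shipped on or before (on - lag_days)."""
    cutoff = on - timedelta(days=lag_days)
    candidates = [r for r in releases if r.shipped <= cutoff]
    return candidates[-1] if candidates else None


def exposed_lags(releases: List[Release], on: date, max_lag: int = 14) -> List[int]:
    """Lag values (days behind the vendor) for which the release installed on
    `on` is a backdoored one."""
    exposed = []
    for lag in range(max_lag + 1):
        rel = installed_release(releases, on, lag)
        if rel is not None and rel.backdoored:
            exposed.append(lag)
    return exposed


if __name__ == "__main__":
    for start, end in exposure_windows(RELEASES):
        span = f"{start} to {end}" if end else f"{start}, no clean release had followed"
        print(f"backdoored build current: {span}")
    for name, when in EVENTS.items():
        print(f"{name} on {when}: exposed if {exposed_lags(RELEASES, when)} days behind")
```

Under this model the May 18 push could only reach customers running two or three days behind the vendor, because the clean May 17 release had already displaced the backdoored module for everyone who updated promptly, while on June 27 every customer up to five days behind was still on the backdoored June 22 build. That asymmetry is what ESET's hypothesis says in prose.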

Talos used logs it obtained from MEDoc to confirm that the attacker had backdoored victims, collecting data from targeted machines.

But then Talos makes what I consider a logical jump (albeit an interesting one): invoking something similar that happened with BlackEnergy, it argues that the hackers who backdoored MEDoc have now lost the intelligence capability that back door provided, so they must have a replacement at the ready. As a result, Talos basically suggests that businesses should treat anything touching Ukraine as if it has, or soon will have, digital cooties.

In short, the actor has given up the ability to deliver arbitrary code to the 80% of UA businesses that use M.E.Doc as their accounting software, along with any multinational corporations that leveraged the software.  This is a significant loss in operational capability, and the Threat Intelligence and Interdiction team assesses with moderate confidence that it is unlikely that they would have expended this capability without confidence that they now have or can easily obtain similar capability in target networks of highest priority to the threat actor.

Based on this, Talos is advising that any organization with ties to Ukraine treat software like M.E.Doc and systems in Ukraine with extra caution since they have been shown to be targeted by advanced threat actors.  This includes providing them a separate network architecture, increased monitoring and hunting activities in those at-risk systems and networks and allowing only the level of access absolutely necessary to conduct business.  Patching and upgrades should be prioritized on these systems and customers should move to transition these systems to Windows 10, following the guidance from Microsoft on securing those systems.  Additional guidance for network security baselining is available from Cisco as well.  Network IPS should be deployed on connections between international organizations and their Ukrainian branches and endpoint protection should be installed immediately on all Ukrainian systems.

That may be right. But I'm not sure this analysis considers Rayne's point: that by basically taking out crucial tax software used by 80% of the Ukrainian market (indeed, Ukrainian authorities raided the company in a showy SWAT raid today), you will presumably have some effect on the collection of taxes in Ukraine, something the AP's Raphael Satter, reporting from Ukraine, says he has already seen anecdotal evidence of.

So, sure, the MEDoc attacker lost the back door into 80% of the companies doing business in Ukraine. But the attacker may also have hurt Ukraine's ability to collect taxes, while destroying the Ukrainian competitor to one of the Russian companies sanctioned in May, imposing tremendous costs on doing business in Ukraine, and leading security advisors to recommend treating Ukraine as if it has cooties going forward.

As with my first post on this, I'm still really just spitballing.

But one thing we know about Russia: it wants to find a way to end the sanctions regimes against it, and helping Donald Trump get elected thus far hasn’t done the trick.

Update: MalwareTech, the guy who sinkholed WannaCry, points to his sinkhole data showing declining WannaCry infections in Ukraine and Russia, which he says reflects Nyetya infections displacing WannaCry ones (a machine Nyetya has wiped no longer beacons to the WannaCry sinkhole). That suggests the impact in Russia is real, contrary to some public comments.

Update: Bleeping Computer describes victims installing old versions of MEDoc because it is so central to their business operations.

With the M.E.Doc servers down, Bleeping Computer was told that most Ukrainian companies are now sharing older versions of the M.E.Doc software via Google Drive links. The software provided by Intellect Service is so crucial to Ukrainian companies that even after the NotPetya outbreak, many businesses cannot manage their finances without it, despite the looming danger of another incident.

Because of the way the software is currently shared between some users, Ukrainian companies are now exposing themselves to even more dangerous threats, such as installing boobytrapped M.E.Doc versions from unofficial sources like Dropbox or Google Drive.
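Passing installers around through personal cloud storage, as Bleeping Computer describes, throws away the one integrity property a vendor update channel still gives you: every customer gets the same bytes. The added example below (mine, not Intellect Service's code or anything from the original post) builds a SHA-256 manifest from a known-good install and diffs a sideloaded copy against it, reporting modified, missing and unexpected files. The file names ezvit.exe and ZvitPublishedObjects.dll come from the ESET excerpt above; the contents are constructed stand-ins. The caveat the ESET excerpt makes plain applies: this catches tampering after the vendor shipped a build, not a backdoor compiled into the vendor's own release, which hashes identically on every official install.

```python
"""Manifest-based integrity check for a sideloaded software copy.

Added example, not from the original post or the software vendor. The file
names ezvit.exe and ZvitPublishedObjects.dll are taken from the ESET excerpt;
the byte contents below are constructed stand-ins for a real install.
"""
import hashlib
from pathlib import Path
from typing import Dict, List, NamedTuple


class Report(NamedTuple):
    modified: List[str]    # present in both, contents differ
    missing: List[str]     # in the manifest, absent from the copy
    unexpected: List[str]  # in the copy, absent from the manifest

    @property
    def clean(self) -> bool:
        return not (self.modified or self.missing or self.unexpected)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map relative path -> SHA-256 hex digest for a known-good install."""
    return {path: sha256_hex(data) for path, data in files.items()}


def verify(manifest: Dict[str, str], files: Dict[str, bytes]) -> Report:
    """Compare a candidate copy (relative path -> bytes) against the manifest."""
    modified = sorted(p for p, data in files.items()
                      if p in manifest and sha256_hex(data) != manifest[p])
    missing = sorted(p for p in manifest if p not in files)
    unexpected = sorted(p for p in files if p not in manifest)
    return Report(modified, missing, unexpected)


def load_tree(root: Path) -> Dict[str, bytes]:
    """Read a real directory tree into the same shape as the constructed samples,
    so the same verify() call works against an actual install directory."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


# Constructed stand-in for an official install captured before anything was shared.
KNOWN_GOOD = {
    "ezvit.exe": b"MZ" + b"\x00" * 62 + b"main executable (constructed)",
    "ZvitPublishedObjects.dll": b"MZ" + b"\x00" * 62 + b".NET module (constructed)",
    "config/settings.xml": b"<settings><update>official</update></settings>",
}

# Constructed copy pulled from a shared drive: one module altered, one file added.
SIDELOADED = {
    "ezvit.exe": KNOWN_GOOD["ezvit.exe"],
    "ZvitPublishedObjects.dll": b"MZ" + b"\x00" * 62 + b".NET module (constructed) + extra code",
    "config/settings.xml": KNOWN_GOOD["config/settings.xml"],
    "updater.exe": b"MZ" + b"\x00" * 62 + b"not part of the official install",
}


if __name__ == "__main__":
    report = verify(build_manifest(KNOWN_GOOD), SIDELOADED)
    print("clean" if report.clean else f"modified={report.modified} "
          f"missing={report.missing} unexpected={report.unexpected}")
```

Capture the manifest from an install you obtained through the vendor's own channel before the outage, keep it somewhere the shared copy cannot overwrite, and refuse to run any copy whose report is not clean.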

NotPetya: Why Would Russia Target Kaspersky AV?

With the backing of a bunch of security companies, both the US and Ukraine are getting closer to formally blaming last week's NotPetya attack on Russia, specifically on the same hackers that brought down Ukraine's power grid in 2015.

But there are skeptics. Rob Graham suggests this analysis all suffers from survivorship bias. And Jonathan Nichols argues the attack was so easy that pretty low-level hackers could have pulled it off.

Nichols also raises a point that has been puzzling me. The malware does extra damage if it detects Kaspersky antivirus.

Much has been made about the fact that the NotPetya virus appears to have been designed as a wiper, and not as a genuine piece of ransomware. The virus also checks for avp.exe (Kaspersky Antivirus) and then wipes the bootsector of any device with the file present.

[snip]

Further, the specific targeting of Kaspersky Antivirus harkens back to the vindictive nature of low level cyber criminals, such as those which famously write hate messages to Kaspersky and Brian Krebs regularly.

There may be a good reason to do this (if, say, Kaspersky dominates the AV market in Ukraine, the check would provide an additional way to target Ukraine specifically, though that logic would seem to also implicate Russian companies, like Rosneft, that were hit by NotPetya as well). But absent such a reason, why would Russia selectively do more damage to victims running Kaspersky, especially at a moment when the US is so aggressively trying to taint Kaspersky as a Russian front?
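One way to check a claim like Nichols' about the avp.exe test, short of reversing the sample: carve the printable ASCII and UTF-16LE strings out of the binary and match them against known antivirus process names. The example below is added here and is not Nichols' code or anything from the original post; the byte blob it scans is constructed inline to stand in for a sample, and the process names other than avp.exe are my own additions for illustration. Windows binaries usually carry process and path names as UTF-16LE, which a plain ASCII strings pass misses, so the scan does both. A hit only shows the name is embedded; what the code does when it finds that process running still needs disassembly or dynamic analysis.

```python
"""Triage check for antivirus-aware behaviour: carve printable strings out of a
binary and match them against known AV process names.

Added example, not Nichols' code or anything from the original post. SAMPLE is
a constructed byte blob standing in for a binary; avp.exe is the name quoted
in the text, the other process names are assumptions added for illustration.
A match shows only that the name is embedded, not what the code does with it.
"""
import re
from typing import Dict, List, NamedTuple


class Hit(NamedTuple):
    offset: int
    encoding: str
    text: str


# Process name -> product. Only avp.exe comes from the text.
AV_PROCESS_NAMES = {
    "avp.exe": "Kaspersky",
    "MsMpEng.exe": "Windows Defender (assumed addition)",
    "ccSvcHst.exe": "Symantec (assumed addition)",
}


def extract_strings(data: bytes, min_len: int = 4) -> List[Hit]:
    """Return printable runs in both ASCII and UTF-16LE, sorted by offset.
    UTF-16LE text interleaves every character with 0x00, so an ASCII-only
    pass never sees a run longer than one character."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [Hit(m.start(), "ascii", m.group().decode("ascii"))
            for m in ascii_re.finditer(data)]
    hits += [Hit(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in wide_re.finditer(data)]
    return sorted(hits)


def av_process_hits(data: bytes) -> Dict[str, List[Hit]]:
    """Map each known AV process name found in `data` to the strings containing it."""
    found: Dict[str, List[Hit]] = {}
    for hit in extract_strings(data):
        lowered = hit.text.lower()
        for name in AV_PROCESS_NAMES:
            if name.lower() in lowered:
                found.setdefault(name, []).append(hit)
    return found


# Constructed stand-in for a sample: a fake header, an ASCII import name,
# junk, the Kaspersky process name as UTF-16LE, more junk, a wide file name.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"kernel32.dll\x00"
    + b"\x13\x37" * 6
    + "avp.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\xff" * 9
    + "README.txt".encode("utf-16-le") + b"\x00\x00"
)


if __name__ == "__main__":
    for name, hits in av_process_hits(SAMPLE).items():
        for h in hits:
            print(f"{AV_PROCESS_NAMES[name]}: '{h.text}' at offset {h.offset} ({h.encoding})")
```

Run against a real file with `av_process_hits(open(path, "rb").read())`; a UTF-16LE hit for avp.exe at some offset tells you where to start looking in the disassembly for the branch that consumes it.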

As a reminder, back in January when Shadow Brokers claimed to be disappearing forever, they called out Kaspersky specifically in a dump of dated Windows files (SB trolled Kaspersky even more on Twitter, though deleted all those old tweets last week).

Before go, TheShadowBrokers dropped Equation Group Windows Warez onto system with Kaspersky security product. 58 files popped Kaspersky alert for equationdrug.generic and equationdrug.k TheShadowBrokers is giving you popped files and including corresponding LP files.

So it is not just cybercriminals with a grudge against Kaspersky for cooperating with western law enforcement who have targeted Kaspersky in the past; so has the source of some of the exploits used in this attack.

I don’t know the answer. But it’s one counterargument to the rush to blame Russia that, in my opinion, needs some answers.

Does Maersk Count as US Critical Infrastructure?

Back when Sony Pictures got hacked, after Sony Everything Else had been hacked serially over the course of 15 years, the US government declared that multinational studio, owned by a Japanese parent, US critical infrastructure entitled to heightened cybersecurity protection. That was one of the bases on which the US imposed sanctions on North Korea. The designation also expanded the ways in which the FBI could help Sony.

The listing of a multinational movie studio as critical infrastructure led many people to understand just how broad the definition of CI is in the US, including (in the same Commercial Facilities Sector) a bunch of things that might better be called soft targets:

  • Entertainment and Media (e.g., motion picture studios, broadcast media).
  • Gaming (e.g., casinos).
  • Lodging (e.g., hotels, motels, conference centers).
  • Outdoor Events (e.g., theme and amusement parks, fairs, campgrounds, parades).
  • Public Assembly (e.g., arenas, stadiums, aquariums, zoos, museums, convention centers).
  • Real Estate (e.g., office and apartment buildings, condominiums, mixed use facilities, self-storage).
  • Retail (e.g., retail centers and districts, shopping malls).
  • Sports Leagues (e.g., professional sports leagues and federations).

That's when I learned that DHS was on the hook for protecting Yogi Bear's Jellystone Park and KOA campground facilities around the country from cyberattack.

Since 2014, DHS has belatedly added one thing to its critical infrastructure designation: elections. But DHS doesn't appear to have updated its website to reflect that designation yet (though maybe I'm missing it; I'll call tomorrow to ask them where it is).

Anyway, the global impact of the NotPetya attack (which I'll henceforth call Nyetna, because that's my favorite name for it), particularly its impact on Danish shipping giant Maersk, has me wondering whether anything Nyetna affected would count as critical infrastructure. The impact on Maersk has had a significant effect at several ports in the US.

Danish shipping giant A.P. Moller-Maersk, one of the global companies hardest hit by the malware, said Thursday that most of its terminals are now operational, though some terminals are “operating slower than usual or with limited functionality.”

Problems have been reported across the shippers’ global business, from Mobile, Alabama, to Mumbai in India. When The Associated Press visited the latter city’s Jawaharlal Nehru Port Trust on Thursday, for example, it witnessed several hundred containers piled up at just two yards, out of more than a dozen yards surrounding the port.

“The vessels are coming, the ships are coming, but they are not able to take the container because all the systems are down,” trading and clearing agent Rajeshree Verma told the AP. “The port authorities, they are not able to reply (to) us. The shipping companies they also don’t know what to do. … We are actually in a fix because of all this.”

Probably the most important impact was on Maersk’s terminal in LA.

A cyberattack that infected computers across Europe and then spread into the United States halted operations at the Port of Los Angeles’ largest terminal Tuesday — and raised worries that destructive software could ricochet around the world and disrupt the critical supply chain.

APM Terminals — where Danish shipping carrier A.P. Moller-Maersk operates — turned truckers away all day, as did their terminals in Rotterdam, New York and New Jersey.

So does Maersk, and the 18% of global container shipping business it carries, count as US critical infrastructure?

Given that Maersk, not the several ports affected, is the victim, it's not clear. Here's how DHS describes the maritime component of its transportation sector.

  • Maritime Transportation System consists of about 95,000 miles of coastline, 361 ports, more than 25,000 miles of waterways, and intermodal landside connections that allow the various modes of transportation to move people and goods to, from, and on the water.

But if Sony can count as US CI, it seems Maersk (or any comparable shipping giant) should as well.

It may not matter, as the Executive Branch seems to be hiding even further under its bed than it was after the WannaCry attack, with this being the White House's one mention of the attack.

SECRETARY PERRY:  So let’s get over on the grid.  Obviously, the Department of Energy has a both scientific, they have a historic reason to be involved with that.  One is that, at one of our national labs, we have a test grid of which we are able to go out — one of the reasons that the Department of Homeland Security and DOE is involved with grid security is that DOE operates a substantial grid — a test grid, if you will — where we can go out and actually break things.  We can infest it with different viruses and what have you to be able to analyze how we’re going to harden our grid so that Americans can know that our country is doing everything that it can to protect, defend this country against either cyberattacks that would affect our electrical security or otherwise.

So the ability for us to be able to continue to lead the world — I think we all know the challenges.  We saw the reports as late as today of what’s going on in Ukraine.  And so protecting this country, its grid against not just cyber, but also against physical attacks, against attacks that may come from Mother Nature, weather-related events — all of that is a very important part of what DOE, DHS is doing together.

DHS is preoccupied rolling out Muslim Ban 3.0 and other flight restrictions.

By all appearances, Nyetna primarily targeted Ukraine. But in hitting Ukraine, it significantly disabled one of the key cogs in the global economy, the world's biggest container shipping company. Does that count as an attack on the US, or at least its critical infrastructure?

Update: I’ve confirmed that “shipping lines” are included in Maritime Transportation. So Maersk would seem to count as critical infrastructure.
