Stories from the Wild #1
Welcome to the first edition of our new Talking Tech series, Stories from the Wild. Every month, we bring you the latest stories in information security and cybersecurity. You can read our introductory post for why this matters.
This inaugural edition is being launched on a second Tuesday of the month to commemorate Patch Tuesdays. Even as patching moves towards automation (such as with Windows Autopatch), Patch Tuesdays will continue to be a fixture of any infosec calendar, serving up regular security and quality updates.
Our theme for the next twelve monthly editions will be birthdays. Subscribe and look out for our next edition in August, where we will commemorate the birthday of the first of twelve key figures in the history of infosec and cybersecurity.
This month in…ransomware
Evolution of n-extortion
Not so long ago, cyber criminals used to extort money from their victims by encrypting the data on the infected system and demanding a ransom payment in exchange for a decryption key – think WannaCry and NotPetya. More recently, underlying data has also been stolen ("exfiltrated") from infected systems, leading to a threat of "double extortion". In these cases, the ransom payment is demanded in exchange for the return or deletion of the exfiltrated data (or against a threat to publish the data) and for the decryption of the infected systems – a standard tactic for certain cybercrime groups.
But why stop there?
If a hacker has access to the underlying data, they may exploit it further. Details of customers and suppliers can lead to attacks on their systems and their people too. Victims may well be individual data subjects, even if that is not always a threat actor's modus operandi (personal data may also be sold on to other…interested parties, and when ransoms are not paid). Companies with a large network of stakeholders – financial institutions, healthcare organisations, insurers – are especially vulnerable in this regard. This additional layer of activity has become known as the threat of "triple extortion".
But anyone working with data will tell you that manipulating large (often unstructured) data sets effectively is difficult and resource intensive. Analysing data for nefarious purposes is no different. And accessing data over the darknet through protocols like Tor (The Onion Router) is a slow process.
On 14 June 2022, ALPHV started to publish data of victims of hacking on the public Internet, in an easily searchable form. "Employees" and "guests" are invited to "check themselves".
It is unclear if this is a test run for ALPHV or if this is a new trend. Posting data on the open Internet rather than an inaccessible darknet site, and making the data easily searchable, is quite the curate's egg – an interesting and worrying development from the wild. Should we call it "quadruple extortion"?
P.S. Some groups have stopped bothering to encrypt systems and data altogether. Does that take away one level of extortion?
This month in…television
Web of Make Believe: Death, Lies & the Internet
In a new documentary series released by Netflix in June 2022, Web of Make Believe: Death, Lies & the Internet, the debut episode, Death by SWAT, explores the dark side of "swatting".
- What is swatting? Swatting is used to describe generating an emergency services response under false pretences, with the aim of fooling emergency services into sending a Special Weapons and Tactics (SWAT) team to respond to the supposed emergency at the address or location of a target victim. "Swatters" commonly make phone calls to emergency services like 911 (in the US) and report a hoax situation, such as a shooting.
- How does swatting work exactly? Most devices offer location services which, when enabled, make the user's location accessible and visible. Or a home address may be revealed by doxing (where personal data is published on the Internet, in some jurisdictions a criminal offence) or through other online means, such as matching IP addresses.
- How do I avoid being swatted? Enforce strict privacy and security settings on all devices and accounts, and regularly check these settings. Update old passwords regularly and ensure they are sufficiently complex – or use a password manager. Use multi-factor authentication whenever it is offered. And avoid oversharing. It's a wild, wild place out there.
It has been two years since the Round 3 candidates were announced for the NIST Post-Quantum Cryptography project (or competition) that seeks to evaluate and standardise one or more quantum-resistant public-key cryptographic algorithms.
On 5 July NIST finally announced the first four winners: four quantum-resistant algorithms that defend privacy both now and down the road.
The first algorithm, CRYSTALS-Kyber, is used for general encryption, such as when accessing secure websites. The second, third, and fourth algorithms are used for digital signatures, to verify identities. They are CRYSTALS-Dilithium, FALCON, and SPHINCS+ ("sphincs plus").
An additional set of four algorithms for general encryption remain under consideration and may be announced or incorporated into the proposed standards in the future.
We're expecting standards to be set down in 2024 and implementation to follow thereafter. The UK's National Cyber Security Centre (NCSC) urges caution against jumping too soon, before NIST and ETSI standards are available. (Some of you may have spotted though that Kyber is already supported on the AWS Key Management Service via a hybrid algorithm that pairs it with a classic key exchange algorithm (Elliptic Curve Diffie-Hellman).)
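For the hybrid scheme mentioned above, the point to understand is how the classical and post-quantum shared secrets are combined so that an attacker must break both. The following is an added illustration, not AWS's or NIST's code: a standard HKDF (RFC 5869) combiner over an ECDH secret and a Kyber KEM secret, with constructed byte strings standing in for secrets that a real deployment would obtain from its ECDH and KEM libraries; the `info` label is an assumption.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) over SHA-256: extract a PRK, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _lp(data: bytes) -> bytes:
    """Length-prefix a field so the concatenated secrets cannot be re-split ambiguously."""
    return len(data).to_bytes(2, "big") + data


def hybrid_key(ecdh_secret: bytes, kem_secret: bytes, transcript: bytes) -> bytes:
    """Derive one session key from a classical ECDH secret and a Kyber KEM secret.

    Both secrets enter the KDF, so recovering the key requires breaking BOTH
    exchanges; the handshake transcript (public keys, KEM ciphertext) is hashed
    into the salt so the key is bound to this particular exchange."""
    ikm = _lp(ecdh_secret) + _lp(kem_secret)
    salt = hashlib.sha256(transcript).digest()
    return hkdf_sha256(ikm, salt, b"hybrid-ecdh-kyber-v1", 32)  # label is assumed


# Constructed stand-ins for the two shared secrets and the transcript; a real
# implementation gets these from an ECDH library and a Kyber KEM, not literals.
ECDH_SECRET = bytes.fromhex("11" * 32)
KEM_SECRET = bytes.fromhex("22" * 32)
TRANSCRIPT = b"constructed: client_pk || server_pk || kem_ciphertext"


def one_secret_is_not_enough() -> bool:
    """An attacker holding only one of the two secrets derives a different key."""
    real = hybrid_key(ECDH_SECRET, KEM_SECRET, TRANSCRIPT)
    without_kem = hybrid_key(ECDH_SECRET, b"\x00" * 32, TRANSCRIPT)
    without_ecdh = hybrid_key(b"\x00" * 32, KEM_SECRET, TRANSCRIPT)
    return real != without_kem and real != without_ecdh


if __name__ == "__main__":
    print(hybrid_key(ECDH_SECRET, KEM_SECRET, TRANSCRIPT).hex())
    print(one_secret_is_not_enough())
```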
The National Security Agency (NSA) in the US has worked with NIST on the project, and has said that "there are no backdoors". But public key cryptography will always be a test of mathematics. Long-term security will continue to rely on constant improvement: some things we think of as computationally hard today will certainly not be so in the future, and you don't always need a quantum computer.
We can't finish without talking about vulnerabilities. With growing numbers of third-party exploit brokers and an ever-increasing attack surface, newer and scarier vulnerabilities are being exploited in the wild all the time (and captured on the Common Vulnerabilities and Exposures list). It's not all bad news: improved detection and disclosure means that bad news could be good news, especially as vulnerability does not equal risk. Which of the CIA triad does it target? What is the risk of exploitability? Have we any compensating controls?
In any case, good vulnerability management should be part of baseline security measures: it is part of the NCSC's 10 Steps to Cybersecurity and Cyber Essentials. It will be a TOMs (technical and organisational measures) requirement for most organisations under the GDPR's security principle (Articles 5(1)(f) and 32). But don't forget that TOMs are holistic: you need to know what you have in order to know what to patch.
Here are three that caught our attention recently.
The Microsoft Support Diagnostic Tool (MSDT) allows technical support agents to analyse data remotely for troubleshooting purposes. A security research group, Nao Sec, disclosed (tweeted) a vulnerability on 27 May 2022, where an unauthorised party can use a Microsoft Office Word document, a common method of delivery, to execute code by hijacking MSDT to load code and execute PowerShell commands. This was dubbed "Follina". Unlike most Word document exploits, Follina does not require a macro.
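A simple detection for the delivery chain described above, added here as an example that is not part of this newsletter: it flags an Office application spawning msdt.exe, or msdt.exe spawning a shell, over a constructed sample of process-creation events. The column names and the event format are assumptions; a real deployment would map them onto its own EDR or Sysmon fields.

```python
import csv
import io

# Office applications that have no legitimate reason to launch the diagnostic tool.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed sample of process-creation events (not real telemetry): one
# Follina-style lineage (Word -> msdt -> PowerShell) plus two benign events.
SAMPLE_EVENTS = """timestamp,parent_image,image
2022-05-30T09:12:01Z,explorer.exe,winword.exe
2022-05-30T09:12:04Z,winword.exe,msdt.exe
2022-05-30T09:12:05Z,msdt.exe,powershell.exe
2022-05-30T09:30:00Z,explorer.exe,msdt.exe
2022-05-30T09:31:00Z,winword.exe,splwow64.exe
"""


def parse_events(text: str) -> list:
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def detect_msdt_abuse(events: list) -> list:
    """Return (timestamp, reason) for each event matching the MSDT abuse lineage.

    Two relationships are suspicious on their own: an Office process as the
    parent of msdt.exe, and msdt.exe as the parent of a command shell. A user
    opening a troubleshooter from Explorer (explorer.exe -> msdt.exe) is not flagged.
    """
    alerts = []
    for ev in events:
        parent = ev["parent_image"].strip().lower()
        child = ev["image"].strip().lower()
        if parent in OFFICE_APPS and child == "msdt.exe":
            alerts.append((ev["timestamp"], f"{parent} spawned msdt.exe"))
        elif parent == "msdt.exe" and child in SHELLS:
            alerts.append((ev["timestamp"], f"msdt.exe spawned {child}"))
    return alerts


if __name__ == "__main__":
    for ts, reason in detect_msdt_abuse(parse_events(SAMPLE_EVENTS)):
        print(ts, reason)
```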
Do you remember when the ProxyLogon vulnerability was being exploited to target Microsoft Exchange servers last year? Kaspersky has reported that building automation systems and industrial control systems, often labelled "OT" or operational technology, were still being accessed months after Microsoft released emergency patches on 2 March 2021. The report is the latest reminder of why knowing your assets (and updating them) is a key step in any cybersecurity programme. Don't forget the lobby aquarium.
Fortinet SSL-VPN (CVE-2018-13379)
A secure sockets layer (SSL) virtual private network (VPN) enables users to access an organisation's network without specialised software. A vulnerability in Fortinet's SSL-VPN was disclosed by researchers (to Fortinet) in 2018 and fixes were issued around May 2019. Handily, a step-by-step guide is available from BlackHat 2019, memes included (watch the presentation by DEVCORE).
This vulnerability is still being exploited three years on, as Microsoft's Threat Intelligence Centre and Digital Security Unit reported last month. This is over a year on from the joint UK-US government advisory published on 7 May 2021 (amongst others). Clearly, all processes should be carefully reviewed on a regular basis, as multiple exploits flow from this critical CVE (NIST CVSS score: 9.8).
Until next time – Happy Patch Tuesday!