Symantec Reports on Cicada APT Attacks against Japan
Symantec is reporting on an APT group linked to China, named Cicada. They have been attacking organizations in Japan and elsewhere.
Cicada has historically been known to target Japan-linked organizations, and has also targeted MSPs in the past. The group is using living-off-the-land tools as well as custom malware in this attack campaign, including a custom malware — Backdoor.Hartip — that Symantec has not seen being used by the group before. Among the machines compromised during this attack campaign were domain controllers and file servers, and there was evidence of files being exfiltrated from some of the compromised machines.
The attackers extensively use DLL side-loading in this campaign, and were also seen leveraging the ZeroLogon vulnerability that was patched in August 2020.
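DLL side-loading is noisy to hunt for without a rule of thumb, so here is an added triage example (my code, not Symantec's) that scores image-load telemetry records for the pattern the report describes: a DLL carrying the name of a well-known Windows system library loaded from somewhere other than the Windows system directories, typically from the host executable's own directory or a user-writable path, and often unsigned. The records are constructed to resemble Sysmon Event ID 7 (Image loaded) fields; the field names, the list of abused DLL names and the scoring weights are assumptions for illustration.

```python
"""Triage image-load telemetry for likely DLL side-loading (added example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where copies of system DLLs legitimately live (lower-case, trailing backslash).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Path fragments that mark user-writable locations (assumption: covers Users\*, ProgramData, Temp).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# Constructed subset of system DLL names that are commonly abused for side-loading.
SIDELOAD_NAMES = frozenset({
    "version.dll", "dwmapi.dll", "wtsapi32.dll", "oleacc.dll",
    "uxtheme.dll", "cryptbase.dll", "msimg32.dll",
})
THRESHOLD = 3  # assumption: a system-DLL name outside the system dirs is enough on its own


@dataclass(frozen=True)
class ImageLoad:
    image: str          # host process executable (Sysmon "Image")
    image_loaded: str   # DLL path (Sysmon "ImageLoaded")
    signed: bool        # signature status as reported by the telemetry


def _dir(path: str) -> str:
    """Lower-cased parent directory with a trailing backslash, for prefix matching."""
    return str(PureWindowsPath(path).parent).lower().rstrip("\\") + "\\"


def score(ev: ImageLoad) -> tuple[int, list[str]]:
    """Return (points, reasons) for one image-load event."""
    dll_dir = _dir(ev.image_loaded)
    name = PureWindowsPath(ev.image_loaded).name.lower()
    if dll_dir.startswith(SYSTEM_DIRS):
        return 0, []  # loaded from a system directory: not side-loading under this heuristic
    points, reasons = 0, []
    if name in SIDELOAD_NAMES:
        points += 3
        reasons.append(f"{name} is a system DLL name but was loaded from {dll_dir}")
    if _dir(ev.image) == dll_dir:
        points += 1
        reasons.append("loaded from the host executable's own directory (first in DLL search order)")
    if any(marker in dll_dir for marker in USER_WRITABLE):
        points += 1
        reasons.append("loaded from a user-writable location")
    if not ev.signed:
        points += 1
        reasons.append("DLL is unsigned")
    return points, reasons


def triage(events: list[ImageLoad]) -> list[tuple[str, str, int, list[str]]]:
    """Return (host image, DLL path, points, reasons) for events at or above THRESHOLD."""
    findings = []
    for ev in events:
        pts, why = score(ev)
        if pts >= THRESHOLD:
            findings.append((ev.image, ev.image_loaded, pts, why))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ImageLoad("C:\\Windows\\System32\\svchost.exe",
              "C:\\Windows\\System32\\version.dll", signed=True),
    ImageLoad("C:\\Users\\bob\\AppData\\Roaming\\Update\\OneDriveUpdater.exe",
              "C:\\Users\\bob\\AppData\\Roaming\\Update\\version.dll", signed=False),
    ImageLoad("C:\\Program Files\\Vendor\\app.exe",
              "C:\\Program Files\\Vendor\\dwmapi.dll", signed=False),
    ImageLoad("C:\\Program Files\\Vendor\\app.exe",
              "C:\\Program Files\\Vendor\\vendorlib.dll", signed=True),
]

if __name__ == "__main__":
    for image, dll, pts, why in triage(SAMPLE_EVENTS):
        print(f"[{pts}] {image} -> {dll}")
        for r in why:
            print("     -", r)
```

The fourth sample (a vendor's own library beside its executable) scores below the threshold, which is the point of weighting the system-DLL-name signal heavily: applications legitimately ship their own DLLs next to the binary, but they have no reason to ship a file called `version.dll` or `dwmapi.dll` there. Signature status is a supporting signal only; a stolen or adware certificate would satisfy it.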
Interesting details about the group’s tactics.
Sidebar photo of Bruce Schneier by Joe MacInnis.
NSA Advisory on Chinese Government Hacking
The NSA released an advisory listing the top twenty-five known vulnerabilities currently being exploited by Chinese nation-state attackers.
This advisory provides Common Vulnerabilities and Exposures (CVEs) known to be recently leveraged, or scanned-for, by Chinese state-sponsored cyber actors to enable successful hacking operations against a multitude of victim networks. Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access (T1133) or for external web services (T1190), and should be prioritized for immediate patching.
The US National Security Agency (NSA) has released a list of 25 vulnerabilities that Chinese state-sponsored hackers have recently been scanning for or have exploited in attacks.
“Most of the vulnerabilities […] can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services, and should be prioritized for immediate patching,” the agency noted.
The list of vulnerabilities exploited by Chinese hackers
The list is as follows:
The list is likely not complete, as Chinese state-sponsored actors may use other known and unknown vulnerabilities. All network defenders, and especially those securing critical systems in organizations on which US national security and defense depend, should treat patching these as a priority.
Mitigations are also available
If patching is not possible, the risk of exploitation for most of these can be lowered by implementing the mitigations provided by the vendors. The NSA also advises general mitigations such as:
- Disabling external management capabilities and setting up an out-of-band management network
- Blocking obsolete or unused protocols at the network edge and disabling them in device configurations
- Isolating Internet-facing services in a network DMZ to reduce the exposure of the internal network
- Enabling robust logging of Internet-facing services and monitoring the logs for signs of compromise
The agency also noted that patching alone does not address data that was stolen or modified before a device was patched, and that changing passwords and reviewing accounts after patching is good practice.
Additional “most exploited vulnerabilities” lists
Earlier this year, CISA released a list of old and new software vulnerabilities that are routinely exploited by foreign cyber actors and cyber criminals, the NSA and the Australian Signals Directorate released a list of web application vulnerabilities that are commonly exploited to install web shell malware, and Recorded Future published a list of ten software vulnerabilities most exploited by cybercriminals in 2019.
Admins and network defenders are encouraged to peruse them and patch those flaws as well.
The secure chat app Signal has become the most downloaded app in Hong Kong on both Apple’s and Google’s app stores, Bloomberg reports, citing data from App Annie. The surging interest in encrypted messaging comes days after the Chinese government in Beijing passed a new national security law that reduced Hong Kong’s autonomy and could undermine its traditionally strong protections for civil liberties.
The 1997 handover of Hong Kong from the United Kingdom to China came with a promise that China would respect Hong Kong’s autonomy for 50 years following the handover. Under the terms of that deal, Hong Kong residents should have continued to enjoy greater freedom than people on the mainland until 2047. But recently, the mainland government has appeared to renege on that deal.
Civil liberties advocates see the national security law approved last week as a major blow to freedom in Hong Kong. The New York Times reports that “the four major offenses in the law—separatism, subversion, terrorism and collusion with foreign countries—are ambiguously worded and give the authorities extensive power to target activists who criticize the party, activists say.” Until now, Hong Kongers faced trial in the city’s separate, independent judiciary. The new law opens the door for dissidents to be tried in mainland courts with less respect for civil liberties or due process.
This has driven heightened interest among Hong Kongers in secure communication technologies. Signal offers end-to-end encryption and is viewed by security experts as the gold standard for secure mobile messaging. It has been endorsed by NSA whistleblower Ed Snowden.
One of Signal’s selling points is that it minimizes data collection on its users. When rival Telegram announced it would no longer honor data requests from Hong Kong courts, Signal responded that it didn’t have any user data to hand over in the first place.
Bloomberg has also reported on the surging adoption of VPN software in Hong Kong as residents fear government surveillance of their Web browsing.
Five related APT groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and mobile devices running Android while remaining undetected for nearly a decade, according to BlackBerry.
The report provides further insight into pervasive economic espionage operations targeting intellectual property, a subject that the Department of Justice recently said is the focus of more than 1000 open investigations in all of the 56 FBI field offices.
Most large organizations rely on Linux
The cross-platform aspect of the attacks is also of particular concern in light of security challenges posed by the sudden increase in remote workers. The tools identified in these ongoing attack campaigns are already in place to take advantage of work-from-home mandates, and the diminished number of personnel onsite to maintain security of these critical systems compounds the risks.
While the majority of the workforce has left the office as part of containment efforts in response to the COVID-19 outbreak, intellectual property remains in enterprise data centers, most of which run on Linux.
Linux runs nearly all of the top 1 million websites online, 75% of all web servers, 98% of the world’s supercomputers and 75% of major cloud service providers (Netcraft, 2019, Linux Foundation, 2020).
Most large organizations rely on Linux to run websites, proxy network traffic and store valuable data. The report examines how APTs have leveraged the “always on, always available” nature of Linux servers to establish a “beachhead for operations” across a wide swath of targets.
“Linux is not typically user-facing, and most security companies focus their engineering and marketing attention on products designed for the front office instead of the server rack, so coverage for Linux is sparse,” said Eric Cornelius, Chief Product Architect at BlackBerry.
“These APT groups have zeroed in on that gap in security and leveraged it for their strategic advantage to steal intellectual property from targeted sectors for years without anyone noticing.”
APT groups: Other key findings
The APT groups examined in this report are likely comprised of civilian contractors working in the interest of the Chinese government who readily share tools, techniques, infrastructure, and targeting information with one another and their government counterparts.
The APT groups have traditionally pursued different objectives and focused on a wide array of targets; however, it was observed that there is a significant degree of coordination between these groups, particularly where targeting of Linux platforms is concerned.
The research identifies two new examples of Android malware, continuing a trend seen in a previous report which examined how APT groups have been leveraging mobile malware in combination with traditional desktop malware in ongoing cross-platform surveillance and espionage campaigns.
One of the Android malware samples very closely resembles the code in a commercially available penetration testing tool, yet the malware is shown to have been created nearly two years before the commercial tool was first made available for purchase.
The report examines several new variants of well-known malware that are getting past network defenders through the use of code-signing certificates issued for adware, a tactic the attackers hope will increase infection rates as antivirus alerts are dismissed as just another blip in a constant stream of adware warnings.
The research also highlights a shift by attackers towards the use of cloud service providers for command-and-control and data exfiltration communications which appear to be trusted network traffic.
During 2019, financially motivated cybercrime activity occurred on a nearly continuous basis, according to a CrowdStrike report.
There was an increase in incidents of ransomware, maturation of the tactics used, and increasing ransom demands from eCrime actors. Increasingly these actors have begun conducting data exfiltration, enabling the weaponization of sensitive data through threats of leaking embarrassing or proprietary information.
Beyond eCrime, nation-state adversaries continued unabated throughout 2019, targeting a wide range of industries. Another key trend in this year’s report is the telecommunications industry being targeted with increasing frequency by state actors, notably China and the DPRK.
Various nations, particularly China, have interest in targeting this sector to steal intellectual property and competitive intelligence.
Pursuing the 1-10-60 rule
Combatting threats from sophisticated nation-state and eCrime adversaries requires a mature process that can prevent, detect and respond to threats with speed and agility. Organizations should pursue the “1-10-60 rule” in order to effectively thwart cyberthreats.
1-10-60 guidelines are the following: detect intrusions in under one minute; investigate in 10 minutes; contain and eliminate the adversary in 60 minutes. Organizations that meet this benchmark are much more likely to eradicate the adversary before an attack spreads from its initial entry point, ultimately minimizing organizational impact.
“2019 brought an onslaught of new techniques from nation-state actors and an increasingly complex eCrime underground filled with brazen tactics and massive increases in targeted ransomware demands. As such, modern security teams must employ technologies to detect, investigate and remediate incidents faster with swift preemptive countermeasures, such as threat intelligence, and follow the 1-10-60 rule,” said Adam Meyers, vice president of Intelligence at CrowdStrike.
- The trend toward malware-free tactics accelerated, with malware-free attacks surpassing the volume of malware attacks: in 2019, 51% of attacks used malware-free techniques, up from 40% in 2018, underscoring the need to advance beyond traditional AV solutions.
- China continues to focus many operations on supply chain compromises, demonstrating the nation-state’s continued use of this tactic to identify and infect multiple victims. Other targeting of key U.S. industries deemed vital to China’s strategic interests — including clean energy, healthcare, biotechnology, and pharmaceuticals — is also likely to continue.
- The industries at the top of the target list for enterprise ransomware (Big Game Hunting) observed were local governments and municipalities, academic institutions, the technology sector, healthcare, manufacturing, financial services and media companies.
- In addition to supporting currency generation, DPRK’s targeting of cryptocurrency exchanges could support espionage-oriented efforts designed to collect information on users or cryptocurrency operations and systems. In addition, it is suspected that DPRK has also been developing its own cryptocurrency to further circumvent sanctions.
“This year’s report indicates a massive increase in eCrime behavior can easily disrupt business operations, with criminals employing tactics to leave organizations inoperable for large periods of time. It’s imperative that modern organizations employ a sophisticated security strategy that includes better detection and response and 24/7/365 managed threat hunting to pinpoint incidents and mitigate risks,” said Jennifer Ayers, vice president of OverWatch at CrowdStrike.
In recent years, burner phones have become an obligatory part of the international business traveler’s toolkit. But though these devices are designed to minimize the amount of stored data available for capture by malicious actors in a foreign country, burner phones actually give attackers an opening to another, potentially more valuable, form of data: conversations that occur during key meetings in the vicinity of the device.
In this article, I’ll explore the threat of mobile eavesdropping targeting the burner phones of executives and other corporate employees traveling to high-risk countries and look at some mitigations for this emerging risk.
The evolution of technical eavesdropping
Though videoconferencing has made it possible for corporate executives to instantly traverse the globe, face-to-face meetings are still preferable for critical tasks like partnership discussions, sales and business development, corporate or legal negotiations, strategic planning, research-oriented conversations with colleagues, political meetings and more.
In fact, these types of discussions are usually the main reason executives travel overseas in the first place. After all, the vast majority of people would spare themselves the time, money and hassle of international travel if they could get the same results with a video chat or even a phone call or email.
Within these sensitive, face-to-face meetings and conversations on foreign soil, an enterprise’s most important information is often revealed, including information that hasn’t yet been committed to writing. And corporate spies know this. In China, the epicenter of state-sponsored spying on foreign-owned businesses, spies have been known to bug conference rooms, hotel rooms, restaurants and even taxis. It’s been alleged that Chinese spies have gone so far as to secretly plant listening devices inside the electronic key cards used to open travelers’ hotel rooms.
Given that foreign spies have both the propensity to eavesdrop on conversations and the capability to do so via mobile spyware that remotely activates smartphone cameras and microphones, it’s easy to understand why it happens – hacking the phone eliminates the need to use other techniques since executives voluntarily carry the spying device everywhere they go.
Since burner phones are intended to provide a minimal data footprint in the likely event of compromise, they generally do nothing to mitigate the capture of data in vicinity of the device, including the sensitive conversations that occur in the closed-door meetings that brought the executive to the country in the first place.
Burner phones eavesdropping toolkit
Foreign security services have various means of screening incoming visitors and flagging CEOs and other corporate targets. Once targets are in country, there are a number of possible methods that intelligence agencies or sophisticated corporate competitors can take to install spyware on burner phones for the purposes of eavesdropping, including examples such as these:
- Malicious carrier updates: In many countries, the entire telecommunications infrastructure is state-owned. The first time a targeted burner phone attempts to connect to a cellular network, spies can install spyware on that phone via a malicious carrier-level update.
- Radio frequency (RF) hacking: Airports, by design, have many chokepoints. In such close proximity to a user and their phone, it’s possible to exploit Bluetooth and other RF vulnerabilities to install spyware.
- Physical installation by customs agents: If a traveler is chosen for secondary screening, their phone is often confiscated and examined. Physical access to a device opens up yet another avenue for device compromise and malware installation.
- Fake cell towers: It’s also possible for spies to set up an IMSI catcher to simulate a cellphone base station. Once the burner phone connects to this fake cell tower, spies can perform spyware installations from the spoofed tower.
- Infections via hotel WiFi: As we saw with the DarkHotel spyware campaign, targeted business travelers can be infected through a hotel’s WiFi network, typically via bogus software updates.
- Evil maid attacks: Hotel staff and government officials in China can access hotel rooms, including safes, to either install spyware directly onto the burner phone or use other techniques to compromise the phone.
Keeping private conversations private
Unfortunately, even savvy travelers who do the right things – disabling Bluetooth, not connecting to unknown networks, never leaving their phone out of sight – are still at risk of conversations being eavesdropped on through their burner phones. But instead of choosing a “dumb” phone or asking users to not bring their phones into critical meetings, security teams have the following options at their disposal for mitigating the risk of high-level conversations being captured.
- Invest in an anti-surveillance case for the burner phone that masks the surrounding audio in the vicinity of the phone, preventing spies listening on the other end from gaining any meaningful information.
- Purchase a burner phone that features a hardware kill switch for shutting off the microphones when not needed.
- If telephone calls aren’t necessary, physically disconnect the microphones within the burner phone.
The theft of files and emails at the hands of foreign spies gets all the attention, but face-to-face conversations in the presence of a compromised smartphone can reveal information that’s just as valuable. It’s important for security teams to recognize this emerging threat and take the proper precautions.
Huawei has sued the Federal Communications Commission over the agency’s order that bans Huawei equipment in certain government-funded telecom projects.
“Huawei asks the court to hold the FCC’s order unlawful on the grounds that it fails to offer Huawei required due process protections in labelling Huawei as a national security threat,” the Chinese company said in a press release announcing the lawsuit. “Huawei believes that the FCC also fails to substantiate its arbitrary findings with evidence or sound reasoning or analysis, in violation of the US Constitution, the Administrative Procedure Act, and other laws.”
Huawei said it filed the complaint in the US Court of Appeals for the Fifth Circuit. We haven’t been able to get a copy of the lawsuit yet.
The FCC voted unanimously on November 22 to ban Huawei and ZTE equipment in projects paid for by the commission’s Universal Service Fund (USF). The order will affect many small telecom providers that rely on the companies’ network gear.
FCC Chairman Ajit Pai said at the time that Huawei and ZTE were chosen as ban targets because they “have close ties to China’s Communist government and military apparatus. Both companies are subject to Chinese laws broadly obligating them to cooperate with any request from the country’s intelligence services and to keep those requests secret. Both companies have engaged in conduct like intellectual property theft, bribery, and corruption.”
Huawei contended that “Pai and other FCC commissioners failed to present any evidence to prove their claim that Huawei constitutes a security threat and ignored the facts and objections raised by Huawei and rural carriers after the FCC first made the proposal in March 2018.”
Huawei accuses FCC of spreading fear
“These politicians ignore an important fact: Huawei has been working with rural US carriers for many years, and our customers trust our equipment,” Huawei Chief Legal Officer Song Liuping said, according to a transcript posted by Huawei. “They are experts in the security of their own networks, and they like working with us.”
Pai has “tried to spread fear about Huawei” by “us[ing] words like ‘backdoors’ to scare people. But they offer no proof,” Song said.
Song argued that carriers affected by the ban will end up using equipment from Nokia and Ericsson, which aren’t Chinese companies but do “manufacture in China.”
“The US government has never presented real evidence to show that Huawei is a national security threat,” Song said. “That’s because this evidence does not exist. When pushed for facts, they respond that ‘disclosing evidence might also undermine US national security.’ This is complete nonsense.”
Glen Nager, Huawei’s outside counsel, argued that the Huawei/ZTE ban “exceeds the FCC’s statutory authority” because “nothing in the Universal Service provisions of the Communications Act authorizes the Commission to make national security judgments or to restrict use of USF funds based on such judgments.”
The FCC ban will take effect upon being published in the Federal Register and will initially affect future projects paid for by the USF and the use of federal funding to maintain existing equipment. The FCC is also taking public comment on another plan to require removal of Huawei and ZTE equipment from networks that have already been built, and the commission is “seek[ing] comment on how to pay for such removal and replacement.”
Ban will cost small ISPs, Huawei says
Huawei spokesperson Karl Song said that requiring the removal of equipment “would cost hundreds of millions of dollars” for small providers.
“We’ve built networks in places where other vendors would not go. They were too remote, or the terrain was difficult, or there just wasn’t a big enough population,” he said. “In the US, we sell equipment to 40 small wireless and wireline operators. They connect schools, hospitals, farms, homes, community colleges, and emergency services.”
Hofstra University law professor Julian Ku said that “even a small [Huawei] victory in the case, one that makes the FCC go and start the process over again, would be a huge victory for them,” according to The New York Times. But it may be a difficult case for Huawei to win because US courts usually give federal agencies “a tremendous amount of deference,” Ku said.
Vodafone, the largest mobile network operator in Europe, found backdoors in Huawei equipment between 2009 and 2011, reports Bloomberg. With these backdoors, Huawei could have gained unauthorized access to Vodafone’s “fixed-line network in Italy.” But Vodafone disagrees, saying that while it did discover some security vulnerabilities in Huawei equipment, these were fixed by Huawei and in any case were not remotely accessible, and hence they could not be used by Huawei.
Bloomberg’s claims are based on Vodafone’s internal security documentation and “people involved in the situation.” Several different “backdoors” are described: unsecured telnet access to home routers, along with “backdoors” in optical service nodes (which connect last-mile distribution networks to optical backbone networks) and “broadband network gateways” (BNG) (which sit between broadband users and the backbone network, providing access control, authentication, and similar services).
In response to Bloomberg, Vodafone said that the router vulnerabilities were found and fixed in 2011 and the BNG flaws were found and fixed in 2012. While it has documentation about some optical service node vulnerabilities, Vodafone continued, it has no information about when they were fixed. Further, the network operator said that it has no evidence of issues outside Italy.
The sources speaking to Bloomberg contest this. They claim that the vulnerabilities persisted after 2012 and that the same flaws could be found in Vodafone-deployed Huawei equipment in the UK, Germany, Spain, and Portugal. In spite of this, Vodafone continued to buy equipment from the Chinese firm because it was so cost competitive.
The sources also claim that the story was not so simple as “Vodafone reports bug, Huawei fixes bug.” Vodafone Italy found that Huawei’s routers had unsecured telnet access, and the company told Huawei to remove it. Huawei told Vodafone that it had done so, but further examination of the routers found that telnet could be re-enabled. Vodafone told Huawei that Vodafone wanted it removed entirely, only to be told by Huawei that the company needed to keep it for testing and configuration.
The Bloomberg report doesn’t offer any detail on the other alleged “backdoors” in the gateways or service nodes.
When is a front door a backdoor?
The accuracy of Bloomberg’s report hinges on the distinction between a vulnerability and a backdoor. A vulnerability is an accidental coding error that permits unauthorized parties to access the router (or other hardware). A backdoor, in contrast, is a deliberately written piece of code that permits unauthorized parties to access the router. While a backdoor could be written such that it’s obvious that it’s a backdoor (for example, one could imagine an authentication system that allowed anyone to log in with the password “backdoor”), any competent backdoor will look either like a legitimate feature or an accidental coding error.
Telnet access, for example, is a common feature of home routers. Typically, the telnet interface gives greater control over the router’s behavior than is available through the Web-based configuration interface that these devices usually have. The telnet interface is also easier to automate, making it easier to preconfigure the devices so that they’re properly set up for a particular ISP’s network. Even Huawei’s initial response to Vodafone’s request, which allowed users to re-enable the telnet service, isn’t out of the ordinary: it’s common for the Web front-ends to allow telnet to be turned off and on. Vodafone’s assertion that the telnet service wasn’t accessible from the Internet is also likely to be true; typically, these telnet services are only accessible from the local network side, not from the Internet IP address.
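Whether a management service like telnet is "LAN-side only" is something an operator can verify on the device rather than take on faith. The following is an added example (my code, not from Vodafone, Huawei or the Bloomberg report) that takes a listening-socket listing in the shape of `ss -lntp` output together with a map of which addresses sit on the WAN and LAN interfaces, and reports which services are reachable from the Internet side. The listing, the interface map and the process names are constructed for illustration; a real audit would feed in the device's own output.

```python
"""Audit which listening services on a CPE router are reachable from the WAN (added example)."""
import re
from ipaddress import ip_address

# Constructed listing in the shape of `ss -lntp` output (not from any real device).
LISTING = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN 0      5      192.168.1.1:23      0.0.0.0:*          users:(("telnetd",pid=412,fd=3))
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*          users:(("httpd",pid=300,fd=4))
LISTEN 0      128    203.0.113.7:7547    0.0.0.0:*          users:(("cwmpd",pid=501,fd=5))
LISTEN 0      5      127.0.0.1:22        0.0.0.0:*          users:(("dropbear",pid=221,fd=3))
LISTEN 0      5      [::1]:22            [::]:*             users:(("dropbear",pid=221,fd=4))
"""

# Assumed interface map: which addresses belong to the WAN and LAN sides.
INTERFACES = {"lan": {"192.168.1.1"}, "wan": {"203.0.113.7"}}

PROC_RE = re.compile(r'\(\("([^"]+)"')  # pulls the process name out of users:(("name",...))


def split_addr(local: str) -> tuple[str, int]:
    """Split 'host:port' (IPv6 in brackets) into (host, port)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def exposure(host: str, ifaces: dict[str, set[str]]) -> str:
    """Classify a bind address: all / local / <interface name> / unknown."""
    if host in ("0.0.0.0", "::", "*"):
        return "all"
    if ip_address(host).is_loopback:
        return "local"
    for name, addrs in ifaces.items():
        if host in addrs:
            return name
    return "unknown"


def audit(listing: str, ifaces: dict[str, set[str]]) -> list[tuple[int, str, str, str, bool]]:
    """Return (port, process, bind host, exposure, wan_reachable) per listening socket.

    An unknown bind address is treated as reachable so it gets reviewed rather than ignored.
    """
    findings = []
    for line in listing.splitlines():
        if not line.startswith("LISTEN"):
            continue  # skip the header line
        fields = line.split()
        host, port = split_addr(fields[3])
        match = PROC_RE.search(line)
        proc = match.group(1) if match else "?"
        exp = exposure(host, ifaces)
        findings.append((port, proc, host, exp, exp in ("all", "wan", "unknown")))
    return findings


def wan_exposed(listing: str, ifaces: dict[str, set[str]]) -> list[tuple[int, str]]:
    """Distinct (port, process) pairs reachable from the WAN side, sorted by port."""
    return sorted({(port, proc) for port, proc, _, _, reach in audit(listing, ifaces) if reach})


if __name__ == "__main__":
    for port, proc, host, exp, reach in audit(LISTING, INTERFACES):
        flag = "WAN-REACHABLE" if reach else "ok"
        print(f"{port:>5} {proc:<10} {host:<14} {exp:<8} {flag}")
```

In the constructed listing the telnet daemon is bound to the LAN address only, which matches the posture Vodafone described, while the web server is bound to all addresses and would need a firewall rule to keep it off the WAN. Two caveats: a LAN-only bind still leaves the service reachable from any compromised device or browser on the local network, and a check like this only reflects the running configuration; if the web front end can re-enable telnet, the setting that controls it needs to be audited as well.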
As such, Vodafone and Huawei’s posture that this isn’t a backdoor at all is entirely defensible, and Huawei has done nothing that’s particularly out of the ordinary. This is not to say that the hardware is not backdoored—routers with unauthenticated remote access or bypassable authentication have been found in the past and are likely to be found in the future, too. But there’s no indication that these particular Huawei issues are an attempt to backdoor the routers, and nothing in the Bloomberg report corroborates this specific claim.
What there is, however, is a concern fueled by the US government that Huawei wishes to compromise or undermine networks and systems belonging to the US and Europe, as well as a concern that the company tries to unlawfully use intellectual property taken from Western countries. Among Chinese firms, Huawei is viewed with particular suspicion due to its ties to the Chinese military.
Huawei’s CFO was arrested in Canada on behalf of the United States, which says that Huawei has violated the US sanctions against Iran, and the company has also been indicted for stealing robotic phone-testing technology from T-Mobile. The US government has pressured domestic companies to not buy or sell Huawei hardware, and more broadly, the US has pushed its allies to avoid Huawei network hardware. Examination of Huawei’s firmware and software by the UK government has revealed a generally shoddy approach to security, but these problems appear to be buggy code that was carelessly written and leaves systems hackable rather than deliberate insertion of backdoors.
This pressure is particularly acute when it comes to deploying 5G networks. Huawei’s 4G hardware is already widely deployed in Europe, and Huawei’s 5G hardware is aggressively priced and seen as critical to the timely deployment of 5G infrastructure in Europe. Vodafone, for its part, continued to buy Huawei gear until January of this year; further purchases have been paused because of the concerns about the company.