China

Symantec Reports on Cicada APT Attacks against Japan

Symantec is reporting on an APT group linked to China, named Cicada. They have been attacking organizations in Japan and elsewhere.

Cicada has historically been known to target Japan-linked organizations, and has also targeted MSPs in the past. The group is using living-off-the-land tools as well as custom malware in this attack campaign, including a custom malware — Backdoor.Hartip — that Symantec has not seen being used by the group before. Among the machines compromised during this attack campaign were domain controllers and file servers, and there was evidence of files being exfiltrated from some of the compromised machines.

The attackers extensively use DLL side-loading in this campaign, and were also seen leveraging the ZeroLogon vulnerability that was patched in August 2020.
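Both techniques named above have practical detection hooks. The block below is an added example written for this page, not Symantec's or the group's tooling: it runs two heuristics over constructed sample events, one for DLL side-loading as seen in Sysmon Event ID 7 (a process loading an unsigned DLL from its own, non-system directory), and one for Zerologon (CVE-2020-1472) as seen in Windows Security Event 4742 (a machine-account password change by ANONYMOUS LOGON) or Netlogon Event 5829 (a patched DC still allowing a vulnerable connection). The field names `Image`, `ImageLoaded`, `Signed`, `SubjectUserName` and `TargetUserName` are real event fields; the dict layout, the trusted-directory list and the sample events are this example's assumptions.

```python
"""Detections for DLL side-loading and Zerologon indicators over constructed
sample events. Added example for this page, not Symantec's detection logic.
Events are simplified dicts modelled on Windows Security (4742, 5829) and
Sysmon (Event ID 7) fields; the layout is an assumption of this example."""
from pathlib import PureWindowsPath

# Directories where a signed OS binary legitimately loads DLLs from its own
# folder. Anything outside this list is treated as a user-writable location,
# which is where side-loaded DLLs are typically staged. (Assumed list.)
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)


def is_dll_sideload(event):
    """Sysmon Event ID 7 heuristic: the executable loads a DLL from its own
    directory, the DLL is unsigned, and that directory is not a trusted
    install location."""
    if event.get("EventID") != 7:
        return False
    exe_dir = str(PureWindowsPath(event["Image"]).parent).lower()
    dll_dir = str(PureWindowsPath(event["ImageLoaded"]).parent).lower()
    unsigned = str(event.get("Signed", "false")).lower() != "true"
    return exe_dir == dll_dir and unsigned and not dll_dir.startswith(TRUSTED_DIRS)


def is_zerologon_indicator(event):
    """Two indicators Microsoft documents for CVE-2020-1472:
    - Security 4742 (computer account changed) where the subject is
      ANONYMOUS LOGON and the target is a machine account (trailing '$'):
      the exploit resets the DC's own account password over an
      unauthenticated Netlogon channel.
    - Netlogon System event 5829: a patched DC allowed a vulnerable
      Netlogon secure-channel connection."""
    eid = event.get("EventID")
    if eid == 5829:
        return True
    if eid == 4742:
        subject = event.get("SubjectUserName", "").upper()
        target = event.get("TargetUserName", "")
        return subject == "ANONYMOUS LOGON" and target.endswith("$")
    return False


def triage(events):
    """Return (sideload_hits, zerologon_hits) as two lists of matching events."""
    return ([e for e in events if is_dll_sideload(e)],
            [e for e in events if is_zerologon_indicator(e)])


# Constructed sample events; not taken from any real incident.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\svc\update.exe",
     "ImageLoaded": r"C:\Users\Public\svc\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "false"},
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$"},
    {"EventID": 4742, "SubjectUserName": "DC01$", "TargetUserName": "WS07$"},
    {"EventID": 5829, "Computer": "DC01"},
]

if __name__ == "__main__":
    sideloads, zerologon = triage(SAMPLE_EVENTS)
    print(f"{len(sideloads)} possible DLL side-load(s), "
          f"{len(zerologon)} Zerologon indicator(s)")
```

The side-load heuristic deliberately ignores unsigned DLLs under Program Files to keep the false-positive rate down; in a real hunt you would pair it with a list of known side-loadable signed binaries. The 4742 check is the post-exploitation signal (the DC machine account password reset); the 5829 check only fires on DCs that already have the August 2020 patch and are in non-enforcement mode.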

Interesting details about the group’s tactics.

News article.

Sidebar photo of Bruce Schneier by Joe MacInnis.

NSA Advisory on Chinese Government Hacking

The NSA released an advisory listing the top twenty-five known vulnerabilities currently being exploited by Chinese nation-state attackers.

This advisory provides Common Vulnerabilities and Exposures (CVEs) known to be recently leveraged, or scanned-for, by Chinese state-sponsored cyber actors to enable successful hacking operations against a multitude of victim networks. Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access (T1133) or for external web services (T1190), and should be prioritized for immediate patching.

Friday Squid Blogging: Chinese Squid Fishing Near the Galapagos

The Chinese have been illegally squid fishing near the Galapagos Islands.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Hong Kong downloads of Signal surge as residents fear crackdown

The secure chat app Signal has become the most downloaded app in Hong Kong on both Apple’s and Google’s app stores, Bloomberg reports, citing data from App Annie. The surging interest in encrypted messaging comes days after the Chinese government in Beijing passed a new national security law that reduced Hong Kong’s autonomy and could undermine its traditionally strong protections for civil liberties.

The 1997 handover of Hong Kong from the United Kingdom to China came with a promise that China would respect Hong Kong’s autonomy for 50 years following the handover. Under the terms of that deal, Hong Kong residents should have continued to enjoy greater freedom than people on the mainland until 2047. But recently, the mainland government has appeared to renege on that deal.

Civil liberties advocates see the national security law approved last week as a major blow to freedom in Hong Kong. The New York Times reports that “the four major offenses in the law—separatism, subversion, terrorism and collusion with foreign countries—are ambiguously worded and give the authorities extensive power to target activists who criticize the party, activists say.” Until now, Hong Kongers faced trial in the city’s separate, independent judiciary. The new law opens the door for dissidents to be tried in mainland courts with less respect for civil liberties or due process.

This has driven heightened interest among Hong Kongers in secure communication technologies. Signal offers end-to-end encryption and is viewed by security experts as the gold standard for secure mobile messaging. It has been endorsed by NSA whistleblower Ed Snowden.

One of Signal’s selling points is that it minimizes data collection on its users. When rival Telegram announced it would no longer honor data requests from Hong Kong courts, Signal responded that it didn’t have any user data to hand over in the first place.

Bloomberg has also reported on the surging adoption of VPN software in Hong Kong as residents fear government surveillance of their Web browsing.

Huawei sues FCC to stop ban on Huawei gear in US-funded networks

Huawei’s logo at the Smart City Expo World Congress in Barcelona in November 2019. (Getty Images | SOPA Images)

Huawei has sued the Federal Communications Commission over the agency’s order that bans Huawei equipment in certain government-funded telecom projects.

“Huawei asks the court to hold the FCC’s order unlawful on the grounds that it fails to offer Huawei required due process protections in labelling Huawei as a national security threat,” the Chinese company said in a press release announcing the lawsuit. “Huawei believes that the FCC also fails to substantiate its arbitrary findings with evidence or sound reasoning or analysis, in violation of the US Constitution, the Administrative Procedure Act, and other laws.”

Huawei said it filed the complaint in the US Court of Appeals for the Fifth Circuit. We haven’t been able to get a copy of the lawsuit yet.

The FCC voted unanimously on November 22 to ban Huawei and ZTE equipment in projects paid for by the commission’s Universal Service Fund (USF). The order will affect many small telecom providers that rely on the companies’ network gear.

FCC Chairman Ajit Pai said at the time that Huawei and ZTE were chosen as ban targets because they “have close ties to China’s Communist government and military apparatus. Both companies are subject to Chinese laws broadly obligating them to cooperate with any request from the country’s intelligence services and to keep those requests secret. Both companies have engaged in conduct like intellectual property theft, bribery, and corruption.”

Huawei contended that “Pai and other FCC commissioners failed to present any evidence to prove their claim that Huawei constitutes a security threat and ignored the facts and objections raised by Huawei and rural carriers after the FCC first made the proposal in March 2018.”

Huawei accuses FCC of spreading fear

“These politicians ignore an important fact: Huawei has been working with rural US carriers for many years, and our customers trust our equipment,” Huawei Chief Legal Officer Song Liuping said, according to a transcript posted by Huawei. “They are experts in the security of their own networks, and they like working with us.”

Pai has “tried to spread fear about Huawei” by “us[ing] words like ‘backdoors’ to scare people. But they offer no proof,” Song said.

Song argued that carriers affected by the ban will end up using equipment from Nokia and Ericsson, which aren’t Chinese companies but do “manufacture in China.”

“The US government has never presented real evidence to show that Huawei is a national security threat,” Song said. “That’s because this evidence does not exist. When pushed for facts, they respond that ‘disclosing evidence might also undermine US national security.’ This is complete nonsense.”

Glen Nager, Huawei’s outside counsel, argued that the Huawei/ZTE ban “exceeds the FCC’s statutory authority” because “nothing in the Universal Service provisions of the Communications Act authorizes the Commission to make national security judgments or to restrict use of USF funds based on such judgments.”

The FCC ban will take effect upon being published in the Federal Register and will initially affect future projects paid for by the USF and the use of federal funding to maintain existing equipment. The FCC is also taking public comment on another plan to require removal of Huawei and ZTE equipment from networks that have already been built, and the commission is “seek[ing] comment on how to pay for such removal and replacement.”

Ban will cost small ISPs, Huawei says

Huawei spokesperson Karl Song said that requiring the removal of equipment “would cost hundreds of millions of dollars” for small providers.

“We’ve built networks in places where other vendors would not go. They were too remote, or the terrain was difficult, or there just wasn’t a big enough population,” he said. “In the US, we sell equipment to 40 small wireless and wireline operators. They connect schools, hospitals, farms, homes, community colleges, and emergency services.”

Hofstra University law professor Julian Ku said that “even a small [Huawei] victory in the case, one that makes the FCC go and start the process over again, would be a huge victory for them,” according to The New York Times. But it may be a difficult case for Huawei to win because US courts usually give federal agencies “a tremendous amount of deference,” Ku said.

Bloomberg alleges Huawei routers and network gear are backdoored

5G logo on an Android phone with the Huawei logo in the background, Portugal, March 4, 2019.

Vodafone, the largest mobile network operator in Europe, found backdoors in Huawei equipment between 2009 and 2011, reports Bloomberg. With these backdoors, Huawei could have gained unauthorized access to Vodafone’s “fixed-line network in Italy.” But Vodafone disagrees, saying that while it did discover some security vulnerabilities in Huawei equipment, these were fixed by Huawei and in any case were not remotely accessible, and hence they could not be used by Huawei.

Bloomberg’s claims are based on Vodafone’s internal security documentation and “people involved in the situation.” Several different “backdoors” are described: unsecured telnet access to home routers, along with “backdoors” in optical service nodes (which connect last-mile distribution networks to optical backbone networks) and “broadband network gateways” (BNG) (which sit between broadband users and the backbone network, providing access control, authentication, and similar services).

In response to Bloomberg, Vodafone said that the router vulnerabilities were found and fixed in 2011 and the BNG flaws were found and fixed in 2012. While it has documentation about some optical service node vulnerabilities, Vodafone continued, it has no information about when they were fixed. Further, the network operator said that it has no evidence of issues outside Italy.

The sources speaking to Bloomberg contest this. They claim that the vulnerabilities persisted after 2012 and that the same flaws could be found in Vodafone-deployed Huawei equipment in the UK, Germany, Spain, and Portugal. In spite of this, Vodafone continued to buy equipment from the Chinese firm because it was so cost competitive.

The sources also claim that the story was not so simple as “Vodafone reports bug, Huawei fixes bug.” Vodafone Italy found that Huawei’s routers had unsecured telnet access, and the company told Huawei to remove it. Huawei told Vodafone that it had done so, but further examination of the routers found that telnet could be re-enabled. Vodafone told Huawei that Vodafone wanted it removed entirely, only to be told by Huawei that the company needed to keep it for testing and configuration.

The Bloomberg report doesn’t offer any detail on the other alleged “backdoors” in the gateways or service nodes.

When is a front door a backdoor?

The accuracy of Bloomberg’s report hinges on the distinction between a vulnerability and a backdoor. In this context, a vulnerability is an unintentional flaw that permits unauthorized parties to access the router (or other hardware). A backdoor, in contrast, is a deliberately written piece of code that permits unauthorized parties to access the router. While a backdoor could be written such that it’s obvious that it’s a backdoor (for example, one could imagine an authentication system that allowed anyone to log in with the password “backdoor”), any competent backdoor will look either like a legitimate feature or an accidental coding error, which is exactly why intent is so hard to establish from the code alone.

Telnet access, for example, is a common feature of home routers. Typically, the telnet interface gives greater control over the router’s behavior than is available through the Web-based configuration interface that these devices usually have. The telnet interface is also easier to automate, making it easier to preconfigure the devices so that they’re properly set up for a particular ISP’s network. Even Huawei’s initial response to Vodafone’s request, which allowed users to re-enable the telnet service, isn’t out of the ordinary: it’s common for the Web front-ends to allow telnet to be turned off and on. Vodafone’s assertion that the telnet service wasn’t accessible from the Internet is also likely to be true; typically, these telnet services are only accessible from the local network side, not from the Internet IP address.
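The LAN-versus-Internet distinction above is something an operator can verify rather than take on trust: what matters is which interface each listener is bound to and whether a wildcard bind is shielded by a firewall. The block below is an added example for this page, not Vodafone’s or Huawei’s tooling; it classifies a constructed `ss -ltn`-style listener table against an assumed WAN/LAN address map and reports which ports the Internet side can reach. The addresses, the listener lines and the `INTERFACES` map are all constructed sample data.

```python
"""Classify which listening services on a router are reachable from the WAN
side versus only the LAN. Added example for this page; the listener table and
interface map are constructed sample data, not output from real equipment."""
import ipaddress

# Constructed: which local addresses sit on which side of the router.
# 203.0.113.0/24 is the TEST-NET-3 documentation range.
INTERFACES = {
    "wan": ipaddress.ip_address("203.0.113.7"),
    "lan": ipaddress.ip_address("192.168.1.1"),
}

# Constructed lines in the "LocalAddress:Port" form `ss -ltn` prints.
LISTENERS = """
0.0.0.0:23
192.168.1.1:80
203.0.113.7:443
127.0.0.1:8080
[::]:22
""".strip().splitlines()


def parse_listener(line):
    """Split 'addr:port' (IPv4, or bracketed IPv6) into (ip_address, int)."""
    line = line.strip()
    if line.startswith("["):
        host, _, port = line[1:].partition("]:")
    else:
        host, _, port = line.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def reachable_from(addr):
    """Return the set of router sides that can reach a socket bound to `addr`.

    A wildcard bind (0.0.0.0 or ::) answers on every interface, so without a
    firewall rule it is exposed on both sides; loopback answers on neither.
    Assumption: a dual-stack '::' socket also accepts IPv4 (the Linux default
    unless IPV6_V6ONLY is set)."""
    if addr.is_loopback:
        return set()
    if addr.is_unspecified:
        return set(INTERFACES)
    return {side for side, ip in INTERFACES.items() if ip == addr}


def wan_exposed(lines):
    """Return sorted (port, bind_address) pairs the Internet side can reach."""
    exposed = []
    for line in lines:
        addr, port = parse_listener(line)
        if "wan" in reachable_from(addr):
            exposed.append((port, str(addr)))
    return sorted(exposed)


if __name__ == "__main__":
    for port, addr in wan_exposed(LISTENERS):
        print(f"port {port} bound to {addr} is reachable from the WAN")
```

On the constructed data the telnet listener on port 23 is bound to 0.0.0.0, so it is WAN-reachable unless a firewall drops inbound traffic on that interface; a service bound only to the LAN address, like port 80 here, is not. Checking the bind address and the firewall rule together is the test that turns “telnet is only on the LAN side” from an assertion into a verified fact.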

As such, Vodafone and Huawei’s posture that this isn’t a backdoor at all is entirely defensible, and Huawei has done nothing that’s particularly out of the ordinary. This is not to say that the hardware is not backdoored—routers with unauthenticated remote access or bypassable authentication have been found in the past and are likely to be found in the future, too. But there’s no indication that these particular Huawei issues are an attempt to backdoor the routers, and nothing in the Bloomberg report corroborates this specific claim.

What there is, however, is a concern fueled by the US government that Huawei wishes to compromise or undermine networks and systems belonging to the US and Europe, as well as a concern that the company tries to unlawfully use intellectual property taken from Western countries. Among Chinese firms, Huawei is viewed with particular suspicion due to its ties to the Chinese military.

Huawei’s CFO was arrested in Canada on behalf of the United States, which says that Huawei has violated the US sanctions against Iran, and the company has also been indicted for stealing robotic phone-testing technology from T-Mobile. The US government has pressured domestic companies to not buy or sell Huawei hardware, and more broadly, the US has pushed its allies to avoid Huawei network hardware. Examination of Huawei’s firmware and software by the UK government has revealed a generally shoddy approach to security, but these problems appear to be buggy code that was carelessly written and leaves systems hackable rather than deliberate insertion of backdoors.

This pressure is particularly acute when it comes to deploying 5G networks. Huawei’s 4G hardware is already widely deployed in Europe, and Huawei’s 5G hardware is aggressively priced and seen as critical to the timely deployment of 5G infrastructure in Europe. Vodafone, for its part, continued to buy Huawei gear until January of this year; further purchases have been paused because of the concerns about the company.