On The Geo-political Posturing Over China’s Cyber Hacks, Plus The Weekly Playlist | #cybersecurity | #cyberattack


The
timing was one of the weirder aspects of this week’s cyber
condemnation of China by the West. Why was this piece of
political theatre being staged now? China (and Russia’s)
sponsoring and/or condoning of semi-state and criminal
hacker groups has been known about for nigh on a decade.
More particularly, Microsoft had been alerted to the flaws
in its Microsoft Exchange product in early January, and had
(belatedly) issued patches to correct those flaws in early
March. At that time, the company admitted that the four
major flaws in Microsoft Exchange had been penetrated by a
group of Chinese hackers that Microsoft called Hafnium. It
blamed the
Chinese government for harbouring the group. (Hafnium is
the same state-sponsored group that Canada and New Zealand
have called APT 40. APT stands for Advanced Persistent
Threat.)

So why did the US, the UK, the EU, Australia,
Japan etc etc take until July 20 to tell the world that
Chinese hackers have exploited flaws in Microsoft Exchange
and that this sort of behaviour must stop, or else? What
interests of political theatre are being served by making a
song and dance now – over three months after White House
officials had
publicly chided Microsoft, and told the company that
issuing inadequate security patches for Microsoft Exchange
was not a good enough response to the failings in its
product?

In New Zealand’s case, how could it be that
the (paywalled) Australian newspaper was able to tell
its readers that New Zealand and Canada were
about to condemn China’s complicity in the Microsoft
hack, before GCSB Minister Andrew Little informed New
Zealanders late on Monday night? On Monday, the Crikey
website cited the Australian story to the same effect
that negative comment from New Zealand and Canada about
China would be forthcoming. While the commentariat pondered
whether New Zealand should be applauded or criticised for
daring to criticise China, a raft of other questions went
unanswered.

Such as: what responsibility does a
lucrative tech giant like Microsoft bear for (a) having
readily exploitable flaws in Microsoft Exchange and (b)
taking its own sweet time to alert its customers of the
problems and provide them with security patches that still
(see below) seem to have left a ‘back door’ open?
Unfortunately, Bill Gates didn’t get to where is today by
making the quality of Microsoft’s products an overriding
concern. Beyond Microsoft, what oversight/testing capability
do (or should) security agencies have for vetting digital
products that can compromise the privacy and data of
individuals and firms? The banking system requires certain
stewardship standards from those entrusted with caring for
the public’s wealth. No similar standards seem to apply to
the highly profitable companies entrusted with caring for
the public’s digital data.

In the US, the FBI obtained
a court order in March to enter the networks of
businesses to remove web shells used by cyber attackers as
‘ back doors’ to exploit the vulnerabilities in
Microsoft Exchange. In lieu of adequate corporate
responsibility, is this kind of exercise of state power a
good idea, or a bad idea?

The state may need to get
more involved. The unfortunate reality is that almost all
the recent major hacks have been discovered by individuals
or by private players, such as the FireEye security firm
that discovered the SolarWinds hack last December. As things
stand, we seem to be relying on the private sector and on
computer nerds to check and report on the adequacy of the
tools we use to carry our digital data. At the very least,
it should be made mandatory for the companies selling these
systems to report the vulnerabilities in their products
immediately on discovery. Ironically, Microsoft and the
FireEye security firm are
both currently lobbying Congress to make breach
reporting mandatory. That legal requirement isn’t
currently in place. Tech companies can limit breach
disclosures to protect their share price.

Looking
ahead, would it be better – or worse – to call in the FBI
(or the GCSB and SIS)when product failings become apparent,
and when vital socio-economic organisations are being
attacked for reasons of ransom, IP theft or cyberespionage?
Either way, this is not a great situation. With reason, some
people may not want to have the SIS to be in a position
where it could trawl through their health data, even while
acting as a line of privacy defence.

Actual risk,
appropriate response

Why, one wonders, are the
attacks on Microsoft by Chinese operatives being treated by
the West as so much worse than the SolarWinds hack detected
in December, a raid widely attributed to Russian-based
operatives? In the SolarWinds hack – also made possible by
flaws in the company’s products – it is believed the
Russian hackers went for nine months undetected, while they
ransacked files held by the US Treasury, Justice etc and
some 18,000 other government agencies and private firms.
That attack too, was preceded by any number of Russian
attacks on everything from the IOC to the integrity of
elections in the US and France. If hacking was an Olympic
sport, Russia and China would both be medal
contenders.

So…why has the Western club of nations
decided that now is the right time to join together to
condemn China, when it hasn’t rallied the same team effort
to blame Russia for its (equally or more damaging)
persistent online behaviours? It looks very much as if New
Zealand has been wrangled into joining the chorus line in a
White House-led effort intended to put China (and the world)
on notice that the US is back, and in charge of Team West.
Basically, we have been pressured into putting our trade and
diplomatic relationship with China in jeopardy, in the
service of what is largely an exercise in image building by
US President Joe Biden. This week, there hasn’t been any
evidence of New Zealand having an “independent” foreign
policy. Or much sign of our fabled ability to juggle our
trade links with China, and our defence and security links
with the Americans. Plainly, under Biden, the space for that
kind of fancy footwork is going to shrink.

Here, at
Home

The cyber security questions don’t stop there.
Apparently, we are regularly coming under cyber-attack by
hackers sponsored by or operating with the tacit blessing of
several other nation states, including the hacker groups
acting on behalf of our main trading partner. If that’s
the case, why aren’t we being told which countries are
believed to have been responsible for the major hacks and
ransomware demands that have happened here, of
late?

For example: the public has been left in the
dark as to the likely national origins of the hackers who
committed the cyber-attacks on (a) the NZ stock exchange in
mid 2020 and (b) the Waikato DHB this year. Moreover, we
aren’t being told if these attacks are being launched by
foreign criminal gangs or by foreign state agencies, or by
individuals with a foot in both camps. Do our security
agencies even know such details? It would help public
confidence to know how well our cyber defenders are coping
with the traffic.

Rumour has it that in both those
major NZ hacks, Russian-speaking criminal gangs working with
the blessing of the Russian government were responsible. It
would still be nice though, to be officially told who our
security agencies regard as the prime suspects. Instead,
we’re being rallied by the Ardern government to the threat
posed by China even though we haven’t been offered any
evidence as to which New Zealand individuals, firms or state
agencies (if any) have suffered actual harm at the hands of
these Chinese APT groups.

The question is not merely
why we’re marching in step with our traditional allies to
name and shame China on the world stage. To repeat : GCSB
Minister Andrew Little has refused to name even the country
of origin of the hackers at the Waikato DHB or any of the
local victims of the multitude of hacks earlier this year of
Microsoft Exchange. His answer this week has been that there
are issues of national security and “commercial in
confidence reasons” that prevent him from commenting
further on such matters. Really? This is one area where the
public’s right to know who has been violating their
privacy and/or stealing their data is more important than
the possibility that some commercial firms might lose market
share (or some state agencies might lose face) if their
inability to protect the public’s data was to be
disclosed. Most people would blame Microsoft, not their
hapless local customers.

Thank goodness that during
the Vietnam War, similar issues of “commercial in
confidence” sensitivity didn’t prevent us from finding
out that Dow Chemical were making Agent Orange in New
Plymouth. In a transparency sense at least, those were the
good old days.

Hafnium, APT 40

The first
public sign of the vulnerabilities in Microsoft Exchange
were reported to the company (and to the world at large) on
January 5th in
this tweet
by a DEVCORE researcher using the handle
“Orange Tsai.” Initially it was thought that attacks
exploiting the four “zero day” flaws detected began on
January 6th. The Volexity site has
since reported that those attacks began three days
earlier, on January 3.

For background: Microsoft
Exchange Server is an email inbox, calendar, and
collaboration solution. Users range from giant
multinationals to small and medium-sized businesses
worldwide. The extent of the problems resulting to users of
the flawed versions of Microsoft Exchange have depended on
the adequacy of the security patches and the speed at which
they are made available by Microsoft, and put in place by
users. ZDNet has
explained here the four basic flaws, the kind of attacks
mounted on them, and the response by Microsoft. The
subsequent investigations have included the possibility that
the attackers were tipped off by an insider
:

Microsoft is now also reportedly investigating
potential links
between PoC attack code issued
privately to cybersecurity partners and vendors prior to
patch release and exploit tools spotted in the wild, as well
as the prospect of an accidental — or deliberate — leak
that prompted a spike in attacks.

If used in an
attack chain, all of the four main vulnerabilities cited
could lead to “Remote Code Execution (RCE), server
hijacking, backdoors, data theft, and potentially further
malware deployment….”As mentioned, Microsoft has blamed
a Chinese state sponsored group it calls Hafnium for the
subsequent attacks. There is useful background information
on Hafnium here. Here’s how the attackers did it
:

The attacks included three steps. First, it would
gain access to an Exchange Server either with stolen
passwords or by using the previously undiscovered
vulnerabilities to disguise itself as someone who should
have access. Second, it would create what’s called a web
shell to control the compromised server remotely. Third, it
would use that remote access – run from the U.S.-based
private servers – to steal data from an organization’s
network.

To an outsider, that last point that the
Chinese hackers (and presumably those sponsored by other
nation states) are launching their attacks via a web of
virtual private servers located in the US (partly in order
to conceal their true location) seems a bit surprising, and
ironic. It suggests a possible means of defence. Namely,
don’t lease US servers to Chinese, Russian or North Korean
based enemies of the state, or their representatives. This
is maybe where the FBI could be of some use, in tracing who
hired those servers, and from where.

Was China the
sole player?

Even when it comes down to just the
cyber attacks made via Microsoft Exchange, its doubtful that
Hafnium (aka APT 40) were the only culprits. Microsoft’s
own alerts accessible
here explicitly say others were
involved:

[03/08/2021]: Microsoft
continues to see multiple actors taking advantage of
unpatched systems to attack organizations with on-premises
Exchange Server….

Update
[03/05/2021]
: Microsoft sees increased use of these
vulnerabilities in attacks targeting unpatched systems by
multiple malicious actors beyond HAFNIUM.

Who
were these other players ? ZDNet’s chronology of
how the crisis developed in early March shows how quickly it
became open season on Microsoft Exchange. Even so, several
of the other identified attackers also seem to have been
Chinese-speaking. They included the notorious APT 27 group,
also known as LuckyMouse, which has a history of cyber
breaches stretching back to 2010. This year, it made
successful inroads into several
US gaming companies. Calypso, one of the other hacker
groups involved, is a cyber-espionage group that Russian
sources say
has “Asian roots.” Winnti Group, another team named
as being involved, is also Chinese-based. Reportedly,
while LuckyMouse has tended to specialise in
cyber-espionage,Winnti Group tends
to be a for-profit operation.

The US
Cybersecurity and Infrastructure Security Agency (CISA) says
that it is “aware of threat actors using open source tools
to search for vulnerable Microsoft Exchange Servers.” On
March 10, ESET said that
10
APT groups
have been connected to attacks
exploiting the Exchange Server vulnerabilities. These
state-sponsored groups include LuckyMouse, Tick, Winnti
Group, and Calypso. F-Secure researchers
have
called the situation
a “disaster in the making,”
adding that servers are “being hacked faster than we can
count.”

The slew of attacks in March via Microsoft
Exchange mushroomed :

Mandiant says further attacks
against
US targets
include local government bodies, a
university, an engineering company, and retailers. The
cyberforensics firm believes the vulnerabilities could be
used for the purposes of ransomware deployment and data
theft. Sources have told cybersecurity expert Brian Krebs
that at least
30,000
organizations
in the US have been hacked.
Bloomberg estimates put this figure closer
to
60,000
as of March 8. Palo Alto Networks suggests
there were at least
125,000
unpatched servers
worldwide, as of March
9.

Things quickly got worse:

On March 11,
Check Point Research said that attack attempts leveraging
the vulnerabilities were
doubling
every few hours
. On March 15, CPR said attack
attempts increased 10 times based on data collected between
March 11 and March 15. The US, Germany, and the UK are now
the most targeted countries. Government and military targets
accounted for 23% of all exploit attempts, followed by
manufacturing, financial services, and software vendors. The
US Cybersecurity and Infrastructure Security Agency (CISA)
says that it is “aware of threat actors using open source
tools to search for vulnerable Microsoft Exchange
Servers.”

As mentioned, some of the APT groups
cited above had previously been associated with intrusions
conducted mainly for reasons of cyberespionage or IP theft,
and not ransomware attacks for profit.. However, this
pattern seems
to be changing, as state actors and criminal gangs
appear to be co-operating in launching ransomware demands,
and
are sharing their tools of attack to do so. Reportedly,
they may also be splitting the proceeds. The tools
of the trade include these items :

In a
situation reminiscent of the 2017 WannaCry ransomware
outbreak, on March 12,
Microsoft
said
that a variant of ransomware known as
DoejoCrypt/DearCry is leveraging the bugs to deploy
ransomware on vulnerable Exchange servers…The deployment
of web shells,
such
as China Chopper
, on compromised Exchange servers
has proved to be a
common
attack vector
. Batch files written to servers
infected with ransomware may ensure access is maintained to
vulnerable systems, even after infections have been detected
and removed.

China Chopper is a tiny but crucial
part of the APT arsenal when it comes to creating enduring
“ back doors” to online targets. FireEye’s useful
brief description of China Chopper is
available here. ZDNet has also explained the
qualities of China Chopper that make it such a useful
“back door” instrument.

Finally….all the above
information is being freely published and debated elsewhere.
It is time the NZ government and its security agencies were
more forthcoming about the cyber attacks on our firms and
state agencies. Our security agencies were supposed to be
entering a new era of transparency, and have recently been
engaged in re-branding exercises to that effect. Yet when it
comes to cyber security, they’re ducking back into the
worst “zipped lips, we know best” practices of yore.
These come down to “trust us, we’re the experts and we
know what we’re doing” approach. It has never seemed to
occur to the SIS and the GCSB that the public’s trust is
not a given, but something that has to be earned. Right now,
cyber security isn’t a field where the state “experts”
hold all the cards, or even many of the relevant
ones.

Footnote One : Mindful of what
happened subsequently at Waikato DHB, the trend of targeting
healthcare providers had
been identified by Microsoft, last October. The spread
of cyber attacks to US hospitals is
also discussed by NBC news here.

Footnote
Two :
The term “cybersecurity” conjures up
images of ninja attacks by elite Asian hackers and Russian
SMERSH agents out to (a) steal the intellectual property of
our corporates, and (b) disrupt the key strategies of our
politicians and diplomats. Not to mention the theft and
extortion rackets being run by criminal gangs whose names
seem torn from the pages of a James Bond novel.

For
sure, there are some bad players out there in cyberspace.
Yet cyber-security also seems to consist of democratic
governments building and deploying platforms for
pro-active cyber offensives aimed at alien foreign
powers, and even (when it comes down to stealing trade
secrets) some that have aimed in the past at a few of our
friends and allies. What I’m getting at is that
cybersecurity is not just about building up our
resilience/resistance capabilities on the home front. Last
year, the Australians were upfront about
what they have in mind – 

Australia will
recruit 500 cyber spies and build on its offensive
capabilities to take the online fight overseas in a $1.3
billion funding boost……The Australian Signals
Directorate will also share intelligence with government
departments and companies in near real time as part of the
biggest ever cash injection to Australia’s cyber defences.
Prime Minister Scott Morrison [announced] the ASD will be
given more than $1 billion over the next decade to disrupt
foreign cyber criminals and better identify malicious
hacks.

Hmm. So… Australia aims to “build on
its offensive capabilities to take the online fight
overseas.” Clearly, in the age of cyber conflict, hack
attacks are just another form of force projection. And
“our side” is
doing it, too.

The playlist

This week’s
Spotify playlist kicks off with a track from the
Superwolves collaboration between Will Oldham and
Matt Sweeney, and they’re backed on this cut by the great
Sahel region guitarist Mdou Moctar, and his band. The hybrid
result sounds like West African rockabilly. That’s why
I’ve segued into the classic “Obaa Sima” dance cut
from Ghana There’s a fascinating documentary available
here on Youtube about how this terrific piece of music
was recorded, buried, re-discovered and has since spread
around the world, much to the amazement of the humble “Ata
Kak”guy who made it.

Everything else is pretty
self-explanatory. Desperate Journalist are a four piece
British band, – two women, two blokes – based in London. The
playlist’s closing cut “Banks of the Hope” is not just
an optimistic metaphor, though it is that, too. The Hope
River runs through the St Andrew parish of Kingston,
Jamaica. You should check out this
beautiful video featuring Agent Sasco – who grew up on
the river- side – as he stands on the bridge that links
his old neighbourhood of Kintyre (in St Andrew parish) to
the rest of the world. That line about wanting “better
public transport” is only part of what the community
needs.

Here’s the playlist :

© Scoop Media

 





Original Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

+ 31 = forty one