Honeypots, Harassment on the Up + Big Tech Bogeyman for Privacy Reform Push

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.

Norms? What Norms? Honeypots, Harassment on the Up

Multiple recent incidents show state actors violating what Five Eyes countries consider to be acceptable norms of online behavior.

Politico reports that politicians, officials, and journalists working in the U.K. Parliament were subjected to honeypot-style phishing campaigns. Politico’s investigation identified six men who were targeted with unsolicited WhatsApp messages. 

Many of the messages contain striking similarities, including personalized references to the victims’ appearances at U.K. political events and drinking spots. In several cases explicit photos were also sent — and in at least one case, the victim reciprocated.

And further on in the article:

[T]he sender or senders of the messages often displays extensive knowledge of their target and their movements within the narrow world of Westminster politics.

British police are also investigating another incident that appears to be part of the same campaign but was not covered in Politico’s report.

Any one of these incidents on its own probably falls into the “acceptable espionage” bucket, but it is the scale and brazenness of the activity that makes it problematic for Western policymakers.

This campaign hasn’t been linked to any particular state actor.

However, countries including China are known to be pushing boundaries when it comes to cyber-enabled interference with domestic politics.

According to a Microsoft report released last week, a Chinese Communist Party-linked online influence actor has targeted U.S. domestic politics. The actor’s activities have included creating “AI-generated memes targeting the United States that amplified controversial domestic issues and criticized the current administration.”

Although the actor, which Microsoft refers to as Storm-1376 but is also known as “spamouflage” or “Dragonbridge,” is experimenting with artificial intelligence, the report states that AI-generated media has not had much impact.

Storm-1376’s campaigns have covered a range of topics, including claiming that a U.S. “weather weapon” started wildfires in Hawaii, amplifying outrage over Japan’s disposal of nuclear wastewater, and advancing conspiracy theories over a November 2023 train derailment in Kentucky.

Although these kinds of online influence operations have not proved to be effective, the direct attempt to affect domestic politics must be galling for U.S. policymakers.

What can be done here? Late last month we wrote that part of the U.S. and U.K. governments’ motivation in sanctioning Chinese hackers was to call out transgressions.

Ultimately, we think it unlikely that the Chinese government can be entirely deterred from carrying out operations that we think transgress norms. It’s never happened before despite various U.S. and allied efforts stretching back nearly a decade.

Despite that, efforts at exposing operations are tremendously valuable, because they at least spell out loud and clear where Western governments think the line that should not be crossed is.

As an aside, we’d love them to try honeypots against the French. Lol.

Politicians Invoke the Big Tech Bogeyman in Privacy Reform Push

New draft bipartisan legislation presents the best opportunity to date for federal privacy reform in the United States.

There is a lot to like here, including a consumer right to access, correct, and delete data collected about them; an opt-out for targeted advertising; and also a requirement for companies to minimize the data they collect to what is necessary and proportionate for a range of permitted purposes.

In our view, however, the focus on Big Tech in the rhetoric surrounding the bill is not quite right. Per the press release announcing the legislation:

This landmark legislation gives Americans the right to control where their information goes and who can sell it. It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people’s behaviors for profit without their knowledge and consent. 

Rather than arising directly from how Big Tech handles data, however, we think most of the U.S.’s data ecosystem risks arise from the more or less unrestrained collection, trading, and sale of sensitive data outside of Big Tech.

We don’t believe adversary intelligence services are buying data about Americans from Google, Meta, or Amazon, for example, but we expect it is being bought from one or more of the U.S.’s numerous data brokers.

The U.S.’s data ecosystem has evolved over the past 20 years, so even if this bill passes, it won’t be an instant panacea. But the U.S. needs some progress on federal legislation to start fixing the mess.

This D-Link Thing Shouldn’t Happen Ever Again

In late March, a security researcher known as Netsecfish discovered two security vulnerabilities in end-of-life D-Link NAS (network attached storage) devices. Netsecfish claimed the vulnerabilities affected over 92,000 internet accessible devices, although the true number is more likely to be around 5,000.

So far, so normal. But where this gets interesting is D-Link has washed its hands of the devices, saying they’re “end of life” and that they will “no longer receive device software updates and security patches.” The vendor recommends users “retire and replace” the devices.

So... trash them. Great response!

One of the vulnerabilities is a hard-coded backdoor account—user “messagebus” with a null password—and the second is a command injection vulnerability. These can be combined into a single line GET request to run arbitrary commands on the devices.

D-Link told Bleeping Computer that the affected devices could not be automatically updated and didn’t have customer outreach features that could deliver messages or notifications.

The advisory says the devices can run third-party open-firmware, but D-Link doesn’t support users doing this. We think it’d be nice if its advisory actually listed the firmware so customers could go and get it, but maybe we’re asking for too much.

On one level, the end-of-life decision seems fair enough. The devices are old, weren’t particularly expensive at $300 or less, and newer devices would be better and more secure.

However, it’s still a bit rich for a company to shed itself of responsibility for something like a hard-coded credential. These devices will very likely be exploited to cause harm across the internet.

This newsletter has previously covered the KV-botnet, which espionage groups linked to the People’s Republic of China appear to have used in building capability to disrupt U.S. critical infrastructure. Most of the devices that made up the KV-botnet were end of life, and it makes sense for administrators to focus on devices that vendors have absolved themselves of responsibility for and are unlikely to patch.

In the case of the KV-botnet, the U.S. government, with assistance from international and private-sector organizations, carried out a court-authorized disruption operation. These operations aren’t cheap, however, so a vendor’s inability or unwillingness to address these types of security problems effectively pushes costs onto the public purse.

Another security incident this week reportedly affects 91,000 LG smart televisions that are not end of life. Security firm Bitdefender says four TV models are all susceptible to four different vulnerabilities.

In contrast to D-Link’s NAS devices, LG has the ability to push out updated firmware, which should be installed automatically on its affected devices. That’s a great position to be in, but then the question for policymakers becomes how long LG will provide these security updates. Until it retires these models? Until it gets sick of providing support? Or until a relatively small number of devices remain online?

Given that the justification for requiring that vendors issue security patches is the public interest, it makes sense that the obligation be based on how much harm could occur. In other words, vendors should be required to patch when there are still tons of devices online.

An ounce of vendor prevention is better than pounds of government cure, so placing security obligations on vendors makes sense.

Three Reasons to Be Cheerful This Week:

1. Tackling Microsoft Office’s government monopoly: Sen. Ron Wyden (D-Ore.) has released draft legislation that would require software used by the government to be interoperable to prevent vendor lock-in. Seriously Risky Business addressed this issue recently, and it’s fair to say it is complicated. So some high-level focus on it is welcome.
2. Ivanti’s commitment to security: Ivanti’s CEO has published an open letter regarding the vendor’s “commitment to security.” Ivanti products have been the target of several state- and financially motivated campaigns in recent years. It’s very early days, but this letter is a good example of a security initiative that sounds promising because it is CEO backed, is board supported, and includes explicit lines of effort. 
3. LockBit disruption looks successful: A Trend Micro report released last week says that the law enforcement operation against ransomware group LockBit has had a “significant impact” on the group. There was almost no LockBit activity after this disruption, despite the group’s claims. The report also hints at the size of the groups and identifies 193 affiliate accounts. Adam Boileau and Patrick Gray discussed the effects of ransomware disruption on the Risky Business podcast yesterday.

Shorts

The Evolution of Ukraine’s IT Army

The Record’s Ukraine correspondent, Daryna Antoniuk, has an interesting article looking at the evolution of Ukraine’s IT Army, the volunteer hacktivist outfit that supports the Ukrainian cause.

Antoniuk describes the IT Army increasing its organization, sophistication, and capability over time. To us, it looks like the Ukrainian government is increasingly collaborating with hacktivist cyber operations, but “Ted,” an IT Army spokesperson, told Antoniuk that there were only unofficial links. 

Ted also said that the IT Army aims to be an annoyance and knows that it won’t win the war.  “For most people, working in the IT Army is compensation for the guilt of not being on the front lines,” he said.

HR Is Not Ransomware’s Friend

TechCrunch has an entertaining account of a phone call in which a data theft hacker trying to extort a company applies pressure by calling its public telephone line. The hacker gets put through to Human Resources and both parties end up talking at cross purposes.

Kaspersky Ban Incoming

The U.S. government is reportedly said to be preparing to ban software made by Russian cybersecurity firm Kaspersky from being used by U.S. citizens and companies. Makes sense to us.

Risky Biz Talks

In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq look at the human side of the XZ Utils supply chain attack.

From Risky Biz News:

Ukraine wants Sandworm hackers tried at The Hague: The Ukrainian government is gathering evidence and intends to file a war crimes case against Russian military hackers at the International Criminal Court in The Hague.

The case will center around the December 2023 cyberattack against Kyivstar, Ukraine’s largest mobile operator.

Russia hackers breached the company in May of last year, gathered data, and then wiped thousands of servers on Dec. 12.

The attack disrupted mobile services for the Ukrainian population for days as the operator raced to rebuild affected systems.

In light of the incident’s destruction and broad impact on its civilian population, Ukrainian officials hope to have the cyberattack labeled as a war crime.

[more on Risky Business News, including more on Ukraine’s justification and possible hurdles Ukraine’s efforts could face.]

Multi-party approval comes to Google Workspace: Google has added a new feature for its Workspace enterprise platform that will require multiple administrators to approve changes to an organization’s sensitive settings.

The new multi-party approval feature will roll out in the next two weeks and will be available to any Google Workspace customer with two or more super admin accounts.

Once enabled, all super admins will be required to approve changes made to sensitive Workspace environments, such as changing multifactor authentication settings, account recovery steps, and login and session controls.

The feature is intended to counter admin account hacks. In the past, threat actors would often compromise an admin account and then silently make changes to an organization’s sensitive Workspace settings without the rest of the admin team noticing.

[more on Risky Business News]

Ukraine suspends SBU cyber chief: Ukraine has suspended Illia Vitiuk, the head of the SBU security service’s cyber division. Officials say they’ve reassigned Vitiuk to a unit on the front while they investigate claims of corruption. Journalists from local news outlet Slidstvo claimed that Vitiuk and his wife recently bought expensive real estate despite not having the financial means to do so. Slidstvo reporters also claim they were harassed by SBU staff after publishing their article.