Cybersecurity & Tech

Using Exploits to Steal Exploits Is as Old as Time

Tom Uren
Friday, September 6, 2024, 9:30 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.


Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.

Using Exploits to Steal Exploits Is as Old as Time

Google has discovered exploits developed by commercial spyware vendors being used by Russian government espionage groups.

Per Google’s Threat Analysis Group (TAG):

TAG observed multiple in-the-wild exploit campaigns, between November 2023 and July 2024, delivered from a watering hole attack on Mongolian government websites. … We assess with moderate confidence the campaigns are linked to the Russian government-backed actor APT29. In each iteration of the watering hole campaigns, the attackers used exploits that were identical or strikingly similar to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group.

TAG does not know how these attackers acquired these exploits. However, by the time attackers used them, they had been patched and were no longer zero-days.

Even though they were n-day exploits at the time, TAG pointed out they could still be effective when deployed at watering holes. If a watering hole brings in large numbers of visitors, then there will still be at least some potential victims running unpatched browsers.

The malware used in the campaigns was designed to steal browser authentication cookies for a range of online email providers so that the attackers could access those accounts.

The author of TAG’s post, security researcher Clement Lecigne, told TechCrunch that based on the technical similarities between the exploits, they don’t think the actor recreated them. Rather, he said, Russian services may have bought or simply stolen them.

An NSO Group spokesperson told TechCrunch, “NSO does not sell its products to Russia. Our technologies are sold exclusively to vetted U.S. & Israel-allied intelligence and law enforcement agencies.”

And why buy when you can steal? There is a long history of hackers stealing exploits and tools directly from other hackers’ computers or via unauthorized access to research communities and mailing lists. Now states are mimicking this behavior.

For example, North Korean groups have been targeting security researchers working on vulnerability research and development. This is to take advantage of vulnerabilities the researchers discover before they are disclosed and patched.

States have also demonstrated they are motivated to take advantage of an in-depth understanding of offensive tools developed by other groups.

In 2018, the GRU (Russian military intelligence) attempted to disrupt the opening ceremony of the PyeongChang Winter Olympics with a destructive cyber operation. The malware used in this operation was deliberately constructed to make it look like a North Korean effort, including a data-wiping function that mimicked North Korean techniques.

And in 2019, the U.K.’s National Cyber Security Centre reported that a Russia-based group called Turla (attributed to the Russian Federal Security Service, or FSB) had developed such an in-depth understanding of Iranian cyber espionage infrastructure that it was able to hijack it to run its own campaigns. This required deep technical knowledge of and access to the Iranian tools, including relevant cryptographic key material and knowing enough about its control software to issue legitimate tasking.

This type of activity isn’t limited to authoritarian states. In 2023, the U.S. government carried out a disruption operation against Snake, malware that Russia’s FSB had been using for nearly two decades. From our description of the takedown operation:

According to court documents, the FBI and U.S. intelligence agencies had been studying the malware and its inner workings for at least eight years, since 2015, ever since they found it on the networks of several U.S. organisations.
Officials worked with the entities to watch how the Snake malware worked, its custom modules, how it established encrypted communications, and how it exfiltrated data from infected hosts.

The FBI used this in-depth understanding to get Snake malware to effectively “eat itself.” It sent computers infected with Snake malware commands that resulted in its overwriting some of its own core components.

States have the motivation and the resources to develop an astoundingly in-depth understanding of malware used by other actors. And at times, they’ll take advantage of that knowledge.

A Diabolical Iranian Counterintelligence Program

Google’s Mandiant has identified what appeared to be a long-term campaign run by the Iranian regime that attempted to identify individuals within the country who could be counterintelligence threats.

This is entirely different from the way Western security agencies operate. These agencies typically run insider threat detection programs that look inward and focus on security culture, constant vetting, and auditing of internal systems. By contrast, this Iranian effort takes an outside-in approach and is the kind of broad-based campaign a state can run when it is not worried about proportionality or entrapment.

Mandiant says it has “high confidence the campaign was operated on behalf of the Iranian regime.” It observed a weak overlap between this campaign and operations from APT42, an Iran-linked group that its analysts believe works for the Islamic Revolutionary Guard Corps’s intelligence organization.

The campaign started as early as 2017 and was still running in March 2024, per Mandiant:

The activity used multiple social media accounts to disseminate a network of over 35 fake recruiting websites containing extensive Farsi decoy content, including job offers and Israel-related lures, such as images of Israeli national symbols, hi-tech offices, and major city landmarks. Upon entry, the targeted users are required to enter their personal details as well as their professional and academic experience, which are subsequently sent to the attackers.

Attack lifecycle, source: Mandiant

Mandiant says the campaign seeded links across multiple social media platforms such as X, formerly Twitter, and Virasty, a Twitter-like network commonly used in Iran. It described this as “cast[ing] a wide net” and says potential targets “may include Iranian dissidents, activists, human rights advocates, and Farsi speakers living in and outside Iran.”

The fake websites Mandiant describes in the report target individuals affiliated with intelligence and security agencies. For example, one site says its goal is to “recruit employees and officers of Iran’s intelligence and security organizations” and that it is aimed at people with “relevant documented experience … in the field of information and cyber [security] in related institutions and organizations.”

There is evidence that Iranian intelligence agencies may have collaborated on this with allies in Syria and Lebanon. An earlier iteration of the campaign, from 2017 to 2022, targeted individuals affiliated with Syrian and Hezbollah security agencies.

The fake recruitment websites include forms that ask for name, birth date, email, home address, education, and professional experience. Mandiant notes the collected data “might be leveraged in future operations against the targeted individuals.” Given the campaign ran over five years, the data has probably been used against people, probably in a coercive or punitive way. Grim.

Three Reasons to Be Cheerful This Week:

  1. SBOMs coming to the U.S. Army: The Army is putting in place rules requiring that vendors provide software bills of materials (SBOMs) in new contracts from early next year. Federal News Network says it took nearly two years of industry consultation to develop the SBOM rules. But SBOMs are a long-term project, and the more adoption there is the more useful they will become.
  2. Goodbye to credit card numbers: Mastercard is expanding its efforts to replace credit card numbers with tokens for online transactions and announced a pilot in India. The technology has been in development for a decade, and Mastercard is now processing a billion transactions a week using it. The card provider is aiming for all online transactions in Europe to be tokenized by 2030.
  3. SEC penalizes Equiniti Trust Co. for losing client funds: The U.S. Securities and Exchange Commission announced settled charges against Equiniti, formerly the American Stock Transfer and Trust Company, after it lost millions of dollars because of lax security. In one incident, according to the SEC, a thief was able to “create fake accounts that were automatically linked by American Stock Transfer to real client accounts based solely on the matching Social Security numbers, even though the names and other personal information associated with the fraudulent accounts did not match those of the legitimate accounts.” The thief then sold securities held by legitimate accounts and transferred the funds to external bank accounts.

Shorts

When You Know You Know

Politico EU reports the new prime minister of the Netherlands, Dick Schoof, has told ministers they cannot have smart devices present during cabinet meetings. Previously, smartphones were banned only for certain security discussions. Schoof formerly ran the AIVD Dutch intelligence and security service. So he knows a thing or two about the risks.

How Special Forces Hack

The U.S. Army describes how special forces used cyber capabilities in a training exercise:

During the exercise, the aforementioned ODA [Operational Detachment Alpha] team identified a target building and used a remote access device (RAD) to identify the networks coming from the facility. They were able to crack the WiFi password, enumerate the network, and run exploits on the target computer inside the building. This enabled the team to manipulate security cameras, door locks, and other security systems in the building.

Fun. Part of this scenario is straight out of a scene from Mission: Impossible, but for some operations, accessing security cameras seems both plausible and very useful.

Holding a Mirror to Facial Recognition Technologies

The Record covers the story that U.S. law enforcement is reluctant to use biometric face scans when providing security for National Football League (NFL) matches. The NFL has a new league-wide policy requiring all stadium personnel, police, and media to submit to face scans. These police concerns highlight that the standards and practices surrounding use of the technology are not yet mature enough for regular people to have confidence in them.

Sextortion Continues to Plumb New Depths

Krebs on Security covers how sextortion scam emails are now personalized with the recipient’s full name and a Google Street View picture of their house.

Risky Biz Talks

In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq talk to Alex Joske, author of a book about how the Chinese Ministry of State Security (MSS) has shaped Western perceptions of China. They discuss the MSS’s position in the Chinese bureaucracy, its increasing role in cyber espionage, its use of contractors, and the People’s Republic of China’s vulnerability disclosure laws.

From Risky Biz News:

White House recommends prioritizing RPKI ROAs: The White House has published a road map this week with its top recommendations for improving the security of internet routing protocols. The document [PDF] specifically looks at ways of improving the security of the Border Gateway Protocol (BGP), the technology responsible for directing internet traffic between different networks across the globe. The White House started looking into BGP security in 2022 as part of a concerted U.S. government effort to secure internet routing and prevent foreign actors from hijacking traffic from American networks using attacks known as BGP hijacks.
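As an added illustration (not from the newsletter or the White House road map), here is how a router applies RPKI route origin validation (RFC 6811) to BGP announcements using ROAs; the ROA set, prefixes and AS numbers are constructed documentation values, and the validator's data fetch is assumed to have already happened.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ROAs (Route Origin Authorizations) standing in for what a
# validator would fetch from the RPKI repositories. Prefixes and AS numbers
# are documentation/private-use values, not real routes.
@dataclass(frozen=True)
class Roa:
    prefix: str      # covering prefix the ROA authorizes
    max_length: int  # most specific prefix length the origin AS may announce
    origin_as: int   # AS number authorized to originate the prefix

ROAS = [
    Roa("203.0.113.0/24", 24, 64500),
    Roa("2001:db8::/32", 48, 64500),
]

def validate_origin(announced_prefix: str, origin_as: int, roas=ROAS) -> str:
    """RFC 6811 route origin validation for one BGP announcement.

    Returns 'valid', 'invalid' or 'unknown' (no covering ROA exists).
    """
    announced = ipaddress.ip_network(announced_prefix, strict=True)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "unknown"
    for roa in covering:
        # The origin AS must match AND the announcement must not be more
        # specific than the ROA's maxLength; otherwise it counts as invalid.
        if roa.origin_as == origin_as and announced.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"

def accept_routes(announcements, roas=ROAS):
    """Typical ROV policy: drop 'invalid', keep 'valid' and 'unknown'."""
    return [(p, asn) for p, asn in announcements
            if validate_origin(p, asn, roas) != "invalid"]

if __name__ == "__main__":
    for prefix, asn in [("203.0.113.0/24", 64500), ("203.0.113.0/25", 64500),
                        ("203.0.113.0/24", 64496), ("198.51.100.0/24", 64496)]:
        print(prefix, asn, validate_origin(prefix, asn))
```

The third case (right prefix, wrong origin AS) is the shape of a classic origin hijack, which is exactly what a ROA lets a validating router reject; the fourth shows why ROAs only help for prefixes that actually have them.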

U.S. charges swatters who terrorized government officials: The U.S. Department of Justice has charged a Romanian and a Serbian man for a years-long swatting campaign that terrorized U.S. citizens, including multiple senior government officials. Officials say a 26-year-old Romanian named Thomasz Szabo was the moderator of an online chatroom called “Shenanigans,” where he planned swatting and fake bomb threats since December 2020. Szabo allegedly worked closely with a 21-year-old from Serbia named Nemanja Radovanovic. According to court documents [PDF], the two collected personal information on well-known figures and then called authorities to report shootings, kidnappings, or bombs at their homes, hoping for an armed police response that would scare or even harm the victims.

Iranian APT moonlights as access broker and ransomware helper: An Iranian cyber contractor has been moonlighting as an initial access broker and providing support for ransomware gangs as a way to fill its own coffers. In a joint report published this week, the Cybersecurity and Infrastructure Security Agency, the FBI, and the Department of Defense’s cybercrime division say that an Iranian group tracked as Pioneer Kitten (Fox Kitten, UNC757, Parasite, Rubidium, Lemon Sandstorm) has created successful personas on the criminal underground where it sells access to the networks of hacked companies. The group has operated using hacker names such as “Br0k3r” and “xplfinder” and has been observed selling access to affiliates for the AlphV, NoEscape, and Ransomhouse ransomware operations. U.S. officials say this part of the group’s activity is separate from its main operation, which is to conduct cyber espionage and hack-and-leak operations for the Tehran regime.


Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.