Microsoft Makes Security The New Black

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.

Microsoft Makes Security the New Black

Microsoft has finally embraced security as a top priority. This is great news for customers as the move will turbocharge competition between firms over which of them is most secure.

Last week, Microsoft CEO Satya Nadella issued an all-hands memo making it clear that security was the company’s top priority. Nadella wrote:

If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.

Nadella also said part of senior leadership’s compensation will be based on progress toward security milestones.

It doesn’t get much clearer than that, and we are convinced this shift is genuine.

Microsoft also published a post last week from security head Charlie Bell that dives into concrete actions it plans to take.

In addition to spelling out three security principles and six pillars, Bell said the company would “elevate” security governance and work to instill a security-first culture.

A new emphasis on security culture is rippling out across the industry as competitors seek to position themselves as leaders in the area. In mid-April for example, the chief information security officer (CISO) at Amazon Web Services (AWS) published a post on “how the unique culture of security at AWS makes a difference.” And Google’s Office of the CISO featured in a Forbes article in early April.

And last week Amazon CEO Andy Jassy touted AWS’s security as a positive in the context of the deployment of cloud AI services, saying, “Most companies care deeply about the privacy of the data in their AI applications and the reliability of their training and production apps.”

There is a whiff of marketing in these efforts, but it is still a very good thing that companies are now competing on security rather than sweeping their failures under the carpet.

Last week we wrote, “Microsoft’s senior leadership are beginning to understand that good security underpins everything the company does… they are just afraid to say it out loud where it might spook investors.” Is it too much to hope that companies will tout their security as an advantage in future earnings calls?

Ransomware Kingpin Outed and Left Friendless

Law enforcement authorities say they have unmasked the ringleader of the LockBit ransomware group, naming “LockBitSupp” as Russian national Dmitry Yuryevich Khoroshev. The U.S., U.K., and Australian governments have levied financial sanctions against him.

This is the most significant coordinated action taken against a ransomware kingpin. It follows on from the February disruption of LockBit’s infrastructure.

Official announcements from U.S. and U.K. government agencies provide a lot of information about LockBit. The U.K.’s National Crime Agency says it now has “deep insight into LockBit’s operations and network.”

Risky Business News has more coverage of these insights, including allegations that Khoroshev has personally earned more $100 million from LockBit ransom payments.

Dmitry Yuryevich Khoroshev via the U.K. National Crime Agency

We get the strong sense that, in addition to standard criminal justice practices, the action is designed to throw Khoroshev to the wolves. An indictment released by the U.S. Department of Justice, for example, contains information that is likely to make Khoroshev’s life difficult. In information that may interest Russian law enforcement, the indictment says:

Although KHOROSHEV purported to prohibit LockBit affiliate Coconspirators from attacking victims located in Russia, KHOROSHEV and LockBit Coconspirators also deployed LockBit against multiple Russian victims.

Another section seems designed to ensure Khoroshev will not have friends in the Ransomware-as-a-service (RaaS) community:

Shortly after the February 2024 operation, KHOROSHEV, seeking to restore LockBit’s primacy and to stifle his competition within the criminal RaaS space, communicated with law enforcement and offered his services in exchange for information regarding the identity of his RaaS competitors. Specifically, KHOROSHEV asked law enforcement during that exchange to, in sum and substance, “[g]ive me the names of my enemies.”

If you don’t think you’ll get an arrest, the next best thing is to make a ringleader’s life a misery.

Digging Deeper Into Change Healthcare’s Failures

UnitedHealth Group CEO Andrew Witty testified to Congress last week about the disastrous ransomware attack on the company’s Change Healthcare subsidiary. This significant attack had far-reaching impacts across the U.S. health industry. These included disrupting billing and insurance payments and delivery of prescriptions.

In his testimony, Witty said the ransomware actor used stolen credentials to gain access to a Citrix portal that did not have multi-factor authentication (MFA) enabled. So at first glance, it simply seems that UnitedHealth was falling below an acceptable security baseline. But it’s more complicated than that.

UnitedHealth acquired Change Healthcare about 18 months ago, and its policy is to have MFA on external-facing systems. However, this wasn’t implemented on the hacker’s point of entry. The ransomware’s impact was also exacerbated by the presence of legacy systems, some of which were 40 years old.

In our view, this is the kind of complex high-impact event that likely has a multitude of contributing factors that the broader infosec (and business!) community would benefit from understanding. In other words, what we need is a report that dives into the nuts and bolts of contributing factors, going deeper than a surface-level “the Citrix portal didn’t have MFA” answer.

This reminds us of Conti’s ransomware attack on the Irish national public health service (HSE). Although the initial entry point was phishing, a post-incident report laid the ultimate blame on deeper governance failures.

We don’t think the Change Healthcare attack requires a Cyber Safety Review Board report, and the report into Conti’s HSE attack was commissioned by the health service’s own executive. Will UnitedHealth be brave enough to commission and publish its own independent report? We don’t think so, but it would be an excellent idea.

Three Reasons to Be Cheerful This Week:

1. Death to passwords: Microsoft has announced support for passkeys in consumer accounts, and Google says over 400 million Google Accounts have used passkeys over the past year. Passkeys are a new standard that allow users to log into apps or websites without entering a password and using a cryptographic token instead.
2. Fewer ransomware victims pay up: Blockchain analysis company Chainalysis reports ransomware victims are increasingly unlikely to pay up. It attributes this in part to enhanced cyber resilience among organizations. Unfortunately, Chainalysis finds that affiliates are increasingly using multiple ransomware strains and that launching attacks is easier than ever.
3. Hack for hire arrest: Reuters reports an Israeli private investigator, Amit Forlit, was arrested in London over allegations he carried out a hacking campaign on behalf of an unnamed American public relations firm. 

Shorts

Surprise! Transparent Blockchain Not Good for Money Laundering

Blockchain analysis company Elliptic has published an article describing research that uses a machine learning model to identify patterns or chains of transactions that represent bitcoin being laundered. This approach doesn’t rely on starting with previously identified illicit wallets and finds suspicious activity just by looking at transactions.

Elliptic describes blockchains as “fertile ground” for machine learning techniques because of their inherent transparency.

The research was co-authored with researchers from the MIT-IBM Watson AI Lab.

Russian Cyber-Kinetic Coordination About Seeing and Scaring

Ukrainian sources have speculated in recent weeks about Russian forces’ rationale for combining kinetic and cyber operations. In late April, Serhii Prokopenko, the head of operations at Ukraine’s National Cyber Security Coordination Center, speculated to The Record that Russia used cyber operations in tandem with missile attacks on Ukrainian energy infrastructure to collect information about the damage caused by those strikes.

This isn’t a new practice. In January, Ukraine’s security service, the SBU, warned Russia was compromising webcams, possibly to target missile strikes and assess damage.

Last week, Ukraine’s CERT (CERT-UA) published its report on Russian cyber operations in the second half of 2023 and discussed cyber-kinetic coordination. It says Russia continues to use what it calls “hybrid attacks that combine cyber elements with missile strikes, aimed primarily at exacerbating the psychological impact on civilians.” CERT-UA thinks, “with high certainty,” a disruptive cyberattack on the Ukrainian mobile operator Kyivstar was carried out in order to amplify the effect of missile strikes carried out before and after.

The U.S.’s Ambitious International Cyber Strategy

The U.S. government released its International Cyberspace and Digital Policy Strategy this week, and while we applaud the ambition, we are concerned about whether sufficient resources are available to execute the strategy.

It recognizes that technology will shape the way the world develops and there are adversary states trying to “shape the future of technology to the detriment of US interests and values.”

The strategy espouses a “comprehensive policy approach” using diplomacy and international statecraft across the entire digital ecosystem. It says this includes:

hardware, software, protocols, technical standards, providers, operators, users, and supply chains spanning telecommunication networks, undersea cables, cloud computing, data centers, and satellite network infrastructure, operational technologies, applications, web platforms, and consumer technologies as well as Internet of Things (IoT), artificial intelligence (AI) and other critical and emerging technologies.

The U.S. isn’t trying to go it alone, and partners and allies feature heavily in the strategy.

Still, that’s a lot of ground to cover.

Is China Pillaging U.K. Personal Data Holdings?

The U.K. government says a foreign “malign actor” accessed a payroll system holding details of current and former armed services personnel, including bank details and some addresses. Unsourced media reporting suggests the People’s Republic of China (PRC) is responsible.

This is entirely plausible. In the mid-2010s, Chinese actors went on a hacking spree in the U.S. that sought out bulk data sets (including breaches at the U.S. security clearance Office of Personnel Management, credit reporting agency Equifax, health insurance company Anthem, hotel chain Marriott and United Airlines). These data sets are complementary and were reportedly mined by the PRC to identify U.S. spies operating in China.

A 2021 breach of the U.K.’s Electoral Commission systems has been blamed by the U.K.’s National Cyber Security Centre on a “China state-affiliated actor.” Is the U.K. the target of the PRC’s next data harvesting exercise?

Risky Biz Talks

In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq look at how different types of secrecy obsessed organizations learn.

From Risky Biz News:

New router malware intercepts traffic to steal credentials: Reports on interesting and puzzling malware strains are quite rare in infosecland, where most of the time you’re bound to read about cryptominers, Mirai clones, and the same five or six malware loaders and infostealers over and over again.

This week, Lumen’s Black Lotus Labs team published a report on a new malware strain named Cuttlefish that they found on both small office/home office and enterprise-grade routers.

The interesting part about the report was that Cuttlefish appears to have been designed to work as a traffic interception system on the infected devices. It scans network traffic and looks for text markers in URLs that reference passwords, keys, tokens, and other authentication-related items. According to a list pulled by Black Lotus researchers from the malware’s source code, Cuttlefish actively scans for 126 markers, with many referencing cloud services like Ali Cloud, AWS, Digital Ocean, CloudFlare, BitBucket, Ansible, and others.

Seeking authentication details for cloud-based resources could allow the attacker to move laterally across networks or even perform supply chain attacks from that infrastructure.

[more on Risky Business News]

Another Webex leak in Germany: The German Armed Forces (Bundeswehr) have misconfigured their Cisco Webex systems and leaked information on past and future meetings. Reporters from German newspaper Die Zeit found links to thousands of meetings on sensitive topics exposed on the internet. Meeting titles referenced sensitive and secret topics, such as Taurus missiles and battle tactics. The German government is also affected by the same issue with their Cisco Webex video conferencing software. Reporters say they easily found video conferences scheduled for Prime Minister Olaf Scholz and other ministers.

[Ed: The Grugq and I discussed a German Webex leak about Taurus cruise missiles on this episode of the “Between Two Nerds” podcast in March.]

Outcry over APT28 hacks: The German and Czech governments, the European Union, and NATO have condemned Russia for a major hacking spree linked to the APT28 group. Officials say the group used a Microsoft Outlook zero-day to compromise email accounts throughout 2023. The campaign targeted governmental entities, critical infrastructure operators, and political parties across the EU. Most of the victims were located in Germany, Czechia, and Ukraine. Germany has summoned a top Russian envoy to answer for the hacks and called on Russia to “refrain from such behaviour”—like that will work. The governments of Poland and the U.K. also issued their own statements on the incidents. Russian officials called the statements “unsubstantiated and unfounded” and designed to incite “anti-Russian sentiments in Germany.” [Additional coverage in DW]