This month, Cyjax CISO, Ian Thornton-Trump, and Head of Editorial, Tristan de Souza, tackle Russian interference, threat intelligence failure, a Microsoft vulnerability with – shock, horror – wormable potential, the hijacks of numerous high-profile Twitter accounts, and a chat app being used for cyber-espionage in the Middle East.
The Russia Report
In mid-July, the Russia Report was released by the Intelligence and Security Committee of the UK parliament, around nine months after Prime Minister Boris Johnson had received it. Exactly why the report was not released immediately, or prior to the December 2019 general election (to which it would have been not a little pertinent), remains unclear. Boris Johnson denies that he sat on it.
The report showed that successive British governments and the security services had simply not been up to scratch or, worse, had been negligent and overly laissez-faire in their response to documented hostile acts by the Russian government against UK democracy. Not only did they fail to learn from those hostile acts, they also failed to investigate them adequately: after receiving credible reports of interference in the Scottish independence referendum, the matter was pursued no further. And all this took place while successive Conservative-led administrations looked the other way at the dirty money being laundered through the United Kingdom. Indeed, this seems to have been encouraged. Despite Kremlin claims that this is disgraceful Russophobia, the surprise is not Russia’s malevolent scheming, but rather the failings of the British security services.
On top of this, it’s important to note that Russian state-sponsored threat actors are not just focused on politics. In a separate advisory last month, the NCSC noted that an Advanced Persistent Threat (APT) group known as APT29 is running an ongoing campaign targeting COVID-19 vaccine research around the world. So this immediately moves from a nebulous, political issue – ‘oh, well, people are clever enough to spot misinformation and, anyway, it’s ages until the next election’ – to a very real threat to intellectual property that could be shared with the world, but which may instead be captured and inappropriately politicised by malicious nation-state actors. As Dominic Grieve QC, the chair of the Intelligence and Security Committee from 2015 to 2019, put it, the “government [should] desist from its childish interference in the workings of the intelligence and security committee.” Maybe they should start focusing on things that protect the country rather than themselves.
Threat Intelligence Failure
And talking of the need to be grown-up about intelligence and threats, Ian wrote a fantastic piece in mid-July looking at Threat Intelligence Failure (read this here). In it, he explores why so many organisations seem to be asleep at the wheel and are simply failing to protect themselves appropriately. Is there any excuse in 2020?
One of the examples given in Ian’s blog is a ransomware attack that hit the University of California San Francisco earlier in 2020. Questions remain as to the preparedness of the organisation: had it used the intelligence available to it? What would have been an appropriate course of action?
Both Ian and Tristan were fairly critical of the fact that numerous organisations persist in having inadequate security measures in place to protect their infrastructure, data, users and employees. The information is available, and it is not overly expensive to implement an adequate cybersecurity baseline. You wouldn’t be able to drive a car without an MOT: perhaps it’s time that governments implemented clear minimum standards through regulation across the board.
SIGRed – Latest Wormable Vulnerability
In terms of the information that is available to businesses about the infrastructure they have deployed, the most recent vulnerability in Windows DNS Server (CVE-2020-1350), which affects every Windows Server release from 2003 to 2019 running the DNS Server role, was a shining example of how to do cyber-preparedness, and how to do it well.
SIGRed, as the vulnerability is known, is wormable: code exploiting it can spread from one vulnerable server to the next with no user interaction at all. This is a quality it shares with the vulnerabilities exploited in some of the most famous malware attacks of all time, not least WannaCry and NotPetya in 2017, both of which caused billions of dollars in lost revenue and recovery costs. Wormability is scary enough in itself; SIGRed’s exploitability for remote code execution is scarier still when combined with the ability to worm through systems unaided. Indeed, Ian has admitted to having numerous nightmares about remotely exploitable vulnerabilities.
Indicating how severe this was, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring all US federal executive branch departments and agencies to mitigate the SIGRed flaw within 24 hours. The directive states that “CISA has determined that this vulnerability poses an unacceptable risk to the federal Civilian Executive Branch and requires immediate and emergency action.” This is based on the high likelihood of the vulnerability being exploited by malicious actors, and the fact that it is exceptionally far-reaching.
That we have not seen a repeat of the WannaCry or NotPetya outbreaks, however, is testament to a number of things, foremost amongst them the significant amount of communication from Microsoft and the various bodies overseeing cybersecurity around the world regarding SIGRed. Patching is key, but so is knowing that you have to patch, and too frequently we see a lack of clear, coherent messaging that would enable security teams to do their job efficiently. With SIGRed, that messaging was there.
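As a practical footnote to the “mitigate within 24 hours” point, the following PowerShell triage script is an added example for this write-up; it is not code from the podcast, from Cyjax or from Microsoft. It checks whether a host runs the DNS Server role and whether Microsoft’s published interim registry workaround for CVE-2020-1350 (TcpReceivePacketSize set to 0xFF00 under the DNS service’s Parameters key, followed by a DNS service restart) is in place, and can apply it. It does not confirm the patch itself, because the KB number differs per Windows Server release; the final step lists updates installed since the July 2020 Patch Tuesday for manual comparison against Microsoft’s advisory.

```powershell
# Added example (not from the Cyjax podcast or Microsoft): triage a Windows Server for SIGRed exposure.
# Run in an elevated PowerShell session on the server being assessed.
[CmdletBinding()]
param(
    [switch]$ApplyWorkaround   # set the registry value and restart the DNS service
)

$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$regName  = 'TcpReceivePacketSize'
$expected = 0xFF00             # 65280: Microsoft's published interim value for CVE-2020-1350

# 1. Is the DNS Server role even present on this host? No service, no exposure.
$dnsService = Get-Service -Name DNS -ErrorAction SilentlyContinue
if (-not $dnsService) {
    Write-Output 'DNS Server service not present: this host is not exposed to SIGRed.'
    return
}
Write-Output ('DNS Server service found, status: {0}' -f $dnsService.Status)

# 2. Is the interim workaround in place?
$current = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
if ($current -eq $expected) {
    Write-Output ('Workaround present: {0} = 0x{1:X}' -f $regName, $current)
} else {
    if ($null -eq $current) {
        Write-Warning "Workaround absent: $regName is not set."
    } else {
        Write-Warning ('Workaround value unexpected: {0} = 0x{1:X} (expected 0x{2:X})' -f $regName, $current, $expected)
    }
    if ($ApplyWorkaround) {
        # Create the key if it is missing, set the DWORD, then restart DNS so the value takes effect.
        if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
        Set-ItemProperty -Path $regPath -Name $regName -Value $expected -Type DWord
        Restart-Service -Name DNS -Force
        Write-Output 'Workaround applied and DNS service restarted.'
    }
}

# 3. Patch status: list updates installed since the July 2020 Patch Tuesday (14 July 2020)
#    for manual comparison with the KB number Microsoft lists for this OS build.
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2020-07-14' } |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn |
    Format-Table -AutoSize
```

Run it without parameters for a read-only check across a fleet (for example via Invoke-Command), and with -ApplyWorkaround only where the patch cannot be installed immediately; the workaround is a stop-gap, and the registry value should be removed once the update is confirmed.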
Twitter Scams and Cyber-Espionage
Ian and Tristan finish the podcast by turning first to the Bitcoin scam that saw dozens of high-profile Twitter accounts hijacked – a prime example of social engineering (vishing, specifically) – and then to the use of Welcome Chat, a “secure” (it wasn’t) chat app that was deployed by a state-sponsored threat actor for cyber-espionage against citizens of various Middle Eastern countries. To find out about those attacks, however, and to get the guys’ analysis of them, you’ll have to watch the podcast. Enjoy!
If you enjoy our podcast, please subscribe to our YouTube channel and follow us on LinkedIn for all the latest blogs covering the intersection of cybersecurity and geopolitics. Essential reading for all businesses.