![Chinese Hackers Target Telcos. Smart. [Encryption Digest 18] - cover graphic](/_next/image/?url=https%3A%2F%2Fcdn.venafi.com%2F994513b8-133f-0003-9fb3-9cbe4b61ffeb%2F7506a434-f4cb-4de4-99d4-c5b587fbabcc%2Faid_field_img__1f3ec36662d990cded6139b34241d596.png%3Fw%3D864%26h%3D370%26fm%3Dwebp%26q%3D75%26fit%3Dcrop&w=3840&q=75&dpl=dpl_H1HoLru8zbnj4wwarzUVadLRmxGZ){kind=small}
It seems the noose is tightening. While we may be nearing the end of an unregulated era of internet and a freewheeling commons of communications—everyone fights for the last fistfuls of sand. Facebook works for wins in E2EE call and video, in addition to encrypting its messages.
North Korea unleashes yet another Lazarus attack, this time sneakier than ever to siphon what information roams free on the internet, and China isn’t taking chances. A state-sponsored attack group seems to have been targeting Telcos for some time now, because, well, they’re still unencrypted. How long will the data-grab last, and who will put the final nail in the coffin? It looks like we’re closer to finding out, this week in the Encryption Digest.
Facebook makes a break to encrypt it all
Run, Forest.
Remember when Facebook was fighting to encrypt Messenger? Governments countered with “Please, don’t do that.” Facebook countered with “Maybe we’ll encrypt call and video, too.”
In an effort to boost civil liberties, Facebook ramps up encryption efforts on its popular Messenger, testing the idea of secret calls and video chats, along with the previously slated message encryption.
Since 2016, encrypting some communications was possible using the Secret Conversations feature. The fight recently was to make such end-to-end encryption not an opt-in, but a standard.
Facing backlash from the FiveEyes alliance, a loosely bound cohort of five western nations (Canada, Australia, New Zealand, the US, the UK), the social media magnate apparently took the heat and swallowed it. Formally petitioning Facebook to abandon its designs and "[not] preclude any form of access to content...for preventing or investigating the most serious crimes", the FiveEyes alliance favored protection over privacy, and called on the Silicon Valley giant to stand down.
What emerged was not backstepping, but an even more steeled resolve to “build a simpler platform that's focused on privacy first.” In a Magna Carta-esque statement of intent, Zuckerberg announced this past March that the company would seek to encrypt basic messaging, following the WhatsApp archetype, and expand E2EE across “calls, video chats, groups, stories, businesses, payments, commerce, and ultimately ... many other kinds of private services.”
Said Zuck, "We think it is the right thing to protect people's privacy more, so we will go defend that when the time is right."
In a world where all communication could become end-to-end encrypted, it will be up to the third party that hacks the best to obtain the information inside. After the 2015 terrorist-linked San Bernardino shootings, the FBI paid a capable mind over a million dollars to crack the suspect iPhone. Interested entities can always get in. In a fully E2EE frontier, the question just evolves from “Who wants it?” to “Who wants it more?”.
Related posts
- Facebook and the Fight for End-to-End Encryption [Encryption Digest 14]
- Is Cryptography Really A Threat to Liberty? [Labor Day Musings]
- Overheard In The Press: Encryption Backdoor Debate
Beware of Hoplight [again]: latest North Korean malware
BTS isn’t the only Korean-bred phenomenon sweeping the web.
Hidden Cobra strikes again.
The catch-all moniker refers to a network of bad actors, also known as Lazarus, affiliated with hacking schemes and the North Korean government. While the specific attackers are still at large, the specifics of the latest attack aren’t.
An investigation from the Department of Homeland Security reveals the following about Hoplight, the latest strain of Korean malware to hit Windows systems:
What it targets
Windows systems, 32-bit and 64-bit versions
Specialty
Staying hidden on compromised systems. 16 of its 20 executables disguise traffic between operators and malware.
How it works
First, it gets a legitimate public SSL certificate (Dark Web, anyone?) and uses it to fake a TLS handshake, “disguising network connections with remote bad actors.” One file contains the public SSL certificate and the other does not, but instead “attempts outbound connections and drops four files.” What’s in the files? Mostly IP addresses and SSL certificates.
The malware has four hard-coded IP addresses which it uses for the command-and-control servers and performs the TLS handshake with the servers once the malware has deployed. After that, a homegrown encryption scheme ensures secure communication between the server and infected device.
What it can do
“The malware can read, write, and move files, create and kill processes and services, edit registry settings, and upload and download files to and from a remote server.”
Previous Hidden Cobra attacks include WannaCry and ELECTRICFISH. This is the seventeenth Department of Homeland Security MAR report on the North Korean hacking group since May of 2017.
Find the full DHS report, here.
Machine identities are now worth more than human identities on the Dark Web. Find out what that means for your enterprise.
Related posts
- Digital Attackers Using New ‘Cipher Stunting’ Technique to Evade Detection
- Reductor Malware and Rogue Certificates
- Cisco Detects Malware in Encrypted Traffic
Chinese hackers target Telcos. Smart.
I don’t think “The Art of War” ever mentioned targeting Telcos first, but it seems to be a brilliant strategy.
A data mine of info gold, telecommunications companies—with their seductive swaths of SMS logs, personal information and call metadata—are becoming an opportunistic first line of attack. As the arms race for data marches forward, the networks that carry still unencrypted data are the easiest hill to take.
According to Jim Baker, former general counsel to the FBI, "it is time for governmental authorities—including law enforcement—to embrace encryption because it is one of the few mechanisms that the United States … can use to more effectively protect themselves from existential cybersecurity threats.” Like this one.
Let’s back up
- State-sponsored Chinese hacking group APT10 take down 10 Telcos, reported last June.
- APT41, of similar origins, “brute forces” victim industries for specific information, targeting Telcos like big game.
So, it appears state-sponsored Chinese hackers are favoring traditional communication infrastructure.
Which brings us to our current issue
APT41 targets SMS servers with [aptly named] MESSAGETAP. The malware takes full advantage of one of the last, best fronts of scores of unencrypted data. Not everyone’s (not anyone’s?) texts are E2EE safe. Not everyone uses an encrypted messaging platform (yet). The genius is simple, and scathing.
News breaker FireEye reports that Telcos “occupy critical information junctures in which data from multitudes of sources converge into single or concentrated nodes.” Access into such a juncture “enables the Chinese intelligence services … to obtain sensitive data”.
It would take months, if not years, for a cultural shift from your cell provider’s data plan (“call, text and web...”) to a platform like Signal or WhatsApp. Like all social aggregators, they are only as good as the whole, and adoption may be a long time coming. In the meantime, all the data just sits there like a row of ducks.
Related posts