Circum Cyberes: 1(2)

By Ravi Nayyar

A Techno-Legal Update
Jan 28, 2023

QUT Alerts Staff, Students to Data Breach

The Queensland University of Technology (‘QUT’) has suffered a data breach in which the PII of 2500 staff and 67 students was stolen in late December 2022 from a single storage drive which the attackers pwned.

Suspicions of a breach were raised by university printers producing extortion notes from the attackers who demanded payment to forbear their disclosure of the stolen data. On detecting the incident, the university took down most of its IT, keeping it so for weeks. Note that the attackers did not compromise ‘[s]ystems used for teaching, research, student management, financial and personnel management and email’, per the university.

While not much detail on the attackers’ TTPs has emerged, the fact that an Australian university left all this data sitting in one storage drive is really curious. And that it, evidently, wasn’t protected well enough, despite PII being a prized target. Risk management much?

Especially since QUT is far from the only tertiary education institution which has suffered a breach of cyber resilience in the last few years; take RMIT (2021), Swinburne University of Technology (2021) and Deakin University (2022). These came after the compromise of the PII of 200,000 students and staff of the Australian National University in 2018.

Oh, and don’t forget the founding of the University Foreign Interference Task Force (‘UFIT’) in 2019. UFIT is led by the Australian Security Intelligence Organisation (‘ASIO’, our counterespionage agency) and brings together Australian universities with national security agencies and other stakeholders. It produced Guidelines to Counter Foreign Interference in the Australian University Sector in 2021, one section of which dealt with, you guessed it, cybersecurity. This was followed by Australia amending the Security of Critical Infrastructure Act 2018 (Cth) in 2021 and 2022 so that national-security relevant assets owned or operated by Australian universities could be regulated under that law as critical infrastructure assets. Of course, this would apply more to high-end research facilities dealing with dual-use stuff, rather than systems storing student and staff PII, but these amendments underlined the need for our universities to keep their wits about them amid a deteriorating cyber threat environment.

Especially in light of their being targeted more generally by foreign powers and proxies to ‘shape discourse, promote research to the foreign powers’ strategic benefit, and to interfere in the lives of Australian students and staff when they have travelled overseas’, per ASIO.

And especially considering where our future political and industry leaders, public servants, scientists, academics and civil society representatives go to study. Folks who, depending on their positions and/or research, would be targets for cultivation as agents by foreign powers.

Insurers in Talks on Adding State-Backed Cyber to UK Reinsurance Scheme

Insurers and HM Treasury are assessing whether the UK’s insurer-owned and government-guaranteed terrorism reinsurance scheme, Pool Re (originally created in 1993 to assure insurance coverage in the wake of bombings by IRA terrorists), should also apply to ‘state-sponsored or war-related cyber attacks’ that are not covered by standard insurance policies. Note that Pool Re already ‘reinsures physical damage caused by terror attacks that have a cyber trigger’, but only if the attacks are not state-backed.

These consultations occur amid a fair bit of activity in the cyber insurance space as: the cyber threat environment (the risk environment) deteriorates; insurers get stricter on the degree of coverage they offer (eg by requiring policyholders to implement more comprehensive controls for cyber risk) or whether they offer coverage at all (as discovered by several water utilities in the USA last year); and the US Treasury Department is looking at comments on its consultation on whether and, if so, how there should be a federal insurance response to ‘catastrophic cyber incidents’. Note that, in August 2022, Lloyd’s required members of its group to ‘[exclude] liability for losses arising from any state backed cyber-attack’, prescribing criteria for such exclusion clauses. This month, the Lloyd’s Market Association updated its suite of ‘cyber war’ clauses.

Cyber insurance is a cyber risk allocation device. Now, given the criticality of effective cyber risk management by industry as a whole — not just that by the operators of critical infrastructure assets — to a modern digital economy like the UK or US, it can be argued that the cyber resilience of industry is a public good. The provision of which can be jeopardised by the inability of major firms or a significant number of firms to recover from ‘catastrophic’ breaches because they cannot afford the bill. Insurance, and thus reinsurance, can be regarded as bulwarks against their being wound up in such trying circumstances.

In this vein, HM Treasury and US Treasury’s consultations concern the degree to which the state should intervene in the reinsurance market to assure the provision of a public good — the cyber resilience of industry as a whole, which can be thrown into disarray during a major instance of state-backed CNA.

High-stakes stuff, folks, especially in light of the comments from Western governments about Russian CNA targeting Ukraine but ‘spilling over’ to other countries’ networks (including their critical infrastructure) or Russian CNA being directed at the latter in retaliation for Western support of Ukraine.

Devil’s advocate, assuming any government-guaranteed reinsurance scheme applies to state-backed CNA: if the government’s guarantee is called upon by insurers, is that a failure of the jurisdiction’s cyber policy and of its private sector in its attempt to uphold their end of the bargain when it comes to national cyber resilience?

Also, given that we are talking about matters adjacent to cyber insurance, I have to express my concern regarding folks mistakenly regarding the product as an alternative to decent cyber governance (hello, moral hazard). All this talk about insurance can distract company officers from getting the basics right in order to nullify tons of attacker TTPs, at a time when controls are still not good enough.

Further material:

  • A great thread from a postdoc who tracks the economics of cybersecurity for a living; and
  • the recording of a webinar I ran late last year on cyber insurance.

Australia Leads Global Task Force to Fight Ransomware

During the 2022 meeting of the International Counter Ransomware Initiative (‘CRI’), its 37 members stated their intent to create an ‘International Counter Ransomware Task Force’ (‘ICRTF’) which will handle things including: exchange of cyber threat intelligence; developing ‘cross-sectoral tools’; publicly reporting on attacker TTPs; uplifting ‘hygiene across the board’; and ‘consider[ing] a model’ for ongoing PPPs, ‘including the establishment of an ancillary industry chapter that would be actively engaged with the work of the ICRTF’.

It was announced at the time that Australia, through the Cyber and Critical Technology Coordination Centre within the Commonwealth Department of Home Affairs, would convene and host the ICRTF. Per the Secretary of the Department, Mike Pezzullo, in his closing remarks at said meeting, the ICRTF is aimed at accelerating defence and ‘disruption-by-design’ against ransomware groups.

Though Dep-Sec Pezzullo had said he was determined that the ICRTF would set up shop on New Year’s Day this year, it started operations on 23 January.

Which is wonderful to see.

Of course, our Sigint and cyber security agencies were already collaborating with their FVEY counterparts on a range of threats, including ransomware, but it’s always good to bring more folks inside the tent; ‘many hands make light work’ and all.

After all, ransomware is a national security threat, especially for countries with (emerging) digital economies and as critical infrastructure assets become ever more dependent on digital technology to operate (eg amid the IT/OT convergence). A lot of us use the same digital stuff across borders to run our societies, stuff which can be weaponised by ransomware actors as attack vectors. So international cooperation is a necessity, as is cooperation between the state and industry, something championed by the ICRTF above.

For more context on the CRI, check out my analysis of the joint statement from its first meeting.

JCDC Announcement

In 2021, the Cybersecurity & Infrastructure Security Agency (‘CISA’, the US counterpart of the Australian Cyber Security Centre) created a PPP body for critical infrastructure sectors called the Joint Cyber Defense Collaborative (‘JCDC’). It is focused on analysing and disseminating CTI, ‘providing real-world value and proactive solutions to defend today and prepare for tomorrow’. Both for domestic and international partners, with the JCDC having established ties with over 150 CERTs from around the world.

CISA has just released the JCDC’s planning agenda for 2023, which was developed through collaboration with the private sector. The agenda comprises ‘joint cyber defense plans focused on three areas: systemic risk, collective cyber response, and high-risk communities’.

Given my research interests, I will focus on the first two.

For ‘systemic risk’, CISA points to threat actors wising up and going after ‘single points of failure in critical infrastructure’, including software and services ‘widely used’ across sectors, which carry the risk of ‘cascading impacts and severe impacts to our national critical functions’. In this context, the JCDC will look at issues potentially thrown up by OSS used in industrial control systems (you beauty!) as well as work with RMM vendors, MSPs and MSSPs to help SME critical infrastructure entities improve their cyber resilience and C-SCRM (you beauty again!).

I’m grinning widely because I’m looking at how governments ought to deal with systemic risks created by NIST-defined ‘critical software’ (which includes ICS software) and other software which enjoys sizeable market penetration, such as (enterprise software which incorporates) OSS, as well as how C-SCRM by critical infrastructure operators ought to be regulated. Also, the second initiative regarding RMM vendors and service providers will be high-impact if done right because of the criticality of the latter entities to CNI supply chains generally and their influence on the cyber resilience of their customers. They can make their customers more cyber resilient at scale, and would have well-drilled security teams with a fair bit of best practice and tooling to share with SME customers.

For ‘collective cyber response’, I appreciate the language around the USG needing ‘to plan for a coordinated public-private response… and quickly recover’ (my emphasis) from a major incident. This is because it suggests the JCDC’s focus on national cyber resilience, not merely cyber security. I applaud the JCDC thus being slated to lead work to update the National Cyber Incident Response Plan in line with the ‘significant advance[ment]’ of government and industry in IR, and the need to articulate ‘specific roles for non-federal entities in organizing and executing national incident response activities’. Again, ‘many hands make light work’, especially in a crisis.

A Major App Flaw Exposed the Data of Millions of Indian Students

Files containing personal information for hundreds of thousands of Indian students and teachers were, for a while, accidentally left on an unsecured Internet-facing cloud server used for India’s public education app, ‘Diksha’ (launched in 2017).

A UK-based security researcher discovered this in June 2022 and the server was taken down only after WIRED sent links to it to the Chief of Policy and Partnerships at the foundation, EkStep, which developed and ‘had been supporting Diksha for many years’.

The files contained: names, phone numbers and email addresses for over one million teachers; and, for 600,000 students, partially obscured email addresses and phone numbers, enrolment information (including school and dates) and progress information.

No two ways about it, this was a monumental failure of cyber governance by EkStep and the Indian Ministry of Education. Especially when the privacy of hundreds of thousands of children was jeopardised, let alone that of data concerning where they went to school.

Yes, societies have become increasingly dependent on apps and other edtech solutions to deliver schooling, so cyber risk in education is hardly confined to India. But come on, this is inexcusable — especially when this is the result of a basic stuff-up by whoever was running Diksha.

And hardly a novel kind of stuff-up — storage of tons of sensitive data in a misconfigured cloud environment.

Cases like this also make me believe that our Indian cousins, as much as they need thriving services startup ecosystems and have a world-class reputation for delivering complex IT services for customers in advanced economies, need to focus much more on getting cyber resilience right. Especially when someone was reported by the Indian press just this week to be flogging 25 GB worth of data from the Indian Ministry of External Affairs — including emails between senior Indian diplomats and their foreign counterparts — on the Dark Web.

Good thing the Indians are cooperating bilaterally with countries having decent cyber resilience ecosystems, like Israel, the USA and Australia — as well as through the Quad (with the USA, Japan and Australia) — on this very subject. During the best of times, it is critical to work with strategic partners to establish a thriving cyber security ecosystem and culture, one spanning sectors and stakeholders.

That said, not placing tons and tons of children’s and teachers’ PII in an unsecured cloud server does not necessarily require extensive bilateral cooperation, merely following basic guidance on how to configure cloud environments or handle data.

Technical Advisory — Multiple Vulnerabilities in the Galaxy App Store (CVE-2023-21433, CVE-2023-21434)

Researchers from cyber resilience firm, NCC Group, have discovered two vulnerabilities in the Galaxy App Store which is pre-installed (in addition to the Google Play Store) on Samsung Android devices. I raise these because app stores are a notorious vector for software supply chain attacks.

The first one, CVE-2023-21433, allows applications installed on a device running up to the Android 12 operating system ‘to automatically install any application available on the Galaxy App Store without the user’s knowledge’. Therefore, if an attacker installs a malicious app on the device, they have a way to install any other app from the Galaxy App Store, including another malicious app, subject to Samsung’s regulation of the app store.

The second bug, CVE-2023-21434, concerns WebViews in the Galaxy App Store. WebView is an Android extension which developers can use to ‘essentially embed… a [web] browser within [an] app to do things like render webpages and execute script’. Now, the bug involves a misconfigured filter for a WebView within the Galaxy App Store, which allows the WebView to connect the device to an attacker-controlled domain. The attacker need only get the user to click a malicious link in Google Chrome or a malicious application already on the device, launch the relevant WebView and Bob’s your Uncle.
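To make the ‘misconfigured filter’ point concrete, here is an added example (mine, not NCC Group’s or Samsung’s code, and not the specific bug in CVE-2023-21434) showing a generic pattern of the same kind: a filter that only checks that a trusted name appears somewhere in the URL, beside one that parses the URL and compares the exact host. The trusted host and the test URLs are constructed placeholders; the logic is written in Python because it is language-independent and the same check applies to any embedded browser.

```python
"""Illustrative allowlist check for URLs handed to an embedded WebView.

Added example, not the Galaxy App Store's code: the trusted host below is a
constructed placeholder, and the weak filter shows a generic misconfiguration
pattern (an unanchored substring/regex test) rather than the specific bug.
"""
import re
from urllib.parse import urlsplit

# Constructed placeholder for the only host the WebView is meant to load.
TRUSTED_HOSTS = {"store.example.com"}


def weak_filter(url: str) -> bool:
    """Filter that only checks the trusted name appears somewhere in the URL.

    The unescaped dots match any character and nothing pins the match to the
    host component, so the check passes for many URLs that are not the store.
    """
    return re.search(r"store.example.com", url) is not None


def strict_filter(url: str) -> bool:
    """Parse the URL and compare scheme and exact host against the allowlist.

    urlsplit separates userinfo, host and port, so placing the trusted name in
    the path, query, userinfo or a longer hostname does not pass.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    return host in TRUSTED_HOSTS


def evaluate(urls):
    """Return {url: (weak_verdict, strict_verdict)} for a batch of URLs."""
    return {u: (weak_filter(u), strict_filter(u)) for u in urls}


# Constructed inputs: one legitimate URL and three that merely resemble it.
SAMPLE_URLS = [
    "https://store.example.com/app/123",
    "https://store.example.com.evil.example/landing",  # trusted name is only a subdomain label
    "https://evil.example/?next=store.example.com",     # trusted name sits in the query string
    "https://store-example.com/",                       # regex dot matches the hyphen
]

if __name__ == "__main__":
    for url, (weak, strict) in evaluate(SAMPLE_URLS).items():
        print(f"{url:50} weak={weak!s:5} strict={strict}")
```

Only the first URL passes the strict filter; the weak one accepts all four. The defensive takeaway is that a WebView (or any embedded browser) should decide what to load from a parsed scheme and host, never from a pattern match over the raw string.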

Having been notified in December 2022, Samsung patched the bugs on New Year’s Day in an update for the Galaxy App Store.

That said, a reminder that attackers love trying to get to their ultimate targets through app stores, be it by exploiting weaknesses in: scrutiny of apps by the store operators to have their malicious apps approved for downloading; and/or code of applications used to access the app stores themselves. This case captures the love which attackers are showing, and slated to show, software supply chains more generally as attack vectors.

Guess it underlines the criticality of organisations having robust MDM procedures in place as well as getting the other basics right, like regular software inventories and allowlisting of applications installed on organisation-owned/-managed devices.

Meet Google Play’s Target API Level Requirement

Google has announced that, starting this month, new apps and app updates can only be made available on the Google Play Store if they target versions of the Android operating system at least as recent as Android 12 (API level 31). This requirement will not apply to: Wear OS apps, ‘which must target Android 11 (API level 30) or higher’ instead; or apps that ‘are restricted to users in a specific organization and are intended for internal distribution only’.

This ought to stave off a chunk of the already sizeable software supply chain risks faced by Android users. Put as a counterfactual: it would make no sense for Google to let users still running older versions of Android miss out on the better security enjoyed by users of Android 12 and above, leaving the former vulnerable thanks to apps that do not meet the higher security requirements of Android 12 and above.
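Organisations can run the same kind of check over their own fleet, which ties in with the point made above about software inventories and allowlisting on managed devices. The following is an added example (not from Google or the original post): it parses the `package:` and `targetSdkVersion:` lines that `aapt dump badging <apk>` prints for an APK (a real tool; the sample output and the allowlist here are constructed) and flags apps that either target an API level below 31 or are not on the allowlist.

```python
"""Inventory check for apps on managed Android devices.

Added example, not from Google or the original post. It parses the
`package:` and `targetSdkVersion:` lines that `aapt dump badging <apk>` prints
(real tool, but the sample output below is constructed), then flags apps that
target an API level below 31 (Android 12) or are absent from an allowlist.
"""
import re

# Minimum target API level required for new apps and updates on Google Play
# from January 2023, per the announcement discussed above.
MIN_TARGET_API = 31

# Constructed allowlist of packages permitted on organisation-managed devices.
ALLOWED_PACKAGES = {"com.example.mail", "com.example.mdm", "com.example.docs"}

# Constructed sample: badging output for four APKs, one entry per file.
SAMPLE_BADGING = {
    "mail.apk": "package: name='com.example.mail' versionCode='120' versionName='1.2.0'\n"
                "sdkVersion:'26'\ntargetSdkVersion:'33'\n",
    "docs.apk": "package: name='com.example.docs' versionCode='7' versionName='0.7'\n"
                "sdkVersion:'21'\ntargetSdkVersion:'29'\n",
    "mdm.apk":  "package: name='com.example.mdm' versionCode='44' versionName='4.4'\n"
                "sdkVersion:'28'\ntargetSdkVersion:'31'\n",
    "game.apk": "package: name='net.example.game' versionCode='3' versionName='3.0'\n"
                "sdkVersion:'23'\ntargetSdkVersion:'30'\n",
}

_PACKAGE_RE = re.compile(r"^package: name='([^']+)'", re.MULTILINE)
_TARGET_RE = re.compile(r"^targetSdkVersion:'(\d+)'", re.MULTILINE)


def parse_badging(text: str) -> dict:
    """Extract the package name and target API level from badging output."""
    pkg = _PACKAGE_RE.search(text)
    target = _TARGET_RE.search(text)
    if not pkg or not target:
        raise ValueError("badging output missing package or targetSdkVersion line")
    return {"package": pkg.group(1), "target_sdk": int(target.group(1))}


def audit(badging_by_apk: dict, allowlist=ALLOWED_PACKAGES, min_target=MIN_TARGET_API) -> dict:
    """Return {apk: [findings]}; an empty list means the app passed both checks."""
    report = {}
    for apk, text in badging_by_apk.items():
        info = parse_badging(text)
        findings = []
        if info["package"] not in allowlist:
            findings.append(f"{info['package']} is not on the allowlist")
        if info["target_sdk"] < min_target:
            findings.append(
                f"targets API {info['target_sdk']}, below the required {min_target}"
            )
        report[apk] = findings
    return report


if __name__ == "__main__":
    for apk, findings in audit(SAMPLE_BADGING).items():
        print(f"{apk:10} {'OK' if not findings else '; '.join(findings)}")
```

In the constructed sample, `mail.apk` and `mdm.apk` pass, `docs.apk` is flagged for its target level, and `game.apk` for both its target level and its absence from the allowlist. Feeding the real `aapt` output for each APK pulled from a device (or from an MDM export) into `audit` gives the same report over the actual fleet.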

Although, to be the life of the party I always am, would this merely clean cobwebs, rather than kill the spider?

Given the open and thus fragmented nature of the Android ecosystem, security of Android devices is far from uniform. Folks have a variety of devices sold by a variety of vendors and running a variety of versions of Android in relation to which said variety of vendors have a variety of timeframes for distributing Android patches to the devices, creating a ‘patch gap’. Those vendors include Google itself (ie for its Pixel smartphone).

Cf Apple’s far more controlled ecosystems for iOS, iPadOS and MacOS. Apple runs pretty much all of the respective technology stacks, save the third-party applications whose security and availability it regulates as the gatekeeper for the App Store and Mac App Store. Since Apple designs and markets the hardware and the operating system, it can (take far greater action to) ensure that all devices run the latest version of the relevant operating system and thus enjoy the same protections up to that level of the relevant technology stack. (I will leave antitrust scrutiny of all this aside because I am not an antitrust law expert.)

FAA NOTAM Statement

The United States’ Federal Aviation Administration (‘FAA’) has disclosed some of the findings of its preliminary review into what caused the 11 January outage of its Notice to Air Missions system (‘NOTAM’).

As a bit of context, NOTAM is a vital piece of infrastructure which provides ‘information essential to personnel concerned with flight operations but not known far enough in advance to be publicized by other means’, including information about safety hazards within America’s National Airspace System (‘NAS’). The outage forced the FAA to ground all departures in the NAS until it started restoring NOTAM — that’s how vital NOTAM is.

Now, I had an inkling early on that it was non-malicious and the FAA itself had said, as it sought to bring NOTAM back online, that it found no evidence of it being malicious.

The agency then stated on the evening of 19 January (US time) that, per its preliminary review, the outage was caused when ‘[an FAA] contract[or’s] personnel unintentionally deleted files while working to correct synchronization between the live primary database and a backup database’. Per its email to members of Congress, seen by Reuters, the FAA identified the contractor as Spatial Front and revoked the access of all Spatial Front personnel ‘directly involved in the deletion… to FAA buildings and systems’ while the investigation is pending.

Not only did the NOTAM outage demonstrate how heavily the provision of essential services vital to the national interest has come to rely on technology, but also the sheer complexity of that technology and the consequent national security risks that said complexity engenders. Indeed, this makes it all the more critical for operators to factor in their personnel and folks from their supply chains tripping over their own shoelaces as a threat more likely to eventuate than a wickedly intricate attack by the ‘winged ninja cyber monkeys’, to borrow Dr Ian Levy’s phrase. Just ask cloud people.

And I refer to tripping over shoelaces advisedly because, to quote cyber resilience expert, Joe Pescatore, in a recent edition of SANS NewsBites:

File integrity management is one of basic security hygiene requirements that actually works when done right.

Translation: The outage was not because the contractor’s personnel couldn’t thread a needle.

Keep checking on your suppliers and service providers, folks. Audit their employee training programmes, including how often they provide refresher training. Ask them about their culture. Because employees who are well-drilled in a decent organisation should not be making mistakes like the above.
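To show what ‘file integrity management … done right’ looks like at its most basic, here is an added example (mine; not FAA, Spatial Front or SANS code). It records a baseline of SHA-256 digests for every file under a directory, then compares a later snapshot against it and reports what was deleted, modified or added. The directory tree and the simulated sync mistake are constructed in a temporary directory so the script runs anywhere.

```python
"""File integrity baseline and comparison, as an added example.

Not FAA or Spatial Front code: a minimal baseline-and-compare routine that
reports files deleted, modified or added since the baseline was recorded. The
sample tree and the simulated sync mistake are constructed in a temp directory.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large database files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each relative file path under root (POSIX form) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots into deleted/modified/added."""
    deleted = sorted(set(baseline) - set(current))
    added = sorted(set(current) - set(baseline))
    modified = sorted(
        p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
    )
    return {"deleted": deleted, "modified": modified, "added": added}


def demo() -> dict:
    """Build a constructed tree, take a baseline, simulate a bad sync job, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "primary.dat").write_bytes(b"primary-records-v1")
        (root / "db" / "backup.dat").write_bytes(b"backup-records-v1")
        (root / "db" / "index.dat").write_bytes(b"index-v1")
        baseline = snapshot(root)

        # Simulated sync mistake: one file removed, one overwritten with the
        # primary's content, and a stray temporary file left behind.
        (root / "db" / "index.dat").unlink()
        (root / "db" / "backup.dat").write_bytes(b"primary-records-v1")
        (root / "db" / "sync.tmp").write_bytes(b"")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:8} {paths}")
```

In practice the baseline would be stored somewhere the people doing the maintenance cannot rewrite it, and the comparison would run on a schedule (or be triggered by the change process) so that a deletion is caught before the system is declared healthy rather than after departures are grounded.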

The FAA has said that it ‘made the necessary repairs to the system and has taken steps to make the NOTAM system more resilient’. Dunno what the second bit means and thus would love to read the final report when the investigation is done.

Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats

Unit 42, part of cyber security firm Palo Alto Networks, is out with a write-up on CVE-2021-35394, a bug disclosed in August 2021 and affecting UDPServer in Realtek Jungle SDK (software development kit) versions 2.0 up to 3.4.14B. The bug enables remote code execution by unauthenticated attackers, followed by device takeover.

Given that the CVSS 9.8 bug is in a software development kit used to build applications for chips designed by Realtek and used by dozens of IoT vendors in dozens and dozens of IoT device models, Unit 42’s saying, ‘This is a typical supply chain issue in that it can be difficult to identify whether your own devices are impacted’, is an understatement.

As the firm puts it:

CVE-2021-35394 affects almost 190 models of devices from 66 different manufacturers… According to a Shodan scan searching for this vulnerability, we found port 9034 open in over 80 different IoT devices, and these devices belong to 14 unique vendors… [R]outer models manufactured by several popular networking vendors are affected by CVE-2021-35394… [T]he brands in Table 1 [see below] have the most popular vulnerable devices in mid-to-large sized deployments.

Exacerbating matters are the tons of exploitation attempts. Between August and October 2022, these constituted over 40% ‘of the total number of attacks’. As of December 2022, Unit 42 observed 134 million exploit attempts involving this bug, around 97% of which happened since August 2022. And many of these attacks tried to deliver malicious payloads to IoT devices as part of ‘large-scale attacks on smart devices around the world’.
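For defenders who cannot easily tell which of their devices embed the affected SDK, network telemetry is one way to find out what is actually reachable. The following is an added example (mine, not Unit 42’s tooling) that scans constructed firewall flow records for inbound traffic to port 9034, the port Unit 42 reports as open on exposed devices, and names the IoT assets that were reachable on it. UDP is inferred from the vulnerable component’s name (UDPServer); the log format, addresses and asset inventory are constructed.

```python
"""Flag traffic to the Realtek Jungle SDK UDPServer port over sample flow records.

Added example, not Unit 42's tooling. Port 9034 is the one Unit 42 reports as
open on exposed devices; UDP is inferred from the vulnerable component's name
(UDPServer). The log lines and the asset inventory below are constructed.
"""
from collections import defaultdict

REALTEK_UDPSERVER_PORT = 9034

# Constructed asset inventory: which internal addresses are IoT devices.
IOT_ASSETS = {"10.0.5.20": "branch-router-A", "10.0.5.21": "ip-camera-lobby"}

# Constructed firewall flow records: timestamp, direction, proto, src, dst, action.
SAMPLE_LOG = """\
2023-01-25T10:00:01Z in udp 203.0.113.7:53211 -> 10.0.5.20:9034 allow
2023-01-25T10:00:02Z in udp 203.0.113.7:53212 -> 10.0.5.21:9034 allow
2023-01-25T10:00:03Z in tcp 198.51.100.9:44120 -> 10.0.5.30:443 allow
2023-01-25T10:00:04Z in udp 198.51.100.9:40001 -> 10.0.5.20:9034 deny
2023-01-25T10:00:05Z in udp 192.0.2.44:60000 -> 10.0.5.21:9034 allow
2023-01-25T10:00:06Z out udp 10.0.5.20:9034 -> 203.0.113.7:53211 allow
"""


def parse_line(line: str) -> dict:
    """Split one constructed flow record into its fields."""
    ts, direction, proto, src, _arrow, dst, action = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": ts, "direction": direction, "proto": proto,
        "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port), "action": action,
    }


def records(log_text: str):
    """Yield parsed records, skipping blank lines."""
    for raw in log_text.splitlines():
        if raw.strip():
            yield parse_line(raw)


def count_attempts(log_text: str) -> int:
    """Count every inbound flow aimed at the port, whether allowed or denied."""
    return sum(
        1 for rec in records(log_text)
        if rec["direction"] == "in" and rec["dst_port"] == REALTEK_UDPSERVER_PORT
    )


def find_exposed_devices(log_text: str, assets=IOT_ASSETS) -> dict:
    """Return {asset_name: sorted external sources} for allowed inbound UDP/9034.

    An allowed inbound flow to an IoT asset on this port means the device is
    reachable on the vulnerable service and should be patched or isolated.
    """
    hits = defaultdict(set)
    for rec in records(log_text):
        if (rec["direction"] == "in" and rec["proto"] == "udp"
                and rec["dst_port"] == REALTEK_UDPSERVER_PORT
                and rec["action"] == "allow"
                and rec["dst_ip"] in assets):
            hits[assets[rec["dst_ip"]]].add(rec["src_ip"])
    return {name: sorted(srcs) for name, srcs in hits.items()}


if __name__ == "__main__":
    print("inbound attempts on udp/9034:", count_attempts(SAMPLE_LOG))
    for name, sources in find_exposed_devices(SAMPLE_LOG).items():
        print(f"{name}: reachable on udp/9034 from {', '.join(sources)}")
```

Over the constructed log, four inbound flows target the port and two assets were actually reachable on it. The same two-number view (attempts versus successful reach) is what a SOC would want from real firewall or NetFlow data: the first tracks the exploitation noise Unit 42 describes, the second is the list of devices to chase with the vendor or pull off the Internet-facing segment.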

Considering that this is a CVSS 9.8, the sheer size of the attack surface (ie the market penetration of IoT generally) and organisations’ questionable security controls, if at all, for IoT, fun times abound and await, people.

Especially when, as I’ve mentioned earlier in this edition, agencies have already warned about software supply chain attacks being on the rise. Unit 42 backs this up:

The surge of attacks leveraging CVE-2021-35394 shows that threat actors are very interested in supply chain vulnerabilities, which can be difficult for the average user to identify and remediate.

Negative externalities galore.

Software SCRM makes the world go round, people!

Joint Statement by United States Secretary of Homeland Security Mayorkas and European Union Commissioner for Internal Market Breton

Secretary Mayorkas and Commissioner Breton met on 27 January in Washington. What I love is that their joint statement is on ‘cooperation… in the fields of Cyber Resilience’ (my emphasis). Because focusing on cyber security alone, in this day and age, would make even Sisyphus blush.

The meeting marked the launch of three ‘workstreams’ to effect the EU-US Cyber Dialogue:

  1. Information Sharing, Situational Awareness and Cyber Crisis Response;
  2. Cybersecurity of Critical Infrastructure and Incident Reporting Requirements; and
  3. Cybersecurity of Hardware and Software.

The ‘initial deliverables’ include: sharing intelligence on threats, vulnerabilities and incidents, as part of aiding stuff like ‘diplomatic responses’ (ie publicly attributing attacks and imposing sanctions on malicious cyber actors and their state sponsors?); sorting out a ‘working arrangement between ENISA and CISA’; and cooperating on safeguarding civilian space systems.

Re 2), I wonder if the Yanks look wistfully across the pond, given that NIS2, DORA and the updated Directive on the resilience of critical entities went into effect in mid-January while they could only enact CIRCIA, which itself is not in force until the CISA Director writes rules fleshing out the reporting requirements (6 USC § 681b(a)(7)).

3) is my favourite, though, as a software SCRM nerd. It builds on cooperation under Working Group 4 (‘ICTS Security and Competitiveness’) of the EU-USA Trade and Technology Council (‘TTC’). In particular, I’m reminded of the ‘Trade and Technology Council Statement on the Importance of Security, Diversity, Interoperability, and Resilience for Information and Communications Technology and Services’ from the May 2022 meeting. This called for ‘a rigorous and risk-based evaluation of equipment, software, and services suppliers’ (my emphasis) and ‘address[ing] all of the layers and elements of the ICTS supply chain, from the physical to application layers…’ (my emphasis).

Cyber is a realm of statecraft, folks — good to work with friends to clean it up, given that the lot of us tend to use the same software.

In any case, that Commissioner Breton met with his US counterpart is a nice change from the former’s withdrawing from the December 2022 TTC meeting because of strident disagreements with the Yanks over tax incentives provided by the Inflation Reduction Act for US battery and electric vehicle industries. But then again, the just-concluded January meeting was on anyway.

China Owns Vast Network of UK Real Estate, Offshore Records Reveal

Per a UK government register of real estate owned by offshore entities, the China Investment Corporation — which manages the PRC’s forex holdings — is the ultimate beneficial owner of over 250 properties across Britain.

The especially concerning bits:

They include distribution centres that are key to the flow of food and goods in multiple regions of the UK including the south-west and south-east of England and the Midlands.

… focused on distribution depots, retail parks and trading estates, including some that are critical to regional infrastructure.

Come on, Poms, what happened to robust investment screening mechanisms that require ascertainment of the ultimate beneficial ownership of a prospective buyer of real estate on which critical infrastructure assets or stuff vital to the supply chains of said assets stand?

Speaking of the critical infrastructure angle, I am reminded of why the then-Treasurer of Australia, Scott Morrison, used his legal power to veto the partial sale of electricity distributor, Ausgrid, by the New South Wales government to a Chinese-dominated partnership on national security grounds in 2016. Reportedly, our Siginters had raised the alarm ‘half a minute to midnight’ that ‘Ausgrid hosts a piece of infrastructure that is a critical support to the Joint Facilities at Pine Gap’.

Context: Pine Gap is one of the crown jewels of FVEY and the Australia-USA bilateral because it serves as a signals and geospatial intelligence collection facility providing situational awareness — including for ballistic missile defence purposes — of the Eurasian landmass and the Indo-Pacific region. Pine Gap hoovers up all those signals and other emissions, processes them and sends them off to customers including America’s nuclear forces. It’s so important an installation for the FVEY peeps that the USSR designated it a target for nuclear strike.

Back to cyber: one doesn’t always need to spend a fair bit of time and effort to ‘cyber’ their way into a CNI asset if they own the land the asset sits on. One could simply station their own people and equipment on the ground.

Which is a concern in relation to the Northern Territory government’s lease of the Port of Darwin to the Chinese-owned company, Landbridge Group, in 2015. That lease was followed by uproar from the then-Obama Administration about consequent risks to the deployment of US Marines in Darwin, prompted the enactment of the aforementioned national security veto power of the Commonwealth Treasurer, and is being reviewed by the current Australian government.

That all said, at least the UK and Australian governments today are far more alive to the need for the state to invest in the protection of critical infrastructure assets than the UK government was in the 1970s, even after Provisional IRA targeting was discovered to include public utilities:

Source: Christopher Andrew, The Defence of the Realm: The Authorized History of MI5.

Protect Your Exchange Servers

Microsoft doth proclaim:

We’ve said it before, we’re saying it now, and we’ll keep saying it: it is critical to keep your Exchange servers updated.

Given all the attacks against on-prem Exchange servers in the last few years, starting with the Chinese (HAFNIUM) dropping web shells on hundreds of boxes in 2021, why would you not shift to a cloud-based service?

Why not outsource your risk management to a CSP with a far better-resourced security team than you?

TikTok Bans at Major Colleges Aren’t Going over Well with Students

The headline’s enough.

It suggests that the bans are well-targeted, given the user demographic for this firehose for Chinese Sigint and foreign interference otherwise known as TikTok.

After all, one would think that the percentage of devices connected to university Wi-Fi networks and running the app would be far higher than that of devices owned or managed by universities or governments and that have the app installed.

Amusing Stuff from the Internet

Let’s close with some laughs.

#TrippingOverYourOwnShoelaces

Thanks for reading, folks!


A Techno-Legal Update

Vignettes from the intersection of law and technology, and a word or two about sport. Composed by Ravi Nayyar.