Perpetual IT

This week’s fascinating Friday fable reaches back nearly a decade, and is a reminder of how hard it can be to decide what wrong has been done, if any, in court cases that deal with what most people would call “hacking”.

The story of the original court case is simply told, and it goes like this.

In late 2013, X was brought in as an IT manager for a city in the state of Georgia in the US, supposedly to “increase the reliability and efficiency of the City’s computer system.”

X seems to have decided that Y’s work wasn’t up to scratch, and “criticized Y’s work performance, which led to an argument and a loud outburst from Y.”

The outcome of this, it seems, is that Y had some of his IT powers reduced for security reasons, and sadly ended up getting fired in mid-2014.

A couple of months after Y’s departure, X received an email from another colleague, whom we shall call Z, and replied as he normally would…

…only to receive a “bounce” message (a delivery failure) from a mysterious external email address, Q.

An additional recipient

You can probably guess what was going on here.

Back in 2013, presumably before his administrator privileges were revoked but after their falling-out, Y had modified X’s email account settings so that a copy of all X’s incoming email messages would be sent to the mysterious outside address, Q.

Q, it transpired, was not only operated by Y but also had been “routinely accessed from his cellphone.”

As you probably know, abusing built-in mail forwarding rules in email systems is a common trick used by cybercrooks to keep tabs on what their victims are up to, especially in so-called Business Email Compromise (BEC) scams.

BEC criminals typically monitor messages to senior figures in a company, such as the CEO or CFO, so that they have first-hand information about major financial milestones.

When huge invoices are due (or, in one notorious case, when a multimillion dollar major league soccer transfer was about to conclude), the crooks make their play to get some or all of the money redirected to a bogus account.

The ruse revealed

In this case, the siphoning off of X’s emails had been orchestrated unsubtly enough that it eventually drew attention to itself when one of X’s reply-to-alls failed to reach the unexpected additional recipient.

Unsurprisingly, perhaps, Y was prosecuted, convicted by a jury of “computer trespass”, and sentenced to 10 years’ probation.

Given that there is no suggestion that Y didn’t actually do what was described above – namely, use his Administrator powers to get copies of his boss’s emails – this probably sounds like an open-and-shut case.

However, Y has very recently, nearly eight years after the incidents described above, had his conviction set aside by the Supreme Court of Georgia.

The legal report from the hearing makes fascinating reading, albeit that it is both lengthy (at 36 pages) and full of legal jargon, such as:

The fundamental rules of statutory construction require us to construe [a] statute according to its own terms, to give words their plain and ordinary meaning, and to avoid a construction that makes some language mere surplusage.

Obstruction and interference

In plain English, the judgment focuses on examining whether the plain English meaning of the words “obstruction” and “inferference”, as used in Georgia’s Computer Trespass law, actually apply in this case.

Did Y’s actions – siphoning off and looking at someone else’s business email, even after his employment at that company had ended – really amount to obstruction, given that no emails were actually impeded?

The court, it seems, decided that Y didn’t obstruct or interfere with anything, so that whatever he did, it wasn’t Computer Trespass, even though the judgement expressly notes that it is “[i]t is undisputed that Y did not have authority or permission to forward X’s e-mail.”

Ironically, the judgement mentions in one of its footnotes that Y could have been charged under a nearby part of Georgia law that uses rather different words, perhaps with a different final outcome.

That part of the Georgia computer crime statutes criminalises “us[ing] a computer or computer network with the intention of examining any employment, medical, salary, credit, or any other financial or personal data relating to any other person with knowledge that such examination is without authority.”

The dissenters

Interestingly, three of the judges on this case dissented from the majority opinion, remarking that:

By manipulating the data stream to give himself access to X’s e-mails, Y intermeddled in the affairs of others and the data intended to go to others with neither authority nor invitation. As such, there was sufficient evidence to support a finding that Kinslow interfered with the use of the City’s computer program and its data.

Additionally, the dissenting judges criticised the majority opinion with these intriguing words:

The majority opinion educates wrongdoers that they are better off from both a detection standpoint and from prosecution as a matter of law if they simply copy data rather than block its delivery.

We can’t help but wonder whether the dissenters were alluding to contemporary ransomware attacks here, where data is often both copied, or “stolen” as you or I might say (which does not prevent the owner of the data from continuing to use it), and scrambled (which does).

What do you think?

[05’32”] When you spend tens of pounds but get billed thousands because the system mistook the date for the amount.  [14’17”] Our tips to make #SocialMediaDay your safest day on social media yet.  [28’06”] A clip from a great new privacy splintersode we’ll be airing next week.  [33’46”] Oh! No! of the week

With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

There’s a critical Windows bug out there that’s not only known by three different names, but also listed variously as having three different severities.

The first name you will see is the official MITRE identifier CVE-2021-1675, fixed in the Microsoft June 2020 Patch Tuesday update that was issued on 08 June 2021.

You’ll also hear and see the flaw referred to as the Print Spooler bug, based on the headline on Microsoft’s security update guide that describes the flaw as a Windows Print Spooler Vulnerability.

The bug was initially documented by Microsoft as opening up an EoP (elevation of privilege) hole in pretty much every supported Windows version, all the way from Windows 7 SP1 to Server 2019.

ARM64 versions of Windows, Server Core builds (minimalist installs of Windows Server products) and even Windows RT 8.1 made the list of affected platforms.

But on 21 June 2021, Microsoft upgraded the CVE-2021-1675 security update page to admit that the bug could be used for RCE (remote code execution) as well, making it a more serious vulnerability than an EoP-only hole.

Breaking in and taking over

As you probably know, EoP means that someone who has already compromised your computer, but is stuck with the sort of access that you would have yourself when logged on as a regular user, can promote themselves to a more privileged account without needing to know the password for that account.

An attacker who could promote themselves to the local SYSTEM account, for example, could do far more than just read or scramble your files (as bad as that would be on its own).

With access to the SYSTEM account, the attacker could capture all network traffic, load and unload kernel drivers, change security settings that are off-limits to regular users, scrape through the memory of every process looking for trophy data such as credit card numbers or passwords that never get saved to disk, and much more.

That’s bad enough, but RCE refers to a bug by which cybercriminals can break into your computer in the first place; if the bug then also permits EoP, then that’s even worse, because it essentially combines breaking in and taking over into a single security hole.

Of course, the upgrade in the severity of CVE-2021-1675 from EoP to RCE didn’t matter – or so everyone thought – as long as you’d already applied the Patch Tuesday update.

After all, closing a security hole protects you whether that hole is an EoP, an RCE, or both.

Not all bugs created equal

Apparently, what happened next was an unfortunate publication mistake.

Researchers from the cybersecurity company Sangfor, who were preparing to present a paper on Print Spooler bugs at a forthcoming Black Hat conference in August 2021, seem to have decided that it would be safe to disclose their proof-of-concept work earlier than intended.

After all, what harm in discussing and demonstrating the Print Spooler RCE bug openly, given that it was now publicly documented as an RCE, and had been patched two weeks earlier?

You can probably guess where this is going.

It seems that the newly-disclosed Print Spooler bug discovered the Sangfor researchers wasn’t actually the same security hole that was fixed on Patch Tuesday.

In short, the Sangfor crew inadvertently documented an as-yet-undisclosed RCE bug, thus unintentionally unleashing a zero-day exploit.

The researchers apparently took down the offending information once the mistake was figured out…

…but by then it was too late, because the exploit code had already been downloaded and republished elsewhere.

Pandora’s jar had already been opened, and it was too late to close it up again.

The new-and-unpatched bug is now widely being described by the nickname PrintNightmare: it’s a Windows Print Spooler Remote Code Execution Vulnerability, just like CVE-2021-1675, but it’s not prevented by the latest Patch Tuesday update.

Indeed, several independent researchers have published screenshots on Twitter showing the new exploit succeeeding on a Windows server that already has Microsoft’s June 2021 patches installed.

What to do?

There’s no official patch yet [2021-06-30T21:00Z].

We’re assuming that a fix will be released by Microsoft as soon as possible – perhaps even before next month’s Patch Tuesday updates are scheduled to arrive (12 July 2021), if a reliable patch can be created in time.

Watch out for a patch and deploy it as soon as you can once it’s out.

Until then, it looks as though disabling the Print Spooler on vulnerable computers is a satisfactory workaround.

If you have servers where you absolutely have to leave the Print Spooler running, we suggest that you limit network access to those servers as strictly as you can, even if it means that some of your users experience temporary inconvenience.

If you have servers where the Print Spooler is running but is not in fact necessary, turn it off and leave it off even after the patch comes out for this bug, on the principle of not exposing a larger attack surface than you need to.

Also, watch this space – more news as we have it!

PS. While you’re about it, please make sure that you have correctly installed the CVE-2021-1675 fix that came out on Patch Tuesday. There’s not much point in chasing after this new RCE bug for which there isn’t yet a patch if you are still exposed to the old RCE bug that does have a patch!

More than eight-and-a-half years ago, we wrote about the US indictment of three cybercrime suspects.

The troika was wanted for allegedly operating a bank-raiding crimeware “service” known as Gozi, based on zombie malware that used a technique known as HTML injection to trick victims into revealing personal information relating to their on-line banking.

As we explained at the time [original text slightly edited]:

Adding to or altering the content of a bank’s online login form is tricky if you want to make the modifications on the server side or while the content is in transit. […]

But if you can plant malware on the victim’s PC, you can use what’s known as an MiTB attack, or “manipulator in the browser”.

Then, you wait until a suitable online transaction form has been securely delivered and decrypted for display in the browser. Only then do you inject content into the HTML in order to modify the form, for example to request additional security information that wouldn’t normally be needed at that point.

Finally, you exfiltrate the extra data entered by the victim by sending it somewhere other than the bank.

By leaving the genuine fields in the web form alone, and allowing data in the genuine parts of the form to flow to the regular banking site as usual, HTML injection attacks generally don’t interfere with the original transaction.

That means there is no tell-tale error message or failed transaction that the crooks need to disguise, and there is no tell-tale fake URL in the address bar that an observant user might notice.

Using the stolen data, the Gozi crooks could then raid the victim’s bank account, with the US Department of Justice (DOJ) noting at the time that there were at least 17,000 Gozi malware infections in the US alone, including 160 at NASA.

It seems that rocket scientists aren’t aren’t just people of interest to cybercrooks for the latest spaceplane plans – their bank account details are valuable, too.

The three defendants were accused of playing different roles in the overall scam, detailed by the 2013 charge sheet as follows:

Kuzmin was said to have been what you might call the COO of the “business”, hiring coders to write the Gozi malware and operating the Crimeware-as-a-Service (CaaS) business based around it.

Čalovskis was the HTML injection expert, coding up the HTML modifications used to trick the victims and steal their account information.

Paunescu allegedly ran what are known as “bulletproof hosts” for the enterprise – servers that are intentionally operated to be hard for cybersecurity defenders to identify and take down.

By 2016, Kuzmin – whom we assume was caught in the US despite himself being Russian, and who had been in custody for more than three years while his case dragged on – finally pleaded guilty, and was sentenced to “time served”, meaning that his 37 months on remand were considered incarceration enough.

He was also required to forfeit just under $7,000,000, which gives you an idea of how much money bank-raiding malware crooks stand to make off with.

Čalovskis was in Latvia, and sucessfully fought extradition to the US until 2015, having convinced a Latvian court that his likely sentence would be considered unreasonably harsh by Latvian standards.

(The DOJ routinely lists maximum sentences in its reports – 67 years in the case of Čalovskis, as shown above – even though maximums are rarely handed out.)

By 2015, however, the two countries had apparently reached a “reasonableness agreement” whereby Čalovskis, if extradited, would not appeal his conviction or sentence if he were to get no more than two years.

In the end, that’s what happened, with Čalovskis being sent to the US, pleading guilty and admitting: “I knew what I was doing was against the law.”

After 21 months in custody, he too was sentenced to “time served” while waiting extradition and sentencing, a period of less than two years, as agreed in advance.

Only Paunescu remained out of the DOJ’s clutches, apparently spared from extradition by a Romanian court.

Until this week, that is, when he was picked up at Bogotá International Airport by the Colombian authorities, who promptly contacted the US diplomatic service to see if it wished to begin extradition proceedings.

We’re not sure whether Paunescu was busted on the way in or on the way out; reports state just that he was “sporting a thick beard and wearing a red t-shirt.”

(A Wu-Tang Clan shirt, apparently, according to one image bearing the Colombian Attorney General’s logo.)