New trends in targeted attacks against civil society in 2019
10 years ago, the GhostNet report published by the Citizen Lab made quite a buzz: it described a large, coordinated effort to compromise computers around the world, from the embassy of India in the US to PetroVietnam. It was one of the first times that an attack campaign of that scale was revealed, but what made it especially important is that the campaign was discovered when researchers identified attacks against the Tibetan community in exile, and more specifically against the Office of the Dalai Lama.
We now have a much better understanding of these attacks against civil society, with multiple examples from different regions and using different techniques, mostly thanks to the work of a few research labs and non-profit organisations like the Citizen Lab, Amnesty International or the EFF, but also from the security industry, often in reports that cover attacks targeting industry at the same time (you can find a list of these reports curated by Claudio Guarnieri here).
The digital landscape has changed quite a bit in the last ten years. There are now more groups supporting civil society and Human Rights Defenders at the intersection of technology and security, offering security trainings, collaborative maintenance of civil society websites, and events about technology and human rights. Yet there is still a gap between the security researchers who closely follow the moving landscape of targeted attacks and the people supporting civil society with trainings and technical support. I hope that this blog post can help bridge this gap by summarizing important changes in targeted attacks over the past year.
This year, we have seen confirmation that attacks targeting smartphones are far more common than they used to be, mostly in connection with three important events:
There are 0-day attacks against smartphones, both one-click (a message with a link that the target needs to click on) and 0-click (no action needed from the target), available to dedicated groups with sufficient funds. There is no easy way to be protected against them. We either have to limit the attack surface available to these tools (for instance, by disabling iMessage on iPhone if you do not need it, or by using fewer chat applications), or assume that some devices are compromised if these types of attacks are in our threat model.
This topic is definitely an important one that we have to work on collectively, but we should not forget that most attacks today do not need 0-days to be successful, and keep in mind that attacks using known vulnerabilities are far more common against civil society.
All the discussion about 0-days should not make us forget that most attacks are technically really simple. And they work. This is also true for attacks against smartphones. For anyone buying a random Android phone today, the chances are high that the phone is not up to date and may not even have updates available (this depends on the country of purchase and the price range of the phone, which creates an important inequality in smartphone security).
Attackers understand this. Tibetan groups were targeted this year by an attack framework that relied only on old-day (already patched) vulnerabilities, one for iOS and 8 for Android. In most cases, the attackers only had to take the exploit code from the Chrome bug tracker and adapt it to be able to exploit the vulnerability in the wild.
There are a few things we can do against this threat:
For many years, one of the main solutions against phishing has been to recommend the use of Two-Factor Authentication. Two-Factor Authentication (2FA) uses a secondary means of authentication in addition to the password. There are three common ways to do 2FA (ranked from the least secure to the most secure):
In 2019, we received confirmation that attackers are now commonly using phishing kits that bypass all forms of 2FA except hardware keys:
All of these phishing kits bypass every form of second-factor authentication except hardware keys. Hardware keys are more robust and not vulnerable to these attacks: the key provides the temporary code to the domain through the browser, but only after confirming that the current domain matches the domain registered when the key was enrolled. Therefore, classic techniques like using a domain similar to the real one (
gooogle.com instead of google.com, for example) are completely ineffective against it.
We have to expect that all phishing kits will support bypassing most forms of 2FA in the future, and promote and provide hardware security keys to human rights defenders.
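The origin check described above is what makes a hardware key different from a code typed into a page. The following script is an added illustration (not code from the original post): it mimics the FIDO2/WebAuthn flow, where the browser writes the page's origin into the signed client data and the server refuses any assertion whose origin or rpIdHash differs from what it registered. The signature is a stand-in (HMAC over the same bytes a real key signs) so that it runs with the standard library only; a real key uses a per-site asymmetric key pair, which does not change the check. The domains are the ones from the text.

```python
"""Why a hardware security key survives a lookalike-domain phishing page.

Added illustration (not code from the original post). The signature is an
HMAC stand-in for the key's real asymmetric signature.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "google.com"                    # relying party id the key was enrolled for
EXPECTED_ORIGIN = "https://google.com"  # the only origin the server accepts


def browser_client_data(origin: str, challenge: bytes) -> bytes:
    """The browser, not the web page, fills in the origin it is really on."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()


def authenticator_sign(key_secret: bytes, rp_id: str, client_data: bytes) -> dict:
    """Authenticator data starts with sha256(rpId); the key signs it together with the client data hash."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # flags byte: user present
    signed_bytes = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(key_secret, signed_bytes, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"authData": auth_data, "clientDataJSON": client_data, "signature": signature}


def relying_party_verify(key_secret: bytes, challenge: bytes, assertion: dict,
                         expected_origin: str = EXPECTED_ORIGIN, rp_id: str = RP_ID) -> tuple:
    """Return (ok, reason), following the order of checks in the WebAuthn spec."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != challenge.hex():
        return False, "challenge mismatch (replay)"
    if client.get("origin") != expected_origin:
        return False, "origin mismatch: " + str(client.get("origin"))
    auth_data = assertion["authData"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    signed_bytes = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(key_secret, signed_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def login_attempt(page_origin: str) -> tuple:
    """Simulate a user touching their key on a page at `page_origin`.

    A proxy sitting between victim and server can forward the genuine server's
    challenge and forward the key's answer back, just as it forwards a typed
    code. The answer, however, carries the origin the browser saw, so the
    genuine server rejects it.
    """
    key_secret = secrets.token_bytes(32)  # established at enrolment in this toy model
    challenge = secrets.token_bytes(32)   # issued by the genuine server
    client_data = browser_client_data(page_origin, challenge)
    # The browser derives rpId from the page's own domain; a page cannot claim another site's rpId.
    assertion = authenticator_sign(key_secret, urlparse(page_origin).hostname, client_data)
    return relying_party_verify(key_secret, challenge, assertion)


if __name__ == "__main__":
    print(login_attempt("https://google.com"))   # (True, 'ok')
    print(login_attempt("https://gooogle.com"))  # (False, 'origin mismatch: https://gooogle.com')
```

A one-time code from an app or SMS contains no information about which page asked for it, so a relay cannot be detected from the code alone; the signed WebAuthn assertion binds the page origin and the rpId, which is the whole of the protection.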
OAuth (Open Authorization) is a protocol designed for access delegation and has become a popular way for major platforms (Facebook, Google, Twitter, etc.) to permit sharing of account information with third party applications. For some years now it has also been used in phishing campaigns against civil society: first by groups with a high technical level such as APT28, then by groups with significantly lower technical skills.
OAuth phishing is a rather basic technique but it is very effective for one reason: it defeats most recommendations given to users against phishing websites. Most trainings advise users to check the domain name or the content of the page, but with OAuth phishing an actual Google page is shown to the user to request access to their account. If the user has never heard about OAuth, it is quite easy to misunderstand what is happening and fall for it. Two-Factor Authentication does not help with OAuth phishing either, as the user is legitimately logged in with their Google account.
When these attacks appeared, Google (and likely other major platforms) started to take measures to make these attacks more difficult, by adding a verification process for OAuth applications requesting sensitive scopes, and by initiating threat investigations to block malicious applications. Google has also added an Advanced Protection feature that disables OAuth access to email and documents.
For quite some time, I thought we would see a drop in OAuth phishing in 2019. It turns out I was wrong. Many examples of OAuth phishing this year show that OAuth phishing is still regularly used against civil society and that, more importantly, these attackers are using new tricks to bypass Google protections. An Amnesty International report from Summer 2019 describes OAuth phishing attacks that asked targets to give access to a legitimate third party application, and then used social engineering to try to convince them to share the access key with the attacker. While the technique may not be especially effective, it is clever and shows that attackers are still exploring new ways to abuse OAuth access.
So OAuth phishing is still here and it will likely be for some time. There are a few things we can do against these attacks:
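Since the consent page is a genuine Google page, the domain check taught in trainings says nothing; what can be checked is what the request asks for, and the authorization URL carries that in its query string. The following helper is an added example (not code from the original post or from Google) that pulls out the client, the redirect target and the requested scopes, and flags the scopes that hand over mail or files. The scope strings are real Google API scopes; the client id and redirect host in the constructed sample URL are placeholders.

```python
"""Read an OAuth consent request before approving it.

Added example (not from the original post or from Google). Parses the query
string of a Google authorization URL and flags scopes that grant access to
mailbox or document contents.
"""
from urllib.parse import urlparse, parse_qs

# Real Google API scopes that hand over mailbox or document contents,
# i.e. the ones OAuth phishing against civil society goes after.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "full Gmail access (read, send, delete)",
    "https://www.googleapis.com/auth/gmail.readonly": "read all Gmail messages",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify Gmail",
    "https://www.googleapis.com/auth/drive": "full Google Drive access",
    "https://www.googleapis.com/auth/drive.readonly": "read all Drive files",
    "https://www.googleapis.com/auth/contacts.readonly": "read all contacts",
}


def inspect_consent_url(url: str) -> dict:
    """Parse a Google OAuth authorization URL and summarise what is being requested."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    scopes = query.get("scope", [""])[0].split()          # scopes are space separated
    redirect_uri = query.get("redirect_uri", [""])[0]    # where the grant is delivered
    return {
        "is_google_consent_page": parsed.hostname == "accounts.google.com",
        "client_id": query.get("client_id", [""])[0],
        "redirect_host": urlparse(redirect_uri).hostname or "",
        "scopes": scopes,
        "sensitive": {s: SENSITIVE_SCOPES[s] for s in scopes if s in SENSITIVE_SCOPES},
    }


def verdict(report: dict) -> str:
    """One-line reading of the report, for a training handout or help-desk triage."""
    if not report["is_google_consent_page"]:
        return "not a Google consent page: treat as a classic phishing page"
    if report["sensitive"]:
        return "asks for mailbox/file access; the grant would go to " + report["redirect_host"]
    return "only basic profile scopes requested"


# Constructed sample of the kind of link an OAuth phishing e-mail carries.
# The client id and redirect host are placeholders; the scope values are real.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-placeholder.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fthird-party-app.invalid%2Fcallback"
    "&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fmail.google.com%2F"
    "&access_type=offline&prompt=consent"
)

if __name__ == "__main__":
    report = inspect_consent_url(SAMPLE_URL)
    print(report["scopes"])   # ['openid', 'email', 'https://mail.google.com/']
    print(verdict(report))
```

The same two pieces of information, the requested scopes and the application they are granted to, are what Google's own "Third-party apps with account access" page shows after the fact, so the helper doubles as a checklist for reviewing grants that were already approved.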
2019 is almost over, and it has been an interesting and challenging year. I hope this blog post helped you better understand the threats that Human Rights Defenders face today. If you have any questions or comments, or if you think you are being targeted by a possible government-sponsored attack as an activist, feel free to send me an email (tek AT randhome.io).