2019.08.20 - DCSO Weekly Vol2 Issue 33

Volume 2, Issue 33
Classification: TLP Green

Effective: Tuesday 20th August, 2019
Version: 1.0
Author
TI Team
security-analysts@dcso.de
PGP Fingerprint: 2868 EF2B 34FB 0AD8 0C2D 45D2 ED20 E9B0 A0B2 C6A8
DCSO Deutsche Cyber-Sicherheitsorganisation GmbH
EUREF Campus 22, 10829 Berlin, Germany
Volume 2, Issue 33 TLP Green
Contents
1 Issues in Brief ............................................................................................ 2
1.1 DanaBot Spreads Further, Adding New Tricks ............................................ 2
1.2 Texas Local Government Entities Hit in Coordinated Ransomware Attack. 2
1.3 Hexane: A New Group Targeting Middle Eastern Petrochemicals and
Telecommunications ....................................................................................... 4
1.4 Fallout Surrounding Capital One Breach: Pre-Existing Staff Concerns and
at Least 30 Other Entities Breached ................................................................ 4
2 Webmin RCE Vulnerability, Intentional Backdoor (CVE-2019-15107/CVE-
2019-15231) ................................................................................................ 6
2.1 Vulnerability Details................................................................................... 6
2.2 Vulnerability Description ........................................................................... 7
2.3 Vulnerable Configurations ......................................................................... 7
2.4 Attack Vectors and Proof of Concept ......................................................... 7
2.5 DCSO Recommendations ........................................................................... 7
3 Huawei Operations in Uganda, Zambia: A Cause for Concern? .................... 9
3.1 WSJ Reports on Huawei Cooperation in Domestic Surveillance, Company
Denies Any Wrongdoing .................................................................................. 9
3.2 Chinese Digital Dominance in Africa: An Inevitability? ............................. 10
3.3 After 5G, a (Virtually) Limitless Scope of Influence .................................. 11
3.4 DCSO Conclusions and Recommendations............................................... 12
3.4.1 DCSO Recommendations ...................................................................... 12
4 Report from Black Hat/DEF CON/Diana Initiative 2019 ............................. 14
Deutsche Cyber-Sicherheitsorganisation GmbH

Tuesday 20th August, 2019 TI Team 1
1 Issues in Brief
1.1 DanaBot Spreads Further, Adding New Tricks
DanaBot, a Trojan first discovered by Proofpoint as an information stealer in May 2018, 1 has
surfaced in Germany in a renewed widespread campaign. Following familiar patterns of
continuous development and the addition of modular capabilities, the malware has been
observed to be deployed against a range of different German targets.2 The original Trojan
only came with banking website injections and information-stealing capabilities. The main
functionality was spying on the user’s infected system and forwarding valuable information
as well as stealing banking credentials. However, especially since the beginning of 2019,
researchers have noticed how DanaBot has continuously expanded its capabilities by adding
more information-stealing and even ransomware capabilities.3
In the current campaign, according to researchers from Webroot, DanaBot aims to target 15
well-known German online portals in order to steal primarily financial information from the
victims who log into targeted online shopping portals. It appears that the Trojan developer
invested a lot of time making the fake login portals and websites as believable as possible.4
In addition, the Trojan conducts extensive scouting of the target system, in what researchers
think might be preparation for later ransomware attacks. The development trajectory and
extensive capabilities of the most recent versions of DanaBot appear to point to the
direction of aggressive campaigns that aim to maximize the monetary value of every
infection, based on highly targeted geolocated campaigns.
1.2 Texas Local Government Entities Hit in Coordinated Ransomware Attack

The Texas Department of Information Resources announced earlier this week that, last
Friday, August 16, 23 government entities were compromised in a coordinated ransomware
attack believed to have been perpetrated by a single actor.5 The attack began when several
local governments reported having difficulty with accessing the Department of Information
Resources in the morning. It appears that the attack expanded over the weekend, ultimately
reaching 23 government entities which are primarily local governments,6 but also city
utilities and education entities.7 ZDNet now reports that the attack involved the well-known
1
Proofpoint Staff. ”DanaBot - A new banking Trojan surfaces Down Under,” May 31, 2019. Proofpoint.
https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0
2
Collective.IO. “Review of a Danabot Infection,” August 14, 2019. Webroot. https://h3collective.io/review-of-a-
danabot-infection/
3
Harakhavik, Yaroslav and Chailytko, Aliaksandr. “DanaBot Demands a Ransom Payment,” June 20, 2019.
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
4
Collective.IO. “Review of a Danabot Infection,” August 14, 2019. Webroot. https://h3collective.io/review-of-a-
danabot-infection/
5
Cimpanu, Catalin. ”Over 20 Texas local governments hit in coordinated ransomware attack,“ August 18, 2019.
ZDNet.https://www.zdnet.com/article/at-least-20-texas-local-governments-hit-in-coordinated-ransomware-
attack/
6
Fazzini, Kate. ”Alarm in Texas as 23 towns hit by coordinated ransomware attack,“ August 19, 2019. CNBC.
https://www.cnbc.com/2019/08/19/alarm-in-texas-as-23-towns-hit-by-coordinated-ransomware-attack.html
7
Goud, Naveen. ”Texas Ransomware attack to cost $12 million and more,” August 20, 2019. Cybersecurity
Insiders. https://www.cybersecurity-insiders.com/texas-ransomware-attack-to-cost-12-million-and-more/

Sodinokibi ransomware virus.8 The Sodinokibi virus is a prolific, highly evasive strain of
ransomware that has been active since April of this year and which Cybereason connects to
the author group responsible for the GandCrab ransomware.9 Cybereason also reports that,
in the four months since its first appearance, Sodinokibi has become the fourth most
common ransomware virus. Research conducted by cybersecurity analyst Brian Krebs links
the GandCrab ransomware to Russian cybercriminal virus developers.10
In response to what Texas officials have labelled a coordinated attack, Governor Greg Abbott
has ordered a “Level 2 Escalated Response” in recognition that “the scope of the emergency
has expanded beyond that which can be handled by local responders.”11 Federal agencies,
including the FBI and Department of Homeland Security, have subsequently become
involved in coordinating recovery efforts.12 Though it has been confirmed that the State of
Texas systems and networks were not impacted,13 sources of cybersecurity insiders have
indicated that the cost of the attacks to the state will be at least $12 million in damages.14
This attack is the latest in a rash of ransomware attacks against U.S. state and local entities
this year in New York, Louisiana, Maryland, and Florida.15 However, the centrally
coordinated, simultaneous attack against a high number of targets represents a dangerous
evolution in the tactics and sophistication of these ransomware gangs. In July, Louisiana
experienced a similar attack, during which four school districts experienced a wave of
ransomware attacks taking down systems within days of each other.16 This transition from
waves of attacks to simultaneous strikes acts as a force multiplier to the pressure applied on
state decision makers. It is unclear whether this will successfully result in the affected local
governments paying the ransom. During the Maryland attacks, for example, Baltimore opted
to push forward in defiance of the cybercriminals, whereas Florida’s victimized cities Lake
8
attack/
9
Fakterman, Tom. ”Sodinokibi: the crown prince of ransomware,“ August 5, 2019. Cybereason.
https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack
10
Krebs, Brian. ”Who’s Behind the Gandcrab Ransomeware?” July 19, 2019. Krebs on Security.
https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/
11
12
attack/
13
14
Goud, Naveen. ”Texas Ransomware attack to cost $12 million and more,” August 20, 2019. Cybersecurity
Insiders. https://www.cybersecurity-insiders.com/texas-ransomware-attack-to-cost-12-million-and-more/
15
16
Abrams, Lawrence. ”Ransomware attacks prompt Louisiana to declare state of emergency,” July 25, 2019.
Bleeping Computer.https://www.bleepingcomputer.com/news/security/ransomware-attacks-prompt-
louisiana-to-declare-state-of-emergency/

City and Riviera Beach did elect to pay the ransom. As of Monday morning, the attack was
still ongoing.17
1.3 Hexane: A New Group Targeting Middle Eastern Petrochemicals and

Telecommunications
Dragos has identified a new activity group it calls Hexane, which has been compromising
industrial control system (ICS) related entities since mid-2018 for the purposes of
information collection.18 The group presents a unique victimology in that is appears to divide
its focus between ICS verticals within the petrochemical sector in the Middle East, with a
particular focus on Kuwaiti companies, and telecommunications in the broader Middle
Eastern, Central Asian, and African regions. Dragos indicates there is evidence to suggest
that Hexane is targeting regional telecommunications firms as a tactic to gain access to the
group’s true target among the firm’s client base. Initial methods of compromise tend to
include the use of embedded binaries in malicious documents. They have also demonstrated
the capability of utilizing DNS and HTTP as command and control (C2) communication
channels.
Within the broader cyber threat ecosystem in the Middle East, Hexane presents similarities
in both victimology and TTPs with other active groups. In particular, Dragos identifies
similarities with Iranian APTs Magnallium (also known as APT33 and Elfin) and Chrysene (also
known as APT34, OilRig, and Helix Kitten). These groups also target petrochemical and
telecommunications companies in the Middle East, though their interests expand further to
the aviation, defense, financial, and government sectors of Western countries. Like these
groups, increasing regional geopolitical instability appears to be shaping Hexane’s targeting
as well as driving a spike in activity that began in early 2019. Though the group’s interests
are difficult to infer without a clear line of attribution, certain details are suggestive of a
politically motivated, Iran-oriented threat actor.
1.4 Fallout Surrounding Capital One Breach: Pre-Existing Staff Concerns and at
Least 30 Other Entities Breached
In documents filed in the U.S. District Court for the Western District of Washington this past
week, U.S. officials confirmed rumors that Paige A. Thompson, the lone hacker behind the
Capital One breach, had stolen multiple terabytes of data from an additional 30
organizations via its AWS servers.19 The U.S. government expects to add additional charges
against Thompson, but has refused to name the impacted companies, educational
institutions, and other entities as they are still in the process of being “identified and
17
BBC. ”Texas government organizations hit by ransomware attack,” August 19, 2019.
https://www.bbc.com/news/technology-49393479
18
Dragos. ”Hexane,“ Accessed August 10, 2019. https://dragos.com/resource/hexane/
19
Cimpanu, Catalin. ”Capital One Hacker took data from more than 30 companies, new court docs reveal,“
August 14, 2019. ZDNet. https://www.zdnet.com/article/capital-one-hacker-took-data-from-more-than-30-
companies-new-court-docs-reveal/

notified.”20 The documents also stated that, following a forensic analysis of Thompson’s
home server, it was found that “much of the data appears not to be data containing
personal identifying information.” The accused has stated that she neither sold nor
otherwise disseminated the information obtained.21 Multiple media outlets have highlighted
claims by Israeli security firm CyberInt that Ford Motor Company, Vodafone, Michigan State
University, and the Ohio Department of Transportation may have been among the victims.22
As of this writing, none have made public statements confirming this reporting.
These court documents come on the heels of The Wall Street Journal reporting that long-
standing information security concerns had weakened Capital One’s cybersecurity unit’s
ability to withstand a breach, specifically slow software patching and high employee
turnover.23 Sources told WSJ that one-third of the unit’s staff had left in 2018 following the
hiring of a new chief information security officer the prior year. This situation underlines the
fundamental necessity of clear, comprehensive onboarding for cybersecurity professionals.
20
Andrew C. Friedman Assistant United States Attorney. “United States’ Memorandum in Support of Motion
for Detention United States of America v. Paige A. Thompson,” Filed August 13, 2019. United States District
Court for the Western District of Washington at Seattle.
https://www.scribd.com/document/421860692/Thompson-New-Memorandum
21
Andrew C. Friedman Assistant United States Attorney. “United States’ Memorandum in Support of Motion
for Detention United States of America v. Paige A. Thompson,” Filed August 13, 2019. United States District
Court for the Western District of Washington at Seattle.
https://www.scribd.com/document/421860692/Thompson-New-Memorandum
22
Whittaker, Zack. ”Capital One breach also hit other major companies, say researchers,“ July 31, 2019.
TechCrunch. https://techcrunch.com/2019/07/31/capital-one-breach-vodafone-ford-researchers/
23
Andriotis, AnnaMaria and Ensign, Rachel. “Capital One Staff Raised Concerns Before Hack,” August 15, 2019.
Wall Street Journal. https://www.wsj.com/articles/capital-one-cyber-staff-raised-concerns-before-hack-
11565906781

2 Webmin RCE Vulnerability, Intentional Backdoor (CVE-2019-

15107/CVE-2019-15231)
A remote code execution vulnerability has been discovered across multiple versions of
Webmin, the web-based, remote Unix-based system manager. Recent statements by
Webmin team members indicate that this vulnerability was in fact an intentional backdoor
injected into compromised build infrastructure, allowing unauthenticated attackers to
remotely execute commands.24
This vulnerability requires a Webmin admin feature enforcing password expiration policies
to be enabled in order to be exploited. This feature is not enabled by default; however, the
party responsible appears to have attempted to change the default state of this feature to
ensure that it was enabled in version 1.890. The issue was reported to developers, and the
change was reverted in the next release.25
The compromised build appears to have been pushed via SourceForge, the official
distribution vector for Webmin; the GitHub iteration of the Webmin code does not appear
to have been affected by the compromise.26
2.1 Vulnerability Details

CVE: CVE-2019-15107/CVE-2019-15231
Published: August 10, 2019
Vulnerable Software: Webmin, versions 1.882 to 1.921 downloaded via SourceForge
Vulnerability Rating: N/A
CVSS Score: N/A
Link:
https://nvd.nist.gov/vuln/detail/CVE-2019-15107
https://nvd.nist.gov/vuln/detail/CVE-2019-15231
Description: Remote code execution, apparent backdoor via compromised build

infrastructure
24
SwellJoe. Comment under post "0day remote code execution for webmin," August 18, 2019. Reddit.
https://www.reddit.com/r/netsec/comments/crk77z/0day_remote_code_execution_for_webmin/excgwnt/
25
Cimpanu, Catalin. "Backdoor found in Webmin, a popular web-based utility for managing Unix servers,"
August 19, 2019. ZDNet. https://www.zdnet.com/article/backdoor-found-in-webmin-a-popular-web-based-
utility-for-managing-unix-servers/
26
Cimpanu, Catalin. "Backdoor found in Webmin, a popular web-based utility for managing Unix servers,"
August 19, 2019. ZDNet. https://www.zdnet.com/article/backdoor-found-in-webmin-a-popular-web-based-
utility-for-managing-unix-servers/

Root Cause: An apparent backdoor in a Webmin admin password expiration policy feature
allows attackers to execute arbitrary shell commands and hijack Webmin installations.
Proof of Concept: https://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-

Unauthenticated-Remote-Command-Execution.html
Remediation: Webmin has issued an advisory noting that the issue has been patched as of
version 1.930 and strongly recommends a prompt update.
2.2 Vulnerability Description

The vulnerability exists in a Webmin feature that provides administrators with a means by
which to enforce password expiration policies for Webmin accounts; if this feature is
enabled, attackers would be able to take over a Webmin instance by utilizing the "|"
character in HTTP requests sent to the targeted server to append shell commands.
Webmin provides system administrators with an extensive remote management toolset,

including OS setting modification, user account creation, and application configuration
updates. As such, any compromise of Webmin instances would provide attackers with
extensive access to managed networks.
2.3 Vulnerable Configurations

Webmin versions 1.882 to 1.921 downloaded via SourceForge appear to have been
compromised by the backdoor in question, but do not have the vulnerable feature
(administrator password expiration policy enforcement) enabled by default.
Webmin version 1.890 saw a further compromise of the build infrastructure that enabled
this feature by default, exposing any affected instances to exploitation; subsequent updates
reversed these changes.
2.4 Attack Vectors and Proof of Concept

A full writeup of proof of concept code, including an exploit module, for this vulnerability has
been published as of August 10, 2019.27
There are no indications as of publication that the exploit has been utilized in the wild;
however, if statements that the vulnerability was an intentional backdoor injected into
compromised build infrastructure are true, caution is highly recommended, as the actors
responsible remain unidentified.
2.5 DCSO Recommendations

With enterprise-oriented Linux distributions such as Red Hat and SUSE provided alongside
dedicated remote administration tools, and solutions other than Webmin on the market
27
Akkuş, Özkan Mustafa. "Webmin <= 1.920 - Unauthenticated RCE," August 10, 2019. Personal Blog.
https://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-
Execution.html

otherwise, it is possible that Webmin is not utilized within your organization. However, the
tool appears to be in widespread use, with a ZDNet Shodan query returning more than
215,000 public instances globally, thus raising the possibility that the tool is used in less
secure supply chains.
• If Webmin is in use within your organization infrastructure, the version 1.930 patch
should be applied as soon as possible, as the backdoor in question appears to have
been implemented by a malicious actor with exploit code in public circulation.
• In order to ensure that supply chain compromise of this vulnerability does not lead to
lateral movement against your organization, we recommend an external scan of your
suppliers’ IP ranges for public Webmin instances using tools such as Shodan.
• A higher-level lesson can be drawn from the issue of compromised build

infrastructure: When pushing software for public distribution, it is highly
recommended that checks be conducted across publicly available build versions in
order to ensure integrity by detecting instances of asymmetry in code. This will
ensure that injections of malicious code of this kind can be detected and mitigated
promptly.

3 Huawei Operations in Uganda, Zambia: A Cause for Concern?

3.1 WSJ Reports on Huawei Cooperation in Domestic Surveillance, Company
Denies Any Wrongdoing
On Thursday, August 15, The Wall Street Journal released a report detailing Huawei’s role in
politically motivated intelligence operations carried out in Uganda and Zambia. The report
contends that local Huawei network technicians assisted Ugandan cyber-surveillance officials
to intercept and decrypt private communications prior to a police crackdown at an
opposition rally in April. That same month, Huawei employees also reportedly helped
Zambian intelligence officials access and track the personal phones of Facebook page
administrators disseminating pro-opposition news.28
Although the investigative reporting team failed to uncover any technical details or official
directives regarding the company’s support, numerous interviews with state officials from
both countries confirm Huawei’s central role in tracking their suspects’ mobile phones,
cracking their encrypted communication, and shutting down opposition news sites. In the
Ugandan case, the journalists largely relied on firsthand accounts and documents provided
by anonymous law enforcement officials. In the Zambian case, however, the incumbent
political party the Patriotic Front themselves confirmed in a (since-deleted) post on their
official Facebook page that police officers working with “Chinese experts at Huawei have
managed to track” and arrest the bloggers in question.29 Nevertheless, a Huawei
spokesperson pushed back against The Wall Street Journal’s report, stating, “Huawei and its
employees … have neither the contracts, nor the capabilities” to participate in any state-
backed hacking attempts.30
The report indicates that, for these two cases, the technical anxieties that accompany
Huawei’s ascendance within the global telecommunications industry might be unwarranted.
The Wall Street Journal’s team “didn’t find that there was something particular about the
technology in Huawei’s network that made such [espionage] activities possible.”31 To some,
this failure to provide hard technical evidence of Huawei’s purported backdoor capabilities
in their products is all-telling. However, others might see the Chinese company’s readiness
to provide ad hoc workarounds itself as evidence of how their code of conduct allows for the
same outcome to be achieved—even without hard-coded technical capabilities. Given
28
Parkinson, Joe. Nicholas Bariyo, Josh Chin. “Huawei technicians Helped African Governments Spy on Political
Opponents.” August 15, 2019. The Wall Street Journal. https://www.wsj.com/articles/huawei-technicians-
helped-african-governments-spy-on-political-opponents-11565793017
29
30
31

Huawei’s leading position within the African market, their irregular behavior could set a
dangerous precedent for governments and other telecommunications firms alike.
3.2 Chinese Digital Dominance in Africa: An Inevitability?

The fact that Huawei was positioned well enough to contribute to the state-backed
investigations reported on by The Wall Street Journal is no surprise, given its commercial
dominance in African markets. Today, through a combination of private capital and Chinese
grants and loans, the company is responsible for nearly 70% of the continent’s ICT backbone,
with other Chinese companies not far behind.32 Huawei is also a strategic partner for
numerous African governments’ digitalization and smart cities programs, and they provide
telecommunications infrastructure and an array of professional services in 23 African
nations.33
Uganda and Zambia are two countries on the continent in which Huawei has made large
investments and with whose governments it has substantive contracts. Last year, the
company signed a $125 million contract with the Uganda National Police to provide 5,552
CCTV units and a central command facility in Kampala.34 In Zambia, along with its fellow
Shenzhen-based telecommunications company ZTE, Huawei reportedly provides the
government with sophisticated internet monitoring and blocking equipment.35 Their public
contracts within these countries ostensibly have further value, as Huawei maintains a
number of Chinese experts on-site to support their systems in Uganda and Zambia who are
available to offer these additional technical services to state intelligence officials.
Huawei looks similarly well-positioned to dominate Africa’s upcoming 5G initiatives, having

launched the continent’s first commercial 5G network in South Africa earlier this year.36 In
April, the Egyptian minister of communications and information technology, Amr Talaat,
announced a government agreement with Huawei to deploy 5G technology in the Cairo
International Stadium in preparation for the 2019 Africa Cup of Nations tournament.37
According to DCSO analysts with knowledge of the country’s telecom industry, this program
32
Mackinnon, Amy. “For Africa, Chinese-Built Internet Is Better Than No Internet at All.” March 19, 2019.
Foreign Policy. https://foreignpolicy.com/2019/03/19/for-africa-chinese-built-internet-is-better-than-no-
internet-at-all/
33
Link, Jordan. “How Huawei could survive Trump.” June 10, 2019. The Washington Post.
https://www.washingtonpost.com/politics/2019/06/10/what-do-we-know-about-huaweis-africa-presence/
34
Bagala, Andrew. “CCTV cameras finally arrive.” August 3, 2018. Daily Monitor.
https://www.monitor.co.ug/News/National/CCTV-cameras-Police--Kampala-Huawei-Kayima/688334-4694862-
x2y7tpz/index.html
35
Prasso, Sheridan. “China’s Digital Silk Road Is Looking More Like an Iron Curtain.” January 10, 2019.
Bloomberg Businessweek. https://www.bloomberg.com/news/features/2019-01-10/china-s-digital-silk-road-is-
looking-more-like-an-iron-curtain
36
Shapshak, Toby. “Data-Only Operator Rain Launches Africa’s First 5G Network.” February 26, 2019. Forbes.
https://www.forbes.com/sites/tobyshapshak/2019/02/26/data-only-operator-rain-launches-africas-5g-live-
network/
37
Channel News Asia. “China’s Huawei to launch 5G at Africa Cup of Nations” AFP/de.
https://www.channelnewsasia.com/news/business/china-s-huawei-to-launch-5g-at-africa-cup-of-nations-
11465458.

did not take place as described and was most likely never technically feasible. Still, it shows
some level of cooperation and a wish for more.
With few Western alternatives willing to step up to build and expand digital infrastructure in
developing markets, the door is left open for Huawei to introduce its own products—and
values—in their stead.
3.3 After 5G, a (Virtually) Limitless Scope of Influence

Huawei’s success in Africa and their role in state-led surveillance operations such as those
reported on by The Wall Street Journal last week give rise to larger questions concerning
future models for internet governance in the region. Many of the aforementioned smart city
projects involving Huawei aim to make cities safer by installing advanced public surveillance
systems both online and offline, giving state officials a new and comprehensive set of tools
to subdue their political opponents.38 With the launch of commercial 5G systems set to
dramatically expand integrated systems and the transmission of data between users and
institutions, China’s national dominance in this frontier gives their decision-makers a
disproportionate ability to dictate how these systems and data might be used in the future.
As indicated by The Wall Street Journal’s report, Huawei’s usage of their own private
resources on foreign soil is not unlike how digital capabilities are frequently leveraged within
the heavily controlled Chinese internet.
Despite the internet’s significance to international business and issues of global governance,
its stability isn’t guaranteed by a set of legal regulations or protections like labor markets or
trade matters are. The lack of international agreements on the topic of responsible internet
governance, despite its centrality to transnational business, has given some nations ample
opportunity to leverage its asymmetrical and accelerative advantages to their own benefit.
Whether to sow disinformation in foreign countries,39 or to engage in cybercrime as an illicit
source of state revenue,40 governments acting in their own self-interest increasingly
destabilize the internet as a trustworthy space for communication and enterprise.
The private sector also plays a role in these developments. The Wall Street Journal reports
that Huawei technicians and private Israeli cybersecurity experts provide domestic
intelligence forces throughout Africa with the necessary training to use cyber-surveillance
and monitoring tools.41 Addressing the story, a Huawei spokesperson stated, “Huawei’s code
38
Chimbelu, Chiponda. “Investing in Africa’s tech infrastructure. Has China won already?” May 3, 2019.
Deutsche Welle. https://www.dw.com/en/investing-in-africas-tech-infrastructure-has-china-won-already/a-
48540426
39
Scott, Mark and Laurens Cerulus. “Russian groups targeted EU election with fake news, says European
Commission.” June 14, 2019. Politico. https://www.politico.eu/article/european-commission-disinformation-
report-russia-fake-news/
40
Nichols, Michelle. “North Korea took $2 billion in cyberattacks to fund weapons program: U.N. report.”
August 5, 2019. Reuters. https://www.reuters.com/article/us-northkorea-cyber-un/north-korea-took-2-billion-
in-cyber-attacks-to-fund-weapons-program-u-n-report-idUSKCN1UV1ZX
41

of business conduct prohibits any employees from undertaking any activities that would
compromise our customers' or end users’ data or privacy or that would breach any laws.
Huawei prides itself on its compliance with local regulations and laws in all markets where it
operates.”42 The underlying question is whether anything should, or can, be done to improve
unraveling legal and regulatory protections in African nations, a development partly
attributable to the changes often made by decision-makers so that they may leverage
Huawei’s attractive product and service offerings to their fullest political potential.
3.4 DCSO Conclusions and Recommendations

Huawei has enjoyed unparalleled commercial success in the African telecommunications
industry, and has effectively entrenched its interests within the contemporary economic,
technical, and legal landscape of many African countries. Their strategic partnerships with
public and private partners throughout the continent come bundled with a set of values that
advocates for a more intrusive state role in cyberspace, in this case by encouraging the
incorporation of advanced digital capabilities into wide-reaching digital surveillance systems.
Furthermore, according to The Wall Street Journal, the company itself has demonstrated a
willingness to train and actively support local law enforcement officials to carry out
specialized cyber operations against national political targets.
Despite the Trump administration’s proposed sanctions, Huawei is still in a favorable

position to provide many other countries with the network infrastructure needed for their
own 5G programs. Especially given the current political climate between the U.S. and China,
it is difficult to foresee how future national regulatory regimes might adapt, especially as
more accounts on the company’s controversial practices come to light. The continued role
Huawei might play in our clients’ business operations should therefore be actively evaluated
in context with wider political trends as they affect relevant regulatory regimes.
3.4.1 DCSO Recommendations

• Diversify the range of telecommunications product and service providers represented
in information and industrial systems.
• Carry out risk assessments for any potential breaches in data confidentiality or
integrity in core systems that are dependent on equipment or services from a single
provider.
• Maintain active risk mitigation strategies by, for instance, layering systems with
additional security processes that provide an additional means of control or
monitoring data integrity or confidentiality.
• Remain notified of the impact that any upcoming telecommunications regulations
may have on national portfolios or production operations.
42

• Forecast the costs that divesting from any single telecommunications provider’s
products might have on business operations as a result of abrupt regulatory changes.

4 Report from Black Hat/DEF CON/Diana Initiative 2019
This August, I (DCSO co-Head of Threat Intelligence Kimberly Zenz) went to Las Vegas for
America’s annual cybersecurity conventions, sometimes called Hacker Summer Camp. By
this, I mean the combined event that is Black Hat, DEF CON, BSides, the Diana Initiative, and
others, including many smaller events, presentations, roundtables, and parties sponsored by
private companies. I am not aware of a comparable event in any other country that
concentrates so much of the industry in the same place at the same time, and there was
definitely quite a lot of interesting action.
The action began before the conference even began, when Black Hat revoked its invitation
to U.S. Representative William Hurd to be the keynote speaker. Within the context of
cybersecurity, the invitation made sense, as Rep. Hurd is one of the more active American
lawmakers in the field of cybersecurity policy and has sponsored multiple key bills.
However, as many tech companies are themselves learning when their own employees are
increasingly protesting corporate actions with geopolitical or social consequences,
cybersecurity is no longer its own distinct sphere, and politics matter. Rep. Hurd is also a
conservative lawmaker who voted against issues connected to women’s rights 98% of the
time, including a bill that would have supported women in STEM fields.43 For enough
attendees, this meant that he had no place at Black Hat, and his invitation was revoked. Dino
Dai Zovi of Square replaced him, and spoke about, fittingly, the importance of culture and
strategy for organizations.
Another topic of interest that appeared throughout the talks was vulnerabilities. Talks
describing the discovery of vulnerabilities are a mainstay of these events, but this year also
showed real interest in the business of vulnerabilities research and exploit sales. Microsoft
and Apple announced increased incentives to encourage researchers to tell them about their
findings and discourage other economic activity.
On the other side, a talk by Maor Shwartz on selling vulnerabilities filled rooms on both
briefing days at Black Hat and filled one of DEF CON’s cavernous ballrooms shortly
thereafter. Schwartz was also trying to attract researchers, but to his brokerage service, for
resale to government clients.
Another frequent topic, and likely the reason that Rep. Hurd was invited to begin with, was
the need for experts in the cybersecurity industry to engage with policymakers. I first went
to Black Hat and DEF CON more than a decade ago, and this has been an issue at these
events since at least that time. However, now it appears to have more urgency and more
discussions of actual steps participants should take, including attending legislative hearings,
sending direct messages to their representatives, and participating in other grassroots
43
Whittaker, "Rep. Will Hurd to keynote Black Hat draws ire for voting record on women’s rights," June 14,
2019. TechCrunch. https://techcrunch.com/2019/06/13/black-hat-keynote-will-hurd/

options for cybersecurity experts not able to engage their country’s politicians at the top
levels.
At least some of those politicians were there too, though, including several members of the
U.S. Congress. Personnel security and law enforcement agencies have always come, and
even sometimes presented, but the lawmakers themselves are visibly more interested, with
more respect for the cybersecurity industry and the expertise therein.
Another item of note is how much broader the topics of discussion were. Technical and
policy research were the bulk of the talks, but there was also a visible recognition that work
is more than the hard tasks at hand. There were talks on managing people and managing
work-life balance. There were talks on hacking oneself—getting over anxieties and mastering
one’s craft. There were talks on company culture and ways to improve it. And there was
advocacy, from DEAF CON for the hearing impaired to the Diana Initiative, a conference for
women in cybersecurity which is focused on not only technical research, but also the issues
specific to women in the industry.
Although this was my tenth time at “Summer Camp,” it was a little different thanks to the
expanded focus. It was also a little different because this time I spoke at Black Hat,
something I have never done before.
I spoke once before as a sponsored speaker at a previous employer’s request as my last act
prior to joining DCSO, but that does not really count as speaking at Black Hat. How little that
counts was also highlighted during this trip, when a sponsored speaker chose to use the
room provided by Black Hat to present a talk on “time AI.”
I did not attend this talk, but the kerfuffle it caused among attendees and InfoSec Twitter
was difficult to overlook, with a combination of valid concern that such a ridiculous talk
could be present anywhere at Black Hat, even at a sponsored talk, and some overly
righteous outrage by what looked to me like people enjoying a little gatekeeping. This is not
to say that the gate should not have been kept—the talk made little sense, and Black Hat
subsequently deleted it from their site.44
Being a speaker is an interesting experience most of all in that Black Hat provides a speakers’
room where we can meet, get lunch, and practice our talks on their equipment. This gave
me a chance to get to know my fellow speakers, who had a range of interesting experiences
and knowledge to share, plus a few tips. There was also a reception for speakers, but the
room during the conference was by far the more genuinely useful.
Black Hat also provides speaker mentoring in advance and liaisons to help speakers with all
logistics at the event, something that was much appreciated and which I wish more
conferences could offer. Most conference do not have the budget of Black Hat, though, or
the cachet to get former speakers, experts in their own right, to offer free assistance to the
44
Franceschi-Bicchierai, Lorenzo and Cox, Joseph.“ Black Hat Talk About ‘Time AI’ Causes Uproar, Is Deleted by
Conference,“ August 10, 2019. Vice Motherboard. https://www.vice.com/en_us/article/8xw9kp/black-hat-
talk-about-time-ai-causes-uproar-is-deleted-by-conference

next ones, but it is something to consider where possible. It ensures the best possible
content.
My topic, infighting among the Russian security services in the cyber sphere, was classified
as policy, which I suppose it was, in a way. I noticed at previous events that most talks
focusing on threat actors end up in the policy track, but in my case, I was told that there was
some discussion about which track best fit my topic.
I feel that my talk went well, and I was asked good questions after, with a session spilling
over into a separate room provided by Black Hat for talks where there are more questions
when a particular talk’s time is up. I was also able to meet with the people that I had hoped
to meet, with some fascinating and productive talks.
Unfortunately, although not entirely surprising, any talk with the word Russia in the title will
attract a few conspiracy theorists, and I did encounter two—one doubting that Russia ever
hacked U.S. elections resources and another convinced that the highly criminal BTC-e
cryptocurrency exchange was the target of a conspiracy. I had hoped that the high
registration fees and travel costs required to attend Black Hat would keep such actors away,
but two made it in, one with a media pass. As with sponsors, Black Hat may have to apply a
little more scrutiny to people applying as journalists as well.
Overall, I am grateful for the opportunity to have presented, and to have met with the
people who are the real reason to travel that far in the first place. I also appreciated the
expanded focus by all the conferences and the many corporate hosts of smaller events. The
industry is expanding, and it is good to see that its flagship events are as well, even if the
task ahead of all of us is so great that there is much more still to do. After so many years, I
still learned things and established more of what I hope will be productive connections.


2019.08.20 - DCSO Weekly Vol2 Issue 33

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

2019.08.20 - DCSO Weekly Vol2 Issue 33

Uploaded by

Copyright:

Available Formats

Volume 2, Issue 33

Classification: TLP Green

Deutsche Cyber-Sicherheitsorganisation GmbH

1.2 Texas Local Government Entities Hit in Coordinated Ransomware Attack

Deutsche Cyber-Sicherheitsorganisation GmbH

Deutsche Cyber-Sicherheitsorganisation GmbH

1.3 Hexane: A New Group Targeting Middle Eastern Petrochemicals and

Deutsche Cyber-Sicherheitsorganisation GmbH

Deutsche Cyber-Sicherheitsorganisation GmbH

2 Webmin RCE Vulnerability, Intentional Backdoor (CVE-2019-

2.1 Vulnerability Details

Published: August 10, 2019

Vulnerable Software: Webmin, versions 1.882 to 1.921 downloaded via SourceForge

Vulnerability Rating: N/A

CVSS Score: N/A

Description: Remote code execution, apparent backdoor via compromised build

Deutsche Cyber-Sicherheitsorganisation GmbH

Proof of Concept: https://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-

2.2 Vulnerability Description

Webmin provides system administrators with an extensive remote management toolset,

2.3 Vulnerable Configurations

2.4 Attack Vectors and Proof of Concept

2.5 DCSO Recommendations

Deutsche Cyber-Sicherheitsorganisation GmbH

• A higher-level lesson can be drawn from the issue of compromised build

Deutsche Cyber-Sicherheitsorganisation GmbH

3 Huawei Operations in Uganda, Zambia: A Cause for Concern?

Deutsche Cyber-Sicherheitsorganisation GmbH

3.2 Chinese Digital Dominance in Africa: An Inevitability?

Huawei looks similarly well-positioned to dominate Africa’s upcoming 5G initiatives, having

Deutsche Cyber-Sicherheitsorganisation GmbH

3.3 After 5G, a (Virtually) Limitless Scope of Influence

Deutsche Cyber-Sicherheitsorganisation GmbH

3.4 DCSO Conclusions and Recommendations

Despite the Trump administration’s proposed sanctions, Huawei is still in a favorable

3.4.1 DCSO Recommendations

Deutsche Cyber-Sicherheitsorganisation GmbH

Deutsche Cyber-Sicherheitsorganisation GmbH

4 Report from Black Hat/DEF CON/Diana Initiative 2019

Deutsche Cyber-Sicherheitsorganisation GmbH

Deutsche Cyber-Sicherheitsorganisation GmbH

Deutsche Cyber-Sicherheitsorganisation GmbH

You might also like