FOXTROT/ALFA: Git is 15, “Bulletproof” Hoster Crew Cyberbunker Facing Prosecution, Staying Under the Radar by Hacking Linux Servers

Today is Tuesday, 7 April 2020 and this is issue 95 of FOXTROT/ALFA, your daily tech news and policy newsletter. Here’s what’s been happening in the world of technology.

The Coronavirus Curfew is Leading to Vulnerable IT Systems

Companies are increasingly opening footholds to hackers in their internal networks by hastily trying to enable their employees to work from home amid the coronavirus crackdown.

As companies move their staff to remote working amid the COVID-19 coronavirus pandemic, some IT teams have made internal platforms, such as tech support desks, face the public internet. The hope, presumably, is that this ensures employees can easily reach these services from their homes, allowing them to raise support tickets and the like. However, organizations are leaving themselves open to mischief or worse by miscreants, we’re told, because the portals are not fully secured. Strangers on the internet can create new accounts, impersonate staff, submit requests for bogus work, potentially access sensitive information, such as payroll details and documentation, and so on.

Inti De Ceukelaire of bug-bounty platform Intigriti claimed earlier this month hundreds of corporate service portals have been exposed to the internet, a 12 per cent increase since he scanned the internet for them last summer – an increase the COVID-19 crisis may have contributed to.

Atlassian’s software seems to be especially prevalent here.

“An increasing number of Atlassian Jira Service Desks have been misconfigured to be accessible for anyone to sign up. In essence, this is nothing to worry about as service desks may have legitimate reasons to be public. However, a growing number of instances have been repurposed to serve as an internal service ticket portal, allowing attackers to impersonate employees and create legitimate internal requests.

There are now fresh guidelines from Atlassian available on how to deal with this.

Git Turns 15

Today, Git is 15 years old. Linus Torvalds' version control system was first released on 7 April 2005. GitHub has interviewed Git maintainer Junio Hamano for the occasion.

What’s your first memory of Git?

I wish I could claim that I’ve been here from the very beginning, but I think I probably got involved about a week after Linus announced that he had something that remotely resembled the first version of Git on April 7 in 2005. I got the tarball soon after hearing there was something “interesting” happening, and then read everything in a single sitting. It was small enough to read in two hours and understand all that was going on in the code. I remember that I was very impressed by the simplicity of the design and the clarity of the code.

There were many new version control projects starting around 2005. What made you choose to use and work on Git?

Along with my employer at the time, I personally was benefiting from the work done by the Linux kernel project. Linus was taking a “vacation” from it, out of necessity, to build some version control they could use, and I knew a bit about patch and diff. My initial motivation was to join other people who were helping that effort, hoping that it would help Linus declare victory sooner and go back to his kernel work.

In that sense, there wasn’t any “do I help Git, or do I help some other system?” choice. It was purely “chase Linus out of the distraction back to the kernel”, although Linus seemed to have also enjoyed the intense ride in the first three months until he gave the maintainer role to me at the end of July 2005.

Side note: Every single of these newsletters and even the smallest update to my website is kept in Git.

Cyberbunker Crew Facing Prosecution

Remember that raid on the “bulletproof” hoster Cyberbunker in Germany? Well, the prosecution is now getting ready to charge four Dutch citizens, three Germans and a Bulgarian member of the hosting company for aiding and abetting serious crimes.

Over the last months, several German police offices have looked through about two petabytes of data. They’ve found every conceivable crime from child porn, to murder-for-hire postings as well as drug and weapons sales. Apparently parts of the Mirai botnet which took down millions of routers at the end of 2016 was controlled from here as well. Police are saying that before raiding the server farm located in an old bunker complex in Traben-Trarbach, the investigated the hosting company for over four years. According to the investigators, there wasn’t a single legitimate service being hosted with the hosting provider.

It looks like the investigators had to crack several encrypted machines to get to the internal email servers of the hosting companies. Those play a crucial role in proving the hoster actively worked with its clients to further their crimes and knew that illegal stuff was going on in the first place. This is important, because in Germany, employees of a hosting company can’t be prosecuted for merely hosting illegal sites. Investigators have to prove they knew what was going on and helped in furthering and hiding the crimes.

The prosecution expects it will take a few months still to move the charges to trial. Under German law, to charge someone for aiding and abetting a crime, the prosecution has to first prove that these crimes were committed in the first place – so police also needs to investigate all of these crimes as well and charge people with them.

COVID Depression: Samsung and Google UK Still Doing OK

So far, the COVID-19 lockdown (that will most likely lead to a global depression) hasn’t hit the tech sector yet. At least it hasn’t made an impact on reported earnings numbers so far. Samsung’s first quarter for 2020 is still looking good.

Samsung has published its earnings guidance for Q1 2020, and it’s looking fairly sunny for the South Korean tech conglomerate, with revenue and profit both expected to show year-on-year growth. Sales are forecast to hit ₩55 trillion (£38.8bn at today’s exchange rates), up 5 per cent on Q1 in 2019, while profits are expected to reach ₩6.4 trillion (£4.28bn), up 3.2 per cent.

Looking at historical trends, it’s likely components helped elevate Samsung’s fortunes, with semiconductors representing half of the company’s profits in 2019 – down from 75 per cent in 2018. The market strengthened in the tail end of last year, with industry-wide sales up 5.8 per cent to $26.8bn in Q3 2019, per World Semiconductor Trade Statistics.

It seems Google’s UK subsidiary is also doing fine for now.

Google’s UK tentacle booked a jump in revenues for the year ended 30 June 2019 while still managing to cut its tax bill by more than £21m. The figures, filed at Companies House yesterday and made available to read today, saw revenues of £1.6bn flood Google’s coffers, up from £1.4bn in the previous year, but an increase of more than £200m in “administrative expenses” meant the company’s profit before taxation actually fell from £246.3m to £225.8m.

Due to how Google UK’s revenues are recognised and reported, there is every chance that ad revenues were actually quite a bit higher; the company only generates revenues through service agreements with other Alphabet group companies (primarily marketing and services support). Number boffins at Statista estimated that UK ad revenues away from the gaze of HMRC were more like £5.1bn in 2019, up from £4.43bn in 2017. Google’s parent company, Alphabet, reported total ad revenues of $135bn for FY2019 in its February financials.

Staying Under the Radar by Hacking Only Linux Machines

How do you stay undetected as a state-sponsored hacker group? You go after Linux servers. Nobody cares about Linux, apparently.

A group of hackers operating as an offshoot of China’s Winnti group managed to stay undetected for more than a decade by going open source. A report from BlackBerry outlines how the group, actually a collection of five smaller crews of hackers thought to be state-sponsored, assembled in the wake of Winnti and exploited Linux servers, plus the occasional Windows Server box and mobile device, for years.

Part of the reason the attack has gone unnoticed for so long, BlackBerry reckons, is due to their preference for Linux servers. It is believed the hackers use three different backdoors, two rootkits, and two other build tools that can be used to construct additional rootkits on a per-target basis for open-source servers. This in addition to the command-and-control tools and what is described as a “massive botnet” of compromised Linux servers and devices. Some of the malware has been in use dating back to 2012.

“In the attacks BlackBerry observed, the open Linux platform has enabled Chinese actors to develop backdoors, kernel rootkits, and online-build environments at a high level of complexity and specificity, with the end result being a toolset specifically designed to be harder to detect,” the report noted. “Compounding low detection rates inherent in the malware design is the relative lack of coverage quality and features in malware detection solutions for Linux available on the market today.”

“The fact that this new Linux malware toolset has been in the wild for the better part of the last decade,” said BlackBerry, “without having been detected and publicly documented prior to this report, makes it highly probable that the number of impacted organizations is significant and the duration of the infections lengthy.”

Also Noteworthy

Some other stuff I’ve been reading today:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.