Home / Robin's Newsletter

Robins Newsletter #100

 Vol. 3  Iss. 20  17/05/2020, last updated 24/05/2020   Robin Oldham  ~6 Minutes

This week

Assessing cyber risk from external information

An interesting post on the LawFare blog on assessing cyber risk from external information. Particularly the idea of hedging cyber risk and market pricing.

In a similar vein, there is an interesting data set (vol. 1, iss. 13; vol. 3, iss. 2) that analyses the relative market performance of public companies that suffered a data breach.

The headline is share prices fall an average of 7.27%, and underperform markets by -4.18%, however, it was another subtle mention that really caught my eye with that data: “The companies underperformed the NASDA by -1.65% leading up to the breach”

Correlation needn’t necessarily mean causation, though is helpful enough on its own when trying to build these types of external models.

CyberHedge, the company mentioned in the LawFare post, have created an index they claim is “market-based proof that cyber governance impacts shareholder value”. Or more simply, that good cyber governance makes more money for shareholders.

It’s an interesting area of research that could lead to ‘credit rating’ style labels for a businesses security or privacy trustworthiness.

lawfareblog.com, and some interesting comments to my post on linkedin.com, cyberhedge.com

Interesting stats

$761,106 average cost to remediate a ransomware attack ($506k for organisations with 100-1k employees; $981K for 1k-5k employees) $1.448M (~2X) the cost to remediate when the ransom is paid 27% of victims pay the ransom demands, and 94% of payments are covered by the victims cyber insurance 1/4 attacks were stopped before any data could be encrypted, according to a survey of 5,000 IT managers by Sophos sophos.com (PDF)

Other newsy bits

Attack on ‘UK electricity system’ limited to administrative player

A participant in the UK’s electricity market is reported to have suffered a ransomware incident this week. Elexon help run the UK’s electricity market - that is they monitor how much electricity is being generated by different providers, vs what is required by the grid, and what each forecast. Based on these measurements they then send out invoices so everyone gets paid the right amounts for their contributions. They’re not involved in the actual generation, transmission or distribution of electricity. Electricity grids make for good headlines, though in this case… potential for accounting headaches… yes, power outages… not so much. theguardian.com, zdnet.com, theregister.co.uk

Google omits firebase databases from its search index

Research from website Comparitech has found thousands of apps that have failed to secure access to their backend databases hosted using Google’s Firebase cloud service. Access rules need to be configured and, apparently, these can often be circumvented by adding ‘.json’ to the end of the request. It’s similar to leaving an Amazon AWS S3 bucket unprotected, like so many ‘passive’ breaches of the last couple of years. However, the thing that stuck out to me was that Google is omitting the data from their search index (where they would readily index and cache S3 data). It will show up in other search engines like Bing or DuckDuckGo. theregister.co.uk

Supercomputers across Europe hijacked to mine cryptocurrency

Earlier this week the UK’s ARCHER supercomputer inaccessible after administrators reported that SSH keys had been compromised on login jump box. Then reports surfaced from Germany, Switzerland and Spain that other high-performance computers (HPCs) have suffered similar security incidents. The processing power appears to have been commandeered to mine the Monero cryptocurrency. It’s a reminder of the value some attackers see in different commodities. Your compute power, network connectivity, or storage capacity may make attractive targets in their own right. theregister.co.uk, zdnet.com

Calm down about ThunderSpy

Some great research that’s led to the discovery of a vulnerability in Intel’s thunderbolt interface. An attacker can prise the case open on a computer and connect onto the chip directly, refreshing it and removing security protections. It’s been given a trendy name - ThunderSpy - and picked up by the media, but as the folks on the Risky Business podcast pointed out: this is going to be far more useful to law enforcement getting access to powered-on, seized machines than it is a threat to many of us. The vulnerability does not affect Macs, either. arstechnica.com

Analysing malware as images

Cool use of machine learning by Microsoft and Intel here: converting malware code into images for analysis. It makes it easy to identify structural patterns and similarities, apparently with over 99% accuracy. Hopefully not coming to a captcha system near you soon! Select all the images that contain ransomware ;-) zdnet.com

Fraudsters using NHSX Contact tracing app lure to steal data

Scammers are sending ‘smishing’ (SMS phishing) messages pretending to be related to the NHSX contact tracing app, but that redirect users to spoofed websites trying to steal personal and financial information. theguardian.com

In brief

Attacks, incidents & breaches

  • HR system of outsourcer Interserve breached, 100,000 employee records stolen telegraph.co.uk
  • ATM manufacturer Diebold Nixdorf ransomwared by ProLock; claims ‘limited to corporate IT network’; rolls out “takes the security of our systems and customer service very seriously” boilerplate krebsonsecurity.com
  • Norwegian state-owned investment fund, Norfund, victim of $10M business email compromise fraud cyberscoop.com
  • Inboxes of 47 New South Wales government employees ‘illegally accessed’ zdnet.com
  • Germany points finger at Russia’s Fancy Bear group for 2015 Bundestag breach theguardian.com
  • Sodinokibi/REvil ransomware crew doubles demand for GSM law (vol. 3, iss. 19) to $42M scmagazine.com

Threat intel

  • Microsoft open-sources its Coronavirus (COVID-19) threat intelligence microsoft.com
  • Sodinokibi (REvil) ransomware now uses Windows Restart Manager API to encrypt locked files of databases, mail servers, etc bleepingcomputer.com
  • Aka strain of ransomware now demands two payments: one to unlock files, second to not release copies of data bleepingcomputer.com
  • Mandrake Android malware has done its best to remain undetected for four years bitefender.com (PDF)
  • New airgap-jumping malware toolkit Ramsay may be linked to South Korean arkHotel group, according to ESET zdnet.com
  • US accuses China of stealing COVID-19 vaccine research - in reality all foreign intelligence services globally will be doing the same, trying to understand who knows what, where they are sourcing reagents and PPE, and what prices they’re paying for them. Spies gonna spy! cyberscoop.com

Vulnerabilities

  • ‘Top 10’ most exploited vulnerabilities in the last four years, according to DHS, FBI us-cert.gov
  • SAP release patches to address ‘contractual gaps’ (vol. 3, iss. 19) in range of their cloud software platforms sap.com
  • Zerodium drops price offered for Safari remote code vulnerabilities to $0 cyberscoop.com

Privacy

  • Amendment to revised US PATRIOT Act fails, allowing the FBI and other government agencies access Americans’ web history without probable cause or a warrant theregister.co.uk
  • Privacy International’s damning teardown of the NHSX contact tracing app hints at the real reason for UK’s centralised approach: lack of testing privacyinternational.org
  • Legal challenge over Android’s ‘opt-out of ads personalisation’ not removing unique advertising ID theregister.co.uk

Public policy

  • Calls for greater Congressional oversight of how local law enforcement are using spyware in US vice.com

Law enforcement

  • Romanian police arrest four planning ransomware attacks on hospitals in protest of lockdown measures zdnet.com

Mergers, acquisitions and investments

  • VMware acquires Octarine, plans to integrate Kubernetes tech into Carb Black Cloud zdnet.com

And finally

The ‘confessions’ of Marcus Hutchins

Marcus Hutchins - aka MalwareTech - the security researcher from Devon best know for ‘saving the Internet’ from WannaCry tells his story to Andy Greenberg in Wired this week. Hutchins was arrested a few months after WannaCry while visiting the US for his part in writing the Kronos banking trojan. It’s an interesting read about the descent, recovery and reckoning of a talented computer whiz struggling to make connections with those around him. wired.com