This week marks the second birthday of Robin’s Newsletter!
There are a few things I’m hoping to be able to share with you soon, but that aren’t quite ready yet. So in a show of great self-restraint, I’m going to put off any big celebrations for now, other than to say THANK YOU SO MUCH for being a subscriber. It’s always lovely to hear your feedback and a privilege to have you along on this journey.
I presented at the Open Security Summit this week on a couple of topics, Threat Personas and Application Vulnerability Scoring. You can check out the session recap in this Twitter thread, and watch it on YouTube.
COVID-19 cyber threat probably overblown, but you can learn from it
Microsoft have a broad range of telemetry on which to base their analysis (virus and threat protection data from Windows, spam and phishing data from Hotmail and Office 365, to name a couple) and this week they shared some observations about the much-discussed COVID-19 cyber threat.
The peak of COVID-19 cyber threat activity was in the first two weeks of March. Campaigns were localised, though, with COVID-19 as the backdrop rather than the foreground. The volume of attacks coincided with local news and events: for example, spikes in the UK around lockdown and during Prime Minister Boris Johnson’s hospitalisation. The US followed the global trend and had a second spike in activity as the country passed 100,000 confirmed deaths.
It broadly seems to have been a redeployment of existing cyber threat resources. In isolation, the eleven-fold jump in COVID-themed activity looks significant, but only because it started from such a low base: as a proportion of overall cyber threat activity, it never amounted to more than 2% of what Microsoft witnessed.
What the Microsoft threat intelligence team haven’t analysed is how successful these attacks were. With time, some of that may come to light through regional crime statistics.
For me, it underlines the importance of contextualised and localised content in security training and engagement programmes. Attackers are putting the effort in to tailor their campaigns: you should too! microsoft.com
2.3Tbps: size of the distributed denial of service attack that Amazon says it mitigated. 1.7Tbps: size of the previous record-holding attack. 42,435x: how many times the average speed of a UK broadband connection (54.2Mbps) the new record represents. zdnet.com
Other newsy bits
TCP/IP stack vulnerabilities affect ‘hundreds of millions’ of IoT devices
Israeli security researchers have found a series of vulnerabilities in a TCP/IP stack licensed by U.S. firm Treck, and used in ‘hundreds of millions’ of Internet of Things (IoT) or Operational Technology (OT) devices. They have dubbed the collection ‘Ripple20.’
Treck are a relatively obscure organisation that specialises in code that handles network protocols for embedded and operational technology. Their code is picked up and used in lots of network devices by other manufacturers.
It’s a combination of two emerging and interrelated cyber security trends: software supply chain vulnerabilities and OT security updates.
Software supply chains are complex, with many open source or licensed libraries offering savings through code re-use, saving organisations significant effort and often resulting in higher quality code. Where vulnerabilities are discovered, though, the ‘ripple’ effect means the impact may be multiplied many times over.
Operational technology, covering everything from industrial control and embedded systems to consumer Internet of Things or ‘smart’ devices, requires code updates to address software bugs and add feature improvements (like any computer!). However, industrial processes may limit how often updates can be applied, and consumer tech moves quickly, with companies not considering long-term support, or even going bust, resulting in similar patching issues.
Combined, these two trends can produce a force multiplier on impact, with no easy way to directly remediate the vulnerability.
Fortunately, in this case, Treck has issued updates that fix the issues, and this has seemingly been a good business move, with many of their customers choosing to renew or take out support contracts. wired.com, cert.org, jsof-tech.com
Australia diplomatically trying to reduce cyber-attacks on government
At a ‘snap press conference’ on Friday, Australian Prime Minister Scott Morrison announced that the country was aware of, and responding to, attacks from a ‘sophisticated’ adversary. He declined to name who, though it is widely speculated to be China, and the announcement itself appears aimed at deterring further attacks.
An advisory note from the Australian Cyber Security Centre (ACSC) dubbed them ‘copy-paste compromises’ because of the threat actor’s heavy use of open source tools and proof-of-concept exploits. If those don’t work, spear-phishing is used as an alternative technique.
That’s not particularly ‘sophisticated’, though any campaign targeting government departments, agencies, critical infrastructure and essential services is certainly operating at scale. Adopting ‘copy-paste’ techniques also helps to muddy the waters on any public attribution.
Six former eBay employees charged for outrageous cyberstalking campaign
A particularly egregious campaign was mounted by six former eBay employees against a husband-and-wife blogging team critical of the company. “As alleged in the complaint, [it is] a systematic campaign, fueled by the resources of a Fortune 500 company, to emotionally and psychologically terrorize this middle-aged couple,” said attorney Andrew Lelling. A Halloween mask of a bloodied pig, fly larvae and spiders, and a funeral wreath were amongst the items sent to intimidate the couple. eBay’s former senior director of ‘safety and security’ and five co-conspirators have been charged with cyberstalking, a charge carrying up to five years in prison. wired.com
South Africa’s post office bank has to replace all of its customers’ payment cards
If you’re running a Public Key Infrastructure (PKI) used to encrypt or digitally sign data, then your people and processes play an absolutely critical part in its security, more so than technical measures, and so it’s probably not good if you’re a bank and an employee was able to print out the master key used in all your payment cards. South Africa’s Postbank has found that out the hard way: 25,000 fraudulent transactions totalling $3.2M were made between March and December 2019. Over 12 million customer cards are being replaced at a cost of approximately $58M. Master key material should be kept isolated (generated and used inside an HSM, never exported in the clear), with no single individual able to reconstruct it. zdnet.com
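What “no single individual able to reconstruct it” looks like in code, as an added example (not from the article, and not how Postbank’s systems work): the master key is split with Shamir secret sharing into five custodian shares, any three of which recover it, while two colluding custodians learn nothing. The 16-byte key, the 5-of-3 policy and the field prime are assumptions for the demonstration; in a real deployment the key lives in an HSM and shares are used only for backup and key ceremonies.

```python
"""Split-knowledge custody of a master key with Shamir secret sharing.

Added example, not part of the original article. Arithmetic is over
GF(p) with the Mersenne prime p = 2**521 - 1, large enough to hold any
key of up to 64 bytes as a single field element.
"""
import secrets
from typing import Callable, Dict, List, Tuple

P = (1 << 521) - 1  # prime field modulus (M521)

Share = Tuple[int, int]  # (x coordinate, f(x))


def split_key(secret: bytes, n: int, k: int,
              randbelow: Callable[[int], int] = secrets.randbelow) -> List[Share]:
    """Split `secret` into n shares so that any k of them reconstruct it.

    k must be at least 2: a threshold of 1 would let a single custodian
    recover the key, which is exactly the control failure to avoid.
    """
    if not 2 <= k <= n:
        raise ValueError("need 2 <= k <= n")
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret too large for the field")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [s] + [randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner's rule: y = f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_int(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0 over the supplied shares.

    With k or more shares this is the secret; with fewer it is a
    uniformly random field element that reveals nothing about it.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shares")
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * xm % P
                den = den * (xm - xj) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total


def combine_shares(shares: List[Share], key_len: int) -> bytes:
    """Reconstruct the key bytes; fails loudly if the quorum was not met."""
    value = recover_int(shares)
    if value >= 1 << (8 * key_len):
        raise ValueError("reconstruction failed: not enough or wrong shares")
    return value.to_bytes(key_len, "big")


def custody_demo() -> Dict[str, bool]:
    """Constructed scenario: five custodians, quorum of three."""
    master_key = secrets.token_bytes(16)  # stand-in for a card master key
    shares = split_key(master_key, n=5, k=3)
    # Custodians 1, 3 and 5 together reconstruct the key.
    quorum_ok = combine_shares([shares[0], shares[2], shares[4]], 16) == master_key
    # Custodians 1 and 2 colluding get a random field element, not the key.
    partial = recover_int(shares[:2])
    partial_fails = partial != int.from_bytes(master_key, "big")
    return {"quorum_recovers": quorum_ok, "partial_fails": partial_fails}


if __name__ == "__main__":
    print(custody_demo())
```

The shares themselves still need protecting (separate custodians, separate safes), but an insider who prints one share, as opposed to the whole key, has nothing usable on its own.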
How to spot and avoid like-farming
The Facebook, rather than the field, type. Some great public engagement from Leicestershire Police around some of the ‘like-farming’ scams doing the rounds at the moment. This one focussed on the chance to win luxury motorhomes or ‘tiny homes.’ As ever, if it sounds too good to be true, it probably is. They go on to explain why cyber-criminals want you to like and promote their pages. Great, accessible content. Bravo! (H/T Helen C!) facebook.com/leicscyberaware/
Attacks, incidents & breaches
- Magecart card skimmer found on websites of Claire’s Accessories, Intersport and Icing zdnet.com
- 845GB of explicit photos and messages found in unsecured AWS S3 buckets of nine dating apps linked to white label provider wired.com
- U.S. chip maker MaxLinear victim of Maze ransomware attack bleepingcomputer.com
- Malware attack ’isolated’ at Crozer-Keystone Health System in Philadelphia claimed by Netwalker ransomware group, who are described as ‘relatively new but very innovative’ by Recorded Future cyberscoop.com
- North Korea’s Lazarus group used LinkedIn and fake job offers to infiltrate targets at defence companies, stole proprietary information, then engaged in Business Email Compromise scams, according to ESET zdnet.com
- AcidBox malware repurposes Turla group exploit, uses it against Russian targets paloaltonetworks.com
- 111 Chrome browser extensions, downloaded 33M times, removed after slurping personal data, screenshots to Israeli company GalComm arstechnica.com
- Remote exploit for 79 models of Netgear router, released over the last thirteen years, published cyberscoop.com
- Turning security controls against you: turn on multi-factor authentication, before cyber-criminals do, and permanently lock you out of your account krebsonsecurity.com
- A redacted report from 2017 investigating the ‘Vault 7’ leak was published this week. Somewhere between ‘180GB to 34TB’ of CIA data was obtained by WikiLeaks. The conclusions read like an audit report for many organisations: monitoring blindspots, shared administrator passwords, poor control of removable media, and having ‘woefully lax’ security practices arstechnica.com
- Anti-malware ‘Control-flow Enforcement Technology’ (CET) to debut in Intel’s new ‘Tiger Lake’ CPUs arstechnica.com
- Microsoft Defender ATP now detects firmware (BIOS/UEFI) malware on Windows 10 bleepingcomputer.com
- Message claims encrypted phone company ‘EncroChat,’ used widely by criminals, has been taken over by law enforcement. This type of access would give law enforcement significant intelligence on criminal activities. I suspect this won’t be the last we hear of this! vice.com
Mergers, acquisitions and investments
- Security assurance software provider Spanugo acquired by IBM for undisclosed terms zdnet.com
Economic realities are biting ransomware groups
A blunder by the Maze ransomware group saw them target a group of New York architects rather than a Canadian standards body, due to “work pressures” from the economic downturn of COVID-19. Both organisations go by the moniker ‘CSA Group,’ with one owning the .com and the other the .org domain name. theregister.com