Home / Robin's Newsletter

Robin’s Newsletter #111

 Vol. 3  Iss. 31  02/08/2020, last updated 09/08/2020   Robin Oldham  ~6 Minutes

This week

Ransomware payments encourage more ransomware

It’s been a rewarding week for ransomware gangs. Garmin services have started coming back online following reports that the company ‘obtained the decryption key’ presumably by paying the ransom. Meanwhile, corporate travel agent CWT paid $4.5M to get out of their ransomware incident.

The CWT case is interesting as Jack Stubbs’ tweets shaw, with publicly available chat logs between CWT and the Ragnar Locker operators that giving an insight into the negotiations from a $10M demand down to their $4.5M payment.

These are not, by-and-large, sophisticated attacks. Password reuse or lack of multi-factor authentication allows ransomware gangs to gain a foothold. Just because something is basic doesn’t mean that it is easy to delivery perfectly and consistently. Ask any professional athlete. Doing so at scale - be it a large organisation, or as a whole nation - is both extremely difficult and extremely costly.

The individuals behind many high-profile ransomware gangs are known to law enforcement, such as ‘Evil Corp,’ a Russian cyber-crime group believed to be behind the Garmin incident. To curtail the group the U.S. has levied sanctions as a policy measure against members of Evil Corp and offered a $5M reward for information that leads to a conviction against its leader, Maksim Yukabets.

Sky News claim Garmin made payment via an intermediary, a move that is potentially to avoid falling foul of sanctions. That may or may not be sufficient to keep it out of the eye of U.S. Treasury officials, though Forbes points out that the payment may be tax-deductible.

The No More Ransom project turned four years old this week too and claims to have saved companies $632M by researching and making decryptors to popular ransomware strains available for free.

Another non-technical policy option available the legislators — and that in the U.K supports NCSC’s mission to “make the UK the safest place to live and work online” — is to blanket make the payments of ransomware demands illegal.

The Times reports cost UK businesses £200M in the last year alone and the legislation. Removing the ability for UK company directors to authorise payments makes them a much less attractive target for financially-motivated attackers.

sky.com, reuters.com, @jc_stubbs tweets, theguardian.com, forbes.com, bleepingcomputer.com (No More Ransom) thetimes.co.uk

Interesting stats

£22M set aside by British Airways in their financial results for ‘any penalty issues by the ICO,’ that is 90% lower than the proposed in the (currently deferred (vol. 3, iss. 14)) original ICO intention to fine mishcon.com

Phishing pages are disposable: 9 hours from first visit to detection of phishing pages, that last 21 hours on average from first to last victim, with 5.19 days typical for attackers to use stolen credentials, and 6.92 days for the credentials to appear in dumps on criminal forums, according to researchers from Google, PayPal, Samsung, and Arizona State University that studied 22,553,707 user visits to 404,628 phishing pages zdnet.com

27% of 115 supply chain attacks analysed by the Atlantic Council from the last decade involved hijacking of legitimate software updates atlanticcouncil.org

31% of the UK cyber industry is female, according to a new survey of 1,252 people conducted by NCSC and KPMG, markedly higher than previous studies (~15-20%), 11% identify as lesbian, gay, bisexual or transexual (LGBT), and 13% identify as Black, Asian, Minority Ethnic (BAME) ncsc.gov.uk

Other newsy bits

The EU imposes its first ever cyber sanctions

Dipping into the ‘cyber diplomacy toolbox’ the Council of the EU brought travel bans and frozen the assets of six individuals and three Russian, Chinese and North Korean entities. The sanctions target those behind attacks on the OPCW (Organisation for the Prohibition of Chemical Weapons) and behind WannaCry, NotPetya, and Operation Cloud Hopper. europa.eu, bloomberg.com

Three charged with Twitter compromise

Quick work from law enforcement that this week: The U.S. Department of Justice brought charges against one UK and two US-based individuals. The charges come just over a fortnight (vol. 3, iss. 29) since 45 mostly high-profile Twitter accounts were hijacked to promote a cryptocurrency scam. Twitter also confirmed that a ‘phone spear phishing’ was the mechanism by which the attackers gained their initial access to Twitter’s systems. bbc.co.uk, wired.com, techcrunch.com

Vulnerability in ‘GRUB2’ Secure Boot loader

When you power on a computer there is a small simple programme whose job is to load the more complex operating system. GRUB is one such ‘boot loader’ that is used in almost all Linux, and some Windows computers to get them going. Part of its job can be ‘secure boot’ checks that confirm that nothing has tampered with the underlying system code. A vulnerability in GRUB can lead to a buffer overflow and an attacker being able to replace legitimate firmware with compromised code at the level below your operating system. There’s an accessible write up of the bug and issues over on the Capsul8 blog written by Kelly Shortridge.

That’s bad news because most security controls operate within the operating system, and this means victims wouldn’t be able to trust their operating system. It’s exacerbated as Linux is a popular operating system for the embedded systems and Internet of Things devices used within operational technology environments.

It is also going to be difficult and take a long time to fix. Partly because it’s such a fundamental component, and also because it involves updating the allow lists and block lists used to verify the updates themselves. (The first wave of patches from Red Hat, Ubuntu, Debian, CeentOS and Fedora Linux distributions are preventing some users from booting their systems (see ZDNet.)) cyberscoop.com, capsul8.com, zdnet.com

In brief

Attacks, incidents & breaches

  • ‘Grab the hard drives and run!’ Good ol’ fashioned theft of data at Walgreens as burglars make off with 70,000 customer’s prescriptions cyberscoop.com
  • Account details of up to 2.5M customers of alcohol delivery startup Drizly compromised techcrunch.com
  • Australian ISP Telstra’s DNS servers knocked offline by DDoS zdnet.com
  • Data from eighteen(!) startups leaked by ShinyHunters bleepingcomputer.com

Threat intel

  • Pro-Russian group dubbed Ghostwriter compromised legitimate news sources to spread fake news in disinformation campaign wired.com, theguardian.com
  • Emotet malware now steals and includes legitimate email attachments, alongside poisoned files, to add legitimacy in spoofed replies to email threads bleepingcomputer.com
  • North Korea targeting defence and military contractors by posing as recruiters and sending malware-laden job descriptions cyberscoop.com

Security engineering

  • Good description of homomorphic encryption - being able to perform calculations on encrypted data - here arstechnica.com
  • Useful tool from CyberArk, dubbed SkyArk, that scans AWS, Azure infrastructure for misconfigured accounts zdnet.com

Internet of Things

  • 45 Netgear wifi routers will not receive fix for software upgrade vulnerability theregister.com
  • Firmware update to 3D printers can cause them to overheat and catch fire theregister.com
  • QNAP NAS users warned of QSnatch data-stealing malware, urged to update by US CISA, UK NCSC alert cisa.gov

Privacy

  • US retail chain Rite Aid had deployed facial recognition tech to hundreds of stores over the last eight years to ‘prevent thefts and protect staff’ reuters.com

Public policy

Law enforcement

  • 30-year-old Moldovan national Valerian Chiochiu plead guilty to being part of the $’568M Infraud’ cyber-crime group cyberscoop.com
  • Operator of GandCrab ransomware arrested in Belarus. The group announced they were to ‘retire’ last year (vol. 2, iss. 22) bleepingcomputer.com

Mergers, acquisitions and investments

  • Mimecast acquires behavioural analytics firm MessageControl zdnet.com

And finally

Email distribution biz Substack replies-all to new privacy policy

Substack, an email newsletter platform, sent out an update to its privacy policy via email with 500 of its customers in the ‘To,’ rather than ‘BCC,’ line. The company say it is ‘aware of the irony.’ Oops! theregister.com