
Robin’s Newsletter #125

Nothing cyber happened in the US election. Corporate VOIP systems being targeted. Don't pay ransomware gangs to not leak your data.

Vol. 3 Iss. 45 | 08/11/2020, last updated 15/11/2020 | Robin Oldham | ~5 minutes


This week

US Election free from cyber-attack

The big news this week is also a non-event: the US election went off without any reported cyber-attacks.

Director of the US Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, released a statement saying that “after millions of Americans voted, we have no evidence any foreign adversary was capable of preventing Americans from voting or changing vote tallies.”

That doesn’t mean there isn’t room for improvement - there are vulnerabilities in voting and tabulation machines and so on (though these have been reported in a somewhat sensationalist manner) - but human oversight and audit provide a meaningful control to manage such risk.

The processes by which officials are elected in the US vary hugely. These differences occur not just state-by-state, but also at the precinct level. A cyber-attack against an election system where different precincts use different voting machines requires a substantial amount of coordination to pull off at scale, especially if you don’t want to get caught doing it, and plausible deniability will be high on the list of any foreign adversary.

The economic reality is that it is far easier and more cost-effective to attempt to influence the public by using social media accounts and groups to spread misinformation than it is to conduct a cyber-attack.

Keith Richards was right: Talk is cheap.

cisa.gov

Interesting stats

10% increase (723 total) in incidents dealt with by NCSC in the year to 31st August 2020 compared with 2019; 27% of 2020’s incidents related to Covid-19 theguardian.com, ft.com

31% increase, to $233K, in the mean ransomware payment in the last quarter, but only a 2% increase, to $110K, in the median, indicating some larger outliers, according to Coveware [see Don’t Pay… below]

Other newsy bits

Corporate VOIP systems being targeted to call premium rate numbers

New research from CheckPoint this week calls attention to corporate voice over IP (VOIP) phone systems that are being targeted by cyber-criminals.

Phone systems built on software from Sangoma and Asterisk are particularly susceptible. A vulnerability in both, which can be exploited without requiring any authentication, was patched last year; however, phone systems are often difficult to schedule downtime for and are frequently overlooked by IT teams.

One group has racked up an estimated 1,200 victims, according to CheckPoint, with over half of those victims being in the UK.

Once inside the company’s phone network the usual activities are to dial premium-rate numbers (owned by the attackers) or to sell ‘unlimited’ VOIP packages to other users on the Internet.

If you run a VOIP phone system, especially if it runs on Asterisk, you should check to see if there are any outstanding updates and audit accounts for unauthorised use. zdnet.com, checkpoint.com
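One way to do the account audit suggested above is to review the PBX’s call detail records for the tell-tale calls (premium-rate destinations, long international calls at odd hours). The script below is an added example, not from the original post or from CheckPoint: it assumes Asterisk’s cdr_csv Master.csv column layout, uses constructed sample rows, and the premium-rate prefix list, business hours and duration threshold are assumptions to adapt to your own country and call profile.

```python
"""Audit Asterisk CDR rows for signs of toll fraud (premium-rate or
after-hours outbound calls). Added example: column layout follows Asterisk's
cdr_csv Master.csv; sample rows, prefixes and thresholds are constructed/assumed."""
import csv
from datetime import datetime
from io import StringIO

# Asterisk cdr_csv Master.csv column order (Asterisk writes no header row).
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
              "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
              "duration", "billsec", "disposition", "amaflags", "uniqueid"]

# Constructed sample: a normal local call, a premium-rate call, and a long international call at 03:17.
SAMPLE_CDR = '''"","1001","02079460000","from-internal","1001","SIP/1001-0001","SIP/trunk-0002","Dial","SIP/trunk/02079460000","2020-11-09 10:15:02","2020-11-09 10:15:05","2020-11-09 10:20:11","309","306","ANSWERED","3","1604916902.1"
"","1001","09061234567","from-internal","1001","SIP/1001-0003","SIP/trunk-0004","Dial","SIP/trunk/09061234567","2020-11-09 11:02:10","2020-11-09 11:02:12","2020-11-09 11:42:12","2402","2400","ANSWERED","3","1604919730.3"
"","1004","0012125551234","from-internal","1004","SIP/1004-0005","SIP/trunk-0006","Dial","SIP/trunk/0012125551234","2020-11-10 03:17:44","2020-11-10 03:17:50","2020-11-10 04:17:50","3606","3600","ANSWERED","3","1604978264.5"
'''

PREMIUM_PREFIXES = ("09", "087", "084")  # assumption: UK premium / higher-cost dialling prefixes
BUSINESS_HOURS = range(8, 19)            # assumption: 08:00-18:59 local time is normal calling time
MAX_BILLSEC = 1800                       # assumption: billed calls over 30 minutes are worth a look

def is_suspicious(rec):
    """Return the reasons a CDR row looks like toll fraud (empty list if none)."""
    reasons = []
    dst = rec["dst"]
    start = datetime.strptime(rec["start"], "%Y-%m-%d %H:%M:%S")
    if dst.startswith(PREMIUM_PREFIXES):
        reasons.append("premium-rate destination")
    if dst.startswith("00") and start.hour not in BUSINESS_HOURS:  # 00 = international prefix
        reasons.append("international call outside business hours")
    if int(rec["billsec"]) > MAX_BILLSEC:
        reasons.append("unusually long billed call")
    return reasons

def audit_cdr(text):
    """Parse Master.csv text; return {uniqueid: (src, dst, reasons)} for flagged calls only."""
    flagged = {}
    for rec in csv.DictReader(StringIO(text), fieldnames=CDR_FIELDS):
        reasons = is_suspicious(rec)
        if reasons:
            flagged[rec["uniqueid"]] = (rec["src"], rec["dst"], reasons)
    return flagged

if __name__ == "__main__":
    for uid, (src, dst, why) in audit_cdr(SAMPLE_CDR).items():
        print(f"{uid}: extension {src} -> {dst}: {', '.join(why)}")
```

Flagged extensions (1001 and 1004 in the sample) are the accounts whose credentials and dial-plan permissions you would then review.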

Don’t pay ransomware gangs to delete your stolen data

Ransomware has continued to be a dominating threat to organisations in 2020 and, as shown in the stats above, payments continue to increase. Cyber-criminal gangs are targeting larger organisations and, increasingly, are stealing data as well as encrypting it.

They then make two demands: one to decrypt files and one not to leak the stolen files. Approximately half of the ransomware cases now involve the theft of sensitive data.

However, a report from Coveware highlights why paying is no guarantee that the copied data will be purged: victims of Sodinokibi were extorted multiple times within weeks with threats to post the same data; Egregor (and related) groups have posted data before victims have had the chance to make contact; while Netwalker and Mespinoza have posted the data of companies that had paid for it not to be leaked.

There is, shockingly, no honour among thieves.

Whether you choose to pay or not, the data has been stolen, and notifications may legally be required under data protection regulations. It’s better for businesses to focus on their legal obligations than to ‘pay and hope’ that they can control the outcome. krebsonsecurity.com, coveware.com

Tracking what people are typing on video calls

It’s not hugely accurate, but some very cool research on tracking how a user’s arms are moving and extrapolating what they may be typing from their feed on video calls. Careful what you’re typing in the sidebar! schneier.com

In brief

Attacks, incidents & breaches

  • Mattel suffered ransomware attack in July, response plans prevented financial and operational impact zdnet.com
  • Games company Capcom victim of RagnarLocker ransomware group, which is demanding $11M and claims to have stolen 1TB of data bleepingcomputer.com
  • RagnarLocker also hit Italian beverage co Campari, demanding $15M bleepingcomputer.com
  • Brazil’s Superior Tribunal de Justiça, the country’s second-highest court, hit by ransomware attack, disrupting legal proceedings for one week theregister.com

Threat intel

  • Maze ransomware group shuts up shop, won’t leak any more data, denies creating a cartel bleepingcomputer.com
  • Solaris vulnerability used to breach corporate defences zdnet.com

Vulnerabilities

Security engineering

  • FireEye release ThreatPursuit VM, a virtual machine for threat intel analysts containing open-source investigation tools fireeye.com

Privacy

  • Google’s reCAPTCHA under the spotlight for triangulating cookies used to serve ads theregister.com

Law enforcement

  • DOJ has seized $1BN of cryptocurrency proceeds of the Silk Road dark web marketplace from wallet that has remained dormant since 2015 vice.com

And finally

Tech support scammer called Australia’s cybercrime squad

An interesting source of intelligence for the cybercrime unit of South Australia’s police force this week: the tech support scammers themselves. While dialling random telephone numbers, the fraudsters dialled the police, who proceeded to keep them on the line and gather information on the tools they were using. theregister.com