
Robin’s Newsletter #145

FatFace IR comms 'confidential' while losing 200GB of data. Cyber insurer CNA may have been targeted for policy info. OSINT on the Ever Given.

 Vol. 4  Iss. 13  28/03/2021   Robin Oldham  ~6 Minutes


This week

FatFace’s lesson in how not to handle a cyber crisis

U.K. clothing retailer FatFace reportedly paid a £1.9 million ($2.65M) ransom to cybercriminals following a double-extortion attack that saw both customer and employee data stolen. Customers’ names, email and postal addresses, and the last four digits of their credit cards were taken, while employees’ bank and national insurance details were exposed.

The negotiations between FatFace and the Conti ransomware gang have been published by Computer Weekly and provide insight into how these conversations play out.

The criminal gang used information on the financial turnover of the business, and its cyber insurance premium, to guide the ‘price’ they were asking for. The attack itself took place on 17th January, a week after the gang gained a foothold via a phishing email on 10th January. Around 200GB of data was exfiltrated over that period.

Some recommendations were provided as the negotiations concluded: Cylance or Carbon Black are the preferred endpoint detection and response vendors of the Conti gang. Though I’ll be honest: I’m not sure whether that’s because the group thinks they would be good at preventing repeat attacks or, well, not!

When the company finally issued a breach notification to customers, it was labelled ‘strictly private and confidential’ and requested that customers “please do keep this email and the information included within it strictly private and confidential.” The irony hasn’t been lost on their customers, with a backlash on Twitter and a string of negative reviews for the company on Trustpilot.

The nature of FatFace’s response communications strategy - to minimise publicly available information about the breach - makes it extremely difficult for recipients to verify the authenticity of the message. That’s despite the message encouraging recipients to phone a telephone number for an identity protection service. Sounds phishy, right?

Another consistent complaint in the negative reviews is the length of time between FatFace becoming aware of the incident and notifying customers: over two months elapsed between the incident and customer notification. The company chalks that up to the time needed to classify its data and conduct a thorough investigation so that it could notify only those who had been affected.

Two months for those sorts of exercises sounds about right. The issue, however, is the increased risk that both previous and new customers may have been exposed to during that period.

Customer sentiment has been damaged by the handling of the incident, and while major press coverage may have been avoided, time will tell what consequences that has on FatFace’s retail business.

computerweekly.com, theregister.com, grahamcluley.com, techcrunch.com

Interesting stats

5x more likely for your email domain to be used for phishing emails if you don’t have DMARC enabled, according to Valimail zdnet.com

92% of Microsoft Exchange Servers are now (22nd Mar) patched against ProxyLogon, a 43% improvement on the previous week; however, ~30,000 still remain vulnerable, according to Microsoft and RiskIQ twitter.com

69,950 COVID-related phishing URLs observed by Palo Alto in 2020 theregister.com

£479M lost to SMS scams in the U.K. in 2020, according to UK Finance ft.com
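The DMARC statistic above is only useful if you know what “having DMARC enabled” actually means for your own domain: a record with p=none, or one that applies its policy to a fraction of failing mail, still lets spoofed messages through. The following is an added example, not code from the newsletter or from Valimail, that parses a DMARC TXT record into its tags and grades it, with a few constructed records (hypothetical .example domains) for weak and corrected configurations. It assumes you have already fetched the TXT record at _dmarc.<domain> with your resolver; the lookup itself is not shown so the code runs offline.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample DMARC TXT records for hypothetical domains (not real lookups).
# In practice each of these would be the TXT record found at _dmarc.<domain>.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "no-dmarc.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "strict.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strict.example",
}


def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """Split a DMARC record into its tag=value pairs (RFC 7489 tag-value list).

    Returns None when the domain has no record; raises ValueError on malformed input.
    """
    if record is None:
        return None
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record is not a DMARC1 record")
    return tags


def assess(record: Optional[str]) -> Tuple[str, List[str]]:
    """Grade a record as 'missing', 'invalid', 'weak' or 'enforcing', with findings."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing", ["no DMARC record: receivers have no policy to apply to spoofed mail"]
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", [f"p= tag missing or unrecognised: {policy!r}"]
    findings: List[str] = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid", [f"pct= is not an integer: {tags['pct']!r}"]
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    # sp= defaults to p=, so an explicit sp=none undoes an otherwise enforcing policy for subdomains.
    if policy != "none" and tags.get("sp", policy) == "none":
        findings.append("sp=none leaves subdomains unprotected even though p= is enforcing")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return ("enforcing" if enforcing else "weak"), findings


def recommended_record(domain: str) -> str:
    """The corrected configuration for a domain whose legitimate senders already pass SPF/DKIM alignment."""
    return f"v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@{domain}"


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        grade, findings = assess(record)
        print(f"{domain}: {grade}")
        for finding in findings:
            print(f"  - {finding}")
```

The grading is deliberately conservative: only p=quarantine or p=reject applied to 100% of failing mail counts as enforcing, because a monitoring-only or partial policy is exactly the state in which a domain still gets used for phishing. Move to the recommended record only after the aggregate (rua) reports show your own mail streams are aligned, otherwise legitimate mail is rejected too.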

Other newsy bits

Security features in the new fifty-pound note

A rendering of the back of the new £50 note featuring Alan Turing

Source: Bank of England

The new £50 note features Alan Turing, famous for his work developing computers and code-breaking at Bletchley Park during World War II. While the security features of the note aren’t strictly cyber, it’s a chance to celebrate Turing and geek out at how they are designed to make the note more difficult to counterfeit. bankofengland.co.uk

Breach at insurer CNA

The website, email and other systems at U.S. insurance company CNA have been down for most of this week following a suspected ransomware attack using the Phoenix Locker malware. However, the primary objective of the attackers may have been the policy data that the company holds.

CNA is one of the top 10 providers of cyber insurance in the U.S. The policy data they hold, outlining what is or isn’t covered, and to what limits, would be extremely valuable to cyber criminals wishing to surgically strike insured organisations knowing they have the means to ‘pay up’. (In the FatFace story, above, the attackers had identified the cyber insurance policy and referred to it when negotiating payment.)

If that data has been compromised, the threat faced by CNA’s customers is likely to be elevated for the foreseeable future. cyberscoop.com, bleepingcomputer.com

In brief

Attacks, incidents & breaches

  • A dozen U.K. local councils were sending out debt-chasing text messages with links that could be trivially enumerated to get the details of other debtors including name, address, and amount outstanding theregister.co.uk
  • Cybercrime forum Carding Mafia breached, exposing emails, IP addresses, usernames and hashed passwords of almost 300,000 users vice.com
  • Australian TV disrupted as Nine Network struggles to fix ‘technical issues’ of cyber-attack theguardian.com
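The council text-message story is the classic enumerable-link problem: the only thing in the URL is a sequential record ID, and nothing ties the link to the person it was sent to. The following is an added example, not code from the newsletter or from any council’s system, that shows that pattern beside a hardened one: a high-entropy, expiring token stored server-side, plus confirmation of a detail that the SMS itself never contained. The debtor records, the council.example host and the postcode check are all constructed for the illustration.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample debtor records keyed by a sequential internal ID (hypothetical data).
DEBTORS: Dict[int, Dict[str, str]] = {
    1001: {"name": "A. Example", "address": "1 Sample Street", "postcode": "AB1 2CD", "outstanding": "£120.00"},
    1002: {"name": "B. Example", "address": "2 Sample Street", "postcode": "EF3 4GH", "outstanding": "£45.50"},
}


def vulnerable_link(debtor_id: int) -> str:
    """The pattern in the story: the internal ID is the only 'secret' in the URL."""
    return f"https://council.example/debt?id={debtor_id}"


def vulnerable_lookup(debtor_id: int) -> Optional[Dict[str, str]]:
    """No check that the requester is the record's owner, so stepping the ID reveals other people's data."""
    return DEBTORS.get(debtor_id)


# Hardened design: a random, expiring token maps to exactly one record on the server side,
# and the page only renders after the recipient confirms something not present in the SMS.
TOKEN_TTL_SECONDS = 7 * 24 * 3600
_tokens: Dict[str, Tuple[int, int]] = {}  # token -> (debtor_id, expiry); a DB table in real use


def issue_link(debtor_id: int, now: int) -> str:
    """Generate a link whose token has 256 bits of entropy and therefore cannot be enumerated."""
    token = secrets.token_urlsafe(32)
    _tokens[token] = (debtor_id, now + TOKEN_TTL_SECONDS)
    return f"https://council.example/debt?t={token}"


def token_from_link(link: str) -> str:
    """Extract the token query parameter from a link produced by issue_link()."""
    return link.split("?t=", 1)[1]


def _normalise_postcode(value: str) -> str:
    return value.replace(" ", "").upper()


def hardened_lookup(token: str, now: int, postcode_entered: str) -> Optional[Dict[str, str]]:
    """Resolve a token; unknown, expired or unconfirmed requests all return None and leak nothing."""
    entry = _tokens.get(token)
    if entry is None:
        return None
    debtor_id, expires_at = entry
    if now > expires_at:
        _tokens.pop(token, None)  # expired links are discarded rather than left resolvable forever
        return None
    record = DEBTORS.get(debtor_id)
    if record is None:
        return None
    # Constant-time comparison so the response timing does not reveal how close a guess was.
    expected = _normalise_postcode(record["postcode"])
    if not hmac.compare_digest(_normalise_postcode(postcode_entered), expected):
        return None
    return record


if __name__ == "__main__":
    print("vulnerable:", vulnerable_link(1001), "->", vulnerable_lookup(1002))
    link = issue_link(1001, now=0)
    print("hardened:  ", link, "->", hardened_lookup(token_from_link(link), now=60, postcode_entered="AB1 2CD"))
```

The difference to keep in mind when reviewing a notification flow is the size of the space a recipient can wander through: a four-digit sequential ID is a few thousand guesses, while a 32-byte random token is not guessable at all, and the expiry plus the postcode confirmation limit the damage even if a link is forwarded or ends up in a shared inbox.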

Threat intel

  • BlackKingdom ransomware targeting Microsoft Exchange servers arstechnica.com
  • U.K. universities and schools being targeted by ransomware gangs since reopening theregister.com
  • Microsoft warns of continued use of compromised marketing email tools in phishing campaigns bleepingcomputer.com
  • Purple Fox botnet gains capability to spread by scanning, exploiting weak passwords on local networks zdnet.com
  • Hades ransomware campaign, linked to Evil Corp, targeting U.S. organisations with over $1BN revenue zdnet.com
  • Clop ransomware gang starts emailing customers of ransomware victims to amp-up pressure to pay ransom demands bleepingcomputer.com

Vulnerabilities

Security engineering

  • Cloudflare ‘Page Shield’ service alerts site owners to changes in the JavaScript their pages load, in a bid to catch MageCart-style attacks zdnet.com
  • Microsoft rolls out passwordless authentication to Azure and hybrid deployments microsoft.com

H/T To Niall for pointing out this auto-correct fail last week, that rather changed the meaning:

  • Microsoft Defender Antivirus will not now automatically mitigate Exchange Server vulnerabilities zdnet.com

Internet of Things

  • Honeywell has “returned to service” after ‘limited’ number of systems disrupted by malware cyberscoop.com

Public policy

  • NCSC chief “The pace of change is no excuse – in boardrooms, digital literacy is as non-negotiable as financial or legal literacy. Our CEOs should be as close to their CISO as their finance director and general counsel.” zdnet.com

Law enforcement

  • IT contractor sentenced to two years and ordered to pay $567K remediation costs to company where he deleted 1,200 Office 365 accounts in act of revenge theregister.com

And finally

Applying OSINT techniques to the Ever Given

A great example of how open source intelligence (OSINT) techniques can be used to gain a better understanding of a situation. In this case, the Ever Given being lodged in the Suez Canal. Worth a read to understand why freeing the ship may take a little more than that ‘little digger’. bellingcat.com