Home / Robin's Newsletter

Robin’s Newsletter #153

Lots of ransomware: Ireland's HSE will not pay. Colonial coughed up $4.4M'. But there are Technology Detection Dogs. And they're very good dogs!

 Vol. 4  Iss. 21  23/05/2021, last updated 30/05/2021   Robin Oldham  ~8 Minutes

Subscribe to Robin's Newsletter

It’s all ransomware this week. Sorry about that. Though some long reads on the RSA breach and Apple’s operations in China are well worth the time. Perhaps we need a ‘troop surge’ of cyber prosecutors to deal with ransomware gangs?

This week

Irish health service ransomware incident continues to unfold

Public healthcare in Ireland is still being disrupted as the country’s Health Services Executive enters the second week responding to a ransomware attack linked to the Conti group. The HSE has said there are up to 2,000 systems that need checking and around 80,000 devices to check too.

In a public relations move, on Thursday the attackers provided a decryption key to aid restoration of services but said confidential data would be released on Monday if a ransom payment was not made.

The criminals say they have stolen 700GB of data and are demanding $19,99M to not disclose the data publicly. Micheál Martin, Ireland’s Taoiseach (prime minister), has said they will not pay the attackers demands. Samples posted online have included patient contact and medical records, employment contracts, payroll data and other financial information. The samples have been described as ‘credible’ and Irish authorities have warned that the data may be abused.

Dublin’s High Court has issued an injunction to prevent the ‘sharing, processing, selling or publishing any data stolen’. The move will prohibit legitimate websites, like Google, Facebook and Twitter, from hosting the content and therefore limit its exposure.

Meanwhile, it appears the same group was in the process of trying to launch an attack on Ireland’s Department of Health at the same time, but that was discovered when Cobalt Strike malware was dropped on endpoints. On the other side of the globe, non-urgent treatments in a district of New Zealand’s North Island have also been suspended as teams battle with a ‘cybersecurity incident’ that sounds eerily similar.

The Record has an interview with Jason Lewkowicz, CISO at Cognizant, on the emotional impact that dealing with ransomware attacks has on those defending companies. The long days and pressure you might expect, but the length of time it takes to get back to normal may surprise you. Especially when customers are demanding calls to discuss the impact and understand how they can prevent it from happening to themselves for months afterwards.

bbc.co.uk, bleepingcomputer.com (DoH), zdnet.com (data abuse), ft.com (injunction), cyberscoop.com (New Zealand), therecord.media (emotional impact)

Interesting stats

48% increase in ‘stalker ware’ detections on Android in 2020, according to ESET, who say they also found 150 security issues across 58 apps they investigated, meaning stalkers may be exposing their own information welivesecurity.com

2,200 acts of fraud are committed every day in the U.K. theguardian.com

30% of attacks start with compromise of RDP, and 69% of attacks involve RDP at some point, according to Sophos zdnet.com

Other newsy bits

Axa suspends ransomware payments in France, Asian operations hit by attack

Axa’s business in Thailand, Malaysia, Hong Kong, and the Philippines have been hit by a ransomware attack, shortly after the French-headquartered firm suspended ransom payments for policyholders in France. The events are a coincidence. The Avaddon group has claimed responsibility and posted a sample of three terabytes of data that they claim to have exfiltrated from the company’s Asian operations. The data includes policies, claims forms, medical diagnoses and other personal and payment information. The compromise occurred at a subsidiary that offers assistance with medical claims across the region. ft.com, bleepingcomputer.com

Colonial paid $4.4M to ransomware group, will face congressional grilling

Colonial Pipeline’s CEO, Joseph Blount, authorised the payment to the DarkSide ransomware operators because it was the “right thing to do for the country.” The payment was made the day after the attackers locked up Colonial’s IT systems and the company chose to suspend operations to ensure the safety of its pipeline. Blount will appear before the House of Representative’s Homeland Security Committee in a few weeks, and will surely face intense questioning, and how the company engaged with law enforcement. Representative Jim Langevin, who sits on the committee tweeted “freezing out the FBI and [the Cybersecurity and Infrastructure Security Agency] is not ‘good for the country’” wsj.com, cyberscoop.com

Long reads

RSA breach

Andy Greenberg has a long read on the 2011 breach at RSA that saw Chinese military attackers make off with the ‘seeds’ needed to spoof the eponymous two-factor authentication tokens. Well worth a read.

As the recovery effort got under way, one executive suggested they call it Project Phoenix. Coviello immediately nixed the name. “Bullshit,” he remembers saying. “We’re not rising from the ashes. We’re going to call this project Apollo 13. We’re going to land the ship without injury.” wired.com

Apple’s Chinese compromises

Another interesting read from the New York Times on the different ‘sides’ to Apple as the company tries to balance a supply chain reliance and valuable market with the civil liberty and privacy ideals core to their brand.

Apple now assembles nearly all of its products and earns a fifth of its revenue in the China region. But just as Mr. Cook figured out how to make China work for Apple, China is making Apple work for the Chinese government. nytimes.com

In brief

Attacks, incidents & breaches

  • Bloomberg cites people ‘close to the matter’ and claims CNA Hardy paid $40M to ransomware group to restore systems, spokesperson says the firm “is not commenting on the ransom” bloomberg.com
  • Monday.com says source code was accessed in Codecov breach in SEC filing bleepingcomputer.com
  • Air India data breach sees 4.5M individuals names, dates of birth, passport and ticket information stolen bleepingcomputer.com
  • SolarWinds CEO apologises for an intern being blamed for the Orion breach, which may have begun as early as January 2019 therecord.media
  • Check Point identifies 23 Android apps exposing over 100 million users data through poor security practices therecord.media
  • Two Toyota subsidiaries in Japan and U.S. suffer ransomware attacks theregister.com
  • Doncaster-based insurer One Call victim of DarkSide ransomware, weeks after the group declared they were shutting up shop theregister.com

Threat intel

  • Brazilian Bizzaro banking trojan targeting European banks, using fake tax notifications to encourage users to install malware which disables browser autocomplete and captures multi-factor authentication codes zdnet.com
  • Stolen identities being ‘rented’ to gig economy workers that couldn’t pass background checks, 14 arrested vice.com
  • QLocker ransom group ‘shuts down’ after extoring hundreds of QNAP NAS users bleepingcomputer.com
  • Increasing number of ‘vishing’ attacks… but also, apparently Exchange Online Protection and Defender for O365 can be defeated by… calling yourself AMAZ0N (with a zero)?! zdnet.com
  • Emsisoft says some ransomware groups are ‘double encrypting’ victims, either side-by-side, hindering investigation and response, or encrypted files twice with different malware wired.com

Vulnerabilities

  • Four vulnerabilities in Android that give “complete control of the victim’s mobile [device]” are being exploited in the wild arstechnica.com
  • Party like it’s 1999: Proof of concept released for wormable IIS bug (CVE-2021-31166) but only applies to version of Windows/Server released in 2020 therecord.media

Security engineering

  • This weird trick may help protect you: in a move to try and avoid prosecution on home turf, many strains of ransomware will not encrypt devices with Russian, or other Commonwealth of Independent States (CIS) language packs installed
    krebsonsecurity.com
  • 1Password releases Linux client zdnet.com
  • User’s of Google Chrome’s password sync feature will soon be able to use its Duplex personal assistant to change passwords on selected websites techcrunch.com
  • Microsoft open-sources SimuLand, a virtualised lab environment to help teach adversary tradecraft and improve detection strategies microsoft.com

Infosec profession

  • CREST will not publish investigation into cheatsheet scandal theregister.com

Internet of Things

  • More than 1,000 computers visited watering hole targeting water treatment plants over a 58 day period, says Dragos investigating Oldsmar, FL incident(vol. 4, iss. 7) arstechnica.com

Privacy

  • Apple has worked hard to address privacy concerns in AirTags, however unintended consequences of the ‘last seen’ timestamp may allow people to track when you’re not at home vice.com
  • Data protection competency framework (H/T Phil) dataprotection.education

Public policy

  • U.K. government considering applying regulation to managed service providers, similar to those on critical infrastructure operators zdnet.com
  • EU extends sanctions on Russian, Chinese, North Korean cyber operatives for 12 months therecord.media
  • Japan to introduce cyber regulation on critical infrastructure sectors who must consider and address national security risks posed with using foreign equipment and services nikkei.com
  • U.S. senators reintroduce Social Media Privacy Protection and Consumer Rights Act, that would allow opt-out of tracking, require breach notification arstechnica.com

Law enforcement

  • Bloggers awarded $350K compensation after U.S. city sues them for ‘hacking’ Dropbox link that included files that hadn’t been reviewed in error arstechnica.com

Mergers, acquisitions and investments

  • API security company with ‘micro-firewall’ tech, 42Crunch, raises $17M series A funding techcrunch.com
  • Britive announces $10M funding round to automate multi-cloud privileged access management techcrunch.com

And finally

Technology Detection Dogs

The Australian Police Force is to spend AU$5.7M training furry additions to the force. The cyber canines will be trained to sniff out USB devices and SIM cards and help to bring cybercriminals and child sex offenders to justice. Check out good girl Georgia getting very excited at finding a mobile phone hidden in a vacuum cleaner in the Facebook video. theregister.com, fb.watch