This week
30 countries discuss ransomware threat in White House-organised virtual meetings
The White House convened a summit of over 30 countries this week to discuss how to tackle the threat of ransomware. Taking place as a series of virtual meetings over two days, participants agreed that ransomware is an “escalating global security threat with serious economic and security consequences.”
No formal treaty resulted from the meetings, though the UK, Australia, India and Germany will lead working groups to better co-ordinate and tighten the international response to ransomware. Action will be taken to “inhibit, trace, and interdict ransomware payment flows, consistent with national laws and regulations,” in the hope of disrupting the ability of cybercriminals to profit from their activities.
The ransomware problem has increasingly been likened to modern-day piracy. Efforts are needed to ensure that ‘safe harbours’ are not available for ransomware gangs to operate from. Part of that will involve a coordinated diplomatic response “to states whenever they do not address the activities of cybercriminals,” according to a statement released after the summit.
This kind of global cooperation and coordination is a welcome step towards a consistent response to, and disruption of, cyber criminals: a problem that needs to be tackled at the highest levels, rather than left to individual businesses alone.
The meetings involved representatives from Australia, Brazil, Bulgaria, Canada, Czech Republic, Dominican Republic, Estonia, France, Germany, India, Ireland, Israel, Italy, Japan, Kenya, Lithuania, Mexico, the Netherlands, New Zealand, Nigeria, Poland, the Republic of Korea, Romania, Singapore, South Africa, Sweden, Switzerland, Ukraine, the United Arab Emirates and the United Kingdom. The European Union was also represented.
Russia and China were notably absent from proceedings.
npr.org, washingtonpost.com, ft.com
Interesting stats
2.4Tbps distributed denial-of-service attack mitigated in August, stemming from a 70,000-strong botnet, mainly based in the Asia-Pacific region, according to Microsoft therecord.media
1 in 15 SolarWinds users are still running a version that is being actively exploited, according to Randori zdnet.com
95% of ransomware targets Windows, according to an analysis of samples uploaded to VirusTotal over the last eighteen months theregister.com
518% increase in ransom demands in the first six months of 2021, compared to 2020, $5.3M average demand, with $570,000 the average payment, according to Palo Alto cyberscoop.com
Meanwhile… $5.2B of Bitcoin transactions have been tied to ransomware payments by the US Treasury, from over 2,000 Suspicious Activity Reports (SARs) filed over the last 10 years therecord.media
Other newsy bits
Bugs In Our Pockets: Client-side content scanning violates data privacy and is a form of mass surveillance, say experts
A group of leading experts has warned against the adoption of ‘client-side scanning’ (CSS), such as Apple’s controversial proposed child sexual abuse material (CSAM) detection functionality (vol. 4, iss. 32).
The ‘who’s who’ of cryptographers, including Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Jon Callas, Whitfield Diffie, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Vanessa Teague, and Carmela Troncoso, argue that “CSS neither guarantees efficacious crime prevention nor prevents surveillance.”
Of particular note is the historic inability of private companies, such as Apple, to resist the pressures and legal requirements of governments in the countries where they operate. The location of Chinese citizens’ data and the removal of the ‘Navalny’ app in Russia are two examples cited.
“[Device scanning] makes what was formerly private on a user’s device potentially available to law enforcement and intelligence agencies, even in the absence of a warrant,” — Whitfield Diffie
The paper identifies technical ways in which CSS can fail and be evaded and expands on the ways in which it may be abused by authorities to be repurposed as a mass surveillance tool.
Ultimately the paper concludes that CSS is much more privacy-invasive than weakened encryption that would require the use of targeted warrants.
El Reg’s write-up, and the executive summary of the paper, are well worth a read.
theregister.com, ft.com, arxiv.org (paper)
In brief
Attacks, incidents & breaches
- Four-hour outage of NHS vaccine passport system left travellers stuck in airports arstechnica.com
- Axosoft’s GitKraken service generated duplicate SSH key pairs: GitHub, Bitbucket, GitLab and Microsoft have all revoked the insecure keys therecord.media
- 26-year-old allegedly stole credentials and used them to delete and alter maintenance information at a Florida flight school, marking planes as ‘airworthy’, in an apparent attempt to get back at a former employer vice.com
- Olympus takes its network offline in response to its second incident in as many months (vol. 4, iss. 38) bleepingcomputer.com
- OVH, the third-largest hosting provider in the world, experienced downtime after a router misconfiguration during planned maintenance (echoes of Facebook’s recent outage here) bleepingcomputer.com
- Misconfigured ElasticSearch server leaked 1.75 billion sensitive files belonging to Brazilian e-commerce platform Hariexpress zdnet.com
- Taiwanese electronics company Acer has suffered an ‘isolated attack’ resulting in a breach of after-sales service systems in India, with 60GB of data being stolen, including details of 10,000 customers and 3,000 distributors and retailers bleepingcomputer.com
- Verizon-owned mobile operator Visible confirms widespread credential stuffing attack against its users theverge.com
- Thingiverse, a 3D printing site, breached and details of 228,000 users compromised theregister.com
Threat intel
- Cybersecurity and Infrastructure Security Agency (CISA) alert on the threat to US water and sewerage systems cisa.gov
- Fox-IT report on the ‘SnapMC’ group, which exploits a vulnerability in the Telerik ASP.NET framework and conducts a 30-minute smash-and-grab on data before demanding a ransom not to release the files therecord.media
- ‘FontOnLake’ malware targeting Linux systems, according to ESET zdnet.com
- Romance scams are targeting users on dating sites, then encouraging them to install fake crypto investment apps that steal their money and personal data cyberscoop.com
- Imperva claims an ad-blocking Chrome extension blocks ads as advertised, then injects its own ads in their place theregister.com
- Clipboard hijacking malware ‘MyKings’ alters cryptocurrency addresses to siphon off funds, and has netted almost $25M, according to Avast therecord.media
- A group dubbed MirrorBlast is targeting financial services firms with macro-laden Excel files, according to Morphisec bleepingcomputer.com
- Twitter suspends accounts tied to North Korean attempts to catfish security researchers therecord.media
Vulnerabilities
- LibreOffice and OpenOffice vulnerability patched that allowed document signatures to be forged bleepingcomputer.com
- 71 vulnerabilities, including 4 zero-days, fixed in Microsoft’s October Patch Tuesday zdnet.com
- New side-channel attacks found against AMD CPUs that are similar to the Meltdown vulnerabilities from 2018 (vol. 2, iss. 20) therecord.media
Privacy
- Potential $42M fine heading Facebook’s way for GDPR violations, but rights group accuses Irish Data Protection Commission (DPC) of allowing Facebook a “consent bypass” by labelling their agreement with their users a contract, rather than consent, under GDPR zdnet.com
- 7-Eleven breached Australian data privacy laws by collecting and retaining faceprints of respondents during market research survey, finds Office of the Australian Information Commissioner (OAIC) zdnet.com
Public policy
- US federal agencies were ordered to give CISA access within 90 days to endpoint detection platforms to improve security efforts across government. CISA is also to produce a maturity model for agencies to baseline and implement improvements against cyberscoop.com
- Sticking with the US government, the White House plans to shift agencies from SMS and app-based multi-factor authentication to hardware keys in efforts to prevent phishing vice.com
- Australian government to introduce new legislation and stand-alone offences for cyber extortion, targeting critical infrastructure, stealing data, dealing with stolen data, and buying/selling malware theguardian.com
Regulatory
- LinkedIn to pull their main app from China, due to ‘challenging’ regulatory environment therecord.media
Mergers, acquisitions and investments
- Cambridge University calls off £400M deal with the United Arab Emirates citing concerns over Pegasus spyware theguardian.com
- Evolution Equity Partners closes new $400M fund focussed on cyber security techcrunch.com
Partnerships, rather than M&A, but Google has been striking deals:
- Announces Cybersecurity Action Team and involvement of CrowdStrike and Palo Alto to provide blueprints for business customers looking to secure their environments zdnet.com
- With Cybereason on an initiative to improve cloud XDR (Extended Detection and Response) zdnet.com
And finally
YoU WouLdn’T ViEW soURcE a WEbsItE
Missouri governor, Mike Parson, united the infosec community this week with an absurd statement that a journalist was a ‘hacker’ worthy of prosecution for reporting that social security numbers of teachers had been leaked in the HTML source code of a state website.
Apparently right-clicking, view source (sorry, a “multi-stage process”) to look at the data (sorry, “decode the HTML”) transmitted by a web server to your browser is a computer crime.
Smashing F12 aside, I noticed a couple of interesting things from Governor Parson’s tweet:
- The Missouri Highway Patrol has a digital forensic unit
- They are best placed to investigate this type of computer crime in Missouri
Glad we cleared that up. Swift on Security won the internet for their response.
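The Missouri item above turns on a simple point: anything a web server puts in a page, including hidden form fields and HTML comments, is transmitted to the browser and can be read by the person sitting in front of it. The check below is an added example, not from the newsletter or the Missouri state site, written from the defender’s side: it runs over a constructed sample page (the HTML and the numbers in it are made up) and reports every SSN-shaped value the response would hand to the client, wherever it sits in the markup. The plausibility rules (no 000, 666 or 9xx area numbers, no all-zero group or serial) are the standard SSA assignment rules and are there to cut false positives from things like form IDs; the function and class names are the example’s own.

```python
import re
from html.parser import HTMLParser

# Constructed sample response (not a real page): a lookup page that embeds a
# full SSN in a hidden input and in a debugging comment. Neither is rendered,
# but both are part of the bytes the server sends to the browser.
SAMPLE_HTML = """
<html><body>
<h1>Educator credential lookup</h1>
<p>Name: J. Example</p>
<input type="hidden" name="ssn" value="219-09-9999">
<!-- debug: record 457-55-5462 loaded from db -->
<p>Last four: ***-**-9999</p>
<p>Form ID: 000-12-3456</p>
</body></html>
"""

# Matches the canonical AAA-GG-SSSS layout; plausibility is checked separately.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply SSA assignment rules to reject numbers that can never be issued."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


class _ResponseCollector(HTMLParser):
    """Collect every fragment the client receives: visible text, attribute
    values and comments. The browser renders only the first; a reader of the
    page source sees all three."""

    def __init__(self) -> None:
        super().__init__()
        self.fragments: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value:
                self.fragments.append((f"attr:{name}@{tag}", value))

    def handle_data(self, data):
        if data.strip():
            self.fragments.append(("text", data))

    def handle_comment(self, data):
        self.fragments.append(("comment", data))


def find_ssn_leaks(html: str) -> list[tuple[str, str]]:
    """Return (location, value) for every plausible SSN in the served HTML.

    Intended as a pre-release or CI check over rendered templates, so that
    'hidden' never gets mistaken for 'not transmitted'.
    """
    collector = _ResponseCollector()
    collector.feed(html)
    hits = []
    for where, fragment in collector.fragments:
        for match in SSN_RE.finditer(fragment):
            if is_plausible_ssn(*match.groups()):
                hits.append((where, match.group(0)))
    return hits


if __name__ == "__main__":
    for where, value in find_ssn_leaks(SAMPLE_HTML):
        print(f"SSN transmitted to client in {where}: {value}")
```

Run against the sample, the check reports the hidden input value and the comment, ignores the masked last-four display, and discards the 000-prefixed form ID as not a valid SSN. Pointing the same function at the HTML your templates actually emit (fetch it with the test client of your framework, or with curl in a pipeline step) gives a cheap guard against exactly the class of disclosure the Missouri site suffered.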