This week
FCC revokes China Telecom license
The US Federal Communications Commission (FCC) voted unanimously this week to revoke China Telecom Americas’ license to operate. It’s the culmination of a request from the Department of Justice from April 2020 (vol. 3, iss. 15). The firm has 60 days to wind up its US operations and shut up shop.
The decision is driven by national security concerns, with the FCC review finding China Telecom “is subject to exploitation, influence, and control by the Chinese government and is highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight”.
Those national security concerns are driven by classified briefings from intelligence agencies that allege the state-owned telco can ‘access, store and disrupt’ US communications as part of espionage activities. BGP hijacking is also a concern (vol. 1), and back in 2019 China Telecom mis-advertised BGP routes that redirected European traffic through China.
China Telecom Americas customers are primarily the Chinese diaspora living in the US, however, the company also provides fixed-line services to Chinese government facilities, the likes of embassies, in the US.
theguardian.com, theregister.com
Interesting stats
1,000 US schools disrupted by 70 ransomware attacks so far in 2021, according to Emsisoft and Recorded Future vice.com
Other newsy bits
Minimum viable secure product
Google and Salesforce have released an open-source ‘minimum viable secure product’ standard. Building on the companies’ own work, and with backing from Okta, Slack and others, it aims to ‘establish minimum acceptable security baselines’.
The standard will be useful for software-as-a-service (SaaS) startups and businesses looking to make sure they have a decent set of baseline security controls in place, and is also intended to streamline procurement security conversations at businesses looking to buy such software.
Some good work here, check it out.
Long reads
ENISA Threat Landscape report
ENISA, the EU cyber security agency, has released its ninth threat landscape report that covers the period from April 2020 to July 2021. The report indicates that cyber threats are (unsurprisingly) on the rise, with ransomware ranking as the prime threat for this reporting period.
“In general, cybersecurity threats are on the rise. Spurred by an ever-growing online presence, the transitioning of traditional infrastructures to online and cloud-based solutions, advanced interconnectivity and the exploitation of new features of emerging technologies such as Artificial Intelligence (AI), the cybersecurity landscape has grown in terms of sophistication of attacks, their complexity and their impact.”
The Key Trends section is well worth a read, highlighting, amongst other things:
- Compromise through phishing e-mails, and brute-forcing on Remote Desktop Services (RDP) remain the two most common ransomware infection vectors.
- Malware targeting container environments has become much more prevalent, with novel evolutions like file-less malware being executed from memory.
- Business E-mail Compromise (BEC) has increased in volume, grown in sophistication and become more targeted.
In brief
Attacks, incidents & breaches
- Disruption for fuel at 4,000 petrol stations in Iran following a suspected cyber attack against payment infrastructure that prevented the sale of fuel ft.com
- Grief ransomware gang (linked to the sanctioned group EvilCorp) claims breach of US National Rifle Association (NRA) and lists them on leak site therecord.media
- A ‘cyber event’ at dairy company Schreiber Foods took plants and distribution centres offline over last weekend; the company will not comment on an alleged $2.5M ransom demand cyberscoop.com
- EU investigating an apparent leak of the private key used to generate digital Covid passports bleepingcomputer.com
- UK website Guntrader aims to avoid data breach lawsuits (vol. 4, iss. 30) as it calls in liquidators and director launches ‘Guntrader 2’ business theregister.com
Threat intel
- Microsoft says the Russian Nobelium (aka Cozy Bear) group has compromised 14 tech resellers, SaaS vendors and managed service providers in attempts to piggyback into customer networks, much like they did with the 2020 SolarWinds breach cyberscoop.com
- Conti ransomware group is advertising network access - unclear if that’s a step towards ‘closing down’, a move into becoming a network access broker, or something else. It’d be odd to advertise access to named companies as that would allow them to be alerted krebsonsecurity.com
- An increasing number of QR codes are being used in phishing emails to redirect users to malicious sites, according to Abnormal. This is interesting as the codes are likely to be scanned using a mobile device, restricting visibility of corporate endpoint telemetry cyberscoop.com
- UK telco sector industry groups warn of on-going DDoS extortion campaigns against voice-over-IP (VoIP) phone providers therecord.media
- Chaos ransomware being distributed as Minecraft ‘alt lists’ bleepingcomputer.com
Vulnerabilities
- Critical vulnerability in web comments service Discourse in versions before 2.7.8 could lead to remote code execution zdnet.com
- High severity issues in the API of the OptinMonster plugin for WordPress leak server info and API keys and allow the inclusion of malicious JavaScript code bleepingcomputer.com
- The ‘Shrootless’ vulnerability in macOS Big Sur and Monterey, now patched, would have given attackers elevated privileges during software installation therecord.media
Security engineering
- Free decryptors released for AtomSilo, Babuk and LockFile ransomware therecord.media
A couple of things on the NPM front this week…
- NPM package ua-parser-js, used to extract web browser information, compromised and used to deploy data-stealing and crypto-mining malware to unsuspecting software developers theregister.com
- Copycat typo-squatting NPM packages for Roblox include password stealer and ransomware bleepingcomputer.com
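Both NPM items above come down to dependency hygiene: a lookalike package name slipping into a manifest, or a floating version range pulling in a compromised release of a legitimate package automatically. The following is an added example written for this newsletter, not code from the newsletter or from any of the projects mentioned. It assumes a constructed allowlist of package names (`KNOWN_PACKAGES`) and a constructed `package.json`; it flags dependencies whose names are within a short edit distance of an allowlisted package and dependencies that are not pinned to an exact version.

```javascript
// Added example (not from the newsletter or any project it mentions): a small
// dependency-hygiene check for an npm manifest. It reports dependency names that
// sit within a short edit distance of a well-known package (possible typosquats)
// and dependencies declared with floating version ranges.

// Constructed allowlist of well-known package names; in practice this would be
// the set of packages the organisation has actually reviewed and approved.
const KNOWN_PACKAGES = ['ua-parser-js', 'lodash', 'express', 'noblox.js'];

// Classic Levenshtein edit distance (insert / delete / substitute, each cost 1).
function levenshtein(a, b) {
  const rows = a.length + 1;
  const cols = b.length + 1;
  const d = Array.from({ length: rows }, (_, i) => {
    const row = new Array(cols).fill(0);
    row[0] = i;
    return row;
  });
  for (let j = 0; j < cols; j++) d[0][j] = j;
  for (let i = 1; i < rows; i++) {
    for (let j = 1; j < cols; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[rows - 1][cols - 1];
}

// Returns [{ name, lookalike, distance }] for dependencies that are NOT on the
// allowlist but are within maxDistance edits of something that is.
function findTyposquats(dependencies, known = KNOWN_PACKAGES, maxDistance = 2) {
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    if (known.includes(name)) continue; // exact allowlisted name, nothing to report
    let best = null;
    for (const candidate of known) {
      const distance = levenshtein(name, candidate);
      if (distance <= maxDistance && (best === null || distance < best.distance)) {
        best = { name, lookalike: candidate, distance };
      }
    }
    if (best) findings.push(best);
  }
  return findings;
}

// Exact semver triple such as "1.2.3"; anything else (^, ~, *, ranges, tags,
// URLs) is treated as floating and reported.
const EXACT_VERSION = /^\d+\.\d+\.\d+$/;
function findFloatingVersions(dependencies) {
  return Object.entries(dependencies)
    .filter(([, spec]) => !EXACT_VERSION.test(spec))
    .map(([name, spec]) => ({ name, spec }));
}

// Constructed sample manifest: one lookalike name and two floating ranges.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  dependencies: {
    'ua-parser-js': '0.7.28',
    lodash: '^4.17.21',
    nobloxjs: '1.0.0',
    express: '4.17.1',
    'left-pad': '~1.3.0',
  },
});

// Parses a package.json string and runs both checks over its dependencies.
function auditManifest(jsonText) {
  const manifest = JSON.parse(jsonText);
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  return { typosquats: findTyposquats(deps), floating: findFloatingVersions(deps) };
}

console.log(JSON.stringify(auditManifest(SAMPLE_PACKAGE_JSON), null, 2));
```

On the sample manifest this reports `nobloxjs` as one edit away from `noblox.js`, and `lodash` and `left-pad` as floating ranges. An edit-distance heuristic produces false positives for genuinely similar names, so the output is a review queue for a human, not an automatic block; pairing it with a lockfile and exact pins is what actually stops an unexpected release being installed.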
Internet of Things
- Industrial goods and services firms most heavily targeted by ransomware groups, says Digital Shadows zdnet.com
Privacy
- Useful info in FBI document shows how law enforcement goes about obtaining geolocation data from telcos and how long they retain different types of customer data vice.com
Public policy
- Release the hounds: GCHQ may use UK’s new National Cyber Force to “go after” ransomware gangs, says head Sir Jeremy Fleming ft.com, theguardian.com
Regulatory
- Cyberspace Administration of China (CAC) issues draft guidelines on new rules requiring ‘Measure for Data Export Security Assessments’ from companies with more than 1 million Chinese users, dropping to 100,000 users for personal data, and 10,000 users where sensitive information is involved therecord.media
Law enforcement
- German law enforcement identify core REvil gang member posing as a crypto-currency investor bleepingcomputer.com
- Russian national Vladimir Dunaev, extradited from South Korea, appeared in federal court facing fraud, money laundering and identity theft charges for his alleged role in the TrickBot malware operation cyberscoop.com
- Europol announced the arrest of 12 people believed to be behind LockerGoga, MegaCortex and Dharma ransomware attacks that claimed 1,800 victims, including Norsk Hydro bleepingcomputer.com
Mergers, acquisitions and investments
- UK-based supply chain security start-up Risk Ledger has closed a £2.1M seed round. Massive congratulations to Haydn and the RL Team! forbes.com
- Industrial cyber security firm Dragos raises $200M Series D on $1.7B valuation techcrunch.com
- Singtel sells off SecureTrust (the PCI part of security business Trustwave) to Sysnet Global Solutions for $80M as ‘first step’ in a strategic review of the Trustwave cyber business that will focus on managed detection and response zdnet.com
And finally
Smart meter security
No.
Thanks, @cabe_bedlam