Robin’s Newsletter #178

14 November 2021. Volume 4, Issue 46
The balance of public/private responsibility for cyber security. FBI app sends spoof emails. Learning from how the aviation sector handles incidents.

This week

Finding the right balance between public and private cyber security responsibility

Good perspective from the ex-NCSC head, Ciaran Martin, on the importance of finding the right balance between public and private responsibility for preventing cyber-attacks.

When Colonial Pipeline was hit, it wasn’t the pipeline controls that were hacked but the company’s corporate systems. It was the company, not the hackers, who shut down the pipeline, apparently because it could not run its services profitably because of the damage done to its business processes. This was a decision that the company was perfectly entitled to take. But while it did not consult the US government beforehand, it fell to the US government to deal with the fallout.

I often use a physical security analogy with clients: you’d put locks on your door to deter (and prevent) criminals, but wouldn’t stand up a private police force or armed forces: that’s why you pay your taxes. It can’t be solely down to organisations (and individuals!)

@ciaranmartinoxf, prospectmagazine.co.uk

Interesting stats

$6,312,190 the average ransom paid by US ransomware victims, $850,000 (~£630K) average paid by UK victims, according to Mimecast zdnet.com

271,768x more malicious domains per capita for .tk (Tokelau) than .de (Germany) domains - plus some other interesting titbits on which country-code top-level domains are being used for phishing, C2, etc. - according to Palo Alto Networks paloaltonetworks.com

Other newsy bits

FBI web app compromised, used to send fake emails

Thousands of emails were sent from an official fbi.gov email address this week after a vulnerability in a web app was exploited. The messages warned recipients that FBI monitoring indicated “exfiltration of several of your virtualised clusters,” amongst other nonsense. The perpetrator contacted Brian Krebs to explain how they had gained access, saying they had intentionally made the messages unbelievable while drawing attention to the system’s vulnerabilities. The offending application has been taken offline.

krebsonsecurity.com

Law enforcement action against REvil ransomware group

It’s been a bad week to be part of REvil, as global law enforcement took action against a series of members and affiliates, in moves that show there are consequences to cybercrime wired.com:

  • Two suspected REvil affiliates were arrested by Romanian law enforcement, and a further four suspected associates of the predecessor group, GandCrab, were scooped up by authorities in Kuwait bleepingcomputer.com
  • The US Department of Justice also charged a Ukrainian national, who was arrested entering Poland, for their involvement with REvil. DoJ also announced they had recovered over $6M cryptocurrency from another REvil partner ft.com

Thoughtful things

  • Adapting aviation safety models to cyber and the need for a ‘cyber safety review board’ like the NTSB belfercenter.org
  • On the ethics of publishing offensive security tools (h/t Nick) @chrissanders88
  • Some good advice from Sean Gallagher at Ars Technica on improving your security and reducing your digital footprint part 1, part 2
  • Research on the robustness of client-side scanning algorithms (such as Apple’s proposed child sexual abuse material (CSAM) detection feature) found that images could be modified to avoid being flagged 99.9% of the time while remaining visually similar to the original to the human eye usenix.org

In brief

Attacks, incidents & breaches

  • European electronics retailer MediaMarkt, which has 1,000 stores and 53,000 employees in 13 countries, has fallen victim to a ransomware attack, with the ‘Hive’ group demanding an initial $240M payment to restore systems bleepingcomputer.com
  • Files belonging to customers of UK data storage company Stor-a-File have turned up online after a ransomware attack in August that exploited a vulnerable version of the Serv-U FTP server theregister.com
  • ‘Upgrade’ to Brittany Ferries website introduced “a fault in the authentication process” meaning you could log in to an account without the correct password theregister.com
  • The Toronto Transit Commission, which operates the city’s bus, subway and streetcar systems, confirmed a data breach in which 25,000 employee names, addresses and social insurance numbers were stolen as part of a ransomware attack techcrunch.com
  • Telnyx is the latest to be hit by DDoS attacks in a campaign targeting VoIP telephony providers bleepingcomputer.com
  • An ‘access key’ (potentially for an S3 storage bucket) for HPE’s Aruba Central network monitoring platform was in attackers’ hands for 18 days, allowing access to network analytics and contact tracing datasets bleepingcomputer.com
  • Card skimming devices found on point of sale terminals at some Costco locations in the US zdnet.com

Threat intel

  • China made a rare public statement that several Chinese airlines had been compromised in 2020. Travel companies (airlines, hotels, etc.) are popular targets for intelligence agencies, like… therecord.media
  • Booking.com, which Dutch journalists alleged was compromised by an attacker with links to American intelligence, but which didn’t notify regulators theregister.com
  • Chinese-speaking attackers are targeting Zoho’s ManageEngine to steal passwords and gain onward access into networks theregister.com
  • Spyware campaign targeting South Korean residents, dubbed PhoneSpy, hides behind apparently legitimate lifestyle apps and uses social engineering to get Android users to sideload them techcrunch.com
  • North Korea’s Lazarus group targeting security researchers with a trojanised version of the IDA Pro reverse engineering software bleepingcomputer.com
  • SMS ‘fraud alerts’ being used as a pretext for voice phishing attacks against banking customers krebsonsecurity.com
  • BazarBackdoor phishing emails seen using Windows 10 App Installer links and forged certs to deploy malware zdnet.com
  • Google’s Threat Analysis Group found a suspected state-backed group targeting Hong Kong pro-democracy supporters with a macOS 0-day vice.com

Vulnerabilities

  • Microsoft urges quick patching of on-prem Exchange 2016 and 2019 for a vulnerability that may allow attackers to circumvent multi-factor authentication zdnet.com
  • #InfosecDrama: Randori discovered, then sat on, a 0-day exploit in Palo Alto Networks’ GlobalProtect VPN for 12 months (while using it in penetration tests — dick move!) zdnet.com, then there was lots of backlash from the community zdnet.com; however, throughout it all (and the ridiculous disclosure timeline) it appears that the underlying vulnerability was fixed in PAN-OS version 8.1.17, which became the ‘preferred release’ on 8th October 2020, prior to Randori’s research @JimSycurity, paloaltonetworks.com

Internet of Things

  • NCSC has posted five questions critical national infrastructure (CNI) providers should ask when securing internet-facing services ncsc.gov.uk
  • ‘NUCLEUS:13’ set of vulnerabilities disclosed by Forescout and Medigate Labs in Siemens software that runs medical devices therecord.media
  • Attackers swam around the network of Sunwater, a water company in Queensland, Australia, for nine months abc.net.au

Privacy

  • Facebook will stop allowing adverts to be targeted based on race, sexual orientation and politics arstechnica.com

Public policy

  • In a move to ‘strengthen engagement on cyber issues’ (and presumably part of a charm offensive to rebuild relations with France after poaching an Australian nuclear submarine deal from them), the US has signed on to the Paris Call for Trust and Security in Cyberspace (vol. 1, iss. 22), which was announced in 2018 theregister.com
  • The Ransomware and Financial Stability Act (H.R.5936) bill was introduced in the US Congress; if passed it would require US financial institutions to privately notify the US Treasury of ransomware payments, amongst other requirements threatpost.com

Law enforcement

  • More info on Interpol’s Operation Cyclone that led to the arrest of six Ukrainian nationals behind the Clop/Cl0p ransomware group earlier this year (vol. 4, iss. 25) bleepingcomputer.com
  • Aleksandr ‘King of Fraud’ Zhukov has been sentenced to 10 years in prison for defrauding US advertising companies out of $7M in pay-per-view/pay-per-click scams cyberscoop.com

Mergers, acquisitions and investments

  • Consortium of investors plans to acquire McAfee and take it private for $14B, a 22.6% premium over its closing share price techcrunch.com

And finally

“Help me!”

“That feeling when you underestimate a threat actor.” Pumba is not to be messed with!

@LisaForteUK

Robin