Robin’s Newsletter #180

28 November 2021. Volume 4, Issue 48
Big penalties associated with UK's IoT security legislation. Tardigrade malware targeting biomanufacturing. Data breach of 1.2M GoDaddy customer details. Lloyd's insurance policy wording on cyber war.

This week

UK ‘IoT security’ bill introduced

The ‘Product Security and Telecommunication Infrastructure Bill’ was introduced to the UK’s House of Commons this week. The legislation, similar to California’s SB-327 IoT cybersecurity law, sets requirements on device manufacturers that “better protects citizens, networks and infrastructure against the harms enabled through insecure consumer connectable products,” alongside 5G and gigabit broadband rollouts.

The ‘product security’ part of the bill takes aim at the vendors of smart devices, such as baby monitors and smart speakers, where apparently only one-in-five manufacturers embed basic security practices into their products. Apparently, the average UK household now has nine such smart devices, meaning almost two of them aren’t up to scratch.

If passed, it will grant ministers the power to specify minimum security protections for consumer products, require manufacturers, importers and distributors to comply with the regulations, and enforce penalties where these are not followed.

There are three rules laid out:

  • unique, device-specific passwords (rather than generic, shared defaults)
  • disclosure of the minimum support period during which security updates will be provided
  • a public point of contact for vulnerability disclosure reporting

And the penalties, on paper at least, are quite substantial (and may sound familiar!): up to £10M, or 4% of global turnover, plus £20,000 per day for ongoing contraventions.

bbc.co.uk, theregister.com, gov.uk

Interesting stats

77% of brute force password attacks use passwords of 1-7 characters, with only 6% using more than 10 characters, says Microsoft, which also reports a 325% increase in attacks against RDP servers in the year to September 2021 therecord.media

The second Decrypting Diversity report from NCSC and KPMG in the UK is out…

  • 36% female (2020: 31%)
  • 8% Asian/Asian British (2020: 6%)
  • 3% Black/African/Caribbean/Black British (2020: 4%)
  • 10% identify as LGB (UK average: 2.2%)
  • ~1% of respondents are trans or non-binary (UK: ~1%)
  • 25% report a disability (UK: 20%)
  • 19% are neurodivergent (UK: 10%)

… there is also lots of other data on inclusivity, incidents and related topics that make it worthy of a read and reflection ncsc.gov.uk (PDF)

80% of 320 honeypots were compromised within 24 hours, according to Palo Alto Networks bleepingcomputer.com

Other newsy bits

Tardigrade malware targets biomedical and manufacturing facilities

Lily Hay Newman has a write up of this interesting new malware for Wired. Researchers at BioBright discovered the malware while investigating a ‘halfhearted’ ransomware attack on a facility earlier this year. They found it to be far more sophisticated and complex than traditional ransomware, with complex covert command and control built-in, as well as the ability to fall back on predefined activities if it is unable to phone home for further instructions.

Dubbed ‘Tardigrade’ for its ability to withstand extremes, the malware is ‘actively spreading’ through the biomanufacturing industry via phishing attacks, though it is also capable of infecting USB sticks or self-propagation across networks.

Industry body BIO-ISAC is sharing details of the malware, which is presumably linked to state-sponsored espionage, though no attribution is made. While espionage makes sense, it’s also unclear as to why a noisy ransomware attack would have been used that inherently draws attention to the malware.

wired.com

GoDaddy data breach exposes over 1M accounts

GoDaddy warned in an SEC filing this week that it has suffered a data breach that may have exposed the details of 1.2M customers. The breach occurred on 6th September 2021 and was discovered last week on 17th November.

The affected users are all customers of GoDaddy’s managed WordPress services, and their email addresses and customer numbers were breached, with active customer SFTP credentials and database passwords being exposed. In some cases, the SSL private keys for HTTPS certificates were also compromised.

While it’s bad for individual users, the wholesale compromise of 1.2M sites like that could be a substantial boon to cybercriminals looking to manipulate SEO rankings, host phishing lures, or deploy cryptominers.

techcrunch.com, theregister.com

Lloyd’s releases insurance policy language on cyber warfare

Lloyd’s Market Association, the part of the Lloyd’s insurance marketplace tasked with identifying and resolving issues of ‘particular interest to the community’, has published clauses for underwriters to use as part of cyber insurance policies. The clauses provide standard language covering instances of overt war and other nation-state cyber operations. Attribution is included (and obviously needed if you’re going to discern what is, or isn’t, ‘war’): this is primarily based on the determination of the government of the state where the targeted systems are located, but otherwise the burden falls to the insurer itself.

lmalloyds.com, @JohnHultquist

Long reads

Nigerian cybercrime

This is well worth a read: an interview and context behind how people in Nigeria, where 40% are below the poverty line and inflation is at 17%, are getting caught up in cybercrime. Domestic events and policies can have consequences on the global stage therecord.media

Learning lessons from lawsuits

We’re approaching a year on from the SolarWinds breach and little is known about its causes. As an investor lawsuit progresses, Josephine Wolff looks at what it might tell us, and how it may set a precedent for other breaches.

therecord.media

In brief

Attacks, incidents & breaches

  • Vestas Wind Systems, which manufactures, installs and services wind turbines, suffered an incident affecting ‘all parts’ of its IT infrastructure but refused to be drawn on whether it is ransomware or not theregister.com
  • US-based education software vendor SmarterSelect has exposed the details of 1.2M students after leaving over one terabyte of data in a misconfigured Google Cloud Storage bucket techcrunch.com
  • Problem with access control servers at Singapore’s DBS Bank left customers unable to access online and mobile banking for two days zdnet.com
  • IKEA employees are being targeted with ‘reply-chain’ phishing emails coming from compromised internal addresses of other group companies and business partners bleepingcomputer.com

Threat intel

  • RATDispenser uses a double file extension to trick users into running JavaScript that installs a remote access trojan, says HP therecord.media
  • Apps downloaded 9.3M times from the Huawei App Gallery contained a malicious data-collection library therecord.media
  • Cloned sites and Discord channels used to target NFT and DeFi communities in a campaign aimed at stealing cryptocurrency and digital assets bleepingcomputer.com
  • 86% of fifty recent compromises of Google Cloud instances were used to run crypto mining software, according to Google theguardian.com
  • CronRAT, with links to MageCart attacks against eCommerce sites, hides itself in Linux’s crontab, scheduled to run on 31st of February bleepingcomputer.com
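The CronRAT item above relies on a quirk of cron: the day-of-month and month fields are validated independently, so a schedule such as 31st February is accepted but never fires, leaving the entry in place as a storage location rather than a scheduled job. The following is an added example, not code from the newsletter or from any of the linked reports, of a defender-side check that parses crontab entries and flags those whose day/month combination cannot occur. The sample crontab is constructed for the example; paths in it are invented.

```python
import re

# Maximum day of each month. February uses 29 so that leap-year dates are not flagged.
DAYS_IN_MONTH = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
                 7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}
MONTH_NAMES = {name: i for i, name in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}


def _num(token, names=None):
    """Turn a single cron token ("5", "feb") into an int."""
    token = token.strip().lower()
    if names and token[:3] in names:
        return names[token[:3]]
    return int(token)


def expand_field(field, lo, hi, names=None):
    """Expand one cron field ("*", "1,15", "1-5", "*/10", "feb") into the set of ints it covers."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_str = part.split("/", 1)
            step = int(step_str)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = _num(a, names), _num(b, names)
        else:
            start = _num(part, names)
            end = hi if step > 1 else start   # "5/10" means "from 5 to the end, every 10"
        values.update(range(start, end + 1, step))
    return values


def impossible_schedule(line):
    """True if the entry's day-of-month/month combination can never occur on any calendar."""
    fields = line.split(None, 5)
    if len(fields) < 6:
        return False
    _minute, _hour, dom, month, dow, _cmd = fields
    # In Vixie cron, when both day-of-month and day-of-week are restricted the job
    # runs when EITHER matches, so such entries may still fire; skip them.
    if dow != "*":
        return False
    days = expand_field(dom, 1, 31)
    months = expand_field(month, 1, 12, MONTH_NAMES)
    return not any(d <= DAYS_IN_MONTH[m] for d in days for m in months)


def find_dead_entries(crontab_text):
    """Return (line_number, line) for every entry whose schedule can never trigger."""
    hits = []
    for lineno, raw in enumerate(crontab_text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks, comments, @reboot-style entries and KEY=VALUE environment lines.
        if not line or line.startswith("#") or line.startswith("@") or re.match(r"^\w+=", line):
            continue
        if impossible_schedule(line):
            hits.append((lineno, line))
    return hits


# Constructed sample crontab for this example; it is not a real capture and the paths are invented.
SAMPLE_CRONTAB = """\
# constructed sample crontab, not a real capture
SHELL=/bin/sh
0 2 * * * /usr/local/bin/backup.sh
15 3 29 2 * /usr/local/bin/leap-check.sh
52 6 31 2 * /var/tmp/.cache/update
0 0 31 4,6 * /opt/report/run
0 0 31 2 1 /opt/monday/run
"""

if __name__ == "__main__":
    for lineno, entry in find_dead_entries(SAMPLE_CRONTAB):
        print(f"line {lineno}: schedule can never fire -> {entry}")
```

Run against the sample, the check reports lines 5 and 6 (31st February, and 31st April/June) while leaving the valid 29th February job and the weekday-restricted entry alone. To use it on a host, feed it the output of `crontab -l` for each user plus the files under `/etc/cron.d`; an entry that can never run has no legitimate reason to exist and is worth inspecting.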

Vulnerabilities

  • MediaTek digital signal processor, used in audio chips of over 1/3 of (often low-to-mid-end Android) smartphones can be turned ‘into an eavesdropping bug’ theregister.com
  • Apple has filed a lawsuit against NSO Group to “prevent further abuse and harm to its users” with reasoning similar to Facebook’s filing last year (vol. 2, iss. 44): that NSO misused its services to hack customer devices techcrunch.com Meanwhile, Moody’s now ranks NSO Group’s debt eight levels below ‘investment grade’, meaning it is at high risk of defaulting on $500M of loans ft.com
  • Over 1,000 arrested in an Interpol-coordinated operation between June and September this year, which intercepted $27M and seized 2,350 bank accounts linked to romance scams, business email compromise and other forms of cybercrime bleepingcomputer.com

Mergers, acquisitions and investments

  • Schwarz Group, the retail group that owns Lidl, has acquired XM Cyber for $700M to bolster digital security with the rise of online shopping within the portfolio techcrunch.com

And finally

On the subject of threat intel

For Brad…

A man sits behind a desk with a sign reading “Threat Intel is Cyber Security TMZ. Change my mind.” (source: VX Underground)

🙃

Robin
