Robin’s Newsletter #208

12 June 2022. Volume 5, Issue 24
LockBit distances themselves from Conti. Round-up from RSA Conference 2022. And 'predicting thunderstorms not lightning strikes'.

Cydea is expanding and we’re looking for a Senior Cyber Risk Consultant to join our team 🚀 More info and apply here. We’re also looking for a developer to help build our app, if you know anyone that’d be interested. And if you’re interested in either role, drop me an email: [email protected]!

This week

  • LockBit doesn’t appear to have compromised Mandiant; it was just trying to get your attention to let you know that it has nothing to do with (the sanctioned group) Conti

  • RSA Conference: Anton Chuvakin’s musings from walking the industry show’s expo halls in San Francisco this week

  • Plus a round-up of news from El Reg, including more on ‘secret’ agents being installed on cloud customers’ virtual machine images by Microsoft, Amazon and Google (think OMIGOD last year; vol. 4, iss. 38)

In brief

  • French authorities believe the widespread severing of fibre optic cables in April (vol. 5, iss. 18) to be the work of ‘radical ecologists’ who ‘oppose the digitalisation of society’

  • Palermo, Italy’s fifth-largest city and home to 1.3 million people, has shut down systems following a suspected ransomware attack impacting police, traffic and tourism, among other civic services

  • Threat intelligence firm KELA says that ransomware attacks in Q1 2022 were down 40% compared to Q4 2021, observing an average of 232 attacks per month

  • Less than 25% of NetWalker ransomware victims reported their incidents, says the FBI, following their takedown of the group that gave insights into the criminal enterprise. There are lots of other interesting data points and insights in this writeup by Jonathan Greig

  • More surveillance than cyber: the US Secret Service ordered two of the travel industry’s global distribution system (GDS) providers (who facilitate the booking of flights, hotel rooms, etc) to monitor for bookings made in the name of a Russian cybercriminal so they could circumvent Moscow’s anti-extradition policy, and arrest him when he left Russia

  • The new ‘WannaFriendMe’ ransomware strain is selling its decryptor via the game Roblox’s marketplace

  • The ‘Follina’ exploit in Windows (CVE-2022-30190, a flaw in the Microsoft Support Diagnostic Tool that can be triggered from Office documents) is being used to spread Qbot malware

  • The Emotet botnet has gained a module specifically targeting the theft of credit cards saved in Google’s Chrome web browser

  • Russia threatens ‘direct military clash’ over cyber attacks, says Reuters, following a defacement of a Russian government website to read ‘Glory to Ukraine’ last weekend

  • Researchers at BlackBerry (with Intezer) have released info on a strain of stealthy Linux malware, dubbed Symbiote, found targeting financial institutions in Brazil. Rather than running as a process of its own, it is loaded into every process on the host via LD_PRELOAD and hooks library functions to hide its files and its network traffic, including from packet capture tools

  • Researchers at MIT have identified a hardware vulnerability in Apple’s M1 chip that makes it possible to guess a pointer authentication code (PAC), the cryptographic signature on pointers that is seen as the ‘last line of defence’ against compromise of the system kernel. Dubbed ‘PACMAN’, it is a speculative-execution side-channel attack, the same class of issue as Spectre and Meltdown: PAC guesses are tested speculatively so a wrong one doesn’t crash the process, letting an attacker brute-force the right value. Caveat: it doesn’t defeat PAC on its own; the attacker still needs an existing memory-corruption bug in the target to exploit, PAC just no longer stops them from doing so

  • CISA, NSA and FBI publish an advisory on how Chinese state actors are targeting telcos

  • Meanwhile the ‘known exploited vulnerabilities’ (KEV) catalogue maintained by CISA has “driven extraordinary focus and really a big re-conceptualization of how organizations rate and prioritize vulnerabilities,” according to the agency’s Eric Goldstein, as businesses move away from prioritising on CVSS score alone

  • “We can sometimes predict thunderstorms but not lightning strikes,” says Chris Inglis, US National Cyber Director, at RSA Conference this week, adding that ‘Shields Up’ (vol. 5, iss. 13) is the new normal

  • US Department of Justice CFAA policy changes are “not really providing a lot of protection for security research” and instead “were intended to generate good PR for the [DoJ]” say lawyers

  • WWDC: Apple has announced a new Safety Check feature to help victims of domestic abuse reset permissions and access to devices in case of emergency, but the timing of its use is critical

  • Also announced this week, Apple operating systems will be able to apply security patches (‘Rapid Security Responses’) outside the typical OS software update cycle, on the fly and without requiring a reboot

  • IBM is acquiring Randori, a provider of attack surface management (ASM) and continuous automated red teaming (CART) services

  • Interesting read on the zero-day exploit market: ‘hack global, buy local’. Also, does information asymmetry make it a market for lemons?
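On the KEV item above: the practical change Goldstein describes is that ‘is this actively exploited, and when does CISA say it must be fixed?’ outranks the CVSS number. The snippet below is an added example (mine, not from the newsletter or from CISA) of that ordering. It indexes a KEV feed by CVE ID and sorts scanner findings KEV-first, earliest CISA due date first, and only then by CVSS. The field names follow the schema of CISA’s published JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), but the feed content and the findings are constructed sample data; the CVE IDs use year 0000 precisely so they cannot be mistaken for real vulnerabilities.

```python
"""KEV-first vulnerability prioritisation. Added example, not the newsletter's or CISA's code.

The KEV feed and scanner findings below are CONSTRUCTED sample data. Field names
follow CISA's published feed schema; CVE-0000-* IDs are placeholders, not real CVEs.
"""
import json
from datetime import date

# Constructed stand-in for the downloaded KEV JSON feed.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Constructed KEV sample for illustration",
    "catalogVersion": "sample",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "product": "Gateway",
         "vulnerabilityName": "Placeholder authentication bypass", "dateAdded": "2022-05-20",
         "shortDescription": "Constructed sample entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-06-10"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleCo", "product": "Agent",
         "vulnerabilityName": "Placeholder privilege escalation", "dateAdded": "2022-06-01",
         "shortDescription": "Constructed sample entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-06-22"},
    ],
})

# Constructed scanner output: host, CVE and CVSS base score.
SAMPLE_FINDINGS = [
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},  # scary score, no known exploitation
    {"host": "vpn-02", "cve": "CVE-0000-0002", "cvss": 5.3},  # in KEV, already past CISA due date
    {"host": "db-03",  "cve": "CVE-0000-0003", "cvss": 7.5},  # in KEV, due in ten days
    {"host": "web-01", "cve": "CVE-0000-0004", "cvss": 4.0},
]

# Fixed 'today' so the example is deterministic (the newsletter's issue date).
TODAY = date(2022, 6, 12)


def load_kev(feed_json):
    """Index the KEV feed by CVE ID for O(1) lookups."""
    catalog = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def prioritise(findings, kev, today):
    """Order findings KEV-first (earliest due date first), then by CVSS descending.

    Each returned finding carries a 'tier' ('KEV' or 'CVSS'), the KEV required
    action, and days_to_due (negative when CISA's due date has already passed).
    """
    ranked = []
    for finding in findings:
        entry = kev.get(finding["cve"])
        if entry is None:
            ranked.append({**finding, "tier": "CVSS", "days_to_due": None,
                           "required_action": None})
            continue
        due = date.fromisoformat(entry["dueDate"])
        ranked.append({**finding, "tier": "KEV", "days_to_due": (due - today).days,
                       "required_action": entry["requiredAction"]})

    def sort_key(item):
        in_kev = item["tier"] == "KEV"
        # KEV entries sort first; within KEV, most overdue first; everything else by CVSS.
        return (0 if in_kev else 1, item["days_to_due"] if in_kev else 0, -item["cvss"])

    return sorted(ranked, key=sort_key)


def example_order():
    """Run the constructed sample and return the CVE IDs in work order."""
    ranked = prioritise(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_JSON), TODAY)
    return [item["cve"] for item in ranked]


if __name__ == "__main__":
    for item in prioritise(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_JSON), TODAY):
        print(f'{item["tier"]:<4} {item["cve"]} cvss={item["cvss"]} '
              f'host={item["host"]} days_to_due={item["days_to_due"]}')
```

With this ordering the CVSS 9.8 finding drops to third: the two KEV entries go first because someone is actually exploiting them and CISA has set a deadline, and the overdue one outranks the one still within its window. In practice you would fetch the real feed on a schedule and feed it the CVE list from your scanner; the feed’s `dateAdded` is also worth watching, since a CVE newly appearing in KEV is itself a signal.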

And finally

  • It’s possible to enrol a new NFC key for a Tesla within 130 seconds of the car being unlocked with another NFC key, with no notification presented in the car or the app. Because obviously the option to add keys is the sort of feature you want from your car every time you unlock it
