Robin’s Newsletter #213

17 July 2022. Volume 5, Issue 29
False cyber security claims land US defence contractor in a $9 million settlement. Log4J features in the first Cyber Safety Review Board report.

This week

Aerojet Rocketdyne settles cyber whistleblower case for $9 million

Aerojet Rocketdyne has agreed to pay $9 million to settle a lawsuit brought by a whistleblower who accused the company of violating contractual cyber security requirements and misleading the government about its cyber security posture.

The court filing alleged the company won over $2.6 billion of DoD and NASA contracts between July 2013 and September 2015 by falsely representing that it complied with cyber security regulations, in some cases claiming to have security appliances in place when the equipment was still in its box.

It’s an interesting lawsuit because it’s the first cyber security case to be brought under the ‘qui tam’ provisions of the False Claims Act, which allow individuals to bring claims on behalf of the US government and receive a portion of any proceeds. The Department of Justice is encouraging whistleblowers to report cyber security violations and hold employers accountable.

For his part, whistleblower Brian Markus, who joined Aerojet as a senior director of cybersecurity and was terminated after raising concerns through the firm’s ethics helpline, will receive $2.6 million of the payout for bringing the case forward.

Aerojet Rocketdyne did not admit guilt as part of the settlement.

reuters.com, therecord.media

Interesting stats

3 million installs of six Android apps carrying the ‘Autolycos’ malware, which silently subscribes victims to premium services. The apps stayed on Google Play for more than 6 months after being reported to Google, and two remained available over 12 months later bleepingcomputer.com

$52 million: the 30-day average value of cryptocurrency sent to ‘mixers’ (services that obfuscate the source and destination of transactions) in April 2022. An almost 2x increase in funds arriving from known illicit wallets drove the rise, according to Chainalysis cyberscoop.com

94% of industrial organisations have experienced a ‘security incident’ in the past 12 months (the other 6% are lying? 🤷), with 43% of those incidents affecting operations for more than two days and 11% having a ‘significant’ impact, according to Barracuda zdnet.com

Other newsy bits

  • The Chinese government didn’t know about Log4J before disclosure by Alibaba researchers, finds the Department of Homeland Security’s Cyber Safety Review Board in their inaugural report, which also labels the bug an “endemic vulnerability” that will persist in systems for at least the next decade cyberscoop.com, therecord.media, full report cisa.gov (PDF)

  • Victims of the US Office of Personnel Management (OPM) breaches in 2014/2015 may be entitled to between $700 and $10,000 following the settlement of a class action lawsuit for $63 million. The breach, which exposed sensitive information of almost 26 million people who had applied for government clearances, was attributed to the Chinese government by US officials therecord.media

In brief

Attacks, incidents & breaches

  • SHI, a New Jersey-headquartered IT reseller, suffered a “coordinated and professional malware attack” over the 4th July holiday weekend that resulted in teams taking systems down as a precautionary measure therecord.media
  • Professional Finance Company (PFC), a Colorado-based medical debt collection agency, announced on 1st July that it had suffered a ransomware incident in which the personal data of 1.91 million patients from 650 healthcare providers was stolen by cybercriminals. The stolen data includes names, addresses and outstanding balances, and for some patients dates of birth and social security numbers techcrunch.com
  • Physical addresses, IP addresses and credit card details of five US Supreme Court justices were released by hacktivists following the overturning of Roe v. Wade, the group claiming the justices are focusing on “something unnecessary rather than focusing on bigger issues in [America]” theregister.com
  • A data breach at UK recruitment agency Morgan Hunt exposed contractors’ names, contact details, identity documents, proof-of-address documents (including any bank or building society statement provided), National Insurance numbers and dates of birth theregister.com

Threat intel

  • Cybercriminals are impersonating a range of cyber vendors and contacting users about “abnormal” activity that they have detected as “your company’s outsourced data security services vendor”. If the user bites — phoning a ‘helpline’ with a case reference number — the criminals will try to get the user to install a remote access tool zdnet.com
  • Fake subscription renewal invoices for MasterClass, DuoLingo and others are being used as lures by ‘Luna Moth’ group, similarly directing victims to call ‘billing departments’ who try to coax the caller into installing a remote access trojan bleepingcomputer.com
  • Attackers are increasingly using reverse proxies that sit between the victim and the real login page, relaying the sign-in and capturing both the credentials and the session cookie issued once multi-factor authentication succeeds; replaying that cookie bypasses MFA entirely and gives access to the mailbox for fraud or business email compromise, says Microsoft, with one ‘adversary-in-the-middle’ (AiTM) campaign targeting over 10,000 organisations since September 2021 microsoft.com
  • MaliBot, first seen in June, is now the third most prevalent malware targeting Android devices, according to CheckPoint zdnet.com
  • AlphV and LockBit join Karakurt ransom group in creating searchable databases of stolen data in a move designed to try and amplify pressure on victims to pay therecord.media
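The cookie-replay pattern behind the AiTM campaign above leaves a trace in sign-in telemetry: the identity provider sees the proxy, not the victim, complete MFA, and the cookie is then used from a client that is not the one it was issued to. The following is an added example of that detection heuristic, not code from the newsletter or from Microsoft’s report; the event schema, the IP addresses, user agents and the severity scheme are all constructed assumptions.

```python
"""Flag session cookies used from a different client than the one that
completed MFA, the tell of an adversary-in-the-middle (AiTM) phishing proxy.

Added example, not from the newsletter or Microsoft's report. The event
schema and every address and user agent below are constructed.
"""
from datetime import datetime, timedelta

# Constructed sign-in telemetry, in the shape an IdP audit log might export.
# "mfa_ok": session cookie `sid` issued after a successful MFA challenge.
# "use":    a request authenticated with that cookie.
EVENTS = [
    # alice: normal session, same client throughout.
    {"ts": "2022-07-12T08:00:05Z", "type": "mfa_ok", "user": "alice", "sid": "S1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/103"},
    {"ts": "2022-07-12T08:01:00Z", "type": "use", "user": "alice", "sid": "S1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/103"},
    # bob: MFA is completed from the proxy's address (198.51.100.77) ...
    {"ts": "2022-07-12T09:10:00Z", "type": "mfa_ok", "user": "bob", "sid": "S2",
     "ip": "198.51.100.77", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/103"},
    # ... and minutes later the cookie is replayed from another host and browser.
    {"ts": "2022-07-12T09:14:30Z", "type": "use", "user": "bob", "sid": "S2",
     "ip": "192.0.2.200", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/102"},
    # carol: same browser, new network six hours later (roaming is plausible).
    {"ts": "2022-07-12T07:00:00Z", "type": "mfa_ok", "user": "carol", "sid": "S3",
     "ip": "203.0.113.20", "ua": "Mozilla/5.0 (Macintosh) Safari/605"},
    {"ts": "2022-07-12T13:00:00Z", "type": "use", "user": "carol", "sid": "S3",
     "ip": "203.0.113.99", "ua": "Mozilla/5.0 (Macintosh) Safari/605"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Return one finding per cookie use whose client differs from the client
    that completed MFA for that cookie.

    Severity (an assumed scheme, tune to your environment):
      high   - user agent changed: a browser does not change its UA mid-session,
               so the cookie has been copied to another client.
      medium - only the IP changed, within `window` of issuance.
      low    - only the IP changed, later than `window`.
    """
    issued = {}     # sid -> the mfa_ok event that created it
    findings = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["type"] == "mfa_ok":
            issued[ev["sid"]] = ev
            continue
        origin = issued.get(ev["sid"])
        if origin is None:
            continue    # issued outside the log window; nothing to compare against
        reasons = []
        if ev["ua"] != origin["ua"]:
            reasons.append("user_agent_changed")
        if ev["ip"] != origin["ip"]:
            reasons.append("ip_changed")
        if not reasons:
            continue
        age = parse_ts(ev["ts"]) - parse_ts(origin["ts"])
        if "user_agent_changed" in reasons:
            severity = "high"
        elif age <= window:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "user": ev["user"], "sid": ev["sid"], "severity": severity,
            "reasons": reasons, "issued_from": origin["ip"], "used_from": ev["ip"],
            "minutes_after_mfa": int(age.total_seconds() // 60),
        })
    return findings


def highest_severity_by_session(findings):
    """Collapse per-event findings to the worst severity seen per session."""
    rank = {"low": 0, "medium": 1, "high": 2}
    worst = {}
    for f in findings:
        if f["sid"] not in worst or rank[f["severity"]] > rank[worst[f["sid"]]]:
            worst[f["sid"]] = f["severity"]
    return worst


if __name__ == "__main__":
    for f in find_replayed_sessions(EVENTS):
        print(f"{f['severity']:6} {f['user']}/{f['sid']}: {', '.join(f['reasons'])} "
              f"(issued to {f['issued_from']}, used from {f['used_from']}, "
              f"{f['minutes_after_mfa']} min after MFA)")
```

On the constructed data alice produces nothing, bob’s session is flagged high (different browser and address within minutes of MFA) and carol’s is low. Detection like this is a backstop for cookies that have already been stolen; phishing-resistant MFA such as FIDO2, which binds the challenge to the real site’s origin, stops the proxy from completing the sign-in in the first place.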

Vulnerabilities

  • App Sandbox escape vulnerability in Apple macOS (CVE-2022-26706) used standard input (stdin) to run python with the same privileges as launchd microsoft.com
  • Over 70 models of Lenovo laptops, including Yoga and ThinkBook product lines, have vulnerable UEFI firmware arstechnica.com
  • CISA is urging organisations to patch critical vulnerabilities in Juniper Networks Junos Space, Contrail Networking and NorthStar Controller products theregister.com

Operational technology

Privacy

  • Amazon handed over data from its Ring doorbells to law enforcement in eleven ‘good faith’ cases so far this year without a warrant, and without notifying users arstechnica.com
  • New Google Play Store privacy labels will feature developer-provided explanations on data collection and processing practices on an ‘honour system’ rather than the current automatically generated permissions information arstechnica.com

Public policy

  • The UK’s controversial Online Safety Bill is ‘on pause’ until the autumn when a new prime minister will be in post techcrunch.com

Regulatory

  • Australian telcos will be required to identify and block SMS scam messages and share information with authorities and others in the sector, or face up to A$250,000 fines, in a move designed to combat scams and fraud theguardian.com

Law enforcement

  • Former CIA software engineer Joshua Schulte has been found guilty of stealing sensitive information from the CIA and passing it to WikiLeaks. The ‘Vault 7’ leaks contained extensive information on the agency’s hacking tools and operations. Schulte was found guilty on all nine counts, including illegally gathering national defense information and illegally transmitting it, and now faces up to 80 years in prison nytimes.com

Mergers, acquisitions and investments

  • Defence IT consulting firm Booz Allen Hamilton has launched a venture capital arm, Booz Allen Ventures, with $100 million to invest in ‘strategic’ defensive and offensive startups techcrunch.com
  • Vitruvian Partners, which has previously invested in Bitdefender and Darktrace, has acquired a majority stake in vulnerability management firm Outpost24 pehub.com

And finally

  • A derailed train severed two fibre-optic lines, owned by telco Zayo, that handle data for air traffic controller Nav Canada and airlines, resulting in delays and cancellations for airlines in Western Canada therecord.media
Robin
