Robin’s Newsletter #219

28 August 2022. Volume 5, Issue 35
Lloyd's market bulletin tightens wording for cyber cover. Group behind Twilio attack has compromised 'over 130 organisations'. Mudge complaint alleges woeful security practices at Twitter.

This week

Lloyd’s of London insurers set to exclude nation-state attacks from cyber policies

  • Lloyd’s of London has issued a market bulletin directing insurers to exclude cover of state-backed attacks that either “significantly impair the ability of a state to function” or “significantly impair the security capabilities of a state.” Policies must also set out a ‘robust basis’ for how state-sponsored attacks will be attributed — something notoriously difficult, and made harder by the emergence of ‘grey’ groups such as Ukraine’s volunteer IT Army.
  • In the Seriously Risky Business newsletter, Tom Uren, quoting the Carnegie Endowment’s Jon Bateman, makes a sound observation:

“[These Lloyd’s] exclusions ‘are not trying to solve a societal problem, they are trying to solve an insurance problem’, and ultimately the incidents that Lloyd’s are excluding are so significant the government will end up carrying the can regardless of whether insurance was available or not.”

  • Much of the coverage has focussed on the ‘excluding nation-state attacks’ angle, where the letter of the bulletin is more nuanced in tying the exclusion to impacts on state functions. It also requires exclusion of events arising from an ‘act of war,’ much like the war and terrorism exclusions in physical cover. In that light, the move is hardly unprecedented.

  • The systemic risk posed by such attacks may “greatly exceed what the insurance market is able to absorb,” meaning insurers would be unable to pay out at the scale such events would demand. These are massive, systemic risk events that Lloyd’s is considering, not small, targeted attacks against individual organisations.

  • At its crux is the complexity of our digitally transformed world. Technology has delivered efficiencies, but resilience in many areas is still low, and risk can manifest in many ways, often well beyond the environment of any one organisation. The attack on the Colonial Pipeline (vol. 4, iss. 19) is a good example: the societal consequences far exceeded the business interruption and regulatory consequences for the company itself. The company shut down the pipeline to protect the safety of workers and ensure it could bill customers accurately, while citizens queued to top up amid fears of fuel shortages.

  • Avoiding mismatched incentives and being clear on risk ownership in complex systems involving governments, private entities, and citizens is challenging. Lloyd’s is taking steps to improve clarity on the role it sees its members playing.

therecord.media, substack.com, mishcon.com

Interesting stats 

100,000 cyber attacks a year are made against the world’s largest sovereign wealth fund, of which around 1,000 (roughly three a day) it deems ‘serious’; that is double the number of 2-3 years ago, according to Norges Bank Investment Management chief executive Nicolai Tangen, who told the FT:

“I’m worried about cyber more than I am about markets… We’re seeing many more attempts, more attacks [that are] increasingly sophisticated.” ft.com

A whole host of stats from the Chartered Institute of Information Security’s annual industry survey ciisec.org:

57% think problem-solving and analytical skills are the most important, followed by 24% saying communication skills, with just 18% naming technical subject matter skills; quite a different view from the one implied by the proliferation of certifications on offer!

Unfortunately… 32% of security professionals are kept awake at night by job-related stress

Other newsy bits

  • Ex-Twitter chief security officer Peiter Zatko (aka ‘Mudge’) has sought whistleblower protections in a complaint filed against his former employer. The complaint alleges “extreme, egregious deficiencies” in Twitter’s cyber defences. Zatko claims that half of Twitter’s servers run vulnerable software, that management downplays facts about breaches, and that roughly half of the 7,000 full-time staff had broad access to source code and production environments. The complaint also alleges inaccuracies in how Twitter reports the number of bots on the platform to investors (which will surely be of interest in Elon Musk’s attempts to get out of buying Twitter). Regulators in Europe are also paying close attention. While the infosec allegations appear well-founded, Risky Business’ Patrick Gray pointed out that reporting ‘monetisable daily active users’ was common practice washingtonpost.com, cnn.com

  • The attackers behind the Twilio and Cloudflare breaches (vol. 5, iss. 33) have compromised over 130 organisations and stolen 9,931 credentials, according to a report by Group-IB. The Singapore-headquartered threat intel firm tracked the group, which it calls 0ktapus, using the “unique enough” images, fonts and scripts on the phishing pages generated by its kit techcrunch.com

  • LastPass has written to customers advising of a breach of the company’s development environment. The attacker stole some source code through a single compromised developer account. There is no evidence that users’ data or password vaults are affected. Props to the company for the transparency in notifying customers of the break-in theregister.com

  • The Conservative party leadership election — which will, by extension, select the next UK Prime Minister — is being conducted online for the first time. Some experts are worried that the system has ‘not been proven’ for “high stakes” use, and changes to it were needed (vol. 5, iss. 32); however, the NCSC has been involved in the process. I suspect that accidental error will likely be a more frequent risk than a foreign power explicitly meddling in the election: it’s the first time many will have encountered such a system theguardian.com

In brief

Attacks, incidents & breaches

  • DESFA, Greece’s national gas system operator, has confirmed a Ragnar Locker ransomware attack on its infrastructure. The supply of natural gas “continues to operate smoothly… safely and adequately,” said a company statement therecord.media
  • Novant Health, a network spanning 800 medical facilities in North Carolina, South Carolina and Georgia, has admitted disclosure of 1.3 million patients’ sensitive data to Facebook. Novant Health was using a Facebook tracking pixel to measure advertising campaign success that “was configured incorrectly and may have allowed certain private information to be transmitted” to the social media giant. Facebook says it filters potentially sensitive health-related data from its ads targeting software; however, it has previously handed over such data when subpoenaed theregister.com
  • Media streaming service Plex “discovered suspicious activity on one of [their] databases,” leading to the compromise of a “limited subset” of users’ email addresses, usernames and encrypted passwords (other sources put the number at over half of its 30 million users) zdnet.com
  • An update to VMware’s Carbon Black endpoint detection and response agent is causing Windows devices and servers to blue screen, leaving the firm ‘inundated’ with support requests. Changes to a ruleset cause the problem in sensor versions 3.6.x.x through 3.7.x.x. Putting the agent into bypass mode, then removing the updated rules, restores normal operation theregister.com
  • LockBit has attacked another hospital: the Centre Hospitalier Sud Francilien (CHSF) in Corbeil-Essonnes, France, which had to transfer patients needing urgent care to other hospitals and reroute ambulances as operating theatres were affected by the outage therecord.media
  • LockBit’s dark-web leak site was knocked offline this week by a DDoS attack, perhaps linked to the group’s claim to have breached cyber vendor Entrust earlier this year techcrunch.com

Threat intel

  • Google says Iran-linked Charming Kitten threat actors have developed a tool called ‘Hyperscrape’ to iterate through a user’s mailbox and download copies of every email therecord.media
  • Threat actors are ditching Cobalt Strike in favour of other frameworks such as Sliver, says Microsoft, which has published some queries to aid threat hunting microsoft.com

Cyber defence

  • Cybercriminals and nation-state groups are seeking out dormant accounts that have never enrolled in MFA and using Azure AD’s self-service enrolment to register MFA on devices they control (the enrolment flow itself requires no additional verification). Once the attacker’s device is enrolled, subsequent logins no longer look suspicious. You can use a Conditional Access policy to restrict security-information registration so that it is only allowed from within your internal network, and it is worth reviewing which accounts have registered MFA recently and from where zdnet.com

Security engineering

  • Unsurprisingly, deserialising data from untrusted sources is risky. “When analyzing the 19 RCE exploits, we have identified several ways to introduce a gadget in a library: adding classes, methods, and interfaces, or changing the signature of methods,” say researchers Imen Sayar, Alexandre Bartel, Eric Bodden, and Yves Le Traon in their paper An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities theregister.com, arxiv.org
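To make the mechanism concrete, here is an added example of my own (not code from the paper or from the page): a constructed Serializable class whose readObject hook runs during deserialization stands in for a gadget, read first with a bare ObjectInputStream and then through an allow-list ObjectInputFilter that rejects it before the hook can execute. The class names, the filter pattern and the `triggered` flag are assumptions made for illustration; a real gadget is an existing class in a library already on the classpath, which is exactly what the paper's "adding classes, methods, and interfaces" describes.

```java
import java.io.*;

public class DeserDemo {
    // Constructed for this example: a Serializable class with a readObject hook.
    // Real gadget chains live in third-party libraries; this stand-in merely
    // records that attacker-chosen code ran during ObjectInputStream.readObject().
    static final class SideEffect implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean triggered = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true; // stand-in for Runtime.exec(...), file writes, JNDI lookups, etc.
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: any class on the classpath with a readObject hook
    // is instantiated and its hook runs, driven entirely by the input bytes.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern (Java 9+, backported to 8u121): allow-list the types the
    // caller actually expects and reject everything else. The filter is consulted
    // before a class is resolved, so no readObject hook of a rejected class runs.
    // "maxdepth" additionally bounds nested graphs used for resource exhaustion.
    static Object safeRead(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=4;java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] hostile = serialize(new SideEffect());

        unsafeRead(hostile);
        System.out.println("unsafeRead: readObject hook ran = " + SideEffect.triggered);

        SideEffect.triggered = false;
        try {
            safeRead(hostile);
        } catch (InvalidClassException e) {
            // Rejection surfaces as InvalidClassException ("filter status: REJECTED").
            System.out.println("safeRead rejected hostile input: " + e.getMessage());
        }
        System.out.println("safeRead: readObject hook ran = " + SideEffect.triggered);

        // The allow-listed type still deserialises normally.
        System.out.println("safeRead benign: " + safeRead(serialize("hello")));
    }
}
```

Compile and run with `javac DeserDemo.java && java DeserDemo`. The first read reports the hook firing, the filtered read rejects the same bytes without it firing, and the plain String still round-trips. In production the filter is better set process-wide with `-Djdk.serialFilter=...` or `ObjectInputFilter.Config.setSerialFilter` so no code path can forget it, and the stronger fix remains not using Java serialization for untrusted input at all.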

Internet of Things

  • Users on Russian cybercrime forums are targeting vulnerabilities in Hikvision cameras. CVE-2021-36260 is a command injection vulnerability from 2021 that scores 9.8/10, and it seems that over 80,000 cameras present in around 2,300 organisations are vulnerable therecord.media

Privacy

  • A good summary of the potential changes coming if the US data privacy bill passes theconversation.com
  • DuckDuckGo’s email service that removes trackers from messages is leaving a private beta and is now available to the public arstechnica.com
  • Ten out of fifteen top US mobile phone carriers retain location data for an average of two years, with no way for customers to opt out, finds the Federal Communications Commission cyberscoop.com

Public policy

  • Ukraine and Poland have signed an agreement to strengthen cybersecurity collaboration, jointly fight cybercrime and share experience combating cyberattacks. The agreement will also see official digital documents, such as driving licences, being recognised for expats within their host government’s apps and systems therecord.media

And finally

Graduation prank Rickrolls 12,000 students

  • Wired has the story of four high school students who hijacked over 500 screens and projectors and tannoy systems across six schools in Cook County, Illinois, to rickroll 12,000 students as a graduation prank wired.com
Robin
