Robin’s Newsletter #223

25 September 2022. Volume 5, Issue 39
Uber points the finger at Lapsus$; GTA games company Rockstar, Aussie telco Optus, and fintech Revolut all suffer breaches.

This week

  • Uber has pointed the finger at Lapsus$ for last week’s compromise that saw many of the ride-hailing company’s internal and administrative systems compromised. In an update, the company confirmed that a contractor working for the organisation had received multiple push-based multi-factor authentication requests, eventually accepting and granting access (a technique some call “MFA fatigue”). They believe the attackers likely purchased the contractor’s credentials on the dark web. While many of Uber’s internal systems were compromised, it does not appear that the attackers exploited access to public-facing systems.
  • Meanwhile, on Tuesday, in the trial of former CISO, jurors heard that Joe Sullivan’s view was that Uber’s legal team, not the security team, were responsible for the disclosure decision. The testimony was given by Randall Lee, a partner from a law firm brought in by Uber’s ‘special matters committee’ to review how the company handled the breach. That Uber didn’t disclose the breach is central to the charges of obstruction and concealment of a felony. Sullivan’s focus was ‘on the operational side,’ and he tried to ‘stay out’ of legal decisions, testified Lee.
  • Lapsus$ is a seemingly loosely affiliated group of hacktivists doing it ‘for the lulz’ (their own amusement). Based in Brazil and the UK, they previously made headlines by compromising Nvidia (vol. 5, iss. 10) and Okta (vol. 5, iss. 14) earlier this year. The compromise of Rockstar Games (see below) has also been attributed to the group.

  • Rockstar, the games company behind the Grand Theft Auto series, has suffered a “network intrusion”: around 90 videos showing early development gameplay from a forthcoming unnamed GTA release were stolen and posted online, with the attacker also claiming to have stolen source code. While the games industry press called it one of the ‘biggest leaks in video games history’, the reality is perhaps a little less sensational. Yes, GTA V’s follow-up is widely anticipated, but the breach was of the company’s Slack instance and the firm “does not anticipate… any long-term effect [on development]”. There will be investigations that incur financial costs and divert attention in the short term; however, open-world games like GTA take many years to create. While it’s embarrassing for Rockstar right now, the release of this sequel isn’t expected for another ~2 years. An individual rumoured to be related to the incident has allegedly already been apprehended by police in Oxfordshire, UK.

  • Sticking with MFA and all things authentication, the NCSC has published some helpful guidance on different authentication methods.

Interesting stats

34% of login attempts are credential stuffing attacks, says Okta, surpassing legitimate login requests in some countries. 10 billion credential stuffing events were detected on its platform in the first 90 days of 2022.

Other newsy bits / In brief

  • British fintech Revolut has confirmed a breach affecting tens of thousands of customers. A company spokesperson was quick to downplay the “unauthorised third party [access]”, stating it lasted around one day and affected less than 0.16% of customers. In a message to customers, the company said no card details, PINs or passwords were accessed but declined to confirm what data was compromised in the breach. There’s also seemingly no information about the incident on the company’s website. That may be because it’s too early to tell, though the approach taken (downplaying the incident and leaving unaffected customers out of the loop instead of providing reassurance) doesn’t look good.

  • Australia’s second-largest mobile operator, Optus, is investigating ‘unauthorised access’ that may have compromised up to 9.7 million customers’ dates of birth, email addresses and passport numbers. The Australian Federal Police (AFP) is investigating an alleged ransom of US$1 million (AU$1.5M).

  • Ten terabytes of emails and other data have been stolen and released from South American militaries and law enforcement agencies by a hacktivist group calling itself Guacamaya. The data is from agencies in Chile, Mexico, El Salvador, Colombia and Peru. This incident is the latest in a string of breaches that the group has claimed responsibility for since March, in a campaign aimed at combating environmental exploitation and the suppression of native populations by ‘the global north’ (vol. 5, iss. 34).

  • Kiwi Farms, a forum used to organise harassment campaigns against trans and non-binary people, has been breached. The site’s administrator warned users to assume their password, email and IP address may have been compromised. The site often doxxes victims, and a post just below the breach notification contained a victim’s social media password. As @GossiTheDog noted, Alanis Morissette would be impressed with the irony of the admin trying to paint himself as a victim with “so many more people trying to destroy than create.”

  • Indonesia has passed personal data protection legislation. The Personal Data Protection (PDP) Bill, expected to be ratified this coming week, brings together and replaces a patchwork of 32 previous laws and is modelled on the EU’s GDPR. The law requires personal data to be updated and errors corrected within 24 hours, and includes penalties of up to 2% of annual revenue and six-year jail terms for anyone found to have broken the law. Indonesia is the world’s fourth most populous country, and the legislation applies, like GDPR, extraterritorially, meaning that any business processing data on an Indonesian citizen will need to comply.

  • Private medical photos found in the LAION-5B image set used to train artificial intelligence models like those powering Stable Diffusion

  • Iran has limited mobile internet and social media access, while Anonymous has launched attacks on the websites of Iran’s central bank, national portal and state-owned media, as anti-regime riots gather momentum.

  • The toolkit used to build LockBit ransomware has leaked, prompting concerns of increased ransomware attacks and of competing groups using it to complicate attribution.

  • A path traversal bug in Python’s tarfile package may affect up to 350,000 open-source repositories and has remained unpatched since 2007.

  • Microsoft analysis of an OAuth phishing attack used to spread spam and phishing emails

  • Control failure: Malwarebytes antivirus blocked all Google services for an hour this week, leading to some disabling their AV so they could work

  • Cool: An engineer has generated an image containing an MD5 checksum of itself

  • Morgan Stanley is to pay $35 million for not wiping the personal data of 15 million customers from hard drives and servers before disposing of them

  • SentinelOne has launched a $100 million investment fund — S Ventures — focussed on enterprise cyber startups

And finally

  • Researchers from the University of Florida say they can spot deepfake audio. Their technique reverses the fluid dynamics methods used to reproduce the sounds that animals make: instead of hypothesising what, for example, a dinosaur sounds like based on its vocal tract, they take the sound and reverse engineer an approximation of the vocal tract that produced the audio. While deepfake audio may sound convincing to the human ear, the results show that it equates to a vocal tract with the “same relative diameter and consistency as a drinking straw”.

  • The FT has a really neat ‘ransomware game’ where you can try to negotiate your way out of a ransomware attack. It highlights the typical discourse, trade-offs and expectations that business leaders face. Well worth a go, and it might be helpful as part of broader senior education programmes.
