Robin’s Newsletter #224

2 October 2022. Volume 5, Issue 40
Optus breach attacker retracts demands as attention grows. Rise in fake LinkedIn CISO profiles. Microsoft Exchange Zero-Day.

This week

  • Optus’ data breach was “quite a basic hack,” says Australia’s cyber security minister, Claire O’Neil amid claims the data was stolen via an API with no authentication and poor access control. The basic personal information of 9.8 million people was compromised; of those, 2.8 million included driver’s license or passport information that “effectively amounts to 100 points of ID check,” said O’Neil. (9.8 million people is the equivalent of over 39% of Australia’s 25 million population.)
  • The attacker, who had demanded a ransom payment of US$1 million, briefly tried to amp up the pressure by threatening to release the personal data of 10,000 people every day. As scrutiny mounted, the attacker retracted their threat, deleted posts and said they had deleted the “only copy” of the data. There were “too many eyes,” the attacker said, apologising and adding that “Australia will see no gain in fraud, this can be monitored. Maybe for 10,200 Australian but rest of population no. Very sorry to you.” It’s a damage limitation tactic for the attacker, who probably hadn’t appreciated the national scale of their antics or the attention the breach would receive.

  • A leadership vote for the International Telecommunications Union has seen the US candidate comprehensively beat a Russian opponent by 139 votes to 25. The ITU, established in 1865, is an agency of the United Nations that facilitates the interoperability of telecommunications between countries. At a time of diverging views on Internet governance and freedom, it was a crucial election. Alexander Martin at The Record has a fascinating write-up on the history and recent events. Well worth a read.
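The Optus item above describes an API with no authentication and poor access control. As an added example, not code from the newsletter or from Optus, the hypothetical handlers below contrast that weak pattern (trust the id in the URL, ask for no credential) with the same record lookup gated by a session check and an object-level authorization check. The record store, the bearer tokens, the customer ids and the `Request` type are all constructed for the example.

```python
"""Added example: a minimal customer-record lookup, first with no
authentication or access control, then hardened. All data is constructed."""
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample records keyed by sequential customer ids.
CUSTOMERS = {
    1001: {"name": "A. Example", "licence_no": "LIC-0001"},
    1002: {"name": "B. Example", "licence_no": "LIC-0002"},
}

# Constructed session store: bearer token -> the customer id it is bound to.
SESSIONS = {
    "tok-for-1001": 1001,
    "tok-for-1002": 1002,
}


@dataclass
class Request:
    path_id: int                  # customer id taken from the URL path
    bearer: Optional[str] = None  # value of "Authorization: Bearer ...", if any


def lookup_vulnerable(req: Request) -> tuple[int, dict]:
    """The weak pattern: the handler trusts the id in the URL and requires
    no credential, so any caller can read any record whose id they guess."""
    record = CUSTOMERS.get(req.path_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def _session_for(bearer: Optional[str]) -> Optional[int]:
    """Resolve a bearer token to a customer id, comparing in constant time."""
    if not bearer:
        return None
    for token, customer_id in SESSIONS.items():
        if hmac.compare_digest(token, bearer):
            return customer_id
    return None


def lookup_hardened(req: Request) -> tuple[int, dict]:
    """Authentication first, then object-level authorization: the caller may
    only read the record their own session is bound to, whatever id the URL
    carries. A mismatch returns 404 rather than 403 so the response does not
    confirm that the requested id exists."""
    caller = _session_for(req.bearer)
    if caller is None:
        return 401, {"error": "authentication required"}
    if caller != req.path_id:
        return 404, {"error": "not found"}
    record = CUSTOMERS.get(req.path_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def records_exposed_to(handler, id_range, bearer=None) -> int:
    """Review helper: how many records one caller can read by walking a range
    of sequential ids through the given handler. Used to compare exposure."""
    return sum(1 for i in id_range if handler(Request(i, bearer))[0] == 200)


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("no-auth handler, anonymous caller:", records_exposed_to(lookup_vulnerable, ids))
    print("hardened handler, anonymous caller:", records_exposed_to(lookup_hardened, ids))
    print("hardened handler, customer 1001:", records_exposed_to(lookup_hardened, ids, "tok-for-1001"))
```

The point of `records_exposed_to` is the review question a defender asks of any record-by-id endpoint: for a single caller, how much of the id space yields data? With the weak handler the answer is "every record that exists"; with the hardened one it is "at most the caller's own".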

Interesting stats

$53 cost incurred by victims of crypto mining malware for every $1 earned by the attacker, say Sysdig

20% (13 million) of ‘newly observed domains’ each month are used for malicious purposes, says Akamai (quite a few DNS providers let you block newly seen domains, which has relatively little business impact, but can protect users if phishing campaigns sucker them in)

Other newsy bits / in brief

  • There has been a big spike in fake CISO profiles being created on LinkedIn with roles at Fortune 500 companies (h/t Tim)
  • Business news site Fast Company used a “ridiculous easy” password to secure its content management system and other services, says an attacker. The attacker used their unauthorised access to post obscene and offensive messages on the website’s homepage and push notifications via Apple News. The latter resulted in Apple suspending Fast Company’s Apple News account
  • Okta subsidiary Auth0 says source code from 2020 may have been stolen in a ‘security event’
  • Ukraine is bracing for Russian cyber attacks on critical infrastructure. The warning from the country’s Defense Intelligence agency says the attacks are expected to exacerbate the effects of missile strikes against electricity generation and distribution facilities
  • Finnish intelligence also says Russia is ‘highly likely’ to turn to cyber espionage this Winter, as traditional human intelligence methods are suffering from the West expelling Russian diplomats due to the war in Ukraine
  • ZINC threat actor is creating malicious versions of open-source tools — like PuTTY, KiTTY and TightVNC — for attacks against US, UK, Indian and Russian defence and aerospace and IT services businesses. Microsoft says they believe the group are related to the North Korean regime, with initial contact being made over LinkedIn before pivoting to WhatsApp
  • BlackCat ransomware tooling suggests they are experimenting with destroying, rather than encrypting, data that they steal to increase leverage on victims, say researchers at Cyderes and Stairwell. The group, also known as ALPHV, is believed to be a rebrand of the Darkside group who were responsible for the Colonial Pipeline attack in May 2021 (vol. 4, iss. 19)
  • ‘Chaos’ botnet has quadrupled in size in two months, say researchers from Lumen Technologies. The malware, written in Go, affects Windows and Linux computers, as well as Linux-based consumer devices like wifi routers
  • Microsoft is warning about a zero-day vulnerability in Exchange Server that is being actively used in attacks. Temporary fixes are available for the server-side request forgery (CVE-2022-41082) and remote code execution (CVE-2022-41040) vulnerabilities, pending a full patch
  • WhatsApp has fixed a buffer overflow bug in how their Android client handles video calls. The vulnerability (CVE-2022-36934) is similar to that used by NSO Group to deploy their Pegasus malware; however, WhatsApp says it was discovered internally, and they have seen no evidence of exploitation
  • Encrypted messaging protocol Matrix has fixed ‘serious vulnerabilities’ that would allow attackers to decrypt and spoof messages
  • A good summary of different national approaches to IoT security from the Atlantic Council and how these UK, US, Singapore, and Australian approaches may be consolidated into a single framework
  • Will Cathcart, head of WhatsApp, has warned that the UK’s Online Safety Bill risks undermining encryption, threatening the government’s communications and will embolden authoritarian regimes in an interview with the FT
  • TikTok faces a £26 million penalty from the UK Information Commissioner for processing the personal data of children under the age of 13 without parental consent. The “notice of intent” is provisional for GDPR failures occurring between May 2018 and July 2020, and the ICO will now consider TikTok’s representations
  • REvil arrests (vol. 4, iss. 46) may have been the result of information shared by a disgruntled insider. The intelligence shared by the individual with McAfee included “TTPs, internal relationships, information on the group’s operations” and enabled them to find the admin portal used by the ransomware group
  • The former eBay executives who harassed the firm’s critics have been jailed for cyberstalking. James Baugh, former Director of Safety and Security at the time, and David Harville were involved in a scheme (vol. 3, iss. 25) that included sending a couple who were critical of eBay a fetal pig, a funeral wreath, and live insects. Baugh received a 57-month (~5-year) sentence, with Harville receiving two years’ prison time and a further two years of supervised release
  • Ethical hacker platform Detectify has closed a $10 million follow-on funding round to progress product and improve user experience objectives
  • Ox Security has raised a $34 million seed funding round for their ‘Pipeline Bill of Materials’ (PBOM) platform. PBOM differs from a Software Bill of Materials (SBOM), which gained popularity following the SolarWinds attack, by also considering the processes and procedures used by software development teams

And finally

  • An IT admin has pled guilty to disrupting web and email systems at his former employer in the hope they would hire him back on a higher salary. Casey K. Umetsu worked for a financial services firm in Hawaii before he was laid off and now faces up to 10 years in prison and a $250,000 fine
