Robin’s Newsletter #234

11 December 2022. Volume 5, Issue 50
Apple offers encrypted iCloud backups. Medibank takes systems offline for security improvements. Attack on NZ MSP affects Justice and health bodies.

This week

Apple introduces E2EE for iCloud backups 

  • Apple has launched an optional end-to-end encryption (E2EE) feature for iCloud. While Cupertino’s iPhones have been notoriously difficult for law enforcement to access without the owner giving up their passcode, police have been able to obtain copies of device data from the company via its iCloud backups, which Apple held the keys to.
  • The Advanced Data Protection scheme moves the encryption keys for iCloud backups, Photos, Notes and other data flagged for encryption by third-party apps solely onto the user’s trusted devices, so Apple no longer holds a copy and cannot decrypt the data, whether for itself or in response to a legal request.
  • The exclusion of email, calendar, and contact data is blamed on ‘interoperability requirements’ with other providers’ systems.
  • Alongside this, iMessage Contact Key Verification lets users confirm they are messaging who they think they are, and ‘Security Keys’ allows a hardware security key to be required as the second factor for an Apple ID. techcrunch.com, macrumors.com

Medibank will take systems offline this weekend for improvements

  • Australian health insurer Medibank, which experienced a ransomware attack in October (vol. 5, iss. 44), is taking all of its IT systems offline and closing branches this weekend to improve its defences.
  • ‘Operation Safeguard’ will add new detection capabilities and roll out multi-factor authentication across the company. It is a planned outage and not the result of further criminal activity.
  • The scale of investigations and subsequently required security programmes following a significant cyber incident can come as a surprise to less mature organisations. theregister.com

On ChatGPT and AI malware

  • AI systems like ChatGPT may show ‘promise’ for creating software exploits and writing malware, but they are only as good as their training material: they can rehash existing code or generate it in different styles, but they aren’t good at creating new, high-level concepts. cyberscoop.com

Interesting stats

12% of 8,000 European 16-19-year-olds admit to ‘money muling’, helping to launder the proceeds of crime, according to a study from the University of East London (UEL)…

“The research indicates that a large proportion of young people in the EU are engaging in some form of cybercrime, to such an extent that the conduct of low-level crimes online and online risk-taking has become almost normalised,” — Julia Davidson, Professor of Criminology, UEL. theguardian.com

$70 is the average service desk labour cost of a password reset call, according to Forrester, and 20%-50% of all help desk calls are for password resets, says Gartner. bleepingcomputer.com

225,000 corporate email accounts are for sale on criminal marketplaces, says KELA, with $2-$30 the typical asking price, rising for ‘desirable’ organisations. bleepingcomputer.com

Other newsy bits / in brief

Attacks, incidents & breaches

  • New Zealand managed service provider Mercury IT has become the victim of a ransomware attack, crippling the IT of customers, including multiple government departments and public authorities. The Ministry of Justice and Te Whatu Ora (Health New Zealand) are affected. therecord.media
  • Sequoia, an outsourced HR and payroll company that counts over 500 venture-backed startups as clients, has suffered a data breach. The company notified affected individuals, though it was cagey over the exact number of victims. wired.com
  • Telstra says a ‘misalignment’ of databases caused 130,000 customers’ details to be published online. theguardian.com
  • VTB Bank says its website and mobile apps were taken offline by an “unprecedented cyberattack from abroad”. The IT Army of Ukraine has claimed responsibility for the distributed denial of service (DDoS) attack against Russia’s second-largest bank. bleepingcomputer.com
  • Personal data of 620,000 patients stolen during October ransomware attack at Chicago-based CommonSpirit Health. techcrunch.com
  • Rackspace says the security incident affecting its Hosted Exchange platform is ransomware (vol. 5, iss. 49). The company has offered affected customers licences and instructions to migrate their email to Microsoft 365 and, in an 8-K SEC filing, expects a $30 million impact on the affected part of its business. bleepingcomputer.com
  • The data breach at Amnesty International’s Canadian branch has been linked to a Chinese-sponsored group by Secureworks. therecord.media

Threat intel

  • Regional Russian courts and city halls have been struck by ‘CryWiper’ malware that pretends to be ransomware but destroys the files it touches, says Kaspersky, who is confident that the attackers’ goal “is not financial gain, but destroying data”. therecord.media
  • Cryptonite ransomware, which first appeared in October, doesn’t include decryption functionality, so victims cannot recover their files even if they pay, warns Fortinet. The malware is written in Python and available as a free, open-source toolkit. zdnet.com
  • Microsoft Word still has bits of Internet Explorer in it, and North Korea is exploiting it in malicious documents, says Google. arstechnica.com
  • The US Department of Health and Human Services is warning that the Royal ransomware group targets healthcare providers, with a ‘sharp increase’ in activity observed since September. bleepingcomputer.com

Vulnerabilities

  • Google has released a patch for CVE-2022-4262, a high-severity type confusion bug in Chrome’s V8 JavaScript engine that is already being exploited by attackers; CISA has added the zero-day to its Known Exploited Vulnerabilities catalogue. zdnet.com, therecord.media
  • A critical vulnerability in Android’s System component that may lead to remote code execution over Bluetooth is amongst four serious issues addressed in Android’s December security bulletin. zdnet.com
  • A high-severity remote code execution vulnerability (CVE-2022-20968) in Cisco IP phones will not receive a patch until January 2023, says Cisco, who adds that it is aware of ‘public discussion’ of a proof-of-concept but has not observed any attempts at exploitation in the wild. bleepingcomputer.com

Cyber defence

  • Passkey support has been added to Google’s Chrome stable release. Passkeys use the WebAuthn standard and public-private key pairs to authenticate users instead of passwords: the authenticator holds a private key for each site and signs a server-issued challenge, so there is no shared secret to phish or to leak in a breach. arstechnica.com

Public policy

  • The US defense policy bill is set to allocate $44 million to Cyber Command’s “hunt forward” missions, and to authorise operations (with presidential approval) in “foreign cyberspace” where “an active, systemic and ongoing campaign of attacks” is determined. cyberscoop.com

Regulatory

  • The UK Information Commissioner’s Office will now publish details of ‘reprimands’ made against organisations. In these cases, the ICO has used its broader ‘corrective powers’ where a monetary penalty would be inappropriate. The focus is part of a new ‘strategic approach’ to enforcement, set out by John Edwards at the National Association of Data Protection Officers in November. therecord.media, ico.org.uk

Mergers, acquisitions and investments

  • Homomorphic encryption company Vaultree has raised $12.8 million in its latest funding round. techcrunch.com
  • SOC2 and GDPR compliance startup Drata has closed a $200 million Series C funding round and achieved ‘unicorn’ status with a $1+ billion valuation. techcrunch.com

And finally

Scammers scamming each other

  • Cybercriminals have lost at least $2.5 million to other criminals in the last 12 months. The complaints, mostly about ‘rip-and-run’ scams where services aren’t provided or are defective, are raised on popular dark web forums and offer a window into how the cybercrime ecosystem functions, says Sophos. zdnet.com

More air-gap hopping from Ben-Gurion University

  • Researchers at Israel’s Ben-Gurion University have been at it again, this time proving that carefully written software can modulate a system’s power supply so that it emits electromagnetic signals receivable from over 2 metres away. A receiving smartphone or laptop can pick up the data, even through walls, at up to 1 kbps. bleepingcomputer.com
  • Previous research has demonstrated similar abilities to exfiltrate data from air-gapped systems via SATA (vol. 5, iss. 30), RAM (vol. 3, iss. 51), and even computer cooling fans (vol. 3, iss. 16).
Robin
