Robin’s Newsletter #245

26 February 2023. Volume 6, Issue 9
USSOCOM email server left exposed. Critical vulnerability in another file transfer app. Signal says it would exit UK market.

This week

  • Loose lips: An email server belonging to the US Department of Defense was secured this week after being left accessible to anyone who found its IP address. The server contained three terabytes of unclassified but sensitive emails primarily belonging to US Special Operations Command, responsible for special forces ops.

  • Concentration & competition: Three weeks after a ransomware attack at Ion Markets, global markets still face disruption and rely on workarounds to compile weekly trading activity reports. Technology and automation have aided efficiency and allowed businesses like Ion to scale, but regulators are increasingly concerned over concentration risk. Will resilience, as well as consumer choice, become a critical decision in the regulatory approval of mergers and acquisitions?

  • We interrupt our scheduled programming: Virgin Media Television, which broadcasts five free-to-air channels in Ireland, has warned of programming disruption following an “unauthorised attempt to access our systems,” with a spokesperson telling The Record that it wasn’t a ransomware attack.

  • File transfer: CISA has added IBM Aspera Faspex’s CVE-2022-47986 (9.8/10) to its list of known exploited vulnerabilities. On-premise file transfer apps are becoming a bit of a target for attackers, with cybercriminals targeting others like Accellion (vol. 4, iss. 6) and GoAnywhere (vol. 6, iss. 6) as a way into organisations. These types of app help organisations that transfer large volumes of data and, by their nature, need to sit on an organisation’s perimeter. In the case of Aspera, The Record notes that it won an Emmy in 2014 for enabling faster video workflows. Perhaps Virgin Media Television is a customer?

Interesting stats

2,363 victims of double extortion ransomware attacks in 2022, according to an analysis of leak sites conducted by Outpost 24, which also showed 34% of these attacks were conducted by one group, LockBit.

520,000 distributed denial of service (DDoS) attacks against Microsoft’s global infrastructure in 2022, an equivalent of 1,435 on average each day, according to the company.

$18.5 billion venture capital funding to cyber security companies in 2022, down from $30.3 billion in 2021, according to research by Momentum Cyber.

$8.8 billion reported lost by Americans to fraud in 2022, across 2.4 million reports, and representing a 30% increase on 2021 (itself up 70% on 2020), according to the FTC.

80% of the top 40 Google Play Store apps have discrepancies between their privacy policies and app ‘nutrition labels’ describing their data collection and processing activities, says Mozilla.

4 days was the average time taken to complete a ransomware attack in 2021, compared with an average of 2 months in 2021, according to IBM.

Other newsy bits

  • Signal fire: Messaging app Signal would ‘exit the UK’ if the Online Safety Bill passes in its current form and requires the company to weaken its end-to-end encryption (E2EE), says CEO Meredith Whittaker.

  • What are you defending? DNA testing firm DNA Diagnostic Center (DDC) will pay $400,000 to settle a case brought by the states of Ohio and Pennsylvania after a breach in 2021 exposed the data of 21 million US citizens. DDC didn’t realise that it held the data and had ignored alerts from its managed service provider over suspicious activity. “Negligence is not an excuse for letting consumer data get stolen,” said David Yost, Ohio Attorney General.

  • TikTok: The European Commission has banned TikTok from its devices, citing ‘security concerns’. Parent company ByteDance has promised to open data centres in Europe (and the US) to address data sovereignty concerns. Wired looks at the push to outright ban the Chinese-owned social network. (Spoiler alert: it’s geopolitics, not privacy.)

  • Home truths: The NSA has released tips on securing your home network. Lots of common sense stuff in here (patching your OS; use antivirus software) but also some that are perhaps a bit more of a stretch with consumer-grade equipment, such as segregating your main, guest and ‘IoT’ wireless devices. (PDF)

  • Lessons learned: Cryptocurrency exchange Coinbase has a write-up of a recent social engineering attack it caught from an attacker linked to 0ktapus. As well as phishing credentials, the attacker called the Coinbase staffer posing as the company’s IT support desk. No customer funds were accessed.

  • Ransomware: LockBit has claimed responsibility for an attack against the water company supplying Portugal’s second-largest city, Porto. Fruit and vegetable producer Dole has confirmed a ransomware attack affecting systems across North America. Royal Mail says it has finally restored its international shipping systems, one month after it fell victim to the LockBit ransomware group.

  • Security vendor vulns: CVE-2023-20858 is a 9.1/10 severity vulnerability in Carbon Black App Control for Windows. The EDR vendor advises customers to patch promptly, though privileged access to the App Control admin console is needed to exploit it. Meanwhile, CVE-2022-39952 is a 9.8/10 critical vulnerability in FortiNAC, Fortinet’s network access control solution, that allows unauthenticated remote code execution.

  • Fishing expedition? Eighty-three law firms are challenging a demand from the US Securities and Exchange Commission for a firm to hand over a list of clients affected by Chinese state-sponsored attackers. The SEC says it’s investigating potential insider trading, while the law firms are pushing attorney-client privilege and alternative routes for the investigation.

  • US Cyber strategy: An upcoming White House cyber security strategy document will “[shift] the burden” of cyber security to larger companies to build products and services secure by design.

  • War games: The UK won the Defence Cyber Marvel 2 (DCM2) cyber warfare exercise in Estonia this week. Seventeen countries participated in the West’s ‘largest cyber exercise’, which simulated attacks and tactics used by Russia in its invasion of Ukraine.

  • Investment: The UK government announced an £18.9 million investment for a ‘Cyber-AI hub’ in Belfast, Northern Ireland. Eight organisations, including Nvidia, will participate and be located at the Centre for Secure Information Technologies (CSIT).

  • Fundraising: Sublime has raised $9.8 million for their platform, which will allow customers to share and adopt rulesets in a crowdsourced model; Israeli firm Chain Reaction has announced a $70 million Series C round to expand its team designing chips to reduce energy consumption and speed up cryptographic computations; and finally, big congratulations to CyberSmart on a £12.75 million ($15.4 million) Series B for its cyber security and insurance solution for small and medium-sized businesses. (Cydea is a CyberSmart partner)

  • Acquisitions: Wavenet has acquired penetration testing firm Fidus Information Security.

And finally

  • Uncrop: A note on the hazards of cropping images: some tools allow viewers to undo the crop and reveal information you may want to conceal, plus thumbnails in metadata may have cached the original image.

  • Cost to serve: Broader tech, rather than cyber-specific, but Alphabet’s Chairman John Hennessy told Reuters that ChatGPT-style natural language queries will cost Google 10x as much to serve to users. Presumably, significant efforts will be underway to reduce that — or shift it to the end client — though it leaves me wondering what the typical premium is on AI-powered security tools, too?
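Added example for the Uncrop item (mine, not from the newsletter or any tool it mentions): a stdlib-only Python check for the second hazard described, whether a JPEG still carries an Exif IFD1 thumbnail after cropping. It walks only the JPEG segment and TIFF IFD structure, not image data, and the sample JPEG and thumbnail bytes are constructed inline.

```python
import struct
EXIF_HEADER = b"Exif\x00\x00"

def build_exif_app1(thumbnail: bytes) -> bytes:
    """Constructed test data: big-endian Exif APP1 with an empty IFD0 whose next pointer leads to IFD1."""
    ifd1_off = 8 + 2 + 4                    # TIFF header, then IFD0 = entry count + next-IFD pointer
    thumb_off = ifd1_off + 2 + 2 * 12 + 4   # IFD1 = count, two 12-byte entries, next-IFD pointer
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + struct.pack(">HI", 0, ifd1_off)
    tiff += struct.pack(">H", 2)
    tiff += struct.pack(">HHII", 0x0201, 4, 1, thumb_off)        # JPEGInterchangeFormat (type 4 = LONG)
    tiff += struct.pack(">HHII", 0x0202, 4, 1, len(thumbnail))   # JPEGInterchangeFormatLength
    tiff += struct.pack(">I", 0) + thumbnail                     # no further IFD, then the thumbnail
    payload = EXIF_HEADER + tiff
    return b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload

def iter_segments(data: bytes):
    """Yield (marker, payload) for each JPEG segment up to SOS; metadata always precedes the scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # length field counts itself
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == 0xDA:                                       # SOS: entropy-coded data follows
            return
        pos += 2 + length

def find_embedded_thumbnail(data: bytes):
    """Return the Exif IFD1 thumbnail bytes (the cached pre-crop image), or None if absent."""
    for marker, payload in iter_segments(data):
        if marker != 0xE1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        e = ">" if tiff[:2] == b"MM" else "<"                   # TIFF byte order
        ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
        n0 = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
        ifd1 = struct.unpack(e + "I", tiff[ifd0 + 2 + 12 * n0:][:4])[0]   # IFD0's next-IFD pointer
        if ifd1 == 0:
            return None                                          # no IFD1, so no thumbnail directory
        n1 = struct.unpack(e + "H", tiff[ifd1:ifd1 + 2])[0]
        entries = [struct.unpack(e + "HHII", tiff[ifd1 + 2 + 12 * i:][:12]) for i in range(n1)]
        tags = {tag: val for tag, _typ, _cnt, val in entries}    # thumbnail tags are LONG: val is inline
        if 0x0201 in tags and 0x0202 in tags:
            return tiff[tags[0x0201]:tags[0x0201] + tags[0x0202]]
    return None

THUMB = b"\xff\xd8" + b"\x00" * 16 + b"\xff\xd9"   # constructed stand-in for the pre-crop thumbnail
CROPPED_WITH_THUMB = b"\xff\xd8" + build_exif_app1(THUMB) + b"\xff\xd9"   # "cropped" but Exif kept
STRIPPED = b"\xff\xd8" + b"\xff\xd9"                                       # Exif removed
```

Run `find_embedded_thumbnail` over a file before sharing it: a non-None result means the original image is still recoverable from metadata, so re-export without Exif.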
