This week
Operation Cookie Monster: Genesis Market cybercrime forum seized by law enforcement
- An FBI-led operation with over a dozen other international partners seized control of Genesis Market, one of the world’s largest cybercrime forums. The site offered criminals access to ‘bots’ with browser fingerprints to impersonate individuals and avoid triggering multi-factor authentication and other security protections.
- Operation Cookie Monster, as it is called, resulted in coordinated law enforcement action in 15 different countries and led to 119 arrests, 208 searches and other interviews with persons of interest. The FBI gained access to Genesis Market’s user database, giving the username, password, email, messenger and account history for around 59,000 users of the site. This data also allowed individuals to be identified and targeted for arrest.
Responsible cyber power
- Responsible cyber power is the theme of a policy paper released by the UK’s National Cyber Force (NCF) this week.
- The paper acknowledges the NCF “doctrine of cognitive effect” whereby the joint GCHQ and MOD team degrades the infrastructure and operating environment of targets to “weaken their ability to plan and conduct activities effectively.” Going after the opponent’s perception is believed to be more effective than destroying the infrastructure, which may be trivial to replace.
- The paper says NCF operations are accountable, precise and calibrated, which it lists as core principles.
AI Chatbot security and privacy risk
- Chatbot risks such as ‘jailbreaking’ by giving prompts to role-play as a different chatbot or disregard guardrails, and the potential for data poisoning of the training data sets, are well recognised. But, as AI large language models gain the ability to access the web, concern is shifting to the potential for malicious actors to inject prompts into the copy on websites.
- Meanwhile, data protection regulators in France, Germany, Ireland and Norway are all closely following an Italian investigation into OpenAI’s data protection practices. Italy’s Garante believes that the ChatGPT maker has four problems under GDPR: it can’t prevent those under 13 from using the platform; it can provide inaccurate information about people; people weren’t told their data was collected; and OpenAI has ‘no legal basis’ for hoovering up large amounts of personal information from the Internet.
Interesting stats
300% increase in cyber insurance costs since July 2014, according to brokerage Howden, and referenced in the Economic Report of the President (PDF), ‘transmitted to Congress’ last month. The report (h/t @IelTop) also includes a graph of the data.
Other newsy bits / in brief
- DevOps threat matrix: Microsoft has released a threat matrix of techniques used to attack DevOps environments. Drawing from MITRE’s ATT&CK framework, it applies a DevOps lens on the stages from initial access to exfiltration to help engineering teams implement defences to protect their code pipelines.
- Gaming Twitter: Elon Musk’s social media network released the source code for its recommendation algorithm this week and an Argentine developer promptly found the reputation of accounts could be damaged “without recourse.”
- Capita has blamed an IT outage last week that affected many of its government customers on a cyber-attack. In a statement, Capita said that the cyber incident primarily impacted access to its Microsoft 365 apps. The outsourcer didn’t identify which customer services were affected.
- Western Digital are facing a suspected ransomware incident after several of the storage company’s cloud services went offline. The architecture of Western Digital’s My Cloud system means that some users are also locked out of their local copies.
- ARCO, the UK’s criminal records office, has taken its web portal offline and is “working tirelessly” to resolve a cyber security incident. The incident affected ARCO’s website between 17th January 2023 and 21st March 2023. In a statement to The Register, ARCO confirmed that it has “no conclusive evidence that personal data has been affected by the cyber security incident; however, it is only right that we inform you of the situation”.
- Tesla employees shared sensitive videos captured by customers’ vehicles and turned the footage into memes. An investigation by Reuters found that video and images were shared by workers employed by Tesla to develop its self-driving car technology. Some included accidents, including a child being hit by a car, while others were recorded inside people’s garages and included a man walking up to his vehicle naked. “We could see them doing laundry and really intimate things. We could see their kids,” said one of twelve employees interviewed for the piece.
- Ad tracking: Alcohol abuse counselling startups Momentum and Tempest shared personal information with advertisers for years. Tracking code sent personal data, including name, date of birth, email, postal address, phone numbers, insurance provider information, photo, appointment information and survey responses, to Facebook, Google, Microsoft and Pinterest platforms.
- WinRAR’s self-extracting archive (SFX) files can be used to execute PowerShell when they are unzipped, even if the contents are benign, says CrowdStrike, who have seen the technique in a recent incident response case.
- Ransomware: ALPHV/BlackCat target organisations with unpatched Symantec/Veritas Backup servers, according to Mandiant.
- Cobalt Strike: Microsoft, the Health Information Sharing & Analysis Center and Cobalt Strike maker Fortra have taken legal action to seize domains and disrupt criminals from obtaining cracked copies of Cobalt Strike.
- CAN bus: Car thieves are using hardware devices disguised as Bluetooth speakers to confuse the ‘controller area network’ (CAN) bus on cars and cause the doors to unlock and disable the engine immobiliser. Thieves can access the CAN bus through wires running to the headlights on many vehicles, such as Toyota’s RAV4, which was stolen using this technique from an automotive security researcher.
- Nexx level: 40,000 IoT devices manufactured by Nexx are subject to five vulnerabilities that allow attackers to open doors, power off appliances, and disable alarms. Owners were advised to disconnect the smart home devices because the company did not respond to approaches from the security researcher or the US Cybersecurity and Infrastructure Security Agency; however, since the story broke, Nexx has disabled all remote functionality, annoying customers in the process.
- Data deletion: Google has announced a new requirement for Google Play Store apps to offer the ability to delete accounts and in-app data. Android developers will have to provide a way for users to trigger deletion without having to reinstall the app.
- TikTok has been fined £12.7 million ($15.8M) by the UK Information Commissioner for misusing children’s data. The ICO estimated 1.4 million children under the age of 13 used the Chinese social media app in 2020 and that the company did not do enough to verify their age or enforce its rules on who can use the app.
- Law enforcement: Spanish police have arrested José Luis Huertas (aka chimichuri), who they believe is responsible for a string of high-profile data breaches and cyber-attacks.
- Fundraising: Congratulations to former colleagues at Quantexa on their oversubscribed $129 million Series E fundraising round and $1.8 billion valuation. A spinout from KPMG Studio, the firm’s internal incubator, called Cranium has raised $7 million and launched out of stealth to ‘protect AI pipelines’.
And finally
- Google Pay accidentally transferred some users between $10 and $1,000 after it botched internal testing of a rewards programme. While it reversed the transactions in many cases, for those where the user had transferred or spent the money, Google said “the money is yours to keep,” adding that “no further action is necessary.”