Robin’s Newsletter #253

23 April 2023. Volume 6, Issue 17
Customer data stolen in Capita breach. 3CX was a 'cascading' supply-chain breach. UK faces 'Wagner-like' cyber threat.

Hello from San Francisco 👋🌁

On final approach over San Francisco (Credit: me)

I’m here for the annual RSA Conference — to learn some new things, see what other cyber companies are up to and catch up with friends and colleagues — if you’re around and want to grab a coffee, then drop me a line (LinkedIn, Twitter, Mastodon).

This week

Customer, supplier and colleague data stolen during Capita breach

  • Capita, a British outsourcing giant, has acknowledged it lost data during a March 2023 incident (vol. 6, iss. 15). It comes as the Black Basta ransomware crew has begun publishing data it says was stolen during the attack on its leak site.
  • The attackers reportedly had access to around 4% of its systems for approximately nine days before the interruption of some services on 31st March.
  • “There is currently some evidence of limited data exfiltration from the small proportion of affected server estate,” said the company in an update, adding that this may “include customer, supplier or colleague data”. Capita employs over 50,000 people in the UK and is a significant government supplier with over £6.5 billion of public sector contracts, including services to the NHS and MoD.
  • Incident response is fast-paced, and new data will come to light. However, Capita’s handling of the incident is facing criticism over a lack of transparency: the most recent updates contradict a previous investor note that sought to downplay the impact and cited “no evidence” of such data being compromised.

3CX was a supply-chain attack inside a supply-chain attack, says Mandiant

  • Mandiant has released a report from their investigation into the recent compromise of VOIP provider 3CX. In the report, the Google-owned incident responders attribute the attack to a financially-motivated ‘North Korean’ nexus. It also says that 3CX’s compromise was the result of a prior software supply-chain compromise of a financial trading app called X_TRADER.
  • A 3CX employee downloaded a compromised version of X_TRADER, and through this, the North Koreans could gain backdoor access before moving laterally using harvested credentials to the Windows and macOS build environments. From there, the attackers added their malware to 3CX’s applications.
  • The ‘cascading software supply chain compromise’ is a first, Charles Carmakal, Mandiant consulting’s CTO, told CyberScoop, adding “this is very big and very significant to us.”

UK faces ‘Wagner-like’ cyber threat

  • Oliver Dowden, UK Cabinet Office minister, warned attendees of the CyberUK conference that the country faces ideologically motivated, ‘Wagner-like’ Russian groups.
  • The reference to the Russian paramilitary group, labelled by the US as a “transnational criminal organisation”, is in part to highlight the “less constrained and… less predictable” nature of potential cyber-attacks against UK critical national infrastructure.
  • The threat from freelance and commercial cyber operators also featured in a threat assessment conducted by NCSC for the CyberUK conference (see below).

Interesting stats

A$3.1 billion lost by Australians to scams in 2022, up from A$2 billion in 2021, according to the Australian Competition and Consumer Commission.

62% increase in ransomware attacks in March 2023 compared with March 2022, according to analysis by NCC Group, though this is primarily attributed to a single vulnerability (in Fortra’s file transfer app) rather than being a sustained increase.

60% of phishing attacks originating from Russia in the first three months of 2023 targeted Ukraine, according to Google’s Threat Analysis Group.

Other newsy bits / in brief

  • NCSC has released a ‘data-driven cyber security’ maturity model. Data-driven cyber (DDC) is “the use of data and scientific methods to make more evidence-based decisions about cyber security”. Tackling bias and providing objective, actionable insights is a good idea, but notably absent is any mention of risk or prioritisation in the model. The maturity of scope appears to be that it becomes an ‘all-seeing eye’ across everything, everywhere, all the time. Many government organisations (the intended audience) have small teams and likely insufficient budgets. There are lots of good ideas here that are easy to get excited about, but I’m concerned it downplays the practicality and effort required for adopters and doesn’t present a case for how to measure the benefit. While I think it’s intended to augment, rather than replace, existing approaches, it could quite quickly create a cottage industry of people, processes and technology. One for a bit more digging!

  • NCSC has also released a threat assessment on the commercial cyber proliferation threat. The commoditisation of tools and the rise of commercial spyware, ‘hackers-for-hire’ and zero-day exploit marketplaces are lowering the barrier to entry and increasing the capabilities of threat actors. “The proliferation of commercial cyber capability will result in an expanding number of elements for cyber defence to detect and mitigate”.

  • The FBI, Interpol and UK’s National Crime Agency say that Meta is making “purposeful” decisions that “blindfolds” them to child sex abuse. It’s another turn in the passage of the UK’s Online Safety Bill, which pits tech company responsibilities against security and privacy. Child exploitation is an important topic that’s also a proxy for broader state surveillance hampered by the rise of end-to-end encryption in messaging apps.

  • An Australian Defence Force pilot was forced to ditch a helicopter off the coast of New South Wales because the aircraft had not been patched. A software update for the MRH-90 Taipan helicopter, which has been available for years, would have prevented the pilot from conducting the ‘hot start’ that led to the engine failure and aircraft being ditched on the beach. Ten personnel were on board, and two suffered minor injuries.

  • Microsoft has unveiled ‘Defender Threat Intelligence’, a tool for returning TI on file hashes or URLs, similar to Google-owned VirusTotal.

  • The American Bar Association has suffered a data breach of a legacy member system and had the username and salted passwords of 1.4 million members stolen.

  • The Chinese-linked APT41 group has been using an open source ‘Google Command and Control’ (GC2) project in their attacks. GC2 uses Google Sheets to issue commands and Google Drive for data exfiltration.

  • APT28, aka FancyBear, is exploiting a six-year-old vulnerability to infect Cisco routers with malware and carry out surveillance, according to a joint advisory from the UK NCSC and USA’s NSA, CISA and FBI.

  • LockBit has been testing a native macOS version of its malware, according to MalwareHunterTeam.

  • Former members of TrickBot/Conti and FIN7 have teamed up to create new malware called Domino, according to a report from IBM. The Domino backdoor performs different actions depending on whether the infected machine is joined to a Windows domain. Domain-joined machines receive a ‘more capable’ backdoor, such as Cobalt Strike; otherwise, the Nemesis infostealer is downloaded to steal data from web browsers and local applications.

  • Industry news, investment rounds and acquisitions: Avalor, which intends to act as a ‘source of truth’ for cyber assets, controls, identities and more, has raised $25 million in Series A funding to expand operations in the US and Israel. Proton, the privacy-focused email provider, has launched a password manager called Proton Pass.
