This week
Montana bans TikTok
- TikTok has been banned by the US state of Montana over ‘national security’ concerns. I think this is pretty dumb: both technically and legally, with restrictions being easy to circumvent and any ban difficult to enforce given the lack of control or monitoring that the state has over Internet access. Moreover, this type of ban is performative rather than a scalable or sustainable solution to the problem (perceived or otherwise).
Ransomware as activism?
- Activism is how one ransomware group is casting its activities. After encrypting victims’ files, they “simply ask” that victims “make a donation to a non-profit that we approve of” before suggesting “you can probably get a tax deduction and good PR” from what it calls a ‘donation’. The group, called MalasLocker, targets users of the Zimbra collaboration tool. The group has claimed almost 200 victims since April.
Capita breaches continue to escalate
- Capita’s data breach woes are getting worse as five more local councils say their data was put at risk by the outsourcer’s mismanagement of cloud infrastructure. Coventry, Adur and Worthing in West Sussex, Rochford District and South Staffordshire have variously described the incidents as a “serious data breach,” “belatedly informed,” and that the “full extent of the issue is not yet fully known.” Meanwhile, Marks and Spencer, Diageo, Unilever and Rothesay have all confirmed that their pension schemes, operated by Capita, may have been compromised. A statement from M&S said a “large proportion” of scheme members may be affected. The growing scale of those affected stands in stark contrast to Capita’s claims that “less than 0.1%” of its server estate was impacted (vol. 6, iss. 17).
Interesting stats
1.7 million app submissions were blocked for privacy, security or content policy violations in 2022, and $2 billion of fraudulent transactions were prevented by Apple’s App Store team.
10x less likely for abandoned Google accounts to have multi-factor authentication enabled, opening the door to account takeovers, so the company will begin deleting these accounts after two years of inactivity.
400 Naira (87¢) an hour paid to a worker in Lagos, Nigeria, to operate ‘hundreds’ of virtual profiles on dating apps in catfishing scams.
Other newsy bits / in brief
- Black Hat Asia: Two researchers from the UK’s University of Birmingham demonstrated two attacks against Supermicro motherboards using modified firmware. One lowered the voltage levels to defeat protections around Intel’s Secure Enclave, while the other caused an over-voltage situation that caused the permanent failure of the Xeon CPUs plugged into the motherboard. Gaining information from the Secure Enclave could be useful for espionage purposes, while being able to ‘brick’ CPUs could allow attackers to cause havoc within victim organisations.
- US authorities have indicted Russian national Mikhail Matveev, aka Wazawaka and Boriselcin, for his role as a “central figure” in the Hive, LockBit and Babuk ransomware operations. Matveev has claimed responsibility for the attack against Washington D.C. police (vol. 4, iss. 18) and is also suspected to have ties to Conti, who attempted to ransom the country of Costa Rica (vol. 5, iss. 18). Sanctions against Matveev accompanied the indictment and a $10 million bounty for information leading to his arrest or conviction.
- UK GDPR updates (the Data Protection and Digital Information (DPDI) bill) raise concerns following the removal of clauses over police use of live facial recognition.
- CISA’s responsibilities may be extended after Congress passed bills that would see satellites, open-source and cyber reservists fall within the agency’s scope.
- Vesuvius, the UK industrial ceramics manufacturer, says that its February (vol. 6, iss. 7) cyber security incident will cost the company £3.5 million.
- PharMerica, one of the US’ largest pharmacy companies, has confirmed that attackers accessed the personal data of 5.8 million people. PharMerica detected suspicious activity in March 2023 and has recently begun notifying affected individuals. The stolen data includes patients’ names, dates of birth, health insurance, Social Security and medication information.
- The Philadelphia Inquirer, the third longest-running newspaper in the US, was unable to print following a ransomware attack. The last time operations were disrupted for multiple days was a blizzard in January 1996.
- RA Group is the latest of five new cybercrime gangs to emerge since the end of 2021 leveraging the leaked Babuk ransomware source code. Cisco Talos reports that RA Group claims to have compromised four victims and stolen 2.5TB of data across the financial services and defence sectors.
- Researchers at Blackberry say that Cuba Ransomware is a front for Russian government attackers targeting Ukrainian military and local government organisations. However, others are less certain: while targeting seems driven by national interests or espionage purposes, the group could have been co-opted or be moonlighting.
- Samsung address space layout randomisation (ASLR) in its Android 11, 12 and 13 handsets can be bypassed, according to CISA, because sensitive information is included in log files.
- FIN7 is back and using Clop ransomware to carry out attacks, according to Microsoft (who tracks the group as Sangria Tempest in its new naming scheme).
- BianLian ransomware tactics and indicators of compromise have been documented in a joint alert from the FBI, CISA and the Australian Cyber Security Centre. Mitigations include limiting the use of RDP, disabling command-line and scripting permissions, and restricting PowerShell to the latest version.
- Mustang Panda, a Chinese state APT group, has developed malware to turn small office and home routers into a botnet for it to hide its network traffic, according to Check Point.
- PyPI is pausing new users and projects due to a high volume of malware being submitted to the package management system. npm packages have been caught serving up TurkoRAT for the last two months.
- ZIP: There was some contention around Microsoft’s practice of scanning the contents of password-protected ZIP files for malicious files this week (it’s not a new practice). Google’s offering of .zip domains also raised concerns that this could be used to fool users into running commands on Windows that would launch a browser. While true, this misses that similar domains, such as .sh (Saint Helena / shell script), .pl (Poland / Perl script) and even .com (executable file), have long existed.
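The .zip point above is that a host name whose last label reads like a file extension is ambiguous to a reader, and that .com, .sh and .pl have always had the same property. The following is an added example, not code from the newsletter: a small scanner that pulls host-like tokens out of free text (an email body, a chat export, a proxy log) and flags those whose top-level domain collides with a file extension. The TLD list, the regex and the sample message are constructed for this example; running it shows that a naive “block anything ending in .zip” rule also catches ordinary .com traffic, and that a bare token such as `report.zip` cannot be told apart from a host without more context.

```python
import re
from collections import Counter
from typing import Optional

# Constructed for this example: top-level domains whose final label also reads
# as a common file extension. .zip and .mov were added by Google in 2023;
# .sh, .pl and .com have existed for decades.
FILE_LIKE_TLDS = {"zip", "mov", "sh", "pl", "com"}

# Matches an optional http(s) scheme followed by a dotted host name. A bare file
# name such as "report.zip" matches too: that ambiguity is the point of the item.
_HOST_RE = re.compile(
    r"(?i)(?P<scheme>https?://)?"
    r"(?P<host>(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})\b"
)


def file_like_tld(host: str) -> Optional[str]:
    """Return the TLD if it looks like a file extension, else None."""
    tld = host.rsplit(".", 1)[-1].lower()
    return tld if tld in FILE_LIKE_TLDS else None


def flag_file_like_hosts(text: str) -> list:
    """Find host-like tokens in text whose TLD collides with a file extension.

    Each finding records whether the token carried an explicit scheme; a token
    without one could equally be an attachment name or a host name.
    """
    findings = []
    for m in _HOST_RE.finditer(text):
        host = m.group("host").lower()
        tld = file_like_tld(host)
        if tld is None:
            continue
        findings.append({
            "host": host,
            "tld": tld,
            "explicit_url": m.group("scheme") is not None,
            "span": m.span("host"),
        })
    return findings


def tld_counts(text: str) -> Counter:
    """How many flagged tokens fall under each file-like TLD."""
    return Counter(f["tld"] for f in flag_file_like_hosts(text))


# Constructed sample message mixing attachment names, URLs and an e-mail address.
SAMPLE = """Please review quarterly-results.zip before the call.
Download from https://updates.example.zip/latest and backup.sh is attached.
Regards, team@example.com, see https://www.example.com/help"""

if __name__ == "__main__":
    for f in flag_file_like_hosts(SAMPLE):
        kind = "url " if f["explicit_url"] else "bare"
        print(f"{kind}  .{f['tld']:<4} {f['host']}")
    print(dict(tld_counts(SAMPLE)))
```

The `explicit_url` field is the useful signal for a mail filter or a detection rule: a scheme-prefixed .zip host is unambiguously a link, whereas a bare token is best left to the user or to the attachment scanner. Because .com is on the list, the counts also make the newsletter’s argument concrete: the legacy collision produces far more hits than the new TLDs do.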
- Belkin has backtracked over not providing a patch for the ‘end of life’ WeMo Mini Smart Plug V2. The devices were launched in 2019, and the vulnerability stems from giving the device a name longer than 30 characters, which causes a buffer overflow and allows the injection of remote commands.
- A University of Maryland study found that mobile phones seized by police were being auctioned off without being wiped. Photos of identity documents, targets for scams and communications between sex workers and their clients were all found on a sample of devices that the researchers purchased from one of the leading auction sites for civil forfeiture.
- iSpoof creator Tejay Fletcher has been jailed for running a site that allowed fraudsters to impersonate companies and con victims out of more than £100 million. Fletcher received a 13-year prison sentence for his role, which prosecutors say netted him £2 million personally. Data from Action Fraud show 4,785 people reported scams averaging £10,000, rising to, in one case, £3 million.
- M&A: IBM has announced it’s purchasing cloud data management outfit Polar to integrate into its Guardian unit. Tel Aviv-based Entro has announced a $6 million seed round for its platform that helps with credential, certificate and API key management.
And finally
- HP, hot on the heels of an update blocking non-HP ink cartridges over ‘security concerns’ (vol. 6, iss. 20), has bungled a firmware update that is bricking its OfficeJet Pro 9020e printers.