This week
This week marks the fifth anniversary of this newsletter! I’m also on vacation in Canada 🇨🇦 so a reduced format, and I don’t have any updated stats on how many words I’ve written (or how many hours you tell me this saves you).
A huge thank you for subscribing, and a quick plea, to take 2 minutes out of your busy day to let me know why you subscribe and how I can improve. I appreciate you, and hope you find this relevant, interesting and useful!
In brief
- Paul Brucciani has a good summary of the Info Security Europe exhibition hall. Some big absences this year, including Sophos, Palo Alto, Fortinet, ZScaler and Google. All of them were at RSA Conference. It’s unclear how much of this is due to economic headwinds, market size, or quality of the event. Possibly, probably, a bit of all three. There were still lots of F1 cars. Crowdstrike continued to fetishise threat actors (vol. 6, iss. 18).
- California’s Public Employees Retirement System (CalPERS), the largest public pension fund in the US, is affected by the mass attacks against MOVEit file transfer systems. CalPERS manages more than $477 billion in assets for over 1.5 million current and former state employees. The Clop ransomware gang claimed responsibility for the attacks (vol. 6, iss. 24), with more and more victims coming forward.
- CyberCX says it believes Russia is behind the ‘Anonymous Sudan’ group’s denial of service attacks against Microsoft’s Outlook webmail service last week.
- A flaw in UPS Canada’s tracking system allowed attackers to obtain phone numbers and shipping data that they used to craft extremely convincing ‘smishing’ (SMS phishing) scams.
- The NCSC has some new guidance and updated threat assessment for the legal sector that firms (like HWL Ebsworth and Bryan Cave Leighton Paisner; below) should take note of.
- Interesting read on how your new car tracks you from Matt Burgess for Wired.
Interesting stats
- AU$700,000 ($474,670) per day in potential penalties facing Twitter if it doesn’t clean up harmful online content. Australia’s online safety regulator has issued a legal notice to the Elon Musk-owned social network, which has 28 days to respond.
- $1.2 million penalty for crypto-exchange bitFlyer for failing to comply with NYDFS’ cyber security regulations. The New York Department of Financial Services (“DFS”) cited multiple deficiencies at bitFlyer, observed during examinations in 2018 and 2020, including failures to conduct a risk assessment, maintain an effective cyber program, or implement a written security policy.
More newsy bits
- AlphV/BlackCat: the ransomware group has published data from a law firm that has represented Australia’s National Disability Insurance Agency. Over 3TB of data was stolen from lawyers HWL Ebsworth, with 1.1TB already posted online. The same cybercriminals also broke into community site Reddit in February and are threatening to leak the 80GB of stolen data if Reddit doesn’t back down from controversial API pricing changes. The same gang is also threatening to release photographs of plastic surgery patients it stole in a ransomware operation against Beverly Hills Plastic Surgery.
- Food giant Mondelez has warned 51,000 past and present employees that their personal information has been breached. Law firm Bryan Cave Leighton Paisner detected unusual activity on its systems back in February and, four months on, has only just given Mondelez the information needed to determine which employees were affected.
- A ransomware gang has also emailed staff and students at the University of Manchester threatening to release their personal information as the criminals try to increase pressure on university management to pay their ransom demands.
- Attackers who have gained access to a Windows system can use Cisco’s Secure Client VPN software (formerly AnyConnect) to escalate privileges to SYSTEM.
- Fortinet has fixed yet another remote code execution vulnerability, this time in its FortiNAC zero-trust solution.
- A vulnerability in Microsoft Teams allows you to tamper with the metadata on a message to make it appear as if it came from an internal source, bypassing restrictions and protections.
- North Korean group APT37 is deploying a new info-stealer malware that can record audio from victims’ microphones.
- A variant of the Mirai botnet is targeting 22 vulnerabilities in seven brands of wireless routers. The malware automatically tries to compromise devices from D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek for use in distributed-denial-of-service (DDoS) attacks.
- Joseph O’Connor, aka PlugWalkJoe, has been sentenced to five years in prison after pleading guilty to four counts of computer intrusions, wire fraud and money laundering. O’Connor, a UK citizen, was behind the compromise of many high-profile Twitter accounts in July 2020, which he used to peddle cryptocurrency scams (vol. 3, iss. 29) and which he described in court as “stupid and pointless”.
- Australian prime minister Anthony Albanese is recommending that citizens “turn your phone off every night for five minutes” to thwart malicious apps. Rebooting your phone terminates background processes and can help with mobile malware, which may not ‘persist’ in the way that it might on computers. It comes as Australia has appointed air marshal Darren Goldie as the inaugural national cyber coordinator.
And finally
- An employee of ERP software vendor SAP found a missing hard disk from the company for sale on eBay. No checks were made on staff leaving the firm’s ‘secure’ data centre, and the disk was stolen from another building at their headquarters complex in Walldorf, Germany. The disk contained the personal records of 100 employees.