Robin’s Newsletter #268

6 August 2023. Volume 6, Issue 32
Capita breach costs rise. Microsoft under pressure for opaque security practices. Side channel attack identifies keystrokes from audio over Zoom calls
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Capita boss to stand down as breach costs mount

  • Capita says that costs relating to the cyber-attack that compromised their systems in March (vol. 6, iss. 15, 17 are now expected to be up to £25 million, up 50%-66% on previous estimates. The figure is not thought to include any penalty that the Information Commissioner’s Office may levy. The news came as Capita reported an H1 pre-tax loss of £68 million, sending shares down 12%.
  • The BlackBasta ransomware group managed to gain access to Capita’s Microsoft 365 tenant and access the data of around 90 organisations processed by the outsourcer. 
  • Capita has communicated poorly about the breach since the outset and sought to diminish the impact by referring to the attack as a percentage of its overall server estate. The Guardian reports that Capita is now “close to completing” its investigation. 
  • Chief executive Jon Lewis will stand down at the end of the year in a move the outsourcer says follows Lewis delaying his retirement, rather than ‘paying the price’ of the cyber-attack. Amazon Web Services telco vice-president Adolfo Hernandez will replace Lewis.

Microsoft seeks to downplay the damage as pressure mounts over China compromise

  • Microsoft continues to try and downplay the severity of a recent Chinese attack where a critical signing key used to authenticate users to Microsoft’s cloud services (vol. 6, iss. 29. Cloud security business Wiz, which counts many Microsoft alums in its ranks, published a report examining the unanswered questions (vol. 6, iss. 30, which Redmond has tried to dismiss as “speculative” and “not-evidence based”. Meanwhile, Senator Ron Wyden accused Microsoft of being “negligent” in a letter (PDF) to CISA and the FTC.
  • Two weeks ago (vol. 6, iss. 30), Microsoft said that it would review its pricing practices and no longer restrict access to cloud security logs behind premium price plans (something few small or medium-sized organisations, and even some government departments, can afford).
  • In a scathing blog post on LinkedIn, Amit Yoran, CEO and Chairman of Tenable, says, “the truth is even worse than you think”. Recounting his company’s experience reporting a severe vulnerability in Azure, he calls Microsoft’s response “grossly irresponsible, if not blatantly negligent”. The issue allows an unauthenticated attacker access to cross-tenant applications and the ability to steal authentication tokens. Tenable reported the problem in March, and Microsoft won’t fully fix it until September. During this time, there have been no communications with customers, who are all unaware of the risk they currently face.
  • In response to the media coverage, a Microsoft spokesperson said, “We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximised customer protection with minimised customer disruption.”

Attacks on the NHS, transport, and telecommunications listed in UK National Risk Register

  • Cyber is one of nine risk themes identified in the National Risk Register 2023 (PDF) that was released this week. The ‘NRR’ includes 89 risk scenarios that “would have a substantial impact on the UK’s safety, security and/or critical systems at a national level.” 
  • It’s the first time the public document “aligns with the structure and content” of the classified, internal assessment produced for the government. However, some scenarios are excluded on the ground of national security. It’s a good read for those in the risk and resilience spaces, especially those delivering critical national infrastructure.
  • Risk summaries are presented for cyber attacks on gas, electricity, fuel supply infrastructure, civil nuclear facilities, UK retail banking, and against the healthcare, transport and telecommunications sectors.
  • Infrastructure cyber attacks are estimated to have a 5%-25% likelihood of occurring and inflicting hundreds of millions of pounds worth of economic cost.

Interesting stats

Top 12 vulnerabilities:

  • Five-eyes cyber agencies have released a joint advisory detailing the top’ routinely exploited vulnerabilities’ from 2022. “In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities,” the advisory reads. Threat actors are taking the easy road and “targeted unpatched, internet-facing systems”, it continues.
  • Fortinet’s FortiOS, FortiProxy, and F5’s BIG-IP firewall make the list, as does Microsoft’s Exchange Server and Diagnostic Tool. Atlassian, Apache and VMWare also feature.

Other newsy bits / in brief

Investments, mergers & acquisitions

And finally

A hat-trick this week:


  Robin's Newsletter - Volume 6

  California Consumer Privacy Act California Privacy Protection Agency Connected Vehicles Capita Microsoft Side channel attacks (SCA) Phishing Google Play Dynamic code loading (DCL) Cloudzy Progress Software MOVEit MobileIron Mobile Device Management Ivanti Espionage Spyware Corrective control