Capita boss to stand down as breach costs mount
- Capita says that costs relating to the cyber-attack that compromised their systems in March (vol. 6, iss. 15, 17 are now expected to be up to £25 million, up 50%-66% on previous estimates. The figure is not thought to include any penalty that the Information Commissioner’s Office may levy. The news came as Capita reported an H1 pre-tax loss of £68 million, sending shares down 12%.
- The BlackBasta ransomware group managed to gain access to Capita’s Microsoft 365 tenant and access the data of around 90 organisations processed by the outsourcer.
- Capita has communicated poorly about the breach since the outset and sought to diminish the impact by referring to the attack as a percentage of its overall server estate. The Guardian reports that Capita is now “close to completing” its investigation.
- Chief executive Jon Lewis will stand down at the end of the year in a move the outsourcer says follows Lewis delaying his retirement, rather than ‘paying the price’ of the cyber-attack. Amazon Web Services telco vice-president Adolfo Hernandez will replace Lewis.
Microsoft seeks to downplay the damage as pressure mounts over China compromise
- Microsoft continues to try and downplay the severity of a recent Chinese attack where a critical signing key used to authenticate users to Microsoft’s cloud services (vol. 6, iss. 29. Cloud security business Wiz, which counts many Microsoft alums in its ranks, published a report examining the unanswered questions (vol. 6, iss. 30, which Redmond has tried to dismiss as “speculative” and “not-evidence based”. Meanwhile, Senator Ron Wyden accused Microsoft of being “negligent” in a letter (PDF) to CISA and the FTC.
- Two weeks ago (vol. 6, iss. 30), Microsoft said that it would review its pricing practices and no longer restrict access to cloud security logs behind premium price plans (something few small or medium-sized organisations, and even some government departments, can afford).
- In a scathing blog post on LinkedIn, Amit Yoran, CEO and Chairman of Tenable, says, “the truth is even worse than you think”. Recounting his company’s experience reporting a severe vulnerability in Azure, he calls Microsoft’s response “grossly irresponsible, if not blatantly negligent”. The issue allows an unauthenticated attacker access to cross-tenant applications and the ability to steal authentication tokens. Tenable reported the problem in March, and Microsoft won’t fully fix it until September. During this time, there have been no communications with customers, who are all unaware of the risk they currently face.
- In response to the media coverage, a Microsoft spokesperson said, “We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximised customer protection with minimised customer disruption.”
Attacks on the NHS, transport, and telecommunications listed in UK National Risk Register
- Cyber is one of nine risk themes identified in the National Risk Register 2023 (PDF) that was released this week. The ‘NRR’ includes 89 risk scenarios that “would have a substantial impact on the UK’s safety, security and/or critical systems at a national level.”
- It’s the first time the public document “aligns with the structure and content” of the classified, internal assessment produced for the government. However, some scenarios are excluded on the ground of national security. It’s a good read for those in the risk and resilience spaces, especially those delivering critical national infrastructure.
- Risk summaries are presented for cyber attacks on gas, electricity, fuel supply infrastructure, civil nuclear facilities, UK retail banking, and against the healthcare, transport and telecommunications sectors.
- Infrastructure cyber attacks are estimated to have a 5%-25% likelihood of occurring and inflicting hundreds of millions of pounds worth of economic cost.
Top 12 vulnerabilities:
- Five-eyes cyber agencies have released a joint advisory detailing the top’ routinely exploited vulnerabilities’ from 2022. “In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities,” the advisory reads. Threat actors are taking the easy road and “targeted unpatched, internet-facing systems”, it continues.
- Fortinet’s FortiOS, FortiProxy, and F5’s BIG-IP firewall make the list, as does Microsoft’s Exchange Server and Diagnostic Tool. Atlassian, Apache and VMWare also feature.
Other newsy bits / in brief
Researchers from the UK’s Durham, Surrey and Royal Holloway universities have trained a model that can determine laptop keystrokes with up to 95% accuracy (PDF). The side channel attack uses audio recorded from a smartphone and also works over Zoom at 93% accuracy. This would make it possible for third parties to identify what was being typed, including passwords or other messages, while nearby or over video calls.
Serco has disclosed a breach affecting 10,140 of its US staff after its benefits administration provider, CBIZ, was caught up in the mass-compromise of MOVEit file transfer systems.
Phishing evasion: Researchers from Cofense say that threat actors are using Google’s ‘Accelerate Mobile Pages’ (AMP) to bypass email security protections. A similar redirection service from Microsoft has also been used. Both services make the phishing URLs appear as part of google.com or microsoft.com domains, piggy-backing on the de facto trust of these companies, and are therefore more likely to evade detection as phishing links.
Apps are circumventing Google Play’s security controls by dynamically loading code into apps after approval to their app store, in an updated threat trends report that will surely not come as a shock to anyone. This “[violates] Google Play Deceptive Behaviour policy” the report says.
MobileIron: CISA is warning that state actors are exploiting vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM) software (formerly known as MobileIron Core). Gaining access to an organisation’s mobile device management platform is a boon for such threat actors as it provides control over all of those devices.
Cloud company Cloudzy may be “knowingly or unwittingly” providing a platform for multiple nation-state threat actors against the United States, say researchers at Halcyon. In their report, the security researchers identify ‘two-dozen’ groups from China, North Korea, Russia, Iran, Pakistan, and Vietnam that use Cloudzy’s infrastructure to route their command and control traffic.
Industrial control systems: Chinese state-affiliated actors are using new malware with capabilities to infect and steal data from air-gapped systems, according to Kaspersky. The method uses USB removable media to communicate and hides data for exfiltration in the ‘recycle bin’.
Patching reminder: There have been quite a few critical vulnerabilities in 0-days fixed recently in popular client software from Apple, Google and Microsoft, but it’s also been a ‘busy summer’ for enterprise vendors like Citrix, Sap and Oracle, all of whom have had 9/10+ scoring vulnerabilities. Oracle’s July Critical Patch Update Advisory says it fixes 508 vulnerabilities in its products, 57 of which can be exploited over a network without authentication. Over 600 Citrix servers have been backdoored, according to researchers from the Shadowserver Foundation.
One of the most important things that Security and IT teams can do is work to improve the frequency of patch deployments. Availability of business applications is essential, however, many vendors have got much better at fixing things while not impacting compatibility. Setting a target (and measuring your progress) to improve this jointly will stand you in good stead.
Microsoft Teams is being used by Russian government threat groups to send phishing lures and steal credentials, says Microsoft.
MMPA, a Minecraft security community, says threat actors are targeting a deserialisation vulnerability in a popular modding framework. BleedingPipe, as it is being called, can be used to take over servers, infect clients with malware and steal Discord and Steam session tokens.
Connected cars are the subject of a new investigation by the California Privacy Protection Agency. The data privacy review will seek to understand how and what consumer data is being collected by vehicle manufacturers and if this is being done so in compliance with California’s Consumer Privacy Act.
Meta is set to ask European users for permission to use their data for targeted (“personalised”) ads. It’s the result of a five-year legal battle, with the Facebook owner arguing that user’s gave permission when they signed up.
Investments, mergers & acquisitions
- Cyble, a threat intelligence provider, has announced a $24 million Series B funding round, with the investment put towards research and development.
- Socket, which aims to detect security vulnerabilities in open-source code, has announced a $20 million Series A round. Sticking with open source, Endor Labs, who focus on security within software dependencies, closed a $70 million Series A round; quite a significant investment!
- Meanwhile, bug bounty platform HackerOne is set to lay off around 12% of its 450-employee global workforce in a “one-time event”.
A hat-trick this week:
- Spyware maker LetMeSpy has confirmed a “permanent shutdown” after some gained unauthorised access to their systems and wiped all of their data, including that stolen from victim’s phones.
- Two US Navy sailors have been charged with passing classified information to China. Both have pleaded not guilty, despite one telling a fellow sailor he had been recruited for “quite obviously fucking espionage”.
- Not cyber, but an interesting example of a corrective control, NASA lost then regained contact with its Voyager 2 probe because of a system to automatically realign its antennas with the Earth.