This week
BUSTED: Two Lapsus$ group members found responsible by UK jury
Arion Kurtaj, 18, from Oxford in the UK, and a 17-year-old who cannot be named have been found to have committed cyberattacks against BT, Okta and Grand Theft Auto developer Rockstar Games.
The pair were arrested, along with five others, in March 2022 (vol. 5, iss. 13) following a chaotic spree of attacks against high-profile victims, with the group swinging between seeking notoriety, financial gain, or amusement. They used social engineering tricks to access accounts and pivot within targeted organisations.
As reported by the BBC, Kurtaj is autistic, and psychiatrists deemed him not fit to stand trial, so he did not give evidence and the jury was asked to determine if he did or did not commit the alleged acts, rather than finding him guilty or not guilty.
The US Cyber Safety Review Board recently published a report (vol. 6, iss. 33; PDF) into the group’s methods.
Interesting thinking
- Budget season: Phil Venables shares some thoughts on the discussions to have and levers you can pull when agreeing on cyber security budgets.
- What are you defending? Related to budgeting, yours truly explaining why this question is core to having ‘enough security’ during a panel discussion at the SPHERE23 conference in Helsinki earlier this year.
- Cyber security sauna: Also from SPHERE23, I was a guest on the podcast sweating the hot topics alongside Forrester’s Laura Koetzle and host Janne Kauhanen. We had an excellent chat about putting security outcomes first, in an actual sauna! Listen on Spotify, Apple Podcasts, or YouTube.
Interesting stats
5 days, the median dwell time in the first half of the year, down from 9 days in 2022 for ransomware threat actors, according to Sophos. Most ransomware attacks occur overnight.
29% of 18-34-year-olds have received unwanted sexual or romantic propositions after giving their personal information to a business, according to research conducted by Savanta on behalf of the UK Information Commissioner. Perhaps more importantly for businesses… 5% of the public (and therefore your potential employees) believed that this was ‘morally right’, despite it being illegal.
Other newsy bits / in brief
- BabakovLeaks: A Ukrainian group calling itself Cyber Resistance has leaked 11GB of emails allegedly belonging to the deputy chairman of Russia’s parliament, Alexander Babakov. The email trove, which suggests corrupt dealings and attempts to avoid Western sanctions, may be legitimate and part of a growing number of leaks or doctored as part of the ongoing information war.
- Cloud evaporation: Ransomware attackers encrypted the production infrastructure and backups of hosting companies CloudNordic and Azero. While it seems the attacker did not exfiltrate data before encryption, CloudNordic says that all website and email data is gone, and they won’t be able to restore it.
- DuoLingo user data, scraped from the site sometime before January 2023 (vol. 6, iss. 5), has been leaked on a forum. The data set, affecting 2.6 million DuoLingo users, was previously being sold for $1,500.
- Data scraping was the topic of a joint statement from twelve data protection and privacy authorities (PDF) this week too. It reminds “[in] most jurisdictions,” that publicly accessible personal information “is subject to data protection and privacy laws.” It sets the expectation that social media companies should protect personal data from unlawful data scraping in several ways, including monitoring for unusual activity, rate-limiting access and taking legal action against those misusing their services.
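Two of the controls the joint statement names, monitoring for unusual activity and rate-limiting access, are easy to sketch against ordinary web access logs. The script below is an added example, not code from the newsletter or from the authorities’ statement: it assumes a constructed log format (`<ISO timestamp> <client> <method> <path> <status>`), a hypothetical `/users/<id>` profile URL scheme, and a constructed sample log containing one ordinary visitor and one client walking profile IDs in sequence. It applies a sliding-window limit per client and separately counts runs of sequential profile IDs, which is the kind of enumeration pattern a rate limit alone can miss when the scraper stays under the threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log format: "<ISO timestamp> <client> <method> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
# Hypothetical profile URL scheme used by the sample site
PROFILE_RE = re.compile(r"^/users/(\d+)$")


def build_sample_log():
    """Constructed sample: a normal visitor plus one client walking /users/1..25 in 24 seconds."""
    base = datetime(2023, 8, 25, 10, 0, 0)
    lines = []
    for i, path in enumerate(["/users/1042", "/search?q=news", "/users/88"]):
        ts = (base + timedelta(seconds=i * 15)).isoformat()
        lines.append(f"{ts} 198.51.100.7 GET {path} 200")
    for n in range(1, 26):
        ts = (base + timedelta(seconds=n - 1)).isoformat()
        lines.append(f"{ts} 203.0.113.9 GET /users/{n} 200")
    lines.sort()  # interleave by timestamp, as a real log would be ordered
    return "\n".join(lines)


def parse(log_text):
    """Yield (timestamp, client, path, status); lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, path, status = m.groups()
        yield datetime.fromisoformat(ts), client, path, int(status)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any trailing `window_seconds`."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = timedelta(seconds=window_seconds)
        self.hits = defaultdict(deque)  # client -> timestamps of allowed requests

    def allow(self, client, ts):
        q = self.hits[client]
        while q and ts - q[0] >= self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def analyse(log_text, limit=20, window_seconds=60):
    """Per-client counts: total requests, requests the limiter would block,
    and requests whose profile ID is exactly one more than the client's previous one."""
    limiter = SlidingWindowLimiter(limit, window_seconds)
    stats = defaultdict(lambda: {"requests": 0, "blocked": 0, "sequential_ids": 0})
    last_id = {}
    for ts, client, path, _status in parse(log_text):
        s = stats[client]
        s["requests"] += 1
        if not limiter.allow(client, ts):
            s["blocked"] += 1
        m = PROFILE_RE.match(path)
        if m:
            pid = int(m.group(1))
            if client in last_id and pid == last_id[client] + 1:
                s["sequential_ids"] += 1
            last_id[client] = pid
    return dict(stats)


def flagged_clients(stats, run_threshold=10):
    """Clients that either hit the rate limit or enumerated at least `run_threshold` IDs in order."""
    return sorted(
        c for c, s in stats.items()
        if s["blocked"] > 0 or s["sequential_ids"] >= run_threshold
    )


if __name__ == "__main__":
    report = analyse(build_sample_log())
    for client, s in sorted(report.items()):
        print(client, s)
    print("flagged:", flagged_clients(report))
```

With the sample log, the ordinary visitor is never throttled and shows no sequential run, while the enumerating client has five of its 25 requests blocked by the 20-per-minute limit and a run of 24 consecutive IDs, so it is the only client flagged. In practice the window and thresholds would be tuned per endpoint, and the sequential-ID signal would be keyed on whatever identifier the site exposes.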
- St Helens Borough Council in England has suffered a suspected ransomware attack. A spokesperson said it’s unclear if any personal data was taken, while internal council systems are affected “due to the actions we have put in place to prevent any further impact”.
- Pôle emploi, the French agency responsible for unemployment benefits, has suffered a data breach at a supplier that affects 10 million individuals.
- FTX and BlockFI have suffered a data breach after advisory firm Kroll suffered a ‘data incident’ and lost the personal data it was processing for the bankrupt cryptocurrency firms.
- Tesla says that its May data breach affecting 75,000 staff was the result of “insider wrongdoing”.
- Barracuda email security gateways are still being compromised, according to the FBI, who say the patch addressing CVE-2023-2868 is “ineffective”. The vendor recommended ripping and replacing affected devices (vol. 6, iss. 24) that were targeted by suspected Chinese nation-state affiliated threat actors.
- A previously unknown group that Symantec is calling Carderbee is targeting Hong Kong organisations with versions of the PlugX malware, signed using a legitimate Microsoft certificate. Carderbee injected the malware into the Cobra DocuGuard software in a supply-chain attack.
- The Akira ransomware group is targeting Cisco VPN products for initial access into victims’ networks, especially those without multi-factor authentication, according to Aura. It’s unclear if the attackers are buying credentials, brute forcing passwords, or exploiting an unknown vulnerability.
- Ivanti’s products keep getting popped. This week, another vulnerability has come under attack, this time in the company’s Sentry product. A patch is now available to address the issue, tracked as CVE-2023-38035 (9.8/10 severity).
- Spyware developer WebDetective, whose app has been used to compromise 76,000 Android phones, mainly in Brazil, has been compromised by hacktivists who have deleted the affected devices and removed the stolen data.
- Mergers & acquisitions: Identity management firm Cerby has closed a $17 million Series A round to manage ‘non-standard’ apps that don’t support (e.g.) account provisioning. Cypago has raised $13 million for their platform to automate governance, risk and compliance workflows.
- Dragos has signed a three-year deal with Singapore’s Cyber Security Agency to enhance the city-state’s operational technology security.
And finally
- Some sensible things: Google is testing a feature that will warn Chrome users if they have malicious extensions installed. Simple win, not sure why this wasn’t already a thing? The Mountain View headquartered company is also beginning to roll out a feature that will require two administrator accounts to approve specific security-related changes to Google Workspace tenant settings. Meanwhile, Meta will roll out end-to-end encryption by default in its Messenger product by the end of the year.
- And a seemingly less sensible but probably useful thing: Excel will let you use Python scripts in your spreadsheets. Microsoft says the code will only run on their cloud servers, without any access to local devices, networks or user tokens. This sort of thing is open to abuse if those constraints aren’t implemented effectively.