Robin’s Newsletter #274

This week

Lots of ransomware this week, coinciding with the UK NCSC and NCA publishing a white paper on the ransomware, extortion and cybercrime ecosystem. Worth a read. 

Save the Children was attacked by the BianLian ransomware group

• Save the Children International has confirmed a ransomware attack against “part of [their] network”. The charity, which has supported over 1 billion children since being founded in 1919, says there has “been no operational disruption”.
• The BianLian ransomware group has claimed responsibility for the attack and claims to have made off with 6.8TB of data, including HR, financial and medical data.
• The charity is working with external specialists and says it’s “confident in the ongoing integrity of our IT infrastructure”.
• I agree that BianLian needs to be punched in the face.

MGM Resorts and Caesars International 

• MGM Resorts appear to have been pretty comprehensively pwned by the ransomware group: websites and online reservations at properties were unavailable, ATMs and slot machines in casinos weren’t working, and reports of room keys were no longer working. How much of that was precautionary, and how much was the direct result of attackers actions is unclear. ]
• The attack is being attributed to the Scattered Spider group, who Mandiant believe are fluent English speakers operating from the US, UK or Europe and “are very good at research”. The threat group is known for the social engineering IT support desk at its victims. In an unverified interview, people claiming to be part of the group claimed that the original intent of the attack was to manipulate slot machines, in an attack that wouldn’t be out of place in an Ocean’s Eleven style heist movie.
• Later reports suggested that the cybercriminals had managed to gain access to and encrypt more than 100 ESXi hypervisors that run the company’s IT systems.
• In a separate incident, Caesars Entertainment says its customer loyalty database was stolen. In an ‘8-K’ filing (required when a US public company suffers an event likely to have a material effect on their business), Caesars said personal data of a “significant number of members” was stolen, including driving license and Social Security numbers. 
• The hotel and casino firm is rumoured to have paid half of the $30 million demanded by the attackers in exchange for not releasing the information as part of “steps to ensure that the stolen data is deleted by the unauthorized actor”. 
• ALPHV, of which Scattered Spider is believed to be an affiliate, has claimed responsibility for the breach at Caesars.
• Threat intelligence firm Dynarisk claims to have seen around 100 account details for staff at both MGM and Caesars being traded on a Telegram channel on 1st September.

Sri Lanka investigating ransomware incident

• Sri Lanka’s national CERT is investigating a ransomware attack on the government’s email system. Around 5,000 email accounts were affected, with attackers believed to have compromised via an out-of-date Microsoft Exchange 2013 server.
• Backup servers were also compromised during the incident, believed to have occurred in May but only discovered in August. That lengthy intrusion and discovery doesn’t quite match the characteristics of a typical ransomware attack, though it could chime with data instead of disruption extortion.

Interesting stats

12% of Fortune 100 companies specifically disclose cyber security or privacy as a consideration in determining executive pay in 2023, up from  0% in 2018, according to analysis by EY.

Other newsy bits / in brief

• Over 12,500 Greater Manchester Police officers are being warned that their personal data was compromised in the same breach that affected London’s Metropolitan police (vol. 6, iss. 36). Cybercriminals obtained the names, ranks, serial numbers and photographs appearing on officers’ warrant cards during an attack on UK firm Digital ID, which makes identity cards for firms.

• Australian Federal Police (AFP) has confirmed that details of its officers, stolen in the breach of HWL Ebsworth by ALPHV/Blackcat in April this year (vol. 6, iss. 26), has been published on the dark web.

• Personal data of 3,200 Airbus vendors has been published on a leak site. The attack explained they’d gained access to the information by compromising an employee at Turkish Airlines who had third-party access to Airbus’ systems.

• Trucking services are being disrupted in the US after fleet management and driver tracking company ORBCOMM suffered a ransomware attack. Truckers are only allowed to use paper logs to track their hours for eight out of every thirty days, and the US regulator has had to issue a waiver so that operations can continue.

• It’s always DNS: Payments business Square says that an outage this week was the result of “making several standard changes” that “prevents out systems from properly communicating”. Changes to their DNS configuration meant internal support tools also stopped working, exacerbating and prolonging response to the incident on Thursday that wasn’t resolved until early Friday. There is “no evidence”, the firm says, that the outage resulted from a cyberattack.

• Retool, who suffered a breach recently, says deepfakes and multi-factor authentication tokens synchronised by Google exacerbated the incident.

• The Associated Press agency is warning customers of its AP Stylebook about phishing attacks against users following a data breach. While details of only 224 user accounts were compromised, they present attractive targets to actors seeking access to journalists and media outlets.

• Hundreds of thousands of businesses using Facebook Messenger are being targeted by Vietnamese cybercriminals every week, according to Guardio Labs. Around 1-in-70 of accounts targeted with phishing messages and malicious attachments are compromised, giving the attackers access to their Facebook business accounts to use for other fraudulent and criminal activities.

• MalwareBytes says that Google Ads are being used to spread a malicious version of Cisco’s Webex video conferencing software. Thanks to a loophole in how Google handles adverts, the official ‘webex.com’ domain is shown on the ad, which is in the #1 spot when searching Google for “webex”.

• Online ads are also the distribution mechanism for a new Israeli spyware solution dubbed Sherlock, according to an investigation by the newspaper Haaretz. The technology can allegedly compromise Microsoft Windows, Google Android, and Apple iOS devices. Using advertising as a distribution channel allows the same targeting mechanisms to be repurposed to go after groups of targets with the same characteristics favoured by marketers.

• Iranian group ‘Peach Sandstorm’ (APT33; Elfin) has been using password spraying and exploitation of Soho ManageEngine and Atlassian Confluence to compromise satellite, defence, and pharmaceutical organisations “around the globe” this year, say Microsoft.

• Symantec says that an espionage group called Redfly compromised and has been operating within the electricity grid of an Asian country for six months. The ‘ShadowPad’ malware used in the attack was previously linked to China and was used against the Indian power grid last year.

• Microsoft is set to phase out third-party printer and scanner drivers. Starting in 2025, no new drivers will be accepted to Windows Update and in 2026, Windows will default to its built-in universal Internet Printing Protocol (IPP) driver. Printer drivers and software have often been full of proprietary, poor quality, or ‘bloatware’, and threat actors have used such drivers (signed by Microsoft) in their attacks.

• California state legislatures have progressed a bill providing a centralised mechanism for individuals to request data brokers delete their data.

• Investments, mergers & acquisitions: AuthMind has raised an $8.5 million seed round for its identity security solution that uses network data flows to build context about an organisation’s identities. Digital forensics and incident response outfit Binalyze has announced a $19 million Series A funding round to ‘react to market conditions’ and ‘rapidly scale’. Patronus AI, founded by former Meta AI experts, launched a service to evaluate large language models and announced a $3 million seed round.

And finally

• WiKI-Eve: A paper from Chinese and Singaporean researchers claims to be able to infer numbers typed into smartphones by analysing beam forming feedback information (BFI) data used to improve signal strength between devices and wireless access points. Moving your fingers and tapping the on-screen keyboard disrupts the beam-forming signals. Machine learning models can achieve an accuracy rate of 88% for numeric-only and 40% for alphanumeric input.