This week
Ukraine says Russia is targeting systems storing evidence of alleged war crimes
- Ukraine accuses Russian intelligence of targeting systems holding data on alleged war crimes. “Their primary objectives were to identify which evidence of Russian war crimes,” said the report from the Ukrainian State Service of Special Communications and Information Protection (SSSCIP), which continued “and exercise control over potential ground-deployed spies have our law enforcement teams”.
- The report (PDF) says that the number of cyber security incidents registered with its national CERT team doubled from H2 2022 to H1 2023; however, the number of ‘critical’ incidents fell by 81% over the same period.
- Other lessons in the report: attackers returning to previously victimised organisations have the advantage of already knowing the network architecture and being able to anticipate defenders’ response actions; and defenders’ focus on minimising detection and response times has pushed attackers towards smash-and-grab data exfiltration rather than prolonged lateral movement.
China is abusing Cisco routers to maintain persistence
- China is planting malware into Cisco routers, typically in branch offices of organisations, to enable and maintain persistent unauthorised access, according to an advisory from the Japanese and US governments. Cisco says that the Chinese threat actor only appears to have the ability to infect older models of its hardware, and compromise occurs after stealing legitimate administrator credentials, rather than by exploiting a software vulnerability. More at The Record.
UK logistics firm KNP announces insolvency, 730 redundancies, following ransomware attack
- KNP Logistics, a UK logistics company recognisable for its blue and gold liveried lorries emblazoned with Knights of Old, has declared itself insolvent this week. The company suffered a ransomware attack in June, which has contributed to the decision, and which will result in 730 redundancies. “Against a backdrop of challenging market conditions and without being able to secure urgent investment due to the attack, the business was unable to continue,” said Raj Mittal, a joint administrator.
- Thankfully this type of outcome is unusual (though that does not diminish the real-world impact on the individuals affected). As a reminder, the widely circulated statistic that 60% of businesses go bust within six months of a cyber attack has been debunked: the National Cyber Security Alliance (NCSA), its reported source, has denied any knowledge of the statistic, which “was not generated from NCSA research”.
Interesting stats
48 hours between ransomware attacks, according to the FBI, which has since July 2023 observed a trend of victims being targeted with multiple strains of ransomware in quick succession.
60,000 emails were stolen from the US State Department during the Chinese ‘Storm-0558’ compromise of Microsoft’s email platform in May this year (vol. 6, iss. 29).
Other newsy bits / in brief
- Crypto-currency company Mixin suspended transactions on its peer-to-peer network after its cloud service provider was compromised and $200 million of digital assets were stolen. Attacks against crypto-currency exchanges and other ‘decentralised autonomous organisations’ (DAOs) have become a popular choice for North Korea’s
- MOVEit: Better Outcomes Registry & Network (BORN), an Ontario-government funded healthcare organisation, has announced that the personal information of 3.4 million people (primarily newborn babies) was compromised earlier this year by the Cl0p ransomware group. Cl0p used an exploit in Progress Software’s MOVEit file transfer system to make off with data including name, address, date of birth and, depending on the type of care being provided, details of lab results, pregnancy risk factors and other medical information. In a notice on its website, BORN says, “[at] this time, there is no evidence that any of the copied data has been misused for any fraudulent purposes”.
- Johnson Controls, the heating, ventilation and air conditioning giant that employs over 100,000 people globally, has become a victim of a ransomware attack by the Dark Angels ransomware gang. The cybercrime group, believed to have started in May 2022, claims to have stolen 27TB of corporate data, encrypted the victim’s virtualisation environment, and demanded $51 million for a decryptor tool and to delete the stolen data. In an SEC filing, Johnson Controls said that many of the company’s applications remain operational but that the attack has caused disruption to parts of its business. The filing said it “is assessing whether the incident will impact its ability to timely release its fourth quarter and full fiscal year results, as well as the impact to its financial results.”
- Sony is investigating an alleged breach of “all of its systems” by a group called RansomVC. Security researchers and cybercriminals alike have shown scepticism towards RansomVC’s claims, with only a tiny sample being published and a single ‘file tree’ indicating the data may have come from a single machine. It seems that Sony has declined to pay the ransom, which is why the cybercriminals are now attempting to sell the data for $2.5 million.
- Google Bard chats are being indexed by the company’s eponymous search engine and unintentionally included in other users’ results. Google has indexed the share links, which let users pass a conversation to friends. “Bard allows people to share chats, if they choose. We also don’t intend for these shared chats to be indexed by Google Search. We’re working on blocking them from being indexed now,” said the company on X (Twitter). Meanwhile, Microsoft’s Bing Chat has been seen serving up malicious ads to users. This isn’t a new problem per se, but users may be more familiar with ads served in search results and place different trust in the more conversational nature of chatbots.
- Chrome has received a patch to address a zero-day vulnerability that a commercial spyware vendor was exploiting. The vulnerability, tracked as CVE-2023-5217, is in the VP8 video format library, so Firefox and the many other users of that library are also expected to be vulnerable. It bears similarities to the vulnerability in the WebP library fixed in September (vol. 6, iss. 37) that was used in the ‘BLASTPASS’ exploit of Apple’s iMessage for commercial spyware infection.
- Progress Software’s WS_FTP file transfer server software has a ‘perfect 10’ vulnerability: CVE-2023-40044 allows an unauthenticated (pre-auth) attacker to execute commands on the underlying operating system.
- Multiple vulnerabilities in the Exim mail server allow unauthenticated remote code execution. The open-source project and the Zero Day Initiative, which reported them, don’t appear to have handled disclosure well; the issues affect over 250,000 internet-facing mail servers.
- Side channel / GPU.zip: Interesting research from the universities of Texas, Washington, Illinois Urbana-Champaign and Carnegie Mellon on a side channel in GPU graphics-data compression: because the compression is data dependent, rendering time leaks pixel values, and the team shows the channel can be driven from a web page using scalable vector graphics (SVG) filters to read pixels of cross-origin content, on graphics cards from every major vendor tested. Full paper (PDF)
- Eon chief executive Leonhard Birnbaum has said that the German government is not doing enough to protect energy companies from cyber attacks. Eon is Germany’s largest gas and electricity distributor and operates similar networks in Sweden, Hungary and the Czech Republic. Birnbaum told the Financial Times that he believes he will be “on my own” in the event of a severe attack.
- CISA has launched a public awareness campaign encouraging Americans to improve their cyber security habits. The new Secure Our World site contains tips to improve personal and family safety online. If you’re looking for more help for families or small businesses, NCSC’s CyberAware microsite has some great tools and Get Safe Online also has lots of useful content.
- Sebastien Raoult, a French national also known as ‘Sezyo Kaizen’, has pleaded guilty to wire fraud and aggravated identity theft as part of the ShinyHunters group. The US Department of Justice says that ShinyHunters’ activity caused more than $6 million in damages, stealing data from over 60 companies between April 2020 and July 2021.
- Palo Alto Networks is allegedly in advanced negotiations to buy Israeli startups Talon Cyber Security and Dig Security for around $1 billion. Talon’s Enterprise Browser product helps instrument and protect access to web applications, while Dig’s ‘data security posture management’ platform claims real-time data protection in the cloud. Both products would expand Palo Alto’s zero-trust offerings and move away from its traditional network and endpoint security focus.
- Gem Security has announced a $23 million Series A round (hot on the heels of an $11 million seed round in February) for its cloud detection and response solution.
- Nord Security, sponsor of seemingly every tech YouTube channel, has raised $100 million from US private equity group Warburg Pincus. The money will be used to expand its product range (currently focussed on personal VPN solutions) and buy other companies.
- Nexusflow has raised a $10.6 million seed round to develop a natural-language interface to existing cyber security tools.
And finally
- Cloudflare’s cloud-based firewall and DDoS protections can be bypassed in some cases: origin servers commonly allow-list Cloudflare’s edge IP ranges, so an attacker can set up a free Cloudflare account of their own pointing at the victim’s origin and tunnel traffic into it from those same trusted Cloudflare IPs, skipping the WAF rules configured on the victim’s zone.
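The check a practitioner would want after reading the item above, as an added example that is not from the original newsletter, from Cloudflare or from the researchers: an nginx origin configuration showing the weak setting (trusting any Cloudflare edge IP) beside a hardened one. The hardened server requires a client certificate issued by a CA you control and uploaded to your zone as a custom Authenticated Origin Pulls certificate; Cloudflare’s shared origin-pull CA is not enough on its own, because an attacker’s zone presents the same certificate. A secret header added by a Transform Rule on your own zone is shown as defence in depth. Server names, file paths and the header name are assumptions.

```nginx
# WEAK: the origin accepts any connection from Cloudflare's edge ranges.
# Traffic proxied through an attacker's own (free) zone also arrives from these ranges,
# so the victim's WAF rules never see it. Two published ranges shown for illustration.
server {
    listen 443 ssl;
    server_name origin.example.com;                      # assumption
    ssl_certificate     /etc/nginx/certs/origin.crt;     # assumption
    ssl_certificate_key /etc/nginx/certs/origin.key;     # assumption

    allow 173.245.48.0/20;
    allow 103.21.244.0/22;
    deny  all;

    location / { proxy_pass http://127.0.0.1:8080; }
}

# HARDENED: keep the IP allow-list, but additionally require a client certificate
# chained to a CA you operate. The matching leaf certificate is uploaded to your
# Cloudflare zone as a custom Authenticated Origin Pulls certificate, so only pulls
# made on behalf of your zone can complete the TLS handshake.
server {
    listen 443 ssl;
    server_name origin.example.com;                      # assumption
    ssl_certificate     /etc/nginx/certs/origin.crt;     # assumption
    ssl_certificate_key /etc/nginx/certs/origin.key;     # assumption

    # Your own CA that signed the zone's origin-pull client certificate (assumption).
    ssl_client_certificate /etc/nginx/certs/zone-origin-pull-ca.pem;
    ssl_verify_client      on;

    allow 173.245.48.0/20;
    allow 103.21.244.0/22;
    deny  all;

    # Defence in depth: a Transform Rule on your zone sets this header to a long random
    # value. Requests proxied through another zone will not carry it. Header name and
    # placeholder value are assumptions; replace the secret before use.
    if ($http_x_origin_token != "REPLACE_WITH_LONG_RANDOM_SECRET") {
        return 403;
    }

    location / { proxy_pass http://127.0.0.1:8080; }
}
```

Once the hardened block is in place, confirm it rejects a direct request that lacks the client certificate (for example `curl -k https://ORIGIN_IP/ -H 'Host: origin.example.com'`, which should fail the TLS handshake), then confirm that requests via your own zone still succeed. If no public origin is acceptable at all, running the origin behind Cloudflare Tunnel removes the allow-listing problem entirely.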