This week
‘Unprecedented’ joint public appearance of Five Eyes intelligence chiefs to warn over Chinese espionage
- Intelligence chiefs from the Five Eyes alliance appeared in person, together, for the first time this week. The inaugural Emerging Technology and Securing Innovation Security Summit, held at Stanford University, aimed to increase awareness and allow networking between the spooks, business leaders and entrepreneurs.
- FBI director Christopher Wray hosted Ken McCallum, head of MI5; Mike Burgess, head of the Australian Security Intelligence Organisation; David Vigneault, director of the Canadian Security Intelligence Service; and New Zealand Security Intelligence Service chief Andrew Hampton.
- McCallum said that more than 20,000 people in the UK have been approached covertly by Chinese spies, citing a “sustained campaign on a pretty epic scale”.
“If you’re working today at the cutting edge of technology then geopolitics is interested in you, even if you’re not interested in geopolitics.” — Ken McCallum, head of MI5.
- The FT reports that China dismissed the allegations as “baseless” and “smears” from an alliance that is “accustomed to producing and spreading false information about China”.
- Speaking at a Google public sector event this week, Kevin Mandia says that China is the “one apex attacker in cyberspace”. Mandia said that “China innovates more than anybody” and added that operational security, toolkits and training improvements have seen them take the top spot from Russia, which has been seen as the top threat for around the last fifteen years.
- Google also linked the use of a vulnerability in the WinRAR archiving tool (vol. 6, iss. 15) to both Russia and China this week.
Two ransomware groups taken out
- Good news! The Ragnar Locker and Trigona ransomware gangs have both been disrupted this week! Europol seized the Ragnar Locker group’s leak site in an international operation to take down the cybercrime operation. Meanwhile a group calling itself the Ukrainian Cyber Alliance comprehensively trashed the Trigona ransomware gang’s infrastructure.
- The Europol operation, conducted 16th-20th October, saw searches in Czechia, Spain, and Latvia, while a “key target” — believed to be a developer of the group’s malware — was arrested in Paris. Ukrainian police also raided premises and seized devices. As noted by Europol, the Ragnar Locker group warned their victims not to contact law enforcement, threatening to release stolen data.
- Meanwhile, activists calling themselves the Ukrainian Cyber Alliance were busy infiltrating the systems of the Trigona ransomware group, using a recent critical vulnerability in Confluence. The UCA claim to have spent six days mapping out the criminals’ infrastructure before running steps from the cybercriminals’ own playbook and exfiltrating data from their admin panels, leak site and other internal tools. As those behind Trigona panicked, the UCA deleted and defaced their sites.
Thousands of Cisco devices compromised using 0-day vulnerability
- Security vendors VulnCheck, Censys and Orange Cyberdefense say that over 35,000 Cisco devices have been exploited and compromised by attackers using a 0-day vulnerability in the web user interface of Cisco’s IOS XE software.
- Cisco released an advisory for the ‘perfect 10’ vulnerability, tracked as CVE-2023-20198 (10/10), on Monday, along with other guidance and mitigations, while researchers claimed the networking giant downplayed the issue.
- A second patch is expected to be available today (Sun 22nd) to address a second issue, CVE-2023-20273 (7.2/10).
- The attackers behind the mass compromise are unknown. Cisco IOS XE software is used across a range of switch, router and wireless products, and the affected devices likely sit on the edge of networks, giving attackers either unauthorised access into those networks or the ability to proxy malicious traffic so that it appears to originate from various sources worldwide.
Interesting stats
>2% of admin portals use “admin” as the password, according to Outpost24, who have also published a list of the top (bottom?) 20 password choices.
$3.5 trillion, the weighted average of three scenarios modelled by Lloyd’s of London and the Cambridge Centre for Risk Studies, of the costs resulting from a major attack against a global payments system.
3 million ‘lines of customer information’ claimed to be for sale on a cybercrime forum when only ~700 customer records had been stolen, according to D-Link and Trend Micro, following an investigation into the breach.
99% accuracy achieved by researchers using neural networks to identify attacker-in-the-middle attacks against unmanned vehicles. Paper (PDF).
In case you were under any illusion that Elon Musk’s assertion, that bots and fake news outlets wouldn’t cough up $8/mo for verified status, held true… 74% of the most engaged posts on the social network spreading false or unsubstantiated narratives about the Israel-Hamas war were posted from accounts verified by X (Twitter).
Other newsy bits / in brief
- NCSC has released principles for ‘ransomware-resistant’ cloud backups — some good points for IT admins and security teams to consider about their backup arrangements.
- The International Criminal Court (ICC) says that the attack (vol. 6, iss. 37) it detected in September was an act of espionage.
- Authorities in India have raided 76 locations linked to tech support scammers. Operation Chakra-II is a nationwide crackdown targeting financial crime gangs engaged in cybercrime and fraud.
- Android phones can now scan ‘sideloaded’ apps (those installed manually from third-party sites, rather than official app stores) for malware using Google Play Protect.
- An attacker gained access to Okta’s customer support systems and stole data that could be used to break into customers’ networks, according to a post from the company’s CISO. The affected customers have been notified.
- 23andMe: An attacker has leaked 4.1 million genetic data profiles for people in the UK and Germany, as the fallout of the incident, which the company blames on its users reusing credentials, increases. Earlier this month (vol. 6, iss. 41) details of 1 million Jews were leaked. 23andMe says it’s investigating the latest post but offered no further comment on how credential stuffing attacks at this scale went unnoticed.
- Temperatures in an Equinix data centre in Singapore rose after technical issues occurred during a chilled water system upgrade last week. The temperatures caused outages at two banks, with customers of DBS and Citi Singapore unable to withdraw cash from ATMs.
- Courts in Kansas are unable to accept electronic filings or payments after their systems were taken offline following a “security incident”.
- The FBI says that cybercriminals are targeting plastic surgery clinics in the US to extort surgeons and patients.
- Unknown actors are distributing a spoofed version of an Android rocket alert app bundled with spyware. The app imitates the ‘RedAlert’ app, popular in Israel, which provides notifications of incoming rocket attacks based on location.
- Microsoft says that North Korea’s Lazarus and Andariel groups are targeting TeamCity continuous integration environments that are still vulnerable to CVE-2023-42793 (9.8/10).
- Researchers at Elastic Security have identified new malware that gives backdoor access to systems. The researchers, who have dubbed it ‘BLOODALCHEMY’, say it’s part of a suite used by the REF5961 group, which has ties to China.
- Trellix says that advanced persistent threat (APT) groups have started abusing Discord’s CDN to distribute malware and its webhook functionality to exfiltrate data, as cybercriminal gangs have done for some time. By using a legitimate service, the traffic blends in, making attribution more difficult.
- SolarWinds Access Rights Manager (ARM) has three critical remote code execution vulnerabilities. A patch released this week addresses CVE-2023-3518, CVE-2023-35185, and CVE-2023-35187 (all 9.8/10).
- Clearview AI has won an appeal against a £7.5 million GDPR fine. The UK Information Commissioner had taken enforcement action for unlawful storing and processing of facial images of UK citizens. While GDPR applies ‘extraterritorially’, Clearview’s appeal was on the grounds that this information was being used solely by law enforcement, for which an exemption exists.
- Chatting to an AI chatbot, such as ChatGPT or Bard, can reveal a lot about you — including race, location, and occupation — according to researchers at ETH Zürich. That’s because of the way the models are trained: they can compare the way you converse with the vast volumes of text that make up their training data. “This certainly raises questions about how much information about ourselves we’re inadvertently leaking in situations where we might expect anonymity,” said assistant professor Florian Tramèr.
- Keyword warrants: “no court had established that individuals have a constitutionally protected privacy interest in their Google search history,” said Colorado Supreme Court judge William W. Hood, in an opinion that allowed their use in an arson case. The ‘(reverse) keyword warrant’ allows law enforcement to request details on users that have searched for specific keywords on search engines. It’s controversial because it’s not always clear who did the searching, let alone whether it has any bearing on subsequent events. An Electronic Frontier Foundation spokesperson used examples of searching for information about guns or psychedelic drugs as poor signals that could implicate innocent people in a shooting or drug investigation.
- Finnish prosecutors have brought 30,000 counts against an attacker that compromised a Helsinki-based psychotherapy centre and then tried to ransom patients individually (vol. 3, iss. 44).
- Joe Sullivan, the former CISO at Uber, appealed his conviction on two felony charges this week. Sullivan was sentenced to three years’ probation, a $50,000 fine, and 200 hours of community service (vol. 6, iss. 19) for concealing a 2016 data breach from US regulators.
- Tim Neal-Hopes has been appointed commander of the UK’s National Cyber Force.
- Fingerprint has raised a $33 million Series C round for its fraud prevention platform, which profiles users and devices based on their hardware and exposes this to developers via an API. It’s the same kind of profiling that AdTech companies use to identify users without relying on cookies.
And finally
- The Canadian Broadcasting Corporation has (abruptly) stopped broadcasting a daily time signal. A common feature of national broadcasts over the years, a series of ‘pips’ allowed citizens to set their clocks and watches. However, modern transmission systems supporting digital or internet radio can’t guarantee the sound’s arrival time. Encoding, decoding, and buffering all play a part, meaning that while the signal can be generated accurately, it may be subject to a 2-8-second delay by the time it reaches the listener.
- Fun fact: In the UK, the time signal from The Royal Greenwich Observatory played a constant tone, which was inverted to generate the pips so that any errors could be identified quickly.