Robin’s Newsletter #279

29 October 2023. Volume 6, Issue 43
Five Eyes security chiefs warn of espionage threat. Two ransomware gangs taken out. Thousands of Cisco devices compromised.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

‘Unprecedented’ joint public appears of Five Eyes intelligence chiefs to warn over Chinese espionage

  • Intelligence chiefs from the Five Eyes alliance appeared in person, together, for the first time this week. The inaugural Emerging Technology and Securing Innovation Security Summit, held at Stanford University, aimed to increase awareness and allow networking between the spooks, business leaders and entrepreneurs.
  • FBI director Christopher Wray hosted Ken McCallum, head of MI5, and Mike Burgess, head of the Australian Security Intelligence Organisation, David Vigneault, director of the Canadian Security Intelligence Service, and New Zealand Security Intelligence Service chief Andrew Hampton.
  • McCallum said that more than 20,000 people in the UK have been approached covertly by Chinese spies, citing a “sustained campaign on a pretty epic scale”.

_”If you’re working today at the cutting edge of technology then geopolitics is interested in you, even if you’re not interested in geopolitics,” — Ken McCallum, head of MI5.

  • The FT reports that China dismissed the allegations as “baseless” and “smears” from an alliance that is “accustomed to producing and spreading false information about China”.
  • Speaking at a Google public sector event this week, Kevin Mandia says that China is the “one apex attacker in cyberspace”. Mandia said that “China innovates more than anybody” and added that operational security, toolkits and training improvements have seen them take the top spot from Russia, which has been seen as the top threat for around the last fifteen years.
  • Google also linked the use of a vulnerability in the WinRAR archiving tool (vol. 6, iss. 15) to both Russia and China this week.

Two ransomware groups taken out

  • Good news! The Ragnar Locker and Trigona ransomware gangs have both been disrupted this week! Europol seized the Ragnar Locker group’s leak site in an international operation to take down the cybercrime operation. Meanwhile a group calling itself the Ukrainian Cyber Alliance comprehensively trashed the Trigona ransomware gang’s infrastructure.
  • The Europol operation, conducted 16th-20th October, saw searches in Czechia, Spain, and Latvia, while a “key target” — believed to be a developer of the group’s malware — was arrested in Paris. Ukrainian police also raided premises and seized devices. As noted by Europol, the Ragnar Locker group warned their victims not to contact law enforcement, threatening to release stolen data.
  • Meanwhile, activists calling themselves the Ukrainian Cyber Alliance were business infiltrating the systems of the Trigona ransomware group, using a recent critical vulnerability in Confluence. The UCA claim to have spent six days mapping out the criminal’s infrastructure, before running steps from the cybercriminal’s playbook and exfiltrating data from their admin panels, leak site and other internal tools. As those behind Trigona panicked, the UCA deleted and defamed their sites.

Thousands of Cisco devices compromised using 0-day vulnerability

Interesting stats

>2% of admin portals use “admin” as the password, according to Outpost24, who have also published a list of the top (bottom?) 20 password choices.

$3.5 trillion, the weighted average of three scenarios modelled by Lloyd’s of London and the Cambridge Centre for Risk Studies, of the costs resulting from a major attack against a global payments system.

3 million ‘lines of customer information’ claimed to be for sale on a cybercrime forum when only ~700 customer records had been stolen, according to D-Link and Trend Micro, following an investigation into the breach.

99% accuracy achieved by researchers using neural networks to identify attacker-in-the-middle attacks against unmanned vehicles. Paper (PDF).

In case you were under any illusion that Elon Musk’s assertion that bots and fake news outlets wouldn’t cough up $8/mo for verified status… 74% of the most engaged posts on the social network spreading false or unsubstantiated narratives about the Israel-Hamas war were posted from accounts verified by X (Twitter).

Other newsy bits / in brief

And finally

  • The Canadian Broadcasting Corporation has (abruptly) stopped broadcasting a daily time signal. A common part of national broadcasters over the years, a series of ‘pips’ allowed citizens to set their clocks and watches. However, modern transmission systems supporting digital or internet radio can’t guarantee the sound’s arrival time. Encoding, decoding, and buffering all play a part, meaning that while the signal can be generated accurately, it may be subject to a 2-8-second delay.
  • Fun fact: In the UK, the time signal from The Royal Greenwich Observatory played a constant tone, which was inverted to generate the pips so that any errors could be identified quickly.

  Robin's Newsletter - Volume 6

  “Hacktism" Five Eyes China Espionage Russia Advanced Persistent Threat (APT) Ransomware Ragnar Locker Trigona Cisco International Criminal Court (ICC) Okta India 23andMe SolarWinds ClearView AI Keyword Warrants Privacy Joseph Sullivan Time Backups