SEC charges SolarWinds CISO with fraud
- There’s been a lot of posts and chatter about the US Securities and Exchange Commission bringing charges against SolarWinds and its CISO, Timothy Brown. There’s a lot of speculation and inaccuracies floating around on social media.
- The SEC alleges that, at least from SolarWinds’ initial public offering in October 2018 through the Sunburst incident in December 2020 (vol. 3, iss. 51), the company misled investors by not disclosing known risks and by inaccurately representing its cyber security measures. It’s the first time the SEC has attempted to hold a chief information security officer personally liable.
- “SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks,” Gurbir Grewal, director of the SEC’s enforcement division, said in a statement. The SEC complaint highlights that, in October 2018, when the company filed its initial public offering, an internal presentation authored by Brown said that “current state of security leaves us in a very vulnerable state for our critical assets”, while the IPO filing only mentioned “generic and hypothetical cyber security risk disclosures”.
- Brown is also alleged to have been involved in drafting the 8-K filing submitted after the December 2020 incident, which “[failed] to disclose that the vulnerability at issue had been actively exploited against SolarWinds’ customers multiple times”.
- Other examples in the charges from internal emails, messages and presentations will be all too familiar to security teams: from comments like “[we’re] so far from being a security minded company”, to calls to make backend infrastructure more resilient, and “[t]he volume of security issues… outstripp[ing] the capacity of engineering teams”.
- Lawyers for Brown said he had acted with “diligence, integrity, and distinction” and that they “look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint”.
- There’s a lot of “CISO is a scapegoat” rhetoric, and I think it’s important to realise that in the two notable examples of this — Uber/Joe Sullivan (vol. 5, iss. 41) and this SolarWinds/Timothy Brown case — the CISO was at the ‘top table’ and they were involved in the decision making. If you are in a similar position, an incident occurs, and you have acted unethically or illegally, then yes, you should be worried. If you need advice to understand what you’re being asked to sign off on, ask for it! But, if you don’t have a seat at the top table, if you’re not making the decisions, then it will be a massive stretch for a court to find you guilty for actions demonstrably taken by others. Either way, it will get the attention of leadership in your organisation, and I think you can expect some questions from the board to come (through line management) in the coming weeks and months. Use this opportunity to communicate posture and discuss how you can improve/maintain communication on this important topic in the future.
- In the meantime, regardless of the seniority of your position, it almost certainly is your duty to accurately communicate cyber risks and the security posture of your organisation and to raise concerns if it’s being misrepresented.
Forty-nine countries vow not to pay ransomware demands
- Forty-nine countries in the International Counter Ransomware Initiative (CRI), plus the European Union and Interpol, have signed a pledge never to pay cybercriminals’ ransom demands. Members agreed that “relevant institutions under our national government authority should not pay ransomware extortion demands.” CRI members also committed to helping any other member with incident response should government or critical sectors be victims of a ransomware attack.
- Two information-sharing platforms, hosted by Lithuania and Israel/UAE, will also be used to share threat intelligence. The US Department of the Treasury will also share details of illicit crypto-currency wallets ransomware actors use.
- TechCrunch looks at sanctions against ransomware groups and concludes they are undoubtedly a step in the right direction.
Major update to spec for Common Vulnerability Scoring Standard
- FIRST (the Forum for Incident Response and Security Teams) has announced CVSS v4.0. It’s a major update to the common vulnerability scoring system used to communicate information about security issues in software and wrap them all up into a single severity score.
- A significant change is the introduction of ‘nomenclatures’ used to communicate nuances stemming from threat or environment variables. A ‘base’ nomenclature (CVSS-B) will contain the base metrics about a vulnerability, while ‘threat’ (T) and ‘environmental’ (E) metrics can be added by consuming organisations to tailor the assessment to their specific needs.
- That’s a good thing because it will allow vulnerability management solutions to better rank issues depending on, for example, user-specific confidentiality, integrity or availability requirements. It also means that, while CVSS-B scores are comparable, any CVSS-BT or -BE scores will be specific to that organisation. The FIRST user guide is also keen to emphasise that CVSS measures severity, not risk.
47% of cyber pros have had to deal with layoffs, budget cuts and hiring or promotion freezes, with 22% explicitly experiencing layoffs, and 31% expect additional cutbacks in the next year, says ISC2. It estimates that there has been 8.7% growth in the global cyber workforce to 5.5 million people. However, demand appears to be outstripping supply, with a 12.6% increase in the ‘workforce gap’, which now stands just shy of 4 million. Source: ISC2 Cybersecurity Workforce Study 2023 (PDF)
Interesting data on authorised push payment (APP) fraud from the UK’s Payment Systems Regulator, which show a huge disparity in how banks look after their customers:
94% of reported APP fraud cases were fully reimbursed by TSB, 91% for Nationwide, and 79% for Barclays, who take the top three spots by volume, with just 6% of cases raised with Monzo being fully reimbursed, putting them at the bottom with Danske Bank (7%) and AIB (12%). (Original article at The Guardian).
Other newsy bits / in brief
AI safety: Twenty-eight countries have signed The Bletchley Declaration following an AI Safety Summit hosted in the UK this week. The UK, US, EU, China, India and others agreed that AI has the “potential for serious, even catastrophic, harm”. In the United States, President Biden has issued an executive order directing AI companies to notify the US government where models pose national security risks and charging NIST to develop a framework for adversarial testing of AI models.
Okta has told 4,961 current and former employees that their personal information was compromised in a breach at Rightway Health, a third-party benefits company. Meanwhile, in an update about the recent attack affecting customers like Cloudflare, 1Password and BeyondTrust, Okta’s CSO pointed to the source of the compromise as an employee signing into their personal Google account on a work computer. As Dan Goodin points out for Ars Technica, that’s a problem with company policies and technical countermeasures, not the employee.
Safeguards Rules: The FTC has amended its ‘Safeguards Rules’ which now require non-banking financial firms to disclose cyber breaches within 30 days. The requirement applies to incidents affecting over 500 consumers, but reporting is exempted if the data is encrypted and the attackers did not gain access to the encryption key. The new rules will come into force in April 2024.
Bluetooth Low Energy (LE) has a spam problem, with researchers releasing new tools that allow pairing packets to be sent rapidly and repeatedly to nearby Android, Windows, and iOS devices, resulting in annoying and disruptive popups to victims to confirm/deny the pairing request.
Send My: Apple’s Find My network can be abused to transmit data stealthily. The network is intended to help identify and track lost items by having other Apple devices collectively help out and pass on details. This proof of concept abuses the network to pick up data from a modified USB keyboard and relay it to the recipient.
The .US top-level domain is a ‘cesspool of phishing activity’: Researchers at Infoblox say they’ve seen ‘several dozen’ domains registered every day to obfuscate malicious URLs used in phishing messages.
Chinese IoT botnet Mozi has been shut down after a ‘killswitch’ command was issued through August and September. ESET, who noticed the change, is unsure if it was the operator’s choice or if Chinese law enforcement may have instigated the shutdown.
Two libraries suffered cyber-attacks this week. The British Library’s website, catalogue and digital collections are unavailable, following a “major technology outage, as a result of a cyber incident”, that is affecting services at its sites in London and Yorkshire. The Black Basta ransomware group has attacked Toronto Public Library, which is facing similar technical outages.
Boeing says that the LockBit ransomware group has stolen sensitive data and disrupted operations at its parts and distribution business.
Insurance company Hilb Group is warning 81,000 employees that cybercriminals broke into corporate email systems at the start of 2023 and may have stolen their personal information.
Ransomware gangs: ‘Hunters International’ malware shares 60% of its code with Hive. Are they just Hive rebranded? The group claims they aren’t, saying they purchased the code from Hive’s developers. The operator of RansomVC has listed the operation for sale and almost immediately discounted the price by 20%, ostensibly because they want to avoid “being monitored by federal agencies”, but which could also be an exit scam.
Vulnerabilities: Atlassian is urging “immediate action” to avoid “significant [customer] data loss” as it fears widespread exploitation of an improper authorisation vulnerability (CVE-2023-22518). Attackers are mass-exploiting the Citrix Bleed vulnerability (CVE-2023-4966) with some estimates suggesting 20,000 instances have been compromised. F5 says a vulnerability in its BIG-IP suite (CVE-2023-46747) is being exploited less than five days after a patch was made available. NGINX has three high-severity bugs (CVE-2023-5043, CVE-2023-5044 and CVE-2022-4886) in its ingress controller that can be used to steal credentials and secrets from Kubernetes clusters. Thousands of Apache ActiveMQ installs are vulnerable to a recent remote code execution vulnerability (CVE-2023-46604; 10/10).
Leap seconds may be a thing of the past following calls to abolish the relatively frequent, if minor, adjustments in favour of letting discrepancies build up to be tackled with leap minutes. While Universal Coordinated Time (UTC) is tied to super-accurate atomic clocks, the Earth flies through space a little more erratically. Applying those changes can lead to outages and other headaches for global companies as adjustments are made in different ways and at different times.
Discord is making changes to its service to prevent its content delivery network from being used to host malicious files.
Industry news: Palo Alto Networks has confirmed that it is acquiring Dig Security for a rumoured $400 million, with the latter folding into Palo’s Prisma cloud security line of business. Log analysis firm Graylog has raised $9 million in equity and a $30 million “flex debt” facility; it says it is “close to being cash-flow positive” and serves 200,000 users across 50,000 installations of paid and open-source tools. Accenture has agreed to acquire UK digital, data and cyber consultancy 6point6, in a move to enhance strategy and architecture capabilities and boost its government business.
- Windows CE has reached end of life. From PDAs (remember the Compaq iPaqs, anyone?) to small laptops, ATMs, and a host of other embedded devices, Windows CE (or Pocket PC or Windows Mobile in some of its guises) powered them all.