Robin’s Newsletter #282

This week

Ransomware attack against China’s biggest bank

• The US arm of the Industrial and Commercial Bank of China suffered a ransomware attack this week, which disrupted trading on the US Treasuries market. The FT broke the news, and its sources say that ICBC Financial Services was forced to resort to sending trading data via USB stick to BNY Mellon to settle trades. ICBC also required a $9 billion capital injection from its Chinese parent company to cover unsettled trades.
• Security researchers believe that the LockBit cybercrime gang may be behind the attack, while a Chinese foreign ministry spokesperson told The Guardian that “ICBC has been closely monitoring the matter and has done its best in emergency response and supervisory communication,” before adding that head office and other subsidiary operations remained unaffected.
• It’s unusual to see successful attacks of this nature against financial services firms. IBCB employs over 400,000 people globally and had over $4 trillion in total assets in 2018. Having been disconnected from trading partners like BNY, they will likely need to provide significant assurances between reconnecting systems.

A busy month for LockBit operators

• Magic circle law firm Allen & Overy has suffered a ransomware attack “impacting a small number of storage servers”. The LockBit ransomware group has claimed responsibility for the attack and threatened to release files stolen from the firm on 28th November.
• LockBit also published 50GB of data that it says it stole from aerospace giant Boeing last month. 

ChatGPT outages caused by DDOS attack

• OpenAI has confirmed that outages of its flagship ChatGPT service were caused by a distributed denial-of-service (DDOS) attack. Users of the artificial intelligence chatbot received notices that the service was “at capacity” or could not log in to the service.
• TechCrunch reports seeing Telegram messages in which Anonymous Sudan claimed responsibility for the disruption. While presenting as a hacktivist group from Africa, researchers believe Anonymous Sudan to be a front for Russian state-linked activity.
• The disruption from a reflective DDOS attack — called so because the attacker spoofs requests for data, with other services ‘reflecting’ their responses to the victim’s IP address — lasted just over 24 hours. 

Sandworm behind Ukraine power outage in October 2022

• Mandiant says that Russia’s Sandworm group was behind a disruptive attack against Ukraine’s power grid in October 2022. The attack coincided with missile strikes against critical infrastructure targets in Ukraine.
• The Sandworm attackers utilised ‘living off the land’ techniques (using existing IT system administration tools), having breached an energy facility in June 2022, eventually gaining access to the operational technology environment controlling circuit breakers. In the second stage of the attack, the intruders deployed wiper malware on the IT network to delete data and render the devices unusable, delaying response and covering their tracks.
• “There’s not much evidence that this attack was designed for any practical, military necessity,” said Mandiant’s chief analyst John Hultquist. Instead, Sandworm — linked to Russia’s Main Intelligence Directorate (GRU) — appears to have been psychological.

Interesting stats

Double the number of facial recognition searches in the next year, police forces urged by UK Policing Minister.

Other newsy bits / in brief

• Signal president Meredith Whittaker and trade group TechUK’s CEO Julian David have [spoken out against the investigatory powers amendment bill]https://www.ft.com/content/b9f92f62-9895-4ff4-9e4a-659d217dc9af) announced in the King’s Speech this week, which would oblige companies to notify the UK Home Office in advance of any security or privacy features they wish to add to their platforms.

• The European Union is getting to the final stages of legislation that would allow them to intercept HTTPS connections. The electronic IDentification, Authentication and trust Services (eIDAS) will require web browser developers to include a government-approved list of Certificate Authorities — which campaigners say will make it trivial to issue fake certificates for websites and services that intelligence agencies wish to intercept traffic for — and prevent developers from being able to distrust those CA’s if they suspect or detect misuse. The Electronic Frontier Foundation says the law will roll back web security by 12 years.

• Privacy campaigner Alexander Hanff is challenging YouTube’s rollout of adblocker detection technology. Hanff asserts that YouTube’s javascript, which “gain[s] access to information stored in the terminal equipment of a subscriber or user”, violates their privacy and Article 5 (3) of the ePrivacy directive. A YouTube spokesperson highlighted that ads generate revenue for the platform’s creators and that “ad blockers violate YouTube’s Terms of Service”. 

• US mortgage company Mr. Cooper is investigating a data breach that may have affected its 4 million customers, though it believes financial and mortgage data, which a third party holds, was not affected. (H/T Tim)

• The Maine government has confirmed that 1.3 million people’s data was stolen from its systems during the mass-compromise of MOVEit file transfer appliances by LockBit earlier this year. The data includes name, date of birth, Social Security number, driver’s license or other state identification numbers, and some individuals’ medical and health insurance information. 

• Gambling: Luxury resort and casino Marina Bay Sands has disclosed a data breach affecting 665,000 of its MBS loyalty programme, including names, emails, mobile numbers and country of residence. Meanwhile, the FBI has warned that ransomware Ganges are targeting game vendors to breach casino networks. 

• Sumo Logic is advising customers of its data analytics and log analysis service to reset their API keys after discovering evidence that the firms AWS account has been compromised.

• Threat intel: Apache ActiveMQ servers are being targeted by TellYouThePass ransomware attacks as over 4,770 instances remain exposed to CVE-2023-46604, a ‘perfect 10’ critical remote code execution vulnerability. Over 2,300 Python developers downloaded ‘pyobfgood’, ostensibly a code obfuscation library containing backdoor malware that includes key logging, password stealing and data exfiltration capabilities. Users of SysAid should apply patches for CVE-2023-47246 because Cl0p ransomware gang are using the path traversal vulnerability to gain access to victim’s environments.

• Vulnerabilities: Veamm has patched four vulnerabilities in its ONE IT monitoring system, including two remote code execution vulnerabilities, CVE-2023-38547 (9.9/10) and CVE-2023-38548 (9.8/10). QNAP has published security advisories for vulnerabilities in its QTS operating system. CVE-2023-23368 (9.8/10) and CVE-2023-23369 (9.0/10) both allow command injection by remote parties.

• Industry news: Palo Alto Networks has acquired enterprise web browser company Talon Cyber Security in a deal rumoured to be valued at $625 million. (Palo Alto has spent over $1 billion acquiring Dig and Talon in the last fortnight.) Congrats to Haydn and the Risk Ledger team, who have announced a £6.25 million ($7.6M) Series A round and say the supply chain security startup is on a pathway to being profitable in the next two years. SentinelOne has announced its intention to acquire advisory firm Krebs Stamos Group for an undisclosed sum: founded by Chris Krebs, CISA’s first director, and former Facebook CSO Alex Stamos, with the pair becoming chief intelligence and public policy officer and chief trust officer respectively. Malwarebytes has renamed its business-to-business arm as ThreatDown. 

And finally

• This is a reminder that your incident response report is unlikely to be legally privileged. This time, it’s Australian telco Optus, who has lost a federal court bid to keep a report commissioned from Deloitte secret.