This week
Australian port operator back up and running after cyber-attack
- The Australian arm of logistics giant DP World ‘pulled the plug’ on Internet access across its four ports last week after detecting an intruder on its network. With systems offline, the operational technology running gates and cranes on the quayside in Melbourne, Sydney, Brisbane, and Perth was rendered inoperable. The firm handles around 40% of Australian imports and exports.
- Details of the threat actor are unknown, though researchers identified a DP World Citrix server that was vulnerable to CitrixBleed (CVE-2023-4966), which may have been the initial access vector.
- The Australian Cyber Security Centre has been providing technical advice, and operations resumed on Monday. Getting through the backlog of around 30,000 containers will be hampered due to previously planned strike action by dock workers.
- DP World joins ICBC and Allen & Overy as victims of the vulnerability in Citrix’s NetScaler ADC and NetScaler Gateway platforms, with LockBit appearing to be the common threat actor.
Sixteen Danish critical infrastructure providers were compromised in May 2023
- Denmark’s SektorCERT, which helps protect the nation’s critical infrastructure providers from cyber-attacks, published a report this week detailing a ‘hell week’ where 16 CNI organisations were targeted.
- Zyxel had published details of a critical vulnerability (CVE-2023-28771) in its firewalls a fortnight earlier, and those firewalls were the attackers’ entry points. On 11th May, the attackers conducted a coordinated attack against the sixteen organisations, sending a single packet to each vulnerable firewall. Eleven companies were immediately compromised; the remaining five, it is speculated, did not receive correctly formatted packets.
- SektorCERT had warned members to patch these devices. However, in none of the cases had the CNI operators applied the patch. “Many believed that because the firewall was relatively new, it must be assumed to have the latest software,” others “mistakenly assumed that their vendor was responsible for the updates,” or had opted out of support contracts on cost grounds, while a final group “simply did not know they had the devices in question in their network,” the report says.
- After the attackers had been booted out of the networks, a second wave of attacks occurred at the end of May, exploiting new vulnerabilities and communicating with IP addresses linked to the Russian Sandworm APT, which is attributed to the GRU military intelligence agency. Surprisingly for me, SektorCERT is not a 24x7 operation.
- The full report (PDF), which includes indicators of compromise and recommendations, is worth a read for those operating critical national infrastructure.
- In the UK, this week, the NCSC warned that, while it does not think threat actors currently have both the intent and the capability “to significantly disrupt infrastructure within the UK,” “we aren’t where we need to be” when it comes to CNI resilience.
Ransomware group files SEC complaint claiming victim didn’t meet notification obligations
- New tactics: The ALPHV/BlackCat ransomware gang filed a complaint with the US Securities and Exchange Commission this week, because it says one of its victims has not complied with the four-day cyber-attack disclosure rule (though the rule in question doesn’t come into force until 15th December 2023).
- Ransomware has always been about ‘pressure to pay’: removing access to essential files, disrupting business operations, and, latterly, raising media awareness and threatening to leak stolen data. All of these ratchet up the pressure on victims so they feel compelled to pay.
- However, I’m not convinced that this is a sensible tactic: drawing government attention to a victim (and presumably the offer of help from associated agencies) will reduce the likelihood of ransom demands being paid and is obviously unworkable if the group in question is subject to sanctions.
Interesting stats
350 organisations have been breached by the Royal ransomware gang since September 2022, with $275 million in ransom demands being made, according to a joint FBI/CISA advisory.
Cyber Essentials scheme updates from NCSC’s 2023 annual review: 28,399 Cyber Essentials certificates awarded (+21%), 9,037 Cyber Essentials Plus certificates awarded (+55%), and 80% fewer insurance claims from organisations with Cyber Essentials in place (insurer’s data).
… and some interesting sector data, too:
£10.5 billion (up ~3%; $13.1B) is the size of the UK cyber security sector, with 1,979 (up 7.7%) firms actively providing cyber products and services, employing 58,005 (up 10%) people, and exports of £5 billion (up 20%; $6.2B) in 2022.
4,000 unique secrets (occurring 57,000 times) inside of 450,000 PyPI projects were found by GitGuardian.
LockBit has instigated rules for affiliates of its ransomware operation following concerns over low ransom values and payment frequencies: 3% to 10% for businesses with revenues of up to $100 million, 0.5% to 5% for revenues of up to $1 billion, and 0.1% to 3% for businesses with more than $1 billion in revenue. 50% is the maximum discount from the original ransom demand to be offered, according to Analyst1.
Other newsy bits / in brief
- Intelligence failure: Bangladesh’s National Telecommunication Monitoring Centre, a national communications intelligence and lawful intercept agency, appears to have left a database containing large volumes of sensitive personal data exposed to the Internet. Attackers claim to have stolen all the information, which includes 120 different indexes and substantial amounts of “who, what, how, and when” metadata, before wiping the database and demanding a $360 payment not to release the information (seems low to me, but perhaps it’s intended to initiate dialogue).
- Key recovery: Researchers from the University of California, San Diego have shown that RSA private keys used to authenticate SSH and IPsec connections can be recovered passively when naturally occurring computational errors corrupt a signature during connection setup. The vulnerability only affects keys using the RSA algorithm. In their paper (Passive SSH Key Compromise via Lattices), the authors demonstrate that they were able to recover the private halves of 189 key pairs from historical Internet scan data collected over the last seven years. They also acknowledge that modern OpenSSH and OpenSSL implementations implement the countermeasure of validating signatures before they are sent, and that OpenSSH has deprecated the affected ssh-rsa signature scheme since 2021.
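The core mechanism behind the key recovery, as an added, constructed example (not code from the paper, OpenSSH or OpenSSL): an RSA-CRT signer computes the signature separately mod p and mod q and recombines the halves; if one half is corrupted, the resulting signature is still correct modulo one prime and wrong modulo the other, so gcd(s^e − m, n) hands a passive observer a prime factor. The paper needs lattice techniques because, in SSH, part of the signed message is unknown to a passive observer; the example below shows the simpler known-message variant (Boneh–DeMillo–Lipton / Lenstra) and the check that stops it. Names such as `RsaKey`, `sign_crt`, `recover_factor` and `safe_sign` are assumptions for this example, the key is a small demo key generated in-script, the message is a plain SHA-256 hash with no PKCS#1 padding, and the fault is simulated as a single bit flip in the mod-p half.

```python
"""Added example: RSA-CRT fault attack on a signature, and the self-check that prevents it.

Constructed demonstration only; not code from the paper, OpenSSH or OpenSSL.
"""
import hashlib
import random
from dataclasses import dataclass
from math import gcd
from typing import Optional


def is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin primality test; adequate for a demo key, not for production."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top and low bit
        if is_probable_prime(cand, rng):
            return cand


@dataclass(frozen=True)
class RsaKey:  # hypothetical container: public (n, e) plus CRT private parameters
    n: int
    e: int
    p: int
    q: int
    dp: int
    dq: int
    qinv: int


def keygen(prime_bits: int = 512, seed: Optional[int] = None) -> RsaKey:
    """Demo RSA key with CRT parameters. `seed` is for reproducibility only;
    a real key must come from a CSPRNG (SystemRandom is used when seed is None)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    e = 65537
    while True:
        p, q = gen_prime(prime_bits, rng), gen_prime(prime_bits, rng)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            break
    d = pow(e, -1, (p - 1) * (q - 1))
    return RsaKey(n=p * q, e=e, p=p, q=q, dp=d % (p - 1), dq=d % (q - 1), qinv=pow(q, -1, p))


def message_to_int(msg: bytes) -> int:
    """Hash only; real RSA signing also applies PKCS#1 padding (omitted here)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign_crt(key: RsaKey, m: int, fault: bool = False) -> int:
    """RSA-CRT signature with Garner recombination. fault=True simulates a single
    bit flip in the mod-p half, i.e. a computational error during signing."""
    s_p = pow(m, key.dp, key.p)
    s_q = pow(m, key.dq, key.q)
    if fault:
        s_p ^= 1  # corrupt only the mod-p half; the result stays correct mod q
    h = (key.qinv * (s_p - s_q)) % key.p
    return s_q + h * key.q


def recover_factor(n: int, e: int, m: int, s: int) -> Optional[int]:
    """Passive attacker: from the public key, the signed value and one observed
    signature, gcd(s^e - m, n) is a prime factor iff exactly one CRT half was faulty."""
    g = gcd((pow(s, e, n) - m) % n, n)
    return g if 1 < g < n else None


class FaultDetected(Exception):
    pass


def safe_sign(key: RsaKey, m: int, fault: bool = False) -> int:
    """The countermeasure the paper credits to modern OpenSSH/OpenSSL: verify the
    signature before releasing it, so a faulty value never reaches the wire."""
    s = sign_crt(key, m, fault=fault)
    if pow(s, key.e, key.n) != m:
        raise FaultDetected("signature failed self-check; not sent")
    return s


if __name__ == "__main__":
    key = keygen(256, seed=7)  # small, reproducible demo key (constructed)
    m = message_to_int(b"SSH2_MSG_KEXDH_REPLY (constructed sample)")
    print("good signature leaks factor:", recover_factor(key.n, key.e, m, sign_crt(key, m)))
    faulty = sign_crt(key, m, fault=True)
    print("faulty signature leaks factor:", recover_factor(key.n, key.e, m, faulty) in (key.p, key.q))
```

A correct signature yields gcd 1 and leaks nothing; a single faulty half yields the other prime directly, after which the full private key follows. Note that `safe_sign` costs one public-key operation per signature, which is why the self-check is cheap enough to be standard.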
- Ransomware remediation costs: Rackspace’s bills from an incident in December 2022 have reached $11 million, with cyber insurance covering half. Royal Mail says recovery from its ransomware attack in January will cost £10 million ($12.4M).
- Electric vehicle manufacturer Rivian took to Reddit to apologise to customers for a software update that ‘bricked’ some cars, which will require towing to a service centre for repair. The cause? “fat finger[ing]” the build to include incorrect security certificates.
- Samsung UK disclosed a data breach this week involving a third-party application it used in its online store between July 2019 and June 2020.
- Health care continues to be a target: during the first three weeks of August, McLaren Health Care suffered a breach in which sensitive personal and health information of 2.2 million patients was compromised. The Michigan-headquartered company operates 13 hospitals, employs 28,000 people and had revenues exceeding $6 billion in 2022. Also in August, ‘B2B pharmacy platform’ Truepill was compromised and lost the names, demographic details, medications and prescribing physicians of over 2.3 million people. Between the end of March and the beginning of May 2023, Perry Johnson & Associates (PJ&A), a medical transcription service provider, exposed the data of over 8.9 million patients. At the same time, the US Centers for Medicare & Medicaid Services (CMS) lost details of over 330,000 individuals when the Cl0p ransomware group compromised its MOVEit file transfer appliance.
- Global Tel*Link, a company that provides phone services to US prisons, has settled with the Federal Trade Commission over a breach of 650,000 people’s personal data, which it had copied to an insecure cloud environment for testing. The company took nine months to issue any notifications, and even then only notified 45,000 individuals, all the while bidding for new contracts and claiming never to have been breached.
- A tablet for kids comes pre-installed with malware and out-of-date software. The Dragon Touch KidzPad Y88X has been pulled from shelves by Walmart.
- Pattern recognition: Chinese CCTV vendor Hikvision has been tied to a contract to develop a video surveillance system for the Chinese government that would allow the identification of ethnic minority students, such as Muslims fasting during Ramadan. China is accused of committing human rights violations against Muslim minorities, especially the Uyghur population in Xinjiang province.
- Vulnerabilities: VMware Cloud Director appliances running version 10.5 are vulnerable to a critical, as yet unpatched authentication bypass (CVE-2023-34060); a workaround is available, and fresh installations of 10.5 are unaffected. Fortinet is warning of a critical command injection vulnerability (CVE-2023-36553) in the FortiSIEM report server.
- Industry news: Vulnerability management company Vulcan Cyber has raised $55 million in equity financing to fund product development and expansion into new markets. Vulcan says it has over 200 customers, including 60 that are “enterprise-sized”. SonicWall is buying US-based MSSP Solutions Granted to get into the MDR and SOC-as-a-Service game, and is promising a European-based SOC in the coming months. VC firm Ballistic Ventures is looking to raise a second $300 million fund, according to regulatory filings.
And finally
- Cryptomining: A court in Poland discovered a cryptomining operation running under its floors and through ventilation ducts. The mining rig had an independent Internet connection, so its traffic did not traverse the court’s network. An IT provider has had its contract terminated.
- Long read: Andy Greenberg’s The Mirai Confessions tells the story of how three young hackers broke the Internet and then went to work for the FBI.