Robin’s Newsletter #283

18 November 2023. Volume 6, Issue 47
Australian port operations disrupted by cyber-attack. 16 Danish CNI orgs hit simultaneously earlier this year. Ransomware group files SEC complaint.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Australian port operator back up and running after cyber-attack

  • The Australian arm of logistics giant DP World ‘pulled the plug’ on Internet access across its four ports last week after detecting an intruder on its network. With systems offline, operational technology running gates and cranes on the quayside in Melbourne, Sydney, Brisbane, and Perth were rendered inoperable. The firm handles around 40% of Australian imports and exports. 
  • Details of the threat actor are unknown, though researchers identified a Citrix server vulnerable to CitrixBleed which may have been the original attack vector.
  • The Australian Cyber Security Centre has been providing technical advice, and operations resumed on Monday. Getting through the backlog of around 30,000 containers will be hampered due to previously planned strike action by dock workers.
  • DP World joins ICBC and Allen & Overy as victims of the vulnerability in Citrix’s NetScaler ADC and NetScaler Gateway platforms, with LockBit appearing to be the common threat actor.

Sixteen Danish critical infrastructure providers were compromised in May 2023

  • Denmark’s SektorCERT, which helps protect the nation’s critical infrastructure providers from cyber-attacks, published a report this week detailing a ‘hell week’ where 16 CNI organisations were targeted
  • Zyxel published details of a critical vulnerability (CVE-2023-28771) in their firewalls a fortnight prior, which were the attackers’ entry points. On 11th May, they conducted a coordinated attack against the sixteen organisations, with a single packet sent to the vulnerable routers. Eleven companies were immediately compromised, while the remaining five, it is speculated, did not receive correctly formatted packets.
  • SektorCERT had warned about patching these devices. However, in all cases, the CNI operators had applied the patches. “Many believed that because the firewall was relatively new, it must be assumed to have the latest software,” others “mistakenly assumed that their vendor was responsible for the updates,” or had opted-out of support contracts on cost-grounds, while a final group “simply did not know they had the devices in question in their network,” the report says.
  • Having booted the attackers out of the network, a second wave of attacks occurred at the end of May, exploiting new vulnerabilities and communicating with IP addresses linked to the Russian Sandworm APT, linked to the GRU military intelligence unit. Surprisingly for me, SektorCERT is not a 24x7 operation.
  • The full report (PDF), which includes indicators of compromise and recommendations, is worth a read for those operating critical national infrastructure.
  • In the UK, this week, the NCSC warned that, while it doesn’t think actors pose the intent and capability “to significantly disrupt infrastructure within the UK,” that “we aren’t where we need to be” when it comes to CNI resilience.

Ransomware group files SEC complaint claiming victim didn’t meet notification obligations

  • New tactics: The ALPHV/BlackCat ransomware gang filed a complaint with the US Securities and Exchange Commission this week, because it says one of its victims has not complied with the four-day cyber-attack disclosure rule (though the rule in question doesn’t come into force until 15th December 2023).
  • Ransomware has always been about ‘pressure to pay’. Removing access to essential files, disrupting business operations, and, latterly, raising media awareness and threatening to leak stolen data. All of these are about ratcheting up the pressure on victims so they feel compelled to pay.
  • However, I’m not convinced that this is a sensible tactic: drawing government attention to a victim (and presumably the offer of help from associated agencies) will reduce the likelihood of ransom demands being paid and is obviously unworkable if the group in question is subject to sanctions.

Interesting stats

350 organisations have been breached by the Royal ransomware gang since September 2022, with  $275 million in ransom demands being made, according to a joint FBI/CISA advisory

Cyber Essentials scheme updates from NCSC’s 2023 annual review: 28,399 certificates awarded (+21%) 9,037 Cyber Essentials Plus certificates awarded (+55%) 80% fewer insurance claims with Cyber Essentials in place (Insurer’s data)

… also some interesting sector data, too: 

£10.5 billion (up ~3%; $13.1B) size of the UK cyber security sector, with  1,979 (up 7.7%) firms actively providing cyber products and services, employing  58,005 (up 10%) people, and exports of  £5 billion (up 20%; $6.2B) exports in 2022.

4,000 unique secrets (occurring 57,000 times) inside of  450,000 PyPI projects were found by GitGuardian

LockBit has instigated rules for affiliates of its ransomware operation following concerns over law values and frequencies of payments: 3%—10% for businesses with revenues of up to $100 million,  0.5%—5% for revenues of up to $1 billion, and  0.1%—3% for businesses with more than $1 billion in revenue. 50% is the maximum discount from the original ransom demand to be offered, according to Analyst1.

Other newsy bits / in brief 

And finally

Robin

  Robin's Newsletter - Volume 6

  “DP World" Port Logistics Denmark Critical National Infrastructure (CNI) Sandworm Zyxel Securities and Exchange Commission (SEC) Ransomware Tactics Regulatory filling Cyber Essentials Cyber sector National Telecommunication Monitoring Centre (Bangladesh) Surveillance Lawful intercept Health care Cryptomining Mirai CCTV Facial Recognition