This week
NCSC, NIS warn over Lazarus supply-chain attacks as more details come to light
- The UK National Cyber Security Centre (NCSC) and South Korea’s National Intelligence Service (NIS) released a joint advisory on North Korean software supply chain attacks this week.
- Supply-chain attacks are a favourite of the Lazarus group right now, with hundreds of millions of dollars stolen from cryptocurrency companies earlier this
- The advisory goes on to warn of attacks against MagicLine4NX, an authentication system widely used in South Korea.
- Also this week, Microsoft said that it believes North Korea is behind a compromise at Taiwanese software company CyberLink. You may be scratching your head trying to work out why you know that name: CyberLink’s products include the PowerDVD player that came bundled with many early computer DVD drives. The company makes an attractive supply-chain target, having shipped over 400 million apps. The “LambLoad” malware was included in a modified installer file hosted on the company’s legitimate update servers.
Australia’s cyber security strategy 2023-30 published
- Australia’s cyber security strategy 2023-30 was published this week, with a vision of becoming a “world leader in cyber security by 2030”. Six ‘shields’ are set out to protect Australian citizens and businesses:
- Strong businesses and citizens — includes support for small businesses to strengthen their posture and deter threat actors from attacking Australia
- Safe technology — standards for IoT and safe adoption of AI
- World-class threat sharing and blocking — a ‘whole of economy’ threat intelligence network
- Protected critical infrastructure — CNI regulation and government security improvements
- Sovereign capabilities — growing local talent and accelerating the domestic cyber industry
- Resilient region and global leadership — become the ‘partner of choice’ in the region
- Data retention: A review to see if existing federal data retention legislation is “appropriately balanced” is planned. Businesses in Australia have been voicing concerns that the requirement to store lots of data for an extended period makes them higher-value targets for cybercriminals, especially in the wake of the Optus and Medibank breaches.
- Ransomware: The strategy also includes plans to introduce mandatory reporting of ransomware incidents. A ban on ransom payments was considered but has not been adopted at this stage.
Interesting stats
2,620 organisations and 77 million individuals have been affected by the Clop ransomware group’s mass-compromise of Progress Software’s MOVEit Transfer file transfer software.
Other newsy bits / in brief
- Idaho National Laboratory is investigating a possible data breach after hacktivist group SiegedSec claimed to have stolen data from the US Department of Energy nuclear research facility.
- Optus outage: Kelly Bayer Rosmarin has resigned as CEO of Optus after a 6-12 hour outage on 8th November left more than 10 million customers, including 400,000 businesses, without connectivity, disrupting payment systems and train services.
- Property breaches: In the US, Fidelity National Financial, a Fortune 500 mortgage and real estate service provider, has announced a cyber security incident that was impacting its title insurance, escrow and other mortgage transaction operations. BlackCat has claimed responsibility for the FNF attack. Meanwhile, in the UK, managed service provider CTS, which serves the legal sector, reported a “service outage… caused by a cyber-incident”. Between 80 and 200 law firms are believed to be affected by the CTS outage, which is preventing some from completing new home purchases.
- London & Zurich, a direct debit collection company, has been struggling to restore customer services since a ransomware attack on 10th November, leaving some customers with ‘6-figure’ backlogs in payments.
- LitterDrifter: A USB worm written by Russia’s Gamaredon (an FSB-linked group) has been seen spreading outside Ukraine in recent months, according to Check Point. The malware, written in VBScript, spreads from device to device by copying itself to USB drives and other removable media.
- No, Nothing: Android phone maker Nothing had been hyping an app, Nothing Chats, that would bring iMessage to the platform so users could enjoy ‘blue bubbles’ in their chats with iPhone contacts. It was pulled from the Google Play Store in under 24 hours after it became clear that the app’s security was nonexistent: traffic, including authentication tokens, sent over plain HTTP; messages and media stored in plaintext; and that user data logged to multiple places were just some of the “bugs” that need fixing.
- Qbot successors: Cofense says that DarkGate and Pikabot malware campaigns use similar techniques to those of Qbot, whose infrastructure the FBI seized control of in late August (vol. 6, iss. 36).
- Mirai: Security researchers at Akamai have discovered zero-day remote code execution vulnerabilities being used to compromise routers and security cameras and infect them with Mirai malware. Akamai is not naming the vendors, as a patch is scheduled for release in December. However, one is a Japanese company producing “outlet-based wireless LAN routers” used in hotels, and the camera vendor makes around 100 IP cameras and network video recorders.
- Citrix: Admins of Citrix NetScaler appliances are being reminded to terminate all active and persistent sessions as part of upgrading to protect against the ‘Citrix Bleed’ vulnerability (CVE-2023-4966). Patching alone does not invalidate session tokens that attackers have already stolen by exploiting the vulnerability, so failing to clear sessions can let them straight back in on a patched appliance.
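As an added example (not from the newsletter, and not Citrix’s own tooling), a small POSIX shell wrapper for the post-upgrade session clean-up described above. The NetScaler CLI commands are the ones given in Citrix’s mitigation guidance as recalled by the editor, and the `nsroot` user and the management host argument are assumptions; check the vendor article for your firmware build before running it.

```shell
#!/bin/sh
# Added example: post-upgrade session invalidation for CVE-2023-4966 ("Citrix
# Bleed"). Upgrading alone leaves already-stolen session tokens valid, so every
# existing session on the appliance must be killed once the new build is running.
# The NetScaler CLI lines below are recalled from Citrix's mitigation guidance;
# the nsroot user and the host argument are assumptions for this illustration.

# Emit the NetScaler CLI commands, one per line, so they can be reviewed or
# piped into an SSH session.
citrix_bleed_session_kill_commands() {
    cat <<'EOF'
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions
EOF
}

# Number of commands in the list, used as a sanity check before shipping them.
count_commands() {
    citrix_bleed_session_kill_commands | wc -l | tr -d ' '
}

# Run the list against one appliance over SSH (assumed management user nsroot).
# Run this only AFTER the upgrade has completed, otherwise sessions can simply
# be harvested again from the still-vulnerable build.
run_on_netscaler() {
    host="$1"
    citrix_bleed_session_kill_commands | ssh "nsroot@$host"
}

# Usage: ./citrix_bleed_cleanup.sh <netscaler-management-ip>
# With no argument the script only defines the functions above.
if [ -n "$1" ]; then
    run_on_netscaler "$1"
fi
```

After running it, `show aaa session` on the appliance should come back empty; if sessions reappear immediately, something is still authenticating with old tokens and is worth a closer look.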
- Pwn cloud: Open source project ownCloud is warning of three critical vulnerabilities that can disclose administrator credentials and expose sensitive data.
- OpenCart: El Reg has a brief history of the open source shopping cart’s less-than-ideal security practices and profanity-laden contributions from its lead developer, following a recent vulnerability submission by a researcher. Given the attitude on display, if you’re a user, you might want to consider an alternative.
- Cookie changes: The UK Information Commissioner’s Office (ICO) has written to the UK’s top websites warning of enforcement action if they do not make it as easy to ‘reject all’ as ‘accept all’ cookies.
- Corruption: Yurii Shchyhol, head of Ukraine’s State Service of Special Communications and Information Protection (SSSCIP), and his deputy Victor Zhora have been fired in a crackdown on corruption. Allegedly the pair were involved in a scheme to buy cyber security software for Ukrainian agencies at an inflated price and pocket the difference, which amounted to $1.2 million between 2020 and 2022.
And finally
- First do no harm: Vikas Singla, former COO of Securolytics, has pleaded guilty to deliberately attacking two hospitals and using the breaches as examples in his sales presentations.