Robin’s Newsletter #285

3 December 2023. Volume 6, Issue 49
Iranian attack on US water facility. Chinese espionage group in Netherlands chip maker for years. US

I got a lovely message from a subscriber this week:

“Thanks to Robin’s newsletter I’ve become more and more interested in Cybersecurity and I’ve gone from doing IT Support as my main job, to now landing a SOC Analyst role”

Congrats on your new role!

I always love to hear from you. Feedback, tips and other messages are always very welcome (or just hit reply).

This week

Iranian group compromises Pennsylvania water facility

  • A group linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) gained unauthorised access to a remote water station belonging to the Municipal Water Authority in Aliquippa, Pennsylvania. The remote system alerted the company, who switched the station to manual operation. The breach did not affect the water supply to the 7,000 local residents.
  • In an interview with local media, Matthew Mottes, chairman of the water company, said that the group who called themselves the “Cyber Av3ngers” did not gain access to “anything in our actual water treatment plant”. 
  • The attackers displayed an image reading, “You have been hacked. Down with Israel. Every equipment ‘made in Israel’ is a Cyber Av3ngers legal target.” The plant uses programmable logic controllers from Unitronics, a publicly traded Israeli company. CISA has issued a warning to the broader water sector over the exploitation of Unitronics PLCs.
  • Iran’s intent here may be to create friction for businesses that use Israeli-manufactured systems, discourage their use, and exaggerate the results of its own actions.
  • A second attack this week, on a Texas water company, was attributed to DAIXIN, a ransomware group. The group stole 33,844 files and the company’s phone systems remained offline, but water and wastewater services were again unaffected.

Chinese espionage group was in security chip maker for 2.5 years

  • Phish & Chips: NXP, a Netherlands-based chipmaker, was compromised by a Chinese espionage group, who remained undetected for over two years.
  • The ‘Chimera’ group intrusion, which occurred between 2017 and early 2020, was detected by a third party with network connections to the company. NXP — which makes chips which end up in NFC transit cards (like London’s Oyster), FIDO2 security keys, and iPhones — has remained tight-lipped about the incident, with only a passing mention in a 2019 annual report (where “investigation [was] ongoing”).
  • Understanding how security chips work and their potential weaknesses would be of obvious interest to an espionage-focused national intelligence agency.

Interesting stats

$107 million in ransom payments have been made to the Black Basta ransomware gang since early 2022, according to Elliptic and Corvus Insurance

£1.1 million ($1.39 million) spent by Gloucester City Council to recover from a ransomware attack in December 2021. The ICO reprimanded the council in England for failing to have logging or monitoring in place to aid the investigation of the “sophisticated” attack, which turned out to have started with a spear-phishing email.

Other newsy bits / in brief

  • Incident updates: DP World, whose Australian subsidiary had to suspend operations recently due to a cyber security incident, has confirmed that data was stolen, but that no ransomware was used. DP World resumed normal service on 17th November and the backlog of 30,000 containers was cleared by 30th November. 23andMe has disclosed that personal data of around 0.1% (roughly 14,000 people) of its customer base was accessed by attackers in October (vol. 6, iss. 41). Okta confirmed this week that attackers ran and downloaded a report containing data belonging to “all Okta customer support system users”. Initially (vol. 6, iss. 44), the firm said only 1% of customers had been affected. Fortunately, for over 99% of customers, the exposed data may extend only to full names and email addresses; however, even that gives the attackers a great list of potential super-administrators at Okta customers.

  • Poem poem poem: Asking ChatGPT to repeat the word “poem” forever results in it spitting out parts of its training data. Around 5% of the output obtained through this data extraction attack is believed to be verbatim training data, often scraped from the internet. Meanwhile, in related news, a stock-trading AI engaged in simulated insider trading despite knowing that it was ‘wrong’.

  • LogoFail: Vulnerabilities in a common BIOS image parser can enable attackers to bypass secure boot systems and inject malicious UEFI firmware or bootkits. “[We] are dealing with continued exploitation with a modified boot logo image,” the researchers said in a blog post, “triggering the payload delivery in runtime, where all the integrity and security measurements happen before the firmware components are loaded.”

  • NameDrop: I’ve seen quite a few hysterical posts on social media about a new feature for Apple devices called NameDrop that allows users to share their contact information. TL;DR: It’s safe, and you don’t need to reshare the posts. The posts seem to stem from local US police forces, who may not have understood the technology or how it works, and caused panic that brushing past someone would be enough to steal their personal information. To transfer contact information you have to bring the phones within a couple of centimetres of each other (much as you would exchange a business card) and then press a button after a second or two to exchange information. You can turn it off if you want, but equally, you may “pay no attention to the police” because you won’t be exchanging details with random passers-by on the street, bus or train.

  • OK Google, where are my files? Google has acknowledged an issue for some users of Google Drive for Desktop, where users’ files have been going missing. While the problems are investigated, Google is encouraging users not to disconnect accounts or delete local data caches. ‘The cloud’ is often seen as resilient file storage that removes worries about single copies of files on individual disks; however, it can’t be relied upon to prevent accidental or malicious file deletion, so separate backups still matter.

  • Ukraine says that it has compromised Russia’s Federal Air Transport Agency (Rosaviatsia) and stolen documents showing how Western sanctions have brought Russia’s civil aviation to “the verge of collapse”. This is an interesting combination: an offensive cyber operation carried out to provide data for an information warfare campaign.

  • Windows Hello: Security researchers have managed to bypass biometric authentication on the fingerprint sensors built into popular Dell, Lenovo ThinkPad and Microsoft Surface Pro devices. Microsoft has developed the Secure Device Connection Protocol (SDCP) to handle comms with hardware where trust is essential, though its adoption seems to be poor (or entirely lacking on Microsoft’s own device), meaning that “any USB device can claim to be the ELAN sensor (by spoofing its VID/PID) and simply claim that an authorized user is logging in,” according to researchers Jesse D’Aguanno and Timo Teräs. The Dell device did properly implement SDCP, but only in Windows and, as fingerprints are stored on-chip, booting into Linux to enrol another fingerprint allowed them to use that print to authenticate to Windows.

  • Ongoing Operations, an IT provider, has suffered a ransomware attack impacting around 60 credit unions across the US. The recent Citrix vulnerability is believed to have been exploited to gain access to the IT provider’s infrastructure. The same vulnerability is suspected of causing a similar breach of UK legal tech provider CTS.

  • Aerospace: LockBit has claimed an attack against India’s National Aerospace Laboratories and threatened to publish stolen data if the state-owned research lab doesn’t pay up. Earlier this year, the Japan Aerospace Exploration Agency (JAXA) was compromised, and attackers gained access to the agency’s Active Directory (AD) server. Access to the AD server would probably give access to lots of sensitive technology and data.

  • Ardent Health, who run 30 hospitals in the US states of Oklahoma, New Mexico, and Texas, had to close emergency rooms over the Thanksgiving weekend (last weekend) due to a ransomware attack.

  • Automotive parts manufacturer Yanfeng has suffered a ransomware attack at the hands of the Qilin group. The Chinese parts company supplies General Motors, Volkswagen Group, Ford, BMW, Toyota and many more. ‘Just in time’ manufacturing is popular in the auto industry, and earlier this month, Stellantis (which owns the Fiat, Chrysler, Jeep and Dodge brands) was forced to suspend production at its North American plants as a result of a cyberattack at one of its suppliers (presumably Yanfeng).

  • Games developer Gellyberry Studios suffered a ransomware attack on their MMORPG title Ethyrial: Echoes of Yore this week, wiping data and backups for 17,000 early access players. The studio is manually recreating user profiles and attempting to restore game progress for its customers, having chosen not to pay the ransom demands. The comms and response are pretty decent: explaining what happened, taking responsibility, what improvements are being made and how customers will be ‘made whole’.

  • Almost two million employees of US discounter Dollar Tree and Family Dollar have had their personal information stolen after a breach at a third-party supplier called Zeroed-In.

  • Secure AI: The UK and US, along with seventeen other international partners, have published guidelines for secure AI system development. Common cyber security concepts, such as threat modelling, asset management, supply chain, incident management and system monitoring, all feature in the voluntary guidelines (PDF).

  • Sanctions: The US government has issued sanctions against North Korea’s ‘Kimsuky’ cyber-espionage group. The group, which US officials believe operates as part of the Reconnaissance General Bureau (RGB), the country’s primary intelligence agency, is tasked with gathering intelligence, particularly in support of the country’s nuclear programme. North Korean groups have increasingly turned to cybercrime to help fund their activities and these sanctions will make it more difficult for the attackers to get payment from their victims.

  • Law enforcement: This week Europol says that international collaboration led to raids on thirty properties in Ukraine and the arrest of five individuals, including the leader and four of their “most active” accomplices. The group used ransomware from LockerGoga, MegaCortex, Hive, and Dharma to attack organisations in over 71 countries and is believed to be behind the attack on Norsk Hydro (vol. 2, iss. 12). Also, a Russian national has pleaded guilty to charges around their involvement in developing the TrickBot malware. Vladimir Dunaev now faces up to 35 years in prison for the two offences.

And finally
