This week
Outage at Ukraine’s largest mobile operator caused by cyber-attack
- Kyivstar mobile phone and home internet services were disrupted this week following what the company described as a cyber attack. Kyivstar is Ukraine’s largest telecommunications provider, with over 24 million mobile and 1 million home internet subscribers.
- The outage may have been a deliberate move by the telco to prevent further damage. Kyivstar’s CEO, Oleksandr Komarov, told Ukrainian national television on Tuesday that “[The attack] significantly damaged [our] infrastructure,” continuing “we could not counter it at the virtual level, so we shut down Kyivstar physically to limit the enemy’s access.”
- Solntsepek, a group associated with Russia’s Sandworm threat group (GRU military intelligence Unit 74455), claimed responsibility for the attack, saying it had ‘destroyed’ 4,000 servers, a claim Kyivstar dismissed as “simply fake” on X/Twitter.
- The outage had knock-on impacts across the country, with some street lights not turning off, ATMs and card payments not working, and missile attack warning sirens being disrupted. Queues formed in Kyiv on Tuesday to buy SIM cards from Vodafone and Lifecell.
- The UK Ministry of Defence intelligence update said that the effects of the attack lasted for over 48 hours and suggested that the incident is “likely one of the highest-impact disruptive cyber attacks” on Ukraine since the invasion began.
National Grid removing Chinese components from UK electricity network
- National Grid, who operate the UK’s electricity transmission network, have begun removing components manufactured by a Chinese company over security fears.
- Nari Technology’s UK subsidiary was relatively small, with the technology present at 15 sites across the UK. National Grid is understood to have terminated its relationship with the company earlier this year following advice from the National Cyber Security Centre.
Operational impact of PSNI breach expected to cost £24M-37M
- Human impact: An official review of the Police Service of Northern Ireland’s (PSNI) August data breach, which affected 9,483 officers, has revealed the impact on staff.
- An undisclosed number of officers have chosen to relocate themselves and their families, with more being financially unable to do so. Over 50 sickness absences have been linked to the breach and safety fears.
- More than 4,000 staff have contacted the ‘threat assessment group’ set up by the force, who expect operational impact to be £24-37 million ($30-46.5 million).
Interesting reads
- Microsoft has released incident response guidance that actually looks pretty good. It’s more suited for larger organisations but covers quite a bit of ground, with a few stages, questions to ask, and pitfalls to avoid. (PS, Cydea has a template incident response plan, if you need that, too.)
Interesting stats
It’s two years since Log4J reared its head (vol. 4, iss. 50). Thankfully, the immediate consequences were largely over-hyped, but the long tail of issues lingers…
~38% of apps using the Apache Foundation’s Log4J library are using a version that’s vulnerable to security issues, according to Veracode.
10 new Android banking trojans targeted 985 banking apps across 61 countries in 2023, according to Zimperium.
Other newsy bits / in brief
- AutoSpill: Malicious apps using Android’s WebView component, which is used to render web pages within apps, could be used to capture data from password manager apps. Make sure you’ve applied OS and app updates, and most users needn’t worry.
- Google is changing how it stores users’ location history in a move that may end controversial ‘geofence warrants’ from law enforcement. Google’s announcement this week did not mention the warrants but focussed on giving users “more control” over their data, which will now be stored on their devices instead of in the cloud. Police and other agencies use geofence warrants to request details on devices and individuals based on location, starting with a net to catch anyone nearby rather than a suspected individual.
- Microsoft has seized infrastructure and websites used by a prolific cybercrime group that the company tracks as Storm-1152. The group was responsible for creating around 750 million fraudulent Microsoft accounts, which, amongst other services, it sold to generate “millions of dollars in illicit revenue”, including to the Scattered Spider group behind the attacks on MGM Resorts and Caesars Entertainment.
- Active Listening: A media company is claiming to have a product that uses conversations recorded from smart speakers and phones to target ads. It’s unclear how Cox Media Group’s (CMG) product works, or where it gets the data from. Apple devices show an icon in the top corner of the screen when the microphone is active. Amazon, Microsoft and Google did not answer 404 Media’s questions.
- TeamCity, a continuous integration platform from JetBrains, is being exploited by nation-state groups, including Russia’s foreign intelligence service and North Korea’s Lazarus and Andariel groups. Critical vulnerability CVE-2023-42793 (9.8/10) was patched in September 2023; however, around 800 servers on the Internet remain unpatched. It’s a more significant issue than it sounds because TeamCity forms part of the software development toolchain at these organisations. Gaining access to these systems potentially allows attackers to slip malicious code into the build processes of legitimate software, leveraging that access to reach everyone downstream in a cascading effect.
- Privacy: A congressional investigation has found that pharmacies in the US do not require a warrant to hand over sensitive medical records to law enforcement. Instead, the seven largest pharmacy chains and Amazon will disclose data on the back of a subpoena, which does not require approval from a judge.
- The Hunters International ransomware gang recently compromised the Fred Hutchinson Cancer Center and is now attempting to extort individual patients. The Seattle-based research and treatment centre is reported to have lost the names, social security numbers, contact information, medical history, lab results, and insurance history of more than 800,000 patients. Hunters International is believed to be a rebrand of, or related to, the Hive ransomware group.
- Toyota Financial Services is writing to customers to notify them about a data breach. During a ransomware attack last month, cybercriminals made off with data including file names, addresses, leasing/contract information and banking details. The Medusa gang behind the attack had demanded $8,000,000 for decryption keys and to not release the information.
- Ubiquiti has fixed an issue that, for around nine hours on Wednesday, caused approximately 1,200 accounts to be associated with another group, giving them access to the first group’s IP cameras.
- MOVEit: Seven million patients of Delta Dental of California had their data exposed during the mass exploitation of Progress Software’s MOVEit file transfer solution.
- Struts: Threat actors have started scanning for and exploiting a remote code execution vulnerability in Apache Struts. CVE-2023-50164 (9.8/10) was recently fixed by Apache in versions 6.3.0.2 and 2.5.33.
- Perforce has fixed a ‘perfect 10’ and three other vulnerabilities in its Helix Core Server source code management system that could allow arbitrary remote code execution as LocalSystem.
- Hive ransomware: French authorities arrested a Russian national in Paris for allegedly helping the Hive ransomware gang launder their victims’ ransom payments.
- CISA is seeking public comments on its secure configuration baseline for Google Workspace.
- The Information Commissioner’s Office (ICO) has fined the Ministry of Defence (MoD) £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021.
- Interpol has arrested hundreds of people smugglers and rescued over 150 victims from forced cybercrime operations. Operation Turquesa V targeted cyber criminals who lured workers into servitude to carry out scams and involved law enforcement from 33 countries.
- Industry news: Small business cyber security and insurance startup Guardz has closed an $18 million Series A funding round, and claims ~200 partner MSPs, working with ~3,000 SMBs and ~36,000 seats.
And finally
- Disgruntled employee: Miklos Daniel Brody, a former cloud engineer at First Republic Bank, has been sentenced to two years in prison and restitution of $529,000 for a spree of malicious acts upon being fired in March 2020. Brody’s employment was terminated for connecting a USB drive containing pornography to company computers, but he refused to return his laptop and used his access to wipe servers, delete the bank’s code repositories and log files, and impersonate and taunt other employees.