Robin’s Newsletter #289

31 December 2023. Volume 6, Issue 53
Chinese group still targeting Barracuda ESGs. Kaspersky details on 'Trangulation' operation. A look back on 2023.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

I hope you’re having a peaceful and enjoyable time with family and friends. Here’s a bonus fifty-third edition to round out 2023.

This week

A few things of note from ‘Betwixtmas’:

The last year

Carly Page summarises the most significant data breaches of 2023 for TechCrunch. Fortra, Royal Mail, 3CX, Capita, MOVEit, Microsoft, CitrixBled, and 23andMe get a look-in.

I made some smart predictions for 2023. Here’s how they stood the test of one solar orbit:

1. A managed security provider will be compromised, and attackers will leverage their privileged access to compromise their customers.

Yes, kinda, half- or full- marks if you’re feeling generous.

Does Okta count? In the loose sense that they are a SaaS provider of security services. But not the original type of outsourced SOC service provider I originally had in mind. (If I missed one here, please let me know!) 

I still believe that the volume of cyber security service providers — dedicated cyber outfits or IT-managed service providers seeking to upsell opportunities — makes these an attractive target for cybercriminals.

On a side note, and around the importance of identity, and detection and response techniques: Around ten years ago — when ‘advanced SOC’ was the label de jour — I hypothesised that if SIEM were SOC 1.0, and analytics SOC 2.0, then SOC 5.0 would all be about identity and intent. When you no longer have a network, or the majority of your services (neé servers) are in the cloud and outside of your network visibility, you don’t need traditional network and device log data; you need telemetry on your identities to determine or extrapolate what their intent is. There’s still a way to go here, though, and in part, more is needed from SaaS providers to expose log data programmatically for teams to analyse. At the moment, you’re lucky if you get login/reset password events in the web portal itself, let alone as a feed. (FWIW, I think Push Security (hi Adam, Mike, Kelly et al.) is a step in the right direction, and their SaaS Attack Matrix is worth checking out if you have lots of web apps in use).

2. The number of ransomware victims will fall year-on-year.

No, they did not. (Though the percentage who pay has been falling year-on-year.)

The Record data show ~2,500 victims named on ransomware leak sites in 2022, increasing 1.6x this year to ~4,000 in 2023. Those numbers are probably way under the actual number, from those that aren’t reported or where the ransomware gangs don’t exfiltrate data or are caught before complete execution. I’m a long way off!

In 2023 we saw ransomware as activism, crime gangs misunderstanding regulation and filing SEC complaints, and mass-exploitation of vulnerabilities in Progress Software’s MOVEit file transfer solution. Through it all, we also learned that most ransomware attacks occur overnight.

That’s not to say ransomware activities haven’t been unmitigated, though: The International Ransomware Taskforce, a coalition of 36 counties and the European Union, began operations this year, multiple ransomware groups have been disrupted by law enforcement, 49 countries have vowed not to pay ransomware demands, and recently, following criminal money-laundering charges, Binance agreed to adopt US regulatory regimes and file Suspicious Activity Reports (SARs). The ‘system’ is catching up, though Russia’s absence is a hindrance through all of this.

Perhaps a better prediction would have been the percentage of victims that are paying. In 2022, data from Chainalysis show ransomware payments falling 41%. Even similar companies, events, and consequences can yield different results: MGM didn’t pay; Caesars did.

3. A wiper attack will disrupt a critical infrastructure provider and cause real-world consequences.

Yes, at least twice.

Critical infrastructure is, by its nature, a target for almost all threat groups: kiddies craving kudos, activists after awareness, criminals coveting cash, and spies seeking secrets; CNI operators must contend with the lot.

Unfortunately two national-scale attacks spring to mind from 2023: a Russian group who claimed responsibility for taking out Ukraine’s largest telco, Kyivstar; and Israeli-linked Predatory Sparrow taking out three-quarters of Iranian petrol stations.

We’re more connected and more reliant on technology than ever before. That makes the prospect of being able to control, disrupt, degrade or destroy the technology that supports everyday life an attractive target for military planners. However, gaining the intelligence and persistence needed to execute such attacks is costly. The Russia-Ukraine conflict has shown that, more often than not, militaries prefer firing a rocket to launching a cyber-attack.

Of course, for some nation-state groups, cyber is the means to the end: North Korea stole $1.7 billion in cryptocurrency in 2023 from various digital break-ins and scams, in part to funnel towards its nuclear weapons programme.

And finally

Happy New Year! Wishing you a peaceful, prosperous, and protected 2024. Thanks for subscribing, and I will speak to you all next week.


  Robin's Newsletter - Volume 6

  EasyPark Group RingGo ParkMobile China Barracuda Email Security Gateway (ESG) Kaspersky Apple ARM Triangulation Google Ransomware Cloud Legal