This week
Australia doxes, sanctions Medibank attacker
- Australia has named Russian citizen Aleksandr Ermakov as being behind the data breach at Medibank in 2022 (vol. 5, iss. 47).
- Home Affairs Minister Clare O’Neil made the announcement while also saying that Australia was applying sanctions to Ermakov for “the single most devastating cyber-attack we have experienced as a nation”. O’Neil was bullish, saying “[these] people are cowards and scumbags… we’ll unveil who you are and we’ll make sure you’re accountable.”
- The breach was particularly egregious because data sets were published online containing medical information and claims information in “naughty-list” and “good-list” files, including those seeking abortions and with mental health problems.
- It’s the first time Australia has used the Magnitsky-style sanctions laws it passed in 2021, which allow asset freezes and travel bans on those involved in significant cyber-attacks. The UK and US joined Australia in applying their own sanctions.
- The Australian Federal Police and Australian Signals Directorate, with cooperation from international partners, identified Ermakov and also linked him to the REvil ransomware gang. Photos accompanying the press release appear to show him sitting in front of his computer, suggesting that the ASD may have had access to his personal machine.
Criticism of Microsoft grows in the wake of recent nation-state breach
- As details of the recent Midnight Blizzard (aka Nobelium, Cozy Bear) attack on Microsoft come to light, security experts and politicians are raising criticism of the company. The threat actor, linked to Russia’s foreign intelligence service (SVR), used password spraying to gain access to a “legacy non-production test tenant account”, said Microsoft.
- In an update, Microsoft acknowledged that the compromised account had access to a legacy test OAuth application with elevated access to Microsoft’s corporate environment, which amounts to privileged reach from a test tenant into the main Microsoft environment. Having gained access to the test tenant, “[the] threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes”. Questions loom large as to how or why a legacy non-production test tenant account could grant itself permission to the mailboxes of senior executives and legal counsel.
- Earlier this week, Microsoft said that “the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations.” Hewlett-Packard Enterprise (HPE) says it was also compromised by the same Russian group from May 2023 onwards, though an HPE spokesperson said “we’re unable to link the [Microsoft and HPE breaches] at this time”. HPE’s regulatory filing said the incident “has not had a material impact” on operations.
- Alex Stamos, chief trust officer at SentinelOne, was particularly disparaging of Microsoft on LinkedIn, pointing out how they were downplaying the event (I’m sure Microsoft’s legal team don’t consider their email a “legacy” system), and lambasting them for taking the opportunity to upsell their own security products.
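The practical follow-up for any tenant owner reading Microsoft’s update is to find out which applications in their own tenant hold mailbox-reading application roles, and when they were granted. The Python below is an added example (not Microsoft’s code, and not from the original newsletter): it walks the JSON that the Microsoft Graph endpoint `GET /servicePrincipals/{id}/appRoleAssignedTo` returns for the Exchange Online and Microsoft Graph resource service principals, flags service principals holding `full_access_as_app` or the Graph `Mail.*` application roles, and optionally narrows to grants made within a recent window, which is the “new grant to an old, forgotten app” pattern described above. The sample payload, the app names and the report date are constructed; the role GUIDs are the published first-party values, but confirm them against the resource service principal in your own tenant.

```python
"""Audit Entra ID app-role grants that give applications mailbox access.

Added example: feed it the JSON from
GET https://graph.microsoft.com/v1.0/servicePrincipals/{resource-sp-id}/appRoleAssignedTo
for the "Office 365 Exchange Online" and "Microsoft Graph" service principals.
"""
import json
from datetime import datetime, timezone

# App-role IDs for the first-party resources (published values; verify in
# your tenant with GET /servicePrincipals/{id}?$select=appRoles).
EXCHANGE_FULL_ACCESS_AS_APP = "dc50a0fb-09a3-484d-be87-e023b12c6440"
GRAPH_MAIL_READ = "810c84a8-4a9e-49e6-bf7d-12d183f40d01"
GRAPH_MAIL_READWRITE = "e2a3a72e-5f79-4c64-b1b1-878b674786c9"

MAILBOX_ROLES = {
    EXCHANGE_FULL_ACCESS_AS_APP: "Office 365 Exchange Online full_access_as_app",
    GRAPH_MAIL_READ: "Microsoft Graph Mail.Read (application)",
    GRAPH_MAIL_READWRITE: "Microsoft Graph Mail.ReadWrite (application)",
}

# Constructed sample in the shape Graph returns; app names are invented.
SAMPLE_ASSIGNMENTS = json.dumps({
    "value": [
        {"id": "a1", "appRoleId": EXCHANGE_FULL_ACCESS_AS_APP,
         "principalType": "ServicePrincipal", "principalId": "1111",
         "principalDisplayName": "legacy-test-app",
         "resourceDisplayName": "Office 365 Exchange Online",
         "createdDateTime": "2024-01-10T02:14:00Z"},
        {"id": "a2", "appRoleId": GRAPH_MAIL_READ,
         "principalType": "ServicePrincipal", "principalId": "2222",
         "principalDisplayName": "mail-archiver",
         "resourceDisplayName": "Microsoft Graph",
         "createdDateTime": "2021-06-01T09:00:00Z"},
        {"id": "a3", "appRoleId": "00000000-0000-0000-0000-00000000beef",  # made-up, non-mail role
         "principalType": "ServicePrincipal", "principalId": "3333",
         "principalDisplayName": "hr-sync",
         "resourceDisplayName": "Microsoft Graph",
         "createdDateTime": "2023-03-15T12:00:00Z"},
    ]
})

# Constructed "today" so the recent-window filter is deterministic.
SAMPLE_NOW = datetime(2024, 1, 26, tzinfo=timezone.utc)


def find_mailbox_grants(payload, recent_days=None, now=None):
    """Return app-role grants that give an application mailbox access, oldest first.

    payload: the Graph JSON (str or already-parsed dict).
    recent_days: if set, keep only grants created within that many days of `now`.
    """
    data = json.loads(payload) if isinstance(payload, str) else payload
    now = now or datetime.now(timezone.utc)
    hits = []
    for a in data.get("value", []):
        role = MAILBOX_ROLES.get(a.get("appRoleId"))
        # Only application (service principal) grants matter for the
        # "app reads mailboxes on its own" pattern; user/group grants are skipped.
        if role is None or a.get("principalType") != "ServicePrincipal":
            continue
        created = datetime.fromisoformat(a["createdDateTime"].replace("Z", "+00:00"))
        if recent_days is not None and (now - created).days > recent_days:
            continue
        hits.append({
            "principal": a.get("principalDisplayName"),
            "principal_id": a.get("principalId"),
            "role": role,
            "resource": a.get("resourceDisplayName"),
            "created": created.isoformat(),
        })
    hits.sort(key=lambda h: h["created"])
    return hits


if __name__ == "__main__":
    for h in find_mailbox_grants(SAMPLE_ASSIGNMENTS):
        print(f"{h['created']}  {h['principal']:<16} {h['role']}")
    recent = find_mailbox_grants(SAMPLE_ASSIGNMENTS, recent_days=30, now=SAMPLE_NOW)
    print("granted in the last 30 days:", [h["principal"] for h in recent])
```

Run it against the real payload and treat every hit as something that needs an owner and a justification; a grant created recently to an application nobody recognises is exactly the situation Microsoft describes. Pair the output with the tenant’s audit log entry for “Add app role assignment to service principal” to see which identity performed the grant.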
Interesting stats
70,000 domains used in the ‘VexTrio’ traffic distribution system to redirect victims to phishing pages, exploit kits and other malware downloads, according to Infoblox.
Other newsy bits / in brief
- NCSC says that “Artificial intelligence (AI) will almost certainly increase the volume and heighten the impact of cyber attacks…” and that this “will likely contribute to the global ransomware threat over the next two years”. The AI threat assessment says that threat actors will receive the most significant capability uplift in social engineering, but also highlights the potential uses of AI to summarise large quantities of data and assist in identifying valuable data to exfiltrate.
- The SEC says that its X/Twitter account compromise was caused by someone conducting a SIM swapping attack on the phone number associated with the regulator’s account.
- The NSA has admitted to purchasing data on American citizens from data brokers. The Department of Defense (DoD) responded saying that it “adheres to high standards of privacy and civil liberties protections” when buying location data and that it is not aware of a legal requirement for it to obtain a court order for commercially available information that “is equally available for purchase to foreign adversaries, US companies, and private persons as it is to the US government.”
- Amazon is ‘sunsetting’ the Request for Assistance (RFA) tool that allowed law enforcement and fire departments to gain access to its Ring Doorbell video feeds without a warrant.
- Someone abused an exposed API to match 15.1 million public Trello profiles to their email addresses.
- Ukraine’s Ministry of Defence claims that pro-Ukrainian hacktivists gained access to the Russian Center for Space Hydrometeorology and wiped 2 petabytes of data.
- A new ransomware strain uses an antivirus driver to kill other AV and security monitoring software. The Kasseika malware abuses TG Soft’s ‘Martini’ driver to terminate 991 processes, and the codebase shares similarities with that of the now defunct BlackMatter ransomware group.
- An exploit to create new admin accounts in Fortra’s GoAnywhere MFT file transfer software has been released. The vendor patched the remotely exploitable CVE-2024-0204 (9.8/10) vulnerability in December and privately notified customers of its severity. The Clop ransomware group mass-exploited Fortra GoAnywhere instances at the beginning of 2023.
- Cisco is warning of a vulnerability that allows an unauthenticated, remote attacker to execute arbitrary code on its Unified Communications and Contact Center Solutions products. See Cisco’s advisory for CVE-2024-20253 (9.9/10).
- Ransomware: US mortgage lender loanDepot has confirmed a ransomware attack and says that attackers also stole personal data of 16.6 million people. UK water company Southern Water confirmed that the Black Basta ransomware group gained unauthorised access to its IT systems; the cybercriminals claim to have stolen 750GB of data. New York-based fintech EquiLend says operations have been disrupted this week by a LockBit ransomware attack. The Akira ransomware gang is claiming responsibility for a digital break-in at Lush, reportedly stealing 110GB of data, including personal documents and passport scans (presumably from employees).
- Researchers from MIT have discovered that it is possible to use the ambient light sensor found in most smartphones (and increasingly in other devices) to detect the gestures being performed by a user. There are some pretty hefty limitations (it needs a large screen, a dark environment and known on-screen content) and, of course, it can’t identify who the user is; however, the research is designed to highlight the potential threat so it can be considered in future product development.
- A malware developer behind the Trickbot malware has been sentenced to 64 months in prison. Russian national Vladimir Dunaev was extradited to the US after being arrested in South Korea. The 40-year-old oversaw the development of the browser injection component. Dunaev pleaded guilty to conspiring to commit computer fraud, identity theft, and wire fraud.
- Investments, M&A: Identity security startup Silverfort has raised $116 million for its platform which provides “a second opinion” on authentication requests from other identity providers. Clerk has announced a $30 million Series B for its suite of developer tools to manage users and authentication. Also, a massive congratulations to Nadia, Chris and the naq team on the €3 million seed round for their automated compliance platform for healthcare.
And finally
- This week Apple released iOS 17.3, including a new Stolen Device Protection feature, which requires biometric authentication and adds delays to specific account changes, designed to prevent thieves from quickly being able to take over iCloud accounts. Please turn it on: Settings > Face ID & Passcode > toggle on Stolen Device Protection. (Meanwhile, Manhattan District Attorney Alvin Bragg warns that many fintech apps need to do more to protect users’ cash.)