Robin’s Newsletter #293

28 January 2024. Volume 7, Issue 4
Australia names Medibank attacker. Microsoft comes under criticism for config blunder that let Russia snoop on mailboxes.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Australia doxes, sanctions Medibank attacker

  • Australia has named Russian citizen Aleksandr Ermakov as being behind the data breach at Medibank in 2022 (vol. 5, iss. 47). 
  • Home Affairs Minister Clare O’Neil made the announcement while also saying that Australia was applying sanctions to Ermakov for “the single most devastating cyber-attack we have experienced as a nation”. O’Neill was bullish, saying “[these] people are cowards and scumbags… we’ll unveil who you are and we’ll make sure you’re accountable.”
  • The breach was particularly egregious because data sets were published online containing medical information and claims information in “naughty-list” and “good-list” files, including those seeking abortions and with mental health problems.
  • It’s the first time Australia has Magnitsky-style sanctions laws passed in 2021, allowing asset freezes and travel bans on those involved in significant cyber-attacks — the UK and US joined Australia in applying their own sanctions.
  • The Australia Federal Police and Australian Signals Directorate, with cooperation from international partners, identified Ermakov and also linked him to the REvil ransomware gang. Photos accompanying the press release appear to show the Russian sat in front of his computer, suggesting that the ASD may have been all up in his personal computer.

Criticism of Microsoft grows in the wake of recent nation-state breach

  • As details of the recent Midnight Blizzard (aka Nobelium, Cozy Bear) attack on Microsoft come to light, security experts and politicians are raising criticism of the company. The threat actor, linked to Russia’s foreign intelligence agency, has used password spraying to gain access to a “legacy non-production test tenant account”, said Microsoft.
  • In an update, Microsoft essentially admitted that the account must have been provisioned with admin privileges over the main Microsoft network. Having gained access to the test tenant, “[the] threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes”. Questions loom large as to how or why legacy non-production test tenant account could grant itself permission to the mailboxes of senior executives and legal counsel. 
  • Earlier this week, Microsoft said that “the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations.” Hewlett-Packard Enterprise (HPE) says it was also compromised by the same Russian group from May 2023 onwards, though an HPE spokesperson said “we’re unable to link the [Microsoft and HPE breaches] at this time”. HPE’s regulatory filing said the incident “has not had a material impact” on operations.
  • Alex Stamos, chief trust officer at SentinelOne, was particularly disparaging of Microsoft on LinkedIn, pointing out how they were downplaying the event (I’m sure Microsoft’s legal team don’t consider their email a “legacy” system), and lambasting them for taking the opportunity to upsell their own security products.

Interesting stats

70,000 domains used in the ‘VexTrio’ traffic distribution system to redirect victims to phishing pages, exploit kits and other malware downloads, according to Infoblox.

Other newsy bits / in brief

And finally

Robin

  Robin's Newsletter - Volume 7

  Microsoft Russia Australia Medibank Hewlett Packard Enterprise (HPE) Artifical Intelligence (AI) Data brokers National Security Agency (NSA) Privacy Amazon Ring Doorbell Forta