This week
FBI disrupts Volt Typhoon operation
- According to FBI director Christopher Wray, the US disrupted the infrastructure of a Chinese-linked espionage group in December 2023. Speaking at a select committee hearing on the cyber threat posed by China, Wray said that hundreds of US-based small business and home routers had been infected with the ‘KV Botnet’ malware by the Volt Typhoon group.
- The FBI was able to issue a command to the affected routers — mainly end-of-life Cisco and Netgear devices — that removed the malware. A court had to approve the action, technically known as a ‘seizure’, and the FBI now plans to contact ISPs so they can notify affected customers, as the devices will return to a vulnerable state if they’re rebooted.
- The infected devices were used as VPN endpoints to tunnel traffic into the US to provide cover and minimise suspicion in other attacks.
Moody’s cited cyber threat while downgrading the rating of UK water sector
- Interestingly, credit rating agency Moody’s cited “elevated” risk of cyber attack against UK water companies while downgrading the sector from stable to negative. Moody’s also expects sector spending on cyber security to increase sevenfold over the next five years, from £100 million collectively to around £700 million.
Stolen FTX $400 million linked to three US SIM swappers
- The $400 million stolen from FTX as the company went bankrupt has been linked to three Americans engaged in SIM swapping. Robert Powell, Carter Rohn, and Emily Hernandez — the “Powell SIM Swapping Crew” — were named in an indictment last week, with Brian Krebs spotting the dates and values match the FTX incident. The charged three don’t appear to have had brilliant OpSec, variously using parts of their real names as pseudonyms.
Interesting stats
127,147,851 data subjects have been affected by breaches “involving economic or financial data” between 1st October 2019 and the end of 2023, according to a Freedom of Information request to the UK ICO. The number exceeds the population of the UK, but likely includes individuals not resident within the UK, and does not account for duplicates.
29% of ransomware victims paid ransom demands in Q4 2023, a record low, according to Coveware, down from 85% — the ransom payment rate at the start of 2019:
![Ransomware payment rates have steadily declined from 85% in Q1 2019 to 29% in Q4 2023 (Source: Coveware)](/img/newsletter/294-coveware_ransom_payment_rates.png)
The size of the organisation targeted and median ransom payment has increased over the same period, though, as cybercriminals shifted from opportunistically extorting individuals to more organised attacks against organisations.
Quiz
What does the FBI estimate losses to ‘liquidate savings’ scams from May to December 2023? A) $10 million; B) $25 million; C) $55 million. Answer ⤵
Other newsy bits / in brief
- Ivanti can’t catch a break: two more vulnerabilities in its Connect Secure, Policy Secure and ZTA gateway products are being actively exploited. CVE-2024-21893 (8.2/10) is a server-side request forgery vulnerability that allows attackers to bypass authentication routines, while CVE-2024-21888 (8.8/10) allows privilege escalation to administrator. A patch is available. Advisory. The critical, actively exploited vulnerabilities have got to the point that CISA has ordered all federal civilian agencies to disconnect Ivanti devices.
- Transactions of Monero, the privacy-focussed cryptocurrency which claims to be untraceable, may still be identifiable: investigators at Finland’s National Bureau of Investigation (KRP) managed to trace funds being moved from Bitcoin, through Monero, and back to Bitcoin while identifying Julius Aleksanteri Kivimäki (vol. 5, iss. 45) as the suspect behind the attack on a psychotherapy clinic in 2020 (vol. 3, iss. 44). Details of the techniques have not been made public.
- Cloudflare has provided more details of its breach in November 2023. The company says that one access token and three service accounts were compromised during Okta’s October 2023 breach (vol. 6, iss. 45). The company then failed to rotate the credentials because it thought they were unused (though it doesn’t say why they weren’t disabled or deleted, given this assumed status).
- SolarWinds has filed a motion to dismiss the SEC’s lawsuit, which claims the company’s management made materially misleading statements about the business’s exposure to cyber risk in regulatory filings (vol. 6, iss. 45).
- Europcar is denying it has been breached, suggesting that the 50 million records being sold on criminal forums contain made-up place names that don’t match ZIP codes.
- Sensitive code, infrastructure diagrams and internal passwords for Binance have been in a publicly accessible GitHub repository for months.
- Ukraine’s CERT is warning that at least 2,000 computers in the country have been infected with PurpleFox malware.
- Remote administration firm AnyDesk says that attackers gained unauthorised access to its production servers and made off with source code and code signing keys. Customers should upgrade to the latest version, which contains a new signing certificate.
- Qualys has found a local privilege escalation vulnerability in the GNU C Library. CVE-2023-6246 (7.8/10) affects glibc and can be used to gain root access on common Linux distributions including Debian, Ubuntu and Fedora.
- Ransomware: Industrial control giant Schneider Electric fell victim to the Cactus ransomware group in January, with the criminals claiming to have stolen terabytes of company data. ALPHV (aka BlackCat) claims to have stolen 300GB of data possibly relating to the US Defense Counterintelligence and Security Agency from Technica, an IT services company. LockBit is claiming responsibility for an attack on Chicago children’s hospital Saint Anthony Hospital, with the hospital saying no medical or financial information was stolen.
- Attack impacts: Johnson Controls International says its September 2023 attack cost the company $27 million. Clorox says it incurred $49 million of expenses responding to its September cyberattack (vol. 6, iss. 39).
- The FTC has ordered Blackbaud to improve its cyber security posture and ensure it deletes customer data that is no longer needed, following a 2020 ransomware incident (vol. 3, iss. 30). The company paid the attackers a ransom of 24 Bitcoin (~$250,000) but never confirmed that the criminals deleted the stolen data.
- Interpol has arrested 31 people and identified 1,300 servers used for command and control of phishing, banking trojan, and ransomware campaigns. 70% of the servers have been ‘dismantled’ as part of Operation Synergia. Interpol also identified a further 70 suspects in the operation, which spanned 55 countries.
- Investments, mergers & acquisitions: Machine-to-machine identity startup Oasis Security has emerged from stealth with $40 million in funding.
- Industry news: Thoma Bravo-owned Proofpoint is laying off 280 employees, or 6% of its workforce (Side note: I’m also here for TechCrunch pointing out the leadership team of the 4,500 employee business contains no women). Okta is making similar cuts, laying off approximately 400 employees, or 7% of its workforce, almost a year to the day since its last layoffs.
And finally
- The Silk Dress cryptogram has been solved. Ten years ago, Sara Rivers-Cofield, a curator and archaeologist, bought an 1880s bustle dress from an antique shop in Maine and discovered a hidden pocket containing two sheets of paper with coded messages. Wayne Chan, a data analyst at the University of Manitoba, cracked the code, linking the phrases back to a US Army code book. The messages are weather observations, likely encoded because telegrams were charged per word, and code books allowed more information to be transmitted with fewer words.
Answer
C) $55 million: the FBI is warning of a new wave of ‘tech support’ style telephone scams that encourage the victim to liquidate their savings into cash or precious metals to prevent them from being stolen by hackers, before sending a courier to collect the funds. Return ⤴