This week
Deepfake scammer nets £20 million
- Hong Kong police are investigating a scam at an unnamed company where an employee was duped into making payments totalling HK$200 million (£20M, $25M). The authorities said an employee reported the crime after “she received video conference calls from someone posing as senior officers of the company requesting to transfer money”.
- The company’s UK-based CFO invited the finance clerk to join a video call to discuss ‘confidential’ transactions, but police believe all other attendees on the call were deepfakes. Generative AI tools were used to synthesise the video and audio on the call, apparently sufficiently well for the employee to believe the request and execute fifteen transactions to five different accounts. The company discovered the scam a week later.
- Encourage your finance team always to validate unusual or urgent payment requests over a separate communication channel. On a video call they can also counter this sort of deepfake by asking the other participants to raise a hand, turn their head, and answer further questions that confirm their identity.
TfL has been trialling AI video surveillance
- [London Underground Is Testing Real-Time AI Surveillance Tools to Spot Crime](https://www.wired.com/story/london-underground-ai-surveillance-documents/). Transport for London ran a proof of concept at Willesden Green tube station from October 2022 through September 2023, according to documents provided to Wired in response to a Freedom of Information request.
- TfL plans to roll out the technology more widely across its network to detect and alert staff to eleven ‘problematic behaviours’, ranging from unattended items and antisocial behaviour to a person on the tracks and wet floors. The trial did not involve facial recognition.
Interesting stats
$1.1 billion paid by victims of cyber criminals in 2023, up from $567 million (+94%) in 2022, as Chainalysis declares “a major comeback for ransomware”.
3,998 postings made on ransomware leak sites in 2023, up from 2,679 (+49%) in 2022, according to Palo Alto Networks, who link some spikes with MOVEit and Citrix Bleed vulnerabilities.
Other newsy bits / in brief
- Software security liabilities: An interesting read over at Lawfare: Standards for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor. The focus is on encouraging software vendors to adopt secure-by-design approaches and take more responsibility for the security of their products. “The goal here is not to create perfectly secure software;” writes Jim Dempsey, “it is instead to compensate users of software for losses caused by unreasonably dangerous defects in software.” Dempsey proposes three groupings: trivial stuff that should have been found and fixed during development; at the other end, complex stuff that you wouldn’t reasonably expect them to find; and then all the things in the middle. Bruce Schneier agrees, “We don’t let the fact that no restaurant can possibly fix all of the food-safety vulnerabilities lead us to the conclusion that restaurants shouldn’t be responsible for any food-safety vulnerabilities”.
- Flipped off: Canada declares Flipper Zero public enemy No. 1 in car-theft crackdown. Announcing a crackdown on car theft, Canadian Prime Minister Justin Trudeau and innovation minister François-Philippe Champagne both name-checked the hobbyist hacking device as an example of the ‘sophisticated electronic devices’ being used by thieves to copy car keys.
- North Korea: Cyber-attacks by North Korea raked in $3bn to build nuclear weapons, UN monitors suspect. A UN panel is “investigating 58 suspected DPRK cyber-attacks on cryptocurrency-related companies between 2017 and 2023”; their report is expected to be made public in the next couple of months.
- Middle East: Iran-backed hackers interrupt UAE TV streaming services with deep fake news. Microsoft says the Islamic Revolutionary Guards conducted the operation. They track the group as ‘Cotton Sandstorm’. Similar disruption was reported in Canada and the UK.
- Volt Typhoon: China-backed hackers have lurked inside US critical infrastructure for ‘at least five years’. The admission comes as three US agencies warn about Chinese attempts to maintain persistent access to US critical national infrastructure. The joint CISA, NSA, and FBI alert says Volt Typhoon has intruded into the telecommunications, energy, transport, and water sectors multiple times, typically relying on living-off-the-land techniques, i.e. (ab)using built-in management and admin tools. Of course, Western agencies are likely all up in China’s business, too, ‘defending forward’. That’s why agreement on cyber norms is so essential.
- Apple: Cybercrime duo accused of picking $2.5M from Apple’s orchard. Noah Roskin-Frazee and Keith Latteri allegedly gained access to backend systems and manipulated orders for gift cards. In a strange twist, Roskin-Frazee was also credited by Apple for participating in the firm’s bug bounty programme around the same time.
- Insider: Verizon data breach hits over 63,000 employees. Almost half the telco’s workforce is affected by the incident, which was caused when “an employee inappropriately handled a file containing certain personal information about some Verizon employees”. Verizon does not believe the data has been shared outside of the company.
- Open house: ‘World’s biggest casino’ app exposed customers’ personal data. WinStar left a logging database accessible to anyone on the Internet without a password.
- Ransomware: US offers up to $15 million for tips on Hive ransomware leadership. EquiLend back in the saddle as ransom payment rumours swirl. The company, which facilitates over $110 billion of transactions daily, said operations had been disrupted by the LockBit group two weeks ago (vol. 7, iss. 4). Hyundai Motor Europe hit by Black Basta ransomware attack.
- Ivanti’s Groundhog Day: Patch new Connect Secure auth bypass bug immediately. Another week, another Ivanti vulnerability. Perhaps CISA was right to ask US agencies to unplug their devices (vol. 7, iss. 5). This one, CVE-2024-22024 (8.3/10), is in a SAML (authentication) component and “allows an attacker to access certain restricted resources without authentication”. Advisory.
- Fortinet: New Fortinet RCE bug is actively exploited, CISA confirms. CVE-2024-21762 (9.6/10) is a critical remote code execution vulnerability in FortiOS. If you can’t immediately patch, you can disable SSL VPN as a workaround. Advisory.
- Cisco: Critical Cisco bug exposes Expressway gateways to CSRF attacks. Two critical vulnerabilities, CVE-2024-20252 and CVE-2024-20254, can be exploited by unauthenticated attackers. Advisory.
- Linux shim: Critical vulnerability affecting most Linux distros allows for bootkits. The buffer overflow vulnerability, tracked as CVE-2023-40547 (8.3/10), is only exploitable during the early boot stage, and must be combined with an attacker-in-the-middle attack.
- Events: DEF CON is cancelled! – at Caesars – but the show will go on. “We don’t know why Caesars canceled us,” said Jeff Moss, AKA Dark Tangent, before confirming that the event will still be August 8-11 2024, at the Las Vegas Convention Center (LVCC) instead, with workshops and training at the Sahara.
- Gemini: Google saves your conversations with Gemini for years by default. Human ‘annotators’ routinely read conversations with Google’s Gemini generative AI apps, and Google retains those conversations for up to three years.
- Privacy: Mozilla Monitor’s new service removes your personal info from data broker sites automatically. The subscription service is part of Mozilla Monitor, which also notifies you if your email has been part of a data breach.
- Spyware: US State Department will not issue visas to individuals linked to spyware abuse. It’s intended to dissuade those involved in the commercial spyware market who may sell sophisticated tools to regimes that abuse the capabilities.
- Investments, mergers & acquisitions: Attack surface management platform Ionix adds another $15M to its $27M Series A round. Entrust is buying AI-based ID verification startup Onfido, sources say for more than $400M. Endpoint security startup NinjaOne lands $231.5M Series C, $1.9 billion valuation, claiming management of seven million endpoints for 17,000 customers.
And finally
- Spam filter: Andretti Cadillac didn’t snub Formula 1—F1’s email went to spam folder. F1 didn’t follow up via any other methods when it didn’t hear back. Andretti was pursuing a bid to join the F1 grid, and F1 declined their application partly because they hadn’t responded. It’s a stupid situation highlighting the need for a balanced approach to security.
- Keeping the dentist away: Lastly… no, three million toothbrushes were not used in a DDoS botnet.