Robin’s Newsletter #296

18 February 2024. Volume 7, Issue 7
FBI disrupts GRU botnet. Dozens of Romanian hospitals impacted by ransomware. European court rules on encryption backdoors.

This week

DOJ, FBI disrupt Russian intelligence botnet

  • DOJ quietly removed Russian malware from routers in US homes and businesses.
  • The operation dismantled a botnet of over 1,000 Ubiquiti EdgeOS routers that Russia’s GRU military intelligence unit had compromised because the devices were still using default credentials. The GRU then installed ‘Moobot’ malware (a Mirai variant) on them.
  • The FBI’s Operation Dying Ember, approved by a court in January 2024, used the Moobot malware to copy and delete stolen information before modifying the compromised router’s firewall rules to block remote management and kick the GRU out.
  • It comes only a few weeks after US authorities took action to dismantle a similar botnet used by the Chinese Volt Typhoon group (vol. 7, iss. 5). The botnets provide a way for their operators to proxy or tunnel traffic, hiding within a target or friendly country rather than explicitly being observed as coming from (e.g.) Russia or China.

Ransomware attack against dozens of Romanian hospitals

  • Hospitals offline across Romania following ransomware attack on IT platform.
  • Mostly overnight on Monday, systems at 25 hospitals were encrypted, while services at another 75 were disrupted by precautionary measures. The attackers demanded 3.5 bitcoin (~£130,000 / $170,000) to decrypt the data, which seems low compared with similar attacks.
  • Officials say that data had recently been backed up, reducing the impact and that they had identified the malware used. However, the group behind the attack has yet to be identified.

Encryption backdoors not compatible with a democratic society

  • Backdoors that let cops decrypt messages violate human rights, EU court says.
  • The Russian government had been trying to compel the encrypted chat app Telegram to hand over the decrypted messages of six of its users, whom Russia says it believes are terrorists.
  • Telegram said the request was impossible to comply with and that building a backdoor would compromise the confidentiality of all of its users. The case ended at the European Court of Human Rights (ECtHR), an international court in Strasbourg, after a Russian national applied for a judgment.
  • The ruling concluded that the “confidentiality of communications is an essential element of the right to respect for private life and correspondence” and that law enforcement requiring messages be decrypted “cannot be regarded as necessary in a democratic society.”

Interesting stats

3,205 total data compromises in 2023, according to the Identity Theft Resource Center analysis of US data… 2,365 were attributed to cyberattacks, 729 to system and human errors, 242 were within supply chains, and 53 were linked to physical attacks. 1,400+ (~2x year-on-year) public data breach notices did not contain information on the attack vector.

Other newsy bits / in brief

⚠️ Breaches:

🏴‍☠️ Ransomware:

🕵️ Threat Intel:

🪲 Vulnerabilities:

📜 Regulation:

👮 Law Enforcement:

💰 Investments, mergers and acquisitions:

And finally

  • Integrity matters: Air Canada must honour refund policy invented by airline’s chatbot. The airline argued that “it cannot be held liable for information provided by one of its agents, servants, or representatives—including a chatbot,” after its AI customer service bot told a passenger they would be entitled to a refund for travel after a family bereavement. The bot also linked to the ‘official’ policy. However, the airline failed to explain why users should trust content on one part of its website but not another.
