This week
DOJ, FBI disrupt Russian intelligence botnet
- DOJ quietly removed Russian malware from routers in US homes and businesses.
- The operation dismantled a botnet of over 1,000 Ubiquiti EdgeOS routers that Russia’s GRU military intelligence unit had taken over. The routers had originally been infected with ‘Moobot’ malware (a Mirai variant) because they were still using publicly known default credentials; the GRU then used that foothold to install its own tooling.
- The FBI’s Operation Dying Ember, approved by a court in January 2024, used the Moobot malware to copy and delete stolen information before modifying the compromised router’s firewall rules to block remote management and kick the GRU out.
- It comes only a few weeks after US authorities took action to dismantle a similar botnet used by the Chinese Volt Typhoon group (vol. 7, iss. 5). The botnets provide a way for their operators to proxy or tunnel traffic, hiding within a target or friendly country rather than explicitly being observed as coming from (e.g.) Russia or China.
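Default credentials were the initial foothold here, and the FBI’s remedy was to firewall off remote management. As an added example (not code from the newsletter, the DOJ or Ubiquiti), the Python below runs a simple detection over constructed OpenSSH log lines in the format an EdgeOS device (Debian-based, running OpenSSH) writes to syslog: it flags credential-guessing bursts from outside the LAN, password logins to the vendor default `ubnt` account, and any management login from a WAN address. The LAN ranges, the failure threshold, the default-account list and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in OpenSSH's syslog format. They are illustrative,
# not captured from a real device.
SAMPLE_LOG = """\
Feb 12 03:14:07 ubnt sshd[2213]: Failed password for ubnt from 203.0.113.5 port 51234 ssh2
Feb 12 03:14:09 ubnt sshd[2213]: Failed password for root from 203.0.113.5 port 51236 ssh2
Feb 12 03:14:11 ubnt sshd[2214]: Failed password for admin from 203.0.113.5 port 51238 ssh2
Feb 12 03:14:12 ubnt sshd[2215]: Failed password for invalid user support from 203.0.113.5 port 51240 ssh2
Feb 12 03:14:15 ubnt sshd[2216]: Accepted password for ubnt from 203.0.113.5 port 51242 ssh2
Feb 12 08:02:41 ubnt sshd[2301]: Accepted publickey for ops from 192.168.1.20 port 40122 ssh2
Feb 12 09:30:05 ubnt sshd[2350]: Failed password for ops from 192.168.1.20 port 40130 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Assumptions: which ranges count as the LAN, and which account names are
# vendor defaults. EdgeOS ships with the account 'ubnt' (default password
# 'ubnt'), which Mirai-style credential lists include.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
DEFAULT_ACCOUNTS = {"ubnt", "admin", "root"}
FAILURE_THRESHOLD = 3  # failures from one external source before we raise a finding


def is_trusted(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def parse(log_text: str):
    """Yield one dict per sshd authentication event; other lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def analyse(log_text: str) -> list[dict]:
    failures = defaultdict(int)
    findings = []
    for ev in parse(log_text):
        external = not is_trusted(ev["ip"])
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            # Raise once, when an external source crosses the threshold.
            if external and failures[ev["ip"]] == FAILURE_THRESHOLD:
                findings.append({"type": "wan_bruteforce", "ip": ev["ip"]})
        else:  # Accepted
            if ev["method"] == "password" and ev["user"] in DEFAULT_ACCOUNTS:
                findings.append({"type": "default_account_password_login",
                                 "ip": ev["ip"], "user": ev["user"]})
            if external:
                # Management should not be reachable from the WAN at all;
                # any accepted login from outside the LAN is worth a look.
                findings.append({"type": "management_login_from_wan",
                                 "ip": ev["ip"], "user": ev["user"], "method": ev["method"]})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the sample, the external source trips the brute-force finding on its third failure and then succeeds against `ubnt` with a password, which produces both the default-account and WAN-login findings; the LAN user’s key login and single failure raise nothing. The durable fix is the one the FBI applied by hand: restrict the management services to the LAN and change the default password.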
Ransomware attack against dozens of Romanian hospitals
- Hospitals offline across Romania following ransomware attack on IT platform.
- Mostly overnight on Monday, 25 hospitals had their systems encrypted, and services at another 75 were disrupted after systems were taken offline as a precaution. The attackers demanded 3.5 bitcoin (~£130,000 / $170,000) to decrypt the data, which seems low compared with similar attacks.
- Officials say that data had recently been backed up, reducing the impact and that they had identified the malware used. However, the group behind the attack has yet to be identified.
Encryption backdoors not compatible with a democratic society
- Backdoors that let cops decrypt messages violate human rights, EU court says.
- The Russian government had been trying to compel the encrypted chat app Telegram to hand over the decrypted messages of six of its users, whom Russia says it believes are terrorists.
- Telegram said the request was impossible to comply with and that building a backdoor would compromise the confidentiality of all of its users. The case ended at the European Court of Human Rights (ECtHR), an international court in Strasbourg, after a Russian national applied for a judgment.
- The ruling concluded that the “confidentiality of communications is an essential element of the right to respect for private life and correspondence” and that a legal obligation to decrypt end-to-end encrypted messages for law enforcement “cannot be regarded as necessary in a democratic society.”
Interesting stats
3,205 total data compromises in 2023, according to the Identity Theft Resource Center analysis of US data… 2,365 were attributed to cyberattacks, 729 to system and human errors, 242 were within supply chains, and 53 were linked to physical attacks. 1,400+ (~2x year-on-year) public data breach notices did not contain information on the attack vector.
Other newsy bits / in brief
- CEO of Ukraine’s largest telecom operator describes Russian cyberattack that wiped thousands of computers. The diversity of Kyivstar’s network vendors (which the Russian attackers had not accounted for), a quick response, and conflicting attacks limited the impact on physical infrastructure in December 2023 (vol. 6, iss. 51).
⚠️ Breaches:
- Southern Water customers affected by cyber attack. Hackers may have made off with the names, dates of birth, national insurance numbers, bank account details and reference numbers of “5 to 10%” (470,000) of the UK water company’s customer base. The Black Basta ransomware group claimed to have gained access to Southern Water and stolen 750GB of data in late January (vol. 7, iss. 4).
- Integris Health says data breach impacts 2.4 million patients. Integris is Oklahoma’s largest not-for-profit healthcare network. It’s notable because the threat actor is charging per record: $3 to view a record and $50 to (allegedly) remove it.
- Prudential Financial breached in data theft cyberattack. In a regulatory filing with the SEC, Prudential says they believe the attack was perpetrated by a cybercrime group, who gained access to ‘Company administrative and user data’.
- BMW security lapse exposed sensitive company information, researcher finds. The carmaker misconfigured a cloud storage ‘bucket’ so that it was left public instead of private, exposing scripts, secret keys and other development information.
🏴☠️ Ransomware:
- LockBit claims cyberattack on Indian broker Motilal Oswal.
- Bank of America warns customers of data breach after vendor hack. The bank is pointing the finger at Infosys McCamish Systems (IMS), who reported 57,028 people were affected in a breach notification. LockBit has claimed responsibility for the breach, which occurred in November 2023.
- Pennsylvania county pays $350,000 cyberattack ransom. “While paying the ransom was not the county’s first choice, we decided that after weighing all factors, it was the best approach,” the county’s solicitor said.
- Free Rhysida ransomware decryptor for Windows exploits RNG flaw. The vulnerability in Rhysida’s malware had been known about, and quietly exploited by blue teams for months to help victims; now that it is public, the cybercriminals will fix it. Is this responsible disclosure?
🕵️ Threat Intel:
- Ongoing campaign compromises senior execs’ Azure accounts, locks them using MFA. Proofpoint says hundreds of Azure accounts are being targeted to steal sensitive data and financial assets.
- Volt Typhoon targeted emergency management services, per report. Dragos says that it has seen the Chinese group targeting emergency dispatch operations. The targeting suggests that Volt Typhoon sought to hamper response and recovery efforts from potential disruptive attacks.
- Turla hackers backdoor NGOs with new TinyTurla-NG malware. Cisco Talos says it has analysed new malware used by the Turla group, linked to Russia’s FSB intelligence agency, that uses compromised WordPress sites for command and control.
🪲 Vulnerabilities:
- New critical Exchange bug exploited as zero-day, says Microsoft. CVE-2024-21410 (9.8/10), patched in this month’s update, was discovered internally but exploited in the wild. “An attacker who successfully exploited this vulnerability could relay a [previously obtained] user’s leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user,” says the Microsoft advisory.
- Zoom patches critical privilege elevation flaw in Windows apps. CVE-2024-24691 (9.6/10) is a flaw in input validation that could allow an unauthenticated attacker to obtain privilege escalation over the network. Advisory.
- SolarWinds fixes critical RCE bugs in access rights audit solution. CVE-2024-23476 (9.6/10) and CVE-2024-23479 (9.6) are path traversal vulnerabilities, while CVE-2023-40057 (9.0) allows for deserialisation of untrusted data. Advisory.
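The Exchange bug above is an NTLM relay: the attacker forwards a victim’s Net-NTLMv2 authentication to Exchange rather than cracking it, which is why Microsoft’s mitigation is Extended Protection for Authentication (channel binding), enabled by default from Exchange 2019 CU14 and switchable on older builds with Microsoft’s ExchangeExtendedProtectionManagement.ps1 script. As an added example (not code from the newsletter or Microsoft), the Python below computes the NTLM channel binding token the way MS-NLMP and RFC 5929 define it (MD5 over a gss_channel_bindings_struct carrying `tls-server-end-point:` plus the SHA-256 of the server certificate) and models the three IIS `tokenChecking` settings against a direct login, a relay the victim reached over TLS, and a relay fed by a coerced non-TLS authentication. The certificates, the per-user secret and the simplified proof-of-possession (a stand-in for the real NTProofStr HMAC) are constructed assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional


def channel_binding_token(server_cert_der: bytes) -> bytes:
    """MsvChannelBindings value a client places in its NTLMv2 AV_PAIRs when it
    authenticates over TLS: MD5 of a gss_channel_bindings_struct whose
    application_data is the RFC 5929 'tls-server-end-point' binding.
    SHA-256 is the correct certificate hash for SHA-256-signed certificates."""
    app_data = b"tls-server-end-point:" + hashlib.sha256(server_cert_der).digest()
    # initiator_addrtype, initiator_address.length, acceptor_addrtype and
    # acceptor_address.length are zero; then application_data.length and the data.
    gss_struct = struct.pack("<IIIII", 0, 0, 0, 0, len(app_data)) + app_data
    return hashlib.md5(gss_struct).digest()


@dataclass(frozen=True)
class NtlmAuthenticate:
    user: str
    channel_binding: Optional[bytes]  # None when the client authenticated over a non-TLS channel
    proof: bytes  # stand-in for NTProofStr: an HMAC covering the CBT, so a relay cannot strip or alter it


def client_authenticate(user: str, user_secret: bytes, tls_cert_seen: Optional[bytes]) -> NtlmAuthenticate:
    """The victim authenticates to whatever endpoint it reached; if that was TLS, it binds
    the response to the certificate *it* saw. user_secret stands in for the NTOWFv2 key."""
    cbt = channel_binding_token(tls_cert_seen) if tls_cert_seen is not None else None
    proof = hmac.new(user_secret, user.encode() + (cbt or b""), hashlib.sha256).digest()
    return NtlmAuthenticate(user, cbt, proof)


def server_accepts(auth: NtlmAuthenticate, user_secret: bytes, server_cert_der: bytes, token_checking: str) -> bool:
    """token_checking mirrors IIS <extendedProtection tokenChecking="None|Allow|Require"/>."""
    expected = hmac.new(user_secret, auth.user.encode() + (auth.channel_binding or b""), hashlib.sha256).digest()
    if not hmac.compare_digest(auth.proof, expected):
        return False  # wrong credential, or a relay tampered with the bound CBT
    if token_checking == "None":
        return True  # no Extended Protection: a relayed response looks exactly like a real one
    if token_checking not in ("Allow", "Require"):
        raise ValueError(f"unknown tokenChecking value {token_checking!r}")
    if auth.channel_binding is None:
        return token_checking == "Allow"  # Allow tolerates clients that sent no CBT; Require does not
    return hmac.compare_digest(auth.channel_binding, channel_binding_token(server_cert_der))


def relay_outcomes() -> dict:
    """Three authentications against Exchange under each EPA setting. All inputs are constructed."""
    exchange_cert = b"constructed DER for mail.example.com"
    attacker_cert = b"constructed DER for the relay's TLS listener"
    secret = b"constructed per-user secret"
    direct = client_authenticate("alice", secret, exchange_cert)        # genuine login to Exchange
    relayed_tls = client_authenticate("alice", secret, attacker_cert)   # victim reached the relay over TLS
    relayed_plain = client_authenticate("alice", secret, None)          # victim coerced over SMB/HTTP, no TLS
    return {
        mode: {
            "direct": server_accepts(direct, secret, exchange_cert, mode),
            "relayed_via_tls": server_accepts(relayed_tls, secret, exchange_cert, mode),
            "relayed_no_tls": server_accepts(relayed_plain, secret, exchange_cert, mode),
        }
        for mode in ("None", "Allow", "Require")
    }


if __name__ == "__main__":
    for mode, results in relay_outcomes().items():
        print(mode, results)
```

With `None`, every relayed authentication is accepted. `Allow` rejects a relay the victim reached over TLS, because the CBT the victim computed is bound to the attacker’s certificate and the relay cannot rewrite it without breaking the proof, but it still accepts an authentication that carried no CBT at all. Only `Require` closes that case, which is the one the advisory describes: a Net-NTLMv2 response leaked from a non-TLS channel and replayed against Exchange.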
📜 Regulation:
- FCC orders telecom carriers to report PII data breaches within 30 days. It’s 2024 and these proposals have been doing the rounds for a couple of years now. America has a long way to go to catch up with European consumer data protection.
👮 Law Enforcement:
- Ukrainian national pleads guilty for roles in Zeus, IcedID malware operations. Vyacheslav Igorevich Penchukov pleaded guilty to one count of conspiracy to commit a Racketeer Influenced and Corrupt Organizations (RICO) Act offence and one count of conspiracy to commit wire fraud, for his roles in the Zeus banking trojan and IcedID malware operations.
💰 Investments, mergers and acquisitions:
- Bugcrowd snaps up $102M for a ‘bug bounty’ security platform that taps 500K+ hackers. The “dating services for people who break computers” will use the money to expand its US operations, but it isn’t beloved by all of those hackers, some of whom complain that the company is slow to investigate issues and penalises those who try to warn its corporate customers directly to minimise harm during those delays.
And finally
- Integrity matters: Air Canada must honour refund policy invented by airline’s chatbot. The airline argued that “it cannot be held liable for information provided by one of its agents, servants, or representatives—including a chatbot,” after its AI customer service bot told a passenger he would be entitled to a refund for travel after a family bereavement. The bot also linked to the ‘official’ policy. However, the airline failed to explain why users should trust content on one part of its website but not another.