OK. This crept up on me. Every week for the last 300 weeks, I’ve written this newsletter. I probably should have planned something to celebrate the milestone. Thanks for subscribing and your generous feedback. I love to hear from you. It would mean a lot if you encourage someone — a friend, colleague, peer — to subscribe, or share this on LinkedIn, Mastodon, Twitter, Discord, or wherever you hang out. Keep defending! 🛡️
This week
British Library publishes lessons learned from 2023 ransomware incident
- The British Library has said it didn’t make a payment or even engage with the cybercriminals behind the October 2023 ransomware attack on its systems. “Ransomware gangs contemplating future attacks such as this on publicly-funded institutions should be aware that the UK’s national policy, articulated by NCSC [National Cyber Security Centre], is unambiguously clear that no such payments should be made,” it said.
- Digital collections are secure; however, the recovery, which is still underway, has been “hampered by the lack of viable infrastructure on which to restore it” — either because of a lack of vendor support or the platforms are incompatible with a new, secure infrastructure being rolled out.
- Props to the BL for releasing the lessons they learned from the incident. You probably won’t consider them groundbreaking advice, but I also suspect many organisations wouldn’t be able to hand-on-heart say they have them all covered. LINK, LESSONS LEARNED
French unemployment agency may have leaked personal info of 43 million citizens
- France Travail, the French government department responsible for unemployment benefits, has announced the loss of information on up to 43 million citizens, dating back 20 years. Names, dates of birth, social security numbers, email and postal addresses and phone numbers were all compromised; passwords and banking details were not. LINK
Probe launched into UnitedHealth Group over Change Healthcare disruption
- The US Department of Health and Human Services is investigating UnitedHealth Group’s HIPAA compliance. It follows the significant ransomware attack against its subsidiary Change Healthcare, which processes half of all medical claims in the US. UHG says it will comply with the investigation. LINK
McDonald’s outage blamed on supplier configuration change
- McDonald’s says a configuration change at a third-party supplier was responsible for a global outage that forced many of its outlets to close this week. A spokesperson said, rather cryptically, that the outage was “not directly caused by a cybersecurity event” (my emphasis), which could mean that a vulnerability required patching and the “configuration change” was the fix.
- Somewhat staggeringly, McDonald’s ‘Systemwide’ sales (those from McDonald’s operated and franchised locations) are worth approximately $1 million every 4 minutes. That’s an expensive outage. LINK
- Of course, Burger King’s marketing team didn’t miss the opportunity:
Interesting stats
12.8 million: the number of auth secrets and keys leaked on GitHub in 2023. The majority remained valid after five days. LINK
$10 million (down $2M) paid by Google in bug bounty rewards last year. LINK
Other newsy bits / in brief
- Singapore is introducing passportless immigration clearance using QR codes. The system is being rolled out first at the land border crossing with Malaysia and will require registering passport details with a government app. LINK
- You can download GPT-2, a precursor to ChatGPT, as an Excel spreadsheet. Software developer Ishan Anand built it to educate people about how large language models (LLMs) work. The project is called “Spreadsheets Are All You Need”. LINK, PROJECT
⚠️ Incidents:
- NHS Dumfries and Galloway says there “may be some disruption to services” resulting from a “focused and ongoing cyber attack.” NHSDG has warned patients that there have been “incursions” into healthcare systems and that “there is a risk that hackers have been able to acquire a significant quantity of data.” LINK
- Leicester City Council took systems offline as a precautionary measure. The attack has affected services, including child protection and adult social care, with disruption expected to last two weeks while systems are brought back online in a “safe and controlled manner”. LINK
- UK supermarket chain Sainsbury’s has apologised after a software update meant it couldn’t take contactless payments or make home deliveries. LINK
- First beer, now coffee: the Belgian village of Breendonk has had a rough couple of weeks, with brewer Duvel being hit first, and now local coffee roasters Koffie Beyers also suffering a cyber-attack. LINK, DUVEL
- The time cybercriminals take between gaining access and executing ransomware attacks has fallen over recent years. However, Stanford University says it had failed to detect the breach for four months before its September 2023 incident. LINK
- Insider threat: Facebook parent company Meta has sued a former senior employee for “brazenly disloyal and dishonest conduct” and using their access to abscond with 100 documents of a “confidential, non-public, and highly sensitive” nature. LINK
- Evil maid: A cleaner leaked information from the Drug Enforcement Administration to her suspected drug-dealing cousin, allowing him to evade arrest for over a month. LINK
🕵️ Threat Intel:
- Burglars may be starting to use Wi-Fi jammers to block home security cameras. LINK
- SIM swapping: A former manager at a telco has pleaded guilty to conspiracy charges and performing SIM swaps; they charged $1,000 to switch a phone number, plus an unspecified percentage of any gains. Meanwhile, SIM swappers are turning to carrier functions for replacing or restoring eSIMs to transfer phone numbers from the victim’s device to their own, according to Russian firm F.A.C.C.T. LINK, ESIM
- French government agencies are being hit by DDoS attacks of ‘unprecedented intensity’. LINK
- A Linux version of the NerbianRAT malware has existed undetected for at least two years, according to Check Point. LINK
🪲 Vulnerabilities:
- Fortinet has patched a critical remote code execution vulnerability (CVE-2023-48788; 9.8/10) in its FortiClient Enterprise Management Server (EMS) solution. LINK, ADVISORY
🧰 Guidance and tools:
- The NCSC has released a free service to help UK organisations check common email security protections that help protect email privacy and prevent spoofing. Other tools exist from commercial vendors. It’s neat to have an independent one tied to impartial, trusted advice. LINK
- Misconfiguration manager: SpecterOps researchers have released a knowledge base of attacks based on faulty Windows Configuration Manager (System Center Configuration Manager) setups and how to prevent them. LINK, REPO
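The NCSC check above looks at the protections a domain publishes in DNS. Here is an added example (my own code, not the NCSC’s tool or its criteria) of the kind of assessment such a service performs: it evaluates SPF, DMARC, MTA-STS and TLS-RPT records for the weak settings that still leave a domain spoofable or downgradable. The domain `example.test` and its records are constructed inline so the script runs offline; the specific rules (for instance, treating `p=none` and `+all` as findings) are my assumptions about sensible checks, not the NCSC’s.

```python
"""Added example: evaluate a domain's published email-protection records.
Not the NCSC service's code. Records are constructed sample data."""
import re

# Constructed records for a hypothetical domain (not real DNS data). The
# first set shows common weak settings; the second shows the corrected ones.
WEAK_RECORDS = {
    "example.test": "v=spf1 include:_spf.mail.example.test +all",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    # no _mta-sts or _smtp._tls record published
}
FIXED_RECORDS = {
    "example.test": "v=spf1 include:_spf.mail.example.test -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test",
    "_mta-sts.example.test": "v=STSv1; id=20240301",
    "_smtp._tls.example.test": "v=TLSRPTv1; rua=mailto:tlsrpt@example.test",
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/]|$)")


def parse_tags(record):
    """Parse 'k=v; k=v' records (DMARC, MTA-STS, TLS-RPT) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Flag SPF settings that let arbitrary hosts send as the domain."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no record published; sending hosts cannot be validated"]
    findings = []
    terms = record.split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    elif all_terms[-1] in ("all", "+all"):
        findings.append("SPF: '+all' authorises any host to send as this domain")
    elif all_terms[-1] == "?all":
        findings.append("SPF: '?all' gives unlisted senders a neutral result")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceeds the limit of 10 (permerror)")
    return findings


def check_dmarc(record):
    """Flag DMARC policies that observe spoofing without acting on it."""
    if not record or not record.startswith("v=DMARC1"):
        return ["DMARC: no record; spoofed mail is neither rejected nor reported"]
    findings = []
    tags = parse_tags(record)
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: unknown or missing policy 'p={policy}'")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    return findings


def check_mta_sts(record):
    """DNS half of MTA-STS only; the HTTPS policy file is not fetched here."""
    if not record or not record.startswith("v=STSv1"):
        return ["MTA-STS: no policy record; inbound TLS can be downgraded to cleartext"]
    return []


def check_tlsrpt(record):
    if not record or not record.startswith("v=TLSRPTv1"):
        return ["TLS-RPT: no reporting address; TLS delivery failures go unreported"]
    return []


def assess(domain, records):
    """Run every check for one domain against a name -> TXT-record mapping."""
    return (
        check_spf(records.get(domain))
        + check_dmarc(records.get(f"_dmarc.{domain}"))
        + check_mta_sts(records.get(f"_mta-sts.{domain}"))
        + check_tlsrpt(records.get(f"_smtp._tls.{domain}"))
    )


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("fixed", FIXED_RECORDS)):
        print(f"{label}: {assess('example.test', recs) or ['no findings']}")
```

To run it against a live domain, replace the dictionaries with TXT lookups (for example via `dnspython`) for the same four names; the checks themselves do not change. Note that a clean result here is necessary but not sufficient: SPF `include:` chains, the MTA-STS policy file and DKIM selectors all need inspecting too.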
🧿 Privacy:
- Airbnb will ban indoor security cameras in its rental properties starting at the end of April. ‘Bout time. But with some installing secret cameras, will hosts actually listen? LINK
- The Tor project has released WebTunnel, a new feature to blend Tor traffic with standard encrypted web traffic to help those in heavily censored regions. LINK
📜 Policy & Regulation:
- The ICO has a consultation underway on “consent or pay” business models. LINK
- Software vendors must attest to the US federal government that their products are engineered following secure development practices. LINK, FORM
- The FCC has voted to approve the US Cyber Trust Mark, a voluntary security labelling scheme for consumer IoT and smart devices. The marks will include a QR code that should link to a “consumer-friendly” page detailing the device’s current security state, allowing for updates to the information. This is a good thing. LINK
- Sanctions not only frustrate cybercriminals’ attempts to monetise their attacks, but they also “[contribute] to sowing discord within certain groups”, according to Will Lyne, the NCA’s head of cyber intelligence. LINK
👮 Law Enforcement:
- Roman Sterlingov, a dual Russian-Swedish national, has been convicted for operating the Bitcoin Fog darknet money laundering service. The DOJ says over 1.2 million bitcoin (~$400 million) was moved through Bitcoin Fog between 2011 and 2021. LINK
- Dual Canadian-Russian national Mikhail Vasiliev has been sentenced to four years in prison. Vasiliev was arrested in November 2022 and pleaded guilty to eight charges and infecting more than 1,000 victims with the LockBit ransomware. LINK
And finally
- A new side-channel attack can detect keyboard entry in noisy environments with a ~43% success rate. LINK