Robin’s Newsletter #305

21 April 2024. Volume 7, Issue 16
Significant breach at data analytics firm Sisense. UK trade unions targeted. Perfect 10 vulnerability in Palo Alto Networks' GlobalProtect VPN product.

This week

Cydea Risk Platform launched

  • Indulge me, please, because this week we launched Cydea Risk Platform to a packed auditorium in London. Cyber risk is a burning issue—from the security team to the board—and tackling it requires clear communication and coordination. The tools for managing it don’t make it easy. Plus, there are lots of other things wrong with existing approaches.
  • It’s the culmination of a lot of effort from the Cydea team, our development partner and early adopters (many of them subscribers ☺️). It was a fantastic event, and we’ve had some super feedback from organisations large and small about how they see huge potential for improving their security programmes and saving lots of effort!
  • I also announced that we’d provide free access to 100 charities through the Cydea x Good Causes programme. If you’re involved or know someone in IT/senior management at a charity that would benefit, then please put them in touch with me on LinkedIn or any of these other methods
  • Close the loop! LINK

Change Healthcare ransomware incident costs to top $1 billion

  • UnitedHealth, parent of Change Healthcare, says that the February ransomware incident has caused $872 million in losses and expects the total bill to exceed $1 billion. The financial impact includes $593 million in direct costs associated with responding to the cyber attack and a further $279 million in business disruption. LINK, vol. 7, iss. 9
  • Meanwhile, RansomHub group has started leaking data stolen from Change Healthcare. The ALPHV group originally claimed responsibility, then went dark after it’s believed Change Healthcare paid a ~$22 million ransom to prevent data release. The cybercrime ecosystem is well developed, and many ransomware ‘groups’ are loosely affiliated contractors around a core developer. It’s likely that ALPHV (the developer) took the ransom and stiffed the contractor out of their share of the proceeds, hence the release now. LINK, vol. 7, iss. 10

Interesting reads

  • Eric Geller looks at recent Microsoft security issues and concludes the US Government has a Microsoft problem. LINK
  • The Japanese government has rejected a security improvement plan for a Yahoo subsidiary following a leak of customer data to Chinese actors in 2023. I could be wrong… but I think this is the first time a government has reviewed and rejected a company’s security plans following a breach? (UK gov was critical of Huawei, but that’s different). LINK
  • Researchers from the University of Illinois claim OpenAI’s GPT-4 can find and exploit real vulnerabilities. The large-language model (LLM) agent successfully exploited 87% of fifteen real-world vulnerabilities using CVE descriptions to aid its exploitation. Without this information, it dropped to a 7% success rate. No other LLMs (or open-source vulnerability scanners) found or exploited the same vulnerabilities. The researchers estimate it’s cheaper to use AI than human labour to find and exploit vulnerabilities (see stats, below). LINK, PAPER (PDF)
  • Doxing and the Trump criminal trial problem. LINK

Interesting stats

2.8x cheaper to use an LLM agent to find and exploit vulnerabilities than human labour (see above)

$3.5 million of stolen computing power used to generate just $1 million of cryptocurrency in a scam against cloud providers in Seattle and Redmond. LINK

$300 offered in SMS messages to T-Mobile and Verizon employees to carry out SIM swaps, where a customer’s phone number is associated with a new SIM card owned by the scammer so they can receive phone calls and messages, often as part of account takeover attacks. LINK

28% — an all-time low — for ransomware payment rates, according to Coveware: LINK

Ransomware payment rates have declined over time (Source: Coveware)

Other newsy bits / in brief

⚠️ Incidents:

  • MITRE says that nation-state attackers gained access to its network in January using vulnerabilities in Ivanti appliances. The threat actors gained access to an unclassified research and development environment. LINK
  • Cisco Duo says attackers stole phone and SMS logs of multi-factor authentication messages from a third-party telephony provider. Thankfully, the logs do not contain message contents (i.e. the second-factor code). LINK
  • The OpenJS Foundation says it stopped a “credible” takeover of one of their projects that shares characteristics with the recent XZ Utils backdoor incident. LINK, vol. 7, iss. 13
  • Frontier Communications is restoring systems following a breach by cybercriminals. The US communications provider says the attack forced it to partially shut down some systems to prevent lateral movement, leading to business disruption. LINK

🏴‍☠️ Ransomware:

  • The Daixin ransomware gang has claimed responsibility for an attack on Omni Hotels. LINK

🕵️ Threat Intel:

  • LastPass says cybercriminals are targeting its users in a convincing phishing campaign using the CryptoChameleon phishing-as-a-service kit. Seeing the company on the front foot of campaigns like this is good. LINK
  • Cisco Talos is warning of 4,000 IP addresses attempting logins using lists of 2,000 usernames and 100 passwords against VPN, RDP and other remote access solutions. LINK
  • According to the Food and Ag-ISAC, there were at least 167 ransomware attacks against US food and agriculture organisations in 2023. LINK
  • US police can force a suspect to unlock their phone with their thumbprint. According to the US Court of Appeals 9th Circuit, such action does not violate the US Constitution’s Fifth Amendment protection from self-incrimination and is “firmly in the same category as a blood draw or fingerprint taken at booking.” The court ruling continued, “Payne was never compelled to acknowledge the existence of any incriminating information. He merely had to provide access to a source of potential information.” Lesson here: use a complex PIN if you’re concerned about this kind of thing. LINK
  • Computer gamers targeted with Redline information stealing malware posing as game cheat software. LINK

🪲 Vulnerabilities:

  • A flaw in the PuTTY SSH client may allow attackers to recover private keys from around 60 SSH logins or, more realistically, from signed GitHub commits. CVE-2024-31497 applies to NIST P-521 ECDSA keys generated by affected versions of PuTTY, FileZilla, WinSCP, TortoiseGit and TortoiseSVN. If you have generated P-521 keys using that software, you will need to update and replace your keys to be safe. LINK, ADVISORY
  • Delinea (formerly Thycotic) Secret Server has a critical (10/10) vulnerability that allows attackers to gain admin access to, well, your secrets. LINK, ADVISORY
  • More critical vulnerabilities for Ivanti, this time in its Avalanche mobile device management (MDM) solution. In total, 27 vulnerabilities have been fixed, including the critical ones (CVE-2024-24996 and CVE-2024-29204) that attackers could exploit to gain remote command execution. LINK, ADVISORY
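The practical step from the PuTTY item is finding which keys are P-521 so they can be replaced. As an added example (not code from the newsletter, from the PuTTY project or from any vendor named above), the script below inventories OpenSSH authorized_keys / .pub lines and PuTTY .ppk headers and flags every NIST P-521 ECDSA key. It checks the key type embedded in the base64 blob rather than trusting the text label, and it handles a leading options field such as from="..." or command="...". The sample key lines are constructed and structurally valid but cryptographically meaningless; the AFFECTED_TYPES set, KeyRecord and the helper names are my own. Note that a public key does not reveal which tool generated it, so the conservative reading of the advisory is to treat every P-521 key as a rotation candidate.

```python
import base64
import re
import shlex
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Key type named in the advisory: NIST P-521 ECDSA. A public key does not show
# which software generated it, so every P-521 key is treated as a candidate.
AFFECTED_TYPES = {"ecdsa-sha2-nistp521"}

# Matches the key-type token of an authorized_keys / .pub line, e.g. ssh-rsa,
# ssh-ed25519, ecdsa-sha2-nistp521, sk-ecdsa-sha2-nistp256@openssh.com.
_KEY_TYPE_RE = re.compile(r"^(?:sk-)?(?:ssh|ecdsa)-[A-Za-z0-9@.-]+$")


@dataclass
class KeyRecord:
    line_no: int
    key_type: str
    comment: str
    affected: bool


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _blob_key_type(blob_b64: str) -> Optional[str]:
    """Return the key-type name embedded at the start of a base64 key blob."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        name = raw[4:4 + n]
        return name.decode("ascii") if len(name) == n else None
    except (ValueError, struct.error):
        return None


def parse_authorized_keys(text: str) -> List[KeyRecord]:
    """Parse authorized_keys-style lines into KeyRecords, flagging P-521 keys."""
    records: List[KeyRecord] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # handles quoted option values
        except ValueError:
            continue  # unbalanced quotes: not a usable key line
        if not tokens:
            continue
        # An optional options field (from=..., command="...", no-pty) may precede the type.
        start = 0 if _KEY_TYPE_RE.match(tokens[0]) else 1
        if len(tokens) < start + 2:
            continue
        labelled_type, blob = tokens[start], tokens[start + 1]
        comment = " ".join(tokens[start + 2:])
        # The type inside the blob is authoritative; fall back to the text label.
        key_type = _blob_key_type(blob) or labelled_type
        records.append(KeyRecord(line_no, key_type, comment, key_type in AFFECTED_TYPES))
    return records


def affected_keys(text: str) -> List[Tuple[int, str]]:
    """(line number, comment) for every key that should be replaced."""
    return [(r.line_no, r.comment) for r in parse_authorized_keys(text) if r.affected]


def ppk_key_type(ppk_text: str) -> Optional[str]:
    """Key type from a PuTTY .ppk file's first line, e.g. 'PuTTY-User-Key-File-3: ssh-rsa'."""
    first = ppk_text.splitlines()[0] if ppk_text else ""
    m = re.match(r"^PuTTY-User-Key-File-\d+:\s*(\S+)", first)
    return m.group(1) if m else None


# Constructed sample key blobs (structurally valid, cryptographically meaningless).
RSA_BLOB = base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00" + bytes(range(1, 33)))
).decode()
P256_BLOB = base64.b64encode(
    _ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256") + _ssh_string(b"\x04" + bytes(64))
).decode()
P521_BLOB = base64.b64encode(
    _ssh_string(b"ecdsa-sha2-nistp521") + _ssh_string(b"nistp521") + _ssh_string(b"\x04" + bytes(132))
).decode()

# Constructed sample authorized_keys content.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys, not real keys",
    "ssh-rsa " + RSA_BLOB + " alice@laptop",
    'from="10.0.0.0/8",no-pty ecdsa-sha2-nistp521 ' + P521_BLOB + " bob@build-host (PuTTY)",
    "",
    "ecdsa-sha2-nistp256 " + P256_BLOB + " carol@jumpbox",
])

if __name__ == "__main__":
    for line_no, comment in affected_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {line_no}: P-521 key '{comment}' should be replaced")
```

Run against real files by passing the contents of ~/.ssh/authorized_keys, *.pub files or .ppk files to the two functions; for the sample above it reports the single P-521 key on line 3. Replacing a flagged key means generating a new one with patched software (or a different curve), adding the new public key everywhere the old one was authorised, and only then removing the old one.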

🧰 Guidance and tools:

  • NCSC has released Cyber Assessment Framework 3.2 reflecting the ‘increased threat’ to UK critical national infrastructure (CNI) organisations. LINK

🛠️ Security engineering:

  • Roku is forcing multi-factor authentication on its users after a breach of 600,000 accounts. LINK

🧿 Privacy:

  • OpenTable backtracks after backlash about adding backdated names to reviews. LINK
  • A service called Spy Pet is hoovering up billions of Discord messages and user information from public servers, then offering it for sale. LINK
  • The EU’s Data Protection Board (EDPB) has published an opinion saying that tech companies like Meta should not offer “consent or pay” models. The crux appears to be that consumers do not fully understand the binary choice of ‘pay’ or ‘let us use your data’. There is a cost to running services, and plainly, it would be unreasonable to expect firms to offer things for free. LINK

📜 Policy & Regulation:

  • NATO is launching a new cyber centre in Belgium to ensure “cyberspace is contested at all times”. The NATO Integrated Cyber Centre (NICC) (a working title) will be based on the UK’s National Cyber Security Centre model, with civilian, industry and military staff working alongside each other. LINK

👮 Law Enforcement:

  • Global law enforcement has seized LabHost, a phishing-as-a-service site estimated to have generated over £1 million in profits for its operators. Europol says the investigation “uncovered at least 40,000 phishing domains,” and the site had “10,000 users worldwide.” LINK

💰 Investments, mergers and acquisitions:

  • Wiz is reportedly in discussions to acquire rival Lacework for $150 million to $200 million. Both companies are in the ‘cloud security’ space, though not direct competitors: the deal would be based on tech, talent and customer acquisition benefits. They have annual recurring revenues of $350 million and $100 million, respectively. It would mark a significant haircut for Lacework, though, with previous fundraising valuing the company at $8.3 billion. LINK
  • Evolution Equity Partners has raised a new $1.1 billion cybersecurity and AI fund. Evolution Technology Fund III will pursue investments of $20 million to $150 million in around 30 companies in North America, Europe, and Israel. LINK

🏭 Industry news:

  • PwC UK cyber partner Richard Horne has been announced as the next CEO of the UK’s National Cyber Security Centre. Horne will join this autumn, succeeding Felicity Oswald, NCSC’s COO and interim CEO. LINK

And finally

  • Microsoft has released VASA-1, an AI model that “paves the way for real-time engagement with lifelike avatars”. The model needs a single photo and audio track, which would seem to be ripe for creating deepfakes, though this is not their intention. One of the example videos is of the Mona Lisa rapping, if that’s your kinda thing. LINK
  • There were hours of delays at Sacramento International Airport (SMF) on Thursday after the AT&T internet and phone line serving the airport was cut in a “deliberate act”. Seemingly, there is no reason why an airport serving over 12 million passengers doesn’t have a suitably diverse internet connection. LINK
Robin
