This week
US passes legislation to force sales of US TikTok business
- This week, the US Senate approved, and President Biden signed, a bill ordering Chinese-headquartered ByteDance to sell its US TikTok business in the next 270 days. The legislation classifies TikTok as a “foreign adversary controlled application”. Failing to sell the business would result in TikTok losing access to the American market. LINK
- TikTok is set to be influential in the US Elections later this year, and its foreign ownership and control of the recommendation algorithm have spooked US lawmakers. (This is a little ironic, given how many other countries have social media controlled by US-headquartered companies).
- Unsurprisingly, ByteDance is prepared to “move to the courts” with Michael Beckerman — the social media network’s US chief — describing the move as a “clear violation of the First Amendment rights of TikTok’s 170 million American users” in a memo to staff. LINK
UnitedHealth confirms it paid a ransom
- UnitedHealth Group, the parent company of Change Healthcare, confirmed on Monday that it paid a ransom to the attackers in an effort to protect patient data. LINK
- It’s unclear if the statement refers to the $22 million sum reportedly paid to AlphV, who subsequently went to ground, or a second group called RansomHub, who has since removed the listing from their breach site.
- A “substantial proportion of people in America” had their personal information accessed during the February ransomware attack on Change Healthcare. Citing the “ongoing nature and complexity” of the review, the healthcare company said it would likely take “several months” before they can identify and notify affected individuals. LINK
Interesting stats
10 days median dwell time for attackers on victims’ networks in 2023, down from 16 days in 2022, according to Mandiant’s M-Trends 2024 report. 54% of compromised organisations learned about their incident from an external source, rising to 70% for ransomware attacks specifically (not entirely surprising given the nature of these incidents). REPORT (PDF)
Other newsy bits / in brief
⚠️ Incidents:
- Russian threat actor Cyber Army of Russia has claimed responsibility for a breach at the Tipton Wastewater Treatment Plant in Indiana. Mandiant believes the group shares a close operational relationship with Sandworm, the unit of Russia’s GRU military intelligence agency. LINK
- Customers of India’s eScan antivirus software may have gotten more than they bargained for after an attacker-in-the-middle compromise of software updates pushed the GuptiMiner crypto mining malware to users. The threat actor is believed to be tied to North Korea, and this was possible because the AV provided updates over plain HTTP without verifying any integrity signatures. LINK
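The eScan item above comes down to two missing controls: the update channel was unauthenticated (plain HTTP) and the client never checked that what it received was what the vendor built. As an added illustration (not code from eScan, Avast or the original post), the Go program below shows the client-side checks an update agent should run before installing anything: refuse non-HTTPS update URLs, verify an Ed25519 signature from the vendor’s release key over the manifest digest, and only then compare the downloaded bytes against that digest. The manifest layout, the URLs and the sample payloads are constructed for the example; a real scheme would also bind the version to the signature to block rollback.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// UpdateManifest is a constructed (hypothetical) format: the vendor ships the
// update bytes together with their SHA-256 digest and an Ed25519 signature
// over that digest made with the vendor's release-signing key.
type UpdateManifest struct {
	URL       string
	Payload   []byte
	Digest    [32]byte
	Signature []byte
}

var (
	ErrInsecureTransport = errors.New("update URL must use https")
	ErrBadSignature      = errors.New("manifest signature does not verify")
	ErrDigestMismatch    = errors.New("payload digest does not match manifest")
)

// VerifyUpdate performs the checks the eScan client reportedly lacked. Order
// matters: authenticate the manifest first, then trust its digest to judge
// the payload. Any failure means the update must not be installed.
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest) error {
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" {
		return ErrInsecureTransport // plain HTTP is trivially interceptable
	}
	if !ed25519.Verify(pub, m.Digest[:], m.Signature) {
		return ErrBadSignature // manifest not produced by the release key
	}
	if sha256.Sum256(m.Payload) != m.Digest {
		return ErrDigestMismatch // bytes were swapped after signing
	}
	return nil
}

// SignUpdate is the vendor/build-server side, included only so the example
// runs offline against a freshly generated key pair.
func SignUpdate(priv ed25519.PrivateKey, rawURL string, payload []byte) UpdateManifest {
	d := sha256.Sum256(payload)
	return UpdateManifest{
		URL:       rawURL,
		Payload:   payload,
		Digest:    d,
		Signature: ed25519.Sign(priv, d[:]),
	}
}

// Demo runs three constructed scenarios and returns the verifier's verdict
// for each: a genuine update, a payload substituted in transit, and the same
// manifest served over plain HTTP.
func Demo() (genuine, tampered, plainHTTP error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed sample AV definition update v1.2.3")
	m := SignUpdate(priv, "https://updates.example.invalid/av/1.2.3.bin", payload)

	genuine = VerifyUpdate(pub, m)

	swapped := m // attacker keeps the signed manifest but replaces the bytes
	swapped.Payload = []byte("constructed substituted payload")
	tampered = VerifyUpdate(pub, swapped)

	downgraded := m // same content, but fetched over an unauthenticated channel
	downgraded.URL = "http://updates.example.invalid/av/1.2.3.bin"
	plainHTTP = VerifyUpdate(pub, downgraded)
	return
}

func main() {
	g, t, h := Demo()
	fmt.Println("genuine update:   ", g)
	fmt.Println("tampered payload: ", t)
	fmt.Println("plain-HTTP source:", h)
}
```

The public key must be pinned in the client (or in a trust root the client already holds) rather than fetched from the same update server, otherwise an attacker who controls the channel can simply supply their own key alongside their own payload.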
- Sticking with India, Mumbai-based ICICI Bank “erroneously mapped” around 17,000 credit cards to the “wrong” users. The bank’s digital channels displayed the full card number and verification value. Around 0.1% of the bank’s card portfolio was affected. LINK
🕵️ Threat Intel:
- Microsoft is attributing a malware called ‘GooseEgg’ to Russia’s Fancy Bear (aka APT28, Forest Blizzard) group. GooseEgg exploits a vulnerability in the Windows Print Spooler service (patched in 2022) to elevate privileges and traverse target networks before installing other modules to carry out an action on objectives. LINK
- Performanta says cybercriminals are increasingly experimenting and refining techniques on businesses in Africa, Asia and South America before targeting Western companies with more financial resources. LINK
- The UK Security Service, MI5, is warning universities that hostile foreign states are targeting sensitive research. New funding will be available to improve the security of certain ‘dual-use’ civilian and military research projects. NCSC has built a tool to help universities assess their research security. LINK
🪲 Vulnerabilities:
- Proof of concept exploit code has been released for a critical vulnerability in Progress Software’s Flowmon network monitoring tool. Attackers can exploit CVE-2023-2389 (10/10) to gain remote, unauthenticated access and execute arbitrary system commands. LINK
- Attackers are targeting a critical vulnerability (CVE-2024-27965; 9.9/10) in the WP Automatic plugin for WordPress. LINK
🧰 Guidance and tools:
- ‘Pathways’ will provide a route for larger, complex organisations to achieve Cyber Essentials certification by demonstrating they’re achieving the desired outcomes of the scheme instead of having to implement the prescribed controls. LINK
🧿 Privacy:
- Dating app Grindr is facing a legal challenge in the UK over claims it shared HIV status and testing dates with advertising partners. LINK
- Kaiser, a US healthcare group, is notifying 13.4 million current and former customers after confirming it shared patient data with third-party advertisers via tracking code in its website and apps. LINK
- The FTC will be issuing $5.6 million in refunds to Amazon Ring customers affected by lax privacy protections that allowed attackers and ‘rogue’ workers to spy on customers. LINK
📜 Policy & Regulation:
- China has announced a reorganisation of its military to establish an “Information Support Force” so that the People’s Liberation Army (PLA) is capable of “winning modern wars.” LINK
- Undersea cables, ‘trustworthy’ data centres and securing 5G networks are key themes for the US cyber ambassador’s $50 million foreign aid fund. LINK
- Europol is getting involved in the end-to-end encryption (E2EE) debate, citing it as a blocker to preventing “the most heinous of crimes”, including terrorism, human trafficking and child sexual abuse. The announcement was in cooperation with the UK’s National Crime Agency. LINK
- Sweden is bringing its National Cyber Security Centre under the control of its signals intelligence agency (similar to the model in the UK) to address funding challenges and a lack of results stemming from a lack of “clear goals, missions, and division of responsibilities”. LINK (I don’t think it’s a knee-jerk reaction to low supplies of booze at the state-controlled liquor company LINK)
- US cloud companies are pushing back on ‘know-your-customer’ checks required by a forthcoming executive order. The White House is seeking to make it more difficult for foreign powers to rent infrastructure from which to attack US organisations. The cloud providers claim it’s costly and a logistical challenge, and they claim spooks can easily circumvent the checks. (KYC checks are increasingly commonplace in financial services to prevent money laundering and financial crime). LINK
💰 Investments, mergers and acquisitions:
- Security automation outfit Tines has raised a $50 million ‘extension’ to its Series B funding round and reports revenues growing 200% in the last 18 months. Tines says it will use the funds to diversify beyond security into infrastructure and engineering. LINK
🏭 Industry news:
- Rubrik went public on Thursday, with its shares on the New York Stock Exchange (RBRK) up 16% on the first day of trading. LINK
- And Darktrace said it will go private, agreeing to a £4.25 billion ($5.3 billion) takeover by private equity firm Thoma Bravo. Darktrace floated in April 2021 at 250p a share and has had a rocky time on the markets, reaching over 940p in October 2021 and sinking below 250p in early 2023. Thoma Bravo’s offer — its second attempt at acquiring the business — is for 620p a share, a 20% premium on Thursday’s closing share price. LINK, MORE
And finally
- Leicester City Council can’t turn its street lights off due to their recent cyberattack. As El Reg notes, firms are usually concerned with whether they’ll be able to ‘keep the lights on’ in the wake of a substantial breach. LINK, vol. 7, iss. 14
- Japanese police are placing “Virus Token Horse Removal Payment Card” and “Unpaid Bill Later Fee Payment Card” in convenience stores to warn elderly customers of cybercriminal scams. It’s not stupid if it works. LINK