Robin’s Newsletter #307

5 May 2024. Volume 7, Issue 18
Microsoft ties exec pay to security. Change Healthcare paid $22M ransom. The UK bans default passwords for smart tech.

This week

Microsoft to tie executive pay to security improvements, makes governance changes

  • In an email to staff this week, CEO Satya Nadella said that Microsoft will prioritise security over new features. Security will be “[a] top priority at Microsoft, above all else,” Charlie Bell, executive vice president for security, added in a blog post. 
  • The changes fall under the “Secure the Future Initiative,” which is a potentially tacit acknowledgement of Microsoft’s importance in the global technology ecosystem. Under the initiative, some senior executives will have compensation linked to achieving security targets, and deputy CISOs will be paired with engineering teams. 
  • Good, I guess. It’s a shame it took such a serious incident and damning Cyber Safety Review Board report to spur Redmond into action. LINK

The UK has become the first country to ban bad default passwords on smart tech

  • From this coming Monday, manufacturers of smart devices sold in the UK are legally required to meet minimum security standards. Default passwords — like “admin” — are banned, and companies must publish details for how bugs and vulnerabilities can be reported. The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) also requires manufacturers to clearly state a minimum period for which they will provide security updates.
  • The Office for Product Safety and Standards (OPSS) is charged with enforcing the rules. Noncompliance is a criminal offence carrying a financial penalty of up to £10 million ($12.5M) or 4% of worldwide revenue, whichever is higher. LINK, CSRB

Germany says Russia was behind cyberattacks

  • German foreign minister Annalena Baerbock says that cyberattacks in 2023 against German political, technology and defence organisations were “unambiguously” carried out by APT28, aka Fancy Bear, a group linked to Russian military intelligence. 
  • Several websites were taken offline, and a vulnerability in Microsoft Outlook was exploited to gain access to the networks of affected companies. The attacks occurred during a period when Berlin was debating further support for Ukraine. Baerbock described the attacks as “absolutely intolerable” and said that they “will have consequences”. 
  • The Czech Republic has also said APT28 has targeted its institutions. LINK

Change Healthcare CEO confirms they paid $22 million ransom; the attack vector was Citrix with no MFA

  • Andrew Witty, CEO of Change Healthcare’s parent company, UnitedHealth Group, was testifying in front of the US Congress this week. Witty confirmed that Change Healthcare made the $22 million payment to ALPHV (aka BlackCat). The cybercriminals then pulled an exit scam on their criminal partners and made off with the money. 
  • Witty explained that the criminals had gained access to the company’s network nine days before carrying out the attack that crippled the systems processing a substantial portion of US medical claims. The entry point was a Citrix remote access portal that did not have multi-factor authentication enabled.
  • Witty’s decision to make the ransom payment was “one of the hardest decisions I’ve ever had to make.” LINK

Interesting stats

It’s that time of year… The Verizon 2024 Data Breach Investigations Report (DBIR) is out! LINK

So, what are some of the key takeaways?

It’s all about the money:

The vast majority of breaches are financially motivated (source: DBIR 2024)

Threat actors are largely using legitimate credentials to get in:

Credentials are the way in almost 40% of the time (source: DBIR)

The majority of folks are not paying ransoms to cybercriminals:

4% of ransomware attacks resulted in a payment; $47,500 was the median adjusted loss (after recovery of any funds by law enforcement); 1.34% was the median ransom demand as a proportion of revenue.

Very few ransoms are actually paid by victims (source: DBIR 2024)

No, cybercriminals are not using GenAI to attack you:

Mentions of GenAI alongside attack types on cybercrime suggests it’s just not happening (source: DBIR 2024)

Lastly, here is some interesting ‘survival analysis’ of Known Exploited Vulnerabilities (see also BitSight below):

Half of vulnerabilities on CISA’s KEV list are patched within 55 days (source: DBIR 2024)

(Finally, be sure to check out Kelly Shortridge’s summary below)

3.5x faster patching time for vulnerabilities that CISA adds to its Known Exploited Vulnerability (KEV) list, according to BitSight. But don’t get too excited… 174 days is the median time to patch a KEV list item, versus 621 days median time to patch non-KEV list vulnerabilities. LINK

2.28 million Android apps blocked by Google from the Google Play store in 2023 for security and privacy violations, up from 1.5 million in 2022 (+52%). That is a huge number. 333,000 Google Play developer accounts that uploaded malicious or fraudulent apps were banned. LINK

Other newsy bits / in brief

🤓 Interesting reads:

  • Recorded Future interviews Bill Winters, the CEO of Standard Chartered about how cyber has become a ‘disproportionately huge topic’ at board meetings, plus a bit about artificial intelligence, cryptocurrency and combating financial crime. LINK, MORE

  • Kelly Shortridge on the Verizon Data Breach Investigations Report (DBIR). Great analysis and excellent points, especially around user expectations. Does Verizon really expect people to spend more than a handful of seconds reading emails? LINK

⚠️ Incidents:

  • A disgruntled New York IT consultant has been arrested for threatening to disclose confidential and proprietary customer information unless they pay him $1.5 million for ‘employment discrimination’. LINK
  • Dropbox says that someone breached its e-signature systems and gained access to customer information. All users of Dropbox Sign (formerly HelloSign) are somehow affected, with names, email addresses, and settings compromised, as well as phone numbers, hashed passwords, API keys, and multi-factor authentication methods for a subset of customers. The company’s SEC filing says it does not expect the incident to be “material”. It also says there is “no evidence” that attackers accessed the contents of Dropbox Sign customers. LINK
  • Lithuanian and Estonian officials have warned that Russian jamming of GPS signals in their countries near the Russian border is “too dangerous to ignore”. Finnish airline Finnair has ceased flights to Tartu, Estonia for the next month while the airport installs an alternative system to GPS. LINK
  • Ukraine’s military intelligence agency, the GUR, launched an attack against the digital infrastructure of Russia’s ruling political party. The attack, which rendered United Russia’s online presence “partially inaccessible”, coincided with “Victory Dictation”, a day on which people are encouraged to take a Russian history test online. LINK
  • The website of Belarus’s security service (KGB) has been offline for two months; this week, the Belarusian Cyber-Partisans claimed responsibility for the attack and released files on over 8,600 KGB agents and a Telegram bot to identify agents in photographs uploaded by users. LINK
  • Police have arrested a man in Sydney on charges of blackmail after the individual claimed to have breached Outbox, a system used in the hospitality sector, and stolen over 1 million records. The Outbox system collects personal data, including photographs and signatures of pub and club-goers. LINK, MORE

🏴‍☠️ Ransomware:

  • Canadian pharmacy company London Drugs closed its 80 stores last weekend due to a “cybersecurity incident”. The Daixin Team ransomware group claimed responsibility for the attack. LINK

🕵️ Threat Intel:

  • Okta is warning of the “unprecedented scale” of compromised devices ensnared in residential proxy networks and used to conduct credential stuffing attacks. Residential proxy networks offer (paying) users the ability to mask their traffic by appearing to come from different home broadband or mobile network connections. Some people knowingly install so-called ‘proxyware’ in return for financial rewards, while others may have been infected with malware and unwittingly participating. Okta says that a growing number of mobile app developers are being lured into using compromised Software Development Kits (SDKs) that include malicious code to turn their app into a proxy for malicious traffic surreptitiously. LINK
  • ‘Cuttlefish’ malware, which targets small office/home office routers, has been identified by Lumen Technologies. The malware intercepts data passing through the router and exfiltrates authentication credentials via a proxy or VPN tunnel. Other capabilities include the ability to hijack DNS and HTTP requests. LINK
  • Mandiant says a group linked to Iran’s Revolutionary Guard Corps is impersonating journalists, think tanks and event organisers in social engineering attacks against espionage targets of interest to the Tehran regime. LINK
  • US federal agencies say that North Korea is exploiting misconfigured DMARC policies to send apparently legitimate emails in social engineering attacks. LINK
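Okta’s warning above is about distributed credential stuffing: each proxied home IP makes only one or two attempts, so a per-IP lockout threshold never trips. The following is an added example (my own code, not Okta’s detection logic or anything from the newsletter) that looks for the aggregate signal instead: many distinct usernames failing from many distinct IPs in one time window, with low per-IP counts. The log format (timestamp, result, username, source IP) and the log lines are constructed for the example.

```python
"""Flag distributed credential-stuffing patterns in authentication logs.

Added example; not Okta's code or any product's real log format. The log lines
below are constructed: ten distinct usernames each tried once from a different
IP within one minute, mixed with ordinary user activity.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed burst: user00..user09 from 198.51.100.0..9, one attempt each.
STUFFING_BURST = "\n".join(
    f"2024-05-01T10:00:{i:02d}Z FAIL user{i:02d} 198.51.100.{i}" for i in range(10)
)
# Constructed normal traffic: alice mistypes twice then succeeds; bob logs in.
NORMAL_TRAFFIC = """\
2024-05-01T09:30:00Z FAIL alice 203.0.113.5
2024-05-01T09:30:20Z FAIL alice 203.0.113.5
2024-05-01T09:30:45Z OK alice 203.0.113.5
2024-05-01T10:00:30Z OK bob 203.0.113.9
"""
SAMPLE_LOG = NORMAL_TRAFFIC + STUFFING_BURST + "\n"


def parse_line(line):
    """Split one constructed log line into (timestamp, result, username, ip)."""
    ts, result, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip


def max_failures_per_ip(log_text):
    """The only number a per-IP lockout rule sees; small for distributed attacks."""
    per_ip = Counter(
        parse_line(l)[3] for l in log_text.splitlines() if l.strip() and " FAIL " in l
    )
    return max(per_ip.values()) if per_ip else 0


def find_stuffing_windows(log_text, window_minutes=5, min_users=8, min_ips=8, max_per_ip=2):
    """Return one alert per fixed time window whose failures look like stuffing.

    A window is flagged when it contains many distinct usernames AND many
    distinct source IPs AND no single IP exceeds max_per_ip attempts. The last
    condition is what distinguishes a proxied spray from one noisy brute-forcer.
    """
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = parse_line(line)
        if result != "FAIL":
            continue
        # Floor the timestamp to the start of its window_minutes bucket.
        start = ts.replace(second=0, microsecond=0, minute=ts.minute - ts.minute % window_minutes)
        buckets[start].append((user, ip))

    alerts = []
    for start in sorted(buckets):
        attempts = buckets[start]
        users = {u for u, _ in attempts}
        per_ip = Counter(ip for _, ip in attempts)
        if len(users) >= min_users and len(per_ip) >= min_ips and max(per_ip.values()) <= max_per_ip:
            alerts.append({
                "window_start": start.isoformat(),
                "distinct_users": len(users),
                "distinct_ips": len(per_ip),
                "max_attempts_per_ip": max(per_ip.values()),
            })
    return alerts


if __name__ == "__main__":
    print("max failures from any single IP:", max_failures_per_ip(SAMPLE_LOG))
    for alert in find_stuffing_windows(SAMPLE_LOG):
        print("possible credential stuffing:", alert)
```

On the constructed log no IP fails more than twice, so a classic "lock after five failures from one IP" rule stays silent, while the window-level check fires on the 10:00 bucket. Thresholds are placeholders to tune against your own baseline of distinct users and IPs per window.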
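The DMARC item above turns on a configuration detail: a record that says `p=none` (or that applies its policy to only a fraction of mail, or leaves subdomains uncovered) asks receivers to report spoofed mail rather than block it. Here is an added example, my own code and not from the newsletter or the agencies’ advisory, that parses DMARC TXT records and lists those weak settings. The domain names and records are constructed; in real use you would fetch the TXT record at `_dmarc.<domain>` with a DNS resolver.

```python
"""Assess DMARC TXT records for settings that leave a domain spoofable.

Added example (not from the newsletter). Records are constructed for
illustration under hypothetical domains.
"""
from __future__ import annotations

# Constructed sample records keyed by hypothetical domain; None = no record published.
SAMPLE_RECORDS = {
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10; sp=none",
    "missing.example": None,
}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC record into tag/value pairs; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str | None) -> list[str]:
    """Return findings for one record; an empty list means an enforcing policy."""
    if record is None:
        return ["no DMARC record published"]
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("record does not declare v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failures are only reported, never blocked")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown or missing policy tag p={policy!r}")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sp = tags.get("sp", "").lower()
    if sp == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none: subdomains are not covered by the parent policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


def audit(records: dict[str, str | None]) -> dict[str, list[str]]:
    """Assess every record in a domain -> record mapping."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, findings in audit(SAMPLE_RECORDS).items():
        print(f"{domain}: {'OK' if not findings else 'WEAK'}")
        for finding in findings:
            print(f"  - {finding}")
```

The checks mirror the DMARC tags themselves: `p` is the policy for the domain, `sp` the policy for subdomains, `pct` the share of failing mail the policy applies to, and `rua` where aggregate reports go. A domain that passes SPF and DKIM alignment but publishes `p=none` still lets a spoofed message reach the inbox, which is the misconfiguration the item describes.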

🪲 Vulnerabilities:

  • HPE’s ArubaOS has four critical vulnerabilities. CVE-2024-26305/26304/33511/33512 (9.8/10) are all buffer overflow issues that can lead to code execution as a privileged user. LINK, ADVISORY
  • CISA says there is evidence that a critical vulnerability in GitLab is being exploited. CVE-2023-7028 (10/10) allows password resets without user interaction (for users without MFA). The fix was released back in January. Patch if you haven’t already. LINK, ADVISORY

🧰 Guidance and tools:

  • NCSC primer on business email compromise (BEC): what it is and steps to take to protect your organisation better. LINK

🛠️ Security engineering:

  • If you know the name of an AWS S3 bucket, you can spam PUT requests against it, which costs the owner every time. Maciej Pocwierz, a developer who picked an ‘unlucky’ name for a project, found his client on the receiving end of a $1,300 bill after an unnamed open-source tool made almost 100 million requests to store data in his S3 bucket in a single day. Amazon should only really be charging for authorised requests. H/t Lee LINK

🧿 Privacy:

  • The FCC has fined T-Mobile, AT&T, and Verizon $196 million for “illegally sharing access to customers’ location information without consent”. The practices originally came to light in 2018. LINK

📜 Policy & Regulation:

  • Experts and even the EU’s Data Protection Supervisor are sounding the alarm over EU plans to require messaging apps to scan for both known and unknown child sexual abuse material (CSAM). LINK

👮 Law Enforcement:

  • Aleksanteri Kivimäki, the man behind an attack on a Finnish psychotherapy centre where he subsequently attempted to blackmail their patients individually, has been sentenced to more than six years in prison. Kivimäki, a self-professed member of the Lizard Squad ‘cyber briefing collective’, was charged with over 20,000 counts of attempted blackmail and 9,200 counts of disseminating information infringing people’s private lives. LINK
  • Yaroslav Vasinskyi, a 24-year-old Ukrainian national, has been sentenced to almost fourteen years in prison for REvil (Sodinokibi) ransomware attacks, including against Florida software company Kaseya, and demanding over $700 million in ransom payments. LINK

💰 Investments, mergers and acquisitions:

  • Open-source developer security platform Aikido from Ghent, Belgium, has announced a $17 million Series A. LINK

🏭 Industry news:

  • The French government has approached Atos about buying its Big Data & Security (BDS) business unit. Atos has been trying to flog the BDS division, which includes its cybersecurity products business, and a deal with Airbus fell through earlier this year. The French offer is on a valuation of between €700 million and €1 billion ($750M to $1.07B). LINK vol. 7, iss. 12

And finally

  • If you’re in the market for a supercomputer, maybe as a password cracking rig, look no further than the US General Services Administration. The GSA is auctioning off the Cheyenne supercomputer, which operated between January 2017 and December 2023 and was once the world’s 20th most powerful supercomputer. The title is courtesy of the 145,152 CPU cores, 313 terabytes of memory and 40 petabytes of storage. Peak performance was 5,340 teraflops. (The current #1 supercomputer, Frontier at Oak Ridge National Labs, has almost 8.7 million cores and tops out at 1,679 petaflops.) You’d best have a good power supply, though: Cheyenne consumes 1.7 megawatts of power when fully operational. LINK, AUCTION


10 LET Y = Y + 1
20 IF Y = "60" THEN GOTO 40
30 GOTO 10
