Robin’s Newsletter #308

12 May 2024. Volume 7, Issue 19
RSA 2024 Recap. New US international cyber strategy. Three fascinating incidents.

This week

RSA 2024 Recap

  • It’s been a busy week for me at the RSA Conference. Lots of great sessions, meetings and — of course — time spent in the expo hall digesting and trying to make sense of the cyber market. For those of you unable (or unwilling!) to face the travel and vendor overload, don’t worry; I’ve got you covered. Here are five observations from San Francisco:
  • ✨ Artificial Intelligence: ‘AI-powered’ is the new ‘next-gen’ label. The majority of vendors now use it somewhere in their product marketing. Few understand exactly what it does.
  • 🛒 Retail vibes: Multiple vendor stands were decked out like pastel supermarkets, sweet shops or fashion stores… for reasons I don’t quite understand. I guess it’s not black and green/red/orange and therefore makes you stand out?
  • 🤖 Simplicity & automation: Similar to AI, many folks say they will help you simplify your security. Few follow through by taking action and remediating issues, however. Instead, they generate lists of work for already overworked security teams. One example was a chat interface to the firm’s AI with an example of casually “asking what I missed” over the last month. Who has time for this? Why isn’t it just surfaced automatically?
  • 📣 Product marketing: There are still loads of three- and four-letter acronyms, many from analyst firms, bandied around like they’ve been around forever and that you will know what they mean. Three stands back-to-back-to-back offered ‘ASPM solutions’ without an explanation of what they were (Application Security Posture Management).
  • 🌐 Observability: Another theme across people (human/insider threat), inside software (bills of materials), and across all your security systems (as a meta platform to simplify, see above). It’s not a specific category in its own right (yet?).
  • Check out the full video from me and Tim Orchard on LinkedIn VIDEO

US launches new cyber strategy

  • I was also present when US Secretary of State Antony Blinken announced a new international cyber strategy at the RSA Conference this week. The strategy responds to three trends: foundational technologies transforming economies (including semiconductors, AI, and synthetic biology), the dissolving boundaries between physical and digital realms, and the need to understand the ‘full stack’ (“from tech… to talent”).

  • The need for technology to “support” rather than “suppress” human rights, and cultivating cooperation between “rights-respecting” countries, were recurrent themes in Blinken’s speech. He called out the need to support domestic innovators, citing 5G as an example of where this has gone wrong in the recent past. Securing the supply of critical minerals needed for semiconductors and batteries was also touched on.

  • Secretary Blinken set out four “areas of action” where the US will seek to engage the rest of the world on tech and security:

  1. Efforts to “promote, build and maintain an open, inclusive, secure, and resilient digital ecosystem.”
  2. More coordination among allied countries on digital and data governance.
  3. Developing tactics to advance “responsible” state behaviour and norms in cyberspace.
  4. Building capacity in more countries to combat cybercrime.

“Committed not to digital sovereignty, but to digital solidarity.” — Antony Blinken

  • Digital solidarity, rather than sovereignty, was another theme and counter-point to the Balkanisation of the internet that’s currently underway. LINK

Interesting stats

3,000+ incidents were reported to the UK Information Commissioner’s Office in 2023, with the top three sectors being 22% finance, 18% retail, and 11% education. LINK

The ICO’s data security incident trends data set is also worth looking at; below is a chart of 2023 incidents by type, showing 16% involved data being emailed to the wrong recipient and 12% being attributed to ransomware. LINK

A chart showing the proportion of 2023 incidents reported against the incident type (Source: ICO)

Other newsy bits / in brief

🤓 Interesting reads:

  • GhostStripe: Abusing the ‘rolling shutter’ effect of video sensors to trick the camera systems on autonomous vehicles into ‘seeing’ different road signs. LINK, PAPER (PDF)

⚠️ Incidents:

Three fascinating incidents to kick things off…

  • The solar storm (responsible for many sightings of the Aurora Borealis at unusually low latitudes this weekend) caused issues with GPS receivers and prevented some farmers from planting crops. Modern tractors and farm machinery come equipped with centimetre-accurate receivers to assist in efficiently planting, spraying and harvesting crops. A John Deere dealership warned its farmers that the accuracy of John Deere’s StarFire ‘real-time kinematic’ system was “extremely compromised”. LINK
  • Mark Read, chief exec of advertising and PR giant WPP, was the target of a deepfake scam aimed at his senior executives. The scammers used a photo to set up a fake WhatsApp account before getting execs to join a Teams meeting where the scammers used cloned video footage of another executive with the “ultimate aim of extracting personal information and money”. The attackers, despite their sophistication, were not successful. LINK
  • Google Cloud CEO Thomas Kurian and UniSuper CEO Peter Chun have issued a joint apology to UniSuper’s 620,000 workplace pension customers after an “unprecedented sequence of events” and “inadvertent misconfiguration” resulted in UniSuper’s Private Cloud subscription being deleted. It’s extraordinary to think that a misconfiguration could lead to a deleted cloud tenant. It underscores why you need copies of your cloud data: Service-, Platform- or Infrastructure-as-a-Service providers help with redundancy, but they don’t negate the need for backups. Fortunately, Google and UniSuper restored services within a week, and customers can now access their accounts. H/t Glenn LINK

Other incidents… 

  • The UK suspects Chinese threat actors are behind an intrusion at a payroll provider to the Ministry of Defence. The supplier is Shared Services Connected Ltd (SSCL), a subsidiary of Sopra Steria, who hold the names and bank details of 270,000 current and former British military personnel. The MOD’s networks were not affected by the incident. LINK
  • A security researcher discovered almost 1.3 million documents belonging to Amberstone Security. The physical security business fixed the misconfiguration within 24 hours, protecting the documents, which included theft reports from retail locations, CCTV images, and copies of its personnel clocking on for their security guard shifts. LINK
  • Game developer Square Enix has blamed distributed denial of service attacks on game servers for the difficulties experienced by players trying to log in and play Final Fantasy. LINK
  • The US Patent and Trademark Office (USPTO) is writing to thousands of patent holders after their private addresses were exposed in public records between 23rd August 2023 and 19th April 2024. USPTO published data sets that included details of around 14,000 applicants. LINK
  • Dell has notified customers that it has lost their names and physical addresses in a data breach. The IT vendor is investigating “an incident involving a Dell portal, which contains a database with limited types of customer information related to purchases from Dell.” Reportedly, 49 million records are now available for sale on the dark web. The information also includes service tag, order and warranty information. In an interview with TechCrunch, the attacker says they registered on a partner portal and brute forced the service tag information — formed of seven consonants and numbers — to submit 50 million requests over three weeks without being detected by the Texas-based firm. The email notice came from an address that doesn’t exist and didn’t provide a method to learn more about the breach. Poor handling. LINK, SCRAPED
  • Model integrity: OpenAI and Stack Overflow announced a deal to train responses using user-submitted responses to technology and coding problems on the popular website this week. Some stack overflow users have responded by deleting or editing their accepted, popular responses to include protest messages. Repurposing user-generated content like this without consultation is always likely to generate backlash. The repurposing also provides a way for a huge audience to potentially affect the model’s integrity. Other AI firms take note. LINK
  • Attackers hijacked 15 Ukrainian TV channels owned by Starlight Media to broadcast Russia’s Victory Day parade in Moscow. LINK

🏴‍☠️ Ransomware:

  • Russian national Dmitry Khoroshev has been identified and sanctioned by the US, UK and Australia as being ‘LockBitSupp’, the previously faceless leader of the notorious LockBit ransomware group. Attorney General Merrick B. Garland said that, under Khoroshev’s leadership, over 7,000 ransomware attacks were launched, claiming 2,110 victims and collecting over $100 million in cryptocurrency, of which LockBit retained 20%. Of course, the LockBitSupp account has denied being Khoroshev. Timed to coincide with the naming of LockBitSupp, Boeing has confirmed that an October 2023 incident resulted in the cybercriminal group demanding a $200 million ransom. LINK, MORE BOEING
  • “An utterly abhorrent criminal act”: INC Ransom has released another batch of sensitive information — this time children’s health records — it stole from NHS Dumfries and Galloway in an attempt to extract a ransom payment. LINK
  • Ascension, a US healthcare provider with 140 hospitals in 19 states, has suffered “disruption to clinical operations” following a “cyber security event” on Wednesday. It’s a suspected ransomware attack attributed to the Black Basta ransomware group. LINK, ATTRIBUTION

🕵️ Threat Intel:

  • A network of 76,000 websites has been used to scam more than 800,000 people in Europe and the US by promoting luxury designer brands at discounts of up to 50% off. The operation to steal card details apparently operates out of China, is highly organised, and is ongoing. If you see an offer that’s too good to be true… it probably is. LINK
  • The TunnelVision technique uses a malicious DHCP server and the ‘option 121’ setting to reroute traffic via itself and bypass other protections, such as VPNs. Option 121 allows specific routes to be pushed to clients for particular networks, and a route more specific than the VPN’s ‘catch-all’ route, installed when the device connects to the network, takes precedence over the VPN tunnel. It is a novel and neat misappropriation of a legitimate protocol feature. LINK
  • Attackers have been targeting WordPress websites running an outdated LiteSpeed Cache plugin to create administrator accounts and take over websites. LINK
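The TunnelVision item above turns on a detail of DHCP option 121 (RFC 3442 classless static routes): each route is encoded as a prefix length, the significant destination octets, and a four-octet router address. The parser below is an added example, not code from the newsletter or from the TunnelVision researchers. It decodes a constructed option 121 payload and applies a defender’s heuristic: any pushed route that reaches outside the address ranges the local DHCP server is trusted to route for (assumed here to be the RFC 1918 ranges) would, being more specific than a VPN’s catch-all route, pull that traffic onto the LAN and is worth alerting on. The sample payload and the trusted-range list are assumptions for illustration.

```python
"""Decode DHCP option 121 (RFC 3442 classless static routes) and flag
routes that would steer traffic away from a VPN tunnel.

Added example, not from the original newsletter. The payload below is
constructed, not captured from a real network."""
import ipaddress

# Constructed sample: three routes as a DHCP server would encode them.
#   10.0.0.0/8  via 192.168.1.1    (a plausible corporate route)
#   0.0.0.0/1   via 192.168.1.254  (covers half the Internet)
#   128.0.0.0/1 via 192.168.1.254  (covers the other half)
# The two /1 routes are more specific than a VPN's 0.0.0.0/0 route, so
# the host would prefer them and send traffic to 192.168.1.254 in clear.
SAMPLE_OPTION_121 = (
    b"\x08\x0a\xc0\xa8\x01\x01"
    b"\x01\x00\xc0\xa8\x01\xfe"
    b"\x01\x80\xc0\xa8\x01\xfe"
)

# Assumption: the local DHCP server is only trusted to route for RFC 1918 space.
TRUSTED_DESTINATIONS = [
    ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_option_121(payload: bytes):
    """Decode RFC 3442 routes: 1 byte prefix length, ceil(prefix/8) destination
    octets (host bits omitted), then 4 router octets. Returns (network, router)
    pairs and raises ValueError on malformed input rather than guessing."""
    routes = []
    i = 0
    while i < len(payload):
        prefix_len = payload[i]
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        n_dest = (prefix_len + 7) // 8
        i += 1
        if i + n_dest + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        # Right-pad the significant octets with zeros to rebuild the address.
        dest = payload[i:i + n_dest] + b"\x00" * (4 - n_dest)
        i += n_dest
        router = payload[i:i + 4]
        i += 4
        network = ipaddress.IPv4Network((int.from_bytes(dest, "big"), prefix_len))
        routes.append((network, ipaddress.IPv4Address(router)))
    return routes


def suspicious_routes(routes, trusted=TRUSTED_DESTINATIONS):
    """Heuristic detection: keep only routes whose destination is not wholly
    inside a range the DHCP server is trusted to route for. Such a route would
    override a VPN's catch-all route for those addresses."""
    return [
        (net, gw) for net, gw in routes
        if not any(net.subnet_of(t) for t in trusted)
    ]


def report(payload: bytes):
    """Human-readable lines suitable for a log or alert."""
    flagged = suspicious_routes(parse_option_121(payload))
    return [f"ALERT option 121 route {net} via {gw} bypasses VPN tunnel scope"
            for net, gw in flagged]


if __name__ == "__main__":
    for line in report(SAMPLE_OPTION_121):
        print(line)
```

A DHCP client or NAC agent could run the same check on every lease it receives; the cheaper mitigation the TunnelVision write-up points to is simply not honouring option 121 on untrusted networks, which this check makes measurable before it is enforced.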

🪲 Vulnerabilities:

  • F5 has fixed two high-severity issues in its BIG-IP Next Central Manager solution that could be abused to gain admin control and create accounts on managed devices. CVE-2024-26026 (7.5/10) is an SQL injection vulnerability, while CVE-2024-21793 (7.5/10) is an ‘OData injection’ vulnerability. LINK, ADVISORY 1, ADVISORY 2
  • Google has patched a zero-day in Chrome. CVE-2024-4671 is a ‘use after free’ vulnerability that can be abused in certain conditions to run malicious code. LINK

🧿 Privacy:

  • BetterHelp, the online counselling service, has reached a $7.8 million settlement agreement with the US Federal Trade Commission for sharing personal data with advertisers. BetterHelp will refund the money to around 800,000 customers who used its services between 1st August 2017 and 31st December 2020. LINK
  • The US Office of the Director of National Intelligence has released a document outlining how intelligence agencies use data obtained from commercial data brokers. The Policy Framework for Commercially Available Information sets out the ‘general principles’ covering the access, collection and processing of ‘commercially available information’ (CAI). LINK, POLICY

📜 Policy & Regulation:

  • The Chairwoman of the Federal Communications Commission has written to Congress about the shortfall in funding for US telcos to replace Huawei and ZTE equipment in their networks. The Secure and Trusted Communications Act created a programme to rip and replace Chinese gear over fears it presented a potential strategic cyber risk to the US. $1.8 billion (or $11 per taxpayer) was allocated to the programme in 2020, but the FCC says that is $3 billion short of what’s needed. LINK
  • Changes to the makeup of the US Cyber Safety Review Board. LINK

💰 Investments, mergers and acquisitions:

  • Akamai has confirmed its acquisition of API protection business Noname Security for $450 million. At its last raise, in December 2021, Noname was valued at over $1 billion, representing a sale at less than half that valuation. (Lacework is another example of offers well below the previous valuation, though that deal fell through at due diligence). LINK
  • Cloud security firm Wiz has closed a $1 billion Series E funding round, which values the company at $12 billion. Co-founder and CEO Assaf Rappaport says that they plan to continue with organic growth and deploy the capital to “ex-unicorns” and “exciting, younger startups” as the company eyes a future initial public offering. LINK

And finally

  • Hackers have discovered that you can use Tetris’ “kill screen” (which occurs around level 151) to reprogram other parts of the game. Most people can’t get past level 29 because the pieces are moving too quickly. However, holding down specific controller inputs during the crash can cause the game to read in the high score table, which is user input and can be set to include code that the game will execute. Top-tier geekery. LINK
  • 1234 — the passcode to ‘non-sensitive areas’ (such as the loos) at NCSC’s London headquarters, according to journalists attending a speech by Foreign Secretary Lord Cameron. H/t Keith. LINK
Robin
