Robin’s Newsletter #310

26 May 2024. Volume 7, Issue 21
Microsoft Recall is a 'privacy nightmare'. UK/China threat not being taken seriously. FBI says Scattered Spider is ~1,000 people.

This week

Recall for Microsoft Recall?

  • Microsoft introduced a Copilot Plus feature called ‘Recall’ at an event this week that takes screenshots of a user’s on-screen activity so that it can be searched through and resurfaced at a later date. Redmond admitted that while it will store and encrypt content locally, it does not hide sensitive information, such as passwords.
  • Understandably, this has everyone in a bit of a tiz. Privacy campaigners call the feature a “privacy nightmare,” while Microsoft points out that it is an “optional experience” (with some serious hardware requirements). The ICO is “making enquiries” with Microsoft to understand privacy safeguards.
  • I wonder if it’s a product of the lack of security culture that’s developed within Microsoft (and highlighted by the Cyber Safety Review Board): the primary ambition to allow people to search back through what they’ve browsed and been working on is fine, but the collection of sensitive information is so obviously a target for cybercriminals and espionage alike. I suspect that if this feature survives, some serious changes will be seen before widespread adoption. LINK

Martin: UK not taking China threat seriously

  • Ciaran Martin, former head of NCSC, has warned that the UK is not taking the cyber threat from China seriously enough. Martin highlighted a US warning earlier this year that Chinese state-backed actors were targeting critical infrastructure to pre-position themselves for future attacks. While China may not intend to attack the US or UK directly, the ability to distract or delay their response would be useful if it chose to act in the South China Sea, where there has been an uptick in cyber threat activity. LINK, THREAT

FBI says Scattered Spider made up of 1,000 people

  • FBI assistant director Bryan Vorndran says that ‘the Com’ (aka Scattered Spider, or 0ktapus) is a “very, very large, expansive, disbursed group of individuals”. The group, known for its attacks on MGM Resorts and Okta, is reckoned to comprise around 1,000 people, many of whom don’t know each other. LINK

Interesting stats

70% of 1,600 CISOs surveyed by Proofpoint worry their organisation is at risk of a material cyber-attack. 41% said that ransomware was their top threat, and 62% said they would likely pay to restore systems (contrary to most posts on social media). LINK

Other newsy bits / in brief

🤓 Interesting reads:

  • Bishop Fox on unpixelating text. Redacting things properly is harder than it looks, so make sure you’re using a proper tool for it: drawing a black box over text (especially in a PDF or Word document) only covers it, and the text underneath can often still be highlighted, copied and pasted, or extracted. Pixelating or blurring is no better, because the blurred output is a deterministic function of the original text and can be brute-forced back when the font and block grid are known. LINK
  • Apple’s Wi-Fi Positioning System (WPS) is ‘exceptionally chatty’ and operates less privately than competitors’ systems: it returns hundreds of Wi-Fi hardware BSSIDs and their known locations, rather than taking the BSSIDs and sending back just the estimated user location. LINK
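Why pixelation is not redaction, as an added toy example (this is not Bishop Fox’s Unredacter tool or any code from the linked article): it renders a secret string with a small, made-up bitmap font, applies a mosaic filter, and then brute-forces the blurred image back by extending a candidate prefix one glyph at a time and pruning as soon as a fully determined block disagrees with the target. The font, glyph pitch and block size are constructed for this demonstration; a real attack must match the document’s actual font, size and block alignment, which is the work the real tool does.

```python
"""Toy demonstration that a pixelated ("mosaic") redaction is a deterministic,
lossy transform that can be brute-forced when the font and block grid are known.
Constructed example; the 5x7 font below is made up for this demo."""

# Minimal 5x7 bitmap font for the digits 0-9 (constructed for this example).
FONT = {
    "0": ["01110", "10001", "10011", "10101", "11001", "10001", "01110"],
    "1": ["00100", "01100", "00100", "00100", "00100", "00100", "01110"],
    "2": ["01110", "10001", "00001", "00010", "00100", "01000", "11111"],
    "3": ["11111", "00010", "00100", "00010", "00001", "10001", "01110"],
    "4": ["00010", "00110", "01010", "10010", "11111", "00010", "00010"],
    "5": ["11111", "10000", "11110", "00001", "00001", "10001", "01110"],
    "6": ["00110", "01000", "10000", "11110", "10001", "10001", "01110"],
    "7": ["11111", "00001", "00010", "00100", "01000", "01000", "01000"],
    "8": ["01110", "10001", "10001", "01110", "10001", "10001", "01110"],
    "9": ["01110", "10001", "10001", "01111", "00001", "00010", "01100"],
}
GLYPH_H = 8   # glyphs are padded to 8 rows so the 4px block grid divides the height
PITCH = 6     # 5px glyph plus 1px gap; deliberately NOT a multiple of the block size
BLOCK = 4     # pixelation block size in pixels (assumed, as in a typical mosaic filter)


def render(text):
    """Render text as a list of rows of 0/1 pixels, one glyph every PITCH pixels."""
    rows = [[0] * (len(text) * PITCH) for _ in range(GLYPH_H)]
    for i, ch in enumerate(text):
        for y, line in enumerate(FONT[ch]):
            for x, bit in enumerate(line):
                rows[y][i * PITCH + x] = int(bit)
    return rows


def pixelate(img, block=BLOCK):
    """Replace each block x block cell by its average: what a mosaic redaction does.
    Blocks are laid out from x=0, so a glyph may straddle two block columns."""
    h, w = len(img), len(img[0])
    out = []
    for by in range(0, h, block):
        row = []
        for bx in range(0, w, block):
            cells = [img[y][x]
                     for y in range(by, min(by + block, h))
                     for x in range(bx, min(bx + block, w))]
            row.append(sum(cells) / len(cells))
        out.append(row)
    return out


def recover(target, length, alphabet=tuple(FONT), block=BLOCK):
    """Depth-first brute force over the alphabet. A prefix of k glyphs fully determines
    the first (k*PITCH)//block block columns, so those are compared to the target and
    the prefix is dropped at the first mismatch. Returns every string consistent with
    the blurred image (the secret is always among them; ideally it is the only one)."""
    results = []

    def extend(prefix):
        if len(prefix) == length:
            results.append(prefix)
            return
        for ch in alphabet:
            cand = prefix + ch
            done = (len(cand) * PITCH) // block  # block columns fully determined so far
            pix = pixelate(render(cand), block)
            if all(abs(pix[r][c] - target[r][c]) < 1e-9
                   for r in range(len(pix)) for c in range(done)):
                extend(cand)

    extend("")
    return results


def demo(secret="2024"):
    """Pixelate the secret, then recover the candidate plaintexts from the blur alone."""
    blurred = pixelate(render(secret))
    return recover(blurred, len(secret))


if __name__ == "__main__":
    found = demo("2024")
    print(f"candidates consistent with the blurred image: {found}")
```

The search space is pruned by every block that a partial prefix already determines, so the cost grows roughly linearly with the length of the secret rather than exponentially, which is why pixelating a password or an account number in a screenshot buys very little. The only safe redaction is to remove the content before publishing (and, for PDFs and documents, to use a tool that deletes the underlying text and metadata rather than painting over it).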

⚠️ Incidents:

  • Justice AV Solutions, a software vendor making a courtroom video and audio suite, pushed out an update containing a backdoor within the JAVS Viewer 8 package. The backdoor, reported by Rapid7, gives an unknown threat actor persistent access to infected devices. LINK, RAPID7
  • Check-in systems of at least three Wyndham hotels in the US have been compromised with spyware. The information contained within screenshots taken by the spyware and uploaded to a public location on the internet contains guest reservations and partial payment card information. The spyware vendor, pcTattletale, has had a bad week, with its website being defaced and internal information published by a hacker. LINK, DEFACEMENT
  • One of the Internet’s thirteen root domain name servers was out of sync for over four days this week, causing instability and delaying some changes to DNSSEC configuration for the .gov and .int domains. The ‘C-root’ servers, operated by Cogent Communications, may have desynchronised due to a peering change. However, the statement from the ISP didn’t confirm the root cause. LINK

🏴‍☠️ Ransomware:

  • Canadian pharmacy London Drugs has confirmed its recent cybersecurity incident was a ransomware attack, with LockBit demanding a $25 million ransom. The company says it is “unwilling and unable” to pay the cybercriminals. London Drugs does not believe any patient or customer databases have been compromised. LINK

🕵️ Threat Intel:

  • Rockwell Automation is recommending its customers remove internet connectivity from its industrial control system (ICS) devices “due to heightened geopolitical tensions”. The advisory highlights seven vulnerabilities, some dating back to 2022, and CISA has also issued an alert. This looks to be well-founded intelligence, and those with Rockwell operational technology should take note. LINK, ROCKWELL, CISA
  • Cryptomining malware called GhostEngine has been spotted using techniques to disable anti-malware and endpoint security protections. This sort of more sophisticated approach hasn’t been typical of this type of malware. LINK 
  • Mandiant says Chinese actors increasingly use “operational relay box networks” (or ‘ORBs’) to proxy their traffic and frustrate detection and defence. Russian and, let’s face it, Western intelligence agencies will also have been using this sort of obfuscation technique to try and fly under the radar of their targets and counterparts. Small office and home broadband routers are popular targets, though cloud servers, smart/IoT devices, and other infrastructure may also be targeted to make traffic appear to originate from other jurisdictions. LINK
  • Living off the land: the ShrinkLocker ransomware variant uses Microsoft’s built-in BitLocker to encrypt victims’ drives rather than bringing its own encryptor. LINK

🪲 Vulnerabilities:

  • GitHub has fixed a critical authentication bypass vulnerability for single sign-on users of its GitHub Enterprise Server solution. CVE-2024-4985 (10/10) allows a threat actor to gain administrator privileges without authentication. LINK, DOCS
  • Veeam Backup Enterprise Manager also has a vulnerability that allows unauthenticated actors to sign in to any valid platform account. CVE-2024-29849 (9.8/10) only affects Veeam instances where the web-based VBEM has been enabled. LINK, ADVISORY

🛠️ Security engineering:

  • The Open Source Security Foundation (OpenSSF) has announced a new mailing list, Siren, to share threat intelligence about open-source projects. LINK

🧿 Privacy:

  • The UK Information Commissioner has concluded that a Police Service of Northern Ireland (PSNI) breach brought a “tangible fear of threat to life” and a “perfect storm of risk and harm” when it published the personal information of all 9,483 serving police officers and staff. The ICO has fined PSNI £750,000 over the breach for failing to have “simple and practical-to-implement policies and procedures” in place. LINK
  • Comprehensive, federal privacy legislation made it a step closer this week as the House Energy and Commerce subcommittee unanimously approved the American Privacy Rights Act. LINK

📜 Policy & Regulation:

  • Former US defence secretary James Mattis has come out against a dedicated US ‘Cyber Force’. Instead, Mattis proposes finding a way to let Cyber Command operate domestically, potentially under the direction of the FBI and a FISA-style court. LINK
  • The Securities and Exchange Commission (SEC) has fined Intercontinental Exchange (ICE) $10 million for failing to notify its subsidiaries, which include the New York Stock Exchange, of a breach in April 2021. LINK

💰 Investments, mergers and acquisitions:

  • CyberArk is to acquire machine-to-machine identity management outfit Venafi in a $1.54 billion cash and shares deal. Venafi’s certificate, PKI, and IoT capabilities will help “establish a unified platform”, CyberArk says. LINK
  • Bugcrowd is acquiring UK-based attack surface monitoring company Informer. The terms of the deal have not been disclosed. TechCrunch reports that this is Bugcrowd’s first-ever acquisition and that Informer is a profitable, bootstrapped ASM provider. LINK
  • Phishing protection firm Bolster has announced a $14 million funding raise led by Microsoft. LINK

And finally

  • Farewell to ICQ, which is shutting down in a month after 28 years. LINK
Robin
