Robin’s Newsletter #313

16 June 2024. Volume 7, Issue 24
Six years! Wow. Thanks for subscribing 😊 (now go donate blood to help the NHS respond to a ransomware attack)
Join hundreds of subscribers who get this first, every Sunday. Subscribe

Answering my question last week… 312 is important because 312/52=6. Last week’s edition (#312) marks six years that, every Sunday, I’ve been publishing this newsletter! 🤯 Thanks for subscribing, recommending it to your friends and colleagues, and for your feedback. If you’d like to show me some love, share it with (at least) one other person you think would find it useful. Ta! ❤️

This week

You can help the response to a ransomware attack by giving blood

  • NHS Blood and Transplant is appealing for donations — especially from those with type O blood — following last week’s ransomware attack. DONATE
  • It’s a knock-on impact from the disruption to services and testing facilities at Synnovis. Hospitals affected by the cyberattack cannot match patients’ blood at the usual speed. However, almost half the UK population is blood group O, and because group O red blood cells do not carry A or B antigens, they can safely be given to patients of any other group. LINK
  • Synnovis’ recovery from the attack and restoration of NHS services is expected to take “many months”, a senior NHS official told The Guardian. LINK

‘Significant’ volume of data stolen from Snowflake customers, says Mandiant

  • Mandiant says 165 organisations may have had data stolen as part of a campaign targeting customers of ‘data-as-a-service’ company Snowflake. Snowflake engaged Mandiant to conduct an investigation following the Ticketmaster breach and other data breaches linked to the company’s platform.
  • The attacks were carried out by UNC5537, a yet-to-be-classified, financially motivated threat actor, using credentials harvested by historic infostealer malware infections. The attackers used the stolen credentials to log in to victims’ Snowflake accounts and exfiltrate data from the platform. Snowflake has stated that its own systems were not compromised. That appears to be true: legitimate credentials were used. However, Snowflake gave customers no way to enforce multi-factor authentication (each user had to enrol themselves) and no way to block logins that lacked it. In an update on Friday, the company said it is “developing a plan” to enforce MFA. No timeline was provided.
  • Mandiant has identified one incident in which the threat actor may have collaborated with the Scattered Spider (aka Oktapus) group, but stopped short of linking the two groups.
  • LINK, MANDIANT
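As an added example (mine, not from the newsletter and not Snowflake’s or Mandiant’s own guidance), here is how a Snowflake administrator could hunt for the two gaps described above: users who can still log in with nothing but a password, and recent successful logins that did so. It assumes the SNOWFLAKE.ACCOUNT_USAGE views LOGIN_HISTORY and USERS expose the columns named below, that the role used has IMPORTED PRIVILEGES on the SNOWFLAKE database, and that the 203.0.113.0/24 range and the suspect_user name are placeholders for your own values.

```sql
-- Added example: triage queries for the stolen-credential pattern.
-- Not from the newsletter or from Snowflake. Assumes the ACCOUNT_USAGE
-- views LOGIN_HISTORY and USERS carry the columns named below.
USE ROLE ACCOUNTADMIN;

-- 1. Who can still get in with nothing but a password?
--    EXT_AUTHN_DUO is the per-user MFA enrolment flag; HAS_RSA_PUBLIC_KEY
--    marks key-pair service accounts, which never present a password.
SELECT name, login_name, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
  AND has_rsa_public_key = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful password-only logins in the last 30 days, grouped by user,
--    source IP and client type, so an unfamiliar IP or tool stands out.
SELECT user_name,
       client_ip,
       reported_client_type,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen,
       COUNT(*)             AS logins
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY 1, 2, 3
ORDER BY logins DESC;

-- 3. Compensating control while MFA cannot be enforced: an account-level
--    network policy, so a stolen password is useless from an attacker's IP.
--    203.0.113.0/24 is a placeholder; use your own office/VPN/egress ranges.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 4. Containment for a user that matched query 2 from an unknown IP.
--    suspect_user is a placeholder.
ALTER USER suspect_user SET DISABLED = TRUE;
```

Two caveats a practitioner would want: the ACCOUNT_USAGE views are populated with a lag (up to a couple of hours for LOGIN_HISTORY), so for live containment query the session directly rather than waiting on the view; and attaching a network policy at account level can lock out your own admins, so apply it to a single test user with ALTER USER … SET NETWORK_POLICY first, confirm you can still log in, then promote it to the account.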

Microsoft knew about vulnerability months before SolarWinds attack on US gov

  • A whistleblower says that Microsoft knew about the ‘Golden SAML’ issue months before it would be used in the SolarWinds attack against the US government. The vulnerability wasn’t publicly acknowledged or fixed, allegedly because Microsoft didn’t want to jeopardise its bid for a large federal government cloud computing contract. 
  • “The decisions are not based on what’s best for Microsoft’s customers but on what’s best for Microsoft,” said former Microsoft employee Andrew Harris (who now works at CrowdStrike). Microsoft declined to make officials available as part of ProPublica’s write-up but did not dispute the findings. LINK

Interesting stats 

Ransomware is ‘getting more brutal’: between 42 and 67 Medicare patients are estimated to have died as a result of ransomware disruption at hospitals between 2016 and 2021. LINK

75% jump in the number of data leak sites cybercriminals use to ‘shame’ their victims. LINK

76 federal agencies have >80% EDR coverage: 53% achieved it independently, with 47% having assistance from CISA. … I’m unclear what the baseline is here — the FISMA report (see Interesting Reads below) doesn’t say, but we’re potentially talking about 76 out of 439 total US federal agencies.

Other newsy bits / in brief

🤓 Interesting reads:

  • Avoiding another Horizon: Hayaatun Sillem, CEO of the Royal Academy of Engineering, discusses the importance of the engineering profession in guarding against system failure if repeats of the Post Office Horizon IT scandal are to be avoided. LINK
  • Federal Information Security Modernization Act (FISMA) annual report for FY2023. Incidents are up 9.9% year-on-year to the end of FY2023. LINK (PDF)

⚠️ Incidents:

  • Security vendor Cylance has confirmed a data breach. Cybercriminals claim to be selling 34 million customer and employee email records for $750,000. Cylance does not dispute that the data is genuine but says it is old data from a “third-party platform”. Parent company BlackBerry says that Cylance is not a Snowflake customer. LINK
  • Arlington, Massachusetts, has lost $455,945.73 in a business email compromise attack. Town manager Jim Feeney said that attackers impersonated a vendor working on a high school building project and requested a change to the payment details. The town’s bank recovered $3,308 (less than 1%) of the funds. LINK
  • Blackbaud will pay $6.75 million and be forced to improve its cyber security as part of a settlement after lying about the scope of its May 2020 incident. LINK, vol. 3, iss. 30

🏴‍☠️ Ransomware:

  • The City of Cleveland, Ohio, has taken services offline while dealing with a cyberattack. Ransomware is the most likely culprit, though no groups have claimed responsibility. Fortunately, emergency services are unaffected. City governments in Michigan and New York have also announced ransomware incidents. CLEVELAND, OTHERS

🕵️ Threat Intel:

  • GitHub developers are being targeted with malicious OAuth apps after being tagged in spam comments and pull requests. The phishing attempts redirect victims to githubcareers[.]online or githubtalentcommunity[.]online. LINK
  • Dutch military intelligence says that a Chinese campaign targeting a zero-day vulnerability (CVE-2022-42475; 9.8/10) in FortiGate firewalls started at least two months before Fortinet announced the vulnerability. During that time, the Chinese group may have infected as many as 14,000 devices with the ‘COATHANGER’ remote access trojan. LINK
  • The ‘TellYouThePass’ ransomware group has exploited the recent PHP remote code execution vulnerability to gain access to victims’ networks. The group started its campaign within 48 hours of the vulnerability being announced, helped by publicly available exploit code. LINK
  • A new strain of Linux malware uses emojis sent via a Discord server as a command and control channel. LINK

🪲 Vulnerabilities:

  • Google Pixel users have patches for 50 security vulnerabilities, including a ‘high’ elevation of privilege bug in the Pixel firmware. LINK, ADVISORY
  • There’s a proof-of-concept exploit for an authentication bypass vulnerability in Veeam’s Backup Enterprise Management solution (CVE-2024-29849; 9.8/10). If you use VBEM, get patching promptly. LINK, ADVISORY
  • JetBrains’ IntelliJ-based development environments may expose GitHub access tokens due to a critical vulnerability. CVE-2024-37051 (9.3/10) only affects users with the GitHub plugin enabled and configured. A patch is available. LINK, ADVISORY

🧰 Guidance and tools:

  • Microsoft and Google will offer discounts of up to 75% on services in a programme to provide ‘low cost’ cyber security services to rural hospitals. The “non-profit pricing” is intended to boost cyber defences at facilities where diverting patients to other hospitals may be difficult. LINK
  • Microsoft recommendations for teams looking to manage a mass password reset as part of their incident response efforts. LINK

🧿 Privacy:

  • The UK ICO and the Office of the Privacy Commissioner of Canada (OPC) have announced a joint investigation into 23andMe, the genetic testing company that disclosed a breach affecting 7 million users last year. 23andMe took an aggressive stance, asserting that the breach was not its fault but that of individual users who, for example, reused passwords. LINK, vol. 7, iss. 1
  • Verisk, a data broker, has closed its driver behaviour pattern product in response to a growing backlash over connected car data protection practices. LINK
  • Meta won’t train its AI models on EU users’ Facebook and Instagram posts after complaints to data protection agencies. LINK

👮 Law Enforcement:

  • Ukraine’s cyber police have arrested a man suspected of working with the Conti and LockBit cybercrime groups. The 28-year-old Russian man was arrested in Kyiv on 18th April this year as part of Operation Endgame. He is believed to have been responsible for helping to make the groups’ malware undetectable by antivirus software. LINK
  • The suspected ringleader of the Oktapus (aka Scattered Spider) group was arrested in Spain while trying to board a plane to Italy. Tyler Buchanan, a 22-year-old from Dundee, Scotland, is accused of conducting SIM-swapping attacks and breaking into corporate accounts to steal sensitive information. At one point, Buchanan, who used the alias ‘tylerb’ in cybercrime Telegram channels, controlled $27 million worth of cryptocurrency proceeds from the group’s activities. LINK
  • A QA employee of Singtel subsidiary National Computer Systems has been sentenced to two years and eight months in prison for deleting 180 virtual servers after they were fired. LINK

💰 Investments, mergers and acquisitions:

  • Everfox (fka Forcepoint Federal) is to acquire Garrison, a British ‘hardsec’ (hardware security) startup, for an undisclosed sum. Congrats to the team at Garrison — many of whom are BAE Systems/Detica alums and former colleagues — which looks like a great fit 👏 LINK
  • Fortinet has announced that it will acquire Lacework for an estimated $200 million to $230 million. That’s more than Wiz was offering in April, but a far cry from Lacework’s 2021 valuation of $8.3 billion. Lacework had raised $1.8 billion in funding; some VCs will be angry. LINK
  • The French government is offering €700 million ($748 million) for Atos’ Big Data and Security division. LINK

And finally

  • A Turkish student has been arrested for an elaborate scheme to cheat on university entrance exams. The unnamed student used a camera disguised as a shirt button to take photos of exam questions and relay them via a device in their shoe to an unnamed artificial intelligence solution to determine the correct answer. The results were recited back via an earpiece. LINK
  • Meanwhile, US bank Wells Fargo terminated over a dozen employees last month for using devices to simulate activity on their computers. LINK
Robin
