This week
An interesting read on the ransomware ecosystem and details on three incidents…
🤓 Interesting reads:
- Law enforcement action against the ransomware ecosystem may be causing fragmentation. Alexander Martin at The Record reports that cybercriminals are avoiding large ransomware-as-a-service (RaaS) platforms in favour of developing their own malware variants and conducting attacks independently. Large RaaS operations and high-profile attacks drew significant law enforcement attention, and a series of exit scams sparked doubt amongst the criminal underground. LINK
⚠️ Incidents:
- Malware dubbed ‘FrostyGoop’ has been discovered that is believed to be behind a January attack against a Ukrainian energy company that left 600 households without heating during freezing temperatures. The malware, analysed by Dragos, directly communicated over the Modbus protocol used in industrial control systems. Unsurprisingly, a Moscow-based IP address is linked to the attack. LINK
- AT&T’s February 2024 outage resulted from the telco pushing out an untested update. The action blocked 92 million phone calls, including 25,000 emergency 911 calls, over 12 hours. The US telco regulator, the FCC, isn’t happy that AT&T didn’t follow best practices. AT&T corrected the original mistake within 2 hours, but the outage, which affected all AT&T customers, was exacerbated because device registration systems were overwhelmed by reconnection requests from 125 million devices. LINK
- Cyber training business KnowBe4 hired a fake North Korean IT worker who wasted no time loading malware onto their company-provided laptop. The individual had been through four video interviews and used a stolen US-based identity together with an AI-modified stock photo. KnowBe4 says their SOC handled the incident within 25 minutes of detecting the unusual activity and that no illegal access was gained or data compromised. LINK
Interesting stats
$1 billion is the ‘lower end’ estimated insured loss from the IT outages stemming from CrowdStrike’s botched update last week, according to broker Burns & Wilcox. LINK
$5.4 billion is the estimated cost to the Fortune 500 in another study, by Parametrix. LINK
674,620 direct CrowdStrike customers are estimated by supply chain firm Interos to have been affected. LINK
$2.3 billion are the expected costs incurred by UnitedHealth in response to the cyberattack against Change Healthcare. LINK
69% of ransomware proceeds go to Russian ransomware gangs, according to blockchain intelligence firm TRM Labs. LINK
Other newsy bits / in brief
🕵️ Threat Intel:
- Chinese group ‘Evasive Panda’ has been spotted by Symantec using a new version of the Macma malware to target macOS users. LINK
- Over 3,000 GitHub accounts have been used to push info-stealer malware in a ‘distribution as a service’ operation called Stargazers Ghost Network. LINK
- Meta has nuked 63,000 Instagram accounts associated with sextortion scams out of Nigeria. The accounts are thought to be linked to a group of 20 people called the ‘Yahoo Boys’ who target men in the US. LINK
- Secure Boot on over 200 device models sold by Acer, Dell, HP, Lenovo, Gigabyte, Intel, and Supermicro can be bypassed because they use a cryptographic key compromised in 2022. The firms ship firmware that includes test cryptographic keys labelled ‘DO NOT SHIP’ and ‘DO NOT TRUST’, which means anyone with those keys and admin privileges can trivially bypass Secure Boot and install malicious firmware. LINK
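The Secure Boot item above turns on a test key left in shipped firmware. As an added example (not from the newsletter or any of the vendors named), this Python script parses the EFI_SIGNATURE_LIST structures in a platform’s PK variable, as exposed under sysfs efivars on Linux, and reports any X.509 entry carrying the ‘DO NOT SHIP’ / ‘DO NOT TRUST’ label; the sample variables, their stand-in certificate bytes and the owner GUID are constructed for illustration.

```python
import struct
import uuid

# GUID of EFI_SIGNATURE_LIST entries that carry a DER-encoded X.509 certificate.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# PK under sysfs efivars (EFI_GLOBAL_VARIABLE GUID); KEK sits beside it.
PK_EFIVAR = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Subject labels that mark non-production test certificates.
TEST_KEY_MARKERS = (b"DO NOT SHIP", b"DO NOT TRUST")

def parse_signature_lists(data: bytes):
    """Yield (type_guid, owner_guid, signature_data) for every entry in a run of
    EFI_SIGNATURE_LIST structures: type GUID, u32 list/header/signature sizes."""
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or sig_size <= 16 or off + list_size > len(data):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])  # EFI_SIGNATURE_DATA
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def find_test_certs(efivar_contents: bytes, sysfs_header: bool = True):
    """Return the marker strings found in X.509 entries of a Secure Boot
    variable. Files under sysfs efivars start with a 4-byte attributes word."""
    payload = efivar_contents[4:] if sysfs_header else efivar_contents
    hits = []
    for sig_type, _owner, cert in parse_signature_lists(payload):
        if sig_type == EFI_CERT_X509_GUID:
            # Subject names are ASCII inside the DER blob, so a byte search suffices.
            hits.extend(m.decode() for m in TEST_KEY_MARKERS if m in cert)
    return hits

def build_signature_list(sig_type, owner, entries):
    """Construct one EFI_SIGNATURE_LIST (test fixture; entries share one size)."""
    sig_size = 16 + len(entries[0])
    hdr = sig_type.bytes_le + struct.pack("<III", 28 + sig_size * len(entries), 0, sig_size)
    return hdr + b"".join(owner.bytes_le + e for e in entries)

# Constructed samples: the "certificates" are stand-in bytes, the owner GUID a placeholder.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_TEST_PK = b"\x27\x00\x00\x00" + build_signature_list(
    EFI_CERT_X509_GUID, OWNER, [b"CN=DO NOT TRUST - Test Platform Key"])
SAMPLE_OEM_PK = b"\x27\x00\x00\x00" + build_signature_list(
    EFI_CERT_X509_GUID, OWNER, [b"CN=Example OEM Platform Key"])
```

On a Linux host with efivarfs mounted, `find_test_certs(open(PK_EFIVAR, "rb").read())` performs the same check against the real PK; an empty list means no test-key label was found.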
🪲 Vulnerabilities:
- Docker has fixed a critical vulnerability in Docker Engine. The vulnerability, CVE-2024-41110 (10/10), is an authentication bypass issue in the AuthZ plugin that was discovered and fixed in January 2019, but the fix wasn’t carried forward to future versions and so has been present for around five years. LINK, ADVISORY
- Progress Software has released a patch for a critical vulnerability in its Telerik Report Server software. CVE-2024-6327 (9.8/10) is an issue with the deserialisation of data that can lead to remote code execution. LINK, ADVISORY
- Acronis Cyber Protect (ACI), a remote endpoint management and backup solution, is vulnerable to remote code execution by attackers using default credentials. CVE-2023-45249 (9.8/10) was patched nine months ago. However, Acronis is now warning that the bug is being exploited in the wild, prompting it to release a specific update to patch the issue. LINK, ADVISORY
🧰 Guidance and tools:
- Attackers use encrypted ZIP files to avoid scanning by antimalware systems. Now, Google Chrome will prompt users for the password of an encrypted ZIP download so that, if the user agrees, the contents can be sent to Google’s cloud for analysis before the file is delivered. LINK
🧿 Privacy:
- Oracle will settle a class action lawsuit against its ad tech business for $115 million. Oracle has announced it is shuttering its ad tech business. There are 220 million complainants in the case, so presumably, they won’t receive much compensation after legal fees. LINK
- Google has halted plans to turn off tracking cookies in Chrome. The ICO isn’t pleased. LINK, ICO
- Researchers at the University of California argue that Google’s reCAPTCHA service is a dud and just an excuse to exploit users for profit. Google refutes the accusations. LINK
📜 Policy & Regulation:
- Closing soon: NCSC’s call for views on AI cyber security runs through 9th August 2024. LINK
- The European Central Bank says lenders need to improve their cyber response capacity after its first ‘cyber stress test’ found “room for improvement”. The testing involved questionnaire-based documentary evidence from all 109 banks and an onsite visit from the ECB during an IT recovery test at 28 banks chosen as a representative cross-section of the industry. LINK
💰 Investments, mergers and acquisitions:
- Wiz has turned down Google’s $23 billion acquisition offer. “Saying no to such humbling offers is tough,” Wiz’s CEO Assaf Rappaport wrote in an email to all staff. “Let me cut to the chase: our next milestones are $1 billion in ARR and an IPO” as the firm sets its sights on floating on the public markets. LINK
- Vanta has announced a $150 million Series C fundraise led by Sequoia Capital. The compliance firm claims 8,000 customers (up ~2x in the last 12 months) and will use the funds to develop (you guessed it) AI features. Some of the claims in CEO Christina Cacioppo’s LinkedIn post seem… a bit weak: 100 hours saved annually isn’t to be sniffed at, but I’m surprised to see it touted as a headline efficiency saving number. LINK
- Identity management startup Linx, based out of Tel Aviv, has just announced $33 million in funding as it emerges from stealth. The premise is to link identities from different apps to active employees and identify orphaned or forgotten accounts that are no longer used. LINK
- Dazz, a vulnerability remediation solution for cloud services, has announced a $50 million funding raise, valuing the firm at around $400 million. LINK
- Internet of Things (IoT) security startup ZeroTier has raised a $13.5 million Series A round, claiming to support over 3 million connected devices in over 230 countries. LINK
- Cowbell, a cyber insurance company for SMEs, has announced a $60 million Series C equity investment from Zurich Insurance. LINK
And finally
- If you’re still struggling with machines offline following the CrowdStrike debacle last week, Microsoft has released a bootable image to help restore systems. It can be used on a USB thumb drive or as a PXE boot network option. LINK
- Plus, hats off to this ingenious method used by infrastructure managers at Grant Thornton in Australia to help get machines back up and running: using barcode scanners to input 48-character BitLocker keys quickly and accurately. LINK