Robin’s Newsletter #320

4 August 2024. Volume 7, Issue 31
Electoral Commission slammed for 'basic errors'. CrowdStrike faces multiple legal challenges. $75 million record-breaking ransomware payment.

This week

Electoral Commission slammed for basic errors leading to theft of data on 40 million people

  • The UK’s election authority didn’t take “basic steps” to protect personal data, leaving the door open to Chinese threat actors to steal the personal information of 40 million people, according to the regulator. LINK
  • The ICO’s report has reprimanded the Electoral Commission for ineffective security patching and password management. Deputy Commissioner Stephen Bonner said it is “highly likely” the breach could have been avoided if systems hadn’t been left exposed. ICO
  • The reprimand confirms that two threat actor groups used the ProxyShell vulnerability against the Electoral Commission’s on-premise Exchange email server and that subsequent web shells persisted on the system for a year from August 2021. REPRIMAND (PDF)
  • Despite the entirely preventable nature of the breach, the ICO has chosen not to fine the Electoral Commission. TechCrunch notes that the breach occurred during a trial period of a revised approach for public sector organisations. Information commissioner John Edwards wrote at the time, “I am not convinced large fines on their own are as effective a deterrent within the public sector. They do not impact shareholders or individual directors in the same way as they do in the private sector.” LINK
  • Separately, science secretary Peter Kyle says the UK is ‘desperately exposed’ and that concerns over cyber-threats to Britain led to a change in the king’s speech, with an AI bill being bumped for a new cyber security and resilience bill. EXPOSED
  • Delta Air Lines hired a law firm to sue CrowdStrike after it suffered an estimated $500 million in operational losses from the botched update. CrowdStrike’s T&Cs limit claims to refunding money paid for services provided. However, large enterprise customers may have negotiated bespoke terms with the cyber vendor. LINK
  • Meanwhile, investors in the cyber security vendor have filed a class action lawsuit. The Plymouth County Retirement Association names CEO George Kurtz and CFO Burt Podbere as defendants, alleging that the company misled investors about the quality of its software testing practices. CrowdStrike says the case “lacks merit,” adding that it will “vigorously” defend itself. LINK
  • I suspect these are the sorts of cases that will run for a long time.
  • CrowdStrike shares are down over one-third since Thursday, 18th July (the day before the faulty update), but, to put it in context, they are still up over 40% since this time last year. 

Interesting stats

$4.88 million is the average data breach cost, according to a study by IBM and the Ponemon Institute of 604 breaches between March 2023 and February 2024. LINK

The healthcare sector dominates with the highest costs, followed by finance, with industrial, tech and energy rounding out the ‘top 5’:

Cost of a data breach by industry, showing Healthcare, Financial, Industrial, Technology and Energy, being the most costly sectors (source: IBM)

7% increase in customer churn following a data breach, also from Ponemon research, back in 2017. LINK

$5,000 in bandwidth charges incurred by repair website iFixit when 73 terabytes of data were downloaded in May (inc. 10TB in a single day) by AI company Anthropic’s web crawler. (See Threat Intel below).

~7% of web traffic is malicious, says Cloudflare, based on what is blocked in its networks. LINK

Other newsy bits / in brief

🤓 Interesting reads:

  • Lily Hay Newman and Matt Burgess have a write-up on infostealer malware. These wholesale cybercriminal ‘espionage’ operations are designed to stay undetected and slurp up passwords, cookies, and other data needed to gain unauthorised access to accounts using legitimate credentials. LINK

⚠️ Incidents:

  • French telcos suffered another “sabotage” attack this week, which disrupted some fixed and mobile subscriber services. The incident was described as vandalism; however, the cables targeted were in places “that are little known to the general public and that required precise information.” Organisers of the Paris Olympic Games said they were unaffected by the incident. It follows similar sabotage of the French railways ahead of the Olympic Games opening ceremony, which authorities are linking to far-left extremists. LINK, RAIL
  • Google has apologised for shipping a Chrome update that broke its built-in password manager on Windows. The root cause is “a change in product behaviour without proper feature guard” — vague. LINK
  • Health savings account provider HealthEquity has confirmed that its incident in early July resulted in the compromise of 4.3 million people’s information. LINK
  • Microsoft Azure services, including the admin centre, Intune, Entra, and Power BI, were “degraded” by a distributed denial-of-service (DDoS) attack this week. LINK
  • DigiCert has had to revoke and reissue “approximately 0.4%” of SSL/TLS certificates, or around 83k certs from 7K customers, due to a bug in Domain Control Verification checks dating back five years, where the required underscore prefix on the DNS validation record was not enforced. This is more procedural than anything else but will require customers to change their certificates. LINK
  • Mining giant Fresnillo says it suffered “unauthorised access” to IT systems and data in a filing with the London Stock Exchange. LINK
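Since the DigiCert item turns on a missing underscore, here is an added example of the check a DNS-based Domain Control Validation (DCV) flow should make. This is my illustration, not DigiCert’s code: the CA hostname, the token and the zone snapshot are constructed, and the `require_underscore` flag exists only to contrast the strict check with the lenient one. Underscore-prefixed labels are reserved for attribute records (RFC 8552) and are not valid hostnames, which is why a validation record must live at `_<token>.<domain>` rather than at a bare `<token>.<domain>` label that could coincide with an ordinary host.

```python
"""Strict vs lenient owner-name check for a DNS-change DCV CNAME record.

Added example, not DigiCert's code. Zone data, token and target are constructed.
"""

# Constructed zone snapshot: owner name -> (type, rdata). Not real DNS data.
CONSTRUCTED_ZONE = {
    "_k7x2p9q4m1.example.com.": ("CNAME", "dcv.example-ca.invalid."),
    "k7x2p9q4m1.example.com.": ("CNAME", "dcv.example-ca.invalid."),  # bare label, looks like a host
    "www.example.com.": ("A", "203.0.113.10"),
}

# Constructed token that was placed only at the bare (non-underscored) label.
CONSTRUCTED_ZONE_WEAK = {
    "zz9plural.example.com.": ("CNAME", "dcv.example-ca.invalid."),
}


def expected_dcv_name(domain: str, token: str) -> str:
    """Owner name a DNS-change DCV record must use: the random token as an
    underscore-prefixed label directly under the domain being validated."""
    return f"_{token}.{domain.strip('.')}."


def check_dcv_cname(zone, domain, token, expected_target, require_underscore=True):
    """Return (ok, reason).

    With require_underscore=True only `_<token>.<domain>` satisfies validation.
    With require_underscore=False a record at the bare `<token>.<domain>` label is
    also accepted; that is the weak behaviour the check exists to rule out.
    """
    candidates = [expected_dcv_name(domain, token)]
    if not require_underscore:
        candidates.append(f"{token}.{domain.strip('.')}.")

    for name in candidates:
        rec = zone.get(name)
        if rec is None:
            continue
        rtype, rdata = rec
        if rtype != "CNAME":
            return False, f"{name} exists but is a {rtype} record, not CNAME"
        if rdata.lower().rstrip(".") != expected_target.lower().rstrip("."):
            return False, f"{name} points at {rdata}, expected {expected_target}"
        if not name.startswith("_"):
            return True, f"validated via non-underscored label {name} (weak)"
        return True, f"validated via {name}"
    return False, f"no CNAME found at {candidates[0]}"


if __name__ == "__main__":
    target = "dcv.example-ca.invalid"
    print(check_dcv_cname(CONSTRUCTED_ZONE, "example.com", "k7x2p9q4m1", target))
    print(check_dcv_cname(CONSTRUCTED_ZONE_WEAK, "example.com", "zz9plural", target))
    print(check_dcv_cname(CONSTRUCTED_ZONE_WEAK, "example.com", "zz9plural", target,
                          require_underscore=False))
```

The practitioner’s takeaway is the second call: a validator that silently accepts the bare label reports success for a record that does not meet the requirement, which is exactly the class of defect that forces mass reissuance once it is noticed.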

🏴‍☠️ Ransomware:

  • Zscaler says that a Fortune 50 company has paid a record-breaking $75 million ransom demand to the Dark Angels cybercrime group. It dwarfs the previously highest known ransomware payment of $40 million, paid by CNA Financial to Evil Corp in 2021. The Fortune 50 victim is not named in the report. LINK
  • OneBlood, a not-for-profit organisation critical in providing blood to hospitals in the Southeastern United States, has suffered a ransomware attack and resorted to manual processes. LINK
  • UK immigration service firm Sable International has suffered a data breach, with BianLian claiming responsibility and reportedly contacting affected individuals to pressure the company to pay. LINK

🕵️ Threat Intel:

  • The Chinese threat group Evasive Panda (aka StormBamboo) compromised an internet service provider to conduct adversary-in-the-middle attacks against a target by poisoning DNS requests and serving up malicious software updates. LINK
  • Proofpoint’s email protection service was letting an average of 3 million phishing emails a day through to its customers, and 14 million at peak. The ‘EchoSpoofing’ campaign used an overly permissive default recommended configuration, allowing any Microsoft 365 account to send email through the Proofpoint service while passing SPF checks. LINK
  • Artificial intelligence (AI) companies are data-hungry and use web crawlers to ingest and index the web. If you’re a content business, you may consider blocking crawlers (though this is a movable feast) to protect your intellectual property and save bandwidth bills: iFixit got a $5K bill in May ‘cos of Anthropic’s crawler. LINK
  • The Black Basta and Akira ransomware groups are creating AD permission groups called “ESX Admins” to gain administrative permissions over VMware installations. When an ESXi host is joined to an Active Directory domain, it automatically treats members of a group with that name as administrators. Some call it expected behaviour because it’s in the manual, but I think documented behaviour might be more appropriate: no one is expecting this out of the box in 2024, but hey, the devil is always in the detail. LINK
  • A write-up on EvilProxy — the “LockBit of phishing” — an increasingly prevalent phishing-as-a-service toolkit. LINK, MORE
  • Cybercriminals are answering queries on StackExchange to promote malicious Python packages in the PyPI repository to disseminate infostealer malware. Gaining access to developer devices may give them access to other, more lucrative systems where these developers administer systems. LINK
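The “ESX Admins” item above is a good candidate for a simple detection, so here is an added example of one. It is mine, not from the linked reporting: it scans constructed Windows Security event records (a minimal JSON shape, not a real export) for creation of, renaming to, or membership changes on a group whose name normalises to “ESX Admins”. The event IDs used (4727/4731/4754 for group creation, 4728/4732/4756 for member added, 4781 for account renamed) are the standard Windows audit events for global, local and universal security groups; the field names follow the Security log’s EventData names.

```python
"""Flag Active Directory group activity on the 'ESX Admins' group.

Added detection example; the event records below are constructed, not real.
"""
import json
import re

# Standard Windows Security audit event IDs for security-enabled groups
# (global / domain-local / universal).
GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}
ACCOUNT_RENAMED = {4781}

# Match the trusted group name regardless of case or surrounding/internal spaces.
WATCHED_GROUP = re.compile(r"^\s*esx\s+admins\s*$", re.IGNORECASE)

# Constructed sample records shaped like a minimal JSON export of Security log
# EventData fields. Usernames and DNs are made up.
SAMPLE_EVENTS = [
    '{"EventID": 4727, "SubjectUserName": "svc_backup", "TargetUserName": "ESX Admins", "TargetDomainName": "CORP"}',
    '{"EventID": 4728, "SubjectUserName": "svc_backup", "TargetUserName": "ESX Admins", "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example"}',
    '{"EventID": 4781, "SubjectUserName": "svc_backup", "OldTargetUserName": "Marketing", "NewTargetUserName": "esx  admins"}',
    '{"EventID": 4727, "SubjectUserName": "admin.alice", "TargetUserName": "Finance Readers", "TargetDomainName": "CORP"}',
    '{"EventID": 4756, "SubjectUserName": "admin.alice", "TargetUserName": "Finance Readers", "MemberName": "CN=bob,OU=Users,DC=corp,DC=example"}',
    '{"EventID": 4624, "SubjectUserName": "jdoe", "TargetUserName": "jdoe"}',
]


def is_watched(name):
    return bool(name) and WATCHED_GROUP.match(name) is not None


def detect_esx_admins(lines):
    """Return a list of (alert_type, actor, detail) tuples, one per suspicious event."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        eid = ev.get("EventID")
        actor = ev.get("SubjectUserName", "<unknown>")
        if eid in GROUP_CREATED and is_watched(ev.get("TargetUserName")):
            alerts.append(("group_created", actor, ev["TargetUserName"]))
        elif eid in MEMBER_ADDED and is_watched(ev.get("TargetUserName")):
            alerts.append(("member_added", actor, ev.get("MemberName", "<unknown>")))
        elif eid in ACCOUNT_RENAMED and is_watched(ev.get("NewTargetUserName")):
            # A rename of an existing group into the trusted name is the quieter variant.
            alerts.append(("group_renamed", actor, ev.get("OldTargetUserName", "<unknown>")))
    return alerts


if __name__ == "__main__":
    for alert in detect_esx_admins(SAMPLE_EVENTS):
        print(alert)
```

The rename case is worth keeping: an attacker who already has a group they control only needs to rename it. On the mitigation side, ESXi exposes the advanced settings `Config.HostAgent.plugins.hostsvc.esxAdminsGroup` (which AD group is trusted) and `Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd` (whether its members are granted admin automatically); changing the former to a deliberately created, tightly controlled group, or disabling the latter, removes the out-of-the-box trust the item describes, and the detection above should then watch whichever name you chose.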

🪲 Vulnerabilities:

  • ServiceNow users should patch the ‘MID Server’ on-premise proxy component after a proof of concept for two critical and one medium vulnerabilities was released. CVE-2024-4879 (9.3/10) for improper input validation, CVE-2024-5178 (6.9/10) for incomplete input validation, and CVE-2024-5217 (9.2/10) also for input validation can be chained together to gain access to all ServiceNow data. LINK, CHAIN, ADVISORY 1, 2, 3

🛠️ Security engineering:

  • Mozilla is to distrust Entrust, a root certificate authority, after 30th November 2024. It follows a similar move by Google Chrome and stems from repeated failures by Entrust to address issues. If you’re renewing SSL/TLS certificates in the next quarter and are an Entrust customer, you may want to begin looking for a new certificate authority to avoid users receiving errors. LINK

🏭 Operational technology:

  • The US Environmental Protection Agency ‘urgently’ needs to roll out a strategy and support for the water industry to help address cyber risk in the sector, according to the Government Accountability Office (GAO). LINK

🧿 Privacy:

  • The US government is suing TikTok for unlawfully collecting children’s data and not acting when parents request their children’s accounts to be deleted. LINK
  • Facebook owner Meta will pay $1.4 billion to the state of Texas to settle claims that it collected biometric data on “millions of Texans” without the proper consent. The settlement, which is to be paid over five years, relates to using the facial geometry of users to recommend which users should be tagged in photos. LINK
  • Researchers say that vulnerabilities in dating apps, including Bumble and Hinge, may have allowed stalkers to track the location of victims to a precision of 2 metres. While exact locations aren’t displayed in the apps, precise locations are used when filtering for nearby matches. The exact location can then be triangulated by making repeated filter requests using spoofed locations to determine when a user moves in/out of range. LINK
  • The NFL is rolling out facial recognition software at all 32 league stadiums to verify the identity of staff, officials, media and visitors, with the Browns, Falcons and Mets all rolling it out to verify fans, too. LINK

📜 Policy & Regulation:

  • Malaysia’s Parliament is working on legislation to give it an internet “kill switch”. The legislation is part of broader efforts to improve the country’s cyber security, and it places greater responsibility on social media and messaging firms to prevent cybercrime and the dissemination of child sexual abuse material. LINK
  • The UK NCSC has announced the ‘next generation’ of its Active Cyber Defence policy. Amongst the principles is an interesting note that NCSC will look to divest successful services to other government departments or the private sector for long-term operation. LINK

👮 Law Enforcement:

  • Three people, including a former Avaya employee, have been sentenced to 4 years in prison for running a scheme to pirate software licences worth $88 million. LINK
  • The NCA has announced a takedown of the ‘Russian Coms’ spoofing service fraudsters use to initiate calls from spoofed phone numbers. More than 1.3 million calls have been detected by police, to 500,000 unique phone numbers including 170,000 victims in the UK. LINK
  • Two Russian nationals held by the US for cybercrime were included amongst those in a historic prisoner swap between the US, Russia, and Germany this week. LINK

💰 Investments, mergers and acquisitions:

  • Lineaje has closed a $20 million Series A funding round for its tools to detect tampered, outdated and vulnerable packages in software supply chains. LINK

And finally

  • Ford has filed a patent with the US Patent and Trademark Office for “systems and methods for detecting speeding violations”. If implemented, the proposed systems would use cameras and sensors on Ford’s vehicles to detect the speed of other nearby vehicles and share photos of those it determines are speeding with local police. A Ford spokesperson says it’s only intended for use on vehicles it sells to law enforcement. LINK
Robin