Robin’s Newsletter #321

11 August 2024. Volume 7, Issue 32
CrowdStrike's underwhelming root cause analysis. Progress escapes SEC action. Dutch DPA rules data scraping has no legal basis.

This week

Delta/CrowdStrike spat continues; root cause analysis underwhelms

  • Delta may be gearing up to sue CrowdStrike and has hired a law firm that has publicly accused the EDR vendor of being “grossly negligent”. Now CrowdStrike has hit back, pointing out that Delta’s competitors suffered much less disruption, suggesting that other factors were to blame. CrowdStrike also says that their CEO contacted Delta’s CEO to offer support but did not receive a response; presumably, they were a little busy. LINK
  • Microsoft, also the target of Delta’s frustration, has published a letter suggesting that, unlike American Airlines and United Airlines, “Delta… apparently has not modernised its IT infrastructure.” LINK
  • CrowdStrike has released an underwhelming root cause analysis. It uses many words to tell us not much we didn’t already know. Fundamentally, the issue boils down to a ‘channel file’ (ruleset) expecting 21 inputs but only receiving 20. CrowdStrike did run tests on this before deployment, but the problem wasn’t picked up because none of those test cases validated the number of input fields. Much like CrowdStrike’s testing, the root cause analysis isn’t holistic, though they have added additional deployment rings to catch system crashes, spikes in false positives and performance issues. LINK (PDF)
  • At Black Hat this week, CISA director Jen Easterly said that the CrowdStrike incident holds a “big lesson” for critical infrastructure and was a useful “dress rehearsal for what China may want to do to us.” Easterly said that cyber security solution providers, like software vendors in general, must focus on quality and design in their products. LINK
  • Reinsurance specialist Guy Carpenter expects insured losses from the botched update to range between $300 million and $1 billion. REPORT (PDF)
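The field-count mismatch and the missing test case described above, as an added, simplified Python illustration (not CrowdStrike’s code; the 20-input sensor, the RuleTemplate type and the field names are assumptions for illustration): a template that declares more input fields than the sensor supplies crashes the interpreter unless a load-time count check rejects it first.

```python
# Added, simplified illustration (not CrowdStrike's code): a tiny "content
# interpreter" that evaluates rule templates against the fixed number of input
# fields a sensor supplies, with the load-time field-count check the page says
# no test case performed.
from dataclasses import dataclass

SENSOR_INPUT_COUNT = 20  # assumed: how many inputs the sensor passes per event

@dataclass(frozen=True)
class RuleTemplate:
    name: str
    declared_inputs: int  # input fields the template claims (the RCA's 21)
    match_field: int      # zero-based index of the field a rule compares
    match_value: str

def validate_template(t: RuleTemplate) -> None:
    # The check none of the pre-deployment test cases performed: the declared
    # field count and every referenced index must fit the sensor's inputs.
    if t.declared_inputs != SENSOR_INPUT_COUNT:
        raise ValueError(f"{t.name}: declares {t.declared_inputs} inputs, "
                         f"sensor supplies {SENSOR_INPUT_COUNT}")
    if not 0 <= t.match_field < SENSOR_INPUT_COUNT:
        raise ValueError(f"{t.name}: field index {t.match_field} out of range")

def evaluate(t: RuleTemplate, inputs: list[str]) -> bool:
    # In native code an index past the end is an out-of-bounds read; here Python
    # raises IndexError, which deploy() maps to the 'crash' outcome below.
    return inputs[t.match_field] == t.match_value

def deploy(t: RuleTemplate, inputs: list[str], validate: bool) -> str:
    """Outcome of delivering one rule: 'rejected', 'crash', 'match' or 'no match'."""
    if validate:
        try:
            validate_template(t)
        except ValueError:
            return "rejected"  # bad content never reaches the interpreter
    try:
        return "match" if evaluate(t, inputs) else "no match"
    except IndexError:
        return "crash"  # stand-in for the sensor's out-of-bounds read

def field_count_cases(validate: bool) -> dict[int, str]:
    # The kind of test case the page says was absent: sweep the declared field
    # count either side of what the sensor really supplies.
    inputs = [f"field{i}" for i in range(SENSOR_INPUT_COUNT)]  # constructed event
    return {n: deploy(RuleTemplate("ipc-template", n, n - 1, "field19"), inputs, validate)
            for n in range(SENSOR_INPUT_COUNT - 1, SENSOR_INPUT_COUNT + 2)}
```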

SEC not pursuing enforcement action against Progress Software

  • Progress Software says that the US Securities and Exchange Commission does not intend to pursue enforcement action against the software vendor.
  • Progress is the company behind the MOVEit file transfer solution that was mass exploited by cybercriminals in June 2023 (vol. 6, iss. 24). The Clop ransomware gang found and exploited a zero-day vulnerability in the MOVEit solution to steal data from thousands of organisations and the personal data of millions of people.
  • The SEC has been investigating Progress’s handling of the incident, with a spokesperson saying the firm was “pleased” with the outcome. The Federal Trade Commission is still considering the matter, and Progress also faces state-level and class-action lawsuits. LINK

Interesting stats

2,570 ransomware attacks in the first half of 2024, according to Rapid7 LINK

4%–68% of profiles successfully removed by people-search removal services that promise to remove personal information from the web, according to Consumer Reports. The firm concludes that the services aren’t worth paying for, noting the wide range of results and that a 70% success rate can be achieved by manually submitting requests. LINK

Other newsy bits / in brief

🤓 Interesting reads:

  • Outgoing executive director of CISA Brandon Wales reflects on 20 years of cyber in this interview with Tim Starks for CyberScoop. LINK
  • RUSI on the effectiveness of ‘cyber power’ as a cyber policy objective. LINK

⚠️ Incidents:

  • The French newspaper Le Parisien reports a cyberattack against the Grand Palais Réunion, a venue hosting several Olympic events. The attack did not disrupt the games. LINK
  • Students in Singapore have faced disruption to lessons this week after data was erased from the school-issued iPads and Chromebooks. The breach relates to a compromise of the Mobile Guardian platform, the country’s mobile device management provider for public schools. Mobile Guardian says the incident “affected users globally,” impacting a “small percentage of devices”. That sounds like an attacker managed to gain administrator access to some customer accounts in the same way that cybercriminals recently used legitimate customer credentials to target multiple Snowflake customers. LINK
  • ‘Massive’ DDoS attack focussed on infrastructure in Russia’s Kursk region, coinciding with Ukraine’s push into Russian territory. LINK
  • Burglar alarm company ADT says “limited” customer data was stolen by attackers during a ‘recent’ incident. The SEC filing said that email addresses, phone numbers, and home addresses were amongst the data stolen, but there is no evidence of customers’ home security systems being accessed. LINK
  • Over 35,340 people’s data was stolen from the systems of CSC ServiceWorks, a New York-based laundry provider, during a September 2023 incident. The breach was detected five months later, in February of this year, and it took until June to identify what data was stolen. The company employs over 3,000 people, and the data may relate to current and former employees, as it includes names, date of birth, contact info, government ID and Social Security numbers, banking information and some health and medical insurance data — not things you’d expect customers to be handing over to clean their clothes. LINK

🕵️ Threat Intel:

  • Cybercrime group Hunters International is targeting IT workers with a remote access trojan called SharpRhino. LINK
  • The ‘first contact safety tip’ — a banner displayed in Microsoft 365 for unrecognised email addresses — can be hidden by including CSS in the phishing email that causes the warning to be hidden by the user’s web browser. Microsoft has acknowledged that finding but determined it doesn’t meet their threshold for an immediate fix. LINK
  • Kaspersky says it discovered a new USB worm, dubbed CMoon, that targets Russians and is capable of stealing credentials and launching DDoS attacks. LINK
  • Researchers have seen an uptick in websites being used to exploit a “0.0.0.0 Day” vulnerability. The eighteen-year-old issue affects Google Chrome, Mozilla Firefox, and Apple Safari on Linux and macOS. Browsers interpret the 0.0.0.0 IP address as a wildcard for any local IP address, which lets a public website reach servers running on the visitor’s own machine, something public websites on the Internet shouldn’t have reason to do. LINK
  • Microsoft says that Iran is stepping up attacks against US political figures and is launching ‘covert news sites’ to spread disinformation ahead of US elections later this year. LINK
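A defensive check for the 0.0.0.0 behaviour described above, as an added Python example (not from the page or the researchers’ write-up): a service that is only meant to be reached from its own machine refuses requests whose Host is not a loopback name or whose Origin is a non-local site. The header dictionary and the should_accept function are assumptions for illustration.

```python
# Added example (not from the page or the researchers' write-up): Host/Origin
# validation for a local-only service, so a request that a public web page aims
# at 0.0.0.0, a LAN address or a rebound DNS name is refused before any handler runs.
import ipaddress
from urllib.parse import urlsplit


def _hostname(value: str) -> str:
    # Host arrives as "host[:port]", Origin as "scheme://host[:port]"; urlsplit
    # handles both once a bare authority is prefixed with "//" (IPv6 brackets too).
    if "://" not in value:
        value = "//" + value
    return (urlsplit(value).hostname or "").lower()


def is_loopback_host(host: str) -> bool:
    # 0.0.0.0 is the 'unspecified' address, not loopback, so it fails this test.
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def should_accept(headers: dict[str, str]) -> tuple[bool, str]:
    """Decide whether a request to a local-only service should be handled."""
    host = _hostname(headers.get("Host", ""))
    if not is_loopback_host(host):
        return False, f"Host {host!r} is not a loopback address"
    origin = headers.get("Origin")  # absent for same-site navigations and curl
    if origin is not None and not is_loopback_host(_hostname(origin)):
        return False, f"cross-site request from {origin!r}"
    return True, "ok"
```

Binding the listener to 127.0.0.1 rather than 0.0.0.0 is the complementary server-side step; this check covers requests that still arrive with a non-local Host or Origin.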

🪲 Vulnerabilities:

  • Threat actors are actively trying to exploit a remote code execution vulnerability in Progress Software’s WhatsUp Gold network monitoring solution. Progress patched CVE-2024-4885 (9.8/10) recently. LINK, ADVISORY
  • Password manager 1Password has fixed a bug that allows attackers to steal items from users’ vaults. Versions before 8.10.36 are vulnerable to CVE-2024-42219 (7.0/10) when an attacker has already gained the ability to execute code on the affected machine. Given the contents of those 1Password vaults, though, it’s an obvious high-value target for attackers, so while it hasn’t been knowingly exploited in the wild, I’d expect cybercriminals running infostealer malware to add this to their toolkit. LINK, ADVISORY
  • Cisco is warning of critical vulnerabilities in its SPA300 and SPA500 series VOIP telephones. Three critical and two high vulnerabilities will not be fixed by Cisco as the phones have reached the end of support. CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454 are the critical (9.8/10) issues. They allow an unauthenticated, remote attacker to execute arbitrary commands as root on the underlying operating system. LINK, ADVISORY

🧑‍💻 End-user and consumer:

  • Apple is doing away with the control-click ‘open anyway’ option for un-notarised apps in macOS 15 Sequoia. Users will have to grant permission from within a System Settings dialogue box. Notarised apps and those downloaded from the App Store will be unaffected. LINK

🧿 Privacy:

  • The Dutch Data Protection Authority (DPA) has issued guidance on data scraping. The Dutch DPA deems that companies cannot rely on ‘legitimate interests’ as the basis for wholesale commercial collection of personal data: explicit consent must be obtained from each data subject. The DPA goes on to point out that it’s impractical to contact each data subject, so there is no legal basis for data scraping by commercial entities. (Personal, non-commercial purposes may be compliant without consent, but not the subsequent sharing of those data sets for, e.g., commercial purposes). LINK
  • Illinois has revised its Biometric Information Privacy Act (BIPA) to limit financial penalties for companies that illegally obtain or sell biometric information. Instead of victims being able to sue for between $1,000 and $5,000 for each violation, multiple violations will now be counted as a single violation. LINK
  • The Information Commissioner’s Office intends to fine Advanced Computer Software Group £6 million. Advanced is the IT services firm that suffered a ransomware attack in 2022 (vol. 5, iss. 33) that knocked out NHS 111 services and urgent treatment centres. The personal information of 82,946 people was also stolen during the attack. LINK

📜 Policy & Regulation:

  • Replacement for UK’s cybercrime reporting service, Action Fraud, delayed ’til “first quarter of 2025,” according to temporary assistance commissioner Nik Adams. LINK
  • The US is offering up to $10 million for information on Iranian military officials it says are behind the ‘CyberAv3ngers’ group that has targeted US critical infrastructure. LINK
  • The United Nations unanimously passed its first cybercrime treaty this week. The agreement, originally tabled by Russia, will establish the first global legal framework for cybercrime and data access. The treaty isn’t without opposition, with critics citing text that allows authorities to obtain electronic evidence from other nations and request ISPs to hand over data. Generally, everyone seems to be on board with having something, even if it’s bad, as being better than nothing. The treaty will now go to the General Assembly for a vote, where it’s expected to pass. LINK

👮 Law Enforcement:

  • Interpol says that authorities have seized and returned over $41 million stolen from a Singaporean commodities firm in a business email compromise scam. LINK
  • Federal agents have arrested a man in Nashville for running a ‘laptop farm’ that allowed North Korean workers to pose as remote US IT workers and generate ‘hundreds of thousands of dollars’ for North Korea’s nuclear weapons programme. LINK

💰 Investments, mergers and acquisitions:

  • Private equity firm EQT has bought a majority stake in data protection company Acronis. Details of the deal have yet to be made public, but rumours suggest it values Acronis at $4 billion, a $500 million premium on its previous valuation during a 2022 investment. LINK
  • CrowdStrike is reportedly in talks to acquire Action1, a patch and vulnerability management outfit. Action1 is “on track to soon reach $100M [annual recurring revenue]”. The deal would value the company at approaching $1 billion. LINK
  • Trend Micro is exploring a sale. LINK
  • KnowBe4 is to acquire UK email security firm Egress for an undisclosed amount. The deal will see Egress’s email security tools integrated into KnowBe4’s security awareness platform, according to KnowBe4 CEO Stu Sjouwerman. LINK

🗞️ Industry news:

  • The EC-Council has pledged $15 million in scholarships to reach over 50,000 students. The scholarships, announced by the White House this week, will be split between the “Essentials Series” for US military families and the Certified Cybersecurity Technician scheme for IT workers transitioning into cyber. LINK
  • Hats off to Georgia Bell, who works at Abnormal Security, for winning the bronze medal in the 1500-metre event at the Paris Olympics. LINK
  • Huntress and CyberCert have partnered to offer ‘SMB1001’ certifications to customers of Huntress’ managed service provider partners. LINK

And finally

  • PrivacyLens looks pretty neat. It uses RGB and thermal imaging to remove people from video and replace them with stick figures, protecting their privacy. This could be useful in, for example, smart devices that use cameras to understand their surroundings. The article talks about an incident where a woman’s Roomba uploaded 200 photos of her on the toilet to a cloud service, where they were subsequently compromised. LINK
Robin
