Robin’s Newsletter #322

18 August 2024. Volume 7, Issue 33
Large data set published from US Data broker. Trump campaign blames Iran for leaked emails. Critical zero-click TCP/IP vulnerability in Windows.

This week

Data broker confirmed security incident leaking millions of US social security numbers

  • A Florida-based background check company believes that a “bad actor” gained access to its systems in December 2023. National Public Data is a data broker that has amassed profiles of people, including their names, addresses, phone numbers, social security numbers, and email addresses.
  • A data set of around 4TB, containing 2.9 billion rows, was put up for sale on a cybercrime forum in April 2024 with an asking price of $3.5 million. Further leaks and samples were posted in June and July. Now, the full data set has been posted for free. LINK
  • The data, analysed by Troy Hunt, spans multiple data sets that may not be linked. For example, 70 million rows of US criminal records data and 137 million unique email addresses are not linked to social security numbers. LINK
  • Another analysis suggests that, while there may be 272 million unique SSNs in the data set, and most have a name and home address, only 26% include a phone number. Atlas Data Privacy says the average age of consumers in these records is 70, with the date of birth for 2 million records representing people who are almost certainly dead (or would now be over 120 years old).
  • Data brokers amass much of their data from public records, such as birth, marriage, death certificates, voter rolls, and court records. 
  • If you haven’t already, request a ‘freeze’ on your credit file at each of the major consumer credit bureaus. A freeze makes it much harder for criminals to open new lines of credit in your name, and you can lift it temporarily whenever you legitimately need to. LINK

Trump campaign blames Iran for email leaks

  • Donald Trump’s presidential campaign has said that internal campaign emails have been compromised, and it blames Iran for the breach. Microsoft and Google have published intelligence linking APT42, part of the Islamic Revolutionary Guard Corps (IRGC), to the attack. LINK, ATTRIBUTION
  • It appears that the Iranian threat actors compromised Trump associate (and supervillain wannabe) Roger Stone’s personal email account and used it to send phishing messages to Trump campaign staffers. LINK
  • Speaking at Defcon, former NSA cybersecurity director Rob Joyce said it was “pretty surprising” to see the hack and leak operations starting this early in the election cycle, suggesting the US was in for a “wild ride”. LINK

Microsoft warns over critical ‘zero-click’ TCP/IP RCE

  • Microsoft has patched a critical vulnerability in its IPv6 implementation. CVE-2024-38063 (9.8/10) is an integer underflow weakness in the TCP/IP stack that can be used to gain remote code execution on the affected device. LINK, ADVISORY
  • Attackers can send specially crafted IPv6 packets to trigger the vulnerability in kernel code that processes incoming network data before controls such as Windows Firewall are applied, and no user interaction is required, hence the ‘zero-click’ label. Together, these factors make it extremely ‘wormable’ and an ideal candidate for self-propagating malware to exploit. Disabling IPv6 on a device protects it until the update is applied, but doing so may impact connectivity and some Windows features that rely on IPv6. It’s best to get patching!
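Checking which adapters still have IPv6 bound, and unbinding it as a stop-gap until the update is installed, looks like this in PowerShell. This is an added example, not code from the newsletter or from Microsoft; it assumes an elevated PowerShell session on a supported Windows client or server, and uses only the documented NetAdapter cmdlets and the documented Tcpip6 DisabledComponents registry value.

```powershell
<#
  Added example (not from the newsletter or Microsoft). Reports the TCP/IPv6 binding state of
  every network adapter and, with -Disable, unbinds IPv6 as a temporary mitigation for
  CVE-2024-38063 until the August 2024 update is applied.
  Assumes an elevated PowerShell 5.1+ session. Caveat (as the article notes): removing IPv6
  can break connectivity and Windows features that depend on it, so patch and then revert.
#>
[CmdletBinding()]
param(
    [switch]$Disable   # unbind IPv6 on every adapter instead of only reporting
)

# Show the most recently installed updates so you can see whether August's patch is present
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 3 HotFixID, InstalledOn | Format-Table -AutoSize

# Report which adapters currently have the Microsoft TCP/IPv6 component bound
$bindings = Get-NetAdapterBinding -ComponentID ms_tcpip6
$bindings | Select-Object Name, Enabled | Format-Table -AutoSize

if ($Disable) {
    foreach ($b in ($bindings | Where-Object Enabled)) {
        Write-Host "Unbinding IPv6 from adapter '$($b.Name)'"
        Disable-NetAdapterBinding -Name $b.Name -ComponentID ms_tcpip6
    }

    # Microsoft's documented registry switch: 0xFF disables all IPv6 components except the
    # loopback interface, and also covers adapters added later. Takes effect after a reboot.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    New-ItemProperty -Path $key -Name DisabledComponents -PropertyType DWord -Value 0xFF -Force | Out-Null

    Write-Host 'Reboot required. After patching, revert with:'
    Write-Host "  Enable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"
    Write-Host "  Remove-ItemProperty -Path '$key' -Name DisabledComponents"
}
```

Run it without arguments first to see the current state; only pass `-Disable` on devices where you have confirmed nothing depends on IPv6, and track them so the binding is restored once the update is deployed.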

Interesting stats

6 cybercrime groups were responsible for 50% of all ransomware attacks in the first half of 2024 LINK

Other newsy bits / in brief

🤓 Interesting reads:

  • DARPA ran a challenge at Defcon with 90 teams tasked to build systems that can identify and patch open-source software vulnerabilities. LINK
  • Researchers have worked out how to keep clocks on the Earth and Moon in sync. Wibbly wobbly timey wimey stuff gets pretty difficult in space, where lower gravity leads to faster clocks, while high velocities lead to slower clocks. Keeping time will be important for space exploration and any future ‘lunar positioning system’. LINK, PAPER (PDF)
  • An AI model modified its own code to run longer. Fortunately, it was within a contained environment, but models do not need to be ‘self-aware’ to potentially have an impact beyond their intended design parameters. LINK
  • A timeline of the Change Healthcare ransomware attack. LINK

⚠️ Incidents:

  • South Korea says that North Korean attackers have stolen data on the country’s main battle tank and two spy planes. LINK
  • A Luxembourg-based chemicals company has reported a $60 million cybercrime loss. Orion filed documents with the SEC disclosing the business email compromise incident, where a non-executive employee was targeted and convinced to make wire transfers to accounts controlled by the criminals. LINK
  • AutoCanada, a large car dealership, has taken some of its systems offline as a preventative measure in response to a cyber attack. The company employs over 4,700 people and reported $6 billion in revenue last year. The sector faced disruption recently with a ransomware attack against software vendor CDK. LINK
  • Enzo Biochem has agreed to pay $4.5 million for failing to protect the personal data of 2.5 million people that was compromised during a 2023 incident. LINK
  • Elon Musk claimed that Twitter/X was subject to a massive DDOS, but this has widely been panned, and insiders say the claims are wrong. LINK

🏴‍☠️ Ransomware:

  • US, German, and UK law enforcement have announced a takedown of the Radar/Dispossessor ransomware operation. ‘Dozens’ of servers were seized or dismantled. The FBI says that the group has attacked 43 companies. The ‘leak site’ where the group promotes its attacks is similar to that of LockBit, leading to speculation that it may be a rebrand of that criminal enterprise. LINK
  • Idaho’s Kootenai Health has disclosed a data breach affecting 464,000 patients at the hands of the 3AM ransomware group. LINK

🕵️ Threat Intel:

  • Chinese attackers believed to be part of the APT31 and APT27 groups have been targeting the Russian government and IT companies, according to Kaspersky. LINK
  • Researchers have identified a new macOS infostealer dubbed Banshee Stealer. The malware is available as a service costing $3,000 per month via a Russian language Telegram channel. LINK

🪲 Vulnerabilities:

  • Ivanti’s Virtual Traffic Manager (vTM) has a critical authentication bypass vulnerability. CVE-2024-7593 (9.8/10) may allow an attacker to create their own administrator account on the system. A public exploit has been released that will presumably drive compromise attempts. LINK, ADVISORY
  • SAP’s August security update addresses 17 vulnerabilities, including a critical authentication bypass issue. CVE-2024-41730 (9.8/10) stems from a “missing authentication check” in the SAP BusinessObjects Business Intelligence Platform, which is affected when Single Sign On is enabled. A second critical server-side request forgery vulnerability, CVE-2024-29415 (9.1/10) in SAP Build Apps, is also addressed. LINK, ADVISORY
  • All Google Pixel devices shipped to consumers since 2017 have included ‘Showcase’ software developed for Verizon designed to demo features of the handsets. The software runs with system privileges and allows for remote software installation… with configurations downloaded on unencrypted HTTP connections that can be hijacked. Google says it will remove the software “in the coming weeks” from all Pixel handsets, but it’s unclear why it was necessary to include Verizon’s software as part of the gold image on every Pixel device, even long after the telco stopped using it. LINK
  • CISA has added a critical vulnerability in SolarWinds Web Help Desk application to its Known Exploited Vulnerabilities (KEV) list. CVE-2024-28986 (9.8/10) is a remote code execution vulnerability that was fixed by a hotfix this week. LINK, ADVISORY 

🧰 Guidance and tools:

  • NIST has released three post-quantum cryptographic algorithms “ready for immediate use”: ML-KEM (FIPS 203) for key establishment, and ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) for digital signatures. New algorithms are needed because a cryptographically relevant quantum computer (CRQC) will theoretically be able to solve the integer factorisation and discrete logarithm problems that underpin RSA and elliptic-curve cryptography with ease. LINK
  • Microsoft is warning admins to enable multi-factor authentication (MFA) on their M365 tenants before 15th October, or their users may lose access to their admin portals. MFA will be required to sign in to the Azure, Entra, and Intune admin portals. This is sensible: admin accounts are highly prized and oft-targeted. Guidance and good practice have recommended this for admin accounts (and all user accounts) for years. LINK
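Rather than waiting for Microsoft’s enforcement, tenants can require MFA for privileged roles today with a Conditional Access policy. The script below is an added example, not from the newsletter or from Microsoft’s documentation; it assumes the Microsoft.Graph PowerShell module is installed, that the caller can be granted the Policy.ReadWrite.ConditionalAccess scope, and that the break-glass account ID is a placeholder you replace with your own.

```powershell
<#
  Added example (not from the newsletter or Microsoft). Creates a Conditional Access policy that
  requires MFA for every holder of the Global Administrator role, across all cloud apps, while
  excluding one emergency-access ("break-glass") account so the tenant can never be locked out.
  Assumes the Microsoft.Graph module and the Policy.ReadWrite.ConditionalAccess scope.
#>
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Well-known Entra directory role template ID for Global Administrator
$globalAdminRole = '62e90394-69f5-4237-9190-012177145e10'

# Placeholder (assumption): object ID of your break-glass account; replace before running
$breakGlassAccountId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Require MFA for Global Administrators'
    # Start in report-only to review sign-in impact, then change to 'enabled' to enforce
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeRoles = @($globalAdminRole)
            excludeUsers = @($breakGlassAccountId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state '$($created.State)'"
```

Extending `includeRoles` to the other privileged role template IDs (or simply to all users, as the article recommends) is a one-line change; keep the break-glass exclusion, protect that account with a long random password stored offline, and alert on any sign-in by it.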

🧿 Privacy:

  • A federal appeals court has ruled that ‘geofence warrants’ are illegal searches under the US Fourth Amendment. Geofence warrants are ‘reverse’ warrants used by law enforcement to request details from telcos and technology companies on any user who matches a certain geographical area. For example, they may request details on all mobile phones known to have been within a certain distance of a location around the time that a murder took place. The ruling from the US Court of Appeals for the Fifth Circuit contradicts a judgement from the Fourth Circuit, which rejected a different challenge to geofence warrants last month. Therefore, the topic will likely go on to be heard by the Supreme Court at some point. LINK
  • Texas Attorney General Ken Paxton is suing General Motors for collecting driving data on its customers and selling it to insurance companies without consent. LINK

💰 Investments, mergers and acquisitions:

  • Kiteworks (formerly Accellion; yes that one) has raised $465 million, valuing the company at over $1 billion. The money will be used to fuel a “pretty aggressive” acquisition strategy. LINK

🗞️ Industry news:

  • Wiz is to open a European headquarters in London and is looking to hire 100 staff locally by the end of the year. LINK

And finally 

  • “We got this horribly wrong”: CrowdStrike president Michael Sentonas accepted the Pwnie award for Most Epic Fail at Defcon last week. Props to him for being a good sport. The (hilariously oversized) trophy will be displayed in a prominent place at the CrowdStrike HQ as a reminder to “make sure everybody understands these things can’t happen.” LINK
  • Palo Alto Networks has apologised for having women dressed as lamps at a Black Hat hospitality event. There’s been a lot of talk on social media about this. For me, it’s a shame that the multiple marketing/PR/events people involved in setting up the event didn’t think it was an issue or were afraid to speak up about it. LINK
Robin
