Robin’s Newsletter #324

1 September 2024. Volume 7, Issue 35
Telegram CEO charged in France for illegal activity on the platform. Ukraine launches cyber range. Chinese attackers compromise four ISPs.

This week

Telegram CEO charged by French authorities

  • French prosecutors have charged Telegram CEO Pavel Durov in Paris for his role in building a platform to support illegal transactions and for refusing to cooperate with law enforcement on criminal investigations. Durov is banned from leaving France and must report to police twice weekly. The billionaire must also post a €5 million bail. LINK
  • The charges relate to criminals’ widespread use of Telegram and the company’s laissez-faire attitude to engaging with authorities. Contrary to some posts, the arrest and charges are not an attack on encryption. Despite promoting itself as a ‘secure messenger’, Telegram does not apply end-to-end encryption by default: only opt-in, one-to-one ‘secret chats’ are end-to-end encrypted, while regular chats and all group chats are encrypted only between the app and Telegram’s servers. NO E2EE
  • The lack of E2EE means that Telegram can see the content of messages passing through its servers. It is why French authorities are, ahem, disappointed it’s not helping with criminal investigations into money laundering and distribution of child pornography. They say Durov’s lack of cooperation makes him “complicit” in these crimes. CHARGES
  • Telegram has seemed shady for a long time. This is not just because of the content and lax attitude to tackling abuse but also misleading practices about ‘disappearing’ messages (just hidden in the app with the content stored permanently) and suspicious undocumented APIs for dumping the contents of group chats. SUS
  • The EU is also investigating if Telegram downplayed user numbers to come in below the 45 million user threshold, which would have led to its being regulated under the bloc’s Digital Services Act. REGS

Ukraine launches new cyber range

  • Ukraine has launched a new programme and ‘cyber range’ that is unusual in being open to a wide range of citizens. Students, researchers, state officials and employees of critical national infrastructure (CNI) organisations can apply to take part in exercises and practise responding to known tactics used by Russian adversaries.
  • It’s a neat capability, and I like that the authorities are making it open and free to a wider audience. LINK

Interesting stats

Only 20–30% of BlackByte’s successful attacks are publicised on the ransomware group’s leak site, according to Cisco Talos. LINK

42 days the average time between the first and last ‘on-chain’ scam activity so far in 2024, down from 271 days in 2020, suggesting that scammers are recycling their infrastructure faster than ever before, according to Chainalysis. LINK

Average days of on-chain scam activity has steadily decreased over the last four years from 271 days to 42 days (Source: Chainalysis)

Other newsy bits / in brief

⚠️ Incidents:

  • ‘Volt Typhoon’ attackers with ties to the Chinese government compromised four Internet Service Providers (ISPs) and installed malware to harvest the credentials of downstream customers. Security researchers at Lumen believe a vulnerability in the network management tool Versa Director was used to gain initial access. This kind of ‘on the wire’ or ‘in the middle’ access presents a great opportunity to target the ISP’s customers and potentially redirect their traffic. LINK, MORE
  • Staff at Seattle-Tacoma International Airport were hand-writing boarding passes, and passengers faced delays this week after system outages stemming from a ‘cyberattack’ persisted for days. The Port of Seattle’s websites, email, and phones have all been affected. Aircraft departure and security check systems are functioning as normal. LINK
  • A security researcher has discovered a publicly accessible database containing almost 2.7 TB of data, including HIPAA patient consent forms, contracts, invoices and other business data. The database belongs to ServiceBridge, a software-as-a-service field force management platform. Documents exposed date back to 2012, and it’s unknown how long the trove of over 31.5 million documents was exposed; ServiceBridge has secured the database but has not responded to the researcher or to requests for comment. LINK
  • Cognizant subsidiary TriZetto is suing Infosys for stealing intellectual property shared under non-disclosure agreements and using the trade secrets to improve its software. The data was shared to work together on mutual clients for a limited purpose. It’s an interesting case of misuse. Infosys denies the allegations. LINK
  • Microsoft’s malware detection systems incorrectly categorised and quarantined emails this week, leading to a flood of false positive notifications for system administrators. LINK
  • A service provider that helps verify flight crew was vulnerable to SQL injection attacks, allowing security researchers to add themselves to an airline’s roster. LINK
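The flight-crew roster story above is an authentication-bypass SQL injection: the login query trusts what the user typed, so a crafted username rewrites the query’s logic and the attacker lands in an airline admin session from which crew records can be added. Below is an added, self-contained illustration of that class of bug and its fix; it is constructed for this newsletter and is not the affected service’s code. The table names, the `ExampleAir` airline, the admin credentials and the roster rows are invented sample data held in an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data: a hypothetical crew-roster service with an
# admin login table. Nothing here comes from the real service in the story.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE admins (username TEXT, password TEXT, airline TEXT);
        INSERT INTO admins VALUES ('alice', 'correct horse', 'ExampleAir');
        CREATE TABLE crew (name TEXT, airline TEXT);
        INSERT INTO crew VALUES ('Bob Pilot', 'ExampleAir');
        """
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # VULNERABLE (the 'before' pattern): user input is spliced straight into
    # the SQL text, so quotes and comment markers in the input become SQL.
    query = (
        "SELECT airline FROM admins WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    # HARDENED: a parameterised query. The driver sends the values separately
    # from the statement, so they are never parsed as SQL.
    row = conn.execute(
        "SELECT airline FROM admins WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def add_crew(conn: sqlite3.Connection, name: str, airline: str) -> list:
    # What an attacker does once logged in as the airline's admin: add a
    # crew member. Returns the airline's roster after the insert.
    conn.execute("INSERT INTO crew VALUES (?, ?)", (name, airline))
    rows = conn.execute(
        "SELECT name FROM crew WHERE airline = ? ORDER BY name", (airline,)
    )
    return [r[0] for r in rows]


def demo():
    conn = build_db()
    # Classic bypass payload. In the vulnerable query it yields
    #   ... WHERE username = '' OR 1=1 --' AND password = 'anything'
    # '--' starts a SQL comment, so the password check disappears and
    # OR 1=1 makes the WHERE clause true for every row.
    payload = "' OR 1=1 --"
    hijacked = login_vulnerable(conn, payload, "anything")  # -> 'ExampleAir'
    safe = login_safe(conn, payload, "anything")             # -> None
    roster = add_crew(conn, "Mallory Attacker", hijacked) if hijacked else []
    return hijacked, safe, roster


if __name__ == "__main__":
    print(demo())
```

The safe variant uses the exact same SQL shape; the only change is that values travel as bound parameters. That is the check to make in any login or lookup path: if a query is built with `%`, `+` or f-strings from request data, it is injectable regardless of what characters the front end filters.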

🏴‍☠️ Ransomware:

  • The US Marshals Service denies that the Hunters International ransomware gang has compromised its systems. LINK
  • Halliburton’s disruption has been linked to the RansomHub ransomware gang. LINK
  • The City of Columbus has sued a man after he shared evidence contradicting the City’s statement on the severity of the incident. A judge in Ohio has issued a temporary restraining order against the security researcher to prevent them from sharing data obtained from the publicly accessible Rhysida leak site. LINK

🕵️ Threat Intel:

  • Microsoft Sway is being abused to host landing pages that redirect users to phishing pages. LINK
  • Iranian state-sponsored actors are acting as access brokers for ransomware gangs, according to a joint advisory from the FBI, CISA, and the DoD Cyber Crime Center (DC3). LINK
  • Microsoft says that Iranian threat actor group ‘Peach Sandstorm’ (aka APT33) is using new malware dubbed Tickler to backdoor networks of government, defence, satellite and oil & gas companies in the US and the United Arab Emirates. REPORT
  • Google says that Russia’s Cozy Bear (aka Midnight Blizzard, APT29) has been using exploits first associated with commercial spyware vendors. LINK, REPORT

🪲 Vulnerabilities:

  • SonicWall has patched a critical access control vulnerability in its SonicOS software. CVE-2024-40766 (9.3/10) doesn’t require an attacker to authenticate and can result in them crashing the firewall or gaining access to the management interface. LINK, ADVISORY

🧰 Guidance and tools:

  • CISA has launched a cyber incident reporting portal to report attacks and breaches voluntarily. LINK

🏭 Operational technology:

  • Researchers at Akamai say attackers are exploiting a zero-day vulnerability in a surveillance camera to build a Mirai-based botnet. LINK

🧿 Privacy:

  • The Dutch Data Protection Authority is moving to fine Uber €290 million ($325 million) for transferring driver data from Europe to the US without adequate safeguards. Uber intends to appeal the penalty. LINK 

👮 Law Enforcement:

  • The US Department of State is offering a $2.5 million reward for information leading to the arrest or conviction of Belarusian national Volodymyr Kadariya, aka Stalin, Essex, and baxus. LINK

💰 Investments, mergers and acquisitions:

  • Check Point has announced it intends to acquire Cyberint, a threat intelligence firm, for a rumoured $200 million. Cyberint’s capabilities will be rolled into Check Point’s managed services. LINK

🗞️ Industry news:

  • CrowdStrike’s Q2 revenue grew 32% to $963.9 million, though full-year guidance was revised down to between $3.89 billion and $3.90 billion, from $3.98 billion to $4.01 billion. LINK
  • Abigail Bradshaw, current chief of the Australian Cyber Security Centre (ACSC), has been selected as the new head of parent agency, the Australian Signals Directorate (ASD). LINK
  • Former Lacework and Twitter CISO Lea Kissner is replacing Geoff Belknap as CISO at LinkedIn. LINK

And finally

  • A disgruntled employee who tried to extort his employer after changing administrator account passwords to lock it out of 254 servers has been arrested. Daniel Rhyne, 57, of Kansas City, Missouri, was identified through incriminating web searches made from a hidden virtual machine on his laptop, looking for information on deleting domain accounts, clearing Windows logs and… how to change domain passwords. LINK
Robin
