Robin’s Newsletter #326

15 September 2024. Volume 7, Issue 37
TfL admits customer data stolen, 17-year-old arrested. UK data centres classified as CNI. Cydea turns 5!

It’s been a busy week! Clockwise from top left: at the British Library; Cyber Runway Scale founders bootcamp; outside 10 Downing Street; Cydea team on the roof in front of St Paul’s

It’s been a pretty incredible week, starting with a visit to 10 Downing Street last weekend. On Monday, we finally announced Cydea’s selection for the UK’s largest cyber security accelerator, Cyber Runway. On Wednesday, I joined the British Library as a board advisor on cyber security. Thursday was five years since I founded Cydea, and it was great to celebrate with colleagues, clients, and collaborators at a rooftop bar in London!

This week

TfL admits customer data stolen, will require in-person password reset for 30,000 staff

  • As the incident affecting Transport for London rolled into its second week, a line on their cyber incident page that read “There is no evidence that any customer data has been compromised” was quietly replaced with one saying, “The security of our systems and customer data is very important to us.” LINK
  • TfL says that “Some Oyster card refund data may have been accessed”, including the bank account numbers and sort codes of around 5,000 customers. TfL’s transport network continues to operate normally, though some Oyster card (contactless ticket) top-ups cannot be processed.
  • As rumours of wide-scale environment rebuilds swirl, TfL has told its 30,000 employees to attend in person to verify their identities and reset passwords. LINK
  • The National Crime Agency announced that they had arrested a 17-year-old male in Walsall, England, on Thursday concerning the incident. A 17-year-old male was also arrested in July in connection with the attack on MGM Resorts, carried out by Scattered Spider, though no link has been officially acknowledged. LINK

UK designates data centres as critical national infrastructure

  • UK Science and Technology Secretary Peter Kyle announced that data centres are critical national infrastructure. The move means the government will provide data centre operators additional support with threat assessments and emergency response efforts. LINK
  • While no new regulations come with classification, it’s likely that the government will also set higher expectations in the forthcoming Cyber Security and Resilience Bill, which will be tabled later this year. LINK

Interesting stats

Cyber workforce numbers: 5.5 million people in the global cyber security workforce, up just 0.1% year-on-year (YoY), according to ISC2’s annual study, while 4.8 million additional people (up 19% YoY) are needed to fill the ‘workforce gap’. Lack of budget, budget cuts, and hiring freezes are the top three reasons given by respondents for the shortfall. There are some interesting trends and data in the report, but take some of it with the pinch of salt you’d expect from a source that shows a two-point drop on an exaggerated chart like this. LINK

Bad ISC2: cyber staffing shortages have dropped from 69% to 67% over the last couple of years, but you’d think it was much more based on this poor chart (source: ISC2)

US Crypto scams: $5.6 billion in losses (up 45%) from 69,468 complaints with a ‘cryptocurrency nexus’ to the FBI in 2023. REPORT (PDF)

Other newsy bits / in brief

🤓 Interesting reads:

  • watchTowr’s CEO was able to register a domain previously used by the .mobi domain name administrators. It turns out that many places are still using the old domain to verify various bits of information, which could have been a bad thing. It’s dressed up around the security and purpose of the WHOIS service, but to me it equally highlights the shortcomings of, or misplaced reliance on, other services, such as those issuing SSL/TLS certificates! LINK
  • Researchers could identify what Apple Vision Pro users were typing by tracking the eye movements of their virtual avatars in video calls. They could identify passwords 77% of the time within five guesses, while accuracy improved to 92% in messages. When joining a video call with a Vision Pro headset, Apple renders a (mostly) lifelike digital avatar of the user, down to their facial reactions and eye movements. The issue? Vision Pro also uses your eyes to type information on the virtual keyboard. Apple patched the issue at the end of July. LINK

⚠️ Incidents:

  • Around 1.3 million Android-based streaming TV boxes have been compromised with the Android.Vo1d malware, but researchers are unsure how. LINK
  • Slim CD, an online payment gateway in the US and Canada, has reported a breach affecting 1.7 million individuals. The perpetrators gained unauthorised access starting in August 2023, culminating with access to credit card information for two days in June this year. Slim CD says that the cardholder’s name, physical address, card number and expiration date were all compromised during this period, though the card verification number (CVV) was not exposed. LINK
  • Fortinet has confirmed a data breach after threat actors claimed to have stolen 440GB of data from Fortinet’s Microsoft 365 environment. The threat actor, calling themselves “Fortibitch”, has published the data to an AWS S3 bucket, along with the credentials needed to access it, after a failed attempt to extort the cyber security vendor. Fortinet says that the incident affects less than 0.3% of its customer base. LINK
  • A cybercriminal claims to have stolen 20GB of data from Capgemini, including staff information, hashed passwords, and client data backups. LINK
  • 23AndMe has agreed to pay $30 million to settle its 2023 data breach affecting 6.9 million people. The genetic testing company’s cyber insurance will cover around $25 million of those charges. LINK
  • A Tennessee school district has lost $3.36 million to a fraudulent online curriculum provider. The US Secret Service tracked the business email compromise scam to accounts owned by a 76-year-old Texan, John Crowson, who admitted to opening the accounts for his fiancee, who has subsequently had to “go overseas to take care of unfinished business from her father”. I don’t think she’s coming back, John. LINK

🏴‍☠️ Ransomware:

  • The Hunters International ransomware gang claims to have stolen over 5.2 million files from the London branch of the Chinese state-owned Industrial and Commercial Bank of China (ICBC). LINK
  • Pennsylvania healthcare provider Lehigh Valley Health Network (LVHN) is to pay out $65 million to settle a class-action lawsuit brought by 134,000 patients whose data was swiped by the ALPHV/BlackCat cyber criminals during a ransomware attack in February 2023. LINK
  • The Port of Seattle says it has refused to pay the demands of the Rhysida ransomware group and warns that the cyber criminals may publish the stolen data on the dark web. The contents of the data are unknown, but the Port says it will contact those affected with “employee or passenger personal information.” LINK

🕵️ Threat Intel:

  • Trend Micro says that the Chinese espionage group Mustang Panda has switched the malware it uses to exfiltrate data from target networks. Malware called FDMTP and PTSOCKET is ultimately installed after the HIUPAN worm and PUBLOAD stager are dropped through infected USB drives. LINK
  • The Quad7 botnet is expanding and Team Cymru has seen custom malware developed to infect Zyxel VPN appliances and Ruckus wireless routers. LINK
  • Palo Alto says they’ve seen an increase in the use of HTTP refresh headers to redirect users to malicious URLs. LINK
  • US officials believe the likelihood of Russian sabotage of undersea communications and electricity cables is increasing, following an increase in military activity around key undersea cables by a dedicated unit, the “General Staff Main Directorate for Deep Sea Research,” or GUGI (its Russian acronym). LINK 
  • The US Department of State says that Russian intelligence has embedded an operational cyber capability within the state-controlled RT media company. LINK
  • Polish authorities say they have dismantled a joint Belarusian/Russian cyber-espionage group. LINK
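The Refresh header technique above is simple, but it is easy to miss because the response itself is a 200 rather than a 3xx. As an added example (not Palo Alto’s tooling or data), the Python below parses the `Refresh` header and its `<meta http-equiv="refresh">` equivalent out of raw HTTP responses and flags any that navigate to a host other than the one that served the page. The sample responses are constructed, the hostnames are invented, and “external” is judged purely by comparing hostnames, which is an assumption you would tune for a real deployment (e.g. allow-listing sibling domains).

```python
"""Flag HTTP responses that navigate the browser via a Refresh directive
to a host other than the one that served the page.
Added example; not Palo Alto's tooling. Sample responses are constructed."""
import re
from urllib.parse import urljoin, urlsplit

# Refresh value grammar: "<seconds>[; url=<target>]"; keyword case and quotes vary.
_REFRESH_VALUE = re.compile(
    r"""^\s*(?P<delay>\d+)\s*(?:[;,]\s*url\s*=\s*['"]?(?P<url>[^'"\s>]+)['"]?)?\s*$""",
    re.IGNORECASE,
)
# <meta http-equiv="refresh" content="..."> (assumes http-equiv precedes content).
_META_REFRESH = re.compile(
    r"""<meta\b[^>]*http-equiv\s*=\s*['"]?refresh['"]?[^>]*content\s*=\s*['"]([^'"]+)['"]""",
    re.IGNORECASE,
)
_HEADER_LINE = re.compile(r"^refresh\s*:\s*(.+)$", re.IGNORECASE)

# Constructed samples: (URL the response came from, raw response bytes as text).
SAMPLE_RESPONSES = [
    ("https://example.com/index.html",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
     "Refresh: 0; url=https://example.com/home\r\n\r\n<html>home</html>"),
    ("https://example.com/invoice",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
     "refresh: 0;URL='https://login-verify.example.net/auth'\r\n\r\n<html>one moment</html>"),
    ("https://example.com/about",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
     "<html><head><meta http-equiv=\"refresh\" content=\"3; url=/contact\"></head></html>"),
    ("https://example.com/status",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nRefresh: 30\r\n\r\n<html>queue: 4</html>"),
    ("https://example.com/plain",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>"),
]


def _split_response(raw):
    """Return (header lines without the status line, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    return head.split("\r\n")[1:], body


def parse_refresh(value):
    """Return (delay_seconds, target_or_None), or None if not a refresh directive."""
    m = _REFRESH_VALUE.match(value)
    if not m:
        return None
    return int(m.group("delay")), m.group("url")


def find_refresh_redirects(origin_url, raw_response):
    """List every header or <meta> refresh in the response that navigates somewhere."""
    headers, body = _split_response(raw_response)
    candidates = [("header", h.group(1)) for h in map(_HEADER_LINE.match, headers) if h]
    candidates += [("meta", content) for content in _META_REFRESH.findall(body)]

    origin_host = urlsplit(origin_url).hostname
    findings = []
    for source, value in candidates:
        parsed = parse_refresh(value)
        if parsed is None or parsed[1] is None:
            continue  # a bare "Refresh: 30" is a periodic reload, not a redirect
        delay, target = parsed
        absolute = urljoin(origin_url, target)  # resolve relative targets
        findings.append({
            "source": source,
            "delay": delay,
            "target": absolute,
            "external": urlsplit(absolute).hostname != origin_host,
        })
    return findings


def scan(responses):
    """Return (origin_url, finding) pairs for every cross-host refresh redirect."""
    return [(origin, f)
            for origin, raw in responses
            for f in find_refresh_redirects(origin, raw)
            if f["external"]]


if __name__ == "__main__":
    for origin, finding in scan(SAMPLE_RESPONSES):
        print(f"{origin} -> {finding['target']} via {finding['source']} after {finding['delay']}s")
```

Running it flags only the `/invoice` response, which hands the visitor to `login-verify.example.net` with a zero-second delay; the same-origin header redirect, the relative `<meta>` redirect and the bare periodic reload are all left alone. In a proxy or sandbox pipeline the same check can be applied to the `Refresh` header directly, since that is what the browser honours before any HTML is parsed.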

🪲 Vulnerabilities:

  • Progress Software is warning of a critical vulnerability in its LoadMaster and LoadMaster Multi-Tenant hypervisors. CVE-2024-7591 (perfect 10) gives attackers unauthenticated remote code execution. LINK, ADVISORY
  • Ivanti also warns of a perfect 10 vulnerability in its Endpoint Manager software. CVE-2024-29847 affects Ivanti EPM 2022 and 2024 and allows an attacker to achieve remote code execution; it is fixed in EPM 2022 SU6 and in the September update for EPM 2024. Nine other critical vulnerabilities are referenced in the same security advisory, with a ‘hot patch’ being released to address the issues. LINK, ADVISORY
  • Adobe has fixed a critical zero-day vulnerability (CVE-2024-41869) in its Acrobat Reader product that was exploited in the wild. LINK, ADVISORY

🛠️ Security engineering:

  • Some Android users with side-loaded apps are starting to see ‘get this app from Google Play’ prompts that stop their locally installed version from running. LINK

🏭 Operational technology:

  • The majority of OT environments contain at least four remote access tools, and 4 in 5 contain ‘non-enterprise grade’ tools that lack crucial authentication and audit capabilities, according to Claroty. LINK

🧿 Privacy:

  • WhatsApp’s view once privacy feature may be bypassed. LINK
  • Ireland’s Data Protection Commission is investigating Google’s use of personal data in the Mountain View company’s Pathways Language Model 2, or PaLM 2. LINK

📜 Policy & Regulation:

  • The Australian government is bringing forward a bill to make doxing a crime, punishable by up to seven years in prison. LINK

💰 Investments, mergers and acquisitions:

  • There are some things money can’t buy; Recorded Future isn’t one of those things. Mastercard has agreed to acquire threat intel outfit Recorded Future from Insight Partners for $2.65 billion. The two companies have been collaborating on an AI solution to detect card fraud, which apparently doubled detection rates, so the transaction may quickly pay for itself. Recorded Future’s services will ‘bolster’ Mastercard’s competitive advantage in the cyber security services it sells to banks and fintechs. LINK
  • Quorum Cyber has acquired Defend, a Canadian MSSP with around 80 employees, to accelerate growth in the North American market. Quorum was founded in Edinburgh in 2016 and reports over 200 customers. LINK

And finally

  • Nightsleeper, a thriller on BBC iPlayer about a ‘hack-jacking’ of a sleeper train from Glasgow to London airs tonight. I’ve not watched it, but it sounds a bit like Michael Bay cast Michael Portillo in a railway version of Speed. Helpfully, Auntie has an article covering if this could happen in real life: “fairly unlikely”. LINK
Robin
