This week
US dismantles large Chinese botnet
- The FBI has dismantled a massive botnet that had compromised 260,000 devices over the past four years. US authorities say that the Flax Typhoon threat actor group, linked to the Chinese government, operated the botnet. LINK
- At its peak in July 2023, the botnet, tracked as Raptor Train, contained over 60,000 devices, 75% of which were located in North America and Europe.
- Botnets like this are useful tools for cyber espionage campaigns. They aid threat actors in covering their tracks and circumventing IP or geographic detections or filtering capabilities in use by targets.
- It’s the second such takedown the FBI has effected this year, after a similar botnet was covertly nixed in January.
Kevin Mandia’s five ‘confidence questions’ for CISOs
Kevin Mandia says he encourages CEOs to ask the following five questions to test confidence in their CISO’s security programme. LINK
- How would you break into us? What is our weak spot?
- What is our worst-case scenario?
- What would you do if the worst-case scenario occurred?
- How resilient are we? How long would it take to recover our systems and applications?
- What do you need?
A bumper round of interesting reads
🤓 Interesting reads:
- “The only thing that we kept from the old environment into the new environment was the cables” — UnitedHealth Group CISO Steven Martin, on the “start over” at Change Healthcare in response to their February 2024 ransomware attack. LINK
- The US’ first cyber ambassador, Nate Fick, on the “urgent” need for ‘cyber deterrence’. “[Russia and China are] pushing and prodding, they’re testing, and we need to ensure that we enforce the norms and don’t allow them to expand the box of what is tolerated”. LINK
- Jen Easterly, CISA director, delivered a keynote at Mandiant’s mWISE conference this week, during which she lamented the “glamorising” of threat actors with fancy names (amen) and called on more to be done about “product defects” (software vulnerabilities). “Despite a multi-billion-dollar cyber security industry, we still have a multi-trillion-dollar software quality issue leading to a multi-trillion-dollar global cyber crime issue,” Easterly said. LINK
- Suzanne Smalley has interviewed five former Trump officials about what cyber policy would look like under a second Trump presidency. LINK
- Hezbollah’s exploding pagers and walkie-talkies weren’t the result of a cyber attack, and you needn’t worry about your mobile phone, say Lily Hay Newman and Matt Burgess for WIRED. LINK
Interesting stats
2/5 of intrusions at US critical infrastructure organisations in the US government’s 2023 fiscal year (to end September 2023) used valid user accounts, often compromised as the result of spear phishing. LINK
28% of people have been targeted by an AI voice cloning scam at least once in the past year, according to Starling Bank, which is trying to raise awareness of scammers using social media clips to spoof victims’ voices in voicemails and messages to friends and family asking for cash. LINK
I’m unconvinced by this stat; it seems high to me (over 1/4 of people you know have had their voice cloned?!), but I’m interested and willing to be proved wrong. So… Have you been targeted by an AI voice cloning scam in the last year? YES, NO
1/10 organisations will ditch their security vendors following the CrowdStrike outage, according to a survey of 311 affected organisations interviewed by Germany’s Federal Office for Information Security (BSI). 4% say they have already switched, while 6% say they plan to do so in the near future. LINK
Other newsy bits / in brief
⚠️ Incidents:
- Russian antivirus company Doctor Web (Dr.Web) has declared a security breach after detecting “signs of unauthorised interference” to its systems. LINK
- Several British MPs and organisations, including the World Health Organisation and TV show Great British Menu, had their Twitter/X accounts compromised to promote a cryptocurrency scheme. LINK
- The Chinese e-commerce platform Temu denies that it suffered a data breach after a threat actor put an alleged 87 million customer records up for sale on a cybercrime forum. Temu says it has checked the data samples and has not found any matches with its own systems. LINK
- The FBI says that Iranian threat actors were behind copies of Donald Trump campaign emails sent unsolicited to the Biden-Harris campaign (as it was then) earlier this year. LINK
- Attackers broke in and stole data from Harvey Nichols’ systems. Customers of the high-end department store, understandably, aren’t happy. The company hasn’t explained how or when the incident occurred. LINK
- TfL has written to 5,000 customers whose details were compromised in a recent data breach. LINK
🏴☠️ Ransomware:
- A volunteer radio station in Germany was forced to broadcast from an ‘emergency tape’ after ransomware actors encrypted “all music files and are demanding a large ransom from the station.” LINK
- The Qilin ransomware group published more than 900,000 people’s information after its attack on NHS pathology supplier Synnovis in June this year (vol. 7, iss. 25), according to an analysis by CaseMatrix. LINK
🕵️ Threat Intel:
- Ukraine has banned Telegram on state, military and critical infrastructure devices over national security fears that Russia has backdoor access to messages on the platform. LINK
- The PKFail incident (vol. 7, iss. 30), where Secure Boot root-of-trust keys marked “DO NOT TRUST” were used in production devices, affects far more devices than originally known. Researchers at Binarly now believe 972 models, rather than 513, used the test keys, including medical devices, games consoles, ATMs, point-of-sale terminals and electronic voting terminals. LINK
- Recorded Future says that a cybercrime group called Marko Polo targets cryptocurrency users through social media scams. The so-called ‘traffic team’ (because they redirect victims’ web traffic) lures victims in with fake job opportunities and encourages them to install trojanised software. LINK
- Ransomware gangs are using Microsoft’s Azure Storage Explorer and AzCopy utility to quickly copy data from compromised environments to attacker-controlled Azure Blob storage. LINK
- Threat actors are targeting accountancy software used by the construction industry. Foundation Software’s product includes a Microsoft SQL Server component that needs to be publicly accessible to support an associated mobile app. Attackers are gaining access by using default credentials and brute-forcing weak passwords on the default ‘sa’ and ‘dba’ accounts. LINK
- Researchers at Russian cyber firm FACCT say crypto-mining malware is being delivered as hyperlinks in out-of-office emails sent from email accounts compromised by cybercriminals. Presumably, because they arrive as replies to a legitimate outbound email, the messages find it easier to pass email security filters and enjoy higher trust with recipients. LINK
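The Foundation Software item above comes down to password guessing against an internet-exposed SQL Server. As an added example (not code from the newsletter, Huntress or Foundation Software), here is a small Python script that spots that activity in SQL Server’s ERRORLOG, where every failed login is recorded as error 18456 by default. The log lines are constructed in that format for illustration, the client addresses are RFC 5737 documentation addresses, and the threshold and time window are assumptions to tune for your own environment.

```python
"""Spot password guessing against SQL Server logins in the ERRORLOG.

Added example; not code from the newsletter, Huntress or Foundation Software.
SQL Server records every failed login as error 18456 in its ERRORLOG by
default. SAMPLE_LOG below is constructed in that format for illustration and
uses RFC 5737 documentation addresses; the threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# 'Login failed' line as SQL Server writes it: timestamp, source column 'Logon',
# the login name, the reason, and the client address in square brackets.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>.*?) "
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

# Default/high-value logins singled out in the reporting on Foundation Software.
WELL_KNOWN = {"sa", "dba"}

# Constructed sample: a burst of guesses from one address, one admin typo from another.
SAMPLE_LOG = [
    # SQL Server precedes each failure with an 'Error: 18456 ... State: N.' line
    # (state 8 = wrong password, state 5 = no such login); only the first is shown.
    "2024-09-20 10:15:32.12 Logon       Error: 18456, Severity: 14, State: 8.",
    "2024-09-20 10:15:32.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2024-09-20 10:15:33.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2024-09-20 10:15:34.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2024-09-20 10:15:35.77 Logon       Login failed for user 'dba'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2024-09-20 10:15:36.20 Logon       Login failed for user 'dba'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2024-09-20 10:15:37.95 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]",
    "2024-09-20 11:02:10.55 Logon       Login failed for user 'jsmith'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]",
]


def parse_failures(lines):
    """Extract the failed-login records; all other ERRORLOG lines are ignored."""
    failures = []
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            failures.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "user": m["user"],
                "client": m["client"],
                "no_such_login": m["reason"].startswith("Could not find a login"),
            })
    return failures


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client: summary} for every client address with at least
    `threshold` failed logins inside any sliding `window` of time."""
    by_client = defaultdict(list)
    for f in parse_failures(lines):
        by_client[f["client"]].append(f)

    alerts = {}
    for client, fails in by_client.items():
        fails.sort(key=lambda f: f["ts"])
        start = 0
        for end, f in enumerate(fails):
            # Slide the window start forward until it covers at most `window`.
            while f["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({x["user"] for x in fails})
                alerts[client] = {
                    "attempts": len(fails),
                    "first": fails[0]["ts"].isoformat(),
                    "last": fails[-1]["ts"].isoformat(),
                    "users": users,
                    "well_known_targets": sorted(WELL_KNOWN & set(users)),
                    # Names that do not exist as logins: the attacker is guessing.
                    "guessed_names": sorted({x["user"] for x in fails if x["no_such_login"]}),
                }
                break
    return alerts


if __name__ == "__main__":
    for client, summary in detect_bruteforce(SAMPLE_LOG).items():
        print(client, summary)
```

Two caveats worth knowing when you run something like this for real: the `Error: 18456 ... State: N.` line that precedes each failure tells you whether the login exists (state 8, wrong password) or not (state 5), which separates spraying of known accounts such as `sa` from blind name guessing; and, because SQL Server audits failed logins only by default, a guess that eventually succeeds leaves no “Login succeeded” line unless the server’s login auditing is set to record both failed and successful logins.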
🪲 Vulnerabilities:
- D-Link fixed critical vulnerabilities in its DIR-X WiFi 6 routers and COVR mesh networking systems. One of the five vulnerabilities, CVE-2024-45697 (9.8/10) relates to a telnet service being enabled when the router’s WAN port is plugged in, which allows remote access via (you guessed it) hard-coded credentials. This is the kind of thing that just Shouldn’t Be A Thing™ and what Jen Easterly is getting at when she says we have a software quality problem (above). LINK, ADVISORY
- GitLab has fixed a critical SAML authentication bypass vulnerability in its Community Edition and Enterprise Edition self-managed software. CVE-2024-45409 stems from a flaw in the OmniAuth-SAML and Ruby-SAML libraries used by GitLab to handle authentication. If you can’t update straight away, GitLab says enabling two-factor authentication for all user accounts (and not allowing the SAML two-factor bypass option) mitigates the issue. LINK, ADVISORY
- Ivanti warns customers about an actively exploited vulnerability in its Cloud Services Appliance (CSA) product. CVE-2024-8963 (9.4/10) is an admin bypass vulnerability caused by a path traversal weakness. LINK, ADVISORY
🧑💻 End user and consumer:
- Google is rolling out passkey syncing for its password manager built into Chrome. LINK
🛠️ Security engineering:
- ServiceNow instances with knowledge bases may expose internal articles to the web. Where the older ‘User Criteria’ permission system is used instead of the access control system, external actors can brute-force knowledge base article IDs and view the articles. LINK
- Apple’s macOS 15 update, released this week, has caused some security tools — including CrowdStrike, SentinelOne and Microsoft — to stop working. LINK
🧿 Privacy:
- The FTC has a lengthy report examining how streaming services and social media have become ‘mass surveillance’ machines with vast data collection systems. Quelle surprise. It’s based on an analysis from 2019-2020, but it’s good work to have been published nonetheless. LINK
- AT&T has settled its January 2023 data breach for $13 million with the Federal Communications Commission (FCC). LINK
- LinkedIn is training its AI on user data before updating its terms of service and via a ‘default on’ privacy setting. The “Data for Generative AI Improvement” setting (under Data Privacy) has since been removed following a quick backlash from users and concerns raised by regulators, such as the ICO. LINK, MORE, ICO
📜 Policy & Regulation:
- Four of the US’ largest internet service providers (ISPs) have told the Supreme Court that they don’t want to disconnect users accused of copyright infringement by major record labels and movie studios because it “would harm innocent people by depriving households, schools, hospitals, and businesses of Internet access.” LINK
👮 Law Enforcement:
- Twelve people have been sentenced this month for their roles in cryptocurrency thefts that involved SIM swapping, kidnapping, torture and ransom. Florida man Jarod Seemungal stole $3 million alone from one victim and was sentenced to 20 years in prison, while co-conspirator Remi St. Felix was sentenced to 47 years on nine counts relating to firearms and violent crime. It’s the five dollar wrench playbook. LINK
- A Europol investigation has led to 51 arrests and the shutdown of an encrypted mobile messaging platform used by criminals, called Ghost. LINK
- German authorities have seized 47 cryptocurrency exchanges, known to be used for money laundering and by ransomware gangs, that operated out of the country. LINK
💰 Investments, mergers and acquisitions:
- Security validation startup Picus Security has closed a $45 million Series C funding round led by Riverwood Capital. LINK
- EasyDMARC has announced a $20 million Series A round led by Radian Capital. LINK
🗞️ Industry news:
- Congrats to Joe and the team at Mishcon de Reya on becoming the first law firm to be recognised by the NCSC for cyber incident response. LINK
- Cisco has let go of thousands of employees in its second round of lay-offs this year. In August, the networking and cybersecurity company announced it would reduce its workforce by around 5,600 employees, on top of 4,000 layoffs earlier in 2024. LINK
- CREST has landed funding from the UK Foreign, Commonwealth and Development Office (FCDO) to boost overseas countries’ cyber security ecosystems. Armenia, Bahrain, Georgia, Ghana, Lithuania, Kenya, Thailand, Oman and the Philippines are all set to benefit. LINK
And finally
- Not cyber, but a paper on using mushrooms to control robots. LINK