Robin’s Newsletter #329

6 October 2024. Volume 7, Issue 40
LockBit arrests. Evil Corp linked to Russian intelligence. Meta Ray Bans used in creepy facial recognition concept.

This week

Thanks for your feedback on the Need to Know Matrix last week. Hopefully, this size is more legible on smaller screens. (The more feedback, the merrier: let me know what you think!) 

Need to Know, 6th Oct 2024

  • Ransomware is a ‘low’ priority for business execs (Interesting Stats)
  • UK, FR LockBit arrests (This Week)
  • Evil Corp linked to FSB (This Week)
  • Creepy facial recognition specs (This Week)
  • FIN7 using deepfake nude sites to infect victims (Threat Intel)
  • AI code tools hallucinate dependencies (Security Engineering)  

LockBit arrests; Evil Corp linked to Russian intelligence

  • A host of activities from the UK’s National Crime Agency, partner agencies, and allied nations relating to the notorious Russian cybercrime group Evil Corp this week.
  • The UK, US, and Australia have sanctioned 16 individuals they accuse of being connected to the cybercrime group.
  • The NCA reveals that ringleader Maksim Yakubets’ Evil Corp was a family affair, with his father, father-in-law, brother, and cousins all being sanctioned.
  • Eduard Benderskiy, Yakubets’ father-in-law, was formerly a high-ranking official in Russia’s FSB domestic intelligence agency. The NCA says, “Benderskiy used his extensive influence to protect the group, both by providing senior members with security and by ensuring they were not pursued by internal Russian authorities.” In return, the NCA believes the Russian government tasked Evil Corp with carrying out attacks against NATO countries.
  • Russian national Aleksandr Ryzhenkov is also being named as the LockBit affiliate known as “Beverley”. The NCA believes that Ryzhenkov is “second in command” at Evil Corp. LockBit has always denied any connections to Evil Corp.
  • Four suspected LockBit members have been arrested, including two in the UK and one holidaying in a country that has an extradition treaty with France. Their identities have been determined by analysing troves of data obtained from the seizure of LockBit’s leak site in February of this year.
  • While it may not result in direct action, revealing and drawing attention to the connections may destabilise the privileged relationships between cyber criminals and the Russian state. It also strengthens the case in broader diplomatic efforts with Russia and other nations.
  • LINK, MORE, LOCKBIT, ARRESTS

Harvard undergrads build AI tool to ID passers-by using Meta Ray-Bans

  • AnhPhu Nguyen and Caine Ardayfio, undergraduates at Harvard University, have built a pair of AI glasses “that reveal anyone’s personal details… just from looking at them.” In a video posted to X/Twitter they show how they can pull up details on passers-by of exactly the kind that forms the opening of a social engineering attack. VIDEO
  • The glasses work by streaming the built-in camera in the Meta Ray-Ban glasses to Instagram, with a bot monitoring this feed for faces. When it detects one, it performs a reverse image search and then queries various people-search engines and public records to build a dossier on the individual. LINK, MORE
  • The techniques used here basically automate open-source intelligence searches on a person. The input happens to be novel (streaming from smart glasses) but could just as easily be input from a LinkedIn profile picture or other photo taken of a subject. Nguyen and Ardayfio are not releasing the project, citing their desire to demonstrate current capabilities and raise awareness of these technologies.
  • The duo’s writeup of the glasses, which they call I-XRAY, also contains details on how to remove your details from services they’ve stitched together. REMOVE

Interesting stats

Ransomware is less of a concern to other business execs than it is to CISOs. Their top five concerns are: 42% cloud threats, 38% hack and leak operations, 35% third-party breaches, 33% attacks on connected products, and 27% ransomware, according to PwC’s survey of 4,020 business leaders. LINK

22% of healthcare ransomware victims manage to recover in a week, while 42% recovered within one month, and 36% took over one month to fully recover, according to Sophos (n=271). LINK

1,273 ransomware attacks were reported to the UK ICO in 2023, with 7% being investigated, down from 99% in 2020. This could be because the modus operandi of cybercriminals, and therefore the potential harm from personal data breaches, is better understood. LINK

$403,000 median North American CISO pay, according to IANS Research (n=755). LINK

Other newsy bits / in brief

🤓 Interesting reads:

  • The shift of national cyber strategies from deterrence to persistence and the ‘continuous contesting’ of cyberspace. The language in NATO and US allies’ national cyber strategies is shifting and aligning. LINK
  • Hurricane Helene has disrupted operations at high-purity quartz mines in Spruce Pine, North Carolina. HPQ, as it’s often referred to, is an important material in semiconductor production, and facilities at Spruce Pine account for 70% of the world’s production. Disruptions to tech supply chains are unlikely to be felt for a month, and it’s unclear if or where stockpiles of HPQ may exist. During COVID, automobile manufacturing was severely hampered by shortages and price-sensitivity of semiconductors. 60% of the US’ intravenous (IV) fluid supply originates from a plant in North Carolina, too. QUARTZ, IV FLUID

⚠️ Incidents:

  • News agency Agence France-Presse (AFP) says that it’s experienced a cyberattack affecting “part of its delivery service to clients”. LINK
  • Cloud hosting business RackSpace’s monitoring infrastructure was compromised, and ‘limited’ customer details were accessed. The attackers gained access by exploiting a zero-day vulnerability in a piece of software bundled with the ScienceLogic monitoring suite used by RackSpace. (H/t Lee) LINK
  • Two men stole $1 million from DoorDash delivery workers by hijacking their accounts and misdirecting their wages. LINK

🏴‍☠️ Ransomware:

  • Texas-based UMC Health System diverted patients the week after a ransomware attack affected its ability to operate. LINK
  • 237,000 Comcast customers have had their personal information stolen from debt collector Financial Business and Consumer Solutions (FBCS) during a ransomware attack. LINK

🕵️ Threat Intel:

  • FIN7 uses a network of AI deep fake nude generator sites to infect victims with info-stealing malware. LINK
  • North Korea is targeting Southeast Asian countries with ‘Shrouded Sheep’ malware, according to Securonix. LINK
  • Malware called Perfctl has stealthily been infecting thousands of Linux machines since 2021, according to Aqua Security. The compromised hosts are often used to mine cryptocurrency and use various techniques to hide themselves, making it difficult to remove the infection. LINK

🪲 Vulnerabilities:

  • DrayTek has released updates to fix 14 vulnerabilities in its routers, including a CVSS 9.1 scoring command injection issue. Over 700,000 devices are exposed online, and patches have been released for both supported and end-of-life devices (bravo). LINK, DOWNLOADS
  • CISA is warning about critical authentication and remote code execution vulnerabilities in Optigo Networks ONS-S8 switches. CVE-2024-41925 (9.8/10), CVE-2024-45367 (9.1/10). LINK, ADVISORY

🛠️ Security engineering:

  • AI code tools are hallucinating package names of dependencies that don’t exist. Researchers from the University of Texas at San Antonio, the University of Oklahoma, and Virginia Tech used 16 popular large language models (LLMs) to generate 576,000 code samples. Commercial LLMs hallucinated non-existent packages in over 5% of cases and open source models in nearly 22%. Attackers could register commonly hallucinated names and wait for a developer to copy/paste the code into a business application. (A similar threat exists today from copy/pasting snippets from Stack Exchange.) LINK, PAPER (PDF)

🧿 Privacy:

  • T-Mobile has agreed to pay $15.75 million and improve its security to settle data breaches affecting millions of US customers in 2021, 2022 and 2023. LINK
  • The ICO has fined the Police Service of Northern Ireland (PSNI) £750,000 for publishing personal details of all its officers and staff. The ICO says the fine would have been £5.6 million if not for a policy to minimise penalties to publicly funded bodies. LINK
  • Ryanair is facing an investigation from Ireland’s Data Protection Commission over the identity verification checks it imposes on customers who do not purchase their tickets directly from the budget airline. LINK

📜 Policy & Regulation:

  • White House deputy national security advisor Anne Neuberger has penned an op-ed in the Financial Times promoting good cyber hygiene and saying that the practice of insurance companies paying ransomware demands “must end”. LINK, MORE

👮 Law Enforcement:

  • The DOJ and Microsoft have seized 41 domains that they say have been used by Russia’s Callisto Group (aka Star Blizzard, Coldriver), part of the FSB, in phishing campaigns. LINK
  • US Immigration and Customs Enforcement has signed a $2 million contract with an Israeli spyware maker. Paragon Solutions will supply a “fully configured proprietary solution” to ICE’s Homeland Security Investigations Division 3. LINK
  • Russian authorities have arrested almost 100 in raids connected to the UAPS and Cryptex cryptocurrency exchange — both connected to money laundering in US indictments unsealed last week. LINK

💰 Investments, mergers and acquisitions:

  • Harmonic Security has announced a $17.5 million Series A funding round led by Next47. Harmonic will use the investment to scale up engineering and go-to-market teams behind its “zero-touch data protection” solution. Huge congrats to Al, Bryan, and the rest of the team. (Disclosure: Harmonic is a Cydea customer). LINK
  • Eon, a startup specialising in backing up cloud infrastructure, has emerged from ‘stealth’ with $127 million in funding. LINK
  • Dragos has announced the acquisition of Network Perception, an OT network visualisation vendor. LINK

🗞️ Industry news:

  • Kevin Mandia has joined SpecterOps as chair of its board of directors. Mandia founded Mandiant and will continue his advisory role at Google Cloud, which acquired Mandiant two years ago. SpecterOps is a Virginia-based startup behind the BloodHound attack path visualisation product. LINK

And finally

  • Happy eighth birthday, NCSC. Richard Horne, former cyber security partner at PwC, joins the organisation as CEO this coming week. LINK
Robin