This week
Thanks for your feedback on the Need to Know Matrix last week. Hopefully, this size is more legible on smaller screens. (The more feedback, the merrier: let me know what you think!)
- Marriott required to certify cyber compliance for 20 years in FTC settlement (This Week)
- Chinese compromise of major US ISPs (This Week)
- Anti-abortion group may have breached booking systems (Incidents)
- The FBI created its own cryptocurrency (Interesting Reads)
- LEGO website compromised to push scam (Incidents)
- Ukrainian hacktivists knocked Russian TV off-air on Putin’s birthday (Incidents)
Chinese actors gained access to AT&T, Lumen, Verizon
- Chinese actors have compromised three US telecommunication and internet providers in a “potentially catastrophic” breach. The Wall Street Journal broke the news that the Chinese ‘Salt Typhoon’ group had gained unauthorised access to systems at AT&T, Lumen (formerly CenturyLink), and Verizon. WSJ, CNN
- Access is believed to have been by way of a ‘backdoor’ to wiretap systems required under federal law. The systems allow law enforcement and other agencies access to call and internet records. Of course, what’s useful for your investigations is also useful to your adversaries. While the objective of the compromise is unknown, access to these wiretap systems would provide the ability to see which Chinese nationals the US was surveilling, as well as the ability to misappropriate the systems to monitor other individuals of interest. LINK
- Zack Whittaker has a good write-up on the Communications Assistance for Law Enforcement Act, or CALEA, and lawful intercept more generally. LINK
- Telco breaches involving Chinese actors have featured prominently in recent months, with a large botnet being dismantled by the FBI in September and reports of four ISPs being compromised in August to steal downstream customers’ credentials.
Marriott settles data breach case with FTC for $52 million
- Marriott will pay $52 million to settle a series of breaches between 2014 and 2020 that impacted 344 million customers worldwide. The largest breach was of the hotel chain’s Starwood Preferred Guest loyalty programme in 2018.
- The FTC settlement includes the usual provision to improve its security regime, but perhaps more interesting is the commitment to certify compliance with this for the next 20 years, including two-yearly independent assessments. LINK
- The UK Information Commissioner announced an £18.4 million penalty for Marriott four years ago, in November 2020 (vol. 3, iss. 44).
Interesting stats
150% jump in open-source repositories containing malicious packages, with more than 500,000 out of 7 million projects containing malicious code, according to Sonatype. LINK
$122,000 average claim in the first half of 2024 (up 14%), rising to $353,000 for ransomware-specific claims, according to insurer Coalition. LINK
Other newsy bits / in brief
🤓 Interesting reads:
- Filippo Menczer, for The Conversation, on how foreign influence campaigns manipulate social media feeds. LINK
- The Atlantic Council’s Stewart Scott’s thinking on how to measure the effectiveness of government cyber policy. LINK
- The FBI created its own cryptocurrency — NexFundAI — to watch and understand how suspected fraudsters operate. LINK
The two different versions of “outcome” metrics held in policymakers’ minds are based on two questions: (a) How secure is the cyber ecosystem? and (b) How much damage results from the ecosystem’s current insecurity? The first question seeks to predict how much harm could result from the current state of the ecosystem, while the second examines how much harm has been inflicted. The first is a policymaker’s outcome: How has policy shaped the cyber ecosystem? The second is a practitioner’s outcome: What has the state of the ecosystem cost us?
⚠️ Incidents:
- Russian state TV and radio broadcaster VGTRK has said an ‘unprecedented’ cyberattack disrupted its operations on Monday. Several channels were off-air for around an hour, with Russian sources pointing the finger at a Ukrainian hacktivist group. The websites of a Russian court filing system were offline for several days following an attack claimed by pro-Ukrainian attackers. The attacks coincide with Russian president Vladimir Putin’s 72nd birthday. TV, COURTS
- New Jersey-based American Water has confirmed a cyber security incident in a filing with the SEC this week. The water supply and sewerage company, which services 14 million people across the US, says it detected unauthorised activity on 3rd October and that, “at this time,” facilities are operating without disruption. LINK
- Block chain: LEGO’s website was compromised this week and used to push a fake cryptocurrency token. The company quickly reverted the changes, and overall, it seems that the scam only netted a few hundred dollars. LINK
- Physical security company ADT has suffered a second breach in as many months. Threat actors gained access via a third party, and ADT says they made off with “encrypted internal ADT data associated with employee user accounts”. That could euphemistically be their Active Directory database. LINK
- MoneyGram says that attackers stole customers’ personal information and transaction data during a cyberattack last month. LINK
- Star Health and Allied Insurance has confirmed “unauthorised and illegal access to certain data” during a recent cyberattack. Star Health is one of India’s largest health insurance firms, and a threat actor group has claimed to be in possession of data belonging to 31 million policyholders. LINK
- Attackers have compromised the user account information of up to 31 million Internet Archive users, including encrypted passwords. Unusually, the threat actors also disclosed the breach to Troy Hunt’s Have I Been Pwned breach notification service. It sounds like a disgruntled user or security researcher whose concerns were not taken seriously. LINK
- An anti-abortion group appears to have somehow compromised a women’s health clinic and used this access to engage and confuse those seeking an abortion, telling women they required, and administering, unnecessary tests to delay their treatment. LINK
- Golf tech business Trackman left 110 TB of data in an open Azure storage bucket. LINK
🕵️ Threat Intel:
- ‘Trinity’ ransomware is targeting healthcare organisations in the UK and US. LINK
- According to ESET, the cyber-espionage group GoldenJackal has developed malware primarily designed to target air-gapped systems; the researchers believe the malware’s developers are Russian speakers. LINK, MORE
- The ‘Mamba 2FA’ phishing kit is being used in attacker-in-the-middle attacks to capture Microsoft 365 login credentials and tokens to bypass multi-factor authentication. LINK
- A zero-day vulnerability in Qualcomm chipsets was being used “under limited, targeted” circumstances to compromise Android devices. LINK
- Akira and Fog ransomware actors are targeting Veeam Backup & Replication (VBR) servers, according to Code White. LINK
- INC ransomware is rebranding to ‘Lynx’, according to researchers at Palo Alto, who say the group’s malware shares a “significant overlap” in code. LINK
- US and UK authorities have issued an updated warning outlining the tactics used by Russia’s SVR intelligence agency and urging organisations to keep their software patched (especially Zimbra and TeamCity). LINK
🪲 Vulnerabilities:
- Ivanti is warning of three vulnerabilities in its Cloud Services Appliance (CSA) that are actively being exploited. SQL injection, command injection, and path traversal issues are resolved in version 5.0.2. LINK, ADVISORY
- A critical GitLab vulnerability allows unauthorised users to trigger CI/CD pipelines. CVE-2024-9164 (9.6/10) is part of a suite of security issues being addressed in both the Community Edition and Enterprise Edition of the version control software. LINK, ADVISORY
- Mozilla has patched a bug in Firefox that was being exploited in the wild. CVE-2024-9680 (9.8/10) is a use-after-free issue that can allow attackers to execute malicious code. LINK, ADVISORY
🧰 Guidance and tools:
- Some top tips from NCSC on engaging and communicating with boards on cyber risk and improving decision-making. (Note: I was interviewed by Social Machines as part of producing this guidance.) LINK
- The ICO has released a new data protection audit framework that organisations can use to assess their compliance with data protection law. LINK
🛠️ Security engineering:
- Apple has fixed an issue in its macOS 15 operating system that prevented some cyber security tools (such as those from CrowdStrike and Microsoft) from operating properly. LINK
🏭 Operational technology:
- Electric vehicle manufacturer Fisker has filed for bankruptcy, leaving customers unsure of how their vehicles will operate. Now Fisker also says its stock of Ocean SUVs “cannot, as a technical matter, be ‘ported’ from the Fisker server”. Perhaps there are some PKI issues at play here. Either way, with more and more devices becoming dependent on a cloud component, this is an interesting case study on what happens if that fails or the company goes bust. LINK
🧿 Privacy:
- The European Commission says that US authorities have put in place safeguards to limit intelligence agencies’ access to Europeans’ personal data. LINK
- The one-man-band data broker National Public Data, which was compromised earlier this year (vol. 7, iss. 33), has filed for bankruptcy, claiming to have less than $75,000 in assets, against potential liabilities to provide credit monitoring to over 1 million people. LINK
📜 Policy & Regulation:
- The US is wavering on a United Nations treaty on cybercrime. Human rights activists have concerns that it will facilitate surveillance in authoritarian regimes, while tech companies share some concerns over having to store data for longer and turn it over to law enforcement more freely. Provisions are made for the extradition of cybercriminals without requiring country-by-country treaties. There may be a danger of letting perfection be the enemy of success here. LINK
- Australia is set to introduce legislation that would require organisations to notify the government if they make ransomware payments. The provision is part of the Cyber Security Bill 2024, and failure to notify within the 73-hour window will result in 60 civil penalty points (around A$18K / $12K / £9K). LINK
👮 Law Enforcement:
- Ukrainian national Mark Sokolovsky, 28, pleaded guilty to running the Raccoon Infostealer malware and has agreed to pay over $910,000 in restitution. LINK
- Two former RAC employees have been given suspended prison sentences and ordered to complete unpaid work for copying and selling over 29,500 personal information records. LINK
💰 Investments, mergers and acquisitions:
- Cloudflare has acquired Kivera to expand its SASE portfolio. LINK
🗞️ Industry news:
- Kaspersky is closing its UK office and laying off its “less than 50” UK staff as it ‘reorients’ to a channel model. LINK
- The UK Department for Science, Innovation and Technology has kicked off a search for 18-25-year-olds to represent the UK Cyber Team in global competitions. LINK
- Vodafone and CybSafe are partnering on a new SME human risk offering. LINK
And finally
The parents of a 19-year-old Connecticut honors student accused of taking part in a $243 million cryptocurrency heist in August were carjacked a week later — while out house-hunting in a brand new Lamborghini. Prosecutors say the couple was beaten and briefly kidnapped by six young men who traveled from Florida as part of a botched plan to hold the parents for ransom.
- Brian Krebs has the write-up on this incident, which revolves around members of ‘The Com’, a loosely affiliated group of online criminal communities. Acts are becoming increasingly violent as members try to one-up each other. And, of course, there’s no honour amongst thieves. LINK