Robin’s Newsletter #331

20 October 2024. Volume 7, Issue 42
Chinese accusations of Intel backdoors. Microsoft loses customer security logs. Hong Kong arrests in multi-milloin deepfake video scams.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Thanks for your feedback on the Need to Know Matrix last week. Hopefully, this size is more legible on smaller screens. (The more feedback, the merrier: let me know what you think!) 

Need to Know, 20th Oct 2024

  • Anonymous Sudan arrests… in Sudan (Law Enforcement)
  • Microsoft loses two weeks of security logs (This Week)
  • Iran brute-forcing creds and selling them to criminals (Threat Intel)
  • $46 million deepfake video romance scam (This Week)
  • IBM says the cost of data breaches is up (Interesting Stats)
  • Russian intelligence using cyber crime groups (Interesting Reads)
  • Chinese accusations of Intel backdoors (This Week)

Chinese group accuses Intel of security flaws

  • A Chinese industry group is accusing Intel of introducing security flaws and backdoors into its chips in partnership with the US National Security Agency.
  • The “major defects in product quality and security management show its extremely irresponsible attitude towards customers,” the group said on WeChat (naturally). The Cybersecurity Association of China (CSAS) called on the Chinese government’s Cyberspace Administration to open an investigation into the American chip manufacturer. 
  • This is likely a bit of tit-for-tat PR diplomacy, given the recent accusations that Chinese actors had infiltrated lawful intercept systems of three US telcos. However, it could also relate to some domestic Chinese politics.
  • The Register notes that the US has introduced sanctions preventing the export of AI chips to China over national security concerns, while Intel inked several deals with Chinese agencies for Xeon processors this year. Around a quarter of Intel’s revenues come from China.
  • Intel issued a rebuke ‘noting’ the media reports, and saying it “strictly abides by the laws and regulations applicable to its business locations,” continuing that it is “actively working with customers and the industry to ensure product safety and quality.” It is not the strongest denial, but it is presumably contingent that an NSA backdoor would be illegal in China. LINK, RESPONSE

Microsoft loses two weeks of customer security logs

  • Microsoft has admitted that some customer security logs are missing from the 2nd through the 19th of September. The company says it was caused by an “operational bug within our internal monitoring agent.”
  • Affected customers “may have experienced potential gaps in security related logs or events” in Microsoft Entra, Sentinel, Defender for Cloud, and Purview. This would leave those organisations potentially blind to suspicious activity and unable to detect threats during that period.
  • It’s important to have ‘heartbeat’ checks that confirm log collection is working correctly for your security operations and that the data you’re expecting it being received. It’s a bit embarrassing for Microsoft that this went on for over two weeks before being detected.
  • The notification appears to have gone to Microsoft tenant admins, so if you’re in your company’s security team and not in that group, it’s worth checking with someone that is to understand if you’re affected. LINK

27 Arrested in deepfake video romance scams

  • Realtime deepfake videos were used in romance scams that defrauded victims of $46 million, according to the South China Morning Post.
  • Twenty-seven people were arrested by authorities in Hong Kong in connection with the scams. Five are believed to have organised crime connections.
  • The use of video calls to build rapport and relationships with the victims sets them apart from typical romance scams. These often rely on fake social media profiles of attractive women approaching men with conversations that quickly turn to unbelievable investment opportunities. LINK

Interesting stats

$4.88 million the global average cost of a data breach, according to IBM, representing  10% increase over the last year, with over half of those breached choosing to invest in IR planning and testing and threat detection and response technologies following a breach. 3% recover in less than 50 days, however  35% take more than 150 days to recover. LINK, PDF

70% of actively exploited vulnerabilities in 2023 were zero-days, meaning exploitation began before the vendor could produce a software patch. 5 days was the average time-to-exploit in 2023, a massive drop from  32 days in 2021 and 2022. LINK

£571 million stolen by criminals in authorised push payment (APP) fraud during the first half of 2024, according to industry body UK Finance. LINK

Other newsy bits / in brief

🤓 Interesting reads:

  • 84% of CISOs interviewed for a report by Trellix and Vinson Bourne think that the CISO role should be split into technical and business-focused roles. Is it that many have come from a technical background and struggle with ‘business’ communication, or perhaps don’t want to be managers? I’m unsure, but I suspect this is the growing pains of security being taken more seriously as a business risk. Given the anecdotal obsession with ‘technical skills’ for security leadership on social media, I can’t say I’m surprised. LINK
  • Tom Uren’s Seriously Risky Business piece (now on Lawfare) discusses the evidence behind Russia’s GRU intelligence agency’s use of cybercriminals to help achieve its objectives in the Ukraine conflict. LINK
  • Not cyber, but this piece looks at the contradictory ads run by the Elon Musk-funded ‘super PAC’ Future Coalition that simultaneously paint Kamala Harris as both pro-Palestine and pro-Israel, depending on your demographics. LINK

⚠️ Incidents:

  • Cisco is investigating a breach after a cybercriminal started selling alleged source code, credentials, API tokens, certificates, confidential documents and more belonging to the networking giant on the dark web. LINK
  • GPS jamming in northeastern Norway has become so frequent that its aviation regulator no longer wants to know about it. Disruption to GPS signals across Eastern Europe has become common since Russia’s invasion of Ukraine. LINK
  • Japan’s ruling Liberal Democratic Party (LDP) and other Japanese institutions reported DDOS attacks this week, coinciding with the launch of the country’s general election campaign period, and that have been claimed by pro-Russia groups. LINK
  • The Internet Archive has restored access to its Wayback Machine as it recovers from a breach last week. LINK
  • A year on from a crippling ransomware attack, the British Library has restored access to its physical collection, digitised manuscripts, and other core services. LINK (I have a non-exec role on one of the Library’s committees)

🏴‍☠️ Ransomware:

  • The ‘8Base’ ransomware group claims to have breached car giant Volkswagen and threatened to release files it swiped during the attack. Speaking to a French IT publication, a VW spokesperson was ‘unsurprised’ saying the group “has been aware of this for some time,” and that “[the] IT infrastructure of the Volkswagen group is not affected.” 8Base had set a deadline of 26th September and is yet to post any files, so it may be a hoax or a failed attempt. LINK
  • The BianLian ransomware group has claimed responsibility for an attack on Boston Children’s Health Physicians (BCHP). BHCP operates a network of 60 locations across New York and Connecticut affiliated with Boston Children’s Hospital. Assholes. LINK
  • Globe Life, a US insurance giant, has confirmed an extortion attempt with attackers claiming to have stolen the names, addresses, Social Security, and health information of 5,000 people from a subsidiary. LINK
  • Watchmaker Casio says there is “no prospect of recovery yet” following a ransomware attack on 5th October that “rendered several [servers] unusable.” LINK

🕵️ Threat Intel:

  • Western cyber agencies are warning of Iranian groups conducting brute force and other aggressive techniques to crack passwords and gain access to health care, government, IT, energy, and engineering targets. Rather than keeping those credentials for their use, it appears the Iranians are selling the information on cybercrime forums (presumably to achieve disruption in Western targets) while maintaining distance and plausible deniability. LINK
  • Attackers behind the ‘ClickFix’ campaign have been spoofing Google Meet pages to trick victims into downloading infostealer malware. LINK
  • Red-team tool EDRSilencer, used by penetration testers to prevent security tools from sounding alarms, is being used by cybercriminals to avoid detection, too, says Trend Micro. Quelle surprise. LINK
  • Unknown attackers are impersonating cyber firm ESET in attempts to deploy wiper malware against Israeli targets. LINK
  • North Korean threat actors developed a Linux version of the FASTCash malware, which is used to tamper with ATM and other transaction messages on interbank networks and make unauthorised withdrawals. LINK
  • Sticking with North Korea, the country has been using ‘laptop farms’ in US locations to apply for remote IT jobs and earn a wage. Since that was exposed, those same IT workers have been looking for proprietary data and seeking to extort their employers, according to SecureWorks. LINK 

🪲 Vulnerabilities:

  • Kubernetes Image Builder contains a critical vulnerability that may allow unauthorised SSH access. CVE-2024-9486 (9.8/10) relates to default SSH credentials being left behind during the build process. Anyone with knowledge of those credentials may be able to log in to servers created with the image builder project (version 0.1.37 and earlier). LINK, ADVISORY 
  • GitHub has patched a critical vulnerability in the Enterprise Server edition of its software. CVE-2024-9487 (9.5/10) is an authentication bypass issue, allowing attackers to gain unauthorised access to exposed on-premise deployments. LINK, ADVISORY

🧑‍💻 End user and consumer:

  • The FIDO Alliance has published a spec for them to be securely transferred between platforms and service providers. This will be useful for allowing consumers (and business users) to migrate between devices and, for example, between Chrome and Safari, but the interoperability will surely become a target for cybercriminals, too. LINK
  • Researchers at the University of Toronto’s Citizen Lab say the custom version of TLS used by WeChat contains flaws that are not present in the original network protocol. Whilst that may open the door to attacker-in-the-middle (AITM) attacks, there’s already heavy monitoring and moderation of content on the platform. LINK

🧰 Guidance and tools:

  • NCSC is encouraging UK schools to sign up for its Protective DNS service. LINK
  • More from NCSC, guidance on communication during a cyber incident. Start way beforehand and plan out what you may want to say. LINK

🧿 Privacy:

  • A European Commission-funded ‘gait recognition’ study kicked off this week. The three-year pilot, which received a €3.2 million grant, will attempt to see how easy it is to identify people based on their walking style. LINK

👮 Law Enforcement:

  • Two Sudanese nationals were named in unsealed charges this week, accused of being part of the Anonymous Sudan group. The prior operations, conducted by the FBI with commercial and international partners, seized infrastructure used by the group to conduct large distributed denial of service (DDOS) attacks. Anonymous Sudan first surfaced on a Russian-speaking Telegram group and is suspected to have ties to Russian groups. LINK
  • Brazilian federal police have arrested an individual they say is behind the ‘USDoD’ moniker, who has claimed responsibility for breaking into the FBI’s InfraGard system, Airbus, and most recently, data broker National Public Data. LINK

💰 Investments, mergers and acquisitions:

  • European cyber insurance startup Stoïk has closed a €25 million ($27M) Series B funding round led by Alvin, with insurers like Tokio Marine HCC International and Munich Re Ventures participating. Stoïk says it will have 5,000 policyholders by the end of 2024, representing around €25 million in premiums. LINK
  • Israeli unicorn startup Cyera is acquiring Trail for $162 million. Cyera is building an AI ‘data security posture management’ platform, while Trail Security is building a data loss prevention solution. LINK

🗞️ Industry news:

  • Insurer Coalition has launched a ‘fund recovery service’ that deploys lawyers knowledgeable in the banking system to prevent stolen funds before they can be moved offshore. LINK

And finally

What’s with that right-hand axis, Microsoft? How are we meant to read it? (Source: Microsoft)

  • Microsoft wins the prize for poor stats: Redmond says there has been a “3x,” “threefold decrease in ransom attacks reaching encryption stage” in the last two years. It’s unclear if they mean it was 10% and has since dropped 30%, or it’s a drop to 25% of the previous level, or… well… what. The same page on ransomware also features a pretty poor bar chart, with the ‘percentage of organisations ransomed’ being largely illegible. However, there is some useful information in the rest of the Microsoft Digital Defense Report 20204. LINK, PDF
Robin

  Robin's Newsletter - Volume 7

  China Intel Microsoft Security logs Hong Kong Romance Scam Deepfake Scam Data breach IBM Zero-day vulnerability Authorised Push Payment (APP) Fraud CISO Responsibilities Russia Iran Cybercrime North Korea Banking Kubernetes WeChat Gait recognition Biometrics Anonymous Sudan National Public Data