This week
Thanks for your feedback on the Need to Know Matrix last week. Hopefully, this size is more legible on smaller screens. (The more feedback, the merrier: let me know what you think!)
- JP Morgan ATMs allowed fraudulent withdrawals (And Finally)
- 25% of new Google code written by GenAI (Interesting Stats)
- Strava leaking the location of world leaders (This Week)
- ICO ‘expects more’ from firms following data breaches (Privacy)
- Delta suing CrowdStrike (This Week)
Delta files suit against CrowdStrike
- Delta has filed a lawsuit against CrowdStrike for $500 million in lost revenue caused by its having to cancel 7,000 flights in the wake of the botched content update. The airline hired David Boies, special counsel for the DOJ’s antitrust case against Microsoft, earlier in the year, prompting speculation that it would be bringing legal action.
- CrowdStrike is counter-suing and accusing Delta of not following good practices, including those set by the Transportation Security Administration, which led to the airline’s slow recovery compared to its rivals.
- In the UK, the Financial Conduct Authority (FCA) has encouraged firms to better prepare for similar incidents.
- DELTA, CROWDSTRIKE, FCA
Fitness workouts reveal the location of the French president
- A dozen members of France’s Security Group for the Presidency of the Republic (GSPR) — the equivalent of the US Secret Service — have been leaking their physical locations through workouts recorded on the Strava fitness app.
- As they travel with President Macron, it essentially reveals the French president’s location. French newspaper Le Monde first reported the story, promising further details on other world leaders, including US President Biden and Russian President Putin.
- Strava’s Global Heatmap function was used in a similar manner back in 2018 to reveal the location of secret military bases, where squaddies tracking their runs clearly outlined airstrips and other installations. LINK
Interesting stats
80%+ of transcripts created with OpenAI’s Whisper tool contain false text, according to a researcher at the University of Michigan, in a warning that the tool is also being used in “high-risk” settings, such as by 30,000+ clinicians to document patient interactions. LINK
25% of new Google code is generated by AI, says CEO Sundar Pichai. LINK
$30 for consumers who want to continue receiving Windows 10 security updates for another year after October 2025. Microsoft would much prefer you upgrade to its current Windows 11 operating system. LINK
Other newsy bit / in brief
🤓 Interesting reads:
- Sophos’ five-year cat-and-mouse game with Chinese threat actors, dubbed Pacific Rim, contains a lot of novel exploits and bespoke malware in the pursuit of surveillance, sabotage, and cyber-espionage. LINK, SOPHOS
- Suzanne Smalley has an interview for Recorded Future News with the Federal Communication Commission (FCC)’s Loyaan Egal, head of their enforcement bureau and data protection task force. LINK
- John Thornhill, writing for the FT, compares the cybersecurity industry to lightbulbs, concluding that “this may be the ultimate industry for providing very lucrative but ineffective solutions”. LINK
⚠️ Incidents:
- Four people in Italy have been arrested over an alleged conspiracy between security services and a private intelligence company to build illegal dossiers on high-profile individuals. LINK
- Peru’s Interbank has confirmed a data breach that may affect up to 3 million customers. The financial institution has taken some systems offline after posts on the dark web emerged from someone trying to sell financial and personal information purloined from the bank. The data allegedly includes card numbers and CVVs, online banking logins, and other credentials for internal systems. Interbank is Peru’s fourth largest bank. LINK
- Cyberwar: Ukrainian Cyber Alliance claims to have taken down “dozens” of IT assets in the Russian city of Tver. Residents have been able to park for free. Meanwhile, a group calling itself NoName057(16) — featuring a Russian flag on its profile — has claimed responsibility for distributed denial of service attacks on UK councils this week. LINK
- A disgruntled Disney employee compromised menu management software used by Walt Disney World to alter allergy information, add profanity to menus, and switch fonts to Wingdings. LINK
- MoneyGram has replaced its CEO. The money transfer business suffered a data breach less than a month ago. With immediate effect, Anthony Soohoo replaced Alex Holmes, who joined in 2019. A spokesperson says the switch was the result of a “several-months long process” and “not related to the recent cyber issue.” Holmes will remain as an advisor to MoneyGram’s board of directors. LINK
🏴☠️ Ransomware:
- Over 22,000 CyberPanel instances were encrypted by PSAUX ransomware this week. The web hosting control panel software had defective authentication and security filters, leaving it vulnerable to command injection. As a result, unauthenticated attackers were able to gain remote root access to machines running the control panel software. Fortunately, there appears to be a weakness in the ransomware itself, and a decryptor has been released to help victims recover their files. LINK, DECRYPTOR
- AEP, a German pharmaceutical wholesaler, has taken “far-reaching protective measures” after discovering IT systems were partially encrypted. Supplies of some medicines to over 6,000 pharmacies may be disrupted. LINK
- The Housing Authority of the City of Los Angeles (HACLA) has confirmed a ransomware attack by the Cactus ransomware gang. HACLA is one of the largest public housing authorities in the US. LINK
- Palo Alto Networks says evidence has been seen that North Korean threat actors have been involved in Play ransomware attacks. LINK
🕵️ Threat Intel:
- Microsoft says that Russia’s foreign intelligence agency (SVR) is sending targets RDP configuration files as attachments to gather information. The new technique and specially crafted RDP files cause the victim’s computer to connect to infrastructure operated by the spooks and map their local storage drives, allowing the SVR access to their contents. LINK
- Fog and Akira ransomware groups are targeting SonicWall VPN servers vulnerable to CVE-2024-40766, says Arctic Wolf, who report seeing 30 such intrusions since the vulnerability was published in late August. LINK
- Security researcher Alexander Hagenah has released a tool to defeat Google Chrome’s ‘App-Bound cookie encryption’ protections. Some info stealer malware had already built similar capabilities, but the existence of Hagenah’s publicly available tool — Chrome-App-Bound-Encryption-Decryption — raises broader concerns, though the tool requires administrator permissions to operate successfully. LINK
- Chinese attackers are using the Quad7 botnet to steal credentials. Small office/home office routers from TP-Link, Asus, Zyxel and others are targeted. Compromised devices end up running telnet remote access servers on high ports. LINK
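The SVR item above turns on what an .rdp file is allowed to do: it is a plain-text list of `name:type:value` settings, and a handful of them (drive, clipboard, printer and smart card redirection) hand local resources to whichever host the file points at. The script below is an added example, not code from the newsletter or from Microsoft's write-up: it parses that format and returns a block/allow verdict a mail gateway or EDR rule could act on. The setting names are the standard mstsc keys; which ones count as risky, the allow-list of trusted hosts, the sample file and its hostname are all this example's own assumptions.

```python
"""Added example (not from the newsletter or Microsoft's write-up): flag .rdp
files that would redirect local resources to a remote host.

An .rdp file is plain text, one `name:type:value` setting per line, where type
is s (string), i (integer) or b (binary). The setting names below are the
standard mstsc keys; treating them as "risky" is this script's own choice.
The sample file and its hostname are constructed for illustration."""
from __future__ import annotations

# Settings that hand a local resource to the remote endpoint, with a predicate
# on the value that says whether the redirection is actually switched on.
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v.strip() != "",   # "*" = every local drive
    "redirectclipboard": lambda v: v.strip() == "1",
    "redirectprinters": lambda v: v.strip() == "1",
    "redirectsmartcards": lambda v: v.strip() == "1",
    "redirectcomports": lambda v: v.strip() == "1",
}


def parse_rdp(text: str) -> dict[str, str]:
    """Return {setting name: value}; malformed lines are skipped, not fatal."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue
        settings[parts[0].strip().lower()] = parts[2]
    return settings


def assess_rdp(text: str, trusted_hosts: frozenset[str] = frozenset()) -> dict:
    """Classify an .rdp file for a mail gateway or EDR rule.

    verdict is "block" when any local resource is redirected to a host that is
    not on the allow-list, and "allow" otherwise.
    """
    settings = parse_rdp(text)
    # "full address" may carry a port (host:3389 or [v6addr]:3389); keep the host.
    addr = settings.get("full address", "").strip().lower()
    if addr.startswith("[") and "]" in addr:
        host = addr[1:addr.index("]")]
    else:
        host = addr.split(":")[0]
    redirected = [name for name, is_on in RISKY_SETTINGS.items()
                  if name in settings and is_on(settings[name])]
    verdict = "block" if redirected and host not in trusted_hosts else "allow"
    return {"host": host, "redirected": redirected, "verdict": verdict}


# Constructed sample shaped like a lure: connect out and map every local drive.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:rdp.untrusted.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
authentication level:i:0
"""

if __name__ == "__main__":
    print(assess_rdp(SAMPLE_RDP))
    print(assess_rdp(SAMPLE_RDP, frozenset({"rdp.untrusted.invalid"})))
```

The allow-list matters: legitimate VDI or jump-host .rdp files often redirect the clipboard, so a rule that blocks on redirection alone will generate noise; blocking on redirection to an unknown host is the signal the Microsoft item describes.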
🪲 Vulnerabilities:
- A critical vulnerability in the Spring framework, popular with Java developers, has been disclosed. CVE-2024-38821 (9.1/10) is an authorisation bypass issue. To be exploited, three conditions must all be met: the application must be a WebFlux application, it must use Spring’s static resources support, and it must have a non-permitAll authorisation rule for those static resources. LINK, ADVISORY
- Cisco says a vulnerability in its Adaptive Security Appliance and Firepower Threat Defense products is being actively exploited. CVE-2024-20481 only scores 5.8/10 severity but can be used by unauthenticated attackers to cause a denial of service. LINK, ADVISORY
- CISA has added a recently patched vulnerability in Microsoft Sharepoint to its Known Exploited Vulnerabilities (KEV) list. CVE-2024-38094 (7.2/10) allows attackers to gain remote code execution on affected installations. The issue was patched in July. LINK, ADVISORY
🧑💻 End user and consumer:
- The FakeCall malware on Android handsets redirects calls made to legitimate bank phone numbers to numbers controlled by scammers. LINK
- LastPass is warning users about a campaign where scammers promote fake customer support phone numbers in reviews of its products, particularly its Chrome extension. LINK
🛠️ Security engineering:
- Over 15,000 cloud credentials were found in Git configuration files hosted on open AWS S3 buckets by researchers at Sysdig. LINK
- Microsoft is removing the option to skip multi-factor authentication enrolment on Entra tenants where security defaults are enabled. LINK
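The Sysdig finding above is mostly a matter of `.git/config` files carrying tokens inside remote URLs or HTTP headers. The script below is an added example, not Sysdig's tooling or anything from the newsletter: it parses git's INI-like config format and reports credentials embedded in `url` values (`https://user:token@host/...`) or in an `http.extraheader` basic-auth header, redacting the secret so the finding can be logged safely. The sample config, the `example-org` repository, the `ghp_EXAMPLE...` token and the basic-auth value are all constructed.

```python
"""Added example (not Sysdig's tooling or the newsletter's): scan a .git/config
for credentials embedded in remote URLs or HTTP extra headers.

Git's config is INI-like: `[section "subsection"]` headers and tab-indented
`key = value` lines. The sample config below is constructed; the token and the
basic-auth header are fake values shaped like real ones."""
from __future__ import annotations

import base64
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")
KV_RE = re.compile(r"^([A-Za-z][\w-]*)\s*=\s*(.*)$")
# user:secret@host inside a URL, e.g. https://bot:token@github.com/org/repo
URL_CRED_RE = re.compile(
    r"^(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<user>[^:@/]+):(?P<secret>[^@/]+)@(?P<host>[^/]+)",
    re.IGNORECASE,
)


def redact(secret: str) -> str:
    """Keep a short prefix so the finding is recognisable; drop the rest."""
    return secret[:4] + "..." + f"({len(secret)} chars)"


def parse_git_config(text: str) -> list[tuple[str, str, str]]:
    """Return (section, key, value) triples; comments and blank lines skipped."""
    entries: list[tuple[str, str, str]] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1).strip()
            continue
        if m := KV_RE.match(line):
            entries.append((section, m.group(1).lower(), m.group(2).strip()))
    return entries


def find_embedded_credentials(text: str) -> list[dict]:
    """Report every config value that carries a credential, secrets redacted."""
    findings: list[dict] = []
    for section, key, value in parse_git_config(text):
        if m := URL_CRED_RE.match(value):
            findings.append({"section": section, "key": key, "kind": "url-credential",
                             "host": m["host"], "user": m["user"],
                             "secret": redact(m["secret"])})
        elif key == "extraheader" and value.lower().startswith("authorization:"):
            # `http.extraheader = AUTHORIZATION: basic <base64 user:pass>` is a
            # common way a CI pipeline leaves a token behind in the config.
            user = None
            parts = value.split()
            if len(parts) >= 3 and parts[1].lower() == "basic":
                try:
                    decoded = base64.b64decode(parts[2], validate=True).decode()
                    user = decoded.split(":", 1)[0]
                except (ValueError, UnicodeDecodeError):
                    pass  # not valid basic auth; still report the header
            findings.append({"section": section, "key": key, "kind": "auth-header",
                             "host": section, "user": user, "secret": redact(value)})
    return findings


# Constructed sample: one leaky HTTPS remote, one clean SSH remote, one header.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://deploybot:ghp_EXAMPLE0000000000000000000000000000@github.com/example-org/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@github.com:example-org/app.git
[http "https://git.example.internal"]
\textraheader = AUTHORIZATION: basic ZGVwbG95Ym90OnNlY3JldA==
"""

if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE_GIT_CONFIG):
        print(finding)
```

A hit means the token needs rotating, not just deleting from the file: a `.git/config` that has sat in a public bucket has already been read. Moving the credential into a helper (`git config credential.helper`) keeps it out of the config for next time.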
🏭 Operational technology:
- Telematics provider Microlise has confirmed a cyberattack. The company’s fleet tracking systems, used by companies such as DHL and over 400 others, have been disrupted, causing knock-on disruption to supply chains to supermarkets and convenience stores. LINK
🧿 Privacy:
“To many organisations, a data breach might seem like a temporary setback - something that can be patched up with technical fixes and compliance reviews. But from the perspective of individuals - especially those in vulnerable situations - a breach can have a far-reaching ripple effect that disrupts their lives in ways that some may not fully appreciate.” — John Edwards, UK Information Commissioner.
- The ICO ‘expects more’ from organisations when responding to data breaches, and they are publishing guidance on communicating with empathy to those whose sensitive information may have been compromised. “Data protection has never been about computers or robots – it’s about people.” LINK
- Meta has acknowledged an investigation by the US Consumer Financial Protection Bureau (CFPB) in a filing with the Securities and Exchange Commission (SEC), citing “our alleged receipt and use for advertising of financial information from third parties through certain advertising tools.” LINK
👮 Law Enforcement:
- Dutch police have seized infrastructure used by cybercriminals to run the Redline and Meta infostealer operations. US prosecutors have charged Maxim Rudometov with developing the malware after a series of operational security (opsec) failures that allowed them to identify the Russian national. LINK, ID
💰 Investments, mergers and acquisitions:
- OpenCTI vendor Filigran has announced a $35 million Series B funding round. In addition to the open-source threat intel platform, the French company offers enterprise versions of that platform. LINK
- Italian training startup Cyber Guru has announced a $25 million Series B funding round. LINK
🗞️ Industry news:
- UnitedHealth Group has named Tim McKnight as CISO. McKnight succeeds Steven Martin, who was appointed CISO in May 2023 after previously serving as CTO at the subsidiary Change Healthcare. Martin will move into a new position as chief recovery officer. LINK
And finally
- JP Morgan is suing fraudsters who stole thousands from ATMs after an “infinite money glitch” went viral on social media. The business-logic flaw allowed fake cheques to be deposited and the funds withdrawn as cash before the cheques bounced. In one case, the bank says a $335,000 cheque was deposited by a masked man who subsequently withdrew over $290,939. LINK