I’m going to run a few cyber risk quantification and user research sessions for small groups (10-20 people) between now and Christmas.
There will be pizza, beer, good chat + networking and, of course, some geeking out on CRQ and cyber risk management. All experience levels welcome. 🍕💬📉
📍 I’m trying to work out which locations would work best for folks, in case you’ve missed my posts on LinkedIn. If you’re interested in attending, click the link below for the area you’d travel to, and then vote for the best option.
Polls close Monday morning at ~10:00, so get a wriggle on if you’re interested! (Or leave a note in the comments after): LinkedIn.
This week
Thanks for your feedback on the Need to Know Matrix. I’m making some further adjustments to font size this week. Let me know what you think!
- Schneider Electric attacker wants payment in baguettes (And Finally)
- Auth bypass for long Okta usernames without MFA (Threat Intel)
- FreeBSD ransomware malware (Threat Intel)
- Copyright infringement notices used to drop infostealer malware (Threat Intel)
- Halliburton reports $35M charges for August cyberattack (Incidents)
- TSA rules for railway, pipeline companies (Policy & Regulation)
Interesting stats
One in three small and medium businesses (SMBs) has suffered a cyberattack in the last 12 months, with $254,445 (£196,977) the average total cost of an attack, according to a survey of 2,000 businesses with 25-299 employees conducted for Microsoft. LINK, REPORT (PDF)
Other newsy bits / in brief
🤓 Interesting reads:
- Former NATO secretary-general Anders Fogh Rasmussen has an opinion piece in the Financial Times on Russian sabotage and the need for European investment in the protection of critical infrastructure. “Thanks to a combination of ingenuity and upgrades to its networks, Ukraine is managing to survive [the onslaught of cyber, missile and drone attacks]. But if such an assault targeted European infrastructure, it is not clear that we would cope nearly as well.” LINK
- Tom Uren’s writeup on Sophos’s “five-year-long cyber knife fight” with Chinese APTs, including discussion on how the firm targeted specific devices in its so-called ‘hack back’ attempt against the Chinese group and acknowledgement that NCSC and the NSA were “incredibly supportive”. LINK
- Cloud market and AI oversight, cyber policy, and the CHIPS act: four tech areas to watch in Trump’s second term, writes Roberto Torres for CIO Dive. LINK
- The Association of British Insurers (ABI) and Lloyd’s of London have published guidance on defining a major cyber event. LINK, REPORT (PDF)
⚠️ Incidents:
- Cybercriminals are selling what they say is the source code, SSH keys, RSA keys, and other sensitive materials belonging to Finnish telecom equipment manufacturer Nokia. LINK
- According to Bloomberg, the Chinese Volt Typhoon threat actor allegedly compromised Singapore’s SingTel in June this year as a precursor to attacks against US telcos. LINK
- Halliburton has reported $35 million in direct charges relating to an August cyber attack. That’s around 5% of the oil services company’s $641 million quarterly net income. LINK
🏴☠️ Ransomware:
- The City of Columbus, Ohio, says that the Rhysida ransomware group made off with the personal data of 500,000 residents this summer. LINK
🕵️ Threat Intel:
- Check Point says copyright infringement notices are being used to drop the Rhadamanthys infostealer. The malware arrives in a password-protected ZIP, which prevents email protection systems from scanning it. Legal counsel, presumably where these notices typically end up, are often privy to sensitive information, and their authority can be abused for further access, making them an attractive target. LINK
- Scammers are targeting UK pensioners with fraudulent Winter Fuel Payment text messages. LINK
- For a small number of you — you know who you are — there’s a ransomware group called Interlock that’s developed malware and is targeting FreeBSD servers. LINK
- Okta users with long domain names or usernames (and no MFA, tut tut!) should check their logs. A bug introduced on 23 July 2024 in Okta’s AD/LDAP delegated authentication meant that, under certain conditions, an attacker could authenticate to an account with a username of 52 characters or more by supplying the username alone. The bypass needed a cached key from a previous successful login (the cache is only consulted when Okta cannot reach the AD/LDAP agent) and only applied where MFA was not enforced; Okta fixed it on 30 October 2024. LINK
- Criminals are abusing DocuSign’s ‘Envelopes’ API to send fraudulent invoices that, by virtue of coming from a legitimate DocuSign domain, often are not flagged by email protection tools. LINK
- An attacker is uploading hundreds of malicious packages to the node package manager (NPM) in an attempt to install malware on software developers’ devices. LINK
- Fortinet says that attackers increasingly use the Winos4.0 post-exploitation toolkit instead of Cobalt Strike or Sliver. LINK
- According to SentinelOne, the North Korean BlueNoroff group is targeting cryptocurrency businesses with new macOS malware. LINK
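The Rhadamanthys item above turns on one detail: a password-protected ZIP defeats scanning. An added example (not Check Point’s or any vendor’s code) showing how a gateway can still spot that case without the password, by reading the encryption bit in each ZIP local file header. The archive bytes are constructed inline for the demo and stand in for a real attachment:

```python
"""Flag password-protected ZIP attachments from their local file headers.

Added example, not code from the original page. An encrypted entry has bit 0
of the general-purpose flag set in its local file header; a scanner that
cannot look inside can at least quarantine such archives instead of letting
them through unscanned. The sample archive below is constructed here.
"""
import struct
import zlib

LOCAL_SIG = b"PK\x03\x04"
# signature, version, flags, method, mod time, mod date, crc32, csize, usize, name len, extra len
LOCAL_FMT = "<4sHHHHHIIIHH"
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30 bytes
FLAG_ENCRYPTED = 0x0001
FLAG_DATA_DESCRIPTOR = 0x0008


def build_entry(name: bytes, data: bytes, encrypted: bool) -> bytes:
    """Build one stored (uncompressed) local entry. For the demo the 'encrypted'
    entry only has the flag set; the payload bytes are not really enciphered."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    header = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, flags, 0, 0, 0x21,
                         zlib.crc32(data), len(data), len(data), len(name), 0)
    return header + name + data


def encrypted_entries(blob: bytes) -> list:
    """Return the names of entries whose encryption flag is set.

    Walks the local headers using each entry's recorded compressed size, so a
    'PK\\x03\\x04' inside file data is never mistaken for a header.
    """
    names = []
    pos = 0
    while blob.startswith(LOCAL_SIG, pos):
        (_, _, flags, _, _, _, _, csize, _, nlen, xlen) = struct.unpack_from(LOCAL_FMT, blob, pos)
        name = blob[pos + LOCAL_LEN: pos + LOCAL_LEN + nlen].decode("utf-8", "replace")
        if flags & FLAG_ENCRYPTED:
            names.append(name)
        if flags & FLAG_DATA_DESCRIPTOR:
            # Sizes follow the data in this case; a full scanner would read the
            # central directory instead of walking local headers.
            break
        pos += LOCAL_LEN + nlen + xlen + csize
    return names


def attachment_verdict(blob: bytes) -> str:
    """'quarantine' if any entry cannot be inspected, otherwise hand it to the scanner."""
    return "quarantine" if encrypted_entries(blob) else "scan"


# Constructed sample archive: a harmless note plus a "protected" executable.
SAMPLE_ZIP = (
    build_entry(b"README.txt", b"Please review the attached copyright notice.\n", encrypted=False)
    + build_entry(b"Copyright_Infringement_Notice.pdf.exe", b"\x00" * 64, encrypted=True)
)

if __name__ == "__main__":
    print(encrypted_entries(SAMPLE_ZIP), attachment_verdict(SAMPLE_ZIP))
```

For a complete archive on disk the same bit is exposed by Python’s standard library as `zipfile.ZipInfo.flag_bits & 0x1` on each entry of `ZipFile(...).infolist()`, which avoids hand-parsing headers; the version above is deliberately dependency-free so the flag’s position is visible.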
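On the Okta item above, an added example (not Okta’s code) of why the threshold was 52 characters, with a small System Log triage helper. It rests on two stated facts from Okta’s advisory, that the cache key was a Bcrypt hash over userId + username + password, and that Bcrypt only uses the first 72 bytes of its input, plus one inference: Okta user IDs are 20 characters, so 20 + 52 = 72 and the password never reaches the hash. SHA-256 over the truncated input stands in for Bcrypt so the arithmetic is visible without a dependency; it is not Bcrypt. The log events are constructed, and the event type to match is a parameter because which event the cached authentication path emits is an assumption here:

```python
"""Model of the Okta AD/LDAP delegated-auth cache-key truncation and a log triage helper.

Added example, not Okta's code. Bcrypt consumes at most 72 bytes of input;
with a 20-character user id, a 52-character username fills all 72 bytes and
any password produces the same key. SHA-256 stands in for Bcrypt below.
"""
import hashlib
from datetime import datetime, timezone

BCRYPT_INPUT_LIMIT = 72        # bytes of input bcrypt actually uses
OKTA_USER_ID_LEN = 20          # e.g. "00u1abcd2efgh3ijkl4m" (shape only; inference, see lead-in)
ADVISORY_MIN_USERNAME = 52     # the advisory's threshold


def cache_key(user_id: str, username: str, password: str) -> str:
    """Model of the vulnerable key: concatenate, truncate like bcrypt, hash."""
    material = (user_id + username + password).encode("utf-8")[:BCRYPT_INPUT_LIMIT]
    return hashlib.sha256(material).hexdigest()


def password_bytes_used(user_id: str, username: str) -> int:
    """How many bytes of the password still influence the key; 0 means any password matches."""
    prefix = len((user_id + username).encode("utf-8"))
    return max(0, BCRYPT_INPUT_LIMIT - prefix)


def username_exposed(username: str, user_id_len: int = OKTA_USER_ID_LEN) -> bool:
    """True when user id + username alone fill the hash input."""
    return user_id_len + len(username.encode("utf-8")) >= BCRYPT_INPUT_LIMIT


# Triage window: bug shipped 23 July 2024, identified 30 October 2024 (per the advisory).
WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 31, tzinfo=timezone.utc)


def long_username_logins(events, min_len=ADVISORY_MIN_USERNAME,
                         event_type="user.authentication.auth_via_AD_agent"):
    """Return (username, published) for successful logins of long usernames inside the window.

    `events` are dicts shaped like Okta System Log entries using only the
    fields eventType, published, outcome.result and actor.alternateId.
    """
    hits = []
    for ev in events:
        if ev.get("eventType") != event_type:
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        published = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        if not (WINDOW_START <= published < WINDOW_END):
            continue
        username = ev["actor"]["alternateId"]
        if len(username.encode("utf-8")) >= min_len:
            hits.append((username, ev["published"]))
    return hits


# Constructed sample events (not real Okta output).
LONG_USER = "first.middle.last.name@example-subsidiary-division.example.co.uk"  # 64 characters
SHORT_USER = "j.doe@example.com"


def _event(user, result, published, event_type="user.authentication.auth_via_AD_agent"):
    return {"eventType": event_type, "published": published,
            "outcome": {"result": result}, "actor": {"alternateId": user}}


SAMPLE_EVENTS = [
    _event(LONG_USER, "SUCCESS", "2024-08-14T09:12:44.000Z"),           # in window, long: hit
    _event(SHORT_USER, "SUCCESS", "2024-08-14T09:13:10.000Z"),          # short username
    _event(LONG_USER, "SUCCESS", "2024-06-30T22:01:00.000Z"),           # before the bug shipped
    _event(LONG_USER, "FAILURE", "2024-09-02T07:45:12.000Z"),           # failed attempt
    _event(LONG_USER, "SUCCESS", "2024-09-02T07:46:00.000Z", "user.session.start"),  # other event
]

if __name__ == "__main__":
    print(password_bytes_used("00u1abcd2efgh3ijkl4m", "a" * 52), long_username_logins(SAMPLE_EVENTS))
```

The hits are only candidates: a long username logging in successfully during the window is expected for that user, so each result still needs correlating with source IP, device and MFA state before it is treated as a bypass.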
🪲 Vulnerabilities:
- Cisco has patched a perfect 10 severity vulnerability in its Ultra-Reliable Wireless Backhaul (URWB) access points. CVE-2024-20418 (10/10) can be exploited by a remote, unauthenticated attacker to inject commands that run as root on the underlying operating system via the web management interface. LINK, ADVISORY
- HPE also has two critical vulnerabilities in its Aruba access points. CVE-2024-42509 (9.8/10) and CVE-2024-47460 (9.0/10) both relate to the firm’s access point management protocol (PAPI), reached over UDP port 8211, and allow unauthenticated command injection; blocking UDP/8211 from untrusted networks is the interim mitigation until the fixed firmware is deployed. LINK, ADVISORY
- Google has patched two vulnerabilities under “limited, targeted exploitation” in the Android 2024-11-05 security patch level. CVE-2024-43047 (7.8/10) is a use-after-free bug in the Qualcomm DSP driver. The second, CVE-2024-43093, has had no further detail published at the time of writing. LINK, ADVISORY
🛠️ Security engineering:
- Apple has introduced an ‘inactivity reboot’ in iOS 18.1, resulting in iPhones reverting to a more secure state; law enforcement is ‘freaking out’. LINK
🧿 Privacy:
- South Korea’s Personal Information Protection Commission (PIPC) has announced a 21.6 billion won ($15.6M, £11.9M) fine for Facebook’s parent Meta. The social media giant compiled and distributed advertising profiles based on 980,000 Facebook users’ personal data to 4,000 advertisers without their consent. LINK
📜 Policy & Regulation:
- The US Transportation Security Administration (TSA) has issued a ‘notice of proposed rulemaking’ that will define cyber security expectations for around 300 owners and operators of freight railroad, passenger railroad, rail transit, and pipeline systems. The rules are a response to the May 2021 ransomware attack against Colonial Pipeline (vol. 4, iss. 19). LINK
- Germany’s Federal Ministry of Justice has published draft legislation protecting security researchers reporting vulnerabilities to software vendors. LINK
👮 Law Enforcement:
- Interpol is reporting 41 arrests and the seizure of hardware used by cybercriminals. Operation Synergia II has taken control of 22,000 IP addresses, 59 servers, and 43 other devices. A further 65 people are still under investigation. LINK
- Shan Hanes, 53, the Heartland Tri-State Bank CEO, has been sentenced to 24 years in prison for embezzling $47 million of customers’ funds in a pig butchering scam. LINK
- Canadian authorities have arrested a man on suspicion of being behind the June data-theft attacks against SaaS data platform Snowflake (vol. 7, iss. 22). Alexander Moucka (aka Connor Moucka) is believed to be behind ShinyHunters, and his arrest was requested by the United States, which is seeking his extradition to face charges. LINK
- Babatunde Francis Ayeni, 33, a Nigerian national who had been living in the UK, has been given a 10-year sentence for business email compromise scams that netted him almost $20 million from 400 victims. LINK
💰 Investments, mergers and acquisitions:
- CrowdStrike is acquiring cloud security company Adaptive Shield in a deal reportedly worth $300 million. LINK
- Manchester-based CloudGuard has received a multi-million-pound investment from Praetura Equity Finance. LINK
And finally
- Schneider Electric has experienced a pain-ful cyberattack. A threat actor calling themselves “Grep” appears to have compromised the firm via its Jira server and claims to have made off with 40GB of data. The attackers are demanding $125,000 in… baguettes, or they will release the data. The attackers haven’t said what they intend to do with all that dough, or whether it will rise as the deadline approaches. LINK