This week
- Microsoft notification centre used to send sextortion emails (Threat Intel)
- Spotify playlists advertising pirate software sites (And Finally)
- Facebook take down of 2 million pig butchering accounts (Interesting Reads)
- 16,000 scams reported to Action Fraud following Black Friday last year (This Week; Interesting Stats)
- Microsoft announces Windows changes following CrowdStrike outage (This Week)
Black Friday scam warning from NCSC chief
- The shopping season kicks off with Black Friday this week, and NCSC chief exec Richard Horne is warning consumers to be careful with online purchases as the festive period has become “prime time for cybercriminals”. LINK
Microsoft announces Windows improvements in the wake of CrowdStrike outage
- Microsoft announced plans to improve Windows security and resilience with new APIs that allow EDR vendors to implement more product functionality outside the Windows kernel, and a recovery boot mode that will allow admins to roll back changes without needing to physically visit the device. Both are in response to the CrowdStrike outage earlier this year. LINK
UK warning over Russian cyber-threat linked to Ukraine
- Pat McFadden, Chancellor of the Duchy of Lancaster, gave a speech at the NATO Cyber Defence Conference in London to warn UK allies that “no-one should underestimate the Russian cyber threat to NATO”. LINK
Change Healthcare says clearinghouse services back online
- Change Healthcare says clearinghouse services are back online, nine months after a cyberattack against the company disrupted them. The ALPHV/Blackcat attack and subsequent disruption affected 94% of US hospitals the following month. The total recovery is estimated to ultimately cost $2 billion. LINK
Interesting stats
16,000 reports of online shopping fraud were made to Action Fraud between November 2023 and January 2024, with an average loss of £695 per victim. (Black Friday, above).
308/1062 drinking water systems in the United States, together serving 109 million people, have cyber security shortcomings, according to the Environmental Protection Agency (EPA). LINK
Incidents at UK water companies are also up: 6 incidents were reported by water companies under the NIS regulations in 2024 up to 21st October. LINK
Other newsy bits / in brief
🤓 Interesting reads:
- Facebook parent company Meta says it has taken down over 2 million accounts linked to pig butchering scams run out of Myanmar, Laos, Cambodia, the UAE, and the Philippines. LINK
- The national security case for end-to-end encryption (E2EE). LINK
- Microsoft president Brad Smith has called on president-elect Trump to “push harder” against cyber attacks from Russia, China and Iran, saying, “We should not tolerate the level of attacks that we are seeing today.” LINK
- State cyber campaigns from China have shifted from the People’s Liberation Army (PLA) to the Ministry of State Security (MSS) since 2015, according to an analysis by Sekoia. LINK
⚠️ Incidents:
- Finastra is warning customers about a breach of its systems after a threat actor began listing data allegedly stolen from the company on cybercrime forums. The financial software company says cybercriminals obtained the data from a file transfer platform on 7th November. Finastra services 45 of the world’s top 50 banks. LINK
- Patient data at a French hospital was exposed after an attacker accessed its MediBoard patient records system. Around 750,000 people are believed to be affected. A spokesperson for the software vendor told BleepingComputer, “We can confirm that our software is not responsible, but rather, a privileged account within the client’s infrastructure was compromised by an individual who exploited the standard functions of the solution”. LINK
- Swedish police have identified a Chinese bulk carrier as a ship “of interest” in the suspected sabotage of undersea cables in the Baltic Sea. A Danish navy patrol boat is shadowing the Chinese vessel, Yi Peng 3. LINK
- Microlise, a UK telematics company, has confirmed that attackers compromised corporate data during an incident a few weeks ago. Systems were taken offline as a precautionary measure, resulting in disruption to some tracking services, including some prison transport vehicles. No customer data was compromised during the breach. LINK
- US satellite manufacturer Maxar Space Systems employees are finding out that a threat actor has compromised their personal data. The attacker was inside Maxar’s systems for a week before being detected on 11th October. LINK
🏴‍☠️ Ransomware:
- The Akira ransomware gang published details of 35 claimed victims. Security researchers are speculating if this is a sign of a last push before shuttering the operation or a demonstration of the group’s capabilities. LINK
- CISA says that the BianLian ransomware group is now focussing solely on data theft extortion. LINK
🕵️ Threat Intel:
- Russia’s Fancy Bear group compromised Wi-Fi-enabled devices in buildings near its intended target and used them as a staging post for the attack. Security firm Volexity calls the attack GruesomeLarch. LINK
- Scammers are abusing Microsoft 365’s message centre to send sextortion messages to victims. Because the messages come from a legitimate Microsoft email address, they pass email filters that would otherwise send them to spam. The Microsoft portal allows you to share a message with a personal note, and scammers use this box to include their demands. LINK
- Researchers at Volexity say that a Chinese group is exploiting a weakness in Fortinet’s FortiClient VPN client on Windows. The zero-day vulnerability, which was acknowledged in July 2024 but does not yet appear to have been fixed or assigned a CVE, allows the threat actors to dump VPN credentials from memory after a successful authentication. This means they would need to have already compromised the device; however, knowing the VPN credentials would give the group a way of pivoting into the VPN network. LINK
🪲 Vulnerabilities:
- Google’s OSS-Fuzz large language model fuzzing tool has found 26 vulnerabilities, including one in OpenSSL that it believes has been present for 20 years. LINK
- Palo Alto Networks has patched two actively exploited zero-day vulnerabilities in its Next-Generation Firewalls. CVE-2024-0012 (9.3/10) and CVE-2024-9474 (6.9/10) are real doozies, with the former allowing authentication bypass by setting the HTTP header X-PAN-AUTHCHECK to “off”. Just tell the system to turn off the authentication check. Brilliant. Meanwhile, PAN quarterly earnings were strong, up 14% to $2.14 billion. LINK, ADVISORY, EARNINGS
- Apple has patched two zero-day vulnerabilities in its Intel Macs running macOS Sequoia. CVE-2024-44308 (8.8/10) and CVE-2024-44309 (6.3/10) are remote code execution and cross-site scripting issues in JavaScriptCore and WebKit, respectively. LINK, ADVISORY
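A defender-side check for the X-PAN-AUTHCHECK header trick in the Palo Alto item above. This is an added example, not code from the newsletter or from Palo Alto Networks; it assumes a reverse proxy or WAF in front of the firewall management interface writes one JSON object per request including the request headers, and the field names, the management allow-list and the sample log lines are all constructed here.

```python
import json
from ipaddress import ip_address, ip_network

# Assumed: the management interface should only be reachable from these networks.
MGMT_ALLOWLIST = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
HEADER = "x-pan-authcheck"


def is_authcheck_disabled(headers):
    """True when the request carries X-PAN-AUTHCHECK: off (any case or spacing)."""
    for name, value in headers.items():
        if name.strip().lower() == HEADER and value.strip().lower() == "off":
            return True
    return False


def classify(entry):
    """Return 'alert', 'suspicious' or 'ok' for one parsed log entry."""
    src = ip_address(entry["src_ip"])
    trusted = any(src in net for net in MGMT_ALLOWLIST)
    if is_authcheck_disabled(entry.get("headers", {})):
        # No legitimate client sets this header; seen from outside the
        # allow-list it is the highest-priority finding.
        return "alert" if not trusted else "suspicious"
    if not trusted:
        return "suspicious"  # management interface reached from outside the allow-list
    return "ok"


def scan(lines):
    """Parse JSON log lines; return (src_ip, path, verdict) for every non-ok row."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        verdict = classify(entry)
        if verdict != "ok":
            findings.append((entry["src_ip"], entry["path"], verdict))
    return findings


# Constructed sample log lines, not real traffic (documentation IPs are external).
SAMPLE_LOG = """
{"src_ip": "10.1.2.3", "path": "/login", "headers": {"Host": "fw-mgmt.example"}}
{"src_ip": "203.0.113.9", "path": "/login", "headers": {"X-PAN-AUTHCHECK": "off"}}
{"src_ip": "10.1.2.7", "path": "/admin", "headers": {"x-pan-authcheck": " OFF "}}
{"src_ip": "198.51.100.4", "path": "/", "headers": {}}
"""
if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

The header match is case- and whitespace-insensitive because proxies and attackers both vary those; the allow-list check doubles as a check that the management interface is not exposed more widely than intended.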
🛠️ Security engineering:
- GitHub has launched a $1.25 million fund to boost security in open source projects. “We’re looking for the outsized impact, which tends to be big projects with few maintainers that we all rely on,” GitHub COO Kyle Daigle told TechCrunch. The programme includes hands-on support, tools, and funding for maintainers. The programme aims to fund 125 projects. LINK
- SQL Injection is still amongst the most dangerous software weaknesses, according to the top 25 list MITRE has published for this year. LINK
🧿 Privacy:
- The UK Information Commissioner’s Office (ICO) is marking its 40th anniversary with a digital exhibition looking at important moments from the last four decades. A physical version will open in Manchester in April next year. LINK
- The Office of the Australian Information Commissioner says that hardware store Bunnings violated privacy rules by using facial recognition technology across 63 stores between 2018 and 2021. Bunnings implemented the systems after violent incidents in their stores. However, the ruling follows a two-year probe, during which the OAIC concluded facial recognition was not a proportionate response. Bunnings intends to appeal the ruling. A similar proportionality case was made by German regulators in 2021 over the use of CCTV to monitor employees. LINK, GERMANY
- Niantic, the company behind Pokemon Go, has announced a “Large Geospatial Model” intended to do for the physical environment what large language models have done for text. The training data for the model comes from the millions of Pokemon Go players. LINK, BLOG
📜 Policy & Regulation:
- US Rail and pipeline companies are pushing back on proposed new cyber regulations. The Transportation Security Administration (TSA) is requesting feedback on proposals to increase cyber resilience in the wake of the 2021 Colonial Pipeline ransomware attack. Regulation under the forthcoming Trump administration may be scaled back, and the Republican hearing this week may give an indication of the direction of travel. The TSA faced criticism this week after a Government Accountability Office report found four out of six recommendations made to the body in 2018 still need to be addressed. LINK, TSA
👮 Law Enforcement:
- US authorities have charged five men linked to the Scattered Spider group with wire fraud. Ahmed Hossam Eldin Elbadawy, 23, of Texas; Noah Michael Urban, 20, of Florida; Evans Onyeaka Osiebo, 20, of Texas; and Joel Martin Evans, 25, of North Carolina, have been charged, and a separate complaint has been brought against Tyler Robert Buchanan, 22, from the United Kingdom. Scattered Spider, aka 0ktapus, drew its members from a loosely affiliated online community called “the Com” and was behind the attacks against 45 companies, including MGM Resorts. LINK
💰 Investments, mergers and acquisitions:
- Wiz is acquiring application security posture management (ASPM) and continuous threat and exposure management (CTEM) platform, Dazz, for $450 million in cash and shares. LINK
🗞️ Industry news:
- Jen Easterly is to step down as CISA Director on 20th January 2025, coinciding with the inauguration of President-elect Donald Trump. LINK
- Microsoft has announced new custom chips for data processing and security. The Azure Boost DPU (data processing unit) and Azure Integrated Hardware Security Module will be implemented within the company’s Azure cloud environment. LINK
- New Jersey insurer Crum & Forster has started offering professional liability insurance to CISOs. LINK
And finally
- Spotify is being used to promote pirated software. The music streaming service’s web pages are indexed by search engines and rank highly; public playlists promote websites where cracked software can be downloaded. LINK