This week
- BT ransomware attack (Incidents)
- South Korean firm added DDoS tools to set-top boxes (And Finally)
- Spyware infections may be higher than previously thought (Interesting Reads)
- Zipcar outage caused by SMS volumes (Incidents)
- FCC proposes new cyber regulations (This Week)
- Salt Typhoon campaign affects more telcos (This Week)
- Ukraine DDoS of Russian bank (Incidents)
Salt Typhoon campaign scope increases; FCC proposes new cyber rules
- According to US deputy national security adviser Anne Neuberger, the Chinese state-backed Salt Typhoon campaign that gained access to wiretap systems affected at least eight US telcos.
- Neuberger also says that the campaign “has been underway … likely one to two years” and that “a couple dozens of countries were impacted,” thought to be in the Indo-Pacific and European regions. LINK
- When the story originally broke, it was believed to impact three or four telcos (vol. 7, iss. 41).
- Jessica Rosenworcel, chair of the Federal Communications Commission (FCC), presented draft regulations this week aimed at improving cyber security. The proposal is a new interpretation of part of the Communications Assistance for Law Enforcement Act (CALEA), the 30-year-old law that requires telco providers to comply with lawful intercept requests.
- Telcos would be required to submit an annual attestation stating that they have implemented a cyber risk management plan or face potential fines. LINK
Interesting stats
430 incidents required support from the NCSC during Sep 2023 - Aug 2024, up 59 on the previous 12-month period. Of those, 89 were ‘nationally significant’ and 12 were considered at the ‘top end’ of the scale, a 3x increase on the previous 12 months. LINK, PDF
£30 million, cost of TfL’s September 2024 cyber attack to date. LINK
Other newsy bits / in brief
🤓 Interesting reads:
- Is Anyone Happy With the UN Cybercrime Convention? Karine Bannelier and Eugenia Lostri take a look at the compromises made to reach a consensus on the Cybercrime Convention likely to be passed by the UN General Assembly in early 2025. LINK
- Certain names cause ChatGPT to grind to a halt. It appears they belong to people who have sued, or threatened to sue, OpenAI for defamation. LINK
- Spyware infections may be higher than previously thought after a study revealed that 2.5 in every 1,000 devices were infected. It is worth noting that the participants in this study self-selected and, therefore, may be more likely to be victims, but it’s still a high rate. LINK
- Lorenzo Franceschi-Bicchierai on the story of a Russian programmer who says the FSB planted spyware on his phone. LINK
⚠️ Incidents:
- Zipcar customers were locked out of cars they had rented due to “SMS delivery service constraints”, with some people missing flights and exams because their belongings were stuck inside the vehicles. The company’s customer service line appears to have been completely overwhelmed by the incident, with reports of users waiting over three hours to speak to someone. LINK
- The personal data of 760,000 Xerox, Nokia, Koch, Bank of America, and Morgan Stanley employees is being leaked by a threat actor who claims to have obtained the information by exploiting the critical vulnerability in Progress Software’s MOVEit file transfer system. LINK
- Up to $155,000 was stolen from blockchain companies in a software supply-chain attack after malicious code was added to the solana-web3.js library, which is used to interact with the Solana blockchain and to build and run decentralised apps. LINK
- Customers of the privately owned Gazprombank in Russia have been reporting difficulties accessing their accounts. Ukraine’s military intelligence agency claimed responsibility for a distributed denial of service (DDoS) attack against Gazprombank. LINK
🏴☠️ Ransomware:
- BT confirmed an incident relating to its conferencing services affecting non-production servers. The affected systems were “rapidly taken offline and isolated”, a company spokesperson said. It sounds like cybercriminals accessed a development or test system; no disruption to BT’s customer operations is reported. The Black Basta ransomware group has claimed responsibility for the attack. LINK
- ENGlobal, an Oklahoma-based energy contractor, has filed a report with the US Securities and Exchange Commission advising that “a threat actor illegally accessed the Company’s information technology system and encrypted some of its data files”. No ransomware group has claimed responsibility for the attack. LINK
- Vodka maker Stoli blames a ransomware attack as a contributing factor in the bankruptcy of its US operations, though the company has also been the subject of political turmoil since Russian president Vladimir Putin issued an executive order in March 2000 to return it to state control. LINK
🕵️ Threat Intel:
- Cybercriminals favour new generic top-level domains (gTLDs) such as .top, .xyz, .shop, .vip, and .club. While new gTLDs account for just 11% of domain registrations, they account for 37% of cybercrime domains reported between September 2023 and August 2024. LINK
- Russian state-sponsored threat actors compromised Pakistani threat actor infrastructure to spy on targets in India and Afghanistan, according to Microsoft and Lumen Technologies. Reporting doesn’t explain how Secret Blizzard (aka Turla) gained access to the infrastructure of Storm-0156 or if the Pakistani group knew they were providing a platform for Russian espionage operations. LINK
🪲 Vulnerabilities:
- Veeam has released a security patch addressing a critical remote code execution (RCE) vulnerability in its Service Provider Console. CVE-2024-42448 (9.9/10) allows attackers to execute arbitrary code on affected devices. A second vulnerability, CVE-2024-42449 (7.1/10), may leak the Windows NTLM hash of the account running the service. LINK, ADVISORY
- SailPoint has reported a ‘perfect 10’ vulnerability in its IdentityIQ identity and access management platform. CVE-2024-10905 (10/10) is a directory traversal bug, meaning an attacker can supply a crafted path (typically containing ‘../’ segments) that causes the application to read and return files from outside the directory it is meant to serve. As The Register notes, MITRE called directory or path traversal bugs “unforgivable” back in 2007. It’s a bit of a clanger. LINK, ADVISORY
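For readers who have not met the bug class before, the snippet below is an added illustration of what a directory traversal looks like in code and how it is normally closed off. It is not SailPoint’s code and assumes nothing about the IdentityIQ flaw beyond “attacker-controlled path reaches the filesystem”; the served directory, the file names and the ‘secret’ contents are all constructed for the demo.

```python
"""Directory traversal: a vulnerable file read beside a hardened one.

Added illustration, not SailPoint code. The served directory, file names
and 'secret' contents below are constructed for the demo.
"""
import os
import tempfile
from pathlib import Path


class TraversalError(ValueError):
    """Raised when a requested path would escape the served directory."""


def read_vulnerable(base_dir: str, requested: str) -> bytes:
    # Naive join: '../' segments walk out of base_dir, and an absolute
    # path such as '/etc/passwd' replaces base_dir entirely.
    return Path(os.path.join(base_dir, requested)).read_bytes()


def read_hardened(base_dir: str, requested: str) -> bytes:
    # Resolve both paths (collapsing '..' and following symlinks), then
    # require the target to sit inside base_dir before opening it.
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        raise TraversalError(f"path escapes served directory: {requested!r}")
    return target.read_bytes()


def build_demo_tree() -> tuple[str, str]:
    """Create a throwaway tree: <root>/public/index.txt is meant to be
    served, <root>/secret.txt is not. Returns (root, public_dir)."""
    root = tempfile.mkdtemp()
    public = Path(root) / "public"
    public.mkdir()
    (public / "index.txt").write_bytes(b"hello")
    # Constructed sample of something that should never be served.
    (Path(root) / "secret.txt").write_bytes(b"db_password=hunter2")
    return root, str(public)


def demo() -> dict:
    """Run both readers against a legitimate and a traversal path."""
    _root, public = build_demo_tree()
    results = {
        "legit_vuln": read_vulnerable(public, "index.txt"),
        "traversal_vuln": read_vulnerable(public, "../secret.txt"),
        "legit_hard": read_hardened(public, "index.txt"),
    }
    try:
        read_hardened(public, "../secret.txt")
        results["traversal_hard"] = "READ"
    except TraversalError:
        results["traversal_hard"] = "blocked"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The containment check is done on the resolved path rather than by string-matching for ‘..’, which is the mistake that lets encoded or symlinked variants through; a denylist of characters is not a substitute for confirming where the path actually lands.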
🧑💻 End user and consumer:
- The FBI is encouraging people to agree a secret word or phrase with loved ones that can be used to verify their identity and help combat the rise of AI-generated voice scams. LINK
🛠️ Security engineering:
- Amazon is adding an incident response offering to its suite of AWS services. AWS Security Incident Response builds on findings from the firm’s GuardDuty threat detection service and other third-party tools, and provides access to an AWS Customer Incident Response Team. Pricing starts from $7K/mo. LINK, AWS
🧿 Privacy:
- A new site — theyseeyourphotos.com — shows the level of (slightly creepy) detail that Google’s AI models are able to extract from uploads to the Google Photos service. LINK
- BlueSky social media posts are being slurped up into datasets to train artificial intelligence. LINK
📜 Policy & Regulation:
- The US has banned exports to 140 Chinese companies that manufacture processors, memory chips, and fabrication tools. LINK
👮 Law Enforcement:
- Operation Passionflower, a joint European law enforcement operation, has seized and shut down the encrypted message service ‘MATRIX’ used by cybercriminals to coordinate activities. LINK
- The UK’s National Crime Agency says it has disrupted two Russian money laundering networks that criminals and ransomware gangs use. Operation Destabilise has led to 84 arrests. LINK
- US authorities have arrested a teenager believed to be part of the Scattered Spider gang and charged him with breaching a financial institution and two telcos. Remington Goy Ogletree, 19, aka “Remi”, allegedly stole credentials from the three victims by posing as their IT department. LINK
💰 Investments, mergers and acquisitions:
- Cloud security startup Upwind has closed a $100 million Series A funding round, led by Craft Ventures, that values the company at $900 million post-money. LINK
- An investment fund has acquired the assets of Russian cybersecurity company F.A.C.C.T., and a new firm is expected to be established. F.A.C.C.T. was a spin-off of Group-IB after the latter relocated to Singapore and exited the Russian market. LINK
🗞️ Industry news:
- Snyk reports reaching $300 million annual recurring revenue; CEO Peter McKay says he “can pick the time when I go public”. LINK
And finally
“South Korean police have arrested a CEO and five employees for manufacturing over 240,000 satellite receivers pre-loaded or later updated to include DDoS attack functionality at a purchaser’s request.”
- A wild story of a company asking its set-top box manufacturer to add functionality so it could use its customers’ set-top boxes to launch distributed denial of service (DDoS) attacks. LINK