Robin’s Newsletter #340

22 December 2024. Volume 7, Issue 51
US considering TP-Link ban. Nebraska sues Change Healthcare. False Claims Act whistleblowers.
  • Happy Holidays! I hope you’ll have the opportunity to relax and enjoy the company of those most important to you. The next couple of editions will be in a slightly different format for you to read at your leisure.
  • I’ve been reflecting on some major Cydea milestones in 2024: launching our risk platform, being chosen to deliver a major cyber risk programme for a UK critical infrastructure company, and being selected to participate in Cyber Runway as one of the UK’s most promising cyber scale-ups. We’ve doubled the size of the team to meet demand for our cyber risk due diligence and programme management services, all while maintaining an epic net promoter score of +90! A huge hats off to the wonderful Cydea team and all our customers and partners. Thank you!
  • If you’re considering upping your security game in 2025, please get in touch with Cydea, and we’ll work out how we can help.
  • And thank YOU for subscribing, and all your support this year, it means a lot to me.

This week

Need to Know, 22nd December 2024

  • US considers TP-Link ban (This Week)
  • Russia labels Recorded Future ‘undesirable’ (And Finally)
  • False Claims Act cyber whistleblowers (This Week)
  • North Korean cryptocurrency heists (Interesting Stats)
  • Nebraska sues Change Healthcare (This Week)

US considers TP-Link ban

  • The US is investigating whether TP-Link poses a national security risk and is considering a ban on the sale of the company’s devices in the US.
  • The Commerce, Defense, and Justice departments have opened independent investigations into TP-Link. Commerce Secretary Gina Raimondo cites the “unusual degree of vulnerabilities and required compliance with PRC [People’s Republic of China] law” as reasons for concern. TP-Link is a popular choice for home and business Internet routers, wireless access points, and other networking equipment. LINK

Nebraska sues Change Healthcare over February mega-breach

  • The US state of Nebraska is suing UnitedHealth’s Change Healthcare for failing to implement basic security controls, a failure that led to the firm’s massive February data breach. The complaint provides further details on how cybercriminals gained access to one of the US’ largest healthcare service providers.
  • The credentials of a “low-level customer support employee” were obtained via a Telegram group selling stolen credentials. Using these, the attackers were able to access Change Healthcare’s medication management application, SelectRX, and create privileged accounts that allowed them to access and delete all files.
  • The complaint alleges that the cybercriminals moved through systems and exfiltrated “terabytes of sensitive data” for nine days without detection. Procedurally, the complaint also says that Change Healthcare failed to notify at least 575,000 Nebraskans affected by the breach until five months after the attack. LINK

Cyber whistleblowers and the False Claims Act

  • Supplier to the US government? Cutting corners on your cyber security programme? You might join the likes of Penn State, Dell Federal Systems, and Cisco, which have all settled cases under the False Claims Act. 
  • Multiple recent cases have been for failing to implement security controls. The US government relies on whistleblowers to kick-start these cases, and those individuals stand to make serious bank: six- or seven-figure payouts are the norm.
  • This isn’t about ‘malicious insiders’ as a source of risk, it’s a ‘governance failure’ at the supplier to deliver on its contractual obligations. LINK

Interesting stats

61% of all cryptocurrency stolen in 2024 was taken by North Korean-linked attackers, worth $1.34 billion across 47 different cases, according to Chainalysis. LINK

29% of UK adults don’t know how to wipe their personal information from an old mobile device or tech product, according to research by the UK Information Commissioner’s Office, with 21% of young people not thinking it’s important to wipe their personal information and 14% of those aged 18-34 admitting they wouldn’t bother wiping their old tech at all. LINK The NCSC has a guide on how to erase your data and why it’s important if you’re buying or selling second-hand devices. LINK

Other newsy bits / in brief

🤓 Interesting reads:

  • Interpol wants to stop calling investment or romance scams “pig butchering” because it dehumanises and shames the victims and instead calls the practices “romance baiting” to make it easier for victims to come forward and seek help. The pig reference stems from language fraudsters use, drawing parallels with fattening up a hog before slaughter, i.e., building trust and rapport before running off with their life savings. Words do matter and this is probably a good thing. LINK
  • AlL yoU NeEd To dO to JaIlbReak AI iS gEt thE cApS rIGhT, according to Anthropic, Oxford, Stanford and MATS researchers. LINK

⚠️ Incidents:

  • McDonald’s delivery system in India exposed customers’ personal data and would accept orders for $0.01. The delivery system used by McDonald’s India (West & South) is owned by Hardcastle Restaurants (McDonald’s operates a franchise model). The API of the McDelivery system didn’t validate whether a request was authorised or not. Traceable AI reported the issue in July and it was fixed in September. These are some pretty basic mistakes. LINK
  • The Securities and Exchange Commission has fined Flagstar Bank $3.5 million for allegedly making misleading statements about its 2021 cyberattack. LINK
  • Privileged access management company BeyondTrust confirmed a breach of its Remote Support systems early in December. Attackers gained access to a Remote Support SaaS API key, allowing them to potentially reset local application account passwords. The incident affected a “limited number” of customers, according to BeyondTrust, who said a root cause analysis linked the incident back to two product vulnerabilities. LINK
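The McDelivery item above describes two textbook API failures: the server accepting the caller’s word for who they are and what they may access, and the server accepting a client-supplied price. The following is an added illustrative example, not code from McDonald’s, Hardcastle or Traceable AI; the menu, addresses and session tokens are constructed sample data and the function names are my own. It places a deliberately trusting order handler beside a hardened one that derives identity from the session, checks object ownership, and prices the order from the server-side catalogue.

```python
"""Authorization and pricing checks for an order API (added illustrative example)."""

# Constructed sample data: server-side prices in cents, customers' saved
# delivery addresses, and the sessions issued at login.
MENU = {"burger": 499, "fries": 199, "shake": 299}
ADDRESSES = {
    "addr-1": {"owner": "cust-1", "text": "1 Example Street"},
    "addr-2": {"owner": "cust-2", "text": "2 Sample Road"},
}
SESSIONS = {"token-cust-1": "cust-1", "token-cust-2": "cust-2"}


class OrderError(Exception):
    """Raised when a request is rejected by the hardened handler."""


def place_order_vulnerable(body):
    """Trusts everything in the request body: the caller says who they are,
    which address to deliver to, and what the order costs. Any caller can
    read another customer's address and buy for a cent."""
    return {
        "customer": body["customer_id"],
        "address": ADDRESSES[body["address_id"]]["text"],
        "total_cents": body["total_cents"],
        "items": dict(body["items"]),
    }


def place_order_hardened(auth_token, body):
    # 1. Identity comes from the authenticated session, never from the body.
    customer = SESSIONS.get(auth_token)
    if customer is None:
        raise OrderError("unauthenticated")

    # 2. Object-level authorization: the referenced address must belong to
    #    the caller. Return the same error for "missing" and "not yours" so
    #    the response does not reveal which address ids exist.
    address = ADDRESSES.get(body.get("address_id"))
    if address is None or address["owner"] != customer:
        raise OrderError("forbidden: unknown address or not owned by caller")

    # 3. Price is computed from the server-side catalogue; any
    #    "total_cents" the client sends is ignored entirely.
    items = body.get("items") or {}
    total = 0
    for sku, qty in items.items():
        if sku not in MENU or not isinstance(qty, int) or qty <= 0:
            raise OrderError(f"invalid item {sku!r}")
        total += MENU[sku] * qty
    if total == 0:
        raise OrderError("empty order")

    return {
        "customer": customer,
        "address": address["text"],
        "total_cents": total,
        "items": dict(items),
    }


def order_rejected(auth_token, body):
    """Helper for callers that only need to know whether the hardened
    handler refused the request."""
    try:
        place_order_hardened(auth_token, body)
    except OrderError:
        return True
    return False


if __name__ == "__main__":
    # A tampered request: claims another customer's address and a 1-cent total.
    tampered = {"customer_id": "cust-1", "address_id": "addr-2",
                "total_cents": 1, "items": {"burger": 2}}
    print("vulnerable:", place_order_vulnerable(tampered))
    print("hardened rejects:", order_rejected("token-cust-1", tampered))
```

The check in step 2 is the one the write-up says was missing: looking up the object is not enough, the handler must also compare its owner with the authenticated principal. Step 3 removes the $0.01 order class of bug by never reading a price from the client at all.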

🏴‍☠️ Ransomware:

  • Deloitte says the RIBridges social services and benefits platform it runs for Rhode Island has suffered a “major security threat” and a “high probability” that cybercriminals have stolen sensitive health data. The Brain Cipher ransom gang has claimed responsibility for the attack. LINK
  • Telecom Namibia says that attackers stole customer data during a ransomware attack. The state-owned telco refused to pay the Hunters International cybercrime group that has begun publishing data in an attempt to ramp up pressure. LINK

🕵️ Threat Intel:

  • ‘Big Mama VPN’, used to cheat in the virtual reality game Gorilla Tag, is selling access to users’ home networks to cybercriminals for use in their cyberattacks. LINK
  • Clop ransomware gang has claimed responsibility for attacks against Cleo file transfer systems. If you use a specific file transfer appliance or cloud solution for exchanging data, you should pay special attention to hardening the system’s configuration and regularly applying patches. LINK
  • A suspected South Asian threat group calling itself ‘Bitter’ is targeting Turkish defence organisations with MiyaRAT malware. LINK
  • Malicious VSCode extensions are being used in software supply chain attacks targeted at developers and cryptocurrency projects, says Reversing Labs. LINK
  • HubSpot functionality is being abused in phishing campaigns targeting UK and German automotive, chemical and industrial companies. LINK
  • Researchers at a Chinese cyber security company say the Winnti (aka APT41) group has developed a PHP backdoor that utilises FastCGI functionality to avoid leaving files on disk. The backdoor, dubbed Glutton by XLab, is not only being used against foreign powers but also against cybercriminals themselves. “No honour among thieves”. LINK

🪲 Vulnerabilities:

  • Fortinet Wireless Manager (FortiWLM) has a path traversal vulnerability. CVE-2023-34990 (9.8/10) was originally reported to Fortinet in May 2023, with a fix being released ten months later (and four months after a proof of concept was released). The security advisory, published this week, is another nine months on. This isn’t what you want from your security vendor. LINK, ADVISORY
  • Juniper Networks says its Session Smart Routers can easily become infected with Mirai malware if you don’t change the default passwords. LINK, ADVISORY
  • Sophos Firewall has been patched against two critical and one high-severity vulnerabilities. CVE-2024-12727 (9.8/10), CVE-2024-12728 (9.8), and CVE-2024-12729 (8.8) are, respectively, a pre-authentication SQL injection, a non-random SSH login passphrase, and a code injection. LINK, ADVISORY
  • CISA is warning US federal agencies to address an elevation of privilege vulnerability that was patched in June. CVE-2024-35250 (7.8/10) allows attackers to gain SYSTEM-level access without user interaction. If you’re running a half-decent patch programme you should already be protected. CISA’s warning is because evidence has been seen of it being actively used to compromise systems. LINK, ADVISORY

🧰 Guidance and tools:

  • CISA has published guidelines to safeguard the communications of high-value government targets. The guide is in response to the Chinese Salt Typhoon espionage campaign. The main steps are using end-to-end encrypted services for voice and text communication, hardware-based FIDO security tokens for MFA, a password manager, regularly applying software updates and changing default PINs and passwords. All sensible stuff. LINK, GUIDE

🧿 Privacy:

  • The Irish Data Protection Commission (DPC) has fined Meta €251 million ($264 million) for exposing the access tokens of 30 million users. The case has taken six years to conclude and stems from a ‘view as’ feature allowing users to see their profiles as if they were another user. Meta described the issue as a “complex interaction of multiple issues in our code”. LINK
  • The Dutch Data Privacy Authority (DPA) has fined Netflix €4.75 million ($5 million) for failing to give customers “sufficient” information about how it used their personal data from 2018 to 2020, even when customers asked for further details. The DPA says that Netflix disagrees with the fine. LINK

📜 Policy & Regulation:

  • The European Council has announced sanctions against 16 people and three entities for their part in an “intensifying campaign of hybrid activities” by Russia against the West, including cyberattacks. This is a well-established playbook from the West now: expel diplomats and apply sanctions to impose costs on the campaigns and individuals. LINK
  • CISA has published a draft update to the US National Cyber Incident Response Plan, with the coordination of public and private response efforts being a particular area of focus. Security is a (multi!) team sport. LINK

👮 Law Enforcement:

  • A third member of the LockBit ransomware group has been arrested and is awaiting extradition to the US. New Jersey prosecutors publicly named dual Russian-Israeli national Rostislav Panev, 51, this week. LINK
  • Daniel Christian Hulea, a Romanian man who pleaded guilty to involvement in NetWalker ransomware attacks, has been sentenced to 20 years in prison for computer fraud and wire fraud conspiracies. LINK

💰 Investments, mergers and acquisitions:

  • Arctic Wolf has acquired Cylance from BlackBerry for $160 million — almost a 90% discount on the $1.4 billion that BlackBerry paid in 2018. IDC reported that Cylance’s endpoint security solution had around 1.3% market share at the end of 2022. My guess is that Arctic Wolf will migrate those customers onto its platform rather than invest in updating a second platform. Meanwhile, BlackBerry CTO Tim Foote has indicated that spending would be redirected towards its secure communications business line (arguably what BlackBerry was best known for, alongside its keyboards). LINK

And finally

  • Russian authorities have designated Recorded Future an “undesirable” company. The Russian Prosecutor General’s Office said, “[they] specialize in cyber threats, actively interact with the CIA and intelligence services of other countries. They provide information and technical support for the propaganda campaign launched by the West against Russia.” Recorded Future CEO Christopher Ahlberg described the move as a “rare compliment”. LINK
Robin
