Robin’s Newsletter #342

5 January 2025. Volume 8, Issue 1
UN approves cybercrime convention. Clop threatens Cleo breach names. Sanctions for Chinese firm linked to Flax Typhoon. Doom as a CAPTCHA.

This week

Need to Know, 5th January 2025

  • Doom as a CAPTCHA (And Finally)
  • UN approves cybercrime convention (This Week)
  • HIPAA set to be updated (Policy & Regulation)
  • Clop Cleo threats turn to nothing (yet) (This Week)
  • 5.6M swept up in Ascension health data breach (Ransomware)
  • Sanctions for Chinese Flax Typhoon cyber company (This Week)

UN Cybercrime Convention passes after five years of negotiations 

  • The United Nations adopted a cybercrime convention on Christmas Eve. The Convention against Cybercrime is the result of five years of negotiations on cyber-norms.
  • The treaty aims to strengthen international cooperation, enable countries to request legal assistance from each other, harmonise legal provisions, and define specific crimes for cyber-enabled offences.
  • The convention was introduced by Russia and was finally approved after the US and UK fell in behind the measure. Some rights groups and tech companies fear that the convention could provide a route for human rights violations and surveillance. LINK, PDF

Clop threatens to release names of companies in Cleo file transfer breach

  • On Christmas Eve, the Clop ransomware group threatened to release the names of 66 companies within 48 hours if they didn’t respond to its demands. The compromises allegedly took place via the companies’ Cleo file transfer solutions. LINK
  • No names were released over Christmas, with social media posts saying the cybercriminals changed their demands to release the names “in the new year”. Presumably, they learned that many of their victims shut down over the Christmas break, though four entries have been removed since the original list was published.

Sanctions for Chinese cyber business linked to Flax Typhoon attacks

  • The US has sanctioned a Chinese cyber security company for its involvement in the Flax Typhoon campaign. The Treasury Department describes Integrity Technology as a “large [People’s Republic of China] government contractor with ties to the Ministry of State Security”. The firm allegedly provided infrastructure and support to state-backed groups between the summer of 2022 and fall 2023.
  • All US assets of Integrity Technology, also known as Yongxin Zhicheng, have been frozen, and there are limits on the services that financial institutions can provide. LINK

Interesting stats

Paul Brucciani’s (now annual?) round-up of cyber security predictions is a worthy read. A few choice stats from it, which you can read in full on LinkedIn:

  • 20% of the 205 predictions from 29 organisations Paul reviewed centre around artificial intelligence (AI).
  • 8% of employees are responsible for 80% of security incidents (via Mimecast).
  • $2.73+ million average ransom demands will ‘surge passed’, according to Forescout.
  • 3:2 costs from class action lawsuits will surpass those of regulatory penalties, respectively, according to Forrester.

Other newsy bits / in brief

🤓 Interesting reads:

  • The Record’s Alexander Martin has a fascinating read into the UK National Crime Agency’s (NCA) Operation Destabilise into Russian money laundering networks. LINK
  • Zack Whittaker and Carly Page have a write-up of their ‘badly handled breaches’ of 2024. Take this and compare it to your response playbook and treat it as an anti-pattern: if things look and sound like this, consider changing them! LINK
  • ProPublica’s Renee Dudley has a write-up on the FTC probe into Microsoft’s bundling practices, which looks likely to continue under the Trump administration. This will take a long time to play out; however, if you’re ‘all in’ on the Microsoft ecosystem, perhaps you want to have some discovery work in your security strategy this year. LINK
  • Dan Goodin has a good summary of the problems with passkeys for Ars Technica. LINK

⚠️ Incidents:

  • The Chrome extension from security start-up Cyberhaven was compromised around Christmas. The firm uses the extension to monitor user behaviour and detect data loss. The unidentified actor had access to the web browsers of customers such as Canon, Reddit, and Motorola for around 30 hours; fortunately, I’m guessing most users were likely on holiday. Cyberhaven is amongst a list of 33 extensions suspected to have been compromised. LINK, LIST
  • Japan Airlines (JAL) attributed disruption to its operations on Boxing Day to a “system malfunction” that sounds a lot like a denial of service attack. Over 40 flights were disrupted, though some of these were attributed to bad weather. The timing seems to line up with a distributed denial of service attack against Japan’s largest mobile carrier, NTT Docomo. JAL, NTT
  • VW Group subsidiary Cariad left location data of 800,000 Volkswagen, Audi, Seat, and Skoda vehicles in a publicly accessible cloud storage bucket. Precise geolocation data of 460,000 ID.3 and ID.4 vehicles were included in the data set, shared with the German newspaper Spiegel and the Chaos Computer Club. LINK
  • Suspected Chinese threat actors compromised the US Treasury Department via BeyondTrust’s identity and access management solution. LINK

🏴‍☠️ Ransomware:

  • French systems integrator Atos has dismissed claims of the ‘Space Bears’ ransom group that it has been compromised. LINK
  • Ascension says that its May 2024 ransom attack (vol. 7, iss. 19) resulted in the loss of 5.6 million patients’ sensitive data. LINK
  • American Addiction Centers has been issuing breach notification letters to 422,424 people whose Social Security and health insurance information was leaked during a September ransomware attack. LINK

🕵️ Threat Intel:

  • Insurer Beazley says that AI-generated phishing emails are being used to target company executives. The use of AI allows for messages to be better tailored, based on the target’s interests and company’s style, to increase the chances of a successful attack. LINK

For what it’s worth… I’m not so convinced about these yet, here’s an example I received on Friday that went viral on LinkedIn over the weekend:

A screenshot of a LinkedIn message sent to me over the weekend, which had scraped my profile — and prompt injection — to tailor a message to me admitting it was written by AI and addressing me as ‘Sir Robin’.

  • The FBI linked the North Korean ‘TraderTraitor’ group to a cryptocurrency heist in 2024. LINK
  • Two botnets — Ficora and Capsaicin — have been seen targeting end-of-life D-Link SoHo routers. LINK

🪲 Vulnerabilities:

  • Adobe is warning customers about a ‘priority 1’ ColdFusion vulnerability. CVE-2024-53961 (7.4/10) is a path traversal issue that allows attackers to read arbitrary files on the affected server. LINK, ADVISORY
  • Palo Alto Networks says a vulnerability is being used to reboot its firewalls and put them into maintenance mode. CVE-2024-3393 (7.8/10) is a denial of service issue in the DNS Security feature of PAN-OS. LINK, ADVISORY

🧿 Privacy:

  • 404 Media looks at the capabilities built into Tesla’s Cybertruck and how quickly Elon Musk was personally able to unlock a vehicle and hand over video footage to police in the wake of a bombing in Las Vegas. LINK
  • Apple will pay $95 million to settle a lawsuit alleging Siri routinely recorded private conversations. The recordings may have been shared with third parties and used for targeted ads. The ad tracking is disputed, and recordings appear to result from mishearing “Hey Siri” rather than continuous surveillance of conversations. Google faces a similar suit. LINK

📜 Policy & Regulation:

  • HIPAA, the Health Insurance Portability and Accountability Act, which sets out data protection requirements for US health companies, is set to be updated. Introduced in 2003, HIPAA was last updated in 2013, so this will be the first change in over a decade and follows huge breaches at Change Healthcare and Ascension (see above). LINK

👮 Law Enforcement:

  • Skylar Dalziel, 22, from Luton, has pleaded guilty to 11 copyright offences after selling unreleased songs by Coldplay, Shawn Mendes, and others that she stole by compromising record execs’ cloud storage accounts. LINK

🗞️ Industry news:

  • Amit Yoran, the CEO and chairman of Tenable, passed away on Friday at the age of 54 following a battle with cancer. LINK
  • CrowdStrike has more than recovered the value it lost due to the outage it caused in July 2024. LINK

And finally

  • Doom has been turned into a CAPTCHA test by developer Guillermo Rauch. “Play DOOM and kill at least 3 monsters,” the prompt reads. LINK
Robin