This week
- Ransomware actor abusing a native AWS encryption feature to encrypt data (Threat Intel)
- GoDaddy’s FTC-mandated security programme (This Week)
- 100,000 sites likely swept up in UK’s Online Safety Act (Interesting Stats)
- FortiGate firewall config leak recycled (Interesting Reads)
- UK government ransomware consultation (This Week)
- DORA comes into force (Policy & Regulation)
UK government launches ransomware consultation
- The UK government is considering a ban on UK public bodies making ransomware payments. The proposed measures would also extend to critical infrastructure companies, such as energy and transport providers.
- Mandatory reporting of ransomware incidents is also being considered to give a better insight into the scale of the problem. An ‘intention to pay’ regime would also allow the government to block a payment.
- The proposed changes are intended to make these organisations less of a target for cyber criminals, improve visibility of the problem, and disrupt the flow of funds to criminal gangs. However, their role in delivering essential services would make for some potentially tough decisions in the event of a serious incident.
- The proposed plans are open for consultation until 5:00pm on 8th April 2025. LINK, CONSULTATION
The FTC is mandating security improvements on US hosting giant GoDaddy
- The Federal Trade Commission (FTC) is requiring US hosting giant GoDaddy to improve its cyber security programme after “several major breaches” between 2019 and 2022.
- The FTC complaint says that GoDaddy exaggerated the security it offered customers and failed to track and manage software updates, log cyber security incidents, or properly segregate its systems. Within 90 days, GoDaddy is also ordered to implement a SIEM (or equivalent) programme to “support near real-time analysis of events,” suggesting the firm did little in the way of monitoring, too.
- Check out the full order if you want to see what a regulator’s legally enforced security programme looks like. LINK, ORDER
Interesting stats
100,000 online platforms, including smaller forums and message boards, are estimated to fall within the scope of the UK’s Online Safety Act, which comes into force in two months. LINK
50% reduction in average remediation times (from 60 days to 30 days) for critical infrastructure organisations enrolled in CISA’s vulnerability scanning service from August 2022 to August 2024. LINK
Significant discrepancies between CEOs and CISOs when asked which organisational cyber risk concerns them the most:
30% of CEOs vs 57% of CISOs said ransomware, 26% of CEOs vs 7% of CISOs said cyber-enabled fraud (phishing, BEC, etc), according to the World Economic Forum. LINK (PDF)
£32.7 million ($39.8M) estimated costs incurred following the June 2024 ransomware attack against NHS supplier Synnovis, more than 7x the £4.3 million ($5.2M) profit made in the firm’s 2023 reporting period. LINK
1,042 Russian-linked cyber incidents impacting Ukraine’s government, defence, and critical infrastructure identified and addressed by the country’s cyber agency (2.9/day). LINK
Other newsy bits / in brief
🤓 Interesting reads:
- CISA director Jen Easterly’s blog post on the Salt Typhoon attacks notes that CISA threat hunters had previously detected the same actors in US government networks, aiding a more prompt response effort. The US Treasury Department this week sanctioned “a Shanghai-based cyber actor” for involvement in the Salt Typhoon campaign. LINK, SANCTIONS
- The leak of 15,000 FortiGate firewall configurations is being passed off as a new breach but dates back to the exploitation of a vulnerability in 2022, says Fortinet. LINK
- The EU is ordering Elon Musk’s X (formerly Twitter) to hand over documents relating to its recommendation algorithm amidst concerns over political influence. LINK
- Re-registering the domain names of defunct startups can give access to SaaS applications they used (and may not have properly shut down) because of how ‘Sign in with Google’ OAuth is commonly implemented: the new domain owner can recreate the old employees’ Google Workspace accounts, and apps that identify users by email address or hosted domain rather than a stable per-user identifier treat them as the original users. TALK
⚠️ Incidents:
- Part of Microsoft’s authentication services responsible for multi-factor authentication to Azure and Microsoft 365 had a four-hour outage this week, preventing some users from logging on to apps on Monday morning. LINK
- Label company Avery says its website was compromised, and attackers stole customers’ personal data and payment card details. The avery.com website was compromised on 18th July, and the card skimming code remained present until 9th December 2024. LINK
- Cybercriminals claimed to have stolen almost 8TB of data from Otelier, a hotel management platform. The data was accessed through Otelier’s AWS S3 buckets from July through October 2024. Otelier’s MyDigitalOffice is known to be used by over 10,000 hotels in the Marriott, Hilton and Hyatt systems. Millions of guests’ personal and payment information may have been accessed. LINK
- Path of Exile 2 developers have confirmed that an administrator account was compromised and used to change the login details on at least 66 player accounts, stealing valuable in-game items that took many players hundreds of hours of gameplay to acquire. A log retention limit has hampered a full investigation of accounts compromised since November 2024. LINK
- Attackers have compromised thousands of WordPress sites, creating a new admin account wpx_admin and exfiltrating data via the domain wp3[.]xyz. The initial infection vector is not yet known. LINK
- Not a good look: UnitedHealth Group’s Change Healthcare used a ‘noindex’ tag to hide the data breach notice from search engines. LINK
🏴☠️ Ransomware:
- The Clop ransomware gang has named 59 organisations it says it has compromised via Cleo’s file transfer appliances. LINK
- Medusa ransomware says it has gained access to Gateshead Council, a local authority in the North East of England. Hackney Council, which was attacked in 2020, was in the news this week as it is still addressing the fallout of its incident four years on. LINK, HACKNEY
- Fog ransomware group claims attack on University of Oklahoma amid an increase in remote working due to a snow storm. LINK
🕵️ Threat Intel:
- Attackers are using the FastHTTP client library to brute-force Microsoft Azure Active Directory (Entra ID) accounts. In the reported data, 49% of attempts were blocked by security controls (account lockouts, conditional access restrictions or MFA) and a further 42% failed on an incorrect password, but 9.7% succeeded; not bad going for a brute force attack. The requests originate in Brazil, so if you have no offices or users signing in from there, consider adding a named-location block to those conditional access policies. LINK
- The Codefinger ransomware group uses stolen AWS access keys that carry S3 read and write permissions to re-encrypt objects with server-side encryption using customer-provided keys (SSE-C). AWS never stores a customer-provided key, so the data can only be decrypted by whoever holds the attacker’s key, i.e. with the criminal gang’s cooperation. LINK
- Microsoft says that a Russian group it tracks as Star Blizzard has shifted tactics from email to WhatsApp and, in some cases, has tried to get victims to scan a QR code that links their WhatsApp account to a web client (a linked device) controlled by the attackers, giving them access to the victims’ messages. LINK
- Criminal smishing (SMS phishing) lures increasingly ask recipients to reply, because iOS disables links in messages from unknown senders until the recipient responds. LINK
- Cybercriminals are using Google Ads to promote fake login pages hosted on Google Sites to steal… Google Ads logins. LINK
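For the Azure AD brute-force item above, the practical follow-up is to look at your own sign-in logs the same way the report did: bucket attempts by result code, then list the successes that came from a country you do not expect. The script below is an added example (not code from the page or from the linked report). The sign-in records are constructed to mimic the shape of an Entra ID sign-in log export; the AADSTS result codes are Microsoft’s documented ones; the `fasthttp` user-agent string is assumed here as the marker for the Go FastHTTP client.

```python
"""Triage Entra ID (Azure AD) sign-in records after a brute-force campaign.

Added example. Records are constructed; field names follow the Entra ID
sign-in log export (userPrincipalName, status.errorCode, location,
ipAddress, userAgent). Result codes are documented AADSTS codes.
"""
from collections import Counter

SUCCESS = 0
WRONG_PASSWORD = {50126}                    # invalid username or password
BLOCKED_BY_CONTROL = {50053, 53003, 50076}  # lockout, Conditional Access, MFA challenge

# Constructed sample sign-ins (not real log data). Brazil-sourced attempts
# carry a 'fasthttp' user agent, an assumption about the tooling described.
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50126}, "userAgent": "fasthttp"},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50126}, "userAgent": "fasthttp"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.11",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 53003}, "userAgent": "fasthttp"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.11",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50053}, "userAgent": "fasthttp"},
    {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.12",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 0}, "userAgent": "fasthttp"},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.5",
     "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}, "userAgent": "Mozilla/5.0"},
    {"userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.13",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50076}, "userAgent": "fasthttp"},
    {"userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.13",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50126}, "userAgent": "fasthttp"},
    {"userPrincipalName": "erin@example.com", "ipAddress": "203.0.113.14",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 99999}, "userAgent": "fasthttp"},
    {"userPrincipalName": "erin@example.com", "ipAddress": "203.0.113.14",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50126}, "userAgent": "fasthttp"},
]


def classify(rec):
    """Map one sign-in record to success / wrong_password / blocked / other."""
    code = rec["status"]["errorCode"]
    if code == SUCCESS:
        return "success"
    if code in WRONG_PASSWORD:
        return "wrong_password"
    if code in BLOCKED_BY_CONTROL:
        return "blocked"
    return "other"


def summarise(records):
    """Return {outcome: (count, percentage)} over all records."""
    counts = Counter(classify(r) for r in records)
    total = len(records)
    return {k: (v, round(100 * v / total, 1)) for k, v in counts.items()}


def successes_outside(records, allowed_countries):
    """Successful sign-ins from countries you do not expect: the ones to act on."""
    return [(r["userPrincipalName"], r["location"]["countryOrRegion"], r["ipAddress"])
            for r in records
            if classify(r) == "success"
            and r["location"]["countryOrRegion"] not in allowed_countries]


def fasthttp_sources(records):
    """Source IPs whose user agent names the FastHTTP client (candidate block list)."""
    return sorted({r["ipAddress"] for r in records
                   if "fasthttp" in r.get("userAgent", "").lower()})


if __name__ == "__main__":
    for outcome, (n, pct) in summarise(SIGN_INS).items():
        print(f"{outcome:15} {n:3} ({pct}%)")
    print("successes outside GB:", successes_outside(SIGN_INS, {"GB"}))
    print("fasthttp sources:", fasthttp_sources(SIGN_INS))
```

On real data, export the sign-in logs from Entra ID (or query them via Log Analytics) and feed them to `summarise`; every entry returned by `successes_outside` is a credential that was guessed, so reset it and revoke sessions. The IPs from `fasthttp_sources` and the source country are the inputs for the named-location Conditional Access block the item suggests.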
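For the Codefinger item above, two things a defender can do today are (1) hunt CloudTrail for writes that applied SSE-C, since a legitimate workload rarely uses it, and (2) deny SSE-C at the bucket policy so stolen keys cannot re-encrypt objects with an attacker-held key. The script below is an added example, not code from the page or from AWS. The CloudTrail records are constructed; the `additionalEventData.SSEApplied` field with value `SSE_C` is assumed here as the marker CloudTrail S3 data events carry (data events must be enabled for PutObject/CopyObject to be logged at all). The condition key `s3:x-amz-server-side-encryption-customer-algorithm` is AWS’s documented S3 condition key for the SSE-C header.

```python
"""Detect and block SSE-C re-encryption of S3 objects (Codefinger-style).

Added example. CloudTrail records are constructed; the SSEApplied field
value 'SSE_C' is an assumption about the data-event format.
"""
import json
from collections import Counter

SSE_C_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"
WRITE_EVENTS = {"PutObject", "CopyObject"}

# Constructed CloudTrail S3 data-event records (not real log data)
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2025-01-13T02:11:04Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/backup-svc"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "example-bucket", "key": "invoices/a.pdf"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-13T02:11:05Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/backup-svc"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "example-bucket", "key": "invoices/b.pdf"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-13T02:11:06Z", "eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/backup-svc"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "example-bucket", "key": "invoices/c.pdf"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-13T09:30:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/app"}, "sourceIPAddress": "192.0.2.20",
     "requestParameters": {"bucketName": "example-bucket", "key": "uploads/x.bin"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventTime": "2025-01-13T09:31:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/app"}, "sourceIPAddress": "192.0.2.20",
     "requestParameters": {"bucketName": "example-bucket", "key": "uploads/x.bin"}},
]


def find_sse_c_writes(records):
    """Return the S3 write events that stored an object under a customer-provided key."""
    hits = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") not in WRITE_EVENTS:
            continue
        if r.get("additionalEventData", {}).get("SSEApplied") != "SSE_C":
            continue
        hits.append({
            "time": r["eventTime"],
            "principal": r["userIdentity"].get("arn"),
            "sourceIP": r.get("sourceIPAddress"),
            "bucket": r["requestParameters"]["bucketName"],
            "key": r["requestParameters"]["key"],
        })
    return hits


def rewriting_principals(records, threshold):
    """Principals that wrote >= threshold SSE-C objects: bulk re-encryption candidates."""
    counts = Counter(h["principal"] for h in find_sse_c_writes(records))
    return {arn: n for arn, n in counts.items() if n >= threshold}


def deny_sse_c_policy(bucket):
    """Bucket policy denying any PutObject that carries the SSE-C algorithm header.

    The Null condition with 'false' matches when the header is present, so
    SSE-S3/SSE-KMS writes are unaffected and any customer-key write is refused.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSE_C_CONDITION_KEY: "false"}},
        }],
    }


if __name__ == "__main__":
    for hit in find_sse_c_writes(CLOUDTRAIL_RECORDS):
        print("SSE-C write:", hit)
    print("bulk re-encryption by:", rewriting_principals(CLOUDTRAIL_RECORDS, 2))
    print(json.dumps(deny_sse_c_policy("example-bucket"), indent=2))
```

Apply the generated policy with `aws s3api put-bucket-policy --bucket example-bucket --policy file://policy.json`; note the deny is unconditional, so it is only suitable for buckets where nothing legitimately uses SSE-C. Pair it with S3 versioning so an overwritten object’s previous version remains recoverable, and alert on the hunt query above rather than running it after the fact.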
🪲 Vulnerabilities:
- Fortinet is warning of attacks exploiting a new critical severity zero-day vulnerability in its FortiOS and FortiProxy products. CVE-2024-55591 (CVSS 9.8/10) is an authentication bypass, and attackers are using it to create randomly named admin users and grant themselves VPN permissions. LINK, ADVISORY
- Rsync, an open-source utility used to synchronise files on Unix-based systems, contains six vulnerabilities, including CVE-2024-12084 (9.8/10), a critical heap buffer overflow issue that can allow a user with anonymous read access to achieve code execution. LINK, ADVISORY
- Microsoft has patched a vulnerability that allowed attackers with privileged access to run malicious firmware. LINK
🛠️ Security engineering:
- Snyk published some suspicious looking packages to NPM while researching dependency confusion in VS Code extensions. LINK
- Developers using a popular Python package for Discord are being targeted in a dependency confusion attack aimed at stealing authentication tokens. LINK
🧿 Privacy:
- Texas Attorney General Ken Paxton is suing insurance company Allstate for paying app developers to embed geolocation tracking code into popular apps and then using and selling that data, without users’ knowledge, to adjust insurance quotes. LINK
📜 Policy & Regulation:
- The EU’s Digital Operational Resilience Act (DORA), aimed at financial services institutions, has come into effect. DORA includes potential civil liability for board directors. LINK
- The European Commission is seeking input on an action plan to address ransomware attacks against EU hospitals. LINK
- The United Nations Security Council has held a meeting to discuss commercial spyware. LINK
- Nine major issues included in the 11th-hour Biden cyber security executive order, including measures to improve the effectiveness of sanctions against ransomware actors, software security, AI cyber security, and protection of space systems, amongst others. LINK
👮 Law Enforcement:
- The FBI and France’s Gendarmerie Cyber Unit C3N have acted to remove the PlugX malware from thousands of infected computers worldwide. The infections, a form of remote access trojan (RAT), have been linked to a Chinese-sponsored group known as Mustang Panda. LINK
💰 Investments, mergers and acquisitions:
- DarkTrace has announced a proposed acquisition of UK-based cloud incident response provider Cado Security. LINK
- SudoCyber, a gamified cyber training provider based in Wales, has secured a £1 million investment from the British Business Bank’s investment fund for Wales. LINK
🗞️ Industry news:
- Stephanie Crowe has been appointed the new head of the Australian Cyber Security Centre (ACSC). LINK
- Karl Triebes has joined Ivanti as Chief Product Officer “at a pivotal time” as the company battles with a slew of critical vulnerabilities in the company’s products. LINK
And finally
- You can play Doom in a PDF. Cool, but I’d wager there’ll be some fake PDFs laced with malware doing the rounds, too. LINK