Robin’s Newsletter #347

9 February 2025. Volume 8, Issue 6
UK demands Apple break iCloud encryption. Hurricane-style categorisation of cyber incidents. Meta torrented pirated books to train AI models.

This week

Need to Know, 9th February 2025

  • UK demands Apple break iCloud encryption (This Week)
  • Meta torrented pirated books to train AI models (And Finally)
  • Hurricane-style categorisation of cyber incidents coming (This Week)
  • Security and privacy lawsuits against Musk’s DOGE (Privacy)
  • Malware using OCR to find data in victims’ photo libraries (This Week)
  • Chinese antitrust investigations into US tech companies (Policy & Regulation)

The UK is demanding that Apple break its end-to-end encryption

  • The Washington Post reports that the UK government has ordered Apple to give it access to the Cupertino company’s customers’ encrypted data. Sources told the Post that the order, made last month, requires Apple to offer blanket access to all of Apple’s customers’ encrypted iCloud data globally, rather than being restricted to a specific list of persons of interest. LINK
  • The ubiquity of “no comment” responses lends some credence to the report: the Investigatory Powers Act makes it a criminal offence to disclose the existence of such a notice, so if the story were untrue Apple would likely be denying it.
  • The order is believed to have been made under the UK’s Investigatory Powers Act 2016, whose ‘technical capability notices’ (TCNs) can require a recipient to build a capability that its products do not currently have. (Australia’s Assistance and Access Act has similar provisions.)
  • Apple’s ‘Advanced Data Protection’ (ADP) feature lets customers end-to-end encrypt (E2EE) their iCloud data, so that only their own devices hold the keys and Apple cannot read it. Strong encryption underpins digital security, from protecting online payments to keeping backups private, and a ‘backdoor’ built for one government is a capability that other parties, including bad actors, may find and abuse.
  • Apple told a Parliamentary committee last year that it would sooner withdraw encryption services from the UK market than comply with this sort of demand, adding that it would “never build a back door” in its products. LINK
  • Asking Apple to open up all user accounts is an astonishing demand that I can only assume the Home Office does not intend to actually achieve. Rather, perhaps it is a test case to understand what it can ‘reasonably’ obtain.
  • How’d you like them apples? I see the withdrawal of ADP from UK users, and by extension from high-profile individuals, more as a reminder (or threat) to officials that their own data will be left exposed to demands from other regimes worldwide.
  • Technical capability notices can be appealed (in secret), but an appeal does not pause the obligation to start work on the demand, and the existence of a TCN almost by definition means that no such capability exists today. If Apple is building anything to comply, I doubt it would try to defeat the encryption algorithms it uses. More plausible is code that silently disables ADP for affected users, so that the existing Apple-held-key arrangement (the one that decrypts your photos for you when ADP is off) applies and the data becomes reachable by search warrants and similar demands.
  • I highly doubt this will be resolved as a two-party dispute between Apple and the UK government. Allies, like the US, will have some strong opinions to share via diplomatic channels on weakening protections, especially in the wake of recent Chinese intrusions into US wiretapping infrastructure. (Sometimes, though, Five Eyes allies offload intelligence gathering to each other where more favourable laws and regulations exist.)
  • Cryptographer and security grandee Bruce Schneier described the move as “madness”. LINK

Cyber Monitoring Centre launches to categorise large UK cyber events

  • The Cyber Monitoring Centre launched this week to “bring greater clarity to cyber events impacting UK organisations” and “enable better communication, preparation and response.” The independent, non-profit group is the result of work between insurance and cyber industry figures and will provide hurricane-style categorisation of significant UK cyber incidents. LINK
  • The CMC will use a five-point scale to communicate the severity of an incident, scoring it on financial impact and the size of the affected population:

The CMC’s classification matrix (source: Cyber Monitoring Centre)

  • Categorisation will be based on the ‘best available data’ within 30 days of an event and reviewed by a Technical Committee before publication. Ciaran Martin chairs the committee, and a shout-out to Dan Jeffery (former Detica colleague and now Daintta CEO).

Crypto-stealing malware uses OCR to find info in victim’s photo libraries

  • A malicious software development kit (SDK) used in Android and iOS apps has been found to use optical character recognition to scan victims’ photo libraries, looking for cryptocurrency wallet IDs and recovery key information. 
  • Any cryptocurrency information it finds hiding within the victim’s photo libraries is transmitted back to the operators, who then use it to gain access to and drain the wallets of their currency.
  • While not entirely unimaginable, this is a fairly novel attack method, and many people photograph important information, such as a recovery phrase, for safekeeping. Advances in OCR, including the on-device machine learning that Apple and Google ship for photo search, now make it trivial to sift thousands of photographs for particular content. LINK
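To make concrete what a scanner of this kind has to do once OCR has turned a screenshot into text, here is an added example (not code from the original article, and not the reported SDK’s own code) that runs over constructed OCR output and flags wallet-address candidates. Legacy Bitcoin addresses are confirmed with their Base58Check checksum; the bech32 and Ethereum matches are format checks only. The sample text is constructed for the example: the first Bitcoin address is the well-known genesis-block coinbase address, the second is that address with its last character altered, as an OCR misread might produce.

```python
import hashlib
import re

# Bitcoin's Base58 alphabet deliberately omits 0, O, I and l because humans
# (and OCR engines) confuse them. A checksum pass is therefore good evidence
# that the text was read accurately.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate patterns. Legacy (P2PKH/P2SH) addresses get a real checksum check
# below; bech32 and Ethereum matches are only syntactic in this example.
LEGACY_BTC = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
BECH32_BTC = re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b")
ETH_ADDR = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

# Constructed OCR output, as if produced by running an OCR engine over a
# handful of screenshots in a photo library.
SAMPLE_OCR = """Exchange withdrawal address:
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
Backup (one character misread by OCR): 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb
Eth: 0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe
Shopping list: milk eggs bread
"""


def b58decode(s: str) -> bytes:
    """Decode a Base58 string, preserving leading '1' characters as zero bytes."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_legacy_btc(addr: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return checksum == expected


def scan_ocr_text(text: str) -> list[tuple[str, str, bool]]:
    """Return (kind, candidate, checksum_verified) triples found in OCR text."""
    hits: list[tuple[str, str, bool]] = []
    for m in LEGACY_BTC.finditer(text):
        hits.append(("btc-legacy", m.group(0), is_valid_legacy_btc(m.group(0))))
    for m in BECH32_BTC.finditer(text):
        hits.append(("btc-bech32", m.group(0), False))  # format only
    for m in ETH_ADDR.finditer(text):
        hits.append(("eth", m.group(0), False))  # format only; EIP-55 case not checked
    return hits


if __name__ == "__main__":
    for kind, candidate, verified in scan_ocr_text(SAMPLE_OCR):
        print(f"{kind:11} {candidate}  checksum_ok={verified}")
```

Run the same function over your own OCR output (for example from `tesseract screenshot.png -`) to find images worth deleting. A candidate that fails the checksum is exactly what a thief would feed into single-character substitution, so treat near-misses as hits too.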

Interesting stats

Roughly a one-third drop in global ransomware payments last year, from $1.25 billion in 2023 to $813 million in 2024, according to Chainalysis. LINK

Other newsy bits / in brief

🤓 Interesting reads:

  • Anthropic, maker of the Claude artificial intelligence platform, is inviting members of the public to try to defeat a new ‘Constitutional Classifiers’ defence that it says is designed to prevent whole classes of jailbreak. LINK
  • Google researchers have figured out how to load unofficial microcode into AMD processors and, as a demonstration, made the processor’s random number generator always return 4 (a likely nod to XKCD, as noted by El Reg). LINK, XKCD

⚠️ Incidents:

  • IMI, a British engineering firm, has disclosed a cyber security incident to the London Stock Exchange. The nature of the incident is not known; however, the UK Information Commissioner’s Office confirmed to TechCrunch that it had received a breach notification from IMI. LINK
  • Yazoo Valley Electric Power Association, a Mississippi utility company, is writing to 20,000 local residents to warn them of a data breach at the end of August 2024. LINK
  • Grubhub, the US operation of Just Eat Takeaway, has disclosed a data breach exposing the personal information of its customers, food merchants and delivery drivers. The intrusion “originated with an account belonging to a third-party service provider,” the company said. The exposed data is mostly limited to names, email addresses and phone numbers, though some payment card types and last-four digits were compromised too. LINK
  • DDoS attacks against Czech video game developer Bohemia Interactive prevented players from connecting to its DayZ and Arma Reforger games online. LINK
  • Casio’s UK online store was compromised by card skimming scripts and used to steal payment card information of the watchmaker’s customers for 10 days in January. LINK
  • The PowerSchool breach (vol. 8, iss. 4) affects “approximately 16,000” UK students. LINK
  • Russia compromised UK Prime Minister Keir Starmer’s personal email account in 2022, according to a new book, which adds that the address was ‘dangerously obvious’ and lacked multi-factor authentication. LINK
  • Kazakhstan is to audit the security of its Foreign Ministry after a breach by a threat actor with suspected ties to Russia’s GRU military intelligence agency (aka Fancy Bear, APT28). Kazakhstan declared independence from the Soviet Union in 1991; Russia, however, leases the Baikonur Cosmodrome until 2050 and conducts space launches from it. LINK
  • Deloitte has paid $5 million to cover expenses incurred by the state of Rhode Island following a December (vol. 7, iss. 51) data breach of systems administered by the Big Four consulting firm. LINK
  • Label maker Avery says that it discovered card skimming malware on its website while investigating a December ransomware incident. LINK

🏴‍☠️ Ransomware:

  • Ransomware attacks against NHS hospitals in northwest England “significantly” impacted waiting times for cancer treatments and missed “referral to treatment” targets. LINK

🕵️ Threat Intel:

  • The Shadowserver Foundation says 2.8 million IP addresses are being used in a large-scale brute-force password-guessing campaign against Palo Alto Networks, Ivanti and SonicWall edge devices. LINK
  • Fortinet says that the China-linked Evasive Panda (aka DaggerFly) cyber-espionage group is using new malware against the SSH daemon on network appliances. LINK
  • Sweden has released a ship seized on suspicion of sabotaging undersea cables in the Baltic Sea. The Vezhen was boarded by Swedish police at the end of January (vol. 8, iss. 5). LINK
  • Russian threat actors exploited a 0-day vulnerability in 7-Zip in attacks on Ukrainian organisations, says Trend Micro. Files extracted from a nested archive (an archive inside another archive) did not inherit the Windows Mark of the Web (MotW) flag, so Windows and Office did not apply the extra suspicion that downloaded files normally attract, such as SmartScreen checks and prompts before execution. LINK

🪲 Vulnerabilities:

  • Netgear says users of its WiFi 6 access points and Nighthawk Pro Gaming routers should patch against two critical vulnerabilities. The flaws, tracked internally as PSV-2021-0117 and PSV-2023-0039, are a remote code execution and an authentication bypass issue, respectively, and allow unauthenticated attackers to compromise WAX206, WAX214v2, WAX220, XR1000, XR1000v2 and XR500 devices. LINK, ADVISORY
  • Zyxel says it will not patch two actively exploited vulnerabilities in its end-of-life CPE Series network devices, and is directing customers to replace them with newer models. CVE-2024-40891 (8.8/10) and CVE-2025-0890 (9.8/10) are a command injection and a weak default credential vulnerability, respectively. LINK, ADVISORY
  • Cisco is advising customers to patch two critical vulnerabilities in its Identity Services Engine (ISE) suite. CVE-2025-20124 (9.9/10) and CVE-2025-20125 (9.1/10) “could allow an authenticated, remote attacker to execute arbitrary commands and elevate privileges on an affected device[s]”. LINK, ADVISORY

🧰 Guidance and tools:

  • Five Eyes intelligence agencies have issued guidance to vendors of network appliances to adopt Secure by Design and Secure by Default principles and improve logging and forensic capabilities to improve investigations and incident response. LINK

🛠️ Security engineering:

  • Let’s Encrypt is to end expiry notice emails to reduce costs and improve privacy. LINK
  • A Go module mirror hosted by Google has been serving a typo-squatted malicious package containing a remote access trojan for three years. LINK
  • Research from watchTowr on ‘abandoned’ AWS infrastructure that they say “would’ve embarrassed Cozy Bear and made their SolarWinds adventures look amateurish and insignificant”. They found around 150 S3 bucket names that had been deleted by their original owners but were still receiving requests for, amongst other things, software updates and virtual disk image files. Because bucket names are global and a deleted name is free for anyone to re-create, watchTowr could register them and observe (or, had they been malicious, answer) those requests. If you’re winding up old infrastructure or migrating to a new platform, devise a decommissioning plan: keep ownership of the bucket name (empty it rather than delete it) and keep monitoring requests for a period. That may not be possible if, for example, the company in question has gone bust. LINK
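As an added example (not watchTowr’s tooling, and not code from the original page), the following builds the inventory such a decommissioning plan needs: it pulls S3 bucket names out of installers, CI configuration, documentation or captured traffic in the three URL forms AWS uses, and reports any that are not in the set of buckets you still own. The snippets in SAMPLE and the bucket names in it are constructed placeholders.

```python
import re

# An S3 bucket name is 3-63 characters of lowercase letters, digits, dots and
# hyphens, starting and ending with a letter or digit.
BUCKET = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
# What may legitimately follow a bucket name in text: a path, whitespace,
# quotes, punctuation or end of input.
END = r"""(?=[/\s"',;)]|$)"""

# Virtual-hosted style: https://<bucket>.s3.amazonaws.com/... and the
# regional variants https://<bucket>.s3.<region>.amazonaws.com/... and
# https://<bucket>.s3-<region>.amazonaws.com/...
VIRTUAL_HOSTED = re.compile(
    r"https?://" + BUCKET + r"\.s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com" + END
)
# Path style: https://s3.amazonaws.com/<bucket>/... and the regional variants.
PATH_STYLE = re.compile(
    r"https?://s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com/" + BUCKET + END
)
# CLI / SDK URI form: s3://<bucket>/...
S3_URI = re.compile(r"\bs3://" + BUCKET + END)

# Constructed snippets of the sort found in old installers, CI configs and docs.
SAMPLE = """UPDATE_URL=https://updates.example-corp.s3.eu-west-1.amazonaws.com/agent/latest.json
wget https://s3.amazonaws.com/legacy-installer-bucket/setup-4.2.msi
aws s3 cp s3://build-artifacts-2019/vm.qcow2 .
See https://example-corp.s3-us-west-2.amazonaws.com/docs/ for details.
"""


def find_bucket_references(text: str) -> dict[str, set[str]]:
    """Map each bucket name found in text to the URL styles it was referenced with."""
    refs: dict[str, set[str]] = {}
    styles = (
        ("virtual-hosted", VIRTUAL_HOSTED),
        ("path-style", PATH_STYLE),
        ("s3-uri", S3_URI),
    )
    for style, pattern in styles:
        for m in pattern.finditer(text):
            refs.setdefault(m.group(1), set()).add(style)
    return refs


def unowned_references(refs: dict[str, set[str]], owned: set[str]) -> list[str]:
    """Bucket names still referenced but not in the set of buckets you control.

    Anything listed here can be re-created by a stranger if its original
    owner has deleted it, and will then receive whatever these references send.
    """
    return sorted(name for name in refs if name not in owned)


if __name__ == "__main__":
    found = find_bucket_references(SAMPLE)
    for name, styles in sorted(found.items()):
        print(f"{name:28} {', '.join(sorted(styles))}")
    # 'owned' would normally come from `aws s3api list-buckets` across every account.
    owned_buckets = {"updates.example-corp", "example-corp"}
    print("not owned:", unowned_references(found, owned_buckets))
```

Feed it everything you have ever shipped or published, not just live configuration; the requests watchTowr saw came from software that was still installed long after the buckets behind it were deleted. Anything that turns up as unowned is a name to re-register (an empty bucket with a deny-all policy) before someone else does.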

🧿 Privacy:

  • Over a dozen state attorneys general are preparing lawsuits to curtail the access Elon Musk’s Department of Government Efficiency (DOGE) has to sensitive US federal systems. Musk’s group of “special government employees” is reportedly connecting computers and servers with unknown security controls to sensitive government networks. Systems and data at the Office of Personnel Management (OPM) and the Treasury Department are among those of greatest concern, and questions are being raised about the probity of the personnel on Musk’s team. LAWSUITS, FAILURES, PERSONNEL

📜 Policy & Regulation:

  • China has launched antitrust proceedings against Google and Nvidia, a move commentators say is intended to give Beijing leverage against Donald Trump’s proposed tariffs on Chinese goods. LINK

👮 Law Enforcement:

  • Thai authorities have cut off fuel, internet and electricity to three areas of neighbouring Myanmar where scam hubs are known to operate. Last week, China told Thai officials it believes 36 gangs ‘employing’ over 100,000 workers operate from the Myawaddy, Payathonzu and Tachileik regions. Those workers are often themselves victims of people trafficking at the hands of serious organised crime groups. LINK
  • Spanish police have arrested a suspect in Alicante over 40 attacks against Spanish and foreign government bodies and international organisations, including NATO, the International Civil Aviation Organisation (ICAO) and the Ministry of Defence. LINK

💰 Investments, mergers and acquisitions:

  • Riot has closed a $30 million Series B funding round. Originally focussed on phishing awareness campaigns, the French startup wants to use the money to help ‘nudge’ employees into steps to minimise their attack surface. Riot reported $10 million in revenue in 2024. LINK
  • Private equity firm Turn/River Capital has agreed to a $4.4 billion acquisition of SolarWinds. The Austin, Texas-headquartered firm, which makes IT management software, was at the centre of the ‘Sunburst’ (more) supply chain attack against Microsoft and the US government by Russian threat actors. LINK
  • Sophos has completed its acquisition of Secureworks for $859 million, positioning the company as the “largest pure-play Managed Detection and Response (MDR) provider” in the world, with a claimed customer base of 28,000 organisations. LINK

And finally

  • Unsealed emails from a case brought against Meta show that Mark Zuckerberg’s company downloaded “at least 81.7 terabytes” of pirated books over BitTorrent to train its AI models while attempting to hide the activity. Because BitTorrent clients upload as they download, this would also have seen Meta distribute the pirated material. LINK
Robin