Robin’s Newsletter #350

2 March 2025. Volume 8, Issue 9
FBI points finger at North Korea for $1.5B crypto-heist. US deprioritises Russia cyber threat. 7,000 people freed from scam centres in Myanmar.

I’m travelling these few weeks, so these newsletters will be in a slightly different format.

I’ve had some interesting feedback: please share your thoughts!

This week

Need to Know, 3rd March 2025

  • US takes eye off Russian cyber threat (Five Things)
  • Over 7,000 freed from Myanmar scam centres (Five Things)
  • Australia bans Kaspersky from government systems (Five Things)
  • North Korea fingered for $1.5B Bybit (This Week)

FBI says North Korea behind $1.5B Bybit crypto-heist

  • The FBI says that North Korea’s Lazarus Group (known in the agency as TraderTraitor) was behind the theft of $1.5 billion worth of Ethereum cryptocurrency from the Bybit exchange.
  • A memo released this week includes the wallet addresses used by the North Koreans in an attempt to block transactions using the stolen funds. “TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains,” the statement reads. $40 million worth of tokens have been frozen, but that’s small beer compared to the total stolen.
  • Bybit has also announced a bounty to aid in the recovery of the funds, promising 10% to those who can trace and halt the transfer of the funds. 
  • More details on how the Lazarus group orchestrated the heist have also come to light. Bybit was storing these funds in so-called ‘cold wallets’ with the private keys held offline and using ‘multisig’ wallets that, like nuclear codes, require multiple people to execute an action. Lazarus attackers managed to compromise the devices of multiple senior Bybit employees and install malware that manipulated the UI of their wallet, allowing the employees to execute the transactions unwittingly. (Early suggestions that the wallet vendor, Safe, had been compromised are false.)
  • While using multisig cold wallets is considered the ‘gold standard’ in crypto, other potential security protections you might find in traditional banking systems were missing. Read-only file systems, application allowlisting, and unannounced purchase of hardware all form part of how you could protect against these sorts of attacks. It’s also how UK bank Monzo conducts its key signing (somewhat analogous to a large crypto transaction).
  • LINK, MORE, HOW, MONZO
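The attack above works because the signer approves what the screen shows while the signing device receives something else. One defensive control is to read the payload back on an independent machine and compare it, and a destination allowlist, before any signature is given. The script below is an added illustration of that check and is not Bybit’s, Safe’s or Monzo’s code; the transaction fields, the SHA-256 fingerprint (a stand-in for a real wallet’s transaction hash) and the addresses are constructed for the example.

```python
"""Independent pre-signing check for a multisig transaction (constructed example)."""
import hashlib
import json

# Hypothetical policy for this signer: the only destinations ever approved.
# Placeholder addresses, constructed for the example (lowercase hex).
COLD_WALLET = "0x" + "1" * 40
WARM_WALLET = "0x" + "2" * 40
ALLOWED_DESTINATIONS = {COLD_WALLET, WARM_WALLET}
MAX_VALUE_WEI = 10**21  # per-transaction cap, an assumed policy value


def fingerprint(tx: dict) -> str:
    """Canonical digest over the fields that matter for signing.

    Stand-in for a real wallet's transaction hash: sorted keys and no
    whitespace so the same transaction always produces the same digest.
    """
    canonical = json.dumps(
        {k: tx[k] for k in ("to", "value", "data", "nonce")},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode()).hexdigest()


def check_before_signing(displayed: dict, to_sign: dict) -> list[str]:
    """Return reasons to refuse; an empty list means the payload may be signed.

    `displayed` is what the wallet UI showed the signer; `to_sign` is the
    payload actually handed to the signing device, read back elsewhere.
    """
    problems = []
    if fingerprint(displayed) != fingerprint(to_sign):
        problems.append("payload differs from what the UI displayed")
    if to_sign["to"].lower() not in ALLOWED_DESTINATIONS:
        problems.append(f"destination {to_sign['to']} not on allowlist")
    if to_sign["value"] > MAX_VALUE_WEI:
        problems.append("value exceeds per-transaction policy cap")
    return problems


# Constructed sample: what the signer saw, and a substituted payload of the
# kind malware on the signer's machine could place underneath the same screen.
DISPLAYED_TX = {"to": COLD_WALLET, "value": 5 * 10**20, "data": "0x", "nonce": 42}
TAMPERED_TX = dict(DISPLAYED_TX, to="0x" + "e" * 40, data="0xdeadbeef")

if __name__ == "__main__":
    print("untampered:", check_before_signing(DISPLAYED_TX, DISPLAYED_TX))
    print("tampered:  ", check_before_signing(DISPLAYED_TX, TAMPERED_TX))
```

The comparison only helps if the read-back happens on hardware the signer’s compromised workstation cannot influence, which is where the read-only, allowlisted, separately procured devices mentioned above come in.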

Interesting Stats

97.5% reduction in the amount claimed on cyber insurance due to cyber-attacks where Managed Detection and Response (MDR) services are present and 83.3% reduction when using self-managed Endpoint Detection and Response (EDR) tooling, according to a vendor-agnostic survey commissioned by Sophos (282 claims, 19 EDR/14 MDR vendors). LINK

2.3 billion rows of infostealer malware logs have been added to Have I Been Pwned; 284 million unique email addresses were amongst them, and 61% were already recorded in HIBP’s database. LINK

Five things

  1. US/Russia: There seem to be big changes to US cyber policy occurring behind closed doors, with multiple reports that the US state cyber apparatus is deprioritising Russia. Defense Secretary Pete Hegseth has ordered US Cyber Command to stand down planning for defensive and offensive actions against Russia. A recent memo to the Cybersecurity and Infrastructure Agency (CISA) set out priorities, including China and domestic systems, but did not mention Russia. One insider described the moves as “truly shocking”. CYBERCOM, CISA

  2. Backdoors are still in the news. President Donald Trump told British PM, Sir Keir Starmer, “You can’t do this,” and likened British demands to access global iCloud accounts to the sort of thing “you hear about with China” during a meeting this week. US Director of National Intelligence Tulsi Gabbard also shared “grave concern” about the UK demand that would allow access to Americans’ data. Meanwhile, Sweden’s law enforcement and security agencies are seeking similar backdoor access to Signal and WhatsApp. Meredith Whittaker, Signal President, threatened to withdraw from the Swedish market, echoing her previous threat to a similar request from the UK. Commentators have been describing how this could be the start of an avalanche of government requests — friend and foe — to technology and communication companies. Intelligence agencies have enjoyed privileged access to global communications for decades and are grappling with handling the rise of, and shift to, end-to-end encrypted communication. TRUMP, GABBARD, SWEDEN

  3. Southern Water may have paid the Black Basta group $750,000 following their ransomware incident in early 2024. Leaked chat logs from the cybercriminals appear to include messages from Southern Water and that “the Board is ready to increase our numbers to show you that we’re taking this negotiation seriously”. Subsequent messages reference the UK water company’s domain name and “these have already paid”. A Southern Water spokesperson dodged questioning from The Register. LINK

  4. Wallbleed: Researchers spent over two years using a buffer over-read vulnerability to understand more about the Great Firewall of China (GFW). The vulnerability in the DNS injection subsystem of the GFW allowed them to include up to 125 bytes of memory at a time. While research has focussed on what is censored, less research has been done into the architecture and operation of the GFW. It’s heavy in places but an interesting read. LINK

  5. Scam centres: Over 7,000 people have been freed from scam centres in Myanmar following action taken by Thailand to disconnect power and Internet services, but BBC reports found them stranded on the border and in appalling conditions. Many do not have passports or identification because gang bosses confiscated their documents, after luring them in with promises of high-paying IT jobs. One victim said they had a target to ‘earn’ $5,000 every week. If they failed, they would be given electric shocks and be locked in dark rooms with no windows. This human cost is the reality of ‘business email compromise’ and ‘romance scam’ frauds. LINK

In brief

  • ⚠️ Incidents: US-based background and drug screening firm DISA Global Solutions has suffered a data breach affecting 3.3 million people. The breach occurred between early February and late April 2024, with name, identification numbers (Social Security, Driver’s licence, government ID), financial information and “other data elements” being exposed — presumably, the latter results from background, drug, and alcohol screening tests. DISA posted a notice on its website stating they had not found evidence of the data being shared on the dark web and ‘took measures’ to dissuade publication of the information. The firm has since deleted the notice. DISA

  • 🕵️ Threat Intel: Dragos’ 8th annual OT cyber security report is out, plus Australia has banned using Kaspersky products on government systems due to the “unacceptable security risk” posed. Agencies have until 1st April to remove the software. Canada, the UK, and the USA already have similar bans. A spokesperson told TechCrunch that the company was “disappointed with the decision”. KASPERSKY, DRAGOS

  • 💰 Industry news: Israeli firm Skybox Security has announced an immediate closure, layoffs for its 300 staff, and the sale of its tech to competitor Tufin. Karen Evans has been named executive assistant director for cybersecurity at CISA. SKYBOX, EVANS

And finally

  • I was reminded of Michael McIntyre’s sketch on passwords. It’s worth a few minutes for a chuckle, even though you probably already know where it’s going. It might be useful if you’re looking for something different to help people see how unoriginal password creation can be and develop a secure password for their password manager. VIDEO
Robin