Please share your thoughts on this new format.
This week
- Garantex founder arrest on holiday in India
- American fraud losses up 25% year-on-year
- PowerSchool breach the result of compromised creds
- Medusa ransomware targeted 300 US CNI organisations
- Sean Plankey nominated for top CISA job
- IPT held Apple/UK gov hearing in private
Interesting stats
$12.5 billion Americans lost to fraud in 2024, up 25% from 2023, according to new data from the Federal Trade Commission (FTC). One in three people who report a scam also lost money. LINK
82% of 5,000 K-12 schools experienced a cyber security incident between July 2023 and December 2024, according to the Center for Internet Security. LINK
60% of the time, AI search engines cite incorrect sources, with paid premium plans often performing worse than free tiers. LINK
UK Cyber security sectoral analysis
£13.2 billion revenue (+12%) from 2,165 firms (+3.5%) employing 67,300 people (+11%) raising £206 million across 59 deals in 2024, according to DSIT. LINK
Five things
- The FBI and CISA say the Medusa ransomware gang has attacked over 300 critical infrastructure organisations. Affiliates of the group are known to use vulnerabilities in products from ScreenConnect and Fortinet. Notably, on one occasion, a victim paid the ransom, only to be contacted by another party claiming the negotiator had stolen the ransom payment and demanding 50% of the ransom be paid again for the “true decryptor”. Triple ransom, anyone? LINK
- A US appeals court has upheld the sentence of Joe Sullivan, former CISO at Uber, for obstruction of justice. In 2023, a federal jury convicted Sullivan of covering up a 2016 security incident. Uber had been required to disclose all breaches to the FTC following a compromise in 2014, but Sullivan and other Uber executives instead paid the attackers and made them sign non-disclosure agreements, calling the incident a ‘bug bounty’. LINK
- PowerSchool has published CrowdStrike’s report on its December 2024 data breach. Attackers used compromised credentials to access the company’s systems and exfiltrate teachers’ and students’ data between 19th and 28th December. The threat actor claims it stole 72 million people’s personal information. The CrowdStrike investigation found that the same account credentials were used by an unknown actor in August and September 2024, months before the breach occurred. LINK, REPORT (PDF)
- CISA has a new director. Donald Trump has nominated Sean Plankey for the post. Plankey has previous cyber security experience within the Department of Energy, was CIO for the Navy, and has private sector experience as an advisor at Willis Towers Watson. Earlier this week, former NSA cyber director Rob Joyce warned Congress that DOGE’s mass layoffs threatened US national security. PLANKEY, JOYCE, CUTS
- The Investigatory Powers Tribunal heard Apple’s case against the Home Office’s technical capability notice in private on Friday last week. The case relates to an order for Apple to provide UK security services global access to encrypted iCloud content via a so-called ‘backdoor’ in end-to-end encryption (E2EE). Calls from rights groups, lawmakers, academics, the press, and even experts from the intelligence agencies themselves on both sides of the Atlantic had been mounting to hold the session in public. Google has refused to deny that it has also received a similar technical capability notice, telling Senator Ron Wyden’s office that if it had received such a notice, “it would be prohibited from disclosing that fact”. TRIBUNAL, GOOGLE
In brief
- ⚠️ Incidents: Elon Musk blamed “IP addresses originating in the Ukraine area” for a “massive” cyberattack on his X social media platform. Attackers only ever use their legitimate IP address, right? ‘Uber for nurses’ firm ESHYFT left an AWS S3 bucket containing over 86,000 records totalling 108.8GB of nurses’ medical records, identity documents, and other data open to the internet for months. A software supply-chain incident is developing around the tj-actions/changed-files GitHub Action, which is used in 23,000 repositories; the compromised version outputs CI/CD secrets. MUSK, ESHYFT, TJ-ACTIONS (h/t Nipun)
- 🕵️ Threat Intel: Five Android apps on the Google Play Store have been found to collect and transmit data back to suspected North Korean government actors. SuperBlack ransomware is abusing two vulnerabilities disclosed earlier this year to bypass authentication on Fortinet devices. The Black Basta ransomware gang has developed a brute-forcing framework, dubbed BRUTED, to automate and scale initial access to vulnerable endpoints. So-called ClickFix is going mainstream: tricking the user into running commands on their device that load malware in the guise of ‘verifying you are human’. ANDROID, SUPERBLACK, BRUTED, CLICKFIX (h/t Matt)
- 🪲 Vulnerabilities: 0-days aplenty this week: Apple has patched a WebKit vulnerability affecting iPhones and iPads; Microsoft patched six 0-days in its Patch Tuesday update, with four being added to CISA’s known exploited vulnerabilities list. Meanwhile, Juniper has released a fix for a medium-severity vulnerability (CVE-2025-21590) abused by Chinese actors to gain access to Junos OS devices. APPLE, MICROSOFT, JUNIPER (ADVISORY)
- 📜 Policy & Regulation: Swiss critical infrastructure organisations will be obliged to report cyberattacks to the country’s National Cybersecurity Centre within 24 hours of discovery under new reporting requirements. The FCC has launched a ‘Council on National Security’ to help address cyber threats to the US telecommunications sector. SWITZERLAND, FCC
- 👮 Law Enforcement: The alleged co-founder of cryptocurrency exchange Garantex, Aleksej Besciokov, has been arrested while on holiday in India. The US sanctioned Garantex in 2022 for its role in laundering criminal proceeds. Bold move to go on holiday somewhere with US extradition treaties. Russian/Israeli national Rostislav Panev, 51, has been extradited to the US from Israel over his alleged role as a developer for the LockBit ransomware gang. GARANTEX, LOCKBIT
- 💰 Investments, mergers and acquisitions: Pentera has raised a $60 million Series D round on a $1 billion valuation as it doubles customers on its attack simulation platform. PENTERA
- 🗞️ Industry news: UK Civil Service COO Cat Little has told the Public Accounts Committee that the UK government must pay senior cyber employees more than the Prime Minister. Little told the PAC “to attract the very [best]… We have got to pay these people more.” CIVIL SERVICE
And finally
- An AI coding assistant refused to write code for a user, suggesting they “develop the logic [themselves]” so they “understand the system and can maintain it properly.” The large language model finished up by suggesting that “generating code for others can lead to dependency and reduced learning opportunities.” LINK
- AT&T technician Mark Klein, a whistleblower who exposed US mass surveillance, has died aged 79. Klein revealed that the NSA was using post-9/11 powers for warrantless wiretapping of all internet communications passing through the AT&T facility in San Francisco from inside ‘Room 641A’. LINK