Robin’s Newsletter #354

30 March 2025. Volume 8, Issue 13
SignalGate is about opsec and governance, not Signal. Oracle continues to deny breach as customers confirm sample data.

This week

Need to Know, 30th March 2025

  • SignalGate: journalist added to sensitive US gov chat group
  • Oracle continues to deny Oracle Cloud breach…
  • … while Oracle Health notifies 79,000 affected individuals
  • Euro organisations looking for alternatives to US cloud hyperscalers
  • Ukraine railway ticketing systems knocked offline for 89 hours
  • 23AndMe bankruptcy isn’t a cyber thing

Interesting stats

$4.6 million being paid by US defence contractor MORSE to settle False Claims Act charges that it did not maintain sufficient cyber security protections for its government contracts. LINK

£3.1 million ($4M) penalty issued to Advanced, an IT provider to the UK National Health Service, for the data breach of over 79,000 people’s personal data during a LockBit ransomware attack in August 2022. LINK

Five things

  1. SignalGate: “U.S. national-security leaders included me in a group chat about upcoming military strikes in Yemen. I didn’t think it could be real. Then the bombs started falling,” writes Jeffrey Goldberg for The Atlantic. Goldberg’s inclusion in a Signal chat group discussing US military action and other diplomatically incendiary comments was somewhat of a bombshell moment itself. Trump administration officials claimed that no classified information was shared; then the chat messages were published, leaving little doubt that the information — including times, locations, and weapons in use — must have been classified at the time. The issues are not about Signal, an encrypted messaging platform, but rather the confidentiality and legal issues associated with government by WhatsApp (as it’s sometimes called in the UK). The use of personal devices, which seems to be the case for many in the chat, presents a softer target for attackers. Foreign adversaries, already known to target personal accounts, will undoubtedly be redoubling efforts against high-profile US lawmakers. Some of the messages in the chat appear to have been copied and pasted from classified systems, suggesting poor segregation between personal devices and ‘high side’ national security systems, too. Mike Waltz also left his Venmo account public, with the app syncing and displaying phonebook contacts who also use the app, another potential counterintelligence blunder. LINK, NOT SIGNAL, MESSAGES, VENMO

  2. Oracle customers are confirming that sample data posted by a threat actor is legitimate. An account called ‘rose87168’ claims to have stolen account data of 6 million people. The 10,000-line sample file appears to cover more than 1,500 organisations. Oracle continues to deny the incident, telling The Register: “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.” Separately, Oracle Health (formerly Cerner) has suffered a breach resulting in the compromise of patient data on “legacy servers”. The compromise came to light on 20 February 2025 and is believed to have started sometime after 22 January 2025. LINK, HEALTH

  3. Troy Hunt, operator of HaveIBeenPwned, says he fell for a phishing lure that gave attackers access to the details of 16,000 subscribers of his Mailchimp mailing list. In a blog post apologising for the incident and describing being “enormously frustrated with myself for having fallen for this,” Hunt described how the attack was automated, using compromised credentials to immediately export a CSV of subscriber data before he could take preventative measures. Jetlag was partially to blame. However, there’s more that services like Mailchimp could do to re-authenticate or authorise ‘critical’ functions like full audience exports. LINK, BLOG POST
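The point about re-authorising ‘critical’ functions can be made concrete with a small step-up authentication gate. This is an added illustration, not Mailchimp’s code or anything from Troy Hunt’s post: it assumes a session object that records when the user last completed a strong (password plus second factor) authentication, a hypothetical five-minute freshness window, and a bulk export function that refuses to run, and writes an audit event, unless that step-up is recent. A phished cookie or replayed login on its own never satisfies the check, which is the scenario the automated export exploited.

```python
# Added example (not Mailchimp's or Troy Hunt's code): step-up authentication
# for a 'critical' function such as a full audience export. Assumes a session
# that records the last strong (password + second factor) authentication and
# a hypothetical 5-minute freshness window.
import csv
import io
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

REAUTH_WINDOW_SECONDS = 5 * 60  # hypothetical policy value


class StepUpRequired(Exception):
    """Raised when a critical action is attempted without a recent strong auth."""


@dataclass
class Session:
    user: str
    # None means the session rests on a cookie, API key or remembered login
    # only, i.e. the kind of credential a phishing kit can replay immediately.
    last_strong_auth_at: Optional[float] = None
    audit_log: List[Tuple] = field(default_factory=list)


def has_recent_strong_auth(session: Session, now: float) -> bool:
    """True only if a second-factor step-up completed inside the window."""
    if session.last_strong_auth_at is None:
        return False
    return 0 <= now - session.last_strong_auth_at <= REAUTH_WINDOW_SECONDS


def complete_strong_auth(session: Session, second_factor_ok: bool, now: float) -> bool:
    """Record a successful step-up; a failed second factor leaves the session unchanged."""
    if not second_factor_ok:
        session.audit_log.append(("stepup_failed", session.user, now))
        return False
    session.last_strong_auth_at = now
    session.audit_log.append(("stepup_ok", session.user, now))
    return True


def export_audience(session: Session, subscribers: List[Tuple[str, str]], now: float) -> str:
    """Bulk export gated on step-up auth; every attempt, allowed or not, is audited."""
    if not has_recent_strong_auth(session, now):
        session.audit_log.append(("export_denied", session.user, now))
        raise StepUpRequired("full audience export requires recent re-authentication")
    session.audit_log.append(("export_allowed", session.user, now, len(subscribers)))
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["email", "name"])
    writer.writerows(subscribers)
    return buf.getvalue()


# Constructed sample audience for the demonstration.
SAMPLE_SUBSCRIBERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
]


def demo() -> dict:
    """Walk through three states: replayed session, fresh step-up, expired step-up."""
    t0 = 1_700_000_000.0  # fixed clock so the walk-through is deterministic
    session = Session(user="owner")
    outcome = {}
    try:
        export_audience(session, SAMPLE_SUBSCRIBERS, now=t0)
        outcome["replayed_session"] = "allowed"
    except StepUpRequired:
        outcome["replayed_session"] = "denied"
    complete_strong_auth(session, second_factor_ok=True, now=t0 + 10)
    outcome["after_stepup"] = export_audience(session, SAMPLE_SUBSCRIBERS, now=t0 + 20)
    try:
        export_audience(session, SAMPLE_SUBSCRIBERS, now=t0 + 20 + REAUTH_WINDOW_SECONDS + 1)
        outcome["after_window"] = "allowed"
    except StepUpRequired:
        outcome["after_window"] = "denied"
    outcome["audit_events"] = [event[0] for event in session.audit_log]
    return outcome


if __name__ == "__main__":
    print(demo())
```

The denied attempts are logged as well as the allowed one, so a burst of `export_denied` events right after a login is itself a detection signal for a replayed session, independent of whether the export ultimately succeeds.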

  4. Ukraine state railways have restored online ticket sales after a cyberattack described as “systematic, complex, and multi-layered” brought down its systems for 89 hours. Operator Ukrzaliznytsia says there was no breach of sensitive information and hasn’t revealed technical details of the incident or group behind it as the investigation is ongoing. LINK

  5. Tom Clementi, the CEO of Pool Re, a UK insurance backstop set up to cover terrorism risk, has told the Financial Times that it could become “obsolete or irrelevant” with the rise of state-sponsored cyberattacks. Difficult-to-model systemic risk is part of the problem, as is the blurring of groups and of what constitutes an act of war. LINK

In brief

🤓 Interesting reads:

  • European organisations are looking for alternatives to the three major US cloud providers, amidst backlash against changing US government policies. Australian domestic violence victims are being urged to take safety precautions after an attacker gained unauthorised access to over 9,000 files at New South Wales (NSW) justice department. CLOUD, NSW

⚠️ Incidents:

  • Google Maps has rolled out an update that appears to have deleted many users’ location history (more recently called Timeline). The data isn’t recoverable because of a change that now stores it locally on the device rather than in Google’s cloud by default. China-linked Weaver Ant attackers spent four years inside a major Asian telecommunications provider. South Africa’s largest chicken producer, Astral Foods, says that a recent week-long cyberattack will result in around 20 million rand ($1 million) of lost profit. MAPS, WEAVER, ASTRAL

🏴‍☠️ Ransomware:

  • Malaysian Prime Minister Anwar Ibrahim confirmed a ransomware attack against Kuala Lumpur International Airport (KLIA) this week, saying a $10 million ransom demand was rejected: “There is no way this country will be safe if its leaders and system allow us to bow to ultimatums by criminals and traitors, be it from inside or outside the country.” KLIA

🕵️ Threat Intel:

  • European officials ‘increasingly certain’ that subsea cable breaks in the Baltic Sea were accidental, not Russian sabotage. CABLES

🪲 Vulnerabilities:

  • Kubernetes clusters may be vulnerable to remote code execution. Researchers at Wiz say there are vulnerabilities in how K8s clusters handle ingress with Nginx, the worst of which is CVE-2025-1974 (9.8/10). CrushFTP users are being advised to update immediately to fix an authentication bypass issue, CVE-2025-2825, in CrushFTP versions 10 and 11. Qualys has found three ways for unprivileged Ubuntu users to bypass restrictions and gain access to privileged namespaces. KUBERNETES (RESEARCH), CRUSHFTP (ADVISORY), UBUNTU (DISCUSSION)

🧰 Guidance and tools:

  • NCSC’s guidance on what they’re calling privileged access workstations (PAW) and principles associated with protecting administrator access. PAW

🧿 Privacy:

  • London’s Met Police have installed their first permanent, live facial recognition cameras in Croydon. The two cameras will apparently only be activated when officers are in the area and able to make an arrest should a criminal be identified. CAMS

👮 Law Enforcement:

  • Connor Moucka, 26, a Canadian citizen allegedly involved in the Snowflake attacks, has consented to extradition to the US to face 20 federal charges. The US Department of Justice has seized cryptocurrency valued at around $8.2 million that was stolen in romance scams. SNOWFLAKE, ROMANCE

🗞️ Industry news:

  • The European Commission will invest €1.3 billion ($1.4B) in artificial intelligence, cyber security, and digital skills through its Digital Europe Programme 2025–2027. LINK

And finally 

  • 23AndMe has declared bankruptcy. The firm suffered a major security incident in October 2023; however, I don’t think the security breach led to the business failure. The $30 million class-action settlement was mostly ($25 million) covered by cyber insurance. Fundamentally, the company never turned a profit, had little financial resilience, and had a seemingly flawed business model. Wired has a guide on how to delete your data (if you used the service) before your genetic data is sold off as part of the company’s assets. LINK, FINANCIALS, DELETE
Robin