Robin’s Newsletter #367

29 June 2025. Volume 8, Issue 26
WhatsApp banned on House-issued devices. Patient death linked to Qilin ransomware attack. Canadian telco compromised by Salt Typhoon.

This week

Need to Know, 29th June 2025

  • WhatsApp banned on House-issued devices
  • Patient death linked to Qilin ransomware attack on NHS supplier
  • Canadian telco compromised by Salt Typhoon
  • Scattered Spider believed to be behind Hawaiian incident
  • US behind China in exploit pipeline
  • Cambodia home to 50-100 scam centres, says Amnesty
  • Microsoft, endpoint vendors working on API for anti-malware

Interesting stats

£1.3 million worth of laptops, phones, and tablets are lost or stolen annually from UK government departments. LINK

2.3% drop in US cyber insurance premiums year on year in 2024, according to credit rating outfit AM Best, citing data collected by the National Association of Insurance Commissioners. LINK

5% of GDP to be spent on defence by NATO members by the end of the decade, with 1.5% earmarked for ‘indirect’ spending, such as on cyber security capabilities. LINK

Five things

  1. WhatsApp: The US House of Representatives has banned WhatsApp from government-issued devices, recommending Signal, iMessage, and Teams as alternative text messaging apps. The memo sent to House staffers said that WhatsApp represented a “high risk to users due to the lack of transparency in how it protects user data” and the “potential security risks involved with its use,” according to Reuters. A spokesperson for Meta, which owns WhatsApp, said the company disagreed in the “strongest possible terms.” I suspect that the issue here is probably less with the end-to-end encryption of messages and more with WhatsApp as a target for device exploitation by spyware vendors. WHATSAPP

  2. Telco threats: Canadian officials say that the Chinese-linked Salt Typhoon group compromised a Canadian telco. The group obtained unauthorised access in February 2025 by exploiting a critical vulnerability in Cisco networking equipment (CVE-2023-20198; 10/10) that was patched 16 months ago. Telco equipment has very high uptime requirements. However, it’s hard to imagine that they couldn’t find an opportunity in over a year to apply an update protecting against this type of ‘perfect 10’ vulnerability. The attackers created a GRE tunnel (generic routing encapsulation; a type of VPN) to collect traffic from networks connected to the equipment. The Canadian Centre for Cyber Security’s threat bulletin says the investigations suggest that the targeting is broader than just the telecommunications sector. SALT TYPHOON, BULLETIN

  3. Cambodia: Amnesty International says Cambodian authorities are not doing enough to crack down on scam compounds operating within the country. A two-year study has identified 53 compounds where they believe activities are ongoing and a further 45 “suspicious” locations with unusual features, such as barbed wire and armed guards. The compounds are inhabited by people trafficked by organised crime gangs to run cryptocurrency and other online scams. Cambodian authorities have conducted ‘crackdowns’ at 28 locations, though “In many of the ‘rescues’,” Amnesty writes, “instead of entering the compound and investigating, the police would simply meet a boss, manager or security guard at the gate, who would hand them the individual(s) who had requested the rescue.” Thousands of individuals are believed to be held in captivity, victims themselves of gangs perpetrating cybercrime. COMPOUNDS

  4. Exploit pipeline: The Atlantic Council has released a report examining the differences between the Chinese and American ‘offensive cyber supply chain’ to develop or acquire zero-days. Crash (exploit) and burn analyses the difference in approaches between the two superpowers. It’s an interesting dive into the pipeline of each nation, with China having the upper hand with its domestic talent, while US agencies favour contracts with large defence primes, which take longer and demand higher levels of stealth and trust. The good news is that zero-days of this type are becoming harder to find: the “amount of time and capital required to develop an impactful capability has escalated dramatically in the last decade.” EXPLOITS

  5. Patient safety: One patient died, and 170 cases of patient harm have been identified due to the Qilin ransomware group’s attack on Synnovis, an NHS blood testing provider, last year. Stocks of the universally accepted O- blood type remain low following the attack. Please donate if you can. HARM, MORE, DONATE

Other newsy bits

  • City councils: Two UK city councils have reported cyber events in the last few weeks. Oxford City Council suffered a breach affecting “historic data on legacy systems” belonging to election officials and volunteers between 2001 and 2022. ‘Legacy systems’ is increasingly cited to try and downplay incidents, though, if it’s a legacy system, shouldn’t you have decommissioned it? Meanwhile, Glasgow City Council is experiencing disruption and the possible theft of customer data on “servers managed by a third-party supplier,” CGI. OXFORD, GLASGOW

  • Hawaiian Airlines has suffered a breach, likely at the hands of members of the Scattered Spider group. The airline reassured customers that it could still safely fly a full schedule while some IT systems were down. HAWAIIAN

  • OpenAI: Judge Ona Wang has denied creating a “mass surveillance program” in their order that OpenAI must preserve all ChatGPT logs as part of a copyright case brought by the New York Times. The order applies regardless of whether users opt for anonymous sessions or make requests under data protection regulations. I find it odd that the order isn’t required to be more precise and scoped to specific users or classes of query. In the meantime, an ever-increasing store of data is being created that needs protecting. Future litigation may be able to access the data, too. It’s a pretty blunt order, in my view. CHATGPT LOGS

  • Law enforcement: Four of eight convicted members of the REvil ransomware gang are being released for time served after admitting guilt. The Russian judge is requiring the remaining four to complete their sentences, which are being served in a “general regime penal colony”. French police have arrested five operators of the BreachForums cybercrime forum, used to buy and sell stolen data. The arrests include the people behind the online handles “ShinyHunters,” “Hollow,” “Noct,” and “Depressed.” The operation included the French overseas territory of Reunion, in the Indian Ocean, which stands out a bit to me. This week, an unsealed indictment named a frequent poster on BreachForums using the IntelBroker alias, real name Kyle Northern, a British citizen arrested in France in February this year for stealing and selling data and causing an estimated $25 million in damages. REVIL, BREACHFORUMS, INTELBROKER

  • Get patching: Cisco is warning of two critical remote code execution vulnerabilities in its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC): CVE-2025-20281 and CVE-2025-20282 (both 10/10). The issues both stem from insufficient input validation and flawed file validation. You may want to change the default password of any Brother printers (also some Konica Minolta, Fujifilm, Ricoh, and Toshiba ones). AMI’s MegaRAC, a baseboard management controller (BMC) module on some motherboards, also contains a 10/10 critical vulnerability. CISA is warning that CVE-2024-54085, disclosed in March, is known to be exploited by threat actors. CISCO (ADVISORY), BROTHER (ADVISORY), AMI (ADVISORY (PDF))

And finally

  • Microsoft is making changes to Windows to help prevent future CrowdStrike-style outages by allowing anti-malware firms to run in user rather than privileged kernel contexts via an API. Reps from all the main endpoint vendors welcomed the move. Other changes include the end of the blue screen of death — the critical warning screen presented to users following an unrecoverable system error — which will become black and, crucially, if the OS gets stuck in a boot loop, fall back to a stripped-down recovery version to help resolve the issue. MICROSOFT
Robin