At a glance.
- Twitter exploit may have compromised more than 5 million accounts.
- Cyberattack disrupts NHS 111.
- Twilio discloses data breach.
- Klaviyo discloses data breach.
- RCMP says it used spyware, but not Pegasus.
- Finland's parliament comes under cyberattack.
- Cyberattacks against a UK firm that's criticized Russia's war.
- Cisco discloses a security incident.
- Joint warning on Zeppelin ransomware.
- Blueprint to assist small and mid-sized businesses with ransomware released.
Twitter exploit may have compromised more than 5 million accounts.
Last Friday Twitter disclosed that a vulnerability in its systems had been exploited to collect some users' personal information. "In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter's systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any. This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability." It has since turned out that a threat actor exploited the vulnerability to collect personal information before Twitter applied the fix, and is now offering the stolen data for sale. Twitter is in the process of notifying affected users. BleepingComputer reports that data from some 5.4 million accounts were scraped before the vulnerability was fixed.
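The bug Twitter describes is a classic account-enumeration oracle: a lookup endpoint that answers differently depending on whether a contact identifier is registered. The following is an added example, not Twitter's code. It shows a lookup with that flaw, the bulk scraping it enables, and a hardened variant that returns the same response for known and unknown identifiers and rate-limits each caller. The user table, the caller key, the thresholds and the "recovery message" side effect are all assumptions made for illustration.

```python
"""Account-enumeration oracle of the kind Twitter disclosed, beside a hardened lookup.

Added example, not Twitter's code. USERS is a constructed sample directory; the
rate limit, caller key and recovery-message side effect are illustrative assumptions.
"""
from collections import defaultdict, deque
from typing import Callable, Dict, Iterable, Optional

# Constructed sample directory: contact identifier -> account handle.
USERS = {
    "alice@example.com": "@alice",
    "+15555550123": "@bob",
}


def vulnerable_lookup(identifier: str) -> dict:
    """Behaves like the bug: the response reveals which account a contact belongs to."""
    handle = USERS.get(identifier)
    if handle:
        return {"exists": True, "handle": handle}
    return {"exists": False}


def scrape(lookup: Callable[[str], dict], candidates: Iterable[str]) -> Dict[str, str]:
    """What an actor does at scale: feed a list of emails/phone numbers to the oracle
    and keep every identifier-to-handle mapping it confirms."""
    found = {}
    for ident in candidates:
        response = lookup(ident)
        if response.get("exists"):
            found[ident] = response["handle"]
    return found


class HardenedLookup:
    """Same legitimate use (e.g. account recovery) without the oracle.

    - The HTTP-level response is identical whether or not the identifier is known.
    - The only difference is an out-of-band side effect (a recovery message to the
      real account holder), recorded here in `sent` instead of actually delivered.
    - A sliding-window rate limit per caller bounds bulk scraping.
    """

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits: Dict[str, deque] = defaultdict(deque)
        self.sent = []  # handles that would have received a recovery message

    def _allowed(self, caller: str, now: float) -> bool:
        hits = self._hits[caller]
        while hits and now - hits[0] > self.window:
            hits.popleft()           # drop hits that fell out of the window
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True

    def lookup(self, caller: str, identifier: str, now: float) -> dict:
        """`caller` is the rate-limit key (assumed: client IP or API key);
        `now` is injected so the behaviour is deterministic."""
        if not self._allowed(caller, now):
            return {"status": "rate_limited"}
        handle = USERS.get(identifier)
        if handle:
            # In production, queue this asynchronously so response time does not
            # differ between known and unknown identifiers (a timing side channel).
            self.sent.append(handle)
        # Same body in both cases: the caller learns nothing about existence.
        return {"status": "ok",
                "message": "If this contact is registered, we have sent instructions."}
```

The hardened version keeps the feature (recovery still works for real account holders) while removing the information the actor harvested: the response body no longer depends on whether the identifier exists, and a caller hammering the endpoint with a candidate list is throttled.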
Cyberattack disrupts NHS 111.
A cyberattack against a third-party provider has disrupted Britain's National Health Service's NHS 111 online service, an advice and scheduling platform designed "to make it easier and quicker for patients to get the right advice or treatment they need." Advanced, a digital services provider for NHS 111, detected the attack last Thursday. The BBC says the target of the attack was the system "used to refer patients for care, including ambulances being dispatched, out-of-hours appointment bookings and emergency prescriptions." Computing reports that staff at Britain's National Health Service (NHS) have been advised to expect at least three weeks of disruption following the cyberattack. NHS financial and patient referral systems were affected, and access to certain electronic records has been impaired. The Independent cites an NHS source who believes remediation could take months. Health Service Journal writes that the incident involved an attack against a third party, the IT firm Advanced, and that the attackers (unknown, or at least not yet publicly identified) have made unspecified "demands." The NHS is concerned that some patient data may have been compromised, but the incident remains under investigation.
Twilio discloses data breach.
Twilio, which TechCrunch describes as a "communications giant" whose platform enables developers to build voice and SMS features into their apps, has disclosed a data breach. "On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials," the company said in a blog post. "This broad based attack against our employee base succeeded in fooling some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data." The company is working directly with affected customers, and it still has the incident under investigation.
Klaviyo discloses data breach.
In another incident traceable to credential theft, BleepingComputer reports that the email marketing firm Klaviyo has disclosed a data breach. The firm wrote on its blog, "On August 3rd, we identified a Klaviyo employee’s login credentials had been compromised, as a result of suspicious activity from our internal logging and a user report. This allowed a threat actor to gain access to the employee’s Klaviyo account and, as a result, some of our internal support tools." Klaviyo explained that the attacker, who showed a particular interest in cryptocurrency-related accounts, went after two classes of information:
- "The threat actor used the internal customer support tools to search for primarily crypto related accounts and viewed list and segment information for 44 Klaviyo accounts. For 38 of these accounts, the threat actor downloaded list or segment information. The information downloaded contained names, email addresses, phone numbers, and some account specific custom profile properties for profiles in those lists or segments. All of these accounts have been notified with the details of which profiles and profile fields were accessed or downloaded.
- "The threat actor also viewed and downloaded two of Klaviyo’s internal lists used for product and marketing updates. These exports included information such as name, address, email address and phone number. The download did not include any passwords, password hashes, or credit card numbers. The download also did not include any account data for subscribers who have a Klaviyo account. All impacted individuals have been notified."
RCMP says it used spyware, but not Pegasus.
Sometimes spyware really is lawful intercept technology, at least when it's not being abused, so Parliamentary testimony by Canadian security officials would maintain. Global News reports that Mark Flynn, Royal Canadian Mounted Police (RCMP) assistant commissioner responsible for National Security and Protective Policing, told Members of the House of Commons Ethics Committee Monday that between 2002 and 2015, the RCMP used “Canadian-made technology” to covertly access electronic information. “As encryption started to be used by targets that we had judicial authorization to intercept, and we were unable to hear the audio, hear the phone calls or see the messages they were sending, that is when we developed the tool and technique to make it possible to intercept those communications,” he told the committee, which is conducting an inquiry into the use of surveillance tools against cellphones. “We have evolved in the use of the tools as individuals evolved in the way they communicate.” He also stressed to the Members that hostile foreign states were certainly using tools at least as powerful, and that Members of Parliament should understand that they themselves are the targets of foreign surveillance efforts.
Finland's parliament comes under cyberattack.
The website of Finland's parliament was unavailable Tuesday as it came under a distributed denial-of-service (DDoS) attack. The attack is under investigation, but is believed to originate from Russia. Finnish news outlet Yle reports that the website was inaccessible between 2:30 PM and 10:00 PM local time. The threat actor behind the incident is believed, on the basis of claims in a hacktivist group's Telegram channel, to be a Russian group calling itself NoName057(16), and the motive is to harass Finland's government for its decision to seek NATO membership. "We decided to make a 'friendly' visit to neighbouring Finland, whose authorities are so eager to join Nato," the group said.
Cyberattacks against a UK firm that's criticized Russia's war.
The Telegraph reports that Britain's National Cyber Security Centre (NCSC) and Scotland Yard are investigating a series of distributed denial-of-service (DDoS) attacks the alt-currency firm Currency.com has sustained since its founder criticized Russia's war at the end of February. Victor Prokopenya, the company's founder, said: “The cyber attack has been going on almost on a daily basis every day for the last three months. It’s like someone repeatedly trying to break down your front door.” He said his security team is convinced that the attack is Russian in origin. The NCSC believes that the operators behind the DDoS are privateers as opposed to Russian government organizations.
Cisco discloses a security incident.
Cisco Wednesday disclosed that, on May 24th of this year, it detected a hostile attempt against its corporate network. The company's Talos research group summarized some of its findings. Investigation showed that "a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized." The threat actor, which Cisco regards "with high confidence" as an initial access broker who's worked with at least "the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators," used information obtained from that intrusion to run a "sophisticated" voice phishing campaign in which it impersonated trusted organizations with a view to persuading victims to accept multifactor authentication push notifications. In this it enjoyed some success. "The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user." This led to further exploitation: "Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. The attacker then escalated to administrative privileges, allowing them to login to multiple systems, which alerted our Cisco Security Incident Response Team (CSIRT), who subsequently responded to the incident. The actor in question dropped a variety of tools, including remote access tools like LogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, and added their own backdoor accounts and persistence mechanisms."
The incident, Cisco Talos reports, was consistent with the early stages of a ransomware attack, but the company found no evidence of ransomware having been deployed in any of its systems.
"Cisco did not identify any impact to our business as a result of this incident," the company said, "including no impact to any Cisco products or services, sensitive customer data or sensitive employee information, Cisco intellectual property, or supply chain operations." The statement does acknowledge that "On August 10 the bad actors published a list of files from this security incident to the dark web."
The group responsible for this attack seems to have been Yanluowang. At least, Yanluowang contacted BleepingComputer and offered to show the publication the 2.8 GB of data they claim to have stolen. BleepingComputer says many of the files they saw were "non-disclosure agreements, data dumps, and engineering drawings."
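The Cisco intrusion described above follows a sequence that identity and VPN logs can expose: a burst of rejected or timed-out MFA pushes, then an approval, then new MFA devices enrolled shortly afterwards. The following is an added example, not Cisco Talos's detection content, of detection logic for that sequence run over constructed log lines. The log format, field names, the thresholds (three rejected pushes within ten minutes before an approval; a device enrolment within thirty minutes of such an approval) and the usernames are all assumptions for illustration.

```python
"""Detect the MFA push-fatigue-then-enrolment pattern from the Cisco incident.

Added example, not Cisco's detection content. The log format, field names,
thresholds and every line in SAMPLE_LOG are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample: one user worn down by repeated pushes who then approves one,
# logs in to the VPN and enrols a new device; one user with a normal single approval.
SAMPLE_LOG = """\
2022-05-24T10:01:05Z user=jdoe event=mfa_push result=denied ip=203.0.113.7
2022-05-24T10:02:11Z user=jdoe event=mfa_push result=timeout ip=203.0.113.7
2022-05-24T10:03:40Z user=jdoe event=mfa_push result=denied ip=203.0.113.7
2022-05-24T10:05:02Z user=jdoe event=mfa_push result=denied ip=203.0.113.7
2022-05-24T10:06:40Z user=jdoe event=mfa_push result=approved ip=203.0.113.7
2022-05-24T10:07:10Z user=jdoe event=vpn_login result=success ip=203.0.113.7
2022-05-24T10:09:30Z user=jdoe event=mfa_enroll device=phone-2 ip=203.0.113.7
2022-05-24T10:15:00Z user=asmith event=mfa_push result=approved ip=198.51.100.9
2022-05-24T10:15:20Z user=asmith event=vpn_login result=success ip=198.51.100.9
"""

PUSH_WINDOW = timedelta(minutes=10)    # assumed: span in which repeated pushes count
MIN_REJECTED = 3                       # assumed: rejected/timed-out pushes before an approval
ENROLL_WINDOW = timedelta(minutes=30)  # assumed: enrolment this soon after a suspicious approval


def parse_line(line: str) -> dict:
    """Parse '<timestamp> key=value key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text: str) -> List[Tuple[str, str, datetime]]:
    """Return (rule, user, timestamp) alerts for:
    - mfa_push_fatigue: an approval preceded by >= MIN_REJECTED non-approved
      pushes inside PUSH_WINDOW (the attacker wore the user down);
    - mfa_enroll_after_fatigue: a new MFA device enrolled within ENROLL_WINDOW
      of such an approval (the attacker making persistence of the foothold).
    """
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    events.sort(key=lambda r: r["ts"])
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        suspicious_approvals = []  # timestamps of approvals that followed a push storm
        for i, ev in enumerate(evs):
            if ev.get("event") == "mfa_push" and ev.get("result") == "approved":
                rejected = [p for p in evs[:i]
                            if p.get("event") == "mfa_push"
                            and p.get("result") != "approved"
                            and ev["ts"] - p["ts"] <= PUSH_WINDOW]
                if len(rejected) >= MIN_REJECTED:
                    alerts.append(("mfa_push_fatigue", user, ev["ts"]))
                    suspicious_approvals.append(ev["ts"])
            elif ev.get("event") == "mfa_enroll":
                if any(timedelta(0) <= ev["ts"] - t <= ENROLL_WINDOW
                       for t in suspicious_approvals):
                    alerts.append(("mfa_enroll_after_fatigue", user, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule} user={user}")
```

The second rule is the higher-value one: a single approval after a burst of pushes can be an annoyed but legitimate user, whereas a new authenticator enrolled minutes later from the same session is exactly the persistence step Talos reported, and is worth an immediate session revocation and a call to the user.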
Joint warning on Zeppelin ransomware.
The US Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint advisory on Zeppelin ransomware. Developed from the Delphi-based Vega malware family, Zeppelin is a ransomware-as-a-service offering that's used "to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries." The operators gain initial access through phishing campaigns, by exploiting exposed RDP, or by exploiting known SonicWall firewall vulnerabilities. Zeppelin is typically used in double-extortion attacks, exfiltrating files before encrypting them, and thus adding the threat of data publication to the denial of access to data. The advisory includes a comprehensive list of indicators of compromise as well as recommended mitigations.
Blueprint to assist small and mid-sized businesses with ransomware released.
The Institute for Security and Technology has released its "Blueprint for Ransomware Defense," designed to assist small and medium-sized businesses with ransomware mitigation, response, and recovery. The guide provides a cybersecurity framework of best practices for enterprises built on the CIS Controls, described as "a prioritized and prescriptive set of actions developed by a global community of cybersecurity experts." The 40 recommended safeguards have been backed by analysis to show that they protect against over 70% of ransomware attack techniques. The blueprint also provides tools and resources to assist with safeguard implementation.
This past Tuesday was August's Patch Tuesday, with updates released by IBM, Adobe, Siemens, Schneider Electric, and, of course, Microsoft. Redmond addressed 118 CVEs, seventeen of them critical. Tenable has a useful summary of Microsoft's patches.
VMware has warned that exploit code for vulnerabilities it patched last week is now available online. The vulnerabilities affect Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector, and vRealize Automation. The availability of exploit code should lend urgency to patching.
Tuesday CISA released three Industrial Control Systems Advisories, for Mitsubishi Electric GT SoftGOT2000 ("mitigations for Infinite Loop and OS Command Injection vulnerabilities"), Emerson ControlWave ("mitigations for an Insufficient Verification of Data Authenticity vulnerability"), and Emerson OpenBSI ("mitigations for Use of Broken or Risky Cryptographic Algorithm and Use of Hard-coded Cryptographic Key vulnerabilities").
Thursday CISA released an unusually large number of ICS security advisories, twenty-eight in all. They're too many to link here, but see the selected reading below for a complete list. The affected systems include products offered by Siemens, Schneider Electric, Emerson, and Baxter.
Crime and punishment.
Last Thursday Alexander Vinnik finally arrived in the US, extradited from Greece. Mr. Vinnik, the US Department of Justice announced last Friday, faces money laundering charges in connection with BTC-e, an exchange that allegedly catered to the criminal-to-criminal market. "'After more than five years of litigation, Russian national Alexander Vinnik was extradited to the United States yesterday to be held accountable for operating BTC-e, a criminal cryptocurrency exchange, which laundered more than $4 billion of criminal proceeds,' said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division."
The State Department's Rewards for Justice program is offering $10 million for information on Conti operators, or Conti alumni, depending upon how you read the gang's present occultation. In any case it's the natural person and not the organization that's the target. The US Department of State has tweeted its offer in both Russian and English: "The U.S. Government reveals the face of a Conti associate for the first time! We’re trying to put a name with the face! To the guy in the photo: Imagine how many cool hats you could buy with $10 million dollars! Write to us via our Tor-based tip line."
In a "cyber related designation," the US Department of the Treasury this morning added Tornado Cash to the Department's Specially Designated Nationals List. Tornado Cash is a virtual currency mixer, and the Treasury Department has concluded that this particular mixer is implicated in laundering the proceeds of cybercrime. In particular, Reuters reports, the Department is concerned about the uses North Korea's Lazarus Group has made of Tornado Cash. The immediate effect of the sanction, CoinDesk notes, is that US persons will no longer be able to use the mixer. This is the second virtual currency mixing service Treasury has sanctioned for connections with North Korea: Blender.io came under sanction early this May.
Courts and torts.
The US Bureau of Industry and Security (BIS) has issued a charging letter against China's Far East Cable Co., accusing the company of selling telecommunications equipment to Iran on behalf of telecommunications company and supplier ZTE, thus violating export controls, the Register reports. ZTE reportedly already paid $1.19 billion in fines in 2017 to settle export control violation charges. Now the Bureau has identified Far East Cable as a middleman vendor between ZTE and Iran: the vendor signed a deal in 2013 valued at $164 million to purchase telecommunications equipment from ZTE, and later entered into contracts with Telecommunications Company of Iran and Khadamate Ertebati Rightel to supply ZTE hardware to them for $189.5 million. John Sonderman, director of the Office of Export Enforcement at BIS, said in a statement, "As alleged, Far East Cable acted as a cutout for ZTE, facilitating ZTE shipments to Iran at the very time ZTE knew it was under investigation for the exact same conduct. Far East Cable engaged in serious conduct as part of the attempt to conceal the activity from US investigators. These charges should send a strong message to any company contemplating facilitating violations on behalf of another."
Policies, procurements, and agency equities.
The US Cybersecurity and Infrastructure Security Agency (CISA) Wednesday released Protecting U.S. Elections: A CISA Cybersecurity Toolkit. Intended as "a one-stop catalog of free services and tools available for state and local election officials to improve the cybersecurity and resilience of their infrastructure," the Toolkit was developed in conjunction with private and public organizations working through CISA’s Joint Cyber Defense Collaborative (JCDC). CISA explains that Protecting U.S. Elections is designed to enable election officials to:
- "Assess their risk using an Election Security Risk Profile Tool developed by CISA and the U.S. Election Assistance Commission;
- "Find tools related to protecting voter information, websites, email systems, and networks; and
- "Protect assets against phishing, ransomware, and distributed denial-of-services (DDoS) attacks."
In the US, we note for international readers, the conduct of elections is the responsibility of state and local governments, not Federal authorities.