Cyber is the race nobody wins - but that's ok
Incursion Cyber Security
Incursion Cyber Security deliver high-quality cyber security consultancy.
It's been a challenging year for cybersecurity defenders, marked by significant monthly breaches at organisations like Volkswagen and Microsoft, alongside critical infrastructure vulnerabilities such as the Cisco ArcaneDoor firewall campaign targeting government networks. If this year's cybersecurity results were compared to an F1 race, the hackers would resemble Red Bull, dominating the track, whilst top defenders with infinite security budgets struggle even to identify themselves amongst the losing teams of this year's championship.
It’s not all doom and gloom. Researchers at Oxford University have developed a major study to understand profit-driven cybercrime distribution, resulting in the World Cybercrime Index (WCI). The WCI categorises cybercrime into five major types and highlights geographical concentrations of financially motivated cybercriminals. The index identifies specific countries posing significant cybercrime threats, showing specialisation in certain cybercrime activities within hubs. This research contributes to understanding why some countries produce more cybercrime than others. The WCI aims to demystify cybercriminal anonymity and help us defenders to bolster global efforts to combat this evolving threat.
Meanwhile, the theft of 19,000 sensitive documents from Volkswagen, including commercial plans for electric mobility, emphasises the strategic and commercial nature of these cyber gangs and their attacks. These perpetrators operate with a solid "go-to-market" strategy, showing meticulous planning and ample resources behind their actions. The stolen documents pose a threat to Volkswagen's competitiveness in the electric vehicle market, potentially leading to financial losses and reduced investor confidence. To respond, Volkswagen is overhauling its cybersecurity protocols, adopting advanced real-time monitoring systems, and bolstering its cybersecurity workforce.
Similarly, Microsoft's recent data leak, exposing critical security vulnerabilities for weeks, highlights the ongoing challenges faced by the tech giants' defenders. This year hasn’t been a good one for Microsoft, leaving users with a sense of buyer's remorse due to these repeated security incidents.
Hacks, Cybercrime and Threat Intel
INC Ransom cybercrime group claims attack on Leicester City Council
Leicester City Council has confirmed that a recent cyber incident was indeed a ransomware attack, following the disclosure of stolen documents on a dark web extortion site by the group INC Ransom. Richard Sword, Leicester's strategic director, acknowledged that approximately 25 confidential documents, including rent statements, housing applications, and identification details such as passport information, had been published by the ransomware group.
‘GooseEgg’ malware tool used by Russian state hackers
Russian state-sponsored hackers linked to the GRU military intelligence agency are using a malware tool called GooseEgg, exploiting a legacy Windows Print Spooler vulnerability (CVE-2022-38028) to steal credentials in compromised networks. Known as Forest Blizzard (Fancy Bear / APT28), they have targeted organisations in Ukraine, Western Europe, and North America since at least June 2020. After gaining access, they use GooseEgg for privilege escalation, remote code execution, and backdoor installation. Microsoft patched the Print Spooler vulnerability in 2022. This vulnerability serves to remind us that, despite investments in costly security solutions, many governments and organisations are underutilising their defences. What will it take to get everyone applying timely patches?
Infosec Research and Vulnerabilities
Linux XZ backdoor
Over the Easter weekend, Linux narrowly avoided a catastrophic cyber-attack. The discovery of a backdoor in a recent release of XZ Utils, a tool widely used across Linux distributions for file compression, raised serious concerns over potential widespread system compromise.
Microsoft developer Andres Freund uncovered the issue during an investigation into unusual CPU activity caused by encrypted log-ins to liblzma, part of the XZ compression library. The compromised versions 5.6.0 and 5.6.1 of XZ tools and libraries contained the backdoor, which originated from a sophisticated, multi-year social engineering attack orchestrated by "JiaT75" (Jia Tan) and accomplices "Jigar Kumar" and "Dennis Ens". Tan, who had gained influence within the XZ project, exploited this position to insert the malicious code.
Red Hat promptly issued a security alert urging affected Fedora users to cease usage of impacted instances to mitigate risks associated with the backdoor.
Imperva WAF Flaw (CVE-2023-50969)
A critical security flaw, identified as CVE-2023-50969, has been found in Imperva SecureSphere, a popular on-premises Web Application Firewall (WAF). This vulnerability allows attackers to bypass essential security protocols meant to defend against common web-based attacks like SQL injection and cross-site scripting. By manipulating "Content-Encoding" headers within HTTP requests and transmitting specifically encoded POST data, malicious actors can clandestinely inject harmful payloads past the WAF's defences, targeting vulnerabilities within the applications the WAF was designed to safeguard.
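One way to close the gap this flaw illustrates, as an added example that is not Imperva's code and not part of the original post: a request inspector that decodes the body according to its Content-Encoding header before running any signatures, and blocks any encoding it cannot decode rather than forwarding an uninspected body. The signature set, header handling and sample payload are constructed for illustration.

```python
import gzip
import re
import zlib

# Added example, not code from the original post or from Imperva: a request
# inspector that decodes the body according to Content-Encoding BEFORE matching
# injection signatures, and blocks encodings it cannot decode. Matching only the
# raw bytes, as described for CVE-2023-50969 above, misses encoded payloads.

SUPPORTED_ENCODINGS = {"identity", "gzip", "deflate"}

# Deliberately small, constructed signature set; real rule sets are far larger.
SIGNATURES = [
    ("sqli-tautology", re.compile(rb"(?i)'\s*or\s+\d+\s*=\s*\d+")),
    ("sqli-union", re.compile(rb"(?i)union\s+select")),
    ("xss-script-tag", re.compile(rb"(?i)<script\b")),
]

# Constructed sample: the same payload sent plain and gzip-encoded.
SAMPLE_PLAIN = b"user=admin' OR 1=1--"
SAMPLE_GZIP = gzip.compress(SAMPLE_PLAIN)


def decode_body(headers: dict, body: bytes) -> bytes:
    """Undo Content-Encoding the way the origin server would.
    Raises ValueError for an encoding we cannot faithfully reproduce, so the
    caller blocks instead of forwarding a body it never inspected."""
    encoding = headers.get("Content-Encoding", "identity")
    # Chained encodings ("gzip, deflate") are listed in the order applied,
    # so they are undone right-to-left.
    for enc in reversed([e.strip().lower() for e in encoding.split(",")]):
        if enc not in SUPPORTED_ENCODINGS:
            raise ValueError(f"unsupported Content-Encoding: {enc!r}")
        if enc == "gzip":
            body = gzip.decompress(body)
        elif enc == "deflate":
            body = zlib.decompress(body)  # RFC 9110 deflate is zlib-wrapped
    return body


def inspect_request(headers: dict, body: bytes) -> str:
    """Return 'allow', 'block:<rule-name>' or 'block:undecodable'."""
    try:
        plain = decode_body(headers, body)
    except (ValueError, OSError, EOFError, zlib.error):
        return "block:undecodable"
    for name, pattern in SIGNATURES:
        if pattern.search(plain):
            return f"block:{name}"
    return "allow"
```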
Multiple Vulnerabilities Affecting Ivanti Avalanche
Ivanti has released a security advisory addressing multiple vulnerabilities in Ivanti Avalanche, two of which are critical severity with a CVSSv3 score of 9.8. Ivanti Avalanche is a mobile device management solution used to remotely manage, deploy software to, and schedule updates for enterprise mobile devices.
CVE-2024-24996 is a heap overflow vulnerability which could allow an unauthenticated remote attacker to execute arbitrary commands. Similarly, CVE-2024-29204 is also a heap overflow vulnerability, this time affecting the WLAvalancheService component of Ivanti Avalanche. This could also allow a remote unauthenticated attacker to execute arbitrary commands.
The solution is to upgrade to version 6.4.1 or later if you can.
Legal and Compliance
UK’s device security law finally kicks in
The UK's long-awaited Product Security and Telecommunications Infrastructure (PSTI) Act has come into effect, requiring manufacturers of electronic and smart devices to implement basic cybersecurity standards to protect consumers and businesses from data privacy violations and cyber-attacks. This legislation prohibits devices from using insecure default passwords, mandates manufacturers to provide contact details for issue reporting, and ensures transparency about security update timelines. Non-compliance can result in significant fines. The law covers a wide range of devices including smart speakers, TVs, smartphones, wearables, and smart home appliances, aiming to enhance cybersecurity and consumer confidence in the rapidly growing IoT landscape. Cybersecurity experts have welcomed the law for addressing key vulnerabilities and improving overall IoT security.
Former FSB Officer Receives Nine-Year Sentence in $1.7 Million Bribery Case
Grigory Tsaregorodtsev, a former Russian Federal Security Service (FSB) officer, has been sentenced to nine years in a penal colony for his involvement in a $1.7 million bribery scandal. Tsaregorodtsev, once a respected figure within the FSB's counterintelligence division in Perm, was implicated in accepting substantial bribes from hacker groups, totalling 160 million Rubles. These bribes were exchanged for his protection and influence, enabling the hackers to operate without fear of intervention.
Conclusion
As we face the ongoing challenges of cybersecurity, it's critical to ask ourselves: are we effectively winning the cyber race and ensuring our safety against modern adversaries, or are we underestimating the magnitude of the threat? The truth is, cyber-attacks are inevitable, especially for high-profile targets where the rewards for these modern-day bank robbers and attackers are substantial. The key defence lies in acknowledging this reality and adopting a proactive stance towards cybersecurity. We must prioritise the basics and develop a pervasive culture of security within our organisations. By embracing this approach, integrating security into every aspect of our operations, and fostering awareness among all stakeholders, we can enhance our resilience and better protect our data, people and businesses.