From UK Fraud to Disruptions Downunder
Jim Tiller
Security & IT Executive | Author | Patent Holder | Industry Leader | Co-Host DtSR Podcast | NIST | CMMC | CISSP | CISM | CISA | NYDFS | FAIR | NSA IEM | NSA IAM
In this week’s Security Bytes we ask ourselves: are the DDoS attacks from Killnet cyberwar or a cyber nuisance? The UK government more than suggests that anti-fraud policing, especially the cyber division, is unfit for purpose. This week we have another attack gone sideways in Australia. With new cloud infrastructure vulnerabilities, are we seeing the beginning of a new reality for cyber? And finally, CISA in the US is doing some great stuff, frankly better than it’s ever been, but I’m not sure about the advisories.
Cyberwar-ish
Understandably there is a great deal of cyber-related tension relative to the war in Ukraine. There have been a number of well-documented cyberattacks, but admittedly I believe we all expected it to be much worse. (NOTE: I’m not saying they weren’t bad, and the war is far from over; I’m just saying Russia has a history of wielding serious cyber capabilities.) Nevertheless, the threat of a devastating attack has reached feverish levels and the bad guys are taking advantage. This week the pro-Russian hacker group Killnet launched a DDoS attack against the Bulgarian government, temporarily impacting the websites of the presidential administration, the Defense Ministry, the Interior Ministry, the Justice Ministry, and the Constitutional Court. Killnet claimed responsibility, pointing out it was a punishment “for betrayal to Russia and the supply of weapons to Ukraine.” This isn’t new. Last week Killnet got press for attacking US government sites. Before that they attacked airport websites across 24 states, which was after targeting the state governments of Colorado, Connecticut, Kentucky and Mississippi – raising initial concerns of election tampering. They also tried to take out the Eurovision song contest because it excluded Russia, but were thwarted.
Is this cyberwar? No, it’s more like a cyber-based insurgency: skirmishes used at best to unsettle the political landscape, or at worst to provide cover for something else. Regardless, it’s a very smart move to get attention and get the press working for you. DDoS attacks can be devastating, but they’re becoming less so thanks to various technical capabilities. It’s headline grabbing and plays into fears, some of which are well-founded.
Article about Bulgarian attack - https://therecord.media/cyberattack-disrupts-bulgarian-government-websites-over-betrayal-to-russia/
Unfit for Purpose
A scathing report on the failure of law enforcement to address fraud was published Tuesday by the UK’s House of Commons Justice Committee, noting that “a wholesale change in philosophy and practice” is needed. Quoting from the article (because I can’t write it any better): ‘Despite a commitment to make the U.K. “the safest place in the world to live and work online” the government has presided over a 25% annual increase in reported fraud cases, more than half of which are driven by cybercrime.’ The report targeted Action Fraud, a national center for reporting cybercrime that it says is unfit for purpose, and proposed a new system; it further pointed out that only 2% of police funding was directed at fraud despite fraud representing 40% of crime. We can learn a few things here. First, good intentions not implemented meaningfully not only don’t help, but can actually hurt. Second, failing fast is one of the most important things you can do in cybersecurity, and a skill that’s rarely employed. In this case, while the UK government has identified the problem, the real test is whether they will pivot and implement change.
Article - https://therecord.media/uk-anti-fraud-efforts-have-failed-and-need-wholesale-change-lawmakers-say/
House of Commons report - https://committees.parliament.uk/publications/30328/documents/175363/default/
Down in Down Under
Earlier this month we learned that Australian telco Optus was hacked, resulting in the exposure of, by the most recent report, 1.2 million customers’ data. Of course the number is a moving target, ranging from 10 million to 1,000. The company says 7.7 million people’s data wasn’t current or valid – a bold statement. And now they’ve boiled it down to 10,200 customers that had private data stolen. There’s a lot of “whodunit” when it comes to how sophisticated the attack was, but by all indications it’s a total mess. There are many lessons to be learned here concerning how people are notified of breaches and what the breach actually did.
Which brings us to round two – Medibank, one of the largest private health insurance providers in Australia, servicing nearly 4 million members, got hacked last week. On Oct 13th the company issued a press release noting unusual activity that resulted in some downtime. OK, maybe a bit quick on the trigger, but I get it. This week, they issued an additional press release on the 17th pointing out that it was a cyber attack and – this is where things get sticky – reassuring that there was no evidence data was taken. They also state that it wasn’t a state-based actor (interesting) and that data wasn’t encrypted, so it wasn’t ransomware. Hmmm. The ink was still wet on the 17th press release as hackers claimed to have 200 GB of data, which they then confirmed Tuesday the 18th by offering hundreds of examples of policies and even medical procedures, validated by Medibank. Armed with that sample, the company believes it came from a specific database that houses 1 million of the 3.9 million customers’ data – hmmm. At this point, predictably, politicians jump in, and cyber-security minister Clare O’Neil has warned of a new world “under relentless cyber-attack”… hmmm. And at that point trading of Medibank was halted on the Australian stock exchange, unsurprisingly followed quickly by negotiations with the cyber thugs. This isn’t over.
Medibank’s site on updates - https://www.medibank.com.au/livebetter/newsroom/post/medibank-cyber-incident-update-19-October
Good summary article - https://www.theregister.com/2022/10/20/medibank_data_breach_worsens/
Article about O’Neil’s warning - https://www.theguardian.com/technology/2022/oct/19/health-insurer-medibank-enters-trading-halt-after-purported-cyber-attack
Press release #1 - https://yourir.info/resources/229150fa807ea4f2/announcements/mpl.asx/3A604459/MPL_Medibank_cyber_incident.pdf
Press release #2 - https://yourir.info/resources/229150fa807ea4f2/announcements/mpl.asx/3A604675/MPL_Medibank_cyber_incident_and_trading_update.pdf
New Norm
I vividly recall giving a keynote at an event in New York back in the very early 2000s talking about the cloud… was it “more of the same”, “evolutionary”, or was it “revolutionary”? It made for an interesting discussion. The point of the presentation was that everything has at least two sides – positive and negative – and this is unsurprisingly true for security. Security programs can gain a lot from the cloud, but there are new risks and challenges as well. In recent months we’ve seen a number of cloud scenarios that speak to exposure on a grand scale. Of course, if all of everyone’s eggs are in the same basket, the level of trust – implied or assumed – is significant. This week a researcher from Orca Security performed a proof-of-concept for a vulnerability in Microsoft’s Azure Service Fabric Explorer, which can be fooled into providing admin-level access to a platform used for building, deploying, and managing distributed microservices-based cloud applications. The cloud clearly represents a paradigm shift for IT and business, but it has completely changed how cyber risks need to be interpreted – and I think we’re still far from figuring that problem out.
The vulnerability - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35829
CVE detail - https://nvd.nist.gov/vuln/detail/CVE-2022-35829
Diminishing Returns?
I have high regard for the US government’s Cybersecurity and Infrastructure Security Agency (CISA), which has been making phenomenal strides in establishing new levels of cybersecurity activity and collaboration – especially with the UK. In fact, CISA recently published its strategic plan for 2023-2025, the first since the 2018 plan, which left a bit to be desired. The new one is comprehensive and a great start on what needs to be done. So, what’s the issue? There is one aspect where I see things getting lost, and that’s CISA’s advisories. There have been a lot lately (no surprise) and they essentially reflect information that’s already out there, such as CVEs from the National Vulnerability Database (NVD) managed by NIST. It leaves me with… what’s the point? These advisories are piling up and don’t really add new information. In fact, in the most recent advisory the links to the CVEs on NIST’s site are a dead end. As an industry we don’t need another source of the same vulnerability information – put that time, money and energy into NVD and CVE.
Article about the advisory - https://www.theregister.com/2022/10/20/cisa_flaws_advantech_hitachi/
This week’s advisory - https://www.cisa.gov/uscert/ics/advisories/icsa-22-291-01
CISA Strategy (a must read) - https://www.cisa.gov/sites/default/files/publications/StrategicPlan_20220912-V2_508c.pdf
CVE - https://cve.mitre.org/
NVD - https://nvd.nist.gov/