Newsletters

Microsoft continues to position itself as a bulwark against digital authoritarianism, but keeps pushing its rhetoric beyond the available evidence. This is consequential stuff, and we're disappointed that Microsoft seems more interested in hyping threats as opposed to seeking to help people understand them.

A few recent examples:

On Saturday, Microsoft released an article on "Preparing for a Russian cyber offensive against Ukraine this winter". In this article, Microsoft promotes the view that Russia is launching coordinated cyber and conventional attacks:

Amnesty International hack: A Chinese APT group has breached the network of the Canadian branch of Amnesty International, the organization said on Monday. The breach was discovered in early October and was investigated and confirmed with the help of cybersecurity firm Secureworks. Speaking to reporters, Amnesty International said the hackers searched for information on China, Hong Kong, and prominent Chinese activists. The organization said there found no evidence to suggest that Chinese hackers stole information on its donors and members. In August, threat intelligence firm Recorded Future warned that a Chinese APT named RedAlpha was registering lookalike domain names impersonating various human rights organizations, including Amnesty International.

It was ransomware: Rackspace has confirmed that the major outage of its Exchange email server infrastructure that took place over the weekend was caused by ransomware.

Mercury IT ransomware incident: The New Zealand government said that a ransomware attack on Mercury IT, a major local MSP, has impacted the services of several private and public institutions. The attack took place last week on November 30. According to the NZ Herald, the incident has impacted and compromised the data of the Ministry of Justice, the Ministry of Health, the NZ National Nurses Association, health insurer Accuro, and private industry group BusinessNZ.

Rackspace security incident: Cloud hosting platform Rackspace took down its hosted Microsoft Exchange email server infrastructure following what the company described as a "security incident." The incident took place on Friday, December 2, and Rackspace was still working on restoring affected services at the time of this newsletter on Monday morning. No confirmation yet that this is a ransomware attack. British security researcher Kevin Beaumont believes Rackspace's Exchange servers were most likely hacked using the ProxyNotShell vulnerability.

Accuro hack: New Zealand health insurer Accuro said that hackers gained access to its systems in a security incident last week. The company said that while it has no evidence that customer data was accessed, it can't rule out this possibility and urged users to be vigilant of possible fraud.

Ankr crypto-heist: Cryptocurrency platform Binance said it paused its integration with the Ankr DeFi protocol after an attacker used a leaked Ankr platform developer key and minted Binance BNB coins worth more than $4 billion in fiat currency. The attacker is believed to have stolen roughly $5 million worth of cryptocurrency before Binance stopped in to cut off their access, although it appears that Binance did manage to freeze $3 million of this.

LastPass discloses second breach this year: Password management utility LastPass says that a threat actor has breached one of its cloud storage servers using information the company believes was initially stolen during a previous security incident that took place in August 2022. LastPass says the intruder gained access to "certain elements of our customers' information," but that account master passwords remain safely encrypted. The company says it is working with Mandiant and law enforcement to investigate the incident. The incident also impacted the infrastructure of GoTo, a sister company part of the LogMeIn group.

Guatemala ransomware attack: The Guatemala government says it is investigating a ransomware attack that impacted the IT network of the Ministry of Foreign Affairs. The Ministry's data was added to the leak site of the Onyx ransomware group on September 27 and was added again on November 21, according to a report from The Record.

Full Medibank dump: The REvil ransomware gang has released the entire data set the group has stolen from Australian healthcare insurer Medibank. The data was published after the Australian company refused to pay the gang's extortion demand following a security breach in mid-October. Medibank has officially confirmed the leak of its entire data, which includes the personal and medical information of 9.7 million current and former customers.

In the US, the Federal Communications Commission (FCC) has banned Chinese telecommunications and video surveillance equipment from Huawei, ZTE, Hikvision and Dahua from sale in the United States. In the UK, the government banned Chinese surveillance camera manufacturers from installation at its "sensitive sites".

The UK government statement specifically mentioned the PRC's National Intelligence Law as the driver behind the ban. We don't think this is an overreaction. Article 7 of the law states:

It's clear: if the PRC government asks, companies must help.

Facebook fined €265 million: Ireland's data protection agency fined Meta €265 million in connection to the company's April 2021 data breach. The Irish Data Protection Commission said that Meta failed to safeguard its Facebook platform from data scraping, which allowed a threat actor to compile details on more than 530 million Facebook users. This data was later sold on an underground cybercrime forum. Responding to the fine, Facebook told TechCrunch that they have since rolled out protections to detect scraping operations. With this fine, the Irish data protection agency has fined all of Meta's three main platforms after it also fined Instagram €405 million in September 2022 and fined WhatsApp €228 million in September 2021.

EDF fine: French privacy watchdog CNIL has fined nuclear energy group EDF €600,000 for multiple security and privacy lapses. CNIL said that EDF failed to inform users of its web portal how their data was collected and handled, in a clear violation of the EU GDPR regulation. In addition, CNIL said that EDF had also failed to secure passwords for 2.5 million users, which were hashed using the insecure MD5 algorithm and were not salted, according to industry-accepted security best practices.

NIS2: After passing a provisional agreement in May, the European Council has formally adopted NIS2, a new EU directive that enforces a tougher set of cybersecurity incident reporting rules for crucial sectors, such as energy, transport, healthcare, space, public administration, and digital infrastructure. NIS2 replaces the older cybersecurity reporting framework NIS and widens reporting rules from large operators to also include mid-sized companies as well. The EU Parliament also formally passed the NIS2 regulations in October, and member states will have 21 months to incorporate the new NIS2 provisions into their national law.

Twitter data leak: A vulnerability reported via the HackerOne platform was used to mass-harvest the account details of Twitter users, including private information such as phone numbers and email addresses. An initial dataset compiled via this vulnerability and containing the details of more than 5.4 million Twitter accounts was allegedly traded on underground hacking forums earlier this year, while an even larger second dataset has also popped up on hacking forums over the past few days. According to reports, this second dataset allegedly contains details on tens of millions of Twitter accounts.

No WhatsApp breach: A threat actor has been circulating an alleged leak of WhatsApp data. It's fake. It's just a list of phone numbers, according to Alon Gal of Hudson Rock.

Zwijndrecht police ransomed: The Ragnar Locker ransomware gang has hacked and is now extorting the police department of the Belgian city of Zwijndrecht. The group claims to have obtained information detailing thousands of license plates, speeding fines, and even criminal investigations, ranging from 2006 to September 2022. Police officials said they detected the attempt to encrypt their servers and shut down their network for two weeks while they investigated and restored services. Ragnar Locker has already leaked some of the files on their dark web leak site.

EU Parliament DDoS attack: The EU Parliament said its servers were subject to a DDoS attack hours after they proclaimed the Russian government as a sponsor of terrorism. A pro-Kremlin hacktivist group took credit for the attack, according to Roberta Metsola, President of the EU Parliament. The agency's website resumed operations after two hours.

Guadeloupe cyberattack: In a message posted on its official website, the government of the Caribbean island Guadeloupe, a French overseas region, said it was hit by "a large-scale computer attack." Officials said they shut down all affected systems to protect data and diagnose the problem. The incident took place on Monday, and systems have yet to be restored. Security experts believe this is a ransomware attack, although the perpetrators have not yet been identified.

Ransomware on Indian hospital: A suspected ransomware attack has disrupted the IT network of the All India Institute of Medical Sciences (AIIMS), one of India's largest medical schools and hospitals. The Hindustan Times said this would mark the first instance of a major Indian hospital being affected by ransomware. Healthcare organizations, and especially hospitals, have been constantly targeted by ransomware gangs all over the US and Europe for the past five years, but as these organizations are getting better at protecting their networks, ransomware attacks are now hitting other countries as well.

There are legitimate reasons to be concerned about the platform. Last month Forbes reported that TikTok's China-based parent company ByteDance planned to use the app to monitor the location of specific US citizens without their knowledge or consent. This monitoring effort was allegedly led by Bytedance's Internal Audit and Risk Control department, the team that investigates potential misconduct by current and former employees. Forbes alleges that in at least two cases "the Internal Audit team also planned to collect TikTok data about the location of a U.S. citizen who had never had an employment relationship with the company".

It's hard to know what to make of this report as it's light on details and it's not even clear that the monitoring even took place. But perhaps the most concerning aspect of the Forbes article was that TikTok didn't explicitly deny the allegation and instead issued a "non-denial denial". Yikes.

Then there are concerns apps like TikTok could be used to harvest citizen data in bulk. In June we covered TikTok's efforts to mitigate these concerns by securing user data in US-based Oracle data centres before – the company's so-called "Project Texas" — and our take was that isolating US user data will be hard.

RunZero is one of this newsletter's four main supporters and this week's featured sponsor. The company's main product is its network discovery and asset inventory platform, which can be used to find any managed and unmanaged assets inside a customer's network. To learn more, please check out this runZero product demo below:

Pig-butchering crackdown: The US Department of Justice said it seized seven websites that were being used to trick victims as part of an online scam scheme known as "pig butchering." Pig butchering schemes are a combination of romance, investment, and cryptocurrency scams, where victims are approached via dating sites and then social-engineered into making various investment or cryptocurrency transactions. Pig butchering scams originated in Southeast Asia—where they have deep ties to criminal cartels—and are spreading globally. The DOJ said the seized domains impersonated the Singapore International Monetary Exchange and were used to steal more than $10 million from at least five victims.

Ten BEC scammers charged: The US DOJ has charged ten suspects across the US for stealing more than $11.1 million from state Medicaid programs and private health insurers. Officials said the group used BEC schemes where they posed as business partners to divert money from their victims' bank accounts into accounts operated by their money mules. The DOJ said that five state Medicaid programs, two Medicare Administrative Contractors, and two private health insurers fell victim and lost money to the group.