Newsletters

Rackspace faces three CALs: Cloud hosting provider Rackspace will have to defend at least three different class-action lawsuits related to a ransomware attack that hit a part of its server infrastructure and has left countless companies without access to their email servers. In an interview last week, Rackspace suggested they might not be able to recover all their customers' data, which they referred to as "legacy data." The company also appears to have given up on hosting Exchange email servers in its cloud and said it was migrating all its existing customers to Microsoft 365. Migrating its Exchange customers to a rival will cost the company $30 million, according to documents Rackspace filed with the SEC.

Lodestar Finance crypto-heist: A threat actor has abused an exploit in the smart contract of the Lodestar Finance DeFi platform and has stolen more than $5.8 million worth of cryptocurrency. The platform said it already recovered $2.4 million of the stolen funds and is still working to secure the rest. Just like most cryptocurrency platforms that get popped these days, Lodestar has offered to let the hacker keep some of the stolen funds and hide the intrusion under a "white-hat agreement."

Edge support on Windows 7/8: Microsoft plans to end support for its Edge web browser on Windows 7 and Windows 8/8.1 versions next year, on January 10, 2023. This is the same date when both Windows 7 and Windows 8/8.1 will reach End-Of-Life (EOL) after their extended support periods expire. Google also announced earlier this fall that Chrome version 110 would be the last to support both Windows 7 and Windows 8/8.1. Chrome 110 is scheduled for release in February 2023.

Finally, the third and most positively welcomed feature is Advanced Data Protection for iCloud, which lets users encrypt their iCloud data, including iCloud Backup, Photos, Notes, and others. According to an Apple documentation page, 23 different iCloud data categories can be encrypted.

The feature is also opt-in, so users will have to manually enable it.

Furthermore, Advanced Data Protection for iCloud uses an end-to-end encryption (E2EE) scheme, meaning there's a chance that if you lose access to your devices, you may lose all your encrypted backups and their respective data.

Microsoft continues to position itself as a bulwark against digital authoritarianism, but keeps pushing its rhetoric beyond the available evidence. This is consequential stuff, and we're disappointed that Microsoft seems more interested in hyping threats as opposed to seeking to help people understand them.

A few recent examples:

On Saturday, Microsoft released an article on "Preparing for a Russian cyber offensive against Ukraine this winter". In this article, Microsoft promotes the view that Russia is launching coordinated cyber and conventional attacks:

Amnesty International hack: A Chinese APT group has breached the network of the Canadian branch of Amnesty International, the organization said on Monday. The breach was discovered in early October and was investigated and confirmed with the help of cybersecurity firm Secureworks. Speaking to reporters, Amnesty International said the hackers searched for information on China, Hong Kong, and prominent Chinese activists. The organization said there found no evidence to suggest that Chinese hackers stole information on its donors and members. In August, threat intelligence firm Recorded Future warned that a Chinese APT named RedAlpha was registering lookalike domain names impersonating various human rights organizations, including Amnesty International.

It was ransomware: Rackspace has confirmed that the major outage of its Exchange email server infrastructure that took place over the weekend was caused by ransomware.

Mercury IT ransomware incident: The New Zealand government said that a ransomware attack on Mercury IT, a major local MSP, has impacted the services of several private and public institutions. The attack took place last week on November 30. According to the NZ Herald, the incident has impacted and compromised the data of the Ministry of Justice, the Ministry of Health, the NZ National Nurses Association, health insurer Accuro, and private industry group BusinessNZ.

Rackspace security incident: Cloud hosting platform Rackspace took down its hosted Microsoft Exchange email server infrastructure following what the company described as a "security incident." The incident took place on Friday, December 2, and Rackspace was still working on restoring affected services at the time of this newsletter on Monday morning. No confirmation yet that this is a ransomware attack. British security researcher Kevin Beaumont believes Rackspace's Exchange servers were most likely hacked using the ProxyNotShell vulnerability.

Accuro hack: New Zealand health insurer Accuro said that hackers gained access to its systems in a security incident last week. The company said that while it has no evidence that customer data was accessed, it can't rule out this possibility and urged users to be vigilant of possible fraud.

Ankr crypto-heist: Cryptocurrency platform Binance said it paused its integration with the Ankr DeFi protocol after an attacker used a leaked Ankr platform developer key and minted Binance BNB coins worth more than $4 billion in fiat currency. The attacker is believed to have stolen roughly $5 million worth of cryptocurrency before Binance stopped in to cut off their access, although it appears that Binance did manage to freeze $3 million of this.

LastPass discloses second breach this year: Password management utility LastPass says that a threat actor has breached one of its cloud storage servers using information the company believes was initially stolen during a previous security incident that took place in August 2022. LastPass says the intruder gained access to "certain elements of our customers' information," but that account master passwords remain safely encrypted. The company says it is working with Mandiant and law enforcement to investigate the incident. The incident also impacted the infrastructure of GoTo, a sister company part of the LogMeIn group.

Guatemala ransomware attack: The Guatemala government says it is investigating a ransomware attack that impacted the IT network of the Ministry of Foreign Affairs. The Ministry's data was added to the leak site of the Onyx ransomware group on September 27 and was added again on November 21, according to a report from The Record.

Full Medibank dump: The REvil ransomware gang has released the entire data set the group has stolen from Australian healthcare insurer Medibank. The data was published after the Australian company refused to pay the gang's extortion demand following a security breach in mid-October. Medibank has officially confirmed the leak of its entire data, which includes the personal and medical information of 9.7 million current and former customers.

In the US, the Federal Communications Commission (FCC) has banned Chinese telecommunications and video surveillance equipment from Huawei, ZTE, Hikvision and Dahua from sale in the United States. In the UK, the government banned Chinese surveillance camera manufacturers from installation at its "sensitive sites".

The UK government statement specifically mentioned the PRC's National Intelligence Law as the driver behind the ban. We don't think this is an overreaction. Article 7 of the law states:

It's clear: if the PRC government asks, companies must help.

Facebook fined €265 million: Ireland's data protection agency fined Meta €265 million in connection to the company's April 2021 data breach. The Irish Data Protection Commission said that Meta failed to safeguard its Facebook platform from data scraping, which allowed a threat actor to compile details on more than 530 million Facebook users. This data was later sold on an underground cybercrime forum. Responding to the fine, Facebook told TechCrunch that they have since rolled out protections to detect scraping operations. With this fine, the Irish data protection agency has fined all of Meta's three main platforms after it also fined Instagram €405 million in September 2022 and fined WhatsApp €228 million in September 2021.

EDF fine: French privacy watchdog CNIL has fined nuclear energy group EDF €600,000 for multiple security and privacy lapses. CNIL said that EDF failed to inform users of its web portal how their data was collected and handled, in a clear violation of the EU GDPR regulation. In addition, CNIL said that EDF had also failed to secure passwords for 2.5 million users, which were hashed using the insecure MD5 algorithm and were not salted, according to industry-accepted security best practices.

NIS2: After passing a provisional agreement in May, the European Council has formally adopted NIS2, a new EU directive that enforces a tougher set of cybersecurity incident reporting rules for crucial sectors, such as energy, transport, healthcare, space, public administration, and digital infrastructure. NIS2 replaces the older cybersecurity reporting framework NIS and widens reporting rules from large operators to also include mid-sized companies as well. The EU Parliament also formally passed the NIS2 regulations in October, and member states will have 21 months to incorporate the new NIS2 provisions into their national law.

Twitter data leak: A vulnerability reported via the HackerOne platform was used to mass-harvest the account details of Twitter users, including private information such as phone numbers and email addresses. An initial dataset compiled via this vulnerability and containing the details of more than 5.4 million Twitter accounts was allegedly traded on underground hacking forums earlier this year, while an even larger second dataset has also popped up on hacking forums over the past few days. According to reports, this second dataset allegedly contains details on tens of millions of Twitter accounts.

No WhatsApp breach: A threat actor has been circulating an alleged leak of WhatsApp data. It's fake. It's just a list of phone numbers, according to Alon Gal of Hudson Rock.

Zwijndrecht police ransomed: The Ragnar Locker ransomware gang has hacked and is now extorting the police department of the Belgian city of Zwijndrecht. The group claims to have obtained information detailing thousands of license plates, speeding fines, and even criminal investigations, ranging from 2006 to September 2022. Police officials said they detected the attempt to encrypt their servers and shut down their network for two weeks while they investigated and restored services. Ragnar Locker has already leaked some of the files on their dark web leak site.

EU Parliament DDoS attack: The EU Parliament said its servers were subject to a DDoS attack hours after they proclaimed the Russian government as a sponsor of terrorism. A pro-Kremlin hacktivist group took credit for the attack, according to Roberta Metsola, President of the EU Parliament. The agency's website resumed operations after two hours.

Guadeloupe cyberattack: In a message posted on its official website, the government of the Caribbean island Guadeloupe, a French overseas region, said it was hit by "a large-scale computer attack." Officials said they shut down all affected systems to protect data and diagnose the problem. The incident took place on Monday, and systems have yet to be restored. Security experts believe this is a ransomware attack, although the perpetrators have not yet been identified.

Ransomware on Indian hospital: A suspected ransomware attack has disrupted the IT network of the All India Institute of Medical Sciences (AIIMS), one of India's largest medical schools and hospitals. The Hindustan Times said this would mark the first instance of a major Indian hospital being affected by ransomware. Healthcare organizations, and especially hospitals, have been constantly targeted by ransomware gangs all over the US and Europe for the past five years, but as these organizations are getting better at protecting their networks, ransomware attacks are now hitting other countries as well.