FFT news digest April 1 2022

Facing up to cyber challenges

Cybersecurity is failing to keep pace with a generational upheaval in global politics and economics that will take decades to play out, according to the head of the UK's signals intelligence agency. GCHQ director, Sir Jeremy Fleming, said gaps in national strategies are being painfully exposed and more investment is urgently needed. Fleming added that commentary about the absence of a major Russian cyber attack as part of its invasion of Ukraine misses the point. "Whilst some people look for cyber Pearl Harbours, it was never our understanding that a catastrophic cyber attack was central to Russia’s use of offensive cyber or to their military doctrine,” he said. While "lots of cyber" has been seen in the conflict, Fleming emphasised that a key focus for Moscow has been disinformation, most prominently within Russia itself.

Details are emerging about the most high-profile cyber attack seen so far during the war, which disabled thousands of satellite terminals in Ukraine and elsewhere in Europe. Viasat said attackers took advantage of a misconfigured VPN appliance to gain remote access to a "trusted" section of the network used to manage the KA-SAT satellite network. This allowed malicious commands to be sent to modems in Ukraine and several other European countries. "These destructive commands overwrote key data in flash memory on the modems, rendering them unable to access the network, but not permanently unusable," Viasat said. SentinelOne says the devices were wiped with software linked to a destructive Russian tool. Meanwhile, Reuters reports that the attacks on Viasat are continuing.

Kaspersky: The US Federal Communications Commission has listed Kaspersky Lab as an "unacceptable" security risk to the country. The UK's National Cyber Security Centre's view is slightly different. While advising users to reassess the risks of Russian technology products, it says Kaspersky doesn't represent a threat to individual users "at present".

On the up: One month into the war, Check Point Research says both Russia and Ukraine have seen increases in cyber attacks, of 10% and 17% respectively.

Retaliation: The US and its NATO allies should expect a "long tail of retaliation," in the form of cyberattacks, for the sanctions imposed on Russia, according to cloud security provider, ExtraHop. The Register

Data: Yandex (aka the Russian Google) is sending data harvested from millions of iPhone users to Russia, regardless of whether you use its apps. The Financial Times says (£) the cause is a developer tool created by Yandex and used in a wide range of apps.

Internet outage: Russia's largest entrepreneurship union has warned of imminent large-scale internet service outages due to shortages of telecom equipment. Bleeping Computer

LinkedIn

LinkedIn can be useful, but it's also crammed full of lies and misinformation. A new study has found more than 1,000 profiles using what appear to be faces created by artificial intelligence. NPR says many of the profiles seem to be aimed at generating business leads for real companies, though several of those denied authorising the use of fake images. The risk of such an approach is underlined by a Proofpoint report that examined phishing emails masquerading as job offers. It says it has seen almost 4,000 a day, some of them highly convincing. “Of the job themed threats, nearly 95% are targeted at educational institutions, mainly colleges and universities," Proofpoint said.

Lessons from Lapsus$

Last week's arrests of seven people by British police don't seem to have cramped the style of the Lapsus$ extortionists. Announcing their return from "vacation" on Telegram, they posted 70GB of data that they said were stolen from software development company, Globant. If confirmed, Globant will join Microsoft and authentication giant, Okta, as victims of the Lapsus$ gang. Researchers believe that the methods used to gain access to their networks include multi-factor authentication "bombing". As we've reported previously, this involves bombarding users with prompts to authorise access to an online resource until they eventually get bored and respond to one. The technique is not new, but it's effective. Education can help to defeat it, but the best defence is a hardware key.
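As an added example (not from the digest or any of the companies it mentions), here is a small detector for the prompt-bombing pattern, run over constructed authentication log lines; the log format, field names and thresholds are assumptions for the illustration:

```python
"""Flag MFA push 'bombing': a burst of push prompts to one user, escalated
if the burst ends with an approval (the outcome a fatigue attack is after).
Added example; the log format and field names are constructed, not real."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, user, event
SAMPLE_LOG = """\
2022-03-28T08:01:10Z alice push_sent
2022-03-28T08:01:12Z alice push_approved
2022-03-28T22:14:03Z bob push_sent
2022-03-28T22:14:20Z bob push_denied
2022-03-28T22:14:35Z bob push_sent
2022-03-28T22:14:50Z bob push_sent
2022-03-28T22:15:05Z bob push_sent
2022-03-28T22:15:21Z bob push_sent
2022-03-28T22:15:40Z bob push_approved
2022-03-28T09:30:00Z carol push_sent
2022-03-28T09:30:04Z carol push_denied
"""


def parse_log(text):
    """Parse lines into (timestamp, user, event), sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return sorted(events)


def detect_push_fatigue(text, threshold=4, window=timedelta(minutes=5)):
    """Return [(user, severity, push_count)] for users who received at least
    `threshold` pushes inside `window`; severity becomes
    'approved_after_burst' if an approval arrives while the burst is live."""
    recent = defaultdict(deque)  # user -> push timestamps still inside window
    alerts = {}
    for ts, user, event in parse_log(text):
        q = recent[user]
        while q and ts - q[0] > window:  # drop pushes that fell out of window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold and user not in alerts:
                alerts[user] = ("burst", len(q))
        elif event == "push_approved" and len(q) >= threshold:
            alerts[user] = ("approved_after_burst", len(q))
    return [(u, sev, n) for u, (sev, n) in alerts.items()]
```

Tune `threshold` and `window` to the normal push rate in your own logs; the approval-after-burst case is the one worth paging on.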

Privacy and Google Workspace 

Google has rolled out significant (and controversial) changes to the privacy settings for paying users of Google Workspace. Previously, it was possible to control "Web and App Activity" at an organisation level. Not any longer. Now individual users need to control privacy settings themselves - assuming they can be bothered to find them. Previous settings won't be remembered, so organisations and individuals that opted out of tracking will find they've magically opted back in - at least to some extent. There's also a new function called "Search History" that is turned on by default. Google says it never uses data from its core Workspace service for advertising and so people shouldn't worry. Hmm.

Updates

The importance of applying updates is underlined by the increasing speed at which attackers exploit software bugs. Rapid7 says the average time to exploitation fell from 42 to 12 days in 2020. The figures probably understate reality because Rapid7's report focusses on 'server-side' software such as SAP, VMware and Microsoft Exchange. More positively, it says zero-day (i.e. previously unknown) vulnerabilities are being identified more quickly - and the US Cybersecurity and Infrastructure Security Agency's list of known exploited vulnerabilities provides a handy reference to important updates. This week, the agency highlighted issues with Chrome and uninterruptible power supplies.

In the light of the above, some interesting news about iOS and iPadOS updates. We've long observed that devices set to update automatically can take a long time to do so. Now Apple's software engineering chief has revealed that users can expect a delay of "1-4 weeks" before auto-update will install a new iOS/iPadOS release. It's a good idea to wait a few days before updating. A few weeks is another matter. The lesson is, don't rely on auto-update!

iOS/iPadOS/macOS: Urgent security updates to address two previously unknown issues that are being used to attack iPhones, iPads and Macs.

Chrome: Google Chrome 100 is mainly a security update with 28 fixes.

Edge: As Microsoft's browser is based on Chrome, it's no surprise that it has also had an emergency update.

WD My Cloud: Western Digital has addressed a critical severity vulnerability that could be used to gain remote access to My Cloud OS 5 devices.

Sophos: Updates for Sophos Firewall which are designed to fix a vulnerability that could allow code to be executed remotely.

SecureDrop: Version 2.3.0 includes usability improvements and bug fixes.

Zimbra: 9.0.0 “Kepler” Patch 24 and 8.8.15 “James Prescott Joule” Patch 31 include important security fixes.

Threats

Bypassing security: 10% of UK employees actively circumvent their organisation's security measures, according to Cisco. It also found that many hybrid workers don't believe cybersecurity is their responsibility.

Ukraine: There's been a rise in the number of scams trying to persuade people to part with cryptocurrency. More than 100,000 emails are being sent every day urging people to "Help Ukraine". Cyren

Council tax: Very convincing scam promises a council tax refund and takes victims through a persuasive workflow designed to steal personal information and financial details. My Online Security

Open Office ads: An information-stealing variant (dubbed MarsStealer) is using Google Ads to promote cloned sites that purport to offer OpenOffice. Morphisec

Auto spam: Latest trick of US scammers: deliver spam messages that appear to come from the target's own (Verizon) phone number. Verizon says it's trying to block them. The Verge

Wyze: If you have a Wyze security camera, you might want to think about replacing it. Bitdefender advised its manufacturer about three dreadful security flaws. It took up to two years to fix them. And Wyze Cam v1 is no longer supported, so it will never be fixed. Bleeping Computer

Tech support: Those laughable calls offering to sort out non-existent computer problems have been around for years, but the FBI warns they're still very much a threat. Last year they led to $347 million of losses in 70 countries.

Facebook Messenger: You may have seen coverage in the press about a widespread scam that tries to exploit people's curiosity. The messages simply say, “Look what I found,” and include a link. Clicking it brings up a fake Facebook login page designed to steal login credentials. Metro

In brief

US elections: The FBI has warned US election officials about an ongoing phishing campaign designed to steal their credentials. Officials in at least nine states received invoice-themed phishing emails.

South Africa: We try not to write about proposals (because so many never become reality), but a South African regulator has recommended that anyone wanting to own a smartphone should be required to hand over biometric data.

Ransomware speed: 42 minutes 54 seconds is how long the median ransomware variant requires to encrypt 100,000 files. Splunk

WhatsApp: The EU has reached agreement on the Digital Markets Act which is designed to revolutionise competition between technology companies. The details are yet to be published, but The Verge explains how it could impact on the security of messaging apps like WhatsApp.

Europol: 108 arrests have been made in connection with an alleged international call centre operation behind a vastly profitable investment scam.

Stolen: Apple Stores will start refusing to repair stolen iPhones (i.e. ones that have been reported missing in the GSMA Device Registry). One might ask, why only now? MacRumors

North Korea: Two campaigns exploited a previously unknown vulnerability in the Chrome browser to attack more than 250 people working for 10 news organisations as well as web hosting providers and software vendors. They were targeted with fake recruitment emails. Google

Smart lens: A company has completed development of a display-enabled contact lens and is now awaiting official approval in the US. As CNET explains, it also needs a better power supply.

Social media: A UK survey found that there are two periods of adolescence when heavy use of social media contributed to lower ratings of “life satisfaction”: first around puberty, and again around age 19.
