Microsoft report on Nobelium
Microsoft announced that the Nobelium threat group, previously behind the SolarWinds supply chain attack, has breached at least 14 managed service and cloud providers since May 2021. Overall, Microsoft said it notified 609 customers of 22,868 attacks between July and October, although Nobelium saw only a low single-digit success rate. To put the scale of this activity into context, Microsoft said this is more than all of the notifications about attacks from state-affiliated groups it sent to customers in the three years prior to July 2021. While the group constantly changes tactics and attack vectors, its overall mission appears to be gaining long-term access to the systems of targets of interest and establishing espionage and exfiltration channels.
Healthcare organizations struggle with breaches
A new report from the Ponemon Institute and SecureLink found that in the last 12 months, 44% of healthcare organizations surveyed had experienced a data breach caused by a third party. Part of the problem is that these organizations are not equipped to properly monitor third parties: only 41% said they had a comprehensive inventory of third parties with access to critical systems, and only 44% had visibility into the levels of access held by internal and external users.
ProtonMail wins appeal on surveillance data
The Swiss Federal Administrative Court upheld an appeal filed by Proton AG, the parent company of ProtonMail, ruling that email services are not telecommunications providers in Switzerland. This means email providers are not subject to the requirement to retain data for surveillance purposes. The Swiss Post and Telecommunications Surveillance Service had decided in September 2020 that ProtonVPN was required to collect surveillance information as a telecom service. The Swiss Supreme Court ruled in April that email, chat, instant messaging, and VoIP providers are "over-the-top" providers, not telecom services.
UK spy chief warns of ransomware surge
Jeremy Fleming, the ironically named director of the UK spy agency GCHQ, said that the number of ransomware attacks against British institutions doubled in the past year, attributing the rise to attacks being highly profitable and "largely uncontested." Fleming said part of the response will require clarifying the lines between ransomware operations and hostile states, pointing fingers squarely in Russia and China's direction. GCHQ declined to give the exact number of attacks Fleming was referencing for the last two years.
Thanks to our episode sponsor, Banyan Security
UK’s largest grocery chain hacked
Tesco, the UK's largest supermarket chain, said an attempt "to interfere with our systems" by threat actors caused disruptions to online grocery deliveries on October 23rd and 24th, with services fully restored by the 25th. Customers reported being unable to access or change orders over the weekend. It is unclear who was behind the attack. Tesco said it did not believe any customer data was impacted.
Twitter report on political amplification
Twitter publicly released the results of its internal investigation into what effect its algorithm has on amplifying political speech. It analyzed tweets between April 1 and August 15, 2020 from political parties and news outlets in Canada, France, Germany, Japan, Spain, the UK, and the US. It categorized the politics of a tweet based on public third-party sources; the company emphasized that it did not arbitrarily assign political affiliation but relied on outside references. The study did not find that the algorithm amplified extreme content more than mainstream content across the political spectrum. It did find that the algorithm amplified right-leaning content more than left-leaning content. The study did not go so far as to determine whether this reflects a bias in the algorithm or whether right-leaning content creators are better at using the system.
Rootkit signed by Microsoft
Security researchers at BitDefender discovered that the rootkit FiveSys made its way through Microsoft's driver-certification process and received a valid digital signature. This allows it to appear as legitimate software and bypass Windows OS-level protections that block unsigned or suspicious drivers. This does not appear to be a case of FiveSys using a stolen certificate; rather, the driver appears to have been submitted for validation and somehow passed Microsoft's checks. Analysis shows the rootkit targets gamers in China and is likely distributed through cracked software downloads. After BitDefender notified Microsoft, Microsoft revoked the signature.
Windows XP will never die
The 20th birthday of Windows XP should probably be a footnote in the history of Microsoft, but instead it serves as a reminder that there are still machines out there running it. The OS left mainstream support in 2009, with extended support ending in 2014. While Microsoft has backported a few security fixes for high-profile vulnerabilities such as EternalBlue and BlueKeep, the OS has been virtually devoid of security patching for the last seven years. Globally, StatCounter found that 0.59% of machines still run XP, more than double the share of the marginally newer Windows Vista. In Armenia, it remains the most popular version of Windows, with 53.5% market share among Windows users.