Security Roundup August 2023
In the month of August, we saw UK police forces give away their data, teens from the Lapsus$ group stand trial for stealing data, ransomware being spread through compromised Cisco VPN accounts, APTs slipping through the net at Barracuda and something that doesn’t “ad” up at Google.
Multiple UK Police Forces Suffer Data Breaches
There has been a growing trend of police forces across the UK suffering data breaches, and it continued apace this month.
The Metropolitan Police said data about its officers, including names, ranks, vetting and salary levels, were breached via unauthorised access to a supplier’s IT systems. The Sun reported that 47,000 personnel may have been impacted. The force has reported the breach to the National Crime Agency and the Information Commissioner’s Office (ICO).
The Police Service of Northern Ireland (PSNI) had a shocker by mistakenly publishing the names, ranks, departments and locations of every serving police officer in the PSNI. A spreadsheet was posted online for several hours before being removed by a hosting provider. Given the history of paramilitary groups targeting police officers in Northern Ireland, the breach is being taken extremely seriously. The Northern Ireland Secretary, Chris Heaton-Harris, stated that he was “deeply concerned” about the breach. The ICO has been informed.
Norfolk and Suffolk Police also revealed the personal information of 1,230 people, including victims of crime and witnesses, was included in Freedom of Information (FOI) responses issued by the forces. The two East Anglian constabularies said a “technical issue” meant raw crime report data was included in a “tiny percentage” of FOI responses issued between April 2021 and March 2022. The forces added that the data was hidden from anyone opening the files, but it should not have been included. The personal details shared were held on a specific police system and related to crime reports.
The list above is, sadly, not exhaustive!
Lapsus$ Hackers Stand Trial
Two teenage members of the Lapsus$ cyber-crime gang were found guilty by a jury of compromising Uber and Nvidia’s computer systems, blackmailing Rockstar Games, and targeting other high-profile victims. Arion Kurtaj, 18, and an unidentified 17-year-old were convicted at Southwark Crown Court in London and are awaiting sentencing. Kurtaj, who was assessed as unfit to stand trial, was not found guilty or not guilty; instead, the jury decided whether he had committed the acts he was accused of.
The jury found that Kurtaj committed 12 offences, including computer intrusion, blackmail, and fraud. The 17-year-old was convicted of fraud, blackmail, and unauthorised computer disruption. The Lapsus$ group, which included these two teens, also attempted to extort BT, Microsoft, Samsung, Vodafone, Revolut, and Okta between 2021 and 2022.
They initially infiltrated BT and EE servers, demanding a £3.1 million ransom, though payment wasn’t made. They stole data, leading to around £100,000 being stolen from cryptocurrency wallets. In 2022, they breached Nvidia, obtaining sensitive information and leaking files, including a Windows malware-signing key. They also stole and revealed unreleased content and code for Grand Theft Auto 6.
The US Department of Homeland Security’s Cyber Safety Review Board investigated the threat posed by the teen hackers in connection with Lapsus$, recommending Congress fund juvenile cybercrime prevention programs and align federal and state law enforcement authorities.
Barracuda Email Gateways Vulnerable Despite Recent Patches
The US Federal Bureau of Investigation (FBI) is warning that Barracuda Networks Email Security Gateway (ESG) appliances patched against a recently disclosed critical flaw continue to be at risk of potential compromise from suspected Chinese hacking groups.
It also deemed the fixes “ineffective”, stating that it “continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit.”
Tracked as CVE-2023-2868 (CVSS score: 9.8), the zero-day bug is said to have been weaponised as early as October 2022, more than seven months before the security hole was plugged. Google-owned Mandiant is tracking the China-nexus activity cluster under the name UNC4841.
Ransomware Targets Cisco VPN Accounts
Akira Group, a relatively new entrant to the ransomware scene, has been targeting businesses using Cisco’s VPN products. By logging into compromised accounts, Akira’s members could breach corporate endpoints, steal sensitive data, and ultimately deploy ransomware.
This is according to research by multiple cyber security firms, although these firms cannot be sure how Akira obtained the login credentials for the VPN service. There are common tools available for attacking Cisco AnyConnect (or, as it’s now known, Secure Client), therefore Protos always advocate putting multi-factor authentication on your VPN services.
Google Sponsored Advertising Fraud
There have been reports of cyber criminals abusing Google’s advertising platform by creating sponsored links to impersonations of legitimate websites. Fraudsters are paying to have their false websites appear at the top of search results to trick users into clicking on links and, unwittingly, interacting with their dodgy domain. Even though the sites are fake, they can display legitimate URLs for popular websites such as Amazon.
The best defence against these scams is to employ some ad-blocking mechanism. For Chromium-based browsers such as Microsoft’s Edge, Google Chrome and Opera, Protos advises installing the extension “uBlock Origin”. An alternative to installing extensions would be to migrate to a browser focused on user privacy, such as Brave or Firefox.
If you need any advice on this issue or any other cyber security subjects, please contact Protos Networks.
Email: [email protected]
Tel: 0333 370 1353