header image

Cyber Intelligence Briefing: 8 October 2021

Joseph Tarraf, Kyle Schwaeble 8 October 2021
8 October 2021    Joseph Tarraf, Kyle Schwaeble

CHALLENGING INSECURITY: A ROADMAP TO CYBER CONFIDENCE

In our latest report, we demystify the drivers of insecurity among cyber security professionals, in so doing, mapping a path to cyber confidence.

Download Report

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.

  1. Facebook. Major outage caused by misconfiguration.
  2. Reporting requirements. US intensifies push to require reporting of ransomware attacks.
  3. Fightback against cybercrime and APTs. UK “Cyber Force” and US-led coalition.
  4. Ransomware arrests. Europol seizes two prolific hackers in Ukraine.
  5. Five long years. Threat actor had unauthorised access to Syniverse systems for five-year period.
  6. Apache zero-day. A zero-day in over 100,000 Apache servers allows attackers to remotely execute code and expose files.

1. Facebook outage caused by misconfiguration 

On Monday, Facebook, Instagram, and WhatsApp experienced a near six-hour outage. Facebook explained that the interruption was caused by user error when changes to its “backbone routers” were misconfigured and disrupted network traffic between its data centres.  

The misconfiguration also impaired Facebook’s internal tools and systems, which impeded its ability to diagnose and recover from the issue. The company reiterated that the outage was not the result of a cyber attack and that no user data had been compromised.

 

 SO WHAT?  The incident highlights the impact non-malicious cyber incidents, such as system misconfigurations, can have. An over-reliance on a single system to manage services and internal communication channels increases an organisations risk exposure. 


2. US legislative push to require reporting of ransomware attacks intensifies 

The US is intensifying its efforts to require reporting of cyber attacks. New legislation proposed by Democrats would require ransomware victims to notify the Department of Homeland Security within 48 hours of making any ransom payment. Meanwhile, senators have introduced a bipartisan bill that would require critical infrastructure owners and operators to report any cyber attacks they suffer to the US Cybersecurity and Infrastructure Security Agency.

Separately, on 6 October, the Justice Department announced its readiness to sue government contractors and those receiving US government grants if they fail to report cyber breaches.

 

 SO WHAT?  It is likely that at least some aspectsof these proposed laws will come into force. US organisations should familiarise themselves with and plan for any new reporting requirements before an attack happens, so they are prepared in the event they do suffer a cyber breach or make a ransom payment.


3. UK plans to build a “Cyber Force”, meanwhile US proposes anti-cybercrime coalition 

  • The UK has announced its intention to invest GBP 5 billion in strengthening national cyber security, including developing its offensive cyber capabilities. The move will make the UK one of the only countries in the world capable of launching sophisticated offensive cyber operations and is thought to primarily be a means to discourage future attacks against the UK and companies operating in the country. 
  • Separately, the US plans to hold an inaugural meeting for a coalition of G7 and NATO allies later this month where the group is expected to expand cooperation amongst global law enforcement agencies to tackle cybercrime and the illegal use of cryptocurrency.

 

 SO WHAT?  Both announcements continue the growing trend of government and law enforcement action against cyber attacks, and ransomware in particular. We expect to see increasing regulation of cryptocurrency and the expansion of cyber-related sanctions in the near future. 


4. Members of prolific ransomware group arrested in Ukraine 

An international law enforcement operation has resulted in the arrest of two members of an unnamed ransomware group. Although the group’s identity remains unclear, it has been attributed to approximately 100 cyber attacks and is estimated to have cumulatively caused USD 150 million in damages to its victims. 

Alongside the arrests, authorities froze USD 1.3 million worth of cryptocurrency and seized USD 375,000 in cash and two vehicles worth approximately USD 250,000. The arrested individuals each face up to 12 years in prison. 

 

 SO WHAT?  Although the physical arrest of two cybercriminals will not have much impact on the wider issue, such action is increasingly being supported by wider powers and funding for law enforcement and investigative agencies and we will likely see more arrests like these in the future.


5. Syniverse discloses five-year-long breach

In a 27 September filing with the US Securities and Exchange Commission, Syniverse, a telecommunications service provider, disclosed that in May 2021 the company discovered that a threat actor had had access to its systems for five years.

During this period, the threat actor “gained unauthorized access to databases within its network on several occasions” in addition to compromising the login data for the Electronic Data Transfer environment belonging to approximately 235 customers.

In the filing, it stated that “there can be no guarantee that Syniverse will not uncover evidence of exfiltration or misuse of its data or IT systems" that could “have a material adverse effect on Syniverse's business, reputation, financial condition and results of operations”.

 

 SO WHAT?  It is possible that Syniverse may be the subject of investigations looking in to the maturity of the cybersecurity controls they have in place to understand why a breach was able to go undetected for five years and to determine whether the correct controls are in place to protect the data it holds.


6. Apache needs patching 

Over 100,000 Apache web servers are currently exposed to a zero-day flaw allowing attackers to access sensitive files held on vulnerable servers. Threat actors have been observed conducting mass scanning activities in order to identify and target vulnerable Apache servers.

Researchers have created publicly accessible proof-of-concept code that can retrieve sensitive files from vulnerable servers. If the Apache module mod-cgi is enabled on the server, attackers can exploit this vulnerability to achieve remote code execution. 

 

 SO WHAT?  If you have any assets using Apache 2.4.49, upgrade immediately to version 2.4.50.

 

Cyber Threat Intelligence Briefing

To discuss this article or other industry developments, please reach out to one of our experts.

Joseph Tarraf
Joseph tarraf Managing Director, Cyber Security Email Joseph
Kyle Schwaeble
Kyle schwaeble Analyst Email Kyle

CYBER INCIDENT RESPONSE: PERSPECTIVES FROM INSIDE THE RISK ECOSYSTEM

In our latest report, we examine a cyber incident from the perspective of several key stakeholders.

Download Report