Weekly Cyber Reports

This Week in Cyber 20th September 2024

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Content
Written on

19th September, 2024

Analyst Insight


The world of cyber saw both successes and new threats this week. The Australian Federal Police arrested the creator of the ‘Ghost’ encrypted messaging app, used by criminal organisations. Meta resumed controversial AI model training using public content from adults on Facebook and Instagram, with an opt-out option, after addressing ICO concerns.

 

In terms of cyber attacks, the cybercrime group Vanilla Tempest attacked the US healthcare sector using INC ransomware. Additionally, CentOS-based VPS servers were targeted by a cryptojacking group, and Fortinet confirmed a data breach in which 440GB of files were stolen. Reports indicate that 44% of UK firms lack basic cyber security skills, a gap that makes breaches like these more likely and underlines the importance of security awareness.

 


Meta Announces Training of AI Models with U.K. Facebook / Instagram Content


An article published by Meta this week states that the company will train its AI models using public content shared by adults on Facebook and Instagram in the UK over the coming months. Users aged 18 or over will receive in-app notifications on Facebook and Instagram this week explaining how to opt out.

 

“This means that our generative AI models will reflect British culture, history, and idiom, and that UK companies and institutions will be able to utilise the latest technology,” Meta stated.

 

Meta had recently paused its training of AI models to address regulatory concerns raised by the Information Commissioner's Office (ICO). The ICO has been providing guidance to Meta to ensure that its approach to training AI models is transparent with users. Although the ICO has not granted regulatory approval for the processing, it is for Meta to ensure and demonstrate ongoing compliance.

 


Ghost Encrypted Messaging App Dismantled by Australian Police

 

The Australian Federal Police (AFP) on Tuesday arrested a 32-year-old man living in New South Wales, alleging that he is the creator of the “Ghost” encrypted messaging app, which according to the AFP is used predominantly for illegal activities.

 

Mobile devices were sold to organised criminal groups around the world with a subscription to the “Ghost” encrypted network. The AFP reported an estimated 376 active handsets in Australia, most of them located in New South Wales. Each device cost AUD 2,350 (about £1,200) and came with a six-month subscription to the network.

 

To take control of the app, the AFP mounted a supply chain attack against Ghost's administrator: it modified the software updates the administrator released, so that the devices sold to criminals installed code under AFP control. According to the AFP, the operation resulted in 38 arrests and 71 search warrants, intervention in 50 threats to life or of harm, the interception of more than 200 kg of drugs, and the seizure of 25 illicit firearms and weapons.
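The operation turned on one design fact: a device that applies whatever its update channel delivers belongs to whoever controls that channel. The following is an added example, not Ghost's code or the AFP's method, showing the weak install path beside one that fails closed on a pinned Ed25519 public key. The names (UpdatePackage, SignUpdate, InstallUnsigned, InstallVerified, Scenario) and the update format are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical over-the-air update bundle (names assumed
// for this example, not any real product's format).
type UpdatePackage struct {
	Version   string
	Payload   []byte
	Signature []byte // Ed25519 signature over digest(Version, Payload)
}

// digest binds the version label to the payload so a valid signature cannot be
// reused on a different binary or re-labelled as a different version.
func digest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator: keeps "1.2"+"3..." distinct from "1.23"+"..."
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the release step. In a sound design the private key is held on
// an offline signer or HSM, not on the server that distributes updates.
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, digest(version, payload)),
	}
}

// InstallUnsigned is the weak design: whatever the update channel delivers is
// applied, so anyone who controls that channel controls the device.
func InstallUnsigned(pkg UpdatePackage) error {
	if len(pkg.Payload) == 0 {
		return errors.New("empty update")
	}
	return nil // applied with no check of origin or integrity
}

// InstallVerified fails closed unless the signature verifies against the public
// key pinned on the device at provisioning time.
func InstallVerified(pinned ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pinned, digest(pkg.Version, pkg.Payload), pkg.Signature) {
		return errors.New("signature does not verify against pinned key; refusing update")
	}
	return nil
}

// ScenarioResult records which install path accepted which update.
type ScenarioResult struct {
	GenuineVerified  bool // hardened path accepts the real release
	TamperedUnsigned bool // weak path accepts the swapped payload
	TamperedVerified bool // hardened path accepts the swapped payload (must be false)
	WrongKeyVerified bool // hardened path accepts a payload signed with an untrusted key (must be false)
}

// Scenario exercises a genuine release, a payload swapped on the update
// channel, and a payload re-signed with a key the device has never trusted.
func Scenario() (ScenarioResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	genuine := SignUpdate(priv, "2.4.1", []byte("client: genuine build"))

	// Attacker controlling only the distribution channel swaps the payload.
	tampered := genuine
	tampered.Payload = []byte("client: build with interception hook")

	// Attacker with their own key pair cannot satisfy the pinned public key.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	resigned := SignUpdate(attackerPriv, "2.4.2", tampered.Payload)

	return ScenarioResult{
		GenuineVerified:  InstallVerified(pub, genuine) == nil,
		TamperedUnsigned: InstallUnsigned(tampered) == nil,
		TamperedVerified: InstallVerified(pub, tampered) == nil,
		WrongKeyVerified: InstallVerified(pub, resigned) == nil,
	}, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The caveat matters as much as the check: if the party releasing updates also holds the signing key, as an administrator running the whole pipeline typically does, a compromise of that administrator hands over both, and the device-side verification passes. Signing only buys something when the key is kept apart from the distribution infrastructure, ideally with more than one signer required.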

 


44% of UK Firms Lack Basic Cybersecurity Skills

 

Research published by the UK Government's Department for Science, Innovation and Technology (DSIT) reveals that across all sectors, 44% of businesses have skills gaps in basic technical areas, meaning the employees responsible for cyber security lack the confidence to perform the basic tasks outlined in the government-endorsed Cyber Essentials scheme. That amounts to an estimated 637,000 businesses; a further 390,000 (27%) also lack advanced skills.

 

Within the research, it was found that employers and recruiters believe AI will significantly impact the cyber skills landscape, potentially leading to job losses, a need for AI-related skills, and the emergence of specialised roles like “cyber security machine learning”.

 


Microsoft Reveals INC Ransomware Attacks Targeting Healthcare

 

Microsoft reported on Wednesday that the threat actor Vanilla Tempest has been observed using the “INC” ransomware strain against the U.S. healthcare sector for the first time. INC Ransom is a ransomware-as-a-service (RaaS) operation that has targeted public and private organisations since July 2023.


The attack disrupted IT and phone systems, leading to a loss of access to patient information databases and requiring the rescheduling of some appointments. Microsoft has not named the victim of the attack.

 


TeamTNT Targeting CentOS-VPS Infrastructures

 

The cryptojacking group TeamTNT has resurfaced, targeting CentOS-based Virtual Private Server (VPS) infrastructure. According to Group-IB researchers, the attackers gain initial access through SSH brute-force attacks, then upload a malicious script that disables security features, deletes logs, and terminates competing cryptocurrency mining processes. The script also deploys the Diamorphine rootkit to conceal malicious activity and establish persistent remote access. TeamTNT, first observed in 2019, has a history of infiltrating cloud and container environments for illicit cryptocurrency mining. Despite announcing a “clean quit” in 2021, the group has continued operating; the latest campaign disables SELinux, AppArmor and firewalls, and modifies the SSH configuration to retain control over compromised systems.
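Two of the steps above leave traces a defender can check for without any vendor tooling: the brute force shows up in sshd's log as a run of failed passwords from one source followed by a success, and the hardening teardown shows up as changed settings on disk. The following is an added example, not Group-IB's detection logic or any TeamTNT artefact, run over constructed sample log lines and config fragments. The specific sshd directives it flags (PermitRootLogin, PasswordAuthentication) are this example's assumption about what "modifying SSH configurations" would look like; the report summarised above does not list them.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample of CentOS /var/log/secure (sshd) lines for this example; not real data.
const sampleSecureLog = `Sep 18 03:12:07 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Sep 18 03:12:09 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Sep 18 03:12:11 vps sshd[1205]: Failed password for root from 203.0.113.7 port 51244 ssh2
Sep 18 03:12:13 vps sshd[1207]: Failed password for root from 203.0.113.7 port 51250 ssh2
Sep 18 03:12:15 vps sshd[1209]: Failed password for root from 203.0.113.7 port 51256 ssh2
Sep 18 03:12:18 vps sshd[1211]: Accepted password for root from 203.0.113.7 port 51260 ssh2
Sep 18 03:40:02 vps sshd[1320]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Sep 18 03:40:30 vps sshd[1322]: Accepted publickey for alice from 198.51.100.4 port 40024 ssh2`

// Constructed post-intrusion contents of /etc/selinux/config and /etc/ssh/sshd_config.
const sampleSELinuxConfig = "SELINUX=disabled\nSELINUXTYPE=targeted\n"
const sampleSSHDConfig = "# baseline was PermitRootLogin no / PasswordAuthentication no\nPermitRootLogin yes\nPasswordAuthentication yes\nPort 22\n"

var (
	failedRe   = regexp.MustCompile(`sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3})`)
	acceptedRe = regexp.MustCompile(`sshd\[\d+\]: Accepted password for (\S+) from (\d+(?:\.\d+){3})`)
)

// Hit is one source IP that crossed the failure threshold. LoginUser is set
// when a password login from that IP succeeded afterwards, i.e. the brute
// force most likely worked and the host should be treated as compromised.
type Hit struct {
	Source    string
	Failures  int
	LoginUser string
}

// DetectBruteForce counts failed password attempts per source IP and pairs
// them with any later successful password login from the same source.
func DetectBruteForce(secureLog string, threshold int) []Hit {
	failures := map[string]int{}
	success := map[string]string{}
	for _, line := range strings.Split(secureLog, "\n") {
		if m := failedRe.FindStringSubmatch(line); m != nil {
			failures[m[2]]++
			continue
		}
		if m := acceptedRe.FindStringSubmatch(line); m != nil && failures[m[2]] >= threshold {
			success[m[2]] = m[1]
		}
	}
	var hits []Hit
	for src, n := range failures {
		if n >= threshold {
			hits = append(hits, Hit{Source: src, Failures: n, LoginUser: success[src]})
		}
	}
	sort.Slice(hits, func(i, j int) bool { return hits[i].Source < hits[j].Source })
	return hits
}

// CheckHardeningState flags the settings this example assumes a torn-down host
// would show: SELinux switched off and sshd re-opened to root password logins.
func CheckHardeningState(selinuxConfig, sshdConfig string) []string {
	var findings []string
	for _, line := range strings.Split(selinuxConfig, "\n") {
		if v := strings.TrimSpace(line); v == "SELINUX=disabled" || v == "SELINUX=permissive" {
			findings = append(findings, "selinux: "+v)
		}
	}
	weak := map[string]string{"permitrootlogin": "yes", "passwordauthentication": "yes"}
	for _, line := range strings.Split(sshdConfig, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		if bad, ok := weak[strings.ToLower(fields[0])]; ok && strings.EqualFold(fields[1], bad) {
			findings = append(findings, "sshd_config: "+fields[0]+" "+fields[1])
		}
	}
	return findings
}

func main() {
	for _, h := range DetectBruteForce(sampleSecureLog, 5) {
		fmt.Printf("brute force from %s: %d failures, login as %q\n", h.Source, h.Failures, h.LoginUser)
	}
	for _, f := range CheckHardeningState(sampleSELinuxConfig, sampleSSHDConfig) {
		fmt.Println("finding:", f)
	}
}
```

Because the script described above deletes logs on the host, this kind of check is only dependable when sshd logs are shipped off the box as they are written; a local-only /var/log/secure may already be empty by the time anyone looks. The on-disk config comparison is independent of that, but a rootkit such as Diamorphine can hide processes and files, so an unexpected result should be confirmed from outside the running system.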

 


Fortinet Confirms Data Breach | 440GB Stolen


Last week Fortinet, a global leader in cyber security, confirmed a data breach in which a hacker stole 440GB of files from the company's Microsoft SharePoint server. The breach came shortly after Fortinet completed its acquisition of Lacework, an AI-powered cloud security provider. Notably, the hacker claimed Lacework was responsible for the leaked drive at the heart of the breach; Fortinet, however, has not drawn any link between the acquisition and the breach.

 

In response, Fortinet emphasised that the breach was limited to a small portion of customer data stored in a third-party cloud-based system, and that no internal systems, corporate networks, or operations were affected. The company also confirmed that there was no ransomware or encryption involved.

 

This incident has parallels with the 2018 Marriott Hotels breach, in which vulnerabilities in the systems of Starwood Hotels, acquired by Marriott, were exploited, affecting an estimated 339 million guests. Both breaches highlight how third-party systems and newly acquired assets can create significant security gaps if they are not thoroughly integrated and secured. In Fortinet's case, the timing of the breach shortly after the Lacework acquisition raises questions about the risks of merging new technology into an organisation's existing infrastructure, even though no causal link has been established.

 

 


FBI Dismantles Flax Typhoon APT Botnet Affecting 200K Devices


Flax Typhoon is an APT that targets IT infrastructure, government agencies and critical manufacturing. Its Raptor Train botnet infected 200,000 Internet of Things (IoT) and small-office/home-office (SOHO) devices, including routers, firewalls and network-attached storage (NAS). The botnet's traffic was disguised as routine Internet traffic to avoid detection. This week a joint operation by the FBI, the US Department of Justice and French authorities disrupted the botnet.

