
Legacy technology and the dangers of unpatched software and systems are shaping up to be urgent themes this quarter. Last month’s news that Claude Mythos Preview can detect decade-old security flaws has prompted many in the industry to treat legacy tech stack risk as a matter of urgency. Expect a wave of patches designed to shore up those vulnerabilities to come your way soon.
News of two hackers being jailed for ransomware extortion wouldn’t normally come as much of a surprise – except that the two in question were previously cyber security professionals who turned on the very organisations they were meant to protect. Find out how the FBI caught up with them.
We also bring news of the latest phishing scams, which use ‘code of conduct’ content as lures, and how you can stay protected.
And finally, the consequences of legacy technology and poor monitoring: read how two Midlands water companies have been fined nearly £1 million for a cyber attack that could have been avoided by updating their systems.
In the wake of Claude Mythos Preview, get ready to ride the ‘patch wave’ says NCSC
The National Cyber Security Centre is asking organisations to prepare to install a wave of imminent security patches to protect against vulnerabilities uncovered by advanced AI models.
The NCSC is anticipating a rush of software updates, or ‘patch wave’, from technology producers and vendors in response to recent advances in AI-driven vulnerability discovery.
News last month of Anthropic’s release of Claude Mythos Preview – an AI model that its makers claim can detect decade-old security flaws without human intervention – has prompted the NCSC to give out this guidance.
The UK’s national technical authority has shed light on something we talked about in last month’s newsletter – legacy technology, or ‘technical debt’ as the NCSC puts it. This build-up of old technology issues, which organisations have delayed fixing, could be a prime target for advanced AI that falls into the wrong hands.
The NCSC is asking organisations to prioritise securing external attack surfaces, such as those found on network perimeters (file transfer applications, firewalls and VPNs).
Other advice includes:
- Patching cloud instances and on-premises environments
- Upgrading legacy, end-of-life technology, which will not receive updates at all – patching alone is not enough.
- Prioritising ‘hot patching’ and automatic updates, to minimise service disruption and the workload on support teams.
More details of the guidance can be found here.
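The guidance above is a priority order, and the quickest way to apply it is to run an asset inventory through it. The script below is an added example, not NCSC or vendor code: it scores each asset by exposure (internet-facing, perimeter role), then by whether its product is already out of vendor support (in which case the action is ‘upgrade’ rather than ‘patch’), and finally by how long it has gone unpatched. The inventory is constructed; the end-of-support dates are the published vendor dates for the named Windows Server versions, and the ‘LegacyFTP Appliance 3.x’ product is hypothetical.

```python
"""Triage an asset inventory in the order the NCSC 'patch wave' guidance sets out.

Added example, not NCSC or vendor code. The inventory is constructed;
the end-of-support dates are the published vendor dates for those products.
"""
from dataclasses import dataclass
from datetime import date

# Published vendor end-of-extended-support dates for the products used below.
EOL_DATES = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows Server 2019": date(2029, 1, 9),
}

# Perimeter roles the NCSC singles out for first attention.
PERIMETER_ROLES = {"vpn", "firewall", "file-transfer"}


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    role: str
    internet_facing: bool
    last_patched: date


@dataclass(frozen=True)
class Assessment:
    name: str
    action: str        # "upgrade", "patch" or "verify-support"
    score: int         # higher = deal with it sooner
    reasons: tuple


def assess(asset: Asset, today: date) -> Assessment:
    """Score one asset: exposure first, then end-of-life status, then patch age."""
    score = 0
    reasons = []
    if asset.internet_facing:
        score += 50
        reasons.append("internet-facing")
    if asset.role in PERIMETER_ROLES:
        score += 30
        reasons.append(f"perimeter role: {asset.role}")

    eol = EOL_DATES.get(asset.product)
    if eol is None:
        # Unknown support status is a finding in itself, not a pass.
        action = "verify-support"
        reasons.append(f"no end-of-support date on file for {asset.product}")
    elif eol <= today:
        # Out of support: no fixes are coming, so patching alone cannot help.
        action = "upgrade"
        score += 40
        reasons.append(f"end-of-life since {eol.isoformat()}")
    else:
        action = "patch"

    # Patch age adds one point per month, capped at 20.
    months_unpatched = (today - asset.last_patched).days // 30
    score += min(months_unpatched, 20)
    if months_unpatched >= 3:
        reasons.append(f"not patched for {months_unpatched} months")
    return Assessment(asset.name, action, score, tuple(reasons))


def triage(inventory, today: date) -> list:
    """Return assessments ordered so the most exposed assets come first."""
    return sorted((assess(a, today) for a in inventory),
                  key=lambda r: r.score, reverse=True)


# Constructed inventory for the demonstration; the FTP appliance product is hypothetical.
SAMPLE_INVENTORY = [
    Asset("ftp-edge-01", "Windows Server 2012 R2", "file-transfer", True, date(2024, 1, 10)),
    Asset("app-srv-07", "Windows Server 2019", "app", False, date(2026, 2, 1)),
    Asset("hr-legacy-01", "Windows Server 2003", "app", False, date(2015, 7, 1)),
    Asset("web-proxy-02", "Windows Server 2019", "firewall", True, date(2026, 3, 20)),
    Asset("build-box-03", "LegacyFTP Appliance 3.x", "ci", False, date(2026, 4, 1)),
]
DEMO_DATE = date(2026, 5, 1)  # fixed so the run is reproducible


def demo_triage() -> list:
    return triage(SAMPLE_INVENTORY, DEMO_DATE)


if __name__ == "__main__":
    for r in demo_triage():
        print(f"{r.score:4d}  {r.action:15s} {r.name:14s} {'; '.join(r.reasons)}")
```

The internet-facing file transfer server on an out-of-support OS lands at the top, ahead of a fully supported perimeter firewall, and the end-of-life HR box is marked ‘upgrade’ even though nobody can reach it from outside. The weights are a starting point to adjust, not a standard.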
The arrival of Mythos has certainly made many authorities and private organisations nervous. In related news, NHS England has asked all its tech leads to close off any open-source code repositories to ensure they can’t be scanned by advanced AI.
HR want to talk to you – but don’t panic...
Microsoft has warned organisations to beware of a new, sophisticated AiTM (adversary-in-the-middle) phishing campaign. Attackers are using very convincing HTML emails, with plausible messages about internal compliance or regulatory matters, to steal employee credentials.
Microsoft says that the attacks have targeted over 30,000 users across the globe, the majority in the US with some in the UK also affected. The attackers use sophisticated social engineering to target a broad range of sectors, including highly regulated verticals such as healthcare and life sciences, and financial and professional services. As we’ve mentioned previously, an AiTM attack relays the victim’s live authentication session through an attacker-controlled proxy: the user completes multifactor authentication as normal, but it is the attacker’s proxied session that ends up authenticated, and the attacker captures the resulting session cookie or token.
The emails used persuasive subject lines such as “Internal case log issued under conduct policy” and “Reminder: employer opened a non-compliance case log”. The body of the messages contained urgent content about a “code of conduct review” being initiated and used organisations’ specific names within the text.
Recipients were asked to “open a personalised attachment” to review case materials. Worryingly, each message carried a notice at the top claiming it had been issued “through an authorized internal channel”.
When they clicked the link, users were sent through multiple attacker-controlled domains with several landing pages and CAPTCHA checks (which also keep automated URL scanners away from the final page). The chain ended at a fake Microsoft sign-in page that proxied the real authentication flow, letting the attackers capture session tokens and access user accounts.
Microsoft has the following security tips to protect organisations from this phishing scam:
- Carry out regular user-awareness training about advanced phishing lures
- Use Microsoft Defender for Office 365 and configure necessary email security settings
- Turn on network protection, which extends SmartScreen to block outbound connections to known malicious domains and IP addresses.
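Because the MFA prompt is genuinely satisfied, the trace an AiTM attack leaves is in the sign-in logs: a session established with MFA from the victim’s browser, then the same session token used minutes later from a different address and a different client. The script below is an added example, not Microsoft’s code, that runs that check over a constructed log. The log format (timestamp, user, session id, IP, user agent, event) and every entry in it are made up; real sign-in logs such as Entra ID’s carry different field names, so the parser would need adapting.

```python
"""Flag sessions whose token is reused from a different client soon after an
MFA sign-in, the pattern an AiTM proxy leaves behind.

Added example, not Microsoft's code. The log format and entries are constructed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sign-in log: timestamp,user,session_id,ip,user_agent,event
SAMPLE_LOG = """\
2026-05-06T09:01:12Z,alice@example.com,sess-7f3a,198.51.100.23,Mozilla/5.0 (Windows NT 10.0) Chrome/124,interactive_signin_mfa
2026-05-06T09:03:40Z,alice@example.com,sess-7f3a,203.0.113.77,python-requests/2.31,token_use
2026-05-06T09:10:05Z,bob@example.com,sess-19c2,198.51.100.40,Mozilla/5.0 (iPhone) Safari/17,interactive_signin_mfa
2026-05-06T09:35:22Z,bob@example.com,sess-19c2,198.51.100.41,Mozilla/5.0 (iPhone) Safari/17,token_use
2026-05-06T11:00:00Z,carol@example.com,sess-aa01,192.0.2.5,Mozilla/5.0 (Macintosh) Firefox/125,interactive_signin_mfa
2026-05-06T11:20:00Z,carol@example.com,sess-aa01,192.0.2.5,Mozilla/5.0 (Macintosh) Firefox/125,token_use
2026-05-06T14:00:00Z,dave@example.com,sess-c4d9,198.51.100.90,Mozilla/5.0 (Windows NT 10.0) Edge/124,interactive_signin_mfa
2026-05-06T19:30:00Z,dave@example.com,sess-c4d9,203.0.113.10,curl/8.5,token_use
"""

RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    session: str
    ip: str
    ua: str
    kind: str


@dataclass(frozen=True)
class Alert:
    user: str
    session: str
    severity: str
    detail: str


def parse_log(text: str) -> list:
    """Parse the constructed CSV format into Events, oldest first."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, user, session, ip, ua, kind = row
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            user, session, ip, ua, kind))
    return sorted(events, key=lambda e: e.ts)


def detect_token_replay(text: str, window: timedelta = timedelta(minutes=60)) -> list:
    """One alert per session whose token was used from a client other than
    the one that completed MFA. Both IP and user agent changing within the
    window is the AiTM signature; an IP-only change is usually roaming."""
    alerts = {}
    baseline = {}  # session -> the Event that completed MFA
    for ev in parse_log(text):
        if ev.kind == "interactive_signin_mfa":
            baseline.setdefault(ev.session, ev)
            continue
        base = baseline.get(ev.session)
        if base is None:
            continue  # token use with no sign-in in this log slice
        ip_changed = ev.ip != base.ip
        ua_changed = ev.ua != base.ua
        if not (ip_changed or ua_changed):
            continue
        soon = ev.ts - base.ts <= window
        if ip_changed and ua_changed:
            severity = "high" if soon else "medium"  # outside the window is still worth a look
        else:
            severity = "low"  # e.g. mobile roaming: same client, new address
        detail = (f"MFA from {base.ip} ({base.ua}) at {base.ts:%H:%M}; "
                  f"token used from {ev.ip} ({ev.ua}) at {ev.ts:%H:%M}")
        alert = Alert(ev.user, ev.session, severity, detail)
        prev = alerts.get(ev.session)
        if prev is None or RANK[severity] > RANK[prev.severity]:
            alerts[ev.session] = alert
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_token_replay(SAMPLE_LOG):
        print(f"[{a.severity:6s}] {a.user} {a.session}: {a.detail}")
```

Alice’s session is the textbook case: MFA from a Windows browser, then the token used two minutes later from a different address by a scripting client. Bob’s IP-only change on the same phone is downgraded so that roaming users don’t flood the queue, and Dave’s late reuse is still reported at medium rather than dropped by the window. Detection of this kind is reactive by nature; the structural defence against AiTM proxying is phishing-resistant MFA (FIDO2/WebAuthn), whose assertion is bound to the real site’s origin and so cannot be relayed through a look-alike domain.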
Cyber security gamekeepers turn poachers… turn inmates in US prison
Two former cyber security professionals who used their technical skills to deploy ransomware and extort victims have each been jailed for four years. The US Department of Justice announced that Ryan Goldberg and Kevin Martin were sentenced for extortion in connection with ransomware attacks in 2023. A third co-conspirator, Angelo Martin, abused his role as a ransomware negotiator, sharing confidential information with the hackers to drive up the ransoms paid. He has also pleaded guilty and is awaiting sentencing in July.
We covered this case of gamekeepers turning poachers in previous issues. It has also thrown light on the murky Ransomware-as-a-Service ecosystem: FBI investigations revealed how the three men used the ALPHV/BlackCat ransomware platform. As affiliates in a profit-sharing arrangement, they identified high-value targets (many in the healthcare and engineering sectors), attacked them with the ransomware and, when a ransom was paid, handed 20% of the money to the malware’s developers.
The FBI was hot on the heels of the criminals and pursued Goldberg, who tried to escape abroad, through ten countries. It also created a decryption tool that gave hundreds of victims around the world a way to restore their systems, saving roughly $99 million in ransom payments.
The NCSC and UK law enforcement explicitly do not encourage paying any ransom, as payment does not guarantee that victims will regain access to their data or systems. The case has highlighted the importance of vetting your IT and cyber security teams, as they hold the keys to the kingdom.
Our Head of Security, Jake Ives, stresses the importance of conducting due diligence on IT hires:
“With deepfakes on the rise and North Korean actors posing as Western IT workers to funnel wages home and infiltrate corporate networks, knowing exactly who you’re hiring has never been more critical.
Robust identity verification, business-wide training on spotting deepfakes, and thorough address checks before equipment is dispatched are now essential safeguards. Once that person is inside the business, security teams need the tools to detect suspicious sign-ins and unusual working patterns, alongside least-privilege access controls and DLP measures to limit what any individual can reach or remove.”
Legacy software data leak sees South Staffordshire fined nearly £1m
Our warning last month about the dangers of legacy technology is illustrated clearly by the recent ICO fine issued to two Midlands water companies.
South Staffordshire Plc and South Staffordshire Water Plc (together, South Staffordshire) have been fined £963,900 by the Information Commissioner’s Office (ICO) for a cyber attack that led to the theft of over 600,000 customers’ and employees’ personal data.
The intrusion began in 2020 but went undetected until 2022, when IT performance issues alerted staff that something was amiss. That year the attackers escalated their access to administrator privileges, which allowed them to steal 4.1 terabytes of data and publish it on the dark web.
Personal details of customers and employees (both current and former) were stolen. They include names, addresses, National Insurance numbers, South Staffordshire Water online account information and disability details.
The ICO, in a damning report, found that South Staffordshire failed to implement basic security controls required under UK data protection law. The lack of proper controls let the attackers escalate to admin privileges soon after gaining a foothold on the network. Shockingly, only 5% of the IT environment was being monitored, so malicious activity went unnoticed. The companies also relied on obsolete software such as Windows Server 2003, which left vendor support in July 2015.
Ian Hulme, ICO Interim Executive Director for Regulatory Supervisions, summed up the importance of good cyber hygiene when he said, “Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra.”
Other vulnerabilities and updates
- Microsoft Exchange Server Cross-Site Scripting Vulnerability
- Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
- Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability