F5 SIRT - This Week in Security, Feb 4th -10th, 2024

Introduction

Tikka Nagi is back as your editor. Last week I had an opportunity to help out at F5's customer conference called AppWorld in San Jose, CA. It was fun meeting so many F5ers IRL who I have only known virtually. I spent a couple of days at the MyF5 booth talking to customers about MyF5 and F5 SIRT and how they can leverage both of these resources. It was very interesting to hear from some of our customers and partners about their security challenges and some good war stories. I even had a chance to do some ASM troubleshooting and profile tuning real time for one of our customers. Overall, it was a fun experience, and would love to do it again.

As always a lot is going on in the world of cybersecurity. At F5SIRT, we are working hard to get ready for our Quarterly Security Notification which comes on Feb 14th. Let's take a brief look a some of the top stories in the world of security this week:

The Tale of 3 Million Malware-Munching Toothbrushes

Remember the viral story about millions of hacked toothbrushes taking down a website? Turns out, it might be more fiction than fact. A Swiss news report claimed 1.5 million smart toothbrushes were used in a DDoS attack, citing Fortinet as the source. Fortinet quickly backtracked, calling it a "hypothetical" scenario and a "translation problem." But the drama didn't end there, The Swiss news source insists it was presented as a real attack, complete with details like duration and damage. They even double-checked with Fortinet before publishing.

As I was researching this story, I couldn't find any technical details such as what kind of tech spec the toothbrushes had, which malware infected these,  and since it is a DDoS attack what command and control center was involved. 

It's unclear what is the truth! While Fortinet claims a misunderstanding, the Swiss report stands firm. The jury is still out on the toothbrush DDoS. Whether it was a real attack or a cautionary tale lost in translation, one thing's clear: we need to be more critical of the information we consume online, especially when it sounds too good (or too bad) to be true. 

FCC moves to criminalize most AI-generated robocalls

The FCC is cracking down on robocalls using AI-generated voices after a deepfake Joe Biden message discouraged voting in New Hampshire. This expands the Telephone Consumer Protection Act to cover these calls, allowing for potential criminal charges. State attorneys general gain power to fight these scams, which target everyone from seniors to voters. The move aims to combat the growing threat of AI-powered fraud and misinformation.  

It seems like it will have minimal impact on the use of Robocalls even when the voice is AI-generated since the bill does not include any of these measures:

  1. Carrier liability: Holding carriers responsible if they can't identify the spam source, incentivizing authentication and KYC measures.
  2. Spam rebates: Charging senders a fee for each message, refunded only if the recipient confirms it's genuine.
  3. Contact list management: Using contact lists to differentiate between spam and legitimate messages.
  4. Fines and regulations: Imposing fines on carriers and strengthening regulations.

Robocall spam is a significant problem, and there's a strong desire for solutions. However, finding an effective and balanced solution requires careful consideration and refinement. The conversation is far from over. 

Finance worker pays out $25 million after video call with deepfake ‘chief financial officer’

Imagine you're on a video call with your boss and colleagues, discussing a confidential financial transaction. Everything seems normal, until later you discover it was all a meticulously crafted illusion. This is the shocking reality for a finance worker in Hong Kong, who lost a staggering $25 million after being tricked by deepfakes. The worker receives a suspicious email from the supposed CFO, requesting a secret transaction. Red flags go up, but a video call follows, featuring the "CFO" and other colleagues (all deepfakes). Convinced by the familiar faces and voices, the worker approves the transfer. However, $25 million later, the truth dawns – it was all a cleverly orchestrated scam.

This incident highlights the chilling potential of deepfake technology. By manipulating videos and audio, scammers can create incredibly realistic scenarios, eroding trust and exploiting vulnerabilities. This case isn't an isolated one;

  • Authorities in Hong Kong arrested six individuals linked to similar scams, using deepfakes to bypass facial recognition checks.
  • The entertainment industry has faced deepfake pornographic content targeting celebrities like Taylor Swift.

Combating deepfakes requires educating individuals and organizations about the risks and red flags, developing tools to detect and authenticate deepfakes and legal frameworks to address deepfake misuse.

The deepfake threat is real and evolving. Remember, if something seems too good (or bad) to be true, it probably is. Always verify information through trusted channels before making critical decisions.

Ransomware Payments Exceed $1 Billion in 2023, Hitting Record High After 2022 Decline

F5SIRT has been diligently covering ransomware in past editions of this newsletter. You can see the coverage of Ransomware on this page. It was very interesting to see Chainalysis publish a detailed report on Ransomware Payments made in 2023. It is a long read that you can read at your leisure using the link provided in the Title. Here is a TLDR version of the report:

In 2023, ransomware payments exceeded $1 billion, marking a record high after a decline in 2022. Ransomware attacks targeted critical infrastructure and high-profile institutions, exploiting vulnerabilities like the MOVEit software, and affecting numerous companies. This resurgence emphasizes the evolving threat of ransomware, its growing impact on global security, and the challenges in monitoring and tracing payments. Law enforcement interventions, such as the FBI's infiltration of the Hive ransomware strain, have shown some success in mitigating these threats. 

Key Points:

  • Record-breaking payments: Ransomware victims paid over $1 billion in 2023, marking a significant jump from 2022.

  • Shifting tactics: Cybercriminals are targeting high-profile entities and critical infrastructure, often employing sophisticated zero-day exploits.

  • RaaS on the rise: Ransomware-as-a-Service (RaaS) models are simplifying attacks, attracting new players, and facilitating "big game hunting" for larger ransoms.

  • Law enforcement action: While the Hive takedown and BlackCat disruption were successes, the fight against ransomware requires continued collaboration and proactive engagement from all stakeholders.

Deep Dive:

  • The report dives into the various ransomware strains and their strategies, highlighting the dominance of "big game hunting" and the increasing use of data exfiltration.

  • It explores the role of initial access brokers (IABs) in lowering the barrier to entry for attackers and the growing use of mixers and other services for laundering stolen funds.

  • The case study of Cl0p's MOVEit exploit showcases the effectiveness of zero-day attacks and the shift towards data exfiltration as a more efficient extortion tactic.

Updated Mar 05, 2024
Version 5.0
F5 SIRT
security
series-F5SIRT-this-week-in-security
TWIS

Was this article helpful?

No CommentsBe the first to comment