Weekly Video: September 26, 2022
9–26–2022 (Monday)
Hello and welcome to another edition of Cyber Risk at Deal Speed, your weekly video rundown of cybersecurity news and strategy for investors, deal teams, and the management teams of portfolio companies.
I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io
Today is Monday, September 26th, and this week we’re going to talk about a couple of recent breaches, how they happened, and why that matters to PE- and venture-backed firms.
Lots of lessons to learn, and we’re going to try to do it in 5 minutes or less.
Uber’s Breach, con’t
Optus (AUS) Breach
HHS on APT 41 - and why that’s a bigger deal than it might seem
Uber’s Breach, Con’t.
Uber continues to do a poor job - in my opinion - of managing the fallout from their recent breach.
What really has me frustrated with their response is the latest official update. Let’s be clear - there are some real wins in this update.
In particular, their response actions represent best practices, such as
Rotating keys, disabling tools, requiring reauthentication, boosting monitoring, resetting accounts, etc.
My problem, though, is two-fold. First, they use lots of language that’s weighted as if it was fact, but remains speculation.
For example, “it is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware.”
Were they leaked? Or not? Was the personal machine compromised? Or not?
The guessing here doesn’t help.
The second issue that I have is a bigger version of the same thing - Uber names the threat actor group Lapsus$ as the perpetrator, and links to a TechMeme article about a Grand Theft Auto leak - with no real evidence.
Is this supposed to be a distraction tactic? Does it make it better or worse that the corporate security team and control set of a $54B company was compromised by a teenager or two? I can’t tell, I don’t know what it matters to the incident, and I really feel like introducing this now - with no evidence and in an official Uber statement - is disingenuous (at best).
For what it’s worth, Uber is down about 13% since the news of this breach broke, so maybe this is just damage control? I don’t know, but the blame game isn’t a good look.
Uber’s not alone in this, though.
Optus Breach
Optus, Australia’s second largest telco, was breached last week, and while the telco declined to say what the extent of the breach was, 11.2M records claiming to be from this incident appeared on the dark web for sale.
The CEO of Optus said they were “devastated to discover that we have been subject to a cyberattack” and that they “immediately took action to block the attack”.
Reports have since surfaced that this data was exfiltrated from an API endpoint that was public facing and didn’t require authentication - the attacker simply enumerated the customer data by incrementing the ID number and pulling out each response.
Reports also indicate that it did trigger an alert for an anomalous amount of traffic. That’s quite a bit of traffic to go out the door between the alert and the data that was ultimately posted online. I’m not quite sure it amounts to an “immediate” response.
But the key here is that this wasn’t an attack like Uber’s - it didn’t take social engineering, it didn’t take defeating multi-factor auth, it just took making an API request to an open endpoint. These are the sorts of things that we just can’t have large telecoms - or any business - do in 2022 and beyond. And even if they did happen to deploy a production system this way, testing should’ve caught this error - even rudimentary attack surface tools should’ve found an open API endpoint hanging off of your production domain.
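To make the failure mode concrete, here is an added illustration (not Optus’s code, and not from any of the reports linked below) of the pattern described above: a customer-record lookup that takes a sequential numeric ID and requires no credentials, next to a hardened version that authenticates the caller, checks that the record belongs to them, and uses opaque identifiers that cannot be walked. It also includes the kind of check a monitoring team would want: a small detector that flags a source walking many sequential IDs in a short span. The records, tokens, log lines and the URL path are all constructed for the example.

```python
"""Unauthenticated, enumerable customer API versus a hardened one, plus a
simple enumeration detector. All data here is constructed for illustration."""
import hmac
import re
import secrets
from collections import defaultdict

# Constructed customer records keyed by a sequential integer ID (the weak design).
CUSTOMERS = {
    1001: {"name": "A. Example", "dob": "1980-01-01", "passport": "PA000001"},
    1002: {"name": "B. Example", "dob": "1981-02-02", "passport": "PA000002"},
    1003: {"name": "C. Example", "dob": "1982-03-03", "passport": "PA000003"},
}


def vulnerable_get_customer(customer_id):
    """Weak pattern: any caller, no credentials, any integer -> full record.
    Walking customer_id from 1 upward returns every record in the table."""
    return CUSTOMERS.get(customer_id)


# --- Hardened version -------------------------------------------------------

# Constructed session store: bearer token -> the customer that session belongs to.
SESSIONS = {"tok-alice-1001": 1001, "tok-bob-1002": 1002}

# Opaque, random public identifiers so there is no sequence to increment.
PUBLIC_IDS = {cid: secrets.token_urlsafe(16) for cid in CUSTOMERS}
INTERNAL_IDS = {pub: cid for cid, pub in PUBLIC_IDS.items()}


class Unauthorized(Exception):
    """No valid session presented (HTTP 401 in a real service)."""


class NotFound(Exception):
    """Record missing or not owned by the caller; one response for both so the
    endpoint does not reveal which other IDs exist (HTTP 404)."""


def hardened_get_customer(public_id, bearer_token):
    # 1. Authenticate: constant-time compare against known session tokens.
    if not bearer_token:
        raise Unauthorized()
    owner = None
    for tok, cid in SESSIONS.items():
        if hmac.compare_digest(tok, bearer_token):
            owner = cid
    if owner is None:
        raise Unauthorized()
    # 2. Resolve the opaque identifier to an internal key.
    cid = INTERNAL_IDS.get(public_id)
    # 3. Authorize at the object level: the caller may only read their own record.
    if cid is None or cid != owner:
        raise NotFound()
    return CUSTOMERS[cid]


# --- Detection: flag a source that walks many distinct, sequential IDs -------

LOG_LINE = re.compile(r'^(\S+) (\S+) "GET /api/customer/(\d+)" (\d+)$')

# Constructed access log: 203.0.113.9 walks 1001..1008; 198.51.100.4 is a normal user.
SAMPLE_LOG = "\n".join(
    [f'2022-09-22T10:00:{i:02d}Z 203.0.113.9 "GET /api/customer/{1001 + i}" 200'
     for i in range(8)]
    + ['2022-09-22T10:00:09Z 198.51.100.4 "GET /api/customer/1002" 200',
       '2022-09-22T10:00:10Z 198.51.100.4 "GET /api/customer/1002" 200']
)


def detect_enumeration(log_text, max_distinct_ids=5):
    """Return {source: stats} for sources requesting more than max_distinct_ids
    distinct record IDs; 'mostly_sequential' is True when >=80% of the gaps
    between the sorted IDs are exactly 1 (the increment-and-fetch signature)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        _ts, src, cid, _status = m.groups()
        seen[src].add(int(cid))
    flagged = {}
    for src, ids in seen.items():
        if len(ids) <= max_distinct_ids:
            continue
        ordered = sorted(ids)
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        flagged[src] = {
            "distinct_ids": len(ids),
            "mostly_sequential": steps.count(1) >= 0.8 * len(steps),
        }
    return flagged


if __name__ == "__main__":
    print(vulnerable_get_customer(1002))            # anyone gets B. Example
    print(hardened_get_customer(PUBLIC_IDS[1001], "tok-alice-1001"))
    print(detect_enumeration(SAMPLE_LOG))            # flags 203.0.113.9 only
```

The three controls in the hardened handler are independent: authentication alone would not have stopped a logged-in customer from reading other customers' records, which is why the ownership check (step 3) matters, and opaque IDs remove the trivial increment-and-fetch path even if the other two checks regress. The detector is deliberately simple; in production the same logic would run per time window and feed the volume alert that, in Optus's case, reportedly fired too late to matter.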
The lesson here is that there’s a certain amount of care - bordering, frankly, on some duty of care and potential for negligence - that is required when handling this type of data.
HHS on APT41
Normally, security briefings from Health and Human Services wouldn’t merit mention in this weekly video, but this one calls out a Chinese-backed state actor for specifically targeting healthcare.
And - it goes so far as to mention how it ties into the Chinese Communist Party’s most recent five-year plan.
The stakes are getting higher for nation-state cyber espionage - “geopolitical tensions” - and this is a good reminder that small and medium businesses, including hospitals, are the front lines of these bigger conflicts.
This all ties into the theme of doing the type and amount of work your companies need to do to remain secure and resilient given the evolving threat landscape - from teenage kids to Chinese military operations.
Fortunately, the same defenses will help protect you from both types of bad actors.
Fundraising
Massive week for new capital - $31.3B. The markets remain volatile, and maybe it will all be used for just a couple of massive take-private plays, but there’s no doubt that capital continues to flow to funds - let’s see when it starts to flow to deals.
You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next week with another edition of Cyber Risk at Deal Speed.
LINKS:
https://www.uber.com/newsroom/security-update/
https://twitter.com/Jeremy_Kirk/status/1573652991496048640
https://www.hhs.gov/sites/default/files/apt41-recent-activity.pdf