Weekly Video: October 24, 2022
10-24-2022 (Monday)
Hello and welcome to another edition of Cyber Risk at Deal Speed, your weekly video rundown of cybersecurity news and strategy for investors, deal teams, and the management teams of portfolio companies.
I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io
Today is Monday, October 24th, and we are back in the home office with three international news stories that highlight some key issues we’ll need to help our portfolio companies navigate in the immediate future.
Let’s see if we can do them all in 5 minutes or less.
Unsolicited Acquisition Offer Spurs Ransomware Attack
Australian Regulatory Reaction
How APT Groups Actually Work: A Timeline
Unsolicited Acquisition Offer Spurs Ransomware Attack
A publicly traded car dealer group in the UK recently disclosed that it had received an unsolicited acquisition offer. Shortly afterwards it fell victim to a ransomware attack carrying one of the largest ransom demands on record: $60M.
The attackers, who identify themselves as LockBit 3.0, appear to be using this business event as leverage to increase the pressure on the victim.
The victim is refusing to pay. It has confirmed that data was stolen and estimates that the attackers hold roughly 5% of its data.
We don’t yet know whether they will end up paying or negotiating, or how this will affect the acquisition offer, but the pattern is worth noting. A merger or acquisition is a particularly sensitive time, and threat actors know it, so they ramp up their efforts to extract a ransom around these transactions.
As you conduct cyber due diligence on any acquisition, make sure that any critical fixes it identifies are completed before the deal is announced. It is also worth weighing the timing of transaction announcements against cyber risk, though not all of that risk can be avoided.
Threat actors are actively looking for these higher leverage opportunities and won’t be afraid to use them to their advantage.
Australian Regulatory Reaction
Speaking of threat actors, Australia is recovering from a string of high-profile breaches over the past month, including Optus, Telstra, Medibank, Woolworths, and EnergyAustralia. These companies may not be familiar to Americans, but the activity has prompted the Australian government to propose significantly higher penalties for serious data breaches.
Keep in mind that while these penalties are still at the proposal stage, the numbers are significant. The maximum penalty for serious or repeated privacy breaches would become:
AU$50 million;
three times the value of any benefit obtained through the misuse of the information; or
30 per cent of the company's adjusted turnover in the relevant period,
whichever is GREATER.
Regulators around the world continue to increase their oversight of cyber risk, and the US is poised to follow suit with the forthcoming National Cybersecurity Strategy. National Cyber Director Chris Inglis has been telegraphing increased regulation lately, and the actual text is expected any day now.
Now is the time to start investing in these capabilities. If Australia is any indication, the investment will cost far less than the penalty.
How APT Groups Actually Work: A Timeline
Finally, we close with a slightly more technical story: a timeline of an attack by the threat actor group called APT27, believed to be a Chinese state-sponsored group that targets defense contractors, aerospace, telecommunications, energy, manufacturing, technology, education, and government data.
The technical details of this attack will interest defenders, but here are the salient points for our leadership teams:
Time to Breach: APT27 exploited a newly discovered “zero day” flaw in Microsoft Exchange within 2 days to breach a system and establish persistence, i.e. the ability to stay in the network even after the initial vulnerability was patched. Can you patch this quickly? Unlikely; in many cases, a patch isn’t even available within that short a window.
Dwell Time: APT27 then laid low for a total of 9 months, doing nothing but waiting. That is plenty of time for your team to forget about any related zero days or suspicious activity. Are you retaining logs for at least 9 months so that this activity can be reconstructed?
Exfil Window: When they were ready to strike, APT27 exfiltrated almost 3 terabytes of data from 4 different domains over 26 days. Can you see this data going out the door? 3 terabytes, or 3,000 gigabytes, is a lot. Ideally that volume of traffic to net-new destinations would get noticed, but it doesn’t always.
In short, it’s a good read for understanding how the bad actors operate, and for asking whether your own defenses would have been enough to detect, prevent, alert on, and respond to this fairly typical attack.
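To make the "Exfil Window" and "Dwell Time" points concrete, here is an added example of the kind of egress check a defender would run over retained network logs. It is not code from this newsletter or from the Intrinsec report: the log format, the domain names, the byte counts, the baseline period, the 7-day window and the 100 MiB threshold are all constructed for illustration. The idea is the one the point above describes: destinations never seen during a baseline period, to which a host has pushed an unusual volume of data within a short window, are exactly what a 26-day, multi-terabyte exfiltration would look like in aggregate.

```python
"""Flag net-new egress destinations with heavy outbound volume.

Added example, not from the newsletter or the Intrinsec report. The log
format below ("timestamp src dst_domain bytes_out") is hypothetical, and
every record is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline period: destinations the fleet normally talks to.
BASELINE_LOG = """\
2022-01-03T09:12:01Z 10.0.4.15 updates.example-vendor.com 40960
2022-01-03T09:15:40Z 10.0.4.15 mail.example.com 120000
2022-01-04T11:02:11Z 10.0.4.22 cdn.example-vendor.com 3500000
"""

# Constructed activity months later. files.rare-host.example never appeared
# in the baseline and receives ~200 MiB over four days from one host.
ACTIVITY_LOG = """\
2022-10-01T02:14:09Z 10.0.4.15 mail.example.com 90000
2022-10-01T02:31:55Z 10.0.4.15 files.rare-host.example 52428800
2022-10-02T03:05:10Z 10.0.4.15 files.rare-host.example 73400320
2022-10-03T01:58:44Z 10.0.4.22 cdn.example-vendor.com 2100000
2022-10-04T02:12:18Z 10.0.4.15 files.rare-host.example 83886080
2022-10-05T02:40:00Z 10.0.4.15 mail.example.com 110000
2022-10-10T03:01:00Z 10.0.4.22 backup.another-new.example 1048576
"""


def parse(log):
    """Yield (timestamp, src, dst, bytes_out) tuples from the constructed format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)


def baseline_destinations(log):
    """Set of destinations observed during the baseline period."""
    return {dst for _, _, dst, _ in parse(log)}


def flag_new_heavy_egress(log, known, window, threshold):
    """Return {dst: peak_bytes} for destinations absent from `known` whose
    outbound bytes within any span of length `window` reach `threshold`.

    A sliding window over each destination's sorted records finds the peak
    volume, so a slow, multi-day transfer is caught as well as a burst.
    """
    by_dst = defaultdict(list)
    for ts, _, dst, nbytes in parse(log):
        if dst not in known:
            by_dst[dst].append((ts, nbytes))

    flagged = {}
    for dst, recs in by_dst.items():
        recs.sort()
        total, start, peak = 0, 0, 0
        for end in range(len(recs)):
            total += recs[end][1]
            # Drop records that fall outside the window ending at recs[end].
            while recs[end][0] - recs[start][0] > window:
                total -= recs[start][1]
                start += 1
            peak = max(peak, total)
        if peak >= threshold:
            flagged[dst] = peak
    return flagged


def run_example():
    """Apply the check with a 7-day window and a 100 MiB threshold (both assumed)."""
    known = baseline_destinations(BASELINE_LOG)
    return flag_new_heavy_egress(ACTIVITY_LOG, known, timedelta(days=7), 100 * 2**20)


if __name__ == "__main__":
    for dst, nbytes in run_example().items():
        print(f"ALERT new destination {dst}: {nbytes / 2**20:.0f} MiB in window")
```

In this constructed data only files.rare-host.example is flagged: mail and the vendor CDN are in the baseline, and backup.another-new.example is new but moves only 1 MiB. The practical caveats are the ones the newsletter raises: the baseline must come from logs old enough to predate the intrusion, which is why retention measured in months matters, and the window and threshold need tuning per environment, since a 3 TB transfer spread over 26 days can be made to look like ordinary daily traffic if the window is too short.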
Fundraising
As the public markets remain volatile, private capital continues to see private equity as an attractive proposition.
This week saw nearly $11.8B in newly committed capital, less than half of last week’s total but still well over $1B per day. Macroeconomic conditions remain volatile, so it will be interesting to see how that plays out in fundraising for the rest of the year.
You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next week with another edition of Cyber Risk at Deal Speed.
LINKS:
https://twitter.com/AlvieriD/status/1583467922768334848
https://ministers.ag.gov.au/media-centre/tougher-penalties-serious-data-breaches-22-10-2022
https://www.intrinsec.com/apt27-analysis/?utm_source=substack&utm_medium=email&cn-reloaded=1