The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- Confluence exploitation. Jenkins project is one of many victims of a critical Atlassian Confluence exploit.
- Ransomware return. REvil is back online after a short hiatus.
- Exposed. ProtonMail provides activist’s IP address to authorities in response to court order.
- Plans paused. Apple delays rollout of new feature following criticism.
- Carry on Ghostwriter. Russian disinformation campaign reported ahead of German elections.
- WhatsApp stung by GDPR. EUR 225 million fine handed to instant messaging giant.
1. CRITICAL ATLASSIAN CONFLUENCE EXPLOIT IN WIDESPREAD USE
A critical vulnerability in Atlassian Confluence, a widely deployed collaboration and wiki platform, is being actively exploited by threat actors in the wild. Security researchers have detected mass scanning and exploitation activity targeting vulnerable Confluence servers, and estimated that around 4,000 vulnerable servers were still reachable from the internet as of 8 September 2021.
The vulnerability has already been used to compromise infrastructure belonging to the Jenkins project, which maintains the open-source automation server of the same name. Threat actors gained access to a Confluence server operated by the project and installed a cryptominer. Jenkins has since halted all new version releases as a precaution while it confirms that its release pipeline was not affected.
SO WHAT? Ensure that all Confluence servers are patched to a fixed version, as public exploits are readily available. Atlassian has provided a temporary mitigation for servers that cannot be updated immediately. Patching does not evict an attacker who has already exploited the flaw, so any instance that was exposed to the internet while vulnerable should also be checked for signs of compromise, such as unexpected processes or sustained high CPU use from a cryptominer.
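The version check that the advice above implies, as an added example (not S-RM's or Atlassian's code): it triages an inventory of Confluence instances against the first fixed release on each affected branch. The fixed-release list is reproduced here from Atlassian's advisory for this flaw as the editor recalls it and should be confirmed against the advisory before acting on the output; the hostnames in the sample inventory are constructed.

```python
"""Triage a Confluence inventory against Atlassian's fixed releases.

Added example, not code from the original briefing or from Atlassian.
"""
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; any trailing build tag is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


# First safe release on each affected branch, as published in Atlassian's
# August 2021 advisory for this flaw. ASSUMPTION: reproduced from memory;
# confirm against the advisory. Every release below an entry on its branch,
# and every branch between two entries, is vulnerable; releases newer than
# the last entry are fixed.
FIXED_RELEASES = ("6.13.23", "7.4.11", "7.11.6", "7.12.5", "7.13.0")
FIXED: List[Version] = sorted(parse_version(s) for s in FIXED_RELEASES)


def governing_fix(version: Version) -> Optional[Version]:
    """Return the lowest fixed release whose major.minor branch is at or above
    the given version's branch, or None if the version is newer than every fix.

    Example: 7.5.3 sits between the 7.4 and 7.11 fixes, so its governing fix is
    7.11.6 and it is vulnerable; 7.4.12 is governed by 7.4.11 and is fixed.
    """
    candidates = [f for f in FIXED if f[:2] >= version[:2]]
    return min(candidates) if candidates else None


def is_vulnerable(version_text: str) -> bool:
    v = parse_version(version_text)
    fix = governing_fix(v)
    return fix is not None and v < fix


class Finding(NamedTuple):
    host: str
    version: str
    upgrade_to: str  # lowest fixed release on or above the host's branch


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Return a Finding for every (host, version) pair that is still vulnerable."""
    findings = []
    for host, version_text in inventory:
        v = parse_version(version_text)
        fix = governing_fix(v)
        if fix is not None and v < fix:
            findings.append(Finding(host, version_text, ".".join(map(str, fix))))
    return findings


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    ("wiki-old.example.internal", "6.13.22"),
    ("wiki-dc.example.internal", "7.4.11"),
    ("wiki-eng.example.internal", "7.5.3"),
    ("wiki-prod.example.internal", "7.12.4"),
    ("wiki-new.example.internal", "7.13.1"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.version} is vulnerable, upgrade to {f.upgrade_to} or later")
```

A clean result from this script says only that the version is fixed, not that the host is clean: an instance that was exposed while vulnerable still needs to be checked for compromise, as the Jenkins incident shows.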
2. RETURN OF REVIL
The REvil ransomware group has resurfaced after going offline in July. The group went quiet shortly after its supply chain attack on Kaseya’s VSA remote management tool, which affected over 1,500 organisations globally. Following the Kaseya attack, the group faced mounting pressure from global law enforcement agencies, and some experts believe the Russian government acted to shut REvil down.
Nevertheless, the group has returned, and Distributed Denial of Service attacks against several UK Voice over IP providers have recently been attributed to it. Although its ransomware leak site is also back online, no new victims have been added since the group’s July disappearance, and it is unclear whether it has recommenced ransomware operations.
SO WHAT? When REvil disappeared, many of its victims lost the ability to pay for a decryptor or to prevent the leak of their data. The group’s return may provide a lifeline to some organisations still struggling to recover from an attack that occurred months ago.
3. PRIVACY-FOCUSED PROTONMAIL PROVIDES ACTIVIST’S IP ADDRESS IN RESPONSE TO SWISS COURT ORDER
Email provider ProtonMail, which promotes a privacy-focused service, logged and provided to authorities a French activist’s IP address after receiving a Swiss court order to do so. Reports suggest the activist, who was protesting against real estate gentrification in Paris, was subsequently arrested.
ProtonMail’s founder and CEO has responded to the incident, saying ProtonMail does not log user IP addresses by default and only does so if it receives a legal order for a specific account. French police obtained the Swiss court order after submitting a request to Europol.
SO WHAT? A privacy-focused provider is still bound by the law of the country it operates in. ProtonMail’s own statement draws the line that matters: it does not log IP addresses by default, but it can be compelled by a court order to start logging for a specific account. Only data the provider never sees is beyond the reach of such an order, so users who need to hide their IP address from the service itself must do so on their side, for example by connecting over Tor, rather than rely on the provider’s logging policy.
4. APPLE DELAYS ROLLOUT OF NEW FEATURE TO DETECT CHILD SEX ABUSE IMAGES
Apple has announced a delay to the rollout of a feature that would help combat child sexual abuse imagery in order to take “additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.”
The delay comes after the feature faced significant criticism following its announcement in August. Critics argue that the feature could be abused by governments for surveillance purposes. More than 90 global privacy groups wrote to Apple in opposition to the new control, thousands of members of the public signed a petition, and an open letter signed by almost 9,000 security and privacy experts was circulated.
SO WHAT? Although the rollout has been delayed, Apple has not scrapped the feature altogether. Keep an eye out for further developments.
5. GERMANY ALLEGES RUSSIAN DISINFORMATION CAMPAIGN AHEAD OF FEDERAL ELECTIONS
Germany has warned of an influence and disinformation campaign ahead of its federal election on 26 September 2021. According to the German Foreign Ministry, Ghostwriter – a threat group affiliated with Russia’s military intelligence service – is allegedly attempting to steal login details from federal and state lawmakers. Should the accounts be compromised, there are fears Ghostwriter might spread phoney messages to mislead German voters and further Russia’s agenda in the country.
SO WHAT? Influence operations are an effective method for nation state actors to instil uncertainty and promote agendas, particularly in the lead up to elections.
6. WHATSAPP SLAPPED WITH EUR 225 MILLION GDPR FINE
Ireland’s Data Protection Commission (DPC) has fined WhatsApp EUR 225 million for GDPR violations. WhatsApp was penalised for failing to be transparent about how it processed user and non-user data.
WhatsApp intends to appeal the decision. The appeal will likely focus on the size of the fine, which is the largest issued by the DPC, and second largest against an organisation under EU data protection laws.
SO WHAT? The fine concerns transparency about how WhatsApp processes user and non-user data rather than the security of the service itself. Users who are concerned about their privacy, or about how WhatsApp handles their data, have several alternative instant messaging applications to choose from.