The US Cybersecurity and Infrastructure Security Agency has released an advisory on the activities of China’s Ministry of State Security (MSS) and its associated agencies and contractors. These operations are characterized by collection of open-source intelligence and by the use of readily available exploits. There’s nothing particularly exotic about the tactics and techniques, but they’ve been proven effective nonetheless. The MSS has tended to concentrate on recently identified vulnerabilities, hoping to catch organizations that have been laggard in patching. Some of the issues exploited include Microsoft Exchange Server (CVE-2020-0688), F5’s Big-IP remote takeover vulnerability (CVE-2020-5902), Pulse Secure VPN's remote code flaw (CVE-2019-11510) and Citrix VPN’s directory traversal problem (CVE-2019-19781).
Investigations into the database leaked from Zhenhua Data continue. The Guardian describes how Canberra-based Internet 2.0 was able to extract information from the (corrupted) files. Zhenhua maintains that there’s nothing particularly sinister about the database: essentially, it’s marketing data. The Australian government’s reaction to the incident has been relatively subdued, but the Labor Party has called upon the Information Commissioner to open an investigation. Reaction from India’s government has been similarly low-key. Since the information was publicly available, the Economic Times reports, the government’s view is that there’s no question of either surveillance or espionage.
Proofpoint researchers this morning reported vulnerabilities that could enable attackers to bypass two-factor authentication in Microsoft Office 365.
Digital Shadows today warned that companies’ access keys are being inadvertently exposed during software development, turning up on GitHub, GitLab, and Pastebin. Almost half are for database stores.