At a glance.
- Microsoft releases results of investigation into cloud email compromise.
- "Multiple nation-state actors" target the aerospace sector.
- DPRK targets security researchers.
- Fancy Bear makes an attempt on Ukrainian energy infrastructure.
- "Smishing Triad" impersonates postal services.
- MinIO storage exploit reported.
- New variant of Chae$ malware described.
Microsoft releases results of investigation into cloud email compromise.
Microsoft has published the results of its investigation into how a Chinese threat actor was able to obtain a Microsoft account consumer key, which it used to forge tokens to access OWA and Outlook.com. Redmond's investigators found that the threat actor (tracked as “Storm-0558”) compromised a Microsoft engineer’s corporate account, which had access to the crash dump containing the key. The company said, “Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.” Storm-0558 is a Chinese cyberespionage actor. The crash dump incident saw it compromise cloud-based Outlook email systems used by at least twenty-five organizations, including several US Government agencies, the State Department among them.
"Multiple nation-state actors" target the aerospace sector.
Several nation-state actors exploited two vulnerabilities to attack an organization in the aeronautical sector, according to a joint advisory released Thursday by the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and US Cyber Command’s Cyber National Mission Force (CNMF). The threat actors gained access via CVE-2022-47966 in Zoho ManageEngine ServiceDesk Plus and CVE-2022-42475 in FortiOS SSL-VPN. The joint advisory includes an extensive description of the threat activity, advice on detection, and recommendations for mitigating risk. Patches for both vulnerabilities have been available since early this year.
DPRK targets security researchers.
Google’s Threat Analysis Group (TAG) warns that a North Korean threat actor has been targeting security researchers with at least one zero-day for the past several weeks. Google notified the affected vendor, and the zero-day is in the process of being patched.
Fancy Bear makes an attempt on Ukrainian energy infrastructure.
CERT-UA reported Monday that the GRU's APT28, Fancy Bear, has attempted to compromise an unspecified energy facility with a phishing campaign that carries a malicious payload in a zip file (said to contain links to photos) attached to an email. If the attachment is opened, the victim is exposed to remote code execution. The phishing email is unusual, the Record points out, in that the phishbait is gaudier than the stodgy and sober come-ons that have characterized much Russian phishing of Ukrainian targets. The text of the email often reads, "Hi! I talked to three girls, and they agreed. Their photos are in the archive; I suggest checking them out on the website." Should the recipients incautiously do so, they'll be taken to some apparently innocent websites where the malware will be served.
"Smishing Triad" impersonates postal services.
Resecurity has warned that a China-based cybercriminal group is running a smishing campaign targeting US citizens by impersonating postal services. The threat actors “are operating a package-tracking text scam sent via iMessage to collect personally identifying information (PII) and payment credentials from victims, in the furtherance of identity theft and credit card fraud.”
MinIO storage exploit reported.
Researchers at Security Joes have found that a threat actor was exploiting two vulnerabilities in the distributed object storage system MinIO to steal data and execute arbitrary code. The vulnerabilities had been fixed, but the attackers used social engineering to trick a MinIO developer into reverting the service to an earlier, vulnerable version. They then used the flaws to gain access to the MinIO administrative console, which allowed them to push a malicious update containing exploit code.
New variant of Chae$ malware described.
Morphisec this morning published a description of a new variant of the Chae$ malware, "Chae$ 4," which is being used against the financial services and software supply chain sectors. Among the affected targets are Mercado Libre, Mercado Pago, WhatsApp Web, Itau Bank, Caixa Bank, and MetaMask, as well as content management systems including WordPress, Joomla, Drupal, and Magento. The identity of the threat actor behind the malware is murky, but he, she, or they (it's unclear whether it's an individual or a gang) has come to be known as "Lucifer."
Patch news.
On Thursday Apple issued three emergency patches for a vulnerability that could be exploited to install spyware. The patches affect macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2. "A maliciously crafted attachment may result in arbitrary code execution," the company said in its advisories. "Apple is aware of a report that this issue may have been actively exploited." The report of active exploitation came from the University of Toronto's Citizen Lab, which found evidence that NSO Group’s Pegasus spyware was being installed on vulnerable devices through a zero-click exploit the Lab calls "BLASTPASS." The attacks used PassKit attachments sent as iMessage images. These carried the malicious payload. The patches will protect users against BLASTPASS; so will enabling Apple's Lockdown Mode on the device. Citizen Lab found BLASTPASS on the device used by "a Washington DC-based civil society organization with international offices." Both Apple and Citizen Lab characterize this threat as "mercenary spyware," that is, spyware sold to a variety of actors, especially government security services, without having any essential political connections.
Crime and punishment.
The International Criminal Court (ICC) confirmed to WIRED that it now intends to prosecute cyber war crimes. An ICC representative said, “The Office considers that, in appropriate circumstances, conduct in cyberspace may potentially amount to war crimes, crimes against humanity, genocide, and/or the crime of aggression, and that such conduct may potentially be prosecuted before the Court where the case is sufficiently grave.”
ICC prosecutor Karim A.A. Khan explained the rationale for bringing cyber war crimes into the Court's jurisdiction in an essay, "Technology Will Not Exceed Our Humanity," published in Foreign Policy Analytics. "Cyber warfare does not play out in the abstract," he wrote. "Rather, it can have a profound impact on people’s lives. Attempts to impact critical infrastructure such as medical facilities or control systems for power generation may result in immediate consequences for many, particularly the most vulnerable. Consequently, as part of its investigations, my Office will collect and review evidence of such conduct. We are likewise mindful of the misuse of the internet to amplify hate speech and disinformation, which may facilitate or even directly lead to the occurrence of atrocities." He notes that cyberspace is commonly perceived as an ambiguous gray zone, where serious harm can be worked while the actors remain below a threshold that would generally be recognized as war. The ICC is interested in clarifying that ambiguity.
The ICC doesn't explicitly mention Russia, but WIRED reviews the many reasons for thinking that Russian activity is likely to provide the first cases. The GRU's role in pre-invasion attacks against Ukraine's power grid and in the NotPetya pseudoransomware incident is cited as an example of indiscriminate cyber warfare that may be construed as criminal.
The US Justice Department is expanding investigations under Operation KleptoCapture from its original targets--Russian oligarchs whose activities sustain Russia's war against Ukraine--to professional service providers--"lawyers, accountants and other facilitators"--who've helped the oligarchs evade sanctions. The Operation's inaugural director, Andrew Adams, who retired to private practice in July, told the Wall Street Journal that "the people who are on the list tend to be either key propagandists or tend to be people who are essentially pocketbooks for the Kremlin. Any ability to stifle the availability of that pocketbook is at least potentially useful, and I think in the mid- and long term, probably a worthwhile project."
On Thursday the US Department of Justice announced "three indictments in three different federal jurisdictions have been unsealed charging multiple Russian cybercrime actors involved in the Trickbot malware and Conti ransomware schemes." All of those charged are Russian nationals. Their given names and noms-de-hack are Maksim Galochkin, aka Bentley; Maksim Rudenskiy, aka Buza; Mikhail Mikhailovich Tsarev, aka Mango; Andrey Yuryevich Zhuykov, aka Defender; Dmitry Putilin, aka Grad and Staff; Sergey Loguntsov, aka Begemot and Zulas; Max Mikhaylov, aka Baget; Valentin Karyagin, aka Globus; and Maksim Khaliullin, aka Maxfax, Maxhax, and Kagas. See the notes on the related Treasury Department sanctions described below.
Vladislav Klyushin, a wealthy Russian tech entrepreneur who owned M-13, a company that provided IT services to the Russian government, was sentenced Thursday to nine years by a US Federal Court for wire fraud and securities fraud. His activities were connected with a $100-million stock fraud scheme. Some of Mr. Klyushin's alleged co-conspirators remain at large.
Courts and torts.
In February the US and UK jointly imposed sanctions on members of Russia’s privateering Trickbot gang. As the US Treasury Department put it at the time, “The Trickbot Group’s preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services. This included targeting the U.S. government and U.S. companies.” Seven individuals were named in that round of sanctions. This week the two governments added eleven more members of the gang to the list of sanctioned individuals. They’re described as “administrators, managers, developers, and coders who have materially assisted the Trickbot group in its operations.” The sanctions require, as a minimum, that “all property and interests in property of the individuals that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC,” the Treasury Department’s Office of Foreign Assets Control. And the Trickboteers will find it more difficult to do business with foreigners. The Treasury statement explains, “OFAC’s regulations generally prohibit all dealings by U.S. persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of blocked or designated persons.”
The Cyber Express reports that IBM is being sued over a data breach that was reportedly caused by vulnerabilities in the popular file transfer software. The plaintiff, Jennifer Wedeking, claims that IBM was negligent in using the software despite being aware of the platform’s security issues.
Policies, procurements, and agency equities.
Privacy activists and tech companies have been speaking out against a controversial clause in the UK’s Online Safety Bill that would essentially put an end to end-to-end encryption. However, it appears the clause may no longer be an issue. As Wired reports, the British government has admitted it doesn’t have the capability to securely scan encrypted messages.
New Zealand's Computer Emergency Response Team (CERT NZ) has merged with the country’s National Cyber Security Centre (NCSC), but NCSC head Lisa Fong says that for now, operations will continue as usual, at least from a customer perspective. “This initial shift has been designed to minimise disruption to customers, with the move simply transferring CERT NZ’s operations and staff from the Ministry of Business, Innovation and Employment to the NCSC,” Fong told Reseller News. She said that the group is working on an integrated operating model that will allow them to work as a single agency similar to those in Australia, the UK, and Canada. The merger follows a recommendation made by the Cyber Security Advisory Committee (CSAC) in July.
The US Securities and Exchange Commission's (SEC) Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule took effect this week. The regulations, under preparation since 2022, seek to address the growing cyber risks facing public companies. Specifically, public companies will be required to address material cyber incidents in their 8-K filings. "New Form 8-K Item 1.05 will require registrants to disclose any cybersecurity incident they determine to be material," the SEC said in a factsheet, "and describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations."
The UK National Cyber Security Centre (NCSC), an arm of Britain’s Government Communications Headquarters (GCHQ), has selected its first ever Chief Technology Officer. Ollie Whitehouse has decades of experience in cybersecurity in the private sector, most recently working at information assurance firm NCC Group, the Record notes.
The Washington Post reports that the US Cybersecurity and Infrastructure Security Agency (CISA) has brought in Peiter "Mudge" Zatko as a part-time senior technical advisor on security-by-design.
Fortunes of commerce.
SentinelOne still says it's not for sale, and clarified the state of its partnership with reported (smaller) suitor Wiz. The partnership is still in place; only the reselling agreement had been cancelled. Late Friday afternoon CNBC reported that SentinelOne CEO Tomer Weingarten said the company was not for sale, but instead was “focused on our individual path.”
Labor markets.
TechTarget’s Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) have published research looking at the cybersecurity workforce, finding that the majority of cybersecurity workers said their jobs have grown more difficult over the past two years. The problems that about two-thirds of those surveyed report are both internal and external to their organizations. Externally, a more challenging set of threats and more onerous regulatory regimes have made the job tougher. Internally, workers say staffing shortages, parsimonious budgets, and workload complexity have combined to increase the burdens at work and have made their careers more difficult.
71% of organizations say they've been affected by a shortage of workers with cybersecurity skills, and that, the report says, represents "a dramatic increase from 57% in the last study." The labor shortage has increased cybersecurity team workloads and contributed to a high rate of staff burnout. Organizations say that they have the most difficulty finding people qualified to work in application security, cloud security, and security analysis and investigations.
Industry has long deplored cybersecurity labor shortages, so this study adds volume to a familiar complaint. It's interesting, however, to see the tension between such reports of a tight labor market and a more recent trend toward layoffs by cybersecurity firms. Cybersecuritynews reports that data from Layoffs.fyi show that "at least 46 cybersecurity companies have laid off 4738 employees since the start of 2023." And those numbers represent minima, since not all companies are required to report layoffs and therefore many do not. Many of the layoffs followed mergers or acquisitions, and therefore are unlikely to be composed entirely of cybersecurity specialists. Staff teams like marketing and HR, for example, are notoriously vulnerable to cuts after M&A as the combined organizations eliminate redundancies and look for economies of scale. But a significant fraction do affect cybersecurity workers proper.
Mergers and acquisitions.
Globes reports that Tenable is in "advanced talks" to acquire Israeli cloud security firm Ermetic for approximately $350 million.
Investments and exits.
London-based chip giant Arm is looking to raise nearly $5 billion in its IPO later this month, CNN reports. The IPO is expected to value the company at up to $52.3 billion, with its current owner SoftBank continuing to hold about 90% of its shares.
SeekingAlpha reports that data protection company Rubrik is aiming for an IPO later this year. Bloomberg cites sources as saying the company could sell between $500 million and $700 million worth of shares in the offering.
Six leaders honored at the 2023 Billington CyberSecurity Summit.
Six people were honored at the Billington CyberSecurity Summit in Washington, DC, this week. Congratulations to them all:
- 4th Annual General (Ret.) Michael V. Hayden Lifetime Achievement Award for Public Service—Hon. Suzanne E. Spaulding, Senior Advisor, Center for Strategic and International Studies
- 12th Annual Cybersecurity Leadership Award (Sponsored by Cisco)—Brian J. Peretti, Director, Domestic and International Cyber Policy, U.S. Department of the Treasury
- 6th Annual Billington International Cybersecurity Award (Sponsored by AWS)—Sami Khoury, Head, Canadian Centre for Cyber Security
- 2nd Annual Billington Public Private Partnership Leadership Award (Sponsored by Booz Allen Hamilton)—Holly Baroody, Executive Director, U.S. Cyber Command
- 2nd Annual Billington Cyber Workforce Award (Sponsored by Leidos)—Mark Gorak, Principal Director for Resources & Analysis, Department of Defense, Chief Information Officer
- 2nd Annual Billington CyberSecurity Integration Award (Sponsored by Raytheon)—Brandon Wales, Executive Director, Cybersecurity and Infrastructure Security Agency
And security innovation.
SINET has announced the 2013 winners of its annual SINET 16, a program that selects sixteen promising cybersecurity startups. This year's class includes: Cado Security, Concentric AI, DeepFactor, Dig Security, Endor Labs, Kasada, Obsidian, Ox Security, Pangea, Reveal Security, Secret Double Octopus, Securin, Talon Cybersecurity, Traceable, Trinity Security, and Vulcan.