This week
Microsoft responds to Chinese compromise, but questions remain
- Microsoft has caved to pressure over critical cloud security audit logs being restricted behind premium-priced plans. “Over the coming months,” the Microsoft post says, “we will include access to wider cloud security logs for our worldwide customers at no additional cost.” The logs in question would have allowed victims of the Chinese attack on Microsoft’s cloud platform (vol. 6, iss. 29) to detect the unusual activity.
- Microsoft’s pricing still locks many security features well out of reach of many businesses below the ‘security poverty line’: for example, enabling compliance reporting against Cyber Essentials costs around £10,000 annually, despite the certification being aimed at small businesses.
- Meanwhile security researchers at Wiz have found that the compromised signing key could be used far beyond the two applications Microsoft said were affected, though Microsoft disputes Wiz’s report. I suspect that the full extent of the attack is still unknown.
- Trey Herr looks at three unanswered questions that Microsoft has avoided (or doesn’t know) about the breach: where did the attackers obtain the Microsoft account consumer signing (MSA) key? Did attackers use the same MSA key in multiple customer environments? How did the attackers move between O365 Government and O365 Commercial infrastructures?
Some amendments made to UK’s Online Safety Bill at Lords’ report stage
- The UK’s Online Safety Bill — encompassing a variety of things, from age verification for viewing pornography to breaking end-to-end encryption on messaging apps — is on its third reading at the House of Lords, and the government is making amendments to the controversial, and arguably flawed, legislation.
- One welcome amendment is to broaden the definition of ‘harm’ with Baroness Kidron making the point that it is “a category error not to see harm in the round. Views on content can always differ but the outcome on a child is definitive. It is harm, not harmful content, that the Bill should measure.”
- There’s been no meaningful shift in position over breaking end-to-end encryption. Clause 122(2)(a)(iii) requires ‘user-to-user’ services (like WhatsApp, Signal, iMessage) to “use accredited technology to identify [Child Sexual Abuse Material] content” that is communicated “publicly or privately”. The ‘accredited’ technology is subject to determination by telecoms regulator Ofcom, and may include ‘human moderators’.
- Encryption is designed to protect the privacy of content. Reviewing encrypted messages will require a ‘backdoor’, or messages being routed via an unencrypted clearing system. This is not just Orwellian (every message being scanned to find the needle in the haystack); it also introduces a weakness that will be targeted by foreign intelligence and cybercriminals who covet access to private communications. Deliberately weakening encryption is one concern; another is that, once implemented for CSAM, it would be trivial to extend the powers to other materials or keywords.
- If you feel strongly, you can use mySociety’s WriteToThem to find a lord to write to and express your concerns.
PwC, EY, and more caught up in MOVEit compromise
- Professional services firms PwC and EY have both been caught up in the mass-compromise of Progress Software’s MOVEit file transfer appliances. At PwC, the cybercriminals seem to have accessed a significant volume of client files, which the Cl0p cybercriminals are releasing.
- UK telco regulator Ofcom has also confirmed that the personal data of 412 employees was compromised, with almost 400 organisations and over 20 million individuals affected by the breaches.
- Coveware expect the Cl0p gang to earn “over $75 million” from extorting MOVEit customers.
- The US government is offering a $10 million reward for information on the Cl0p ransomware gang who claimed responsibility (vol. 6, iss. 25) for the attacks.
- Cynthia Kaiser, deputy assistant director in the FBI’s Cyber Division, has spoken about how the FBI fights ransomware, in particular avoiding ‘whack-a-mole’ approaches in favour of ‘tightening the net’ around the cybercriminal ecosystem more generally.
Interesting stats
8.5% of 337,171 Docker Hub images analysed by researchers from RWTH Aachen University in Germany were found to contain sensitive information such as private keys and API secrets.
600% increase in distributed denial of service (DDoS) attacks against cryptocurrency websites in Q2 2023, according to Cloudflare.
Other newsy bits / in brief
- JumpCloud, who reset customers’ API keys earlier this month (vol. 6, iss. 28), has confirmed that a “sophisticated nation-state sponsored threat actor” gained unauthorised access to their internal network and used this in a ‘targeted’ way against a limited, unnamed number of customers. The company, which claims almost 200,000 organisations use its service as their ‘cloud directory platform’, has published a list of indicators of compromise that have been traced back to North Korean actors.
- Mining giant Fortescue Metals has confirmed a “low-impact” incident involving the Cl0p ransomware gang. Fortescue, the world’s fourth largest iron ore exporter, said that the information obtained and disclosed by the Russian cybercrime group was “not confidential in nature”.
- Ukraine’s national Cyber Police Department seized approximately 150,000 SIM cards from a bot farm that has been disseminating Russian propaganda. The setup was used to register ‘thousands’ of bot accounts on various social media networks.
- Citrix is warning customers to patch a critical vulnerability in their NetScaler ADC and NetScaler Gateway products. CVE-2023-3519 (9.8/10) is being exploited in the wild and allows attackers to execute code remotely without having authenticated to the systems.
- Adobe has been scrambling to patch a few vulnerabilities in ColdFusion. CVE-2023-38203 (also 9.8/10) allows arbitrary code execution and was mislabelled in a previous release, which did not include a fix. The fix for a second vulnerability, CVE-2023-29298, which addresses unauthorised access to web server files, was also incomplete, according to Rapid7.
- Zimbra’s Collaboration Suite contains flaws that “could [potentially] impact the confidentiality and integrity” of customer data. Google says it has seen evidence of the vulnerability being exploited. A fix will be made available later this month, whilst the vendor “kindly” asks customers to apply a manual fix in the interim.
- Sophos is being impersonated by a ransomware crew who are using the vendor’s logo in malware dubbed ‘SophosEncrypt’. Sophos has released a research report and IOCs for the malware.
- Tech support scammers targeting elderly computer users are instructing them to send cash physically via shipping companies instead of making electronic transfers, in a shift of tactics, says the FBI.
- Security labels: The US has launched a labelling programme for Internet of Things devices. The “US Cyber Trust Mark” will apply to a range of connected consumer devices and ‘raise the bar’ for IoT security, with standards being defined by NIST for password practices, data security and incident detection.
- Data brokers will be prevented from selling consumer data to law enforcement and federal agencies under the new bi-partisan ‘Fourth Amendment is Not For Sale’ bill.
- China: President Xi Jinping has issued a directive to build a ‘security barrier’ around its internet.
- Google is running tests to measure how restricting employees’ internet access protects them from cyberattacks.
- Identity verification startup Bureau has raised a $16.5 million Series A.
- Brand protection and takedown outfit Netcraft, founded in 1995, has raised $100 million of investment to grow services and acquire talent.
And finally
Mistyped military messages misdirected to Mali
- Millions of US military emails have been misdirected to Mali due to typos. The West African country’s top-level domain (.ml) is similar to that of the US military (.mil). Johannes Zuurbier, the current operator, has collected around 117,000 emails since January alone and has warned of the issue for a decade but doesn’t feel the US government has taken the matter seriously.
- Apparently, none of the messages are classified, but the material could still be extremely useful to foreign intelligence, as it includes X-rays and medical data, identity document information, crew lists for ships, staff lists at bases, maps of installations, photos of bases, naval inspection reports, contracts, criminal complaints against personnel, internal investigations into bullying, official travel itineraries, bookings, and tax and financial records.
- Zuurbier’s contract for operating .ml expires this coming Monday, when control passes from the Dutch entrepreneur to the Mali government, which is closely allied with Russia.
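The .mil/.ml slip is a mail-gateway problem as much as a user one. As an added example (not from the newsletter or from anyone it mentions), here is a small outbound-recipient check that holds mail when a recipient’s TLD is a known lookalike and the corrected domain is one the organisation legitimately mails; the confusable-TLD map and the allow-list of .mil domains are constructed assumptions for the example.

```python
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Lookalike TLD -> TLD a single dropped character would have produced.
# Hypothetical map for this example; build yours from your own mail logs.
CONFUSABLE_TLDS = {"ml": "mil"}

# Constructed allow-list of domains this organisation legitimately mails.
KNOWN_GOOD_DOMAINS = {"army.mil", "navy.mil", "mail.mil"}


def lookalike_domain(address: str) -> Optional[str]:
    """Return the domain the sender most likely intended if `address` ends in a
    confusable TLD and the corrected domain is on the allow-list; else None."""
    _, addr = parseaddr(address)          # handles 'Name <user@host>' forms
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")  # strip trailing dot
    labels = domain.split(".")
    intended_tld = CONFUSABLE_TLDS.get(labels[-1])
    if intended_tld is None:
        return None
    candidate = ".".join(labels[:-1] + [intended_tld])
    # Only flag when the corrected domain is one we actually correspond with;
    # a genuine Malian correspondent on an unrelated .ml domain is left alone.
    return candidate if candidate in KNOWN_GOOD_DOMAINS else None


def check_recipients(recipients: List[str]) -> List[Tuple[str, str]]:
    """Return (recipient, suspected intended domain) pairs that should be
    held for sender confirmation before the message leaves the gateway."""
    findings = []
    for recipient in recipients:
        hit = lookalike_domain(recipient)
        if hit is not None:
            findings.append((recipient, hit))
    return findings


if __name__ == "__main__":
    # Constructed sample recipient list for a single outbound message.
    sample = ["Jane Doe <jane.doe@army.ml>", "ops@navy.mil", "friend@example.ml"]
    for recipient, intended in check_recipients(sample):
        print(f"HOLD: {recipient} (did you mean {intended}?)")
```

The same map generalises to other one-character TLD slips; a held message should go back to the sender rather than being silently rewritten, since the corrected domain is only a guess.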
Tributes to Kevin Mitnick, who died this week
- Kevin Mitnick, the world’s ‘most wanted’ hacker, has died from pancreatic cancer aged 59. Mitnick was sometimes controversial, though respected, especially for his social engineering skills. Hundreds of tributes have been made from those who knew him across the industry.