This week
Backdoor found in open source XZ Utils project
- An engineer discovered malicious code this week in a data compression utility shipped by popular Linux distributions that would allow backdoor access to systems. The XZ Utils project included obfuscated code that injects itself into the OpenSSH server used for administering Linux systems (via the liblzma library, which some distributions link into sshd through systemd). LINK
- The method was sophisticated and attempted to avoid detection by hiding the offending code in the release ‘tarballs’ (source archives) of XZ Utils versions 5.6.0 and 5.6.1, which differed from the project’s git repository and so avoided scrutiny by anyone reading the source code there. The payload also checked its environment, only activating when built for Debian or RPM packages on x86-64 Linux and, at run time, only inside the sshd process. However, despite the sophistication, it caused SSH logins to be processed noticeably slowly, which is what caused a Microsoft engineer to go digging. LINK
- The contributor to the project, an account named JiaT75, had been making updates and enhancements to the project for two years before a seemingly deliberate attempt to slip the malware into major Linux distributions. That perseverance would suggest a well-funded, ‘persistent’ threat actor. It could also be that the account was compromised, or that its owner was coerced into making the changes.
- CISA has released an alert for the supply chain compromise, tracked as CVE-2024-3094 (10/10). Thankfully, the impact should be relatively limited, as the affected versions had only reached rolling and pre-release distributions rather than stable production releases (though some early adopters may be affected). LINK, ADVISORY
- Simultaneously, this highlights both the dangers and the strengths of open-source projects. Yes, anyone can submit code, but the community also spotted the suspicious behaviour before widespread deployment and compromise.
- Side-but-related note: AI programming tools are hallucinating software libraries that they think should exist, and one researcher spotted a recurring hallucination and registered the offending huggingface-cli package. A substantial proportion of GPT-4 (~1/4) and Gemini (~2/3) programming queries include a hallucinated software library, making developers’ use of these coding assistants a significant factor in this dependency risk. LINK
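As an added example (not code from this page or from the XZ Utils project), here is a small Python check for the two things the XZ story turns on: whether an installed xz is one of the two named versions, and whether a release tarball contains files or content that the matching git tag does not. It assumes `xz --version` prints a first line of the form `xz (XZ Utils) X.Y.Z`. The manifests at the bottom are constructed sample data with placeholder digests: the path m4/build-to-host.m4 is used because that file really did exist only in the tarball, but the other entries and every hash are made up for the example.

```python
import hashlib
import os
import re
from typing import Dict, Optional

# Versions named in CVE-2024-3094.
AFFECTED_XZ_VERSIONS = {"5.6.0", "5.6.1"}


def xz_version_from_output(output: str) -> Optional[str]:
    """Pull the version out of `xz --version` output, e.g. 'xz (XZ Utils) 5.6.1\\nliblzma 5.6.1'."""
    m = re.search(r"xz \(XZ Utils\) (\d+\.\d+\.\d+)", output)
    return m.group(1) if m else None


def is_affected_xz(output: str) -> bool:
    """True when the reported xz version is one of the backdoored releases."""
    return xz_version_from_output(output) in AFFECTED_XZ_VERSIONS


def manifest_from_dir(root: str) -> Dict[str, str]:
    """Map relative path -> sha256 for every file under `root`.
    Run it once on an extracted release tarball and once on the output of
    `git archive <tag>` to produce the two inputs for tarball_drift()."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


# Files autotools legitimately adds to a release tarball without them being committed.
# Keep this allowlist narrow: a blanket "m4/" entry would have hidden the malicious file.
EXPECTED_GENERATED = ("configure", "Makefile.in", "aclocal.m4", "config.h.in", "build-aux/")


def is_expected_generated(path: str) -> bool:
    return any(path == p or path.startswith(p) for p in EXPECTED_GENERATED)


def tarball_drift(repo: Dict[str, str], tarball: Dict[str, str]) -> Dict[str, list]:
    """Report tarball-only files (minus the expected generated ones) and files whose
    content differs between the tarball and the git tag."""
    only_in_tarball = sorted(p for p in tarball.keys() - repo.keys() if not is_expected_generated(p))
    modified = sorted(p for p in repo.keys() & tarball.keys() if repo[p] != tarball[p])
    return {"only_in_tarball": only_in_tarball, "modified": modified}


# Constructed sample manifests: placeholder digests, not real hashes.
REPO_MANIFEST = {
    "configure.ac": "aaa1",
    "src/liblzma/lzma/lzma_decoder.c": "bbb2",
    "tests/files/bad-3-corrupt_lzma2.xz": "ccc3",
    "tests/files/good-large_compressed.lzma": "ddd4",
}
TARBALL_MANIFEST = {
    "configure": "e5e5",                 # expected generated file
    "Makefile.in": "f6f6",               # expected generated file
    "configure.ac": "aaa1",
    "m4/build-to-host.m4": "0707",       # present only in the tarball
    "src/liblzma/lzma/lzma_decoder.c": "bbb2",
    "tests/files/bad-3-corrupt_lzma2.xz": "9999",   # differs from the repo copy in this sample
    "tests/files/good-large_compressed.lzma": "ddd4",
}

if __name__ == "__main__":
    print(is_affected_xz("xz (XZ Utils) 5.6.1\nliblzma 5.6.1"))
    print(tarball_drift(REPO_MANIFEST, TARBALL_MANIFEST))
```

The useful habit here is the second check rather than the first: version checks only work once a CVE exists, whereas comparing the tarball you build from against the tag it claims to come from flags any tarball-only file, and an m4 or test-data file in that list deserves a diff against its upstream copy before the release is packaged.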
The UK and US accuse China of cyber attacks against politicians
- The UK government has accused Chinese state-backed attackers of “carrying out malicious cyber activity targeting UK institutions and individuals important to our democracy.” The campaigns against lawmakers did not succeed, but the UK sanctioned two people and a company linked to the operation. LINK
- The US Department of Justice also indicted seven Chinese nationals it alleges are part of APT31 for sending over 10,000 malicious emails. Where the targets were aware that they were likely targets and had taken measures to heighten their digital security, the threat actors turned their attention to family members. LINK
- A post on the Chinese embassy website described the UK government claims as “fabricated and malicious slanders”, adding that Beijing “strongly oppose such accusations.”
- NCSC believes APT31, which it assesses is affiliated with the Chinese Ministry of State Security, was behind reconnaissance against Members of Parliament and Lords who criticised China. NCSC also attributed the attack against the UK Electoral Commission in August last year to a Chinese actor. LINK, vol. 6, iss. 33
- China introduced guidelines blocking Intel and AMD processors on government servers and computers last week. The move is part of an initiative to develop homegrown “safe and reliable” alternatives to common technology hardware and software, including Microsoft Windows. LINK
Interesting stats
60% of the 37 zero-day vulnerabilities in browsers and mobile devices discovered in 2023 were attributed to commercial spyware vendors by analysis from Google and Mandiant. The report — A Year in Review of Zero-Days Exploited In-the-Wild in 2023 — is worth looking at. LINK.
24.2% of GPT-4 programming questions, and 64.5% of Gemini queries returned results with a hallucinated software package (see XZ Utils, above).
Other newsy bits / in brief
⚠️ Incidents:
- AT&T has finally confirmed that data of 73 million people leaked on a dark web forum came from its systems, having originally denied being the source. LINK
- Poor default configuration of Anyscale’s Ray AI Framework, used for scaling artificial intelligence software, has left thousands of servers exposed. Attackers have been able to tamper with AI models, steal network credentials, install reverse shells and run crypto mining workloads. Anyscale’s response — that their software should be segregated — is weak; their jobs API requires no authentication. LINK
- Another week, another retail chain unable to take card payments. Panera Bread, a US food chain, has been able to keep stores open but accept only cash payments, while online ordering, phone, and other internal systems have been impacted. LINK
- The Communications Workers Union (CWU) is responding to a cyberattack. Email services at the CWU, which represent hundreds of thousands of UK tech and telecoms workers, are disrupted, and other systems have been taken offline as a precaution. LINK
- The Qilin ransomware gang has claimed responsibility for an attack against The Big Issue, a UK magazine distributed by, and providing a source of income to, homeless people. The cybercriminals claim to have stolen 550GB of commercial and personnel data from the magazine. LINK
- US fast fashion retailer Hot Topic disclosed two waves of credential stuffing attacks against its users in November 2023. Attackers may have accessed the names, email and postal addresses, phone numbers, birthdays and order histories of loyalty scheme members. These types of attacks against company portals are becoming more and more common. I don’t think blaming the customer (as 23AndMe did) is a good answer. Companies must focus on customer authentication and monitoring their platforms for suspicious activity. LINK
🕵️ Threat Intel:
- MFA fatigue attacks against Apple iPhone users: After bombarding a user with password reset prompts, a call is initiated to the victim purporting to be Apple support investigating suspicious activity on their account. Whatever the technique used to generate the prompts, it appears to key off knowing the target individual’s phone number (one victim purchased a new phone, set up a new iCloud account and received the same prompts; the only consistent piece of information was their phone number). If you ever receive an unexpected call, remember the right thing to do is hang up, look up the number on the company’s website and call them back. LINK
- ‘Darcula’ phishing-as-a-service uses Rich Communication Services messages to target Android users and iMessage to target iPhone users in over 100 countries. Cybercriminals are using 20,000 domains to spoof different brands and steal credentials from victims. LINK
- Cisco is warning about password spraying attacks against its VPN devices and has shared recommendations to defend against them. LINK
- An infostealer malware campaign is being targeted at Call of Duty players using cheat software to improve their chances in the computer game. Activision is enabling two-step verification to protect potentially compromised accounts. LINK, 2SV
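The credential-stuffing, MFA-fatigue and password-spraying items above all come down to the same monitoring question: what does the pattern look like in an authentication log? As an added example (not code from this page or from any vendor mentioned), the Python below runs two sliding-window detectors over constructed log lines: one source failing logins against many distinct accounts (spraying and stuffing look alike from the server side), and a flood of password-reset prompts against one account. The log format, every line, the IP addresses and the thresholds are all made up for the example; the thresholds are deliberately low so the sample trips them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log format for this example (not any real product's format):
# <timestamp>Z auth event=<login|reset_prompt> user=<name> src=<ip> [result=<OK|FAIL>]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z auth event=(?P<event>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: result=(?P<result>\w+))?$"
)


def parse_auth_log(text: str) -> List[Dict]:
    """Turn log lines into event dicts sorted by time; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_account_spray(events: List[Dict], window=timedelta(minutes=10),
                         min_accounts=5) -> List[Tuple[str, int]]:
    """One source failing logins against many distinct accounts inside `window`.
    Returns (src, distinct accounts at alert time); one alert per source."""
    recent = defaultdict(deque)          # src -> deque of (ts, user) for failed logins
    alerted, alerts = set(), []
    for e in events:
        if e["event"] != "login" or e["result"] != "FAIL":
            continue
        q = recent[e["src"]]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        accounts = {u for _, u in q}
        if len(accounts) >= min_accounts and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append((e["src"], len(accounts)))
    return alerts


def detect_prompt_flood(events: List[Dict], window=timedelta(minutes=10),
                        min_prompts=5) -> List[Tuple[str, int]]:
    """Many reset/MFA prompts against one account inside `window`, whatever the source:
    the server-side shape of an MFA fatigue attack. One alert per account."""
    recent = defaultdict(deque)          # user -> deque of prompt timestamps
    alerted, alerts = set(), []
    for e in events:
        if e["event"] != "reset_prompt":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= min_prompts and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append((e["user"], len(q)))
    return alerts


# Constructed sample log: one spraying source, one ordinary user typo, one prompt flood.
SAMPLE_LOG = """\
2024-03-28T10:00:01Z auth event=login user=alice src=203.0.113.5 result=FAIL
2024-03-28T10:00:02Z auth event=login user=bob src=203.0.113.5 result=FAIL
2024-03-28T10:00:03Z auth event=login user=alice src=198.51.100.7 result=FAIL
2024-03-28T10:00:04Z auth event=login user=carol src=203.0.113.5 result=FAIL
2024-03-28T10:00:05Z auth event=login user=alice src=198.51.100.7 result=OK
2024-03-28T10:00:06Z auth event=login user=dave src=203.0.113.5 result=FAIL
2024-03-28T10:00:07Z auth event=login user=erin src=203.0.113.5 result=FAIL
2024-03-28T10:00:08Z auth event=login user=frank src=203.0.113.5 result=FAIL
2024-03-28T10:05:00Z auth event=reset_prompt user=grace src=192.0.2.10
2024-03-28T10:05:20Z auth event=reset_prompt user=grace src=192.0.2.11
2024-03-28T10:05:40Z auth event=reset_prompt user=grace src=192.0.2.12
2024-03-28T10:06:00Z auth event=reset_prompt user=grace src=192.0.2.13
2024-03-28T10:06:20Z auth event=reset_prompt user=grace src=192.0.2.14
2024-03-28T10:06:40Z auth event=reset_prompt user=grace src=192.0.2.15
2024-03-28T11:30:00Z auth event=reset_prompt user=henry src=192.0.2.20
"""

if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print("spray/stuffing:", detect_account_spray(evs))
    print("prompt flood:", detect_prompt_flood(evs))
```

Two caveats for real logs. Credential stuffing at scale is usually spread across many proxy addresses, so the per-source detector above needs a companion view that counts distinct accounts failing across the whole estate (or per network or ASN) in the same window. And the prompt-flood detector is keyed on the victim, not the attacker, precisely because the iPhone case above involved prompts the victim did not initiate; the response is to lock the reset flow for that account and contact the user out of band, not to wait for an attacker IP to repeat.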
🪲 Vulnerabilities:
- A proof-of-concept for an easy-to-use privilege escalation vulnerability in Linux kernels has been released. CVE-2024-1086 (7.8/10) affects Linux kernels versions 5.14 to 6.6.14 in common distributions like Debian, Ubuntu, Red Hat, Fedora and others. LINK
- JetBrains has fixed “26 security problems” in its TeamCity CI/CD software. The firm isn’t providing details on the vulnerabilities. LINK
🧿 Privacy:
- Desperate to get insight into competitors’ apps, Facebook used its Onavo VPN service to intercept and analyse users’ encrypted traffic to Snapchat, Amazon and YouTube in an internal drive called ‘Project Ghostbusters’. Documents, including emails from Facebook chief executive Mark Zuckerberg, were released as part of a class action lawsuit. LINK
- Facebook also allegedly gave Netflix access to users’ direct messages through a series of data sharing and ‘Extended API’ agreements that “allowed Netflix programmatic access to Facebook’s users’ private message inboxes”, in exchange for which Netflix would “provide to FB a written report every two weeks” showing counts of recommendations and clicks. LINK
- A Wired investigation has used geolocation data from a data broker to identify around 200 mobile devices of people who visited Jeffrey Epstein’s “paedophile island”. The fine-grained data, allowed under the US’ loose privacy protections, shows how profiles of individuals and their movements can be amassed with stark accuracy. “The coordinates that Near Intelligence collected and left exposed online pinpoint locations to within a few centimetres of space. Visitors were tracked as they moved from the Ritz-Carlton on neighbouring St. Thomas Island,” adding that the data covers “locations 30 minutes before and after they arrived on Epstein’s island, producing a trail of signals that show phones and other devices carried over by helicopter and boat…” LINK
📜 Policy & Regulation:
- The Foundation for Defense of Democracies, a Washington DC-based think tank, calls for the US to establish a dedicated ‘cyber force’ instead of US Cyber Command relying on drafting skills from the Army, Navy, Air Force and Marines. As the UK has done with its National Cyber Force, establishing such a service could provide a distinct identity and help standardise pay, resourcing and training. LINK
- CISA has released draft rules under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The 447-page (yes, four hundred and forty-seven pages) proposed regulations, intended to improve Uncle Sam’s tracking of incidents and ransomware payments, are open for public comment. Covered incidents must be reported within 72 hours and ransom payments within 24 hours of being made, with the reports exempt from public disclosure laws to ensure the confidentiality of the data. The proposal estimates that 316,000 entities from 16 critical infrastructure sectors will be affected, collectively expected to submit over 210,525 CIRCIA reports over the next decade. Over that period, the scheme is estimated to cost industry $1.4 billion (just under $4.5K per organisation) and the US government $1.2 billion. It all adds up quickly, eh? LINK
👮 Law Enforcement:
- The UK nuclear safety regulator, Office for Nuclear Regulation, is to prosecute the Sellafield nuclear processing site operators for “alleged information technology security offences during a four year period between 2019 and early 2023.” The intention to prosecute notice added that there is “no suggestion that public safety has been compromised as a result of these issues.” That’s good, then. LINK
💰 Investments, mergers and acquisitions:
- Rumours suggest that AI data protection startup Cyera (pronounced “Sierra”) is close to completing a $300 million fundraising round. LINK
- Singapore-headquartered StealthMole has announced a $7 million Series A round for its AI-powered dark web intelligence platform. LINK
- Coro, a platform of “14 Enterprise-grade [cybersecurity] modules” for small businesses, has closed a $100 million Series D round, valuing the company at over $750 million. It will use the money to expand from the US to European markets. LINK
🏭 Industry news:
- Munich Re has unveiled an insurance policy covering attacks targeting connected vehicles. The Cyber for Auto policies focus on “personal data that is connected and stored in a vehicle” and cover malware infections (including ransomware), data breaches and identity theft. LINK
And finally
- Ross Anderson, professor at the University of Cambridge and the University of Edinburgh, author of Security Engineering (a textbook on my degree course!), and prolific academic and commentator, has passed away, aged 67. LINK
- Israeli-American psychologist Daniel Kahneman also died this week, aged 90. Kahneman’s behavioural economics theories underpin many cyber security ‘nudge’ training and awareness platforms. Much of his research helped prove that humans are not “rational actors” and that biases and mental shortcuts can affect our decision-making in irrational yet predictable ways. A lot of this is neatly and accessibly summed up in his book, Thinking, Fast and Slow. It’s well worth a read! LINK, BOOK