Robin’s Newsletter #303

7 April 2024. Volume 7, Issue 14
CSRB slams Microsoft over 'preventable' Storm-0558 breach that 'should never have occurred'.

This week

Microsoft slammed in CSRB report over Storm-0558 breach

  • A “cascade” of “avoidable errors” allowed Storm-0558 (linked to the People’s Republic of China) to gain access to the mailboxes of US and UK government departments, an investigation by the US Cyber Safety Review Board (CSRB) has concluded. The intrusion “should never have occurred”.
  • Microsoft received short shrift for failing to detect the compromise of its Microsoft Services Account (MSA) cryptographic material and not implementing industry good practices widely adopted by its competitors. In particular, Microsoft’s consumer identity infrastructure (for which the MSA key was compromised) had no automatic key rotation. Instead, manual rotations were prescribed, though these had ceased entirely after one rotation caused an outage in 2021. This, combined with poor segregation of consumer and enterprise authentication systems, allowed the key — dating from 2016 — to be used.
  • The CSRB also says Microsoft pursued 46 different theories for how Storm-0558 stole the MSA key and still has not determined which occurred, contrary to a blog post pushing a ‘crash dump’ theory shortly after the incident. Microsoft acknowledged the post was inaccurate to the CSRB but has taken over six months to correct it.
  • Pressure is mounting on Microsoft to up its security game, especially given an intrusion by Russian actors disclosed in January. Senator Ron Wyden described the US government’s dependence on Microsoft as a “serious national security threat, which requires strong action.” On the flip side, while one German state announced a switch to Linux and LibreOffice, it’s doubtful that Uncle Sam would make a switch, let alone be able to do so any time soon.
  • Having cited Bill Gates’ Trustworthy Computing memo, which prioritised resolving security issues over new features, the report adds that “[the] Board concludes that Microsoft has drifted away from this ethos and needs to restore it immediately as a top corporate priority.”
  • Lastly, I found it interesting that the report links Storm-0558, the Chinese-affiliated group behind this attack, to the Operation Aurora attacks against Google and the 2011 compromise of RSA’s key material behind its SecurID MFA tokens. That’s over two decades of focus on core email and authentication systems.
  • The whole report is well worth a read.
  • LINK, REPORT (PDF), PRESSURE, GERMAN LINUX

More on xz Utils backdoor

  • A few interesting things from analysis following the discovery and prevention of the xz Utils supply chain backdoor.
  • The backdoor was designed to execute commands rather than bypass authentication. The attacker’s commands would have been hidden in part of the binary data exchanged as part of an SSH login to minimise the chances of detection. A specific private key must also sign the commands to be processed. This, combined with the length of time and good OpSec, makes it highly likely that it’s a state-backed campaign: there was an equities process here and a choice to minimise the chances of wholesale exploitation. The ‘Jia Tan’ persona behind the commits doesn’t appear to exist outside of the commits on this project. Similarly, other identities that promoted the changes and encouraged adoption by other open-source projects only existed to promote this campaign. JIA TAN
  • This video looks at the backdoor, how it would have worked, and why it was so sneaky. VIDEO (h/t Lee)
  • Finally, a broader look at the bullying behaviour of many in the free open source software movement and the vulnerability that this introduces into the ecosystem. CULTURE

Interesting stats

$1.1 billion lost to impersonation scams in 2023, according to the US FTC, ~3x what was reported in 2020. LINK

Other newsy bits / in brief

⚠️ Incidents:

  • UK Members of Parliament who were targeted with ‘honey trap’ WhatsApp messages by an unknown actor may have had their numbers leaked to the attacker by another MP on a dating app. William Wragg, chair of the public administration committee and vice-chair of the 1922 committee of backbenchers, described being pressured and coerced after sharing “compromising things” with an individual he met online. LINK
  • The Open Worldwide Application Security Project (OWASP) is warning that around 1,000 CVs of members dating from 2006 to 2014 were left on a misconfigured wiki site. LINK
  • The Chinese e-commerce platform Pandabuy has confirmed a data breach that affected 1.3 million customers. Cybercriminals selling the data claim to have user IDs, full names, phone numbers, email addresses, IP addresses, home addresses, and order data. LINK
  • City of Hope, a US healthcare company specialising in cancer treatment and research, says that the personal information of 827,149 people was stolen by cybercriminals between 19 September and 12 October last year. “There is no indication of any identity theft or fraud occurring as a result of this incident,” a spokesperson told The Register. LINK

🏴‍☠️ Ransomware:

  • A cybercrime group stole sensitive information of more than 36,545 people during a February incident at Prudential Insurance. Alphv claimed responsibility for the intrusion and theft of what the insurer describes as “administrative and user data from certain [IT] systems”. LINK
  • A Chilean data centre firm called IxMetro has had their VMware ESXi servers encrypted in a ransomware attack. The ‘SEXi’ cybercriminals are demanding two bitcoins per affected customer, which IxMetro says equates to $140 million, which they do not intend to pay. LINK
  • Leicester City Council has finally admitted that it was victim to a cyber attack, with the INC Ransom group claiming to have stolen “3TB of private information”, apparently including scans of passports, bank statements and other official council forms. LINK

🕵️ Threat Intel:

  • Fake AI law firms are sending fake DMCA notices requesting hyperlinks as part of an SEO scam. LINK
  • Latrodectus may be an evolution of the IcedID loader, say Proofpoint and Team Cymru, citing initial access brokers replacing IcedID in recent phishing campaigns. LINK
  • Martin Kupka, the Czech Republic’s transport minister, says that Russia has made “thousands” of attempts to compromise European rail networks. LINK
  • The US Department of Health and Human Services is warning of social engineering attacks against healthcare organisations’ IT help desks, particularly to enrol new multi-factor authentication methods. LINK

🪲 Vulnerabilities:

  • The HTTP/2 protocol is vulnerable to a denial of service attack that can crash some common web server software with a single ‘continuation’ frame. LINK

🛠️ Security engineering:

  • Google is promoting a solution that would negate cookie theft. Device Bound Session Credentials (DBSC) will cryptographically tie session cookies to the device they’re saved on. Cookie-stealing is a common malware capability, allowing attackers to appear as legitimate, authenticated users of web systems. LINK

🧿 Privacy:

  • Proton says that the new Microsoft Outlook is less email client and more surveillance tool, with EU privacy dialogues showing that the Office staple needs to process and share data with Microsoft and 801 (yes, eight-hundred-and-one) partners to improve products, personalise ads, and derive audience insights. Some of these ads appear as messages in the user’s mailbox. LINK

📜 Policy & Regulation:

  • The FCC is asking US telcos for details on how they’re preventing the (now notoriously insecure) SS7 vulnerabilities from being abused to track consumers’ locations. Signalling System No. 7 (SS7) is the protocol used to route phone calls, SMS, and international roaming. LINK, TRACKING
  • Germany will introduce a dedicated cyber branch to its armed forces. The Cyber and Information Domain Service will have “responsibility for carrying out military actions — in the cyber and information space,” according to Germany’s defence minister, Boris Pistorius. LINK

👮 Law Enforcement:

  • Russian authorities have charged six men with the theft of 160,000 credit cards. Unusual! LINK

🏭 Industry news:

  • After several critical vulnerabilities and poor responses, Ivanti’s CEO Jeff Abbott has written an open letter to customers promising a ‘new era’. The promise includes a commitment to a secure-by-design approach and to “anticipate and preemptively address potential vulnerabilities from product inception to deployment and beyond”. I’m sure it will reassure customers that the security vendor is now focused on “embedding security into every stage of the software development lifecycle”. CISA has warned energy and defence sector organisations of Volt Typhoon attacks against Ivanti products, and Mandiant claims five espionage groups with a ‘China-nexus’ are involved. LINK, ATTACKS

And finally

  • An Iowa sysadmin spent over thirty years impersonating the identity of a homeless man, including getting the victim admitted to a psychiatric hospital for over a year. It’s an extreme and horrific case of identity theft and systemic justice system failure. LINK
  • Risk-related… Having built software to detect and avoid collisions with moose and elk, Volvo couldn’t adapt its car technology to avoid the hazard of hopping kangaroos. LINK
Robin
