Changelog: Kaspersky is the new TikTok

Joey Csunyo / Unsplash

Welcome to Changelog for 4/11/2024, published by Synack! README senior editor Nathaniel Mott “enjoying” those April showers and bringing you the top security news of the week.

The payload

I may have cursed Kaspersky.

Last month I wrote a piece, “TikTok is the new Kaspersky,” in which I pointed out the similarities between U.S. efforts to ban the social media juggernaut and the cybersecurity stalwart. But I also noted that Congress was being harder on TikTok by looking to ban it from the U.S. entirely; Kaspersky had been barred from government-issued devices but was still freely available to American consumers.

Now it seems that’s about to change. CNN reported on April 9 that “the Biden administration is preparing to take the unusual step of issuing an order that would prevent U.S. companies and citizens from using software made by a major Russian cybersecurity firm because of national security concerns”—Kaspersky—and that this ban “is being finalized and could happen as soon as this month.”

In last month’s piece, I explored the arguments for banning Kaspersky’s antivirus from both government-issued and consumer-owned devices as well as my frustration about the lack of publicly available evidence to support those arguments. Merits of the move aside, it’s clear the Biden administration is convinced that it’s time for Kaspersky to be evicted from the U.S. entirely.

The action would also raise additional questions about the so-called TikTok ban. CNN said the Biden administration’s Kaspersky ban would arrive via Commerce Department authorities that are “relatively new and derived in part from a 2021 executive order that Biden signed in the name of protecting Americans’ personal data from ‘foreign adversaries’ and a related order signed by Trump in 2019.”

So on the one hand we’d have existing Commerce Department authority being used to ban Kaspersky, and on the other, we’d have H.R. 7521 providing the authority that would be used to ban TikTok and other “foreign adversary controlled applications.” I’m curious to see which hand strikes first—and how other companies from Russia and China respond to what seems like an increasingly hostile U.S. market.

The week, compiled

Companies often claim their software is shipped as native wrappers around web apps—think Slack, Discord and Obsidian, among countless others—because it allows them to easily support multiple platforms. I have an alternative justification: It’s easier to ship an entire web browser devoted to a single web app than it is to figure out how to properly interact with seemingly basic interfaces on Windows.

For a while I thought maybe I was just being unfair to Windows. Then, on April 9, Flatt Security revealed that several of the most commonly used programming languages “can’t securely execute commands on Windows” because of a vulnerability that security researcher “RyotaK” dubbed “BatBadBut.”

RyotaK said that “BatBadBut is a vulnerability that allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.” This can then lead to arbitrary code execution—and the problem affects various Windows software written in Java, Python, Go and other programming languages.


Johnyvino / Unsplash

Why does this happen? “The root cause of BatBadBut is the overlooked behavior of the CreateProcess function on Windows,” RyotaK said. Many programming languages end up “wrapping” this function “to provide a more user-friendly interface” without accounting for how the original function interacts with “cmd.exe,” which doesn’t parse and escape arguments the same way shells on macOS, Linux and the like would.

It’s essentially just one of the quirks that set Windows apart from its UNIX-derived counterparts. RyotaK said that now a bunch of programming languages have either released patches to change the way they interact with this Windows function, said they plan to release such patches, updated their documentation or, in Java’s case, simply marked the issue as “Won’t fix.” All because Windows is weird.
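As an added illustration (not code from RyotaK’s advisory or from any of the affected language runtimes), here is a small Python guard built on the two conditions described above: an argument only becomes dangerous when the target is a batch script, because that is when CreateProcess silently hands the command line to cmd.exe. The extension list and the metacharacter set are assumptions chosen for this example.

```python
import ntpath
import subprocess
from typing import List, Sequence

# Assumption for this example: CreateProcess routes these extensions through
# cmd.exe instead of launching the file directly.
BATCH_EXTENSIONS = {".bat", ".cmd"}

# Characters cmd.exe gives special meaning on a command line. The double quote
# is included because cmd.exe does not recognise the backslash-quote escaping
# that language runtimes emit for CreateProcess's own argument parser.
CMD_METACHARACTERS = set('()%!^"<>&|')


def is_batch_script(command: str) -> bool:
    """True when the target would be run through cmd.exe by CreateProcess."""
    return ntpath.splitext(command)[1].lower() in BATCH_EXTENSIONS


def unsafe_batch_args(args: Sequence[str]) -> List[str]:
    """Return the arguments cmd.exe could reinterpret.

    Line breaks are flagged too: cmd.exe treats whatever follows a newline
    as a fresh command, regardless of quoting.
    """
    flagged = []
    for arg in args:
        if "\r" in arg or "\n" in arg or any(c in CMD_METACHARACTERS for c in arg):
            flagged.append(arg)
    return flagged


def check_command(command: str, args: Sequence[str]) -> bool:
    """True when the invocation is safe to pass to subprocess as a list.

    Non-batch targets pass unchanged: subprocess's quoting is correct for the
    CreateProcess/MSVCRT parser. Batch targets pass only when no argument
    carries a character cmd.exe would interpret.
    """
    if not is_batch_script(command):
        return True
    return not unsafe_batch_args(args)


def safe_run(command: str, args: Sequence[str]) -> subprocess.CompletedProcess:
    """Run the command only if check_command accepts it."""
    if not check_command(command, args):
        raise ValueError(
            f"refusing to run batch script {command!r} with cmd.exe-sensitive "
            f"arguments: {unsafe_batch_args(args)!r}"
        )
    return subprocess.run([command, *args], check=False)
```

The check is pure string logic, so it runs on any platform; `safe_run` only does something useful on Windows, where the batch-script path through cmd.exe exists.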

On to some of the leading security news of the week:

TechCrunch: Speaking of inscrutable Microsoft-designed mechanisms causing problems, TechCrunch reported on April 9 that a Bing-related Azure server that “housed code, scripts and configuration files containing passwords, keys and credentials used by the Microsoft employees for accessing other internal databases and systems” wasn’t password protected… and that it took Microsoft a month to fix the issue after it was reported by SOCRadar researchers Can Yoleri, Murat Özfidan and Egemen Koçhisarlı.

Ars Technica: A bunch of NAS devices sold by D-Link have a backdoor account—“username messagebus and an empty password field”—that can be exploited to take control of affected systems. D-Link doesn’t plan to release a fix because the affected devices were marked “end of life” at least four years ago. (Initial reports indicated that 92,000 devices were vulnerable, but that number is now believed to be far lower.)

The Record: What goes around comes around. The Record reported on April 9 that “a previously unknown ransomware gang has been attacking Russian businesses with malware based on the leaked source code from the Conti hacking group.” That group, which has been dubbed “Muliaka” or “Muddy Water,” is believed to have been active since at least December 2023. (Not to be confused with MuddyWater.)

A message from Synack

Pentesting on a FedRAMP Moderate Authorized Platform. Synack has achieved the Moderate "Authorized" designation from the U.S. Federal Risk and Authorization Management Program (FedRAMP), demonstrating that Synack's premier security testing platform meets the cloud compliance framework's rigorous requirements at the Moderate level. The milestone approval means government agencies can deploy Synack's best-in-class penetration testing and vulnerability management solutions – even for internal data, and in systems that process Controlled Unclassified Information. To learn more about the news and your security testing options, head over to https://hubs.ly/Q02jpBQ30.

Local files

Nextgov: Lt. Gen. Timothy Haugh, who succeeded Paul Nakasone as head of the NSA and Cyber Command, told the Senate Armed Services Committee that CYBERCOM conducted 22 “hunt forward” missions across 17 countries throughout 2023 in an effort to, as Nextgov put it, “root out hackers and slow adversaries’ cyber operations while gaining important defensive insights for future cyberwar.”

CISA: The U.S. Cybersecurity and Infrastructure Security Agency announced on April 10 “a new release of our malware analysis system, called Malware Next-Gen, which allows any organization to submit malware samples and other suspicious artifacts for analysis.” The system was previously limited to U.S. government agencies; now it’s available to everyone who wants CISA to help analyze some malware. 

CyberScoop: In the latest sign that U.S. water infrastructure is poorly defended, Sen. Ron Wyden is pushing for American dams to improve their cybersecurity because he doesn’t “want to wake up to a news report about a small town in the Pacific Northwest getting wiped out because of a cyberattack against a private dam upriver.” (Yet somehow nobody has made the “dams-el in distress” pun.)

Off-script

Allow me to start by saying that my heart goes out to anyone who’s still working on the platform formerly known as Twitter. It’s no secret that Elon Musk’s acquisition of the company has led to a hostile work environment where decisions appear to be made 280 characters at a time and X’s ambitions to become an “everything app” trump delivering a quality product via the apps people have been using since 2010.

But it’s still unfathomable—and perhaps unconscionable—how X rolled out a new “feature” that replaces any references to “twitter[.]com” with an “x[.]com” in such a broken state that it was an active security risk. Why? Because the replacement was activated whenever “twitter[.]com” appeared, which meant “netflitwitter[.]com” would show up as “netflix[.]com” in affected clients. That’s a phisher’s white whale.


Rubaitul Azad / Unsplash

Brian Krebs reported that at least 60 domains meant to take advantage of this gaffe, including “fedetwitter[.]com” and “roblotwitter[.]com,” were registered over the course of just two days. In some cases they were registered specifically to prevent them from being used by scammers (offering further proof that not all heroes wear capes) but I suspect at least some of them were meant to be used in phishing attacks.

The company has now solved this problem, but I think it’s pretty telling that it managed to reach production in the first place. (And that it’s the second issue affecting links on X to appear within just two months.) Whatever faith you had in Twitter should probably be well and truly X’d out by now.