Back-to-back Ivanti vulns, Microsoft woes and robocaller schadenfreude

Marcus Dietachmair / Unsplash
Welcome to Changelog for 8/6/23, published by Synack! Nathaniel Mott here with the week’s security news. Yes, README will be covering Black Hat and DEF CON later this week, so stay tuned for highlights from Hacker Summer Camp. Safe travels to everyone heading to and from Las Vegas!

The payload

When it rains, it pours.

The Wall Street Journal reported on Aug. 3 that Ivanti, whose Endpoint Manager Mobile software was exploited in a July attack that disrupted the communications networks of a dozen Norwegian government ministries, discovered a second vulnerability in the same product within days of the original zero-day’s disclosure.

Surely that was the vulnerability reported by Rapid7… oh. No. That’s yet another flaw. The Journal was referring to a vuln discovered by Mnemonic, a Norwegian cybersecurity firm assisting Ivanti with its investigation into the incident. (The original vulnerability is CVE-2023–35078. The flaws discovered by Mnemonic and Rapid7 are identified as CVE-2023–35081 and CVE-2023–35082, respectively.)

We saw a similar pattern with MOVEit Transfer: A zero-day was discovered, and in the weeks following its public disclosure, a bunch of other vulnerabilities were found as well. It’s like watching a body of water suddenly burst with activity as piranhas rush to devour a hunk of meat. One moment everything seems fine; the next a bunch of researchers are looking for their bite of this deliciously vulnerable software.

Which isn’t to say that everything was fine before the initial disclosure. The Cybersecurity and Infrastructure Security Agency and the Norwegian National Cyber Security Centre said on Aug. 1 that the original flaw in Ivanti’s product was exploited “from at least April 2023 through July 2023.” And unlike the piranhas’ target in my metaphor, Ivanti’s software ought to emerge from this water better than it was before.

The week, compiled

Microsoft had a rough week.

Tenable CEO Amit Yoran excoriated the company in a LinkedIn post on Aug. 2, saying that “Microsoft’s lack of transparency applies to breaches, irresponsible security practices and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about.” He then provided an example by way of an Azure vulnerability a Tenable researcher discovered and disclosed in March.

Microsoft released a patch for the problem in June, but Yoran said it was “a partial fix — and only for new applications loaded in the service.” Microsoft wasn’t expected to fully patch the vulnerability until September — at least until Yoran’s post went viral. Then a patch was released, with the company telling PCMag that it “has fully addressed the vulnerability for all customers,” about a month sooner than expected.

Not all security researchers can rely on their CEO going viral on LinkedIn for calling out one of the world’s largest tech companies, however, so this isn’t a sustainable model for addressing vulnerabilities in Microsoft’s cloud services. (Or its other offerings, for that matter.) Fortunately, there are other ways to hold companies to account — such as government interventions.

greg-bulla-auITmXWF3Qw-unsplash

Greg Bulla / Unsplash

Enter the House Committee on Oversight and Accountability, which announced on Aug. 3 that it’s “investigating recent cyber espionage campaigns which breached the Department of State and the Department of Commerce,” referring to the Storm-0558 hack that’s had all eyes on Microsoft since it was revealed in mid-July. I’d put the odds of Microsoft making it through this inquiry without criticism at zero.

Enter the House Committee on Oversight and Accountability, which announced on Aug. 3 that it’s “investigating recent cyber espionage campaigns which breached the Department of State and the Department of Commerce,” referring to the Storm-0558 hack that’s had all eyes on Microsoft since it was revealed in mid-July. I’d put the odds of Microsoft making it through this inquiry unscathed at zero.

Here’s what else caught my eye last week:

Reuters: Researchers at the Halycon security firm said this week that a cloud hosting company called Cloudzy’s services have been used by “no fewer than 17 different state-sponsored hacking groups from China, Russia, Iran, North Korea, India, Pakistan and Vietnam.” CrowdStrike also told Reuters it had seen “other cybercriminal activity” associated with the service. Cloudzy denied that it caters to hacking groups.

The Record: BlackBerry said last week that attacks on “governments and public entities” were up 40% quarter-over-quarter, with an estimated 55,000 attacks targeting countries around the world between March and May. (For more on attacks on governments within the Global South, read our report from December 2022.)

TDD: U.S. law enforcement agencies are concerned about the Flipper Zero, a pocket-sized device with an adorable dolphin mascot that can be used to interact with Wi-Fi, Bluetooth and other wireless protocols. Leaked documents show that police fear “racially and ethnically motivated violent extremists” may use the device in their attacks, though there doesn’t appear to be any evidence this has happened yet.

A message from Synack

The depths of vulnerabilities continue to overwhelm security teams. During Black Hat, join Synack’s Aquatic Experience at booth #2328 and explore our strategic security testing platform that helps organizations discover, manage and remediate the vast ocean of threats. Float by our booth to learn how to navigate the most critical vulnerabilities in the Cave, catch a demo or grab some food and swag. Learn more here.

Flash memory

The world’s most terminally online money launderers, Ilya Lichtenstein and Heather Morgan, pleaded guilty to a number of crimes related to the Bitfinex hack on Aug. 3.

Bitfinex is a cryptocurrency exchange. Someone — apparently Lichtenstein — hacked it in August 2016 and made off with 119,756 Bitcoin. Wikipedia puts the value of that crypto at $72 million when it was stolen, but thanks to the cryptocurrency bubble, it was worth more than $3.6 billion when the U.S. government seized a portion of it in Feburary 2022. (And somehow Bitcoin’s value has only continued to climb since then.)

You might think Lichtenstein and Morgan would be most famous for attempting to launder several billion dollars in stolen cryptocurrency. In another timeline, you would be correct. But in this one, Morgan’s insistence on attempting to become an influencer/rapper/author overshadowed the duo’s crimes, as BuzzFeed so dutifully chronicled shortly after they were arrested last February.

CNBC reported that Lichtenstein could be sentenced to up to 20 years in prison; Morgan could be sentenced for up to five.

 

Local files

WaPo: The Cult of the Dead Cow is set to reveal Veilid, which The Washington Post said is supposed “to provide a foundation for messaging, file sharing and even social networking apps without harvesting any data, all secured by the kind of end-to-end encryption that makes interception hard even for governments,” at Def Con, which means there should be even more Twitter alternatives debuting in the coming months.

TechCrunch: An Oregonian healthcare company called Performance Health Technology said last week that it was compromised via the MOVEit Transfer vulnerability. Data about some 1.7 million of its customers — including their names, Social Security Numbers and sensitive health information — was exposed via this breach.

NYT: The call was coming from inside the house… if by “call” you mean “paying for NSO Group spyware” and “inside the house” you mean “within the FBI.” The New York Times reported that an FBI contractor called Riva Networks finalized a deal with NSO Group concerning its Landmark software, which can be used to locate mobile phones with great precision, days after the White House blacklisted the spyware firm. Whoops.

Off-script

Everyone hates robocallers. Luckily we can all engage in a bit of schadenfreude now that the FCC has issued a $300 million fine to a company that, as The Hill reported, “violated federal statutes and the FCC’s regulations during a three-month span in 2021 when they made more than 5 billion robocalls to more than 500 million phone numbers.”

I can’t even make sense of that scale — or why it would take so long to take action against a company operating this way. Calling half a billion phone numbers 10 times each over the course of three months? Why? What legitimate business would be able to generate even half of that number within the same time period? I’m genuinely asking.

annie-spratt-goholCAVTRs-unsplash

Annie Spratt / Unsplash

But the FCC isn’t stopping with the duo behind these calls. The commission said on Aug. 3 that “[46] states and the District of Columbia and Guam have now signed Memoranda of Understanding to join with the FCC’s Enforcement Bureau to share evidence, coordinate investigations, pool enforcement resources, and work together to combat illegal robocall campaigns and protect American consumers from scams.”

In the meantime, we’re all one step closer to caring when our phones ring again.

That’s all for now — please send any feedback to nmott@synack.com or bsobczak@synack.com. See you next week after Hacker Summer Camp!