Changelog: All eyes on China (and toothbrushes)
Matze Bob / Unsplash
Welcome to Changelog for 2/8/2024, published by Synack! README senior editor Nathaniel Mott here on a sunny January day with the week’s leading security news.
The payload
Last week I reported on the heads of the NSA, FBI, Office of the National Cyber Director and Cybersecurity and Infrastructure Security Agency (CISA) testifying about the Chinese government’s ongoing efforts to hack U.S. organizations. This week, CISA and the Military Intelligence and Security Service (MIVD) of the Netherlands revealed some additional information about those efforts, including the patience with which China-linked threat actors make their way through targeted networks.
CISA said on Feb. 7 that “the data and information CISA and its U.S. Government partners have gathered strongly suggest the PRC is positioning itself to launch destructive cyber-attacks that would jeopardize the physical safety of Americans and impede military readiness in the event of a major crisis or conflict with the United States.” The agency and its partners in the U.S., the U.K., Australia and New Zealand said one threat actor in particular, Volt Typhoon, is concerning because its “choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations.”
The U.S. agencies said in the advisory that they “have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years” without detection. “Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise,” the agencies said.
But the U.S. isn’t China’s only target—and its hackers don’t always devote as much effort to remaining undetected. BleepingComputer reported on Feb. 6 that “a Chinese cyber-espionage group breached the Dutch Ministry of Defence last year and deployed malware on compromised devices,” according to the MIVD, which said “the effects of the intrusion were limited because the victim network was segmented from the wider [defense ministry] networks." There’s a stark difference in approaches there. (Or, less optimistically, a stark difference in the U.S. and the Netherlands’ ability to detect these intrusions.)
The week, compiled
There is no world in which I don’t address the fantastic (and fantastical) toothbrush botnet story in this newsletter. In case you’ve managed to miss all the discourse: Aargauer Zeitung reported on Jan. 30 that 3 million internet-connected toothbrushes had been compromised with malware and enlisted in a botnet used to conduct distributed denial-of-service (DDoS) attacks on targets of the operator’s choosing. Tom’s Hardware—where, full disclosure, I used to be news editor—picked up the story on Feb. 6.
Infosec experts were quick to call bullshit on the claims of this dentally hygienic botnet. The company that gave this story to Aargauer Zeitung, Fortinet, initially refused to respond to requests for comment. Then it gave outlets like 404 Media the following statement: "To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.”
Alex Padurariu / Unsplash
But the plot runs deeper! Luzerner Zeitung said on Feb. 8 that “Swiss Fortinet representatives described the toothbrush case as a real DDoS at a meeting that discussed current threats” and that “the text was submitted to Fortinet for verification before publication” without any objection to the characterization of the toothbrush botnet as a legitimate threat. This viral story, which I’m willing to bet has received far more attention than real vulnerability reports over the last few days, resulted from a comedy of errors that either Fortinet or one of the Zeitungs should have been able to avoid making.
The problem is that a toothbrush botnet almost sounds plausible. Manufacturers are bringing practically every device online these days, and as the Internet of Things constantly reminds us, they don’t seem to care whether or not those devices are secure. (I wouldn’t be surprised if some toothbrush manufacturer saw this entire saga play out and thought to themselves “you know what, an internet-connected toothbrush sounds like it would sell, actually” because that’s how these things go.) For now, if you’re worried about your toothbrush misbehaving, I recommend Malwarebytes’ blog post on the matter
And now for some things that actually happened:
Google: Google’s Threat Analysis Group published a report on Feb. 6 that covers its “understanding of who is involved in developing, selling, and deploying spyware, how [commercial surveillance vendors] operate, the types of products they develop and sell, and our analysis of recent activity” across 50 pages of easy-to-read copy that anyone curious about the spyware industry should check out.
BleepingComputer: Here’s another reason to get off Facebook. BleepingComputer reported on Feb. 7 that “password-stealing malware named Ov3r_Stealer is spreading through fake job advertisements on Facebook, aiming to steal account credentials and cryptocurrency,” with the infection chain involving “a Discord URL where a PowerShell script downloads the malware payload from a GitHub repository.”
Chainalysis: Ransomware gangs reportedly surpassed “$1 billion in extorted cryptocurrency payments from victims” in 2023, according to Chainalysis, which made absolutely nobody feel better by adding that iIt is important to recognize that our figures are conservative estimates” that are “likely to increase as new ransomware addresses are discovered over time.” (Well, nobody but the ransomware gangs, I guess.)
A message from Synack
Pentesting on a FedRAMP Moderate Authorized Platform. Synack has achieved the Moderate "Authorized" designation from the U.S. Federal Risk and Authorization Management Program (FedRAMP), demonstrating that Synack's premier security testing platform meets the cloud compliance framework's rigorous requirements at the Moderate level. The milestone approval means government agencies can deploy Synack's best-in-class penetration testing and vulnerability management solutions – even for internal data, and in systems that process Controlled Unclassified Information. To learn more about the news and your security testing options, head over to https://hubs.ly/Q02jpBQ30.
Flash memory
Google Maps debuted on Feb. 8, 2005. The service would be unrecognizable today. It didn’t land on mobile devices until 2007, lacked turn-by-turn navigation until 2009 and didn’t let business owners easily update their information until 2014. It’s also seen numerous redesigns—which is reasonable for a 19-year-old service—and become increasingly useful thanks to Google’s commitment to maintaining it. (Unlike, say, the hundreds of other services that reside in the Google graveyard.)
The benefits of a tool like Google Maps were easy to see. The drawbacks weren’t—at least until they became all-too-apparent to various at-risk groups throughout 2022. First we saw Google disable live traffic data in Ukraine because it didn’t want Maps to inform Russia’s attacks on the country. Then, with the overturning of Roe v. Wade, Google tried and failed to assure Maps users the service wouldn’t endanger them if they sought directions to or visited healthcare facilities providing abortion services.
All of which goes to show that even a service as beneficial to daily life as Google Maps isn’t without its risks. (And that’s if you ignore the lock-in effect that Google Maps data has for Google search, or the creepiness factor of an advertising company driving around to make people’s homes and businesses easy to peer on from anywhere in the world, among other things.) It’ll be interesting to see how our relationship with Google Maps and similar services continues to evolve alongside our geopolitical circumstances.
Local files
Microsoft: The Microsoft Threat Analysis Center said on Feb. 6 that “Iranian government-aligned actors have launched a series of cyberattacks and influence operations (IO) intended to help the Hamas cause and weaken Israel and its political allies and business partners” since the Hamas attack on Israel in October 2023, and that their activities have since spread to Albania, Bahrain and the U.S., too.
The Record: A ransomware attack on Korneuburg, Austria has reportedly disrupted several of the town hall’s vital functions, including the issuance of death certificates. This has caused funerals to be delayed while the small town—The Record said it has a population of just 13,000 people—attempts to recover from the incident without giving in to the attacker’s demands.
State Department: The U.S. Department of State announced on Feb. 5 that it was implementing a new policy “that will allow the imposition of visa restrictions on individuals involved in the misuse of commercial spyware,” which it said has been used “to facilitate repression, restrict the free flow of information, and enable human rights abuses” in countries around the world.
Off-script
I didn’t expect playing “Super Smash Bros. Ultimate” with my son to be so much fun. I’m not particularly good at the game—which is part of the reason why I haven’t played it since it came out in 2018—and Nintendo’s decision to force players to unlock the majority of the game’s roster of characters was a bummer. (I just want to play as Sephiroth, damn it, especially after his stunning reveal trailer.)
Kelly Sikkema / Unsplash
But the other day he decided to give “Super Mario Kart 8 Deluxe” and “New Super Mario Bros. U Deluxe” a break so we could play a bit of “Smash.” I’m not ashamed to admit, dear reader, that he trounced me the first game. Our record’s swung the other way since I’ve refamiliarized myself with the controls, but we were both pleasantly surprised to find that he’s getting good enough at games to hold his own.
Now, if you’ll excuse me, I have to figure out how these dang grab mechanics work so I can firmly establish my position in the Mott household when he gets home from school. Erm, I mean, so I can teach him some of the finer points of a franchise we’ve both grown to love! Definitely that second one.