Changelog: Cyber review board is all bark, no bite on Microsoft

Kelsey Mirehouse / Unsplash

Welcome to Changelog for 4/4/2024, published by Synack! README senior editor Nathaniel Mott here after a long weekend with the week’s leading security news.

The payload

Microsoft is lucky the Cyber Safety Review Board has no bite to back up its bark. 

The board published its “Review of the Summer 2023 Microsoft Exchange Online Intrusion” on April 2. Unlike its other reports, which examined the fallout of the Log4Shell vulnerabilities revealed in 2021 and the Lapsus$ hacking spree of 2022 and 2023, the CSRB’s latest investigation focused on a specific incident for which a single company might be held responsible… if the board had any enforcement capabilities. Instead it had to settle for publishing its most excoriating report to date.

To briefly summarize the incident: China-linked advanced persistent threat actor Storm-0558 used a stolen Microsoft account key to forge tokens used to access Microsoft Exchange Online accounts belonging to 22 organizations—including the State Department, Commerce Department and U.K. National Cyber Security Centre—in the summer of 2023 to support the Chinese government’s espionage programs. Microsoft publicly disclosed the incident in a pair of blog posts published in July and September 2023.

The Department of Homeland Security announced that the CSRB would investigate this incident in October 2023. That investigation culminated in Tuesday’s report, in which the board said “this intrusion was preventable and should never have occurred” and that it “concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”

I won’t summarize the entire report—it’s worth reading yourself—but I want to highlight this section:

“Microsoft’s products and services are ubiquitous. It is one of the most important technology companies in the world, if not the most important. This position brings with it utmost and global responsibilities. It requires a security-focused corporate culture of accountability, which starts with the CEO, to ensure that financial or other go-to-market factors do not undermine cybersecurity and the protection of Microsoft’s customers. [...] Unfortunately, throughout this review, the Board identified a series of operational and strategic decisions that collectively point to a corporate culture in Microsoft that deprioritized both enterprise security investments and rigorous risk management. These decisions resulted in significant costs and harm for Microsoft customers around the world. The Board is convinced that Microsoft should address its security culture.”

Yet the CSRB has no authority to demand the changes Microsoft needs to make to improve the security of its products and services. It reminds me of the countless groups publishing increasingly urgent warnings about the consequences of climate change. (Albeit on a far less cataclysmic scale.) I’m surprised the CSRB was willing to bark this loudly, but I’d be even more surprised if any of its counterparts in the U.S. government decide to stop whimpering in the corner and follow up this warning with some bite.

Until they do, we’ll continue to see intrusions like the one that prompted this report. We already have, in fact, with Russia-linked hacking group Midnight Blizzard compromising Microsoft’s corporate accounts in January. That campaign was seemingly easier to pull off than Storm-0558’s—Midnight Blizzard simply used a password spraying attack to gain access to what Microsoft described as a “legacy non-production test tenant account” that it used to gather information from the accounts it actually cared about.
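The Midnight Blizzard entry point described above, a password spray that lands on a forgotten legacy test tenant, is exactly the pattern a sign-in log review should surface: one source tries many distinct accounts a few times each, and any success from that source afterwards is the account to worry about. The following detection logic is an added example written for this newsletter entry, not code from Microsoft or from the CSRB report. The comma-separated sign-in records, the account names and the thresholds (five distinct accounts, at most two attempts per account, within ten minutes) are all constructed assumptions for the demonstration; the thresholds would be tuned to a real tenant's baseline.

```python
"""Password-spray detection over constructed sign-in events.

Added example for this newsletter item; not Microsoft's or Synack's code.
Record format (assumed, not real telemetry): timestamp,source_ip,username,result
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one spraying source, one single-account brute force
# (not a spray), and one lone failure. The spraying source then succeeds on a
# stale "legacy-test" account, mirroring the legacy test tenant in the story.
SAMPLE_LOG = """\
2024-01-10T02:00:01Z,203.0.113.7,alice@example.test,FAILURE
2024-01-10T02:00:04Z,203.0.113.7,bob@example.test,FAILURE
2024-01-10T02:00:09Z,203.0.113.7,carol@example.test,FAILURE
2024-01-10T02:00:13Z,203.0.113.7,dave@example.test,FAILURE
2024-01-10T02:00:17Z,203.0.113.7,erin@example.test,FAILURE
2024-01-10T02:00:22Z,203.0.113.7,legacy-test@example.test,SUCCESS
2024-01-10T02:05:00Z,198.51.100.2,alice@example.test,FAILURE
2024-01-10T02:05:10Z,198.51.100.2,alice@example.test,FAILURE
2024-01-10T02:05:20Z,198.51.100.2,alice@example.test,FAILURE
2024-01-10T02:05:30Z,198.51.100.2,alice@example.test,SUCCESS
2024-01-10T02:06:00Z,192.0.2.9,frank@example.test,FAILURE
"""


def parse_events(text):
    """Parse the assumed CSV format into (timestamp, ip, user, result) tuples, time-ordered."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), result))
    events.sort()  # tuples sort by timestamp first
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag source IPs whose failures hit many distinct accounts, few attempts each, within one window.

    Returns {ip: {"sprayed_accounts": [...], "successes": [...]}} where "successes" lists
    accounts that authenticated from the same source inside the spray window: the likely
    foothold, such as a stale test account with a weak password and no MFA.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, ip, user, result in events:
        (failures if result == "FAILURE" else successes)[ip].append((ts, user))

    alerts = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window so that fails[start:end+1] spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = Counter(user for _, user in fails[start:end + 1])
            # Spray signature: breadth across accounts, low depth per account.
            # A single account hammered repeatedly (brute force) does not match.
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                window_start = fails[start][0]
                hits = [user for ts, user in successes.get(ip, [])
                        if window_start <= ts <= window_start + window]
                alerts[ip] = {
                    "sprayed_accounts": sorted(counts),
                    "successes": sorted(set(hits)),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_password_spray(parse_events(SAMPLE_LOG)).items():
        print(f"spray from {ip}: {len(info['sprayed_accounts'])} accounts targeted; "
              f"successes: {info['successes'] or 'none'}")
```

The brute-force source (`198.51.100.2`) is deliberately left unflagged: it retries one account, which is a different signal with a different response (lockout policy) than a spray, whose usual fix is the one the story implies, retiring legacy and test tenants or putting them behind the same MFA and conditional-access rules as production accounts.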

Woof.

The week, compiled

Remember when a lone hacker knocked North Korea offline in 2022? At the time, he was known only as “P4x,” and he decided to put the “hermit” back in Hermit Kingdom after he was targeted by a widespread campaign dedicated to stealing tools from American offensive security experts. It wasn’t clear what happened next—until P4x decided to doxx himself to Wired more than two years later.

Wired today reported that P4x is Alejandro Caceres, “a 38-year-old Colombian-American cybersecurity entrepreneur with hacker tattoos on both arms, unruly dark brown hair, a very high tolerance for risk, and a very personal grudge” who “pitched Department of Defense officials on a mode of US government-sanctioned cyberattacks that, like his solo North Korean takedown, would be far leaner, faster, and arguably more effective than Washington’s slow and risk-averse model of cyberwar.”

“A very high tolerance for risk” was an understatement. The U.S. isn’t typically supportive of hacktivist efforts—at least when they aren’t just covers for official cyber operations—so publicly revealing that there were no consequences for disrupting an entire country’s internet access is certainly a choice. (Caceres also confessed to hacking dark web sites, “pulling data off their backend servers and anonymously handing it to contacts at the Department of Homeland Security,” which is less than legal.)

Tim Wildsmith / Unsplash

But it seems to be the week for Americans to fess up to hacktivism. BBC reported on April 3 that Ukraine sent certificates of gratitude to members of a hacktivist group called One Fist, which has members “from eight different countries including the UK, US and Poland.” That includes Kristopher Kortright, an “IT worker from Michigan” who “has stolen data from Russian military firms and hacked cameras to spy on troops” as part of One Fist’s efforts to support Ukraine following the Russian invasion of February 2022.

I reported in March 2022 that contributing to the “IT Army of Ukraine” could invite backlash from Western countries. By November 2023 it was clear that global conflicts had changed the way some governments viewed hacktivism, though, and that holding these individuals accountable for their actions had become increasingly complicated. But so far it seems like these efforts are more likely to be celebrated than criticized—at least when they’re limited to countries on the U.S. government’s naughty list.

And now for some of the week’s hottest cybersecurity news:

Ars Technica: The accidental discovery of a sophisticated backdoor introduced in a popular open source library (xz Utils) has reignited concerns about the security and sustainability of the tech industry’s status quo. We’re still learning about this effort to undermine the security of countless systems running popular Linux distributions, but Ars Technica’s write-up offers a good overview of why so many defenders had a very stressful weekend.

BleepingComputer: The class-action lawsuits have started rolling in over AT&T’s (mis)handling of a breach that exposed the “names, addresses, phone numbers, dates of birth, Social Security Numbers, and email addresses” of 73 million people. The breach was first disclosed in 2021, but AT&T dismissed those reports until the entire data set was leaked on a hacking forum on March 17.

CNN: A group of “anti-Kremlin hackers” reportedly “plastered a photo of [Alexei] Navalny on [a] hacked prison contractor’s website” after Navalny, whom the Associated Press described as “Russia’s top opposition leader and President Vladimir Putin’s fiercest foe,” died in a penal colony in February. They’re also said to have “stolen a database containing information on hundreds of thousands of Russian prisoners and their relatives and contacts” and made some of that data available to the public.

A message from Synack

Pentesting on a FedRAMP Moderate Authorized Platform. Synack has achieved the Moderate "Authorized" designation from the U.S. Federal Risk and Authorization Management Program (FedRAMP), demonstrating that Synack's premier security testing platform meets the cloud compliance framework's rigorous requirements at the Moderate level. The milestone approval means government agencies can deploy Synack's best-in-class penetration testing and vulnerability management solutions – even for internal data, and in systems that process Controlled Unclassified Information. To learn more about the news and your security testing options, head over to https://hubs.ly/Q02jpBQ30.

Local files

The Record: An alleged breach of Acuity, which The Record said is “a Virginia-based technology consulting firm that works with federal agencies,” has prompted the State Department to investigate claims that some of its data was stolen. The person who claimed responsibility for the hack reportedly said they made off with information about the Department of Defense and NSA as well.

TechCrunch: The Indian government reportedly “resolved a years-long cybersecurity issue that exposed reams of sensitive data about its citizens,” including “Aadhaar numbers, COVID-19 vaccination data, and passport details,” after it was reported by a security researcher in 2022.

CyberScoop: Should the U.S. government consider space a critical infrastructure sector? CyberScoop reported on the arguments for and against the industry’s inclusion in the list of critical infrastructure sectors “amid the Biden administration’s ongoing rewrite of Presidential Policy Directive 21, which is the key federal policy document governing the security of critical infrastructure.”

Off-script

It seems Amazon was lying about being able to replace human cashiers with artificial intelligence. The company said its Just Walk Out technology used AI, but according to The Information, the system was actually powered by 1,000 workers in India watching people as they shopped. Now the company is reportedly dropping the system entirely from its Amazon Fresh line of grocery stores.

Tara Clark / Unsplash

We’ve known since at least 2020 that machine learning (the phrase companies used before they realized they could make a lot more money by rebranding everything to AI) relied on underpaid workers in what The Washington Post would later call “digital sweatshops.” Amazon took it a step further with Just Walk Out, as did the “creators” of a George Carlin special that turned out to be written by a human, not AI.

Just don’t be surprised when other companies do the same. It turns out that AI is an incredibly expensive business to be in: Forbes reported that Stability AI was spending about $99 million a year on its infrastructure even though it only brought in $11 million worth of sales in 2023. But it’s all worth it because these companies are also… wreaking havoc on the environment and democratic processes!