Changelog: The “C” in SEC stands for “cyber”

Edu Grande / Unsplash

Welcome to Changelog for 10/12/23, published by Synack! README senior editor Nathaniel Mott here after getting the flu shot and the most recent COVID booster to bring you the week’s cyber news.

The payload

The Securities and Exchange Commission is conducting two cybersecurity-related investigations worth caring about. (And no, neither has to do with the cyber disclosure rules the commission adopted in July.)

The first is an investigation into MOVEit Transfer maker Progress Software, which said in a filing that the SEC has launched “a fact-finding inquiry” related to the mass exploitation of vulnerabilities in the file transfer software by the Cl0p ransomware gang. TechCrunch noted that this campaign is known to have led to the compromise of more than 64 million people—and the actual number is probably much higher.

The second is an investigation into what Bloomberg described as “a 2018 security lapse” at Twitter related to the ability to learn any user’s email address by attempting to reset their password, with the SEC reportedly “scrutinizing whether the former top executives failed to adequately disclose those privacy issues to shareholders or put in place proper controls,” per “people familiar with the matter.”

The potential ramifications of both investigations remain unclear. Progress Software was careful to note that “the investigation does not mean that Progress or anyone else has violated federal securities laws,” and Bloomberg reported that “none of the former executives has been accused of any wrongdoing.” But these investigations, along with the new disclosure rules, make it clear the SEC is taking cyber seriously.

The week, compiled

When it comes to vulnerability disclosures, many people’s official stance is that nobody wants to see a critical flaw in popular software, because that would be a terrible thing to want. Unofficially? Vulnerabilities like that are far more interesting than yet another milquetoast flaw in some enterprise software that most organizations probably shouldn’t be running on-premises in the first place. It’s sickos the whole way down.

It was against this backdrop that a high-severity vulnerability in curl, a “command line tool and library for transferring data with URLs” that’s been available since 1998, and the associated libcurl library was revealed on Oct. 11. (A low-severity flaw was revealed the same day.) Curl maintainer Daniel Stenberg said ahead of the vuln’s disclosure that it was “probably the worst curl security flaw in a long time.”

That isn’t the kind of thing you want to hear about a utility and library found in practically every internet-connected device on the planet, of course. So it was good that JFrog said “the vast majority of curl users won’t be affected by this vulnerability” because of the conditions that must be met for it to be exploited—and even then attacks are more likely to lead to denial of service than remote code execution.


Markus Spiske / Unsplash

It reminds me of the OpenSSL flaws revealed last year—the official stance is that these flaws being less impactful than expected is welcome news. Unofficially, though, it seems some folks were annoyed by the hype leading up to the disclosure of this vulnerability. (Even though it was clearly marked as high severity, and “the worst curl security flaw in a long time” does not translate to “a threat to the entire internet.”) 

Now onto the week in README:

Commit 10_10_2023: This week’s sole Commit (I skipped Monday’s release in observance of Indigenous Peoples’ Day) focused on the release of the Predator Files, a record-breaking distributed denial-of-service attack that exploited a flaw in the HTTP/2 protocol, the most important fixes Microsoft released on Patch Tuesday and hacktivists’ rush to sow chaos after a Hamas attack on Israel Saturday reignited the conflict. 

And some of the biggest news from around the web:

Wired: Surprise! A new report from blockchain sleuthing firm Elliptic today revealed that the approximately $477 million worth of cryptocurrency stolen from the infamous FTX exchange in November 2022 might not have been nabbed by North Korean hackers—the most prolific crypto thieves on the planet and, therefore, the obvious suspects for such a heist—but instead by a group with links to Russian cybercrime. 

The Record: Microsoft said on Oct. 10 that a vulnerability in Atlassian’s knowledge management software, Confluence, was exploited by a threat actor it tracks as Storm-0062 as early as Sept. 14. (The vulnerability, CVE-2023-22515, was publicly revealed on Oct. 4.) The company said that others have tracked this group as DarkShadow or Oro0lxy; The Record noted that the latter identifier is a moniker used by a Chinese Ministry of State Security hacker indicted by the Justice Department in 2020.

A message from Synack

How companies approach security testing is in need of a makeover. Traditional pentesting satisfied compliance requirements, but that doesn’t stop critical vulnerabilities from affecting the business. With a strategic testing approach, companies can discover the vulnerabilities that matter most, manage remediation more quickly and see security posture improvement in real time with essential analytics. Learn how to start your journey to strategic testing.

Flash memory

It has officially been 35 years since Steve Jobs revealed the NeXT Computer. Although NeXT itself didn’t survive—the company was acquired by Apple in 1997—the legacy of its technologies continues today.

The most obvious throughline involves macOS. Parts of the NeXTSTEP operating system have provided the foundation for Apple’s personal computers since Mac OS X debuted in 2001, surviving the shift to OS X in 2012 and macOS in 2016. The tech has outlived its parent company several times over.

The Computer History Museum also pointed out that NeXT “introduced several features new to personal computers, including an optical storage disc, a built-in digital signal processor that allowed voice recognition, and object-oriented languages that simplified programming.”

Wikipedia noted that NeXTSTEP “is the platform on which Tim Berners-Lee created the first web browser, and on which id Software developed the video games Doom and Quake,” so it’s safe to say that little black box was used to make some cool stuff even though most people never got their hands on one.

Local files

BleepingComputer: ALPHV / BlackCat reportedly claimed responsibility for “an attack that affected state courts across Northwest Florida [...] last week,” with BleepingComputer saying the group allegedly “acquired personal details like Social Security numbers and CVs of employees, including judges.” The court’s official statement about the incident can be found on its website.

The Register: Simpson Manufacturing Company said in an SEC filing that it “experienced disruptions in its Information Technology (IT) infrastructure and applications resulting from a cybersecurity incident” on Oct. 10. The company hasn’t revealed additional details about the attack but did say that it “has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations.”

Off-script

I really shouldn’t be surprised that companies have to be told not to make deepfakes without their subject’s permission, yet here I am, gobsmacked at TechCrunch’s story about a startup that “shared two ‘deepfaked’ videos” of a reporter in “an unsolicited email pitch” seeking coverage of their service. (I’m not going to name or link to the company, but that information is easy to find in the TechCrunch report.)

Deepfakes are AI-generated photos and videos featuring the likeness of a real person. They’ve gotten pretty good—and have also been used to do far worse things than creep out reporters.


Transly Translation Agency / Unsplash

  • Exhibit A: People using deepfakes to make porn using someone’s likeness, which MIT Technology Review reported in 2021 was “ruining women’s lives,” yet is still an ongoing problem.
  • Exhibit B: A deepfake of Ukrainian President Volodymyr Zelenskyy “appearing to tell his soldiers to lay down their arms and surrender the fight against Russia,” as NPR put it, going viral in March 2022.
  • Exhibit C: The FBI said in June that it “continues to receive reports from victims, including minor children and non-consenting adults, whose photos or videos were altered into explicit content” and then “publicly circulated on social media or pornographic websites” as part of harassment or “sextortion” schemes.


This harassment, disinformation and outright abuse wouldn’t occur without increasingly capable deepfake technology, which appears to have little to offer when it comes to the creation of non-malicious content, at least from what I’ve seen to date. It’s past time for regulators to discourage the use of this technology without strict safeguards (and heavy punishments for misuse) and reporting requirements.

The potential for societal harm far outweighs the benefits of these technologies—and the fact that a company was comfortable generating deepfakes of a reporter they haven’t interacted with just so they can appear in TechCrunch shows that it probably shouldn’t be trusted to steward responsible use of its service in the first place. This is exactly the kind of problem regulators are meant to address; I hope they do so.