Changelog: Another busy week for Beijing cyberthreats

Steve Johnson / Unsplash

Welcome to Changelog, published by Synack! README senior editor Nathaniel Mott here with a quick housekeeping note: This will be the last installment of the newsletter for August. We’ll return with a new schedule—and, perhaps, a surprise or two—on Sept. 7. Until then, enjoy the rest of the month. Here’s the week’s news:

The payload

Beijing's been busy: We got a trio of reports last week about Chinese hacking. (Or at least hacking that appears to have been conducted on behalf, or to further the goals, of the Chinese government.)

South Korea's National Intelligence Service reported discovering "malicious code embedded in the chips of weather-measuring instruments made in China and used by the Korean Meteorological Administration," as Risky Biz News put it on Aug. 23. The discovery of this so-called "spy chip" will reportedly lead to NIS auditing more than 10,000 pieces of Chinese-made equipment used by the South Korean government.

It's somewhat ironic for China to have been discovered using spy chips in weather monitoring equipment. Beijing previously accused the NSA of hacking an earthquake monitoring station in Wuhan, which it said "poses a serious threat to national security." How, then, should South Korea interpret the insertion of "spy chips" in similar equipment?

Then came Microsoft's report on "a nation-state activity group tracked as Flax Typhoon, based in China, that is targeting dozens of organizations in Taiwan with the likely intention of performing espionage." (The espionage takeaway is based on observations that the group doesn't appear to be conducting "additional actions" after it has made its way into a target's network.)

"Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware," Microsoft said, "relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks." The first campaign relied on a dedicated spy chip in sophisticated equipment; this second one used the same living-off-the-land techniques employed by cybercriminals.

Both campaigns—along with one targeting Hong Kong discussed below—show that China remains active throughout Asia in addition to targeting the U.S. Now the question is how many similar campaigns have gone undetected in other regions.

The week, compiled

Microsoft nearly avoided being a subject of this week's newsletter. Then I read Ars Technica security editor Dan Goodin's report on how the company has repeatedly failed to prevent abuse of its driver-signing program by threat actors keen to receive Microsoft's stamp of approval for Windows rootkits, kernel drivers and other malware.

Goodin's article recounts numerous incidents disclosed between June 2021 and last Tuesday, when Symantec revealed that an advanced persistent threat group it's dubbed Carderbee was using "malware signed with a legitimate Microsoft certificate" to "carry out a supply chain attack" against organizations in Hong Kong and "other regions of Asia."

Vanna Phon / Unsplash

The certs are managed via programs "used to certify that device drivers—the software that runs deep inside the Windows kernel—come from a known source and that they can be trusted to securely access the deepest and most sensitive recesses of the operating system," Goodin said. "Without the certification, drivers are ineligible to run on Windows."

Yet the programs are clearly flawed—and so is Microsoft's response to reports of their abuse. (Which seems to be something of a trend.) Clearly the Storm-0558 hack in July that exposed the emails of numerous government agencies and officials isn't the only aspect of Microsoft's security practices worthy of increased scrutiny.

In other news:

TechCrunch: More than 1,000 organizations are confirmed to have been compromised via vulnerabilities in the MOVEit Transfer software, leading TechCrunch to declare it “the biggest hack of the year.” Considering the number of organizations that haven’t confirmed they were popped by the attack—or might not even realize it themselves—I’d say it’s fair to make that call despite only being in the third quarter.

The Record: U.N. delegates are hashing out an international convention on cybercrime, but The Record reported that "the ultimate text wasn’t expected to be especially ambitious — or to dramatically transform law enforcement’s approach to ransomware" because they are primarily interested in producing something likely to pass the General Assembly in 2024.

ZDNet: Ransomware was on the rise in July, according to a report from NCC Group indicating that there were 502 known incidents that month, which is an increase from the 434 reported in June. Much of that activity was attributed to the Cl0p ransomware gang that exploited vulnerabilities in MOVEit Transfer to compromise hundreds of organizations.

BleepingComputer: WinRAR, the archive utility that has never been purchased by anyone without an IT budget, was "actively exploited to install malware when clicking on harmless files in an archive" in a bid to compromise "online cryptocurrency trading accounts." This campaign has reportedly been active since at least April 2023.

A message from Synack

Dive deep into the top software flaws of 2022 in Synack’s inaugural State of Vulnerabilities report. Researchers on the elite Synack Red Team uncovered a record 14,800 exploitable vulnerabilities across Synack targets last year, ranging from authentication failures to SQL injections. The report shares insights into the root causes of these security gaps. Learn how Synack finds the vulnerabilities that matter and check out the full report here.

Flash memory

Adobe co-founder John Warnock died on Aug. 19 at 82 years old.

"John has been widely acknowledged as one of the greatest inventors in our generation with significant impact on how we communicate in words, images and videos," Adobe CEO Shantanu Narayen said, adding that Warnock received the National Medal of Technology and Innovation, the American Electronics Association Medal of Achievement and other awards in the decades since he co-founded Adobe with Charles Geschke in 1982.

It's virtually impossible to use a computer for more than a few... minutes? without encountering Adobe's technologies or a product of someone using those technologies. The company is best known for its suite of creative tools, sure, but it's also responsible for the nigh-ubiquitous PDF file format. (Not to mention the fallen Flash web technology.) Adobe's influence is everywhere.

Adobe said that Warnock is survived by his wife, Marva Warnock, and three children. The company also published a biography of Warnock on its website as—you guessed it—a PDF.

Local files

The Register: CloudNordic said last week that "the majority of [its] customers" have lost all of their data following a ransomware attack. The company said that it "cannot and do not want to meet the financial demands of the criminal hackers for ransom," which is the common recommendation for organizations affected by such attacks, though that's unlikely to be of comfort to the clients whose data has now been made inaccessible.

CoinDesk: The FBI said the Lazarus Group is looking to cash out from all the crypto heists it’s pulled within the last few months, with the North Korean hackers reportedly moving approximately $40 million worth of Bitcoin over the course of 24 hours. These cash-outs are intended to fill North Korea's coffers while evading the sanctions placed on the country by the U.S. and other superpowers.

Space: The National Counterintelligence and Security Center warned last week that spies and cyber agencies "recognize the importance of the commercial space industry to the U.S. economy and national security, including the growing dependence of critical infrastructure on space-based assets," and could target the industry as a result.

Off-script

A cadre of writers and editors from Motherboard announced last week that they had left Vice's tech vertical to found their own publication: 404 Media.

The group describes 404 Media as "a journalist-founded digital media company exploring the ways technology is shaping–and is shaped by–our world" that will focus on "investigative reports, longform features, blogs, and scoops about topics including: hacking, cybersecurity, cybercrime, sex, artificial intelligence, consumer rights, surveillance, privacy, and the democratization of the internet."

Brett Jordan / Unsplash

That alone would have piqued my interest. Having the inimitable Joseph Cox on board, who's responsible for some of the best security-related reporting I've read in the last decade, made 404 Media an instant must-read, starting with his investigation of a disturbing market for credit data. I'm also keen to see how a journalist-founded org fares in a media environment skewed towards massive outlets like The New York Times on one end and individual writers launching an independent newsletter on the other.

404 Media: check 'em out.