China’s U.S. agency hacking spree, zero-days galore and USB malware

Silas Köhler / Unsplash

Welcome to Changelog for 7/16/23, published by Synack! Nathaniel Mott here, signing in from upstate New York. README was onsite at the Intelligence and National Security Summit in National Harbor, Md., where editor-in-chief Blake Sobczak picked up the highlights from the two-day annual conference. Here’s what else played out last week:


The payload

Microsoft revealed on July 11 that a China-linked threat actor it’s tracking as Storm-0558 “gained access to email accounts affecting approximately 25 organizations including government agencies as well as related consumer accounts of individuals likely associated with these organizations.”

CNN reported that the U.S. State Department and Department of Commerce were among the organizations affected by the incident, and even though “the full scope of the hack is being investigated,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Microsoft has informed all orgs known to have been targeted in this campaign.

Microsoft said it has assessed that “this adversary is focused on espionage, such as gaining access to email systems for intelligence collection,” and that “this type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems.”

Wired reported that the threat actor was “able to steal a key that Microsoft uses to sign tokens for consumer-grade users of its cloud services” and then exploit a bug that “allowed them to sign consumer-grade tokens with the stolen key and then use them to instead access enterprise-grade systems.” But how exactly Storm-0558 got this key in the first place is unknown.
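The validation gap Wired describes, as an added illustration that is not from the newsletter, from Microsoft, or from any real token API: a simplified model in which HMAC keys stand in for the consumer and enterprise signing keys, and the key IDs, audiences and secrets are constructed placeholders. A validator that only checks "is the signature valid under some key in the keyset, and is the audience right?" accepts a token minted with the consumer key for an enterprise audience; binding each key to the audience scope it may sign for closes that gap.

```python
import base64, hashlib, hmac, json, time

# Constructed keyset (placeholders): one key per signing scope.
KEYS = {
    "consumer-1": {"secret": b"consumer-signing-secret", "scope": "consumer"},
    "enterprise-1": {"secret": b"enterprise-signing-secret", "scope": "enterprise"},
}
# Which signing scope each audience (relying service) is allowed to trust.
AUDIENCE_SCOPE = {"mail.enterprise.example": "enterprise", "mail.consumer.example": "consumer"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint a JWT-style token under the key named by kid (HMAC stands in for RSA here)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def validate_token(token: str, expected_aud: str, bind_key_scope: bool) -> bool:
    """bind_key_scope=False: signature + audience + expiry only (the weak validator).
    bind_key_scope=True: additionally require the key's scope to match the audience's scope."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
        claims = json.loads(_unb64(body_b64))
    except (ValueError, json.JSONDecodeError):
        return False
    key = KEYS.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        return False
    expected_sig = hmac.new(key["secret"], f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64(sig_b64)):
        return False
    if claims.get("aud") != expected_aud or claims.get("exp", 0) < time.time():
        return False
    # The hardening: a consumer-scope key must never authorise an enterprise audience.
    if bind_key_scope and key["scope"] != AUDIENCE_SCOPE.get(expected_aud):
        return False
    return True

def demo() -> tuple:
    # Constructed scenario: a token for the enterprise audience signed with only the consumer key.
    ent = {"sub": "user@example", "aud": "mail.enterprise.example", "exp": time.time() + 600}
    forged, legit = sign_token("consumer-1", ent), sign_token("enterprise-1", ent)
    return (validate_token(forged, "mail.enterprise.example", bind_key_scope=False),
            validate_token(forged, "mail.enterprise.example", bind_key_scope=True),
            validate_token(legit, "mail.enterprise.example", bind_key_scope=True))
```

The first result shows the weak validator accepting the cross-scope token; the second shows the scope-bound validator rejecting it while still accepting the legitimately signed one.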

Microsoft said it has “completed mitigation of this attack for all customers.” But I’d be surprised if we’ve heard the last of the fallout from this hack.

The week, compiled

It was a helluva week for zero-day vulnerabilities.

Apple kicked off the week with patches for iOS, iPadOS and macOS that addressed an actively exploited vulnerability in the WebKit browser engine. (And then it pulled and re-released the patches after they broke Facebook, Zoom and other popular websites in the company’s Safari browser.)

Mitchell Luo / Unsplash

A number of updates for Windows and Office products arrived on Patch Tuesday to address a zero-day vulnerability that could lead to remote code execution. Palo Alto Networks’ Unit 42 threat intelligence division said it could confirm these flaws have been exploited since at least July 3, and three other zero-days were addressed with their own patches as well.

But these massive tech companies weren’t the only ones addressing zero-days this week. Risky Biz News reported that the maintainers of Lemmy, a decentralized take on Reddit that’s received more attention than usual following the latter company’s decision to kill off third-party clients, also had to contend with a vulnerability being exploited over the weekend.

Also from last week:

BleepingComputer: USB-delivered malware has seen a dramatic spike in popularity in 2023, according to Mandiant, which reported on two ongoing campaigns (SOGU and SNOWYDRIVE) that are using USB drives to deliver malware to organizations in various industries around the world.

TechCrunch: The fallout from vulnerabilities in MOVEit Transfer continued to expand last week as TechCrunch reported that “hotel chain Radisson, U.S.-based 1st Source Bank, real estate giant Jones Lang LaSalle and Dutch GPS company TomTom” were among the “hundreds of victims” of the Cl0p ransomware gang’s efforts to exploit these flaws.

Ars Technica: The makers of a WordPress plugin called All-In-One Security — which is used by more than 1 million websites — released an update on July 13 after it was found to be “logging plaintext passwords and storing them in a database accessible to website admins.”

A message from Synack

Dive deep into the top software flaws of 2022 in Synack’s inaugural State of Vulnerabilities report. Researchers on the elite Synack Red Team uncovered a record 14,800 exploitable vulnerabilities across Synack targets last year, ranging from authentication failures to SQL injections. The report shares insights into the root causes of these security gaps. Learn how Synack finds the vulnerabilities that matter and check out the full report here.

Flash memory

It’s been eight years since Ashley Madison, a platform whose tagline is “life is short […] have an affair,” was hacked by Impact Team. Hulu marked the occasion by releasing a limited series called “The Ashley Madison Affair.”

Brian Krebs reported on July 15, 2015 that Impact Team “leaked maps of internal company servers, employee network account information, company bank account data and salary information” as well as “snippets of account data apparently sampled at random from among some 40 million users” of Ashley Madison, Cougar Life and Established Men.

Krebs — who appears in “The Ashley Madison Affair” — published two follow-up articles on the service’s hack last week. The first revealed that the primary suspect in the hack died by suicide in 2014; the second offers additional information about why that person was the primary suspect.

Nobody has been charged in the Ashley Madison hack, and it doesn’t seem any progress has been made towards identifying the culprits.

“I realize this ending may be unsatisfying for many readers, as it is for me,” Krebs wrote. “The story I wrote in 2015 about the Ashley Madison hack is still the biggest scoop I’ve published here (in terms of traffic), yet it remains perhaps the single most frustrating investigation I’ve ever pursued. But my hunch is that there is still more to this story that has yet to unfold.”

Local files

The Record: A ransomware attack on the town of Cornelius, North Carolina has led to “delayed or unavailable services,” with a town representative telling The Record that the “services most affected will be those delivered over the phone or those requiring staff to access files located on our servers.” The town’s 911 services remain operational, however.

Wired: Variety Jones, whose real name is Roger Thomas Clark, was sentenced to 20 years in prison for helping administer the infamous Silk Road dark web drug marketplace. (Silk Road creator Ross Ulbricht was sentenced to life in prison in 2015.)

CyberScoop: The White House revealed on July 13 its implementation plan for the National Cybersecurity Strategy, but CyberScoop noted that “if courts rule against [new] standards and Chinese hackers are nonetheless able to penetrate cloud services, Biden administration officials face a tall task in trying to protect the nation’s most sensitive infrastructure.”

Off-script

Microsoft engaged in a bit of typographical defenestration last week — which is to say Calibri has been replaced as the Office suite’s default font.

Brett Jordan / Unsplash

The company said on July 13 that its new font, Aptos, “will start appearing as the new default font across Word, Outlook, PowerPoint and Excel for hundreds of millions of users” and will replace Calibri as the default font for all Microsoft customers “over the next few months.”

The Verge noted that this is poor timing for the U.S. State Department, which finally switched to Calibri earlier this year. I suspect other organizations will be quicker to switch to Aptos, so don’t be surprised if hastily printed signs the world over look a little different than they used to.

And don’t worry — Microsoft said that Calibri will join Times New Roman and Arial in their special place atop the list of installed fonts. This place of honor all but guarantees that nobody will forget Calibri as they scroll as quickly as possible to the most hallowed of fonts: Comic Sans.

That’s all for now — please send any feedback to nmott@synack.com or bsobczak@synack.com. See you next Sunday!