Commit 09_18_2023: Hello, world!
Alex Vegas / Unsplash
Hello! Welcome to Commit, a companion to Changelog intended to help you stay on top of infosec news in between installments of our weekly newsletter. README senior editor Nathaniel Mott here with the latest on the MGM Resorts hack, North Korean crypto theft and more.
404 Media: Testing MGM Resorts’ claims that everything is fine, really, totally fine
Seemingly everyone in the cybersecurity industry has been watching the fallout of a ransomware attack on MGM Resorts—which I covered in last week’s Changelog—from afar. 404 Media’s Jason Koebler opted to get up close and personal by visiting MGM Grand so he could assess whether or not MGM’s claims about its facilities remaining operational were true.
His verdict: “You can still gamble, drink, go to the pool, play slot machines, bet on sports, and scream at TVs. But if you are looking for things that have been fucked up by the hack, and I was, the evidence is everywhere.” From tired workers being forced to replace automated systems to ordering kiosks being down, it was clear that all was not well at MGM Grand.
Elliptic: North Korean hackers have stolen nearly $300 million worth of crypto in about 100 days
Blockchain analysis startup Elliptic said on Sept. 15 that North Korean hackers, having “already been identified as responsible for stealing almost $240 million in crypto assets from Atomic Wallet ($100m) CoinsPaid ($37.3M), Alphapo ($60M), and Stake.com ($41M)” over 104 days, made off with approximately $54 million worth of cryptocurrency in a heist targeting CoinEx.
README doesn’t typically cover the Lazarus Group’s day-to-day activity. That isn’t because North Korea’s premier hacking group is ineffective: If anything, it’s because these campaigns are so effective that the group can steal tens of millions of dollars every 20 days or so, and coverage would be overwhelming. There are no signs of anyone putting a stop to it stealing crypto-backed candy from metaphorical babies. Fortunately, there are firms like Elliptic highlighting the Lazarus Group’s ongoing campaigns.
BBC: Ransomware attack could put undercover officers at risk
A ransomware attack on an unidentified company that “makes ID cards” might have unforeseen consequences for Greater Manchester Police, the BBC reported, with one anonymous officer telling the outlet there’s “particular concern regarding the identities of undercover officers” being made public if the threat actors responsible for the hack decide to leak the compromised data.
This is just the latest example of ransomware attacks posing a far greater risk than many people might expect. (See also: Robert Lemos’ report on the public health risks associated with attacks on healthcare facilities.) It’s essentially the opposite of Lazarus Group activity: despite the frequency with which these attacks occur, it’s important to continue to cover them, because the potential consequences are more dire than a cryptocurrency project losing its funny money.
TechCrunch: Microsoft accidentally exposes 38TB (with a “T”) of sensitive data
Wiz researchers discovered that Microsoft employees accidentally revealed 38 terabytes of sensitive information—including what TechCrunch described as “passwords to Microsoft services, secret keys and more than 30,000 internal Microsoft Teams messages from hundreds of Microsoft employees,” among other things—via a misconfigured Azure Storage URL shared in a public GitHub repository. This misconfiguration reportedly lasted between 2020 and June 24.
The incident highlights just how difficult it is to make sure private data remains private. In this case Microsoft owns every link in the chain: from GitHub and Azure to Teams and Windows. (I assume the devices involved weren’t running macOS or Linux.) Yet even then it was possible for 38TB of data to be exposed for about three years. How are other organizations using these platforms supposed to safeguard their data when even Microsoft can’t seem to do so?
OpenSSF: Funding Rustls and Rust in Linux
Score for the “rewrite it in Rust” brigade: OpenSSF said today its Alpha-Omega project will provide additional funding to Prossimo, an Internet Security Research Group project backing Rustls (a replacement for the OpenSSL library that underpins safe browsing) as well as efforts to expand the use of Rust within the Linux kernel, in a bid to “further Prossimo’s efforts to bring memory safety to critical components of the Internet and further OpenSSF’s Alpha-Omega project’s mission to protect society by improving the security of open source software.”
Rust, as its name kinda-sorta implies, is not a silver bullet for improving security. The recent implementation of “sudo” in Rust shows that simply porting software to the language isn’t going to magically improve security, for example. But when it comes to critical infrastructure, the language’s memory safety guarantees can have a lot to offer. Now Prossimo will be able to continue exploring the ways Rust can help secure this pair of ubiquitous technologies.