Commit 10_31_2023: SolarWinds in the SEC’s hot seat

Welcome to Commit 10_31_2023! README senior editor Nathaniel Mott here on the spookiest day of the year with the top cybersecurity news.

Axios: SEC files suit against SolarWinds

CISOs are sweating once again following the Securities and Exchange Commission’s filing of fraud charges against SolarWinds and its security chief on Monday because, as Axios put it, “SolarWinds and [CISO Timothy] Brown allegedly presented misleading and false statements about the company's cybersecurity risks and practices from October 2018 to ‘at least’ January 12, 2021.”

Are other CISOs right to be worried about facing similar charges? I suspect that depends on their answer to a fairly simple question: Have you deliberately misled regulators and investors about some aspect of your company’s security posture? That’s why the SEC filed against Brown—and why former Uber chief security officer Joe Sullivan was sentenced to three years of probation after covering up a 2016 hack.

Forbes: Israel turns to spyware companies

Forbes today reported that Israel has “called on its much-vaunted cybersecurity and surveillance industries to assist in the war on Hamas” by “remotely breaking into and silently monitoring the smartphones and laptops of abductees” so the Israel Defense Forces can learn more about Hamas’ movements following the group’s coordinated attack on southern Israel on Oct. 7.

Israel’s spyware industry has long been criticized for selling its wares to authoritarian regimes that use those capabilities to spy on activists, journalists and other people of interest. Now even the oft-maligned NSO Group has been called upon to help the Israeli government access the devices and social media accounts of both the victims and the perpetrators of the Oct. 7 attack.

Risky Biz News: CitrixBleed vulnerability starts gushing

A vulnerability in what Risky Biz News described as “extremely complex networking devices used in large enterprise and government networks in multiple roles, such as gateways, proxies, caching, VPN servers, and a bunch of other stuff”—otherwise known as Citrix ADC and Citrix NetScaler—is seeing mass exploitation over two weeks after Citrix released patches to address the flaw.

The vulnerability has been dubbed CitrixBleed, and it can be used to compromise session tokens so attackers can take control of affected devices without having to worry about pesky usernames or passwords. At this point anyone running one of these Citrix products who hasn’t installed the patches should probably kick off the incident response process sooner than later.

Bloomberg: U.S. details extent of MOVEit hack

Bloomberg reported on Oct. 30 that Cl0p exploited the MOVEit Transfer vulnerability (more on that here) to gain “access to the email addresses of about 632,000 US federal employees at the departments of Defense and Justice.” That’s according to a report from the Office of Personnel Management—which knows a thing or two about being hacked—obtained via the Freedom of Information Act.

Here’s the good news: OPM reportedly said “it didn’t have reason to believe it posed a significant risk and that the compromised data was ‘generally of low sensitivity’ and not classified.” (Which is probably why we’re hearing about the breach from Bloomberg now, months after Cl0p started extorting organizations compromised via the MOVEit Transfer vuln, rather than straight from the horse’s mouth earlier this year.)

Reuters: 40 countries pinky promise not to pay ransomware gangs

The International Counter Ransomware Initiative today announced that 40 countries led by the U.S. “plan to sign a pledge never to pay ransom to cybercriminals and to work toward eliminating the hackers' funding mechanism,” as Reuters put it, in the latest attempt to make a dent in the number of ransomware attacks organizations face each year. But will it be enough to dissuade such activity?

Probably not. Experts have advised organizations not to pay ransomware gangs for years, especially since there’s no guarantee that making a payment will result in restored access to encrypted files, or stop any stolen information from being leaked. Yet enough orgs pay for these cybercrime groups to remain in operation. It’s hard to see a symbolic vow between governments being enough to make a difference.