Commit 12_11_2023: A lot of hackin’ going on

Kasia Derenda / Unsplash

Welcome to Commit 12_11_2023! README senior editor Nathaniel Mott here with the world’s longest cold and some hot-hot security news.

WaPo: China’s hacked ‘about two dozen critical entities’ in the U.S.


It’s no secret that government-backed threat actors have been poking and prodding at critical infrastructure throughout the U.S. and other countries. The Washington Post today reported that China has been particularly active, with “U.S. officials and industry security officials” saying the country’s “burrowed into the computer systems of about two dozen critical entities over the past year.”

These so-called critical entities include “power and water utilities as well as communications and transportation systems.” But there is a silver lining: “none of the intrusions affected industrial control systems that operate pumps, pistons or any critical function, or caused a disruption,” U.S. officials told The Post. In other words, the footholds have so far been used for access and reconnaissance rather than for disruption, which says something about what the intruders chose to do, not about what those footholds would allow.

The Record: FBI guides companies through SEC reporting rules

Here’s one for all the ransomware gangs… erm, companies out there: The Record said on Dec. 8 that the FBI has “published guidance on how companies can request a delay in disclosing cyber incidents to the Securities and Exchange Commission.” Some context: the SEC’s rule gives public companies four business days from the moment they decide an incident is material to file the disclosure, and the only sanctioned way to push that deadline is a determination by the U.S. Attorney General that disclosing would pose a substantial risk to national security or public safety. Companies make that request through the FBI, which passes it along to the Justice Department, so the guidance should make it easier for American companies that qualify to buy some time with regulators while they grapple with the fallout of a successful hack.

It could also help them avoid being bullied by ransomware gangs—not that I’d recommend other cybercriminals following in AlphV / BlackCat’s footsteps by reporting a victim to the SEC. As we reported earlier this month, while threatening companies with regulatory scrutiny might prove effective in some cases, in others it seems unlikely to result in them paying a ransom to the group that tattled.

The Verge: FTC revives QR code hacking concerns

Here we go again. The Verge reported that the FTC joined the chorus of cautionary voices related to QR-code-based phishing attempts last week. (Fortunately the publication had the good taste not to refer to these kinds of attacks as “quishing,” which is the kind of thing toddlers say when they squish something, and not the kind of thing self-respecting adults should repeat.)

I really didn’t think I’d have to address hacking via QR codes after I reported on how it’s largely a non-issue following the Super Bowl in 2022. A QR code is just an encoded string, usually a URL, and the phone opens it the same way it would a link in an email, so scanning one isn’t inherently more risky than following a malicious link. The one practical difference is that you can’t read the address until the camera has decoded it, which means the check is the same as for any link: look at the URL the scanner shows before tapping it. And although “don’t click on suspicious links” is perhaps the most oft-repeated security advice besides “use a password manager,” the reality is that people are going to click and scan anyway.

BleepingComputer: Devs are still using vulnerable versions of Log4j

I wish I could say I didn’t expect to be talking about Log4j—the ubiquitous Java library that ruined seemingly every cybersecurity professional’s holiday in 2021—at the end of 2023 either. But we’ve known for a while that the so-called “Log4Shell” vulnerabilities would continue to pose a problem for years after their disclosure. Log4j is usually pulled in as a transitive dependency or bundled inside someone else’s jar, so plenty of teams never knew they were running it, and there’s a decent chance that some of the software that bundles it will never be updated.

Enter this Dec. 10 report from BleepingComputer indicating that, according to Veracode, some 30% of software using Log4j relies on a vulnerable version of the library. Should we be surprised that the percentage remains so high after two years of warnings related to Log4Shell? No. Does that make it any less of a bummer? Not really! Let’s see if anything changes over the next two years.
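The check a practitioner wants at this point is which archives in a deployment still carry a log4j-core build older than the fixed releases. The Python below is an added example, not code from README, BleepingComputer or Veracode: it builds a sample WAR in memory (a constructed stand-in, not real log4j jars), reads the log4j-core version from the jar’s Maven pom.properties (falling back to the manifest), descends into nested jars, and reports a jar whose JndiLookup class has been deleted as mitigated rather than fixed. The thresholds it uses are the Apache releases that closed CVE-2021-44228 and its follow-ups: 2.17.1 on the main line, 2.12.4 and 2.3.2 on the Java 7 and Java 6 backport lines.

```python
"""Scan jars (and jars nested inside WAR/EAR/fat jars) for log4j-core builds
that predate the Log4Shell fixes. Added example; sample jars are constructed
in memory and are not real log4j builds."""
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# First release on each maintained line that closes CVE-2021-44228 and its
# follow-ups; 2.3.x and 2.12.x are the Java 6/7 backport lines.
FIXED_BY_LINE = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
FIXED_DEFAULT = (2, 17, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.17' -> (2, 17, 0); None if unparseable."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def classify(version, has_jndi_lookup):
    """Return 'fixed', 'mitigated', 'vulnerable' or 'unknown' for a log4j-core jar."""
    if version is None or version[0] != 2:
        return "unknown"  # no version found, or the unrelated 1.x code base
    if version >= FIXED_BY_LINE.get(version[:2], FIXED_DEFAULT):
        return "fixed"
    # Deleting JndiLookup.class was Apache's documented stop-gap for 2.10+
    # when upgrading was impossible: count it as mitigated, not fixed.
    return "vulnerable" if has_jndi_lookup else "mitigated"


def read_version(zf, names):
    """Version from Maven pom.properties (specific to log4j-core) or, failing
    that, the manifest; a manifest may belong to a host fat jar instead."""
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    if "META-INF/MANIFEST.MF" in names:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    return None


def scan_jar(data, path="<bytes>"):
    """Return [(path, version, status)] for every log4j-core found in the
    archive, descending into nested .jar/.war/.ear entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
            version = read_version(zf, names)
            findings.append((path, version, classify(version, JNDI_LOOKUP in names)))
        for name in sorted(names):
            if name.lower().endswith((".jar", ".war", ".ear")):
                findings.extend(scan_jar(zf.read(name), f"{path}!/{name}"))
    return findings


def build_jar(version=None, include_jndi=True, nested=None):
    """Constructed stand-in for a log4j-core jar (or a WAR wrapping some)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
            zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
            if include_jndi:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        for name, blob in (nested or {}).items():
            zf.writestr(name, blob)
    return buf.getvalue()


def demo():
    """Constructed WAR bundling four log4j-core builds of different ages."""
    war = build_jar(nested={
        "WEB-INF/lib/log4j-core-2.12.4.jar": build_jar("2.12.4"),
        "WEB-INF/lib/log4j-core-2.14.1.jar": build_jar("2.14.1"),
        "WEB-INF/lib/log4j-core-2.15.0.jar": build_jar("2.15.0", include_jndi=False),
        "WEB-INF/lib/log4j-core-2.17.1.jar": build_jar("2.17.1"),
    })
    return scan_jar(war, "app.war")


if __name__ == "__main__":
    for path, version, status in demo():
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:<10} {shown:<8} {path}")
```

Run against a real deployment by feeding `scan_jar` the bytes of each jar, WAR or EAR on disk. Two caveats: a build that shades log4j into a relocated package (anything other than `org.apache.logging.log4j`) will not match the path prefix, and classes extracted loose onto the classpath are not archives at all, so pair this with a dependency tree or SBOM rather than treating it as the last word.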