Disappearing SBOMs, a bevy of zero-days and the Father Christmas Worm

Gage Skidmore/Flickr

Welcome to Changelog for 12/18/22, published by Synack! Nate here, delivering your last edition of the year. We’ll return Sunday, Jan. 8. In the meantime, enjoy the holidays — and don’t miss the inaugural episode of the second season of the WE’RE IN! cybersecurity podcast, featuring Andy Greenberg, author of “Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.” (README Editor-in-Chief Blake Sobczak co-hosts the podcast.) Now, for the latest news:


The payload

A draft version of the National Defense Authorization Act passed by the House in July prompted a bit of infosec panic when a security researcher pointed out that the legislation appeared to require thousands of Pentagon suppliers to certify their software “is free from all known vulnerabilities or defects” —an all but impossible task.

Fast forward to last week, when the Senate passed a version of the NDAA for 2023 that lacked any such language, sending the $858 billion defense bill to the White House for President Biden’s signature. FedScoop reported that all requirements related to software bills of materials (SBOMs) were stripped from the legislation amid industry pressure.

That doesn’t come as a surprise. We reported earlier this month that industry groups have been slow to embrace SBOMs because they’re difficult to generate, it’s not clear what kind of information they’re supposed to include and many software makers are hesitant to provide details about how they make their products. Expecting that to change in a few months — never mind ensuring that software like Windows is “free from all known vulnerabilities or defects” — was always going to be too much to ask.

That’s not to say SBOMs are outré in the Defense Department’s vast web of suppliers. The U.S. government has become increasingly concerned about SBOMs since Log4Shell’s disclosure in 2021, and the White House wants its suppliers to include SBOMs for all of the federal government’s software.

But the infosec Twitter hubbub in August was simultaneously late (the House passed H.R. 7900 in July) and premature. Perhaps infosec Mastodon will prove a bit less excitable.

The week, compiled

Security teams around the world got the digital equivalent to a lump of coal in their stockings this week as Microsoft, Apple and other companies released patches for actively exploited zero-day vulnerabilities.

Microsoft’s Patch Tuesday for December included a fix for CVE-2022–44698, which BleepingComputer reported has been exploited to “circumvent the Windows SmartScreen security feature and deliver Magniber ransomware and Qbot malware payloads,” as well as patches for 73 other vulnerabilities.

Apple released iOS 16.2 to address numerous vulnerabilities in the mobile operating system this week. TechCrunch reported that the company also admitted that iOS 16.1.2, which debuted on Nov. 30, included a fix for an actively exploited zero-day vulnerability in the WebKit browser engine used in Safari for iOS.

But the most troubling vulnerabilities were found in Citrix ADC and Citrix Gateway, which the NSA said were being exploited by a Chinese threat actor tracked as APT5, and a flaw in FortiOS SSL-VPN that Fortinet said “may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.” That one has also been exploited in the wild.

If that’s not enough to keep you busy, here are a few other things that happened in the past week:

Email scammers recently stole physical shipments of powdered milk, according to an FBI advisory. Maybe they really needed to bake? JLS Photography — Alaska/Flickr

CNN: First, ransomware criminals came for our meat. Now, email scammers are rerouting entire truckloads of powdered milk, according to a recent FBI, Federal Drug Administration and USDA advisory. “In some cases, the suppliers had already shipped well over $100,000 of milk products before realizing they had been conned, prompting the federal agencies to urge companies to ‘consider taking steps to protect their brand and reputation,’” CNN reported.

CyberScoop: Russia-backed hackers have breached a U.S. satellite network, American officials say, as concerns mount about the cyber defenses of sensitive space equipment. “All of these satellite telco’s are a freaking nightmare when it comes to security posture,” one cybersecurity expert told CyberScoop.

The Washington Post: The next Congress will weigh issues like protecting operational technology, open-source software security and federal IT modernization, according to Senate agenda-setters.

A message from Synack

Insecure and unmanaged APIs can lead to multimillion-dollar security incidents, according to Gartner. Join Synack co-founder and CTO Mark Kuhr and Sabre application security principal Cris Rodriguez for a webinar to learn of a better way to pentest for APIs. They break down the top API vulnerabilities and share best practices for securing this critical part of organizations’ attack surfaces. Learn more and view the webinar on demand here.

Flash memory

’Twas three days before Christmas, in 1988,

When DECNet users found something to hate.

For they’d been infected by the Father Christmas Worm,

Created merely to bother and make them all squirm.

It displayed a message claiming to be from Saint Nick,

Complaining ‘bout how his tummy was too thick.

Then it searched through their address books,

To send itself via email to all the other DEC node kooks.

Dan LeFebvre / Unsplash

Infected some 6,000 nodes, yes, it did,

From its roots in a uni in Switzerland.

They never did find the creator, they say,

Their identity remaining a mystery to this day.

Read the report from NASA if you’re looking for a fright,

Otherwise bid the Father Christmas Worm GOOD NIGHT.

Local files

NPR: Bring on the TikTok bans: Virginia has become the latest state to bar the social media app from being installed on state devices over cybersecurity concerns, joining a growing list of other states including Georgia, Texas, North Dakota and Maryland. The fear is that TikTok’s ties to China-based parent company ByteDance could pose infosec risks owing to intrusive Chinese Communist Party data laws.

Mandiant: Ukrainian government sites have been hit by trojanized Windows 10 Operating System installers, the latest bout of suspicious activity linked to Russia’s GRU military intelligence agency. The cyber news was overshadowed by a series of physical Russian missile strikes on Ukraine’s capital that have left millions of Ukrainians in the dark.


NASA’s Artemis 1 Orion spacecraft splashed down safely on Earth last Sunday after a casual journey around the Moon(!). The successful Artemis 1 mission sets the stage for humans to visit the Moon again (or even Mars) in the coming years.

“From the launch of the world’s most powerful rocket to the exceptional journey around the Moon and back to Earth, this flight test is a major step forward in the Artemis Generation of lunar exploration,” NASA Administrator Bill Nelson said.

Onward and upward!


That’s it for now — see you in 2023! Don’t forget to send tips and feedback to bsobczak@synack.com or nmott@synack.com.