Disruptive Chinese malware, Storm-0558 fallout and SEC cyber rules

Harold Mendoza / Unsplash

Welcome to Changelog for 7/30/23, published by Synack! Nathaniel Mott here, still parsing the New York Times’ blockbuster report Saturday citing intelligence that China “has hidden deep inside the networks controlling power grids, communications systems and water supplies that feed military bases in the United States and around the world.” It’s not that China doesn’t pose a pervasive cyberthreat to U.S. interests — I’ve just seen threats to power grids overstated in the past, so I’m not sure what to make of “Volt Typhoon.” But speaking of China:


The payload

U.S. senators don’t like it when Chinese hackers access government emails.

A quick refresher: Microsoft said on July 11 that a China-linked group it’s tracking as Storm-0558 had “gained access to email accounts affecting approximately 25 organizations.” That included the U.S. State Department and Department of Commerce, among others, and now over a dozen senators want more information about the hack.

Newsweek reported on July 26 that a bipartisan group of 14 senators had sent a letter to State Department Chief Information Officer Kelly Fletcher “asking for details of the extent of the breach, and the timeline on which it was fixed,” along with a Sept. 6 deadline for her response. (A copy of the letter can be found here.)

A day later, Sen. Ron Wyden (D-Ore.) sent a letter to U.S. Cybersecurity and Infrastructure Security Agency director Jen Easterly, FTC chair Lina Khan and Attorney General Merrick Garland “to request that your agencies take action to hold Microsoft responsible for its negligent cybersecurity practices, which enabled a successful Chinese espionage campaign against the United States government.”

The Wall Street Journal reported that Microsoft “is working with government agencies and is committed to sharing information about the hack,” according to a company spokesperson, who told the outlet that “this incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks.”

I’d say incurring the wrath of the Senate Finance Committee Chairman also counts as “challenges.”

The week, compiled

Google published on July 27 its breakdown of the zero-days exploited throughout 2022. (An initial summary was published in June 2022; now we have the full report.)

The company said last June that 18 of these vulnerabilities had been detected and disclosed. In the final version of the report, that number has grown to 41, which is a 40% drop from the number of zero-days publicly revealed in 2021. But that doesn’t necessarily mean it’s time to pop some champagne.

“Both positive and negative changes can influence the number of in-the-wild 0-days to both rise and fall. We therefore can’t use this number alone to signify whether or not we’re progressing in the fight to keep users safe. Instead we use the number to analyze what factors could have contributed to it and then review whether or not those factors are areas of success or places that need to be addressed.”

Mitchell Luo / Unsplash

Google said that some of the decline in detected zero-days can be attributed to threat actors being able to exploit known (“n-day”) vulnerabilities on Android due to long patch cycles and the proliferation of hard-to-detect zero-click exploits. These factors bring down the number of zero-days exploited throughout the year, but they’re hardly cause for celebration. (At least on the defenders’ side.)

The company also noted that 17 of the vulns were “variants of previously reported vulnerabilities” from 2020 or 2021, and that “2022 brought more frequent reports of attackers using the same vulnerabilities as each other, as well as security researchers reporting vulnerabilities that were later discovered to be used by attackers.” The former is also a bummer, but at least the latter is a net positive.

Some other stories that caught my attention last week:

AP: The Securities and Exchange Commission voted 3–2 along party lines to require publicly traded companies to disclose “material” cybersecurity breaches within four days, a move that drew pushback from some corners of the U.S. business community. “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said.

TechCrunch: “Call of Duty: Modern Warfare 2” was taken offline last week following the discovery of a worm that infects the systems of people still playing the 14-year-old game. (The 2022 title bearing the same name doesn’t appear to be affected.) As for why someone developed malware for such an old game, well, that isn’t clear yet.

BleepingComputer: Ransomware gangs are diversifying their leak methods. BleepingComputer reported on July 23 that Cl0p had started leaking data stolen by exploiting vulnerabilities in MOVEit Transfer to clearweb sites, and on July 26, it reported that ALPHV’s leak site now provides an API to make finding data easier.

The Record: More than 900,000 MikroTik routers remained susceptible to a vulnerability (CVE-2023-30799) nearly a week after the company released a patch for it, according to VulnCheck, which told The Record that exploits for the underlying security flaw have been publicly available since at least June 2022.

A message from Synack

Dive deep into the top software flaws of 2022 in Synack’s inaugural State of Vulnerabilities report. Researchers on the elite Synack Red Team uncovered a record 14,800 exploitable vulnerabilities across Synack targets last year, ranging from authentication failures to SQL injections. The report shares insights into the root causes of these security gaps. Learn how Synack finds the vulnerabilities that matter and check out the full report here.

Flash memory

Wired senior writer Andy Greenberg has a thing for letting security researchers hack a vehicle while he’s driving it — and for publishing the reports based on these proof-of-concept exploits some time in late July.

The first report, published by Forbes in July 2013, was fairly tame. Greenberg said that security researchers Charlie Miller and Chris Valasek “sent commands from their laptops that killed power steering, spoofed the GPS and made pathological liars out of speedometers and odometers” to a Ford Escape and Toyota Prius while he drove around an abandoned parking lot. That’s frightening, sure, but fairly safe.

Then a follow-up arrived in July 2015. Greenberg opens that report, which was published by Wired, with the line “I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold.” (Talk about not burying the lede, Andy!) That’s terrifying even before you reach this snippet:

“To better simulate the experience of driving a vehicle while it’s being hijacked by an invisible, virtual force, Miller and Valasek refused to tell me ahead of time what kinds of attacks they planned to launch from Miller’s laptop in his house 10 miles west. Instead, they merely assured me that they wouldn’t do anything life-threatening. Then they told me to drive the Jeep onto the highway.”

Reader, I can guarantee that my response would have been a “no” so colorful The New York Times would refuse to print it. But not Greenberg, and we’re all better off for it, because this coverage of Miller and Valasek’s research has prompted vehicle makers to start taking cybersecurity at least a little more seriously than before.

Local files

The Register: NATO is investigating SiegedSec’s claim that it “broke into the military alliance’s unclassified information-sharing and collaboration IT environment, stole information belonging to 31 nations, and leaked 845 MB of compressed data,” as The Register put it.

CyberScoop: The Senate Commerce Committee is moving forward with two bills — the Children and Teens’ Online Privacy Protection Act and the Kids Online Safety Act — despite widespread criticism regarding the data collection the bills would require and the risks they would pose to youths who are already in unsafe situations.

Reuters: China accused the U.S. of hacking an earthquake monitoring center in Wuhan on July 26 and said the breach threatened its national security. It’s not clear why the U.S. would hack this equipment, however, or how exactly doing so would threaten China even if such an operation had taken place.

Off-script

There are too many streaming platforms. Most organizations thinking about introducing another one shouldn’t — with the possible exception of NASA.

History in HD / Unsplash

The space agency said on July 27 that it plans to introduce a platform called NASA+ later this year. “Through the ad-free, no cost, and family-friendly streaming service,” NASA said, “users will gain access to the agency’s Emmy Award-winning live coverage and views into NASA’s missions through collections of original video series, including a handful of new series launching with the streaming service.”

NASA is also testing an update to its website and said it “will continue to connect additional agency websites and multimedia libraries into this new experience to continually streamline all the information shared across its centers, missions, and programs.” (You should check out the new site at beta.nasa.gov; it’s pretty cool.)

Like I said, there are too many streaming platforms. But space is cool. It follows that an ad-free no-cost streaming platform about space would also be cool. And so far as performance goes, well, it’s not like making a video app’s rocket science.

That’s all for now — please send any feedback to nmott@synack.com or bsobczak@synack.com. See you next Sunday!