IoT cyber scorecards, Iranian hacking operations and a “dramatic change” to U.S. nuclear codes

Ivan Radic/Flickr

Welcome to Changelog for 10/23/22, published by Synack! Blake here, joined by README senior editor Nathaniel Mott. There was a lot of news last week, so let’s get right to it:


The payload

The White House is rolling ahead with a cybersecurity labeling program for Internet-of-Things devices. The Biden administration held a meeting Wednesday with manufacturers and tech giants to discuss how to craft the cyber equivalent of Energy Star ratings.

The goal is to help consumers make better choices when buying internet-connected household products, which often lack effective cyber safeguards. (“The ‘S’ in IoT stands for ‘security,’” an old saying goes.)

“A labeling program to secure such devices would provide American consumers with the peace of mind that the technology being brought into their homes is safe, and incentivize manufacturers to meet higher cybersecurity standards and retailers to market secure devices,” National Security Council spokesperson Adrienne Watson said Thursday.

The Energy Star program can track energy savings with watts. Gauging cybersecurity, however, is a lot murkier. I’ve drafted a few questions that could go into earning an IoT security label:

  • Does the device leak user data to no more than three third-party advertisers?
  • Are there 25,000 or fewer instances of the device accessible via a simple Shodan search?
  • Is the device’s default, hardcoded password something — anything! — other than “admin”?
  • Has the device been roped into either the Mirai or Mozi botnets (but not both)?

All jokes aside, IoT security is an enormous challenge that’s only getting bigger as a deluge of new devices from Fitbits to smart refrigerators come online. The White House’s focus on the issue is welcome, even if I still have questions about how a cyber Energy Star rating will work.

The week, compiled

Sometimes a software flaw sets everyone’s hair on fire; other times it just singes a few eyebrows.

Take a new vulnerability in the Apache Commons Text library (CVE-2022-42889), which drew initial comparisons to last year’s Log4j or “Log4Shell” flaw. That December 2021 vulnerability in the ubiquitous Java-based logging utility is expected to pose problems for a decade.

Illustration: Si Weon Kim

Not everything deserves a frenzied Log4j-style response. Rapid7 principal artificial intelligence researcher Erick Galinkin poured some cold water on the latest “Text4Shell” vuln in a blog post last week, noting “there are significant caveats to practical exploitability for CVE-2022-42889.”

“With that said, we still recommend patching any relevant impacted software according to your normal, hair-not-on-fire patch cycle,” he added.

Here are some other recent happenings:

NBC News: The FBI warned of “ongoing” Iran-linked cyber activity targeting the U.S. in a private industry notification Thursday. The Emennet Pasargad hacking group has a sordid history of conducting hack-and-leak operations.

Protocol: Dmitri Alperovitch, the executive chairman of Silverado Policy Accelerator and co-founder of CrowdStrike, warned we’re poised to enter “one of the most dangerous times that we’ve had in the history of the cyber domain when it comes to our infrastructure here in the West,” owing to threats posed by Russia and China. The comments aligned with similar warnings from U.S. officials earlier this month.

SOCRadar: A misconfigured Azure Blob Storage instance managed by Microsoft leaked “critical data” — including “more than 335,000 emails, 133,000 projects, and 548,000 exposed users,” according to SOCRadar. “The amount and scale of the leaked data make it the most significant B2B data leak in the recent history of cybersecurity,” the threat intelligence company said. Microsoft confirmed the incident but disputed SOCRadar’s characterization of the leaked data.

A message from Synack

There is a better way to pentest that meets compliance requirements, ensures vulnerabilities are remediated and augments existing security teams, allowing them to focus on other risk management projects. Learn how continuous pentesting achieves all that in a webinar featuring Adam Keown, global CISO of Eastman Chemical Company; David R. Hale of Brownstein Hyatt Farber Schreck LLP; and Synack co-founder and CEO Jay Kaplan. Learn more and view the webinar on-demand here.

Flash memory

For many people, October is a month for gazing at autumn foliage, enjoying pumpkin spice lattes and celebrating Halloween. The U.S. Department of Justice has a different October tradition: indicting hackers affiliated with Russia’s Main Intelligence Directorate (GRU).

This started with DOJ indicting seven GRU officers for “computer hacking, wire fraud, aggravated identity theft and money laundering” in October 2018. The indictment related to “persistent and sophisticated computer intrusions” between December 2014 and May 2018.

DOJ headquarters in Washington, D.C. M.V. Jantzen/Flickr

Then, in October 2020, DOJ indicted six more GRU officials who allegedly “engaged in computer intrusions and attacks intended to support Russian government efforts.”

“Their computer attacks used some of the world’s most destructive malware to date,” DOJ said, “including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics.”

There’s still a week left for DOJ to revive its October tradition this year!

Local files

NL Times: Dutch police reportedly tricked the Deadbolt ransomware gang into providing “more than 150” decryption keys and “free the computers of all Dutch victims who had filed a complaint,” according to NL Times, which said more than 1,000 systems in the Netherlands had been “held hostage” by the gang.

The Wall Street Journal: The U.S. has made a “dramatic change” to its nuclear defenses, WSJ reported, as evidenced by a new exhibit in the National Cryptologic Museum. The Maryland institution is “now home to several pieces of equipment that were in operation until just a few years ago to generate the codes the president could use to authorize the launch of nuclear weapons,” WSJ noted.

The Record: An alleged member of the Lapsus$ hacking group was arrested by the Federal Police of Brazil on Oct. 19 as part of “Operation Dark Cloud.” The announcement follows news of a similar arrest in the UK in September after an alleged Lapsus$ affiliate’s hack of Uber and Rockstar Games.

Off-script

When picking this week’s offbeat news, I really had to mullet over.

Congrats to Scott Salvadore for rocking the ultimate Zoom-meeting-in-the-front, party-in-the-back hairstyle. The Stillwater, N.Y., man won the coveted 2022 USA Mullet Championships’ Mane Event, as News10 ABC reported.

“You don’t choose the mullet, the mullet chooses you,” Salvadore said.

Witness an award-winning mullet. USA Mullet Championships

That’s it for this week — see you Oct. 30! Send tips, feedback and your favorite Halloween candy to bsobczak@synack.com or nmott@synack.com.