Passing the buck in cybersecurity, unleashing managed Chromebooks and ransomware attacks on schools

Luke Michael / Unsplash

Welcome to Changelog for 2/5/23, published by Synack! Nate Mott here feeling old—more on that later—but keen to wrap up the week’s cybersecurity news:


The payload

“Stop Passing the Buck on Cybersecurity,” said U.S. Cybersecurity and Infrastructure Security Agency director Jen Easterly and executive assistant director for cybersecurity Eric Goldstein in a piece published in Foreign Affairs last week. (Yes, I realize there’s a lot of “cyber” packed into that sentence.)

Easterly and Goldstein said Americans have not only “unwittingly come to accept that it is normal for new software and devices to be indefensible by design” but also watched as “many organizations and companies [relegate] cybersecurity to the ‘IT people’ or to a chief information security officer” who “are given this responsibility, but not the resources, influence or accountability to ensure that security is appropriately prioritized against cost, performance, speed to market and new features.”

I’m sure “IT people” in the digital trenches welcomed the call to action.

The CISA officials’ proposed solution: A new model Americans “can trust to ensure the safety and integrity of the technology that they use every hour of every day” by prioritizing cybersecurity rather than allowing it to continue being an afterthought. This would necessitate, among other things, the adoption of “stringent secure-by-default and secure-by-design requirements in the federal procurement process” as well as more strict regulations regarding the security of tech-enabled products used by consumers.

Politics aside — of course two leaders from a federal agency devoted to cybersecurity would argue that the federal government should be more proactive when it comes to, well, cybersecurity — Easterly and Goldstein’s argument is a sign of the times. Foreign Affairs published the piece shortly after Consumer Reports issued a special report on the continued use of programming languages such as C and C++ despite the overwhelming number of memory-related vulnerabilities that occur as a result.

Both reports present a compelling argument: Products should be secure by default, and one concrete way to get there is to write them in a memory-safe programming language such as Rust or Go rather than leaving bounds and lifetime checks to the discipline of individual C and C++ programmers. Many sources in the security industry have bemoaned a lack of resources (or motivation) for years. The question now is whether Easterly, Goldstein and Consumer Reports are finally singing a song of change or merely continuing to scream into the abyss. CISA’s pending $313 million budget increase may give the agency a bit more sway.
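To make the memory-safety point concrete, here is an added example (written for this edit, not code from either report) of the bug class Consumer Reports is talking about: a length-prefixed record parser in C, once trusting the length byte and once checking it. The record format, the buffer size and the sample records are constructed for illustration. In C the bounds check is entirely the programmer's responsibility; in Rust or Go the equivalent out-of-range copy would fail at runtime instead of silently corrupting memory.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed record format: one length byte followed by that many bytes of
 * name data, the shape of countless network and file parsers. */
#define NAME_BUF 16

/* Vulnerable version: trusts the length byte. A record whose length byte is
 * larger than NAME_BUF copies past the end of `out` (memory corruption,
 * undefined behaviour); even n == NAME_BUF overflows by one for the NUL. */
int parse_name_unsafe(const uint8_t *rec, size_t rec_len, char out[NAME_BUF])
{
    (void)rec_len;                   /* the unsafe parser never consults it */
    size_t n = rec[0];
    memcpy(out, rec + 1, n);         /* no check of n against NAME_BUF or rec_len */
    out[n] = '\0';
    return (int)n;
}

/* Hardened version: validates the declared length against both the bytes we
 * were actually given and the output buffer before copying; -1 on any
 * inconsistency so the caller cannot use a partially filled buffer. */
int parse_name_safe(const uint8_t *rec, size_t rec_len, char out[NAME_BUF])
{
    if (rec == NULL || out == NULL || rec_len < 1)
        return -1;
    size_t n = rec[0];
    if (n > rec_len - 1)             /* declared length exceeds the input (over-read) */
        return -1;
    if (n >= NAME_BUF)               /* must leave room for the terminator (over-write) */
        return -1;
    memcpy(out, rec + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Self-checks: each builds a constructed record and returns the parser's
 * verdict, so the behaviour can be verified without reading printed output. */

/* Benign record: length 5, "alice". Returns 1 if both parsers agree on it. */
int check_good_record(void)
{
    const uint8_t good[] = {5, 'a', 'l', 'i', 'c', 'e'};
    char a[NAME_BUF], b[NAME_BUF];
    int ra = parse_name_safe(good, sizeof good, a);
    int rb = parse_name_unsafe(good, sizeof good, b);   /* safe: n < NAME_BUF */
    return ra == 5 && rb == 5 && strcmp(a, "alice") == 0;
}

/* Hostile record: length byte 200 with only three bytes behind it. The safe
 * parser must reject it; the unsafe parser is deliberately not called. */
int check_oversized_length(void)
{
    const uint8_t bad[] = {200, 'x', 'y', 'z'};
    char out[NAME_BUF];
    return parse_name_safe(bad, sizeof bad, out);      /* expect -1 */
}

/* Boundary record: length exactly NAME_BUF, the classic off-by-one. */
int check_exact_max(void)
{
    uint8_t rec[1 + NAME_BUF];
    rec[0] = NAME_BUF;
    memset(rec + 1, 'A', NAME_BUF);
    char out[NAME_BUF];
    return parse_name_safe(rec, sizeof rec, out);      /* expect -1 */
}

int main(void)
{
    printf("good record parses correctly: %d\n", check_good_record());
    printf("oversized length rejected (-1): %d\n", check_oversized_length());
    printf("length == NAME_BUF rejected (-1): %d\n", check_exact_max());
    return 0;
}
```

The unsafe parser is kept beside the safe one to show how little separates them: two comparisons. That is the whole argument for pushing such checks into the language rather than relying on every maintainer to remember them.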

The week, compiled

People have been searching for ways to unlock their devices for decades. For iPhone owners, that means jailbreaking their phones so they can install apps from outside Apple’s ecosystem; for Android users, that means unlocking the bootloader and rooting their devices so they can flash entirely different operating systems. Now digital wayfarers can unshackle their managed Chromebooks, too, with the help of a new exploit called SH1MMER.

SH1MMER stands for “Shady Hacking 1nstrument Makes Machine Enrollment Retreat.” It’s made waves on Hacker News, Twitter and Mastodon since its Jan. 13 release.

According to the Mercury Workshop team that developed it, SH1MMER is “capable of completely unenrolling enterprise-managed Chromebooks” so a given device “will now behave entirely as if it is a personal computer and no longer contain spyware or blocker extensions.” It’s not hard to guess why that might be compelling to people who only have access to a managed Chromebook.

Nathana Rebouças / Unsplash

There are some caveats, and Mercury Workshop recently pulled the prebuilt SH1MMER binaries due to a combination of “copyright concerns” and “harassment and toxicity from the community,” but the instructions for taking advantage of this exploit remain publicly available. Pour one out for all the school IT departments that will have to deal with bored (pre-)teens freeing their Chromebooks in the coming weeks.

Here are some other things that caught my eye this week:

TechCrunch: The cybercrime group known as 0ktapus, which Group-IB said last year targeted more than 130 organizations and stole login credentials from an estimated 10,000 people, has reportedly stayed active heading into 2023. TechCrunch said it obtained a non-public CrowdStrike report into the group’s activity in which the security firm said 0ktapus “has likely expanded its target scope to include technology sector companies specializing in gaming or financial software.”

BleepingComputer: Remember the former Ubiquiti employee who attempted to extort the company for approximately $2 million worth of Bitcoin, posed as a hacker to Brian Krebs and then got arrested? Well, he pleaded guilty this week. BleepingComputer reported that he’s set to be sentenced on May 10; the charges have a combined maximum sentence of 37 years in prison.

A message from Synack

Insecure and unmanaged APIs can lead to multimillion-dollar security incidents, according to Gartner. Join Synack co-founder and CTO Mark Kuhr and Sabre application security principal Cris Rodriguez for a webinar to learn a better way to pentest APIs. They break down the top API vulnerabilities and share best practices for securing this critical part of organizations’ attack surfaces. Learn more and view the webinar on demand here.

Flash memory

How would you rob a bank? According to the FBI, most people opt for a handwritten note or verbal demand, with a small percentage threatening violence as well. But a group of North Korea-backed hackers took a different approach in February 2016: They compromised Bangladesh Bank, the country’s central bank, in an attempt to steal $1 billion via the SWIFT messaging system used by financial institutions around the world.

BBC has a worthwhile recap of this heist available as both an article and an episode of “The Lazarus Heist” podcast. (Darknet Diaries has also covered the saga, and for people who prefer to hear about bank robberies from the feds, the Department of Justice published additional information in 2018.) The long and short of it is that the so-called Lazarus Group hacked Bangladesh Bank and issued a series of fraudulent transfer orders via the SWIFT system in an attempt to steal $1 billion while nobody was paying attention.

Lucas Favre / Unsplash

They didn’t actually cash out that much — the Federal Reserve Bank in New York halted most of the transactions, leaving the Lazarus Group with $81 million, which is less than a tenth of their intended score — but this was still an audacious attempt to pull off the largest bank robbery in history. Lately the group has contented itself with the far less interesting (but far more lucrative) theft of various cryptocurrencies.

Local files

Axios: Ransomware attacks continue to disrupt operations for schools across the U.S. This week Axios reported that school districts in Arizona and Massachusetts were the latest victims of these attacks, bringing the total number of U.S. school districts affected by ransomware in 2023 to five, according to Emsisoft threat analyst Brett Callow.

The Irish Times: The Oireachtas Joint Committee on Justice is set to “examine the existence of companies in Ireland involved in the production of spyware,” The Irish Times reported, due to Predator spyware maker Intellexa being registered in Dublin. (Citizen Lab and Google’s Threat Analysis Group have both reported on Predator, which isn’t as well-known as NSO Group’s Pegasus spyware but remains a threat.)

The Record: Vice Media disclosed a data breach to Maine’s Attorney General in two filings on Jan. 26 and 31. The company said it investigated the breach from March 2022, when it was first notified of the incident, to Jan. 25. It found that the breach involved the Social Security numbers of more than 1,700 people, The Record reported, as well as “financial account numbers, credit and debit card numbers as well as security codes, access codes, passwords and PINs for accounts.”

Off-script

Thrice released a new version of “The Artist in the Ambulance” this week to celebrate the album’s 20th anniversary. I haven’t listened to the original version as much as I probably should have — mostly because at the time I didn’t have easy access to pretty much anything but “Now That’s What I Call Music” fodder.

That was a mistake, and I’m glad I have the chance to rectify it now with this new take on the album. Does it make me feel old? Yes, but not any more than realizing that being excited for new Fall Out Boy is roughly equivalent to my parents being happy to have new Lynyrd Skynyrd, I suppose.

Anyway. “The Artist in the Ambulance — Revisited” is streaming now. Give it a listen.

Jay D / Flickr

That’s all for this week — please send any tips or feedback to nmott@synack.com or bsobczak@synack.com. See you next Sunday!