RSAC 2023, supply chain problems and a broken ransomware record

Maarten van den Heuvel / Unsplash

Welcome to Changelog for 4/23/23, published by Synack! Nathaniel Mott here, writing in the calm before the RSA 2023 storm—but more on that in a moment.

 

The payload

If your calendar is anything like mine, countless meetings have already been canceled with a three-letter explanation: “RSA.” The conference officially starts tomorrow, but many attendees have already begun their annual pilgrimage to San Francisco to prepare for the four-day soiree. (Before you ask, no, I’m not going this year — but README editor-in-chief Blake Sobczak will be there.)

The official agenda for RSA 2023 includes more than 500 talks. Topics range from managing security at the board level to defending critical infrastructure and integrating best practices into the development process. (Among, well, more than 497 other things relevant to the industry.)

A glance at RSA 2023’s keynote speakers also reveals growing interest in artificial intelligence, which reflects the broader technology industry’s recent obsession with the field, and which even Microsoft is hoping will finally allow defenders to keep pace with their adversaries.

Much of the appeal of a conference like RSA 2023 lies outside the scheduled talks, of course, in the conversations that happen in hotel lobbies or in San Francisco bars and restaurants. Just remember to stay safe, hydrate and prepare for the inevitable post-conference crash.

The week, compiled

Mandiant revealed this week that business communications service provider 3CX, whose compromise came to light in March, was itself breached through trojanized software from a futures trading software maker called Trading Technologies, the victim of an earlier supply chain attack.

“This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,” the security firm said. That doesn’t bode well for security teams already struggling to manage these risks despite recent efforts to improve supply chain security.

Tom Wilson / Unsplash

Mandiant has associated the Trading Technologies, 3CX and subsequent compromises with a North Korea-linked threat actor it tracks as UNC4736. The group’s primary goal—at least so far as we know—appears to be stealing cryptocurrency and committing other financial crimes.

“Cascading software supply chain compromises demonstrate that North Korean operators can exploit network access in creative ways to develop and distribute malware,” Mandiant said, “and move between target networks while conducting operations aligned with North Korea’s interests.” This probably won’t be the last time we see attacks like this, then.

Here are some other headlines from this week:

BleepingComputer: Ransomware attacks were on the rise in March, according to NCC Group, which said the 459 attacks seen that month represented a 91% month-over-month and 62% year-over-year increase. A vulnerability in GoAnywhere MFT is said to be at least partly to blame. It all adds up to a sordid new ransomware record!

TechCrunch: Citizen Lab said that NSO Group exploited a trio of zero-day vulnerabilities in iOS 15 and 16 to deploy its Pegasus spyware in 2022. There is some cause to hope, however, because the Lockdown Mode that Apple introduced with iOS 16 reportedly blocked one of these exploits.

The Register: It seems Russian hackers are fond of exploiting a vulnerability in Cisco routers, with the NSA, Cybersecurity and Infrastructure Security Agency, FBI and UK National Cyber Security Centre saying in a joint advisory that in 2021 APT28 targeted organizations in Europe, “US government institutions and approximately 250 Ukrainian victims.”

A message from Synack

Heading to RSA this week? Swing by Fogo de Chão to join Synack’s “Journey by the Bay” experience just 98 steps away from the Moscone Center. We have a jam-packed week of programming lined up, from an exclusive whiskey and dry-aged steak tasting to a panel discussion on top cybersecurity vulnerabilities. Check out the full roster of events and parties here.

Flash memory

We’re once again heading back to the ‘90s—which my increasing amount of gray hair keeps reminding me was longer ago than I think—with a look at the CIH computer virus that wreaked havoc on Windows 95 systems in 1998 and 1999.

Sophos said in a retrospective article about CIH that “a computer that was infected by CIH didn’t just have one virus, it typically had tens, or hundreds — or, in the case of a file server, perhaps hundreds of thousands — of independently dangerous copies of the virus on it.”

Md Riduwan Molla / Unsplash

CIH was more than just a nuisance. “Instead of spreading as widely as it could, on 26 April it went into ‘warhead mode’, overwriting your computer BIOS with garbage,” Sophos said. “That’s right: an unauthorised firmware update that aimed to leave your computer completely unbootable, and in many cases unrepairable, at least by software alone.”

In keeping with similar incidents from decades gone by, CIH didn’t appear to be financially motivated. Its creator, Chen Ing-hau, was said to have created the virus to demonstrate the problems with antivirus solutions. It worked—and supposedly Taiwan’s lack of cybersecurity-related laws at the time meant that he wasn’t really punished for the stunt.

Local files

Bloomberg: Speaking of supply chain problems, Bloomberg reported this week that the hack of a Japanese cupholder maker “brought [Toyota’s] entire production line to a screeching stop.” This could prove to be an increasing problem for Japan, with the National Police Agency reportedly saying that ransomware attacks have risen 58% over the last year.

The New York Times: NSO Group wasn’t only in the headlines because of the iOS 15 and 16 zero-days. The New York Times also published an investigation revealing what “led Mexico to become Pegasus’ first client” and how the “country grew into the most prolific user of the world’s most infamous spyware.”

The Record: China-affiliated hacktivists reportedly targeted “a dozen South Korean research and academic institutions with data exfiltration attacks in late January” before starting “a round of new cyberattacks against organizations in Japan and Taiwan.” The data stolen from the group’s victims was then leaked via Telegram and the now-defunct BreachForums.

Off-script

This spring I’ve set the rosé aside in favor of something new: orange wine.

A quick vinification primer: Rosé is usually made from red grapes whose juice isn’t left on the skins as long as it would be for a red wine. Orange wine is essentially the opposite. It’s made from white grapes whose juice is left on the skins longer than it would be for a conventional white.

Zan / Unsplash

Orange wine isn’t new, but it’s newly fashionable, and it seems like more producers are experimenting with the style each year. (This is particularly true of my native Finger Lakes, a region best known for Riesling, though many other grape varieties have also caught on with local producers.)

I’m digging orange wine because it often has an interesting structure and, in some cases, more pronounced aromas and flavors than similar white wines. This is particularly true of Gewürztraminer—an already contentious variety—but I’ve noticed it with orange Riesling and blends as well.

Orange wine isn’t going to be for everyone, but if you like something a little different, I recommend giving it a try.

That’s all for now — please send any feedback and last-minute RSA pitches to nmott@synack.com or bsobczak@synack.com. We’ll be back next Sunday!