The SEC goes after SolarWinds, LockBit extorts TSMC and a high school password fail

Welcome to Changelog for 7/2/23, published by Synack! Nathaniel Mott here, ready to jinx everyone’s Fourth of July by bringing up the “K” word (Kaseya!). But more on that after a quick breakdown of the week’s security news.

 

The payload

It looks like CISOs are back on the menu. A few months after former Uber chief security officer Joe Sullivan was sentenced to three years of probation and ordered to pay a $50,000 fine for disguising a ransom payout as a bug bounty in 2014 and then lying about it in 2016, the SEC has told SolarWinds CISO Tim Brown and CFO Barton Kalsu they may have violated federal securities laws after the company was compromised in 2020.

CNN reported on June 23 that the SEC recently sent so-called Wells notices to Brown and Kalsu. Kim Zetter — who also wrote the most comprehensive report on how the SolarWinds hack was discovered and responded to — described these notices as “a significant notification to recipients that SEC investigators believe there is evidence they may have violated” federal securities laws and “that the commission is considering bringing civil enforcement action against them” as a result.

This has once again made folks in the industry wonder if CISOs are going to face legal repercussions if their companies get popped. (Though Brown wasn’t named CISO until after the 2020 hack, he was the company’s head of security architecture at the time.) And unlike Sullivan’s case, where he deliberately misled the FTC while Uber was being actively investigated, it’s not clear how Brown is believed to have mishandled the SolarWinds hack.

There is a somewhat cynical expectation that CISOs, like other C-suite executives, won’t stay at a company for long. Sacking the CISO allows companies to slake observers’ thirst for executive shakeups following high-profile incidents without affecting other areas of the business. This often works out for the CISO, too, who can enjoy a long career of increasing compensation from companies expecting them to fall on this sword.

The possibility of legal action endangers that arrangement. The swords these CISOs are used to falling on are props that only maintain the illusion of sacrifice; the swords brandished by the FTC, SEC and others are meant to make that illusion a reality. Or at least that’s what people fear might happen as a result of the SEC’s notices to SolarWinds. Maybe this will be another case like Sullivan’s, where the punishment isn’t particularly severe.

The week, compiled

LockBit said on June 29 that it had stolen data from TSMC, the world’s largest semiconductor foundry and perhaps the most important tech company most people have never heard of, and that it would start to leak some of the compromised information if a $70 million ransom wasn’t paid.

This is among the highest ransom demands in history — it matches another historic ransomware incident that we’ll discuss later in this newsletter — but it’s not clear how TSMC plans to respond. The company said in a statement to TechCrunch that although the investigation into this attack is ongoing, so far it believes the incident “has not affected TSMC’s business operations” or “compromise any [of] TSMC’s customer information.”

That’s a vital qualification. TSMC’s customers include Apple, Qualcomm, Nvidia and many other high-profile companies that need the foundry to produce the chips used in their products. LockBit making off with sensitive information about the design of Apple’s upcoming system-on-a-chip or Nvidia’s latest graphics technologies would pose a significantly larger problem for TSMC than learning some aspects of its internal network.

TSMC told BleepingComputer that it wasn’t directly popped by LockBit. Instead, one of its suppliers, Kinmax Technology, was compromised. Kinmax confirmed that it learned on June 29 that its “internal specific testing environment was attacked” and that “the leaked content mainly consisted of system installation preparation” it provides to its customers.

Tom’s Hardware reported that Kinmax counts Microsoft, Nvidia and other large companies among its customers; presumably the incident response teams at those companies have already started to check whether or not they’ve also been affected by this attack on one of their suppliers.

Also from last week:

The Record: Vulnerabilities in the MOVEit Transfer program — which we covered throughout June — have reportedly led to the compromise of information about 16 million people and counting since Progress Software revealed the initial security flaw at the end of May.

CyberScoop: A group claiming affiliation with the Wagner mercenary group said in a Telegram message on June 28 that they had compromised Dozor, “a satellite telecommunications provider that services power lines, oil fields, Russian military units and the Federal Security Service (FSB), among others,” as Wagner mutinied against the Russian government.

RBN: Researchers have revealed a new way to undermine the protections DRAM manufacturers put in place after the RowHammer attack was made public in 2014. It’s called RowPress, and although it was found to affect over 100 of the most popular DDR4 memory chips, Risky Biz News reported that “the attack can be easily mitigated at the software level.”

A message from Synack

Dive deep into the top software flaws of 2022 in Synack’s inaugural State of Vulnerabilities report. Researchers on the elite Synack Red Team uncovered a record 14,800 exploitable vulnerabilities across Synack targets last year, ranging from authentication failures to SQL injections. The report shares insights into the root causes of these security gaps. Learn how Synack finds the vulnerabilities that matter and check out the full report here.

Flash memory

People across the U.S. are preparing to celebrate the Fourth of July with barbecue, fireworks and prayers to whichever deity has claimed security as its domain that we don’t have a repeat of the Kaseya attack of 2021.

Kaseya offers a remote management tool called VSA that is popular among managed service providers (MSPs) around the world. On July 2, 2021, an automatic update to VSA containing malicious code inserted by the REvil ransomware gang was deployed. Huntress said after the attack was discovered that it was “tracking ~30 MSPs across the US, AUS, EU, and LATAM where Kaseya VSA was used to encrypt well over 1,000 businesses.”

The success of this supply-chain attack within a supply-chain attack prompted REvil to demand a then-record $70 million ransom in exchange for a universal decryptor. Kaseya didn’t pay the ransom, which left many organizations scrambling to restore their systems, but it turned out someone else had already created a key that could be used to recover from this attack: the FBI. Yet it didn’t reveal the existence of this key for weeks.

The Washington Post reported in September 2021 that the FBI “refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer” because “it was planning to carry out an operation to disrupt” REvil and “did not want to tip them off” by helping organizations recover from the Kaseya attack. It didn’t matter; REvil had gone dark on July 13.

Local files

Ars Technica: An unidentified Japan-based cryptocurrency exchange recently fell victim to the JokerSpy malware that “contains a full suite of capabilities, including the ability to steal private data and download and execute new malicious files,” and specifically targets macOS devices.

BleepingComputer: The U.S. Cybersecurity and Infrastructure Security Agency said on June 30 that distributed denial of service (DDoS) attacks were targeting “multiple sectors.” The agency didn’t attribute these attacks to anyone, but BleepingComputer noted that Anonymous Sudan claimed responsibility for several DDoS attacks before this warning was issued.

TechCrunch: A high school in Illinois demonstrated exactly how not to handle password resets last week by changing every student’s password to “Ch@ngeme!” and then informing students and their parents of the situation via email — thereby allowing fast-acting students to access other students’ accounts before that password could be, well, changed.

Off-script

This was the hardest installment of Changelog to write to date. I don’t mean that emotionally — I mean the physical act of typing out this newsletter is more complicated than ever because I built my own keyboard last week.

That’s right: The same week I decided to rebuild my PC around Linux, I decided to stop using one of the many fine keyboards I have in favor of a split ortholinear keyboard that I had to buy all the parts for and assemble by hand. (“Split” means it has two parts; “ortholinear” means the keys are organized into columns rather than staggered like other keyboards.)

I spend most of my workday — and a not-insignificant amount of my free time — with my hands on my keyboard. This has taken its toll on me by causing repetitive strain injuries as well as pain in my shoulders and neck. A split keyboard allows me to type with my hands at shoulder-width rather than scrunched up like they are with a standard keyboard. Less scrunching, less pain, especially in conjunction with a trackball mouse.

Or at least that’s the goal. For now, I’m trying to get used to this new layout, address bad habits and enjoy using something made entirely from parts I selected rather than an off-the-shelf product. And, of course, spending an inordinate amount of time looking at alternative sets of keycaps because my set wasn’t designed with ortholinear layouts in mind. So it goes.

That’s all for now — please send any feedback to nmott@synack.com or bsobczak@synack.com. See you next Sunday!