U.S. cyber board’s Lapsus$ postmortem, CPU vulns and remembering Vim’s creator


Welcome to Changelog for 8/13/23, published by Synack! Nathaniel Mott here with a special announcement: README and Changelog will be migrating from the Medium ecosystem to a new website this week! If you want to continue receiving Changelog, no action is needed. If you don’t want to continue receiving newsletters, we understand (although we’ll miss you), and please unsubscribe via the link at the bottom of this email by next Sunday.


The payload

The Cyber Safety Review Board (CSRB) has published its highly anticipated report on the high-profile attacks conducted by the Lapsus$ group in 2021 and 2022.

Much of what the independent advisory panel found is review for close followers of Lapsus$’s antics: the group relied on relatively unsophisticated attacks (social engineering of help desks, SIM swapping, MFA-prompt bombing and purchased credentials) that proved effective against everyone from Microsoft and Rockstar Games to Nvidia and Samsung. (And let’s not forget T-Mobile, but malicious hackers haven’t always had such a hard time compromising that company.) Forget nation-states; these companies were popped by a group with a teenaged ringleader.

So the CSRB recommended that phishing-resistant multi-factor authentication (FIDO2-based methods rather than SMS one-time codes, which SIM swapping defeats, or push prompts, which prompt bombing wears down) become the norm, that wireless carriers do more to defend against SIM swapping and that companies improve their approaches to identity and access management. All standard recommendations. But it also said the U.S. should check in on the youths:

The Board recommends developing stronger U.S. juvenile cybercrime prevention and intervention programs. For example, the Cyber Offender Prevention Squad (COPS), part of the Dutch National High-Tech Crime Unit (NHTCU), started an information campaign, with workshops and an intervention program to deter young people from online criminal activity, offering positive and legal alternatives. Their initiatives focused on preventing potential offenders as well as engaging prior offenders to decrease recidivism. These programs arose out of a realization that young cybercrime offenders, unlike counterparts operating primarily in the physical world, are often able to evade parental, educator, community, and law enforcement scrutiny and intervention on their journey to significant cybercriminal activity.

The Department of Homeland Security announced on Aug. 11 that the CSRB’s next task will be to “assess the recent Microsoft Exchange Online intrusion, initially reported in July 2023, and conduct a broader review of issues relating to cloud-based identity and authentication infrastructure affecting applicable [cloud service providers] and their customers.”

For more on that intrusion, check out the last four installments of the newsletter. And probably the next few, too.

The week, compiled

Someone ought to ask the researchers at Google and ETH Zurich’s computer security group what modern x86 processors did to them. The two teams have independently revealed a trio of vulnerabilities in AMD and Intel CPUs, Zenbleed, Downfall and Inception, over the last few weeks.

Things kicked off with Zenbleed (CVE-2023-20593), a bug in AMD Zen 2 processors that Google’s Tavis Ormandy disclosed on July 24; it lets an unprivileged process read stale vector-register contents left behind by other processes, and the fix ships as a microcode update (or, until that arrives, a “chicken bit” the kernel can set). Google then disclosed Downfall (CVE-2022-40982) on Aug. 8: it abuses the gather instructions on Intel Core processors from the 6th through 11th generations and their Xeon counterparts, and again the remedy is microcode. Both could be exploited to read data the CPU is supposed to isolate, including across virtual machines on a shared cloud host.

Google’s Tavis Ormandy and Daniel Moghimi said these vulnerabilities “had the potential to affect billions of personal and cloud computers, signifying the importance of vulnerability research and cross-industry collaboration,” which seems like an understatement.


Meanwhile, the COMSEC team at ETH Zurich revealed the Inception vulnerability (CVE-2023-20569, which AMD calls Speculative Return Stack Overflow, or SRSO) in AMD processors on Aug. 8. This vuln could be exploited to “enable an unprivileged attacker to leak arbitrary information on all modern AMD CPUs” despite the mitigations already deployed for earlier speculative-execution attacks.

So yeah. Great week to… use a system with a nearly ubiquitous subset of available CPUs. I’d say Mac users running Apple’s custom Arm chips are sitting pretty, but the way things are going, I expect a deluge of vulnerabilities in that processor architecture any day now.
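If you administer Linux hosts, the practical question after a week like this is whether your kernel and microcode actually mitigate the three bugs. The script below is an added example, not code from the newsletter or from any of the researchers: it reads the kernel’s per-vulnerability sysfs entries for Downfall (`gather_data_sampling`) and Inception (`spec_rstack_overflow`), and, where `rdmsr` from msr-tools is available and you are root, reads the Zen 2 DE_CFG MSR (0xc0011029) bit 9 that Ormandy’s Zenbleed writeup documents as the software workaround. It assumes a kernel new enough to expose those two sysfs files (6.5, or a stable kernel carrying the August 2023 backports); on older kernels the entries simply report as “unknown”. The `SYSFS_VULNS` variable is a hypothetical knob added so the classifier can be pointed at a constructed directory.

```shell
#!/bin/sh
# Added example: report Linux kernel mitigation status for Downfall and Inception,
# plus the Zenbleed DE_CFG[9] workaround bit on AMD Zen 2.
# Assumptions: Linux sysfs; kernel 6.5+ or stable backports for the two entries;
# optional msr-tools (rdmsr) and root for the MSR read.

SYSFS_VULNS=${SYSFS_VULNS:-/sys/devices/system/cpu/vulnerabilities}

# vuln_status DIR NAME -> one of: unknown | not-affected | mitigated | vulnerable
# The kernel writes strings such as "Not affected", "Mitigation: Microcode",
# "Vulnerable" or "Vulnerable: Safe RET, no microcode"; anything that starts
# with "Vulnerable" is treated as vulnerable, since that is what the kernel means.
vuln_status() {
  dir=$1; name=$2
  [ -r "$dir/$name" ] || { echo unknown; return 0; }
  status=$(cat "$dir/$name")
  case "$status" in
    "Not affected"*) echo not-affected ;;
    "Mitigation:"*)  echo mitigated ;;
    "Vulnerable"*)   echo vulnerable ;;
    *)               echo unknown ;;
  esac
}

# zenbleed_chicken_bit -> set | clear | unavailable
# MSR 0xc0011029 (DE_CFG) bit 9 is the workaround bit from the Zenbleed writeup.
# It is only meaningful on Zen 2 parts; kernels with the Zenbleed fix set it
# themselves when the fixed microcode is missing.
zenbleed_chicken_bit() {
  command -v rdmsr >/dev/null 2>&1 || { echo unavailable; return 0; }
  val=$(rdmsr -c 0xc0011029 2>/dev/null) || { echo unavailable; return 0; }
  if [ $(( val & (1 << 9) )) -ne 0 ]; then echo set; else echo clear; fi
}

# report -> three human-readable lines for the host this runs on
report() {
  printf 'gather_data_sampling (Downfall):  %s\n' "$(vuln_status "$SYSFS_VULNS" gather_data_sampling)"
  printf 'spec_rstack_overflow (Inception): %s\n' "$(vuln_status "$SYSFS_VULNS" spec_rstack_overflow)"
  printf 'Zenbleed DE_CFG[9] workaround bit: %s\n' "$(zenbleed_chicken_bit)"
}

report
```

Run it as root for the MSR line (`modprobe msr` first), and treat “vulnerable” on either sysfs entry as a signal to chase firmware or microcode packages rather than kernel updates alone: the kernel can only report what the CPU microcode lets it do.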

Here’s what else caught my eye last week:

Citizen Lab: Vulnerabilities in Tencent’s Sogou Input Method app, which 450 million people in China use to input characters on their Windows, iOS and Android devices, “render sensitive data such as the keystrokes that users type decipherable to network eavesdroppers.” The culprit was Sogou’s homegrown transport encryption, which Citizen Lab found could be broken with a padding oracle attack, a reminder that rolling your own crypto in place of TLS rarely ends well.

The Record: The NSA and Viasat offered at Black Hat more details about the February 2022 attack on the company’s satellite network, which coincided with Russia’s invasion of Ukraine and was reportedly “intended to degrade the ability of the Ukrainian government and military to communicate.”

The Register: The U.K. Electoral Commission said on Aug. 8 that it was compromised in August 2021 — and took 15 months to discover the attack and then another 9 months to publicly disclose it. Security researcher Kevin Beaumont said the vulnerability exploited by these attackers was likely ProxyNotShell, which we covered in October 2022.

A message from Synack

Dive deep into the top software flaws of 2022 in Synack’s inaugural State of Vulnerabilities report. Researchers on the elite Synack Red Team uncovered a record 14,800 exploitable vulnerabilities across Synack targets last year, ranging from authentication failures to SQL injections. The report shares insights into the root causes of these security gaps. Learn how Synack finds the vulnerabilities that matter and check out the full report here.

Flash memory

Software may be vulnerable, but it’s rarely considered venerable. Even fewer code creations are cited in the context of a “holy war” between two kinds of software. Vim can make both claims, and we learned last week that its maintainer, Bram Moolenaar, died on Aug. 3.

Some might be familiar with Vim because of the memes about not knowing how to exit it. (For the record: press Esc to get back to normal mode, then type “:q” to quit or “:q!” to quit and discard unsaved changes. There; fixed it for you.) Others might know it because the text editor has been around since 1991 and is still a mainstay on many systems.

Vim’s claim to fame is that it’s a modal editor — which is to say that users switch between different modes of operation — with an entirely keyboard-driven interface that can be somewhat difficult to understand at first. Those who do learn it often want to use similar controls everywhere, however.

As for the holy war: that’s between Vim and Emacs. The former is a text editor; the latter is a computing environment that happens to include a text editor. (It can also emulate Vim’s controls via the descriptively named “evil mode.”) Nobody will win this decades-long conflict between typing fans.

Like I said, rare is the software that can inspire such enthusiasm, especially over the course of 32 years. Hats off to Moolenaar.

Local files

WaPo: The NSA discovered in 2020 that Chinese hackers “had wormed their way into Japan’s most sensitive computer systems,” The Washington Post reported, sparking a multi-year effort to improve the country’s security.

TechCrunch: ESET said on Aug. 10 that hackers aligned with Belarus have, as TechCrunch put it, “likely been hacking or at least targeting diplomats by intercepting their connections at the internet service provider (ISP) level.” So far at least four embassies in Belarus are known to have been targeted by this group.

BleepingComputer: We keep on learning more about the fallout from MOVEit Transfer’s vulnerabilities, with Missouri’s Department of Social Services saying on Aug. 8 that a server managed by IBM was compromised, exposing health information of Medicaid participants within the state.

Off-script

Last week, Lifehacker advised readers to “Uninstall NightOwl From Your Mac ASAP” because the app, which made it easier to manage the schedule for switching between light and dark mode on macOS, had been “making a habit of adding people’s computers to a botnet without explicit consent.”


That’s good advice! It’s also funny that web developer Taylor Robinson published the blog post revealing this malpractice (a NightOwl update had started launching a bundled third-party residential-proxy client, which is what enrolled users’ Macs in the “botnet”), which blew up on Hacker News and, therefore, got the attention of many a news outlet, on June 28. (And recently updated it to say that it seems Apple has revoked NightOwl’s signing certificate to prevent it from being launched.)

The whole thing reminds me of Alvaro Muñoz and Oleksandr Mirosh warning everyone at Black Hat USA 2016 that the Java Naming and Directory Interface (JNDI) could be abused for remote code execution, more than five years before the entire security industry went into high alert because exactly that class of flaw was exploited in Log4j.

There was a much smaller gap between Robinson’s warning about NightOwl and general awareness of the concerns, of course, but it seems we’re still doomed to ignoring urgent reports of security issues until it’s too late… and then saying the problem needs to be addressed ASAP.

That’s all for now — please send any feedback to nmott@synack.com or bsobczak@synack.com. See you next week from README’s new home!