Newsletters

The Cyber Safety Review Board (CSRB) has described 'a cascade of avoidable errors' by Microsoft in an incident in which a PRC-affiliated cyber espionage actor accessed email accounts belonging to senior US and UK officials. 

A newly released report by the CSRB states:

The review found that the threat actor responsible was also linked to the 2009 Operation Aurora compromise of dozens of private companies, including Google, and also to the 2011 RSA SecurID incident. 

Back in June 2020, a mysterious individual tried to insert an SQL injection vulnerability in F-Droid, an open-source app store for Android devices.

The incident was disclosed this week by Hans-Christoph Steiner, the project's current lead developer.

Steiner likened it to the recent XZ Utils backdoor incident.

This newsletter goes out three days after this incident came to light, so it's gonna cover what happened using a summary-like tone, focusing on aggregating links, conclusions, and hot-takes. At this point, you either know what happened, or you need a crash course in all that took place over the Easter weekend.

What happened: A backdoor mechanism was discovered in XZ Utils, a library that supports lossless compression. The library is extremely popular and is used with most major Linux distros and with a ton of Linux and macOS apps.

What does the backdoor do: In simple terms, it intercepts SSH RSA key decryption operations, which are redirected to the backdoor code. This allows the attacker to pass special arguments during an SSH auth operation and execute code on remote systems if they use a backdoored XZ Utils version.

Commercial spyware/surveillance vendors were behind 24 of the 97 zero-days that were exploited in the wild in 2023, according to a Google report published this week.

Eleven of the 24 zero-days impacted Safari and iOS, while the rest impacted Android and other Google products.

The data shows a clear interest from spyware vendors for mobile platforms. Google says it did not link any non-Apple or non-Google zero-days to spyware vendors.

On Monday this week, the US and UK denounced PRC cyber espionage activity that focused on interfering with democracies and their institutions, and announced sanctions and indictments. 

The US Department of Justice (DoJ) indicted seven Chinese nationals it said were linked to the APT31 hacking group. The DoJ's indictment said the named individuals had been involved in cyber espionage campaigns on behalf of the Hubei province arm of the PRC's Ministry of State Security (MSS) since 2010. 

The governments of Australia, New Zealand, the UK, the US, and the EU have called out China again over its broad, clumsy, and sometimes illegal hacking campaigns.

The push behind this latest round of diplomacy finger-pointing came from the UK and US, the two countries that appear to have seen the brunt of these campaigns.

Western officials are miffed—and deservedly so—about China's targeting and attempts to meddle in their democratic and election processes.

The EU Parliament has passed new anti-money laundering legislation that bans anonymous cryptocurrency payments.

The legislation applies to payments made through online service providers, also known as hosted wallets. It also applies to platforms that exchange virtual for regular fiat currency. It does not apply to owners of hardware and self-hosted wallets.

The new rules come to complement the EU's MiCA (Markets in Crypto-Assets) framework, which passed last year and is scheduled to go into effect on December 30, 2024.

The US government has sanctioned two Russian nationals and their respective companies for running years-long Russian disinformation campaigns across Latin America.

The US Treasury Department has levied sanctions against Ilya Andreevich Gambashidze, the founder of the Moscow-based company Social Design Agency (SDA), and Nikolai Aleksandrovich Tupikin, the CEO of Russian company Structura.

The sanctions come six months after a State Department report identified the two and their companies as the central pieces in Russia's disinformation effort across Latin America.

Tom Uren is on leave this week so Risky Business publisher Patrick Gray wrote this week's edition.

Good security happens when the incentives are right. Sometimes that's because a company is operating under a strict compliance regime, or it has customers that really, really care about security, or it's in a frequently attacked vertical like banking. 

Academics have discovered a new variation of the network loop attack that can crash servers by putting them in an infinite loop of data exchange.

The new attack is named Loop DoS and was discovered by Yepeng Pan and Professor Dr. Christian Rossow from the CISPA German research institute.

It is a variation of classic network loops but one that takes place at the application layer instead of the network routing level.