Newsletters

Palo Alto Networks has scrambled over the weekend to release a software patch for its firewall devices. The patch is intended to fix a zero-day (CVE-2024-3400) in the GlobalProtect VPN feature of PAN-OS, the firmware that runs on Palo Alto's firewalls.

Security firm Volexity discovered the attacks, which the company attributed to a group it tracks as UTA0218. Palo Alto tracks this as Operation MidnightEclipse.

Volexity described the group as a state-backed threat actor but did not link the group to any country.

The US Cybersecurity and Infrastructure Security Agency (CISA) has urged customers of business analytics company Sisense to rotate all credentials and access tokens linked to the company's tools and services.

The agency said it was responding to a security breach discovered at Sisense by "independent security researchers."

At the time of writing, details about the hack and what exactly happened remain shrouded in mystery, but infosec peeps in the know seem to be treating it as a DEFCON 1 incident.

Multiple recent incidents show state actors violating what Five Eyes countries consider to be acceptable norms of online behaviour. 

Politico reports politicians, officials and journalists working in the UK parliament were subjected to honeypot-style phishing campaigns. Politico's investigation identified six men who were targeted with unsolicited WhatsApp messages.  

And further on in the article:

Google has added a new feature for its Workspace enterprise platform that will require multiple administrators to approve changes to an organization's sensitive settings.

The new Multi-Party Approval feature will roll out in the next two weeks and will be available to any Google Workspace customer with two or more super admin accounts.

Once enabled, all super admins will be required to approve changes made to sensitive Workspace environments, such as changing MFA settings, account recovery steps, and login and session controls. The full list of Workspace settings that will trigger a multi-party approval challenge is available below.

A security researcher going online by the pseudonym of NetSecFish (NetworkSecurityFish) has discovered a backdoor in D-Link network-attached storage (NAS) devices.

D-Link has declined to patch the issue as all the devices reached End-of-Service four years ago, in June 2020.

The list of affected products includes NAS models DNS-320L, DNS-325, DNS-327L, and DNS-340L.

The Ukrainian government is gathering evidence and intends to file a war crimes case against Russian military hackers at the International Criminal Court in The Hague.

The case will center around the December 2023 cyberattack against Kyivstar, Ukraine's largest mobile operator.

Russia hackers breached the company in May of last year, gathered data, and then wiped thousands of servers on December 12.

The Cyber Safety Review Board (CSRB) has described 'a cascade of avoidable errors' by Microsoft in an incident in which a PRC-affiliated cyber espionage actor accessed email accounts belonging to senior US and UK officials. 

A newly released report by the CSRB states:

The review found that the threat actor responsible was also linked to the 2009 Operation Aurora compromise of dozens of private companies, including Google, and also to the 2011 RSA SecurID incident. 

Back in June 2020, a mysterious individual tried to insert an SQL injection vulnerability in F-Droid, an open-source app store for Android devices.

The incident was disclosed this week by Hans-Christoph Steiner, the project's current lead developer.

Steiner likened it to the recent XZ Utils backdoor incident.

This newsletter goes out three days after this incident came to light, so it's gonna cover what happened using a summary-like tone, focusing on aggregating links, conclusions, and hot-takes. At this point, you either know what happened, or you need a crash course in all that took place over the Easter weekend.

What happened: A backdoor mechanism was discovered in XZ Utils, a library that supports lossless compression. The library is extremely popular and is used with most major Linux distros and with a ton of Linux and macOS apps.

What does the backdoor do: In simple terms, it intercepts SSH RSA key decryption operations, which are redirected to the backdoor code. This allows the attacker to pass special arguments during an SSH auth operation and execute code on remote systems if they use a backdoored XZ Utils version.

Commercial spyware/surveillance vendors were behind 24 of the 97 zero-days that were exploited in the wild in 2023, according to a Google report published this week.

Eleven of the 24 zero-days impacted Safari and iOS, while the rest impacted Android and other Google products.

The data shows a clear interest from spyware vendors for mobile platforms. Google says it did not link any non-Apple or non-Google zero-days to spyware vendors.