Newsletters

A threat actor has exploited a MobileIron zero-day to breach twelve Norwegian government agencies, the country's security service said on Tuesday.

The identity of the attacker, the dates of the intrusions, and the names of the compromised agencies have not been revealed.

Norwegian authorities say the zero-day targeted a piece of software named the Ivanti Endpoint Manager Mobile (EPMM), previously known as MobileIron Core. The platform is used to manage mobile devices used by government employees and grant remote access to government systems and applications.

A team of four Google engineers has proposed a new Web API named Web Environment Integrity that would allow websites to block client apps that modify their code.

In layman's terms, the proposal would force clients, such as desktop and mobile browsers, to cryptographically sign a CBOR token that contains details about their local environment.

Based on the token they receive, websites can then decide if they want to continue delivering service to the client or not.

Microsoft has expanded the number of security logs that customers of the lower tier of its cloud service can access.

Thirty-one log categories have been moved from the premium tier of the Microsoft Purview Audit service into the standard offering.

The log retention policy for the standard tier has also been changed from 90 to 180 days, Microsoft said in an announcement on Wednesday.

Microsoft and JumpCloud both disclosed breaches of their cloud services last week. It's nice they each disclosed these incidents, but it shouldn't be up to them. We need a mandate that will force cloud service companies to publish detailed postmortems when these things happen.

In the first announcement on 11 July, Microsoft revealed details of a likely China-based actor it calls 'Storm-0558' that had successfully accessed the cloud-based Outlook email of 25 organisations. The actor had targeted government agencies and individual consumer accounts likely associated with these organisations. Microsoft did not specify the affected organisations, but The Washington Post reported that the US Commerce and State departments were affected.

In a more detailed analysis of Storm-0558’s techniques, Microsoft says the group has "primarily targeted US and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests". According to the vendor, the group’s objective in most campaigns is to access the email accounts of its targets. Microsoft says it has "moderate confidence" that the group is a China-based espionage actor, although from our standpoint, it walks like a duck and quacks like a duck, so it's probably a duck.

The White House and the FCC have announced a voluntary cybersecurity labeling program for internet-connected devices sold in the US.

The program will roll out in 2024 and is named the US Cyber Trust Mark.

It will take the form of a shield logo applied to routers and IoT devices sold through US retailers. The logo will be applied to devices that meet a set of basic cybersecurity criteria, such as devices using unique and strong default passwords, can receive security updates, protect user data, and restrict access to their management interfaces.

Cloud hosting provider JumpCloud says that its recent rush to change all customer API keys was made in the aftermath of discovering a major security breach of its internal systems by a state-sponsored APT group.

In a post-mortem of the incident, JumpCloud CISO Robert Phan says the attack was "extremely targeted and limited to specific customers."

A timeline of the intrusion, according to the company's report, is as follows:

A threat actor has used a zero-day vulnerability in the Lemmy platform to hack and deface multiple Lemmy instances over the weekend.

If the name sounds familiar, Lemmy is to Reddit what Mastodon is to Twitter. It is an open-source news aggregation and discussion forum modeled after the Reddit platform. Lemmy-based websites are where many Reddit communities have moved in the aftermath of the recent Reddit API controversy and site-wide protests.

On the night between Sunday to Monday, an attacker used a cross-site scripting (XSS) vulnerability to inject malicious code into the websites of some Lemmy-based communities.

A Citizen Lab analysis of Chinese social networking app WeChat has entirely missed the point by over indexing on the app’s privacy policy. WeChat is a ubiquitous, surveillance-friendly application that provides the PRC with unfettered access to its users' messages. Fiddling with its privacy policy won't fix that.

WeChat's domestic Chinese version, WeiXin, is what is known as a "super-app". Primarily a messaging app, it also serves as a major financial transaction platform and can run "Mini Programs", WeChat's equivalent of apps from an app store. These Mini Programs cover the entire spectrum from ecommerce, health, gaming, and also include government service apps such as COVID-19 contact tracing apps that were compulsory during the pandemic.

WeChat's international version isn't so all-encompassing, but it does contain many similar features. Tencent, the company behind WeChat, separates the international (WeChat) and domestic version of the app (Weixin) into two "services" run by separate subsidiaries in Singapore and Shenzhen respectively. WeChat considers the mainland Chinese version, Weixin, to be a "third party". So, funnily enough, it has a completely different privacy policy.

Microsoft has revoked more than 100 malicious drivers that received valid signatures via the company's Windows Hardware Compatibility Program (WHCP).

The malicious drivers were added to the company's driver revocation list and will be blocked from running on Windows systems going forward.

Microsoft credited security firms Sophos, Cisco Talos, and Trend Micro for discovering the malicious drivers and how they were being submitted to its developer portal.

Roughly $126 million worth of crypto-assets have been mysteriously transferred from the accounts of cryptocurrency platform Multichain in an apparent hack, according to blockchain security firms PeckShield, SlowMist, Lookonchain, and CertiK.

The incident took place on Friday, June 7.

Multichain—which is a platform that interconnects different blockchain platforms and allows users to exchange tokens—has shut down to investigate the incident.