Newsletters

This newsletter goes out three days after this incident came to light, so it's gonna cover what happened using a summary-like tone, focusing on aggregating links, conclusions, and hot-takes. At this point, you either know what happened, or you need a crash course in all that took place over the Easter weekend.

What happened: A backdoor mechanism was discovered in XZ Utils, a library that supports lossless compression. The library is extremely popular and is used with most major Linux distros and with a ton of Linux and macOS apps.

What does the backdoor do: In simple terms, it intercepts SSH RSA key decryption operations, which are redirected to the backdoor code. This allows the attacker to pass special arguments during an SSH auth operation and execute code on remote systems if they use a backdoored XZ Utils version.

Commercial spyware/surveillance vendors were behind 24 of the 97 zero-days that were exploited in the wild in 2023, according to a Google report published this week.

Eleven of the 24 zero-days impacted Safari and iOS, while the rest impacted Android and other Google products.

The data shows a clear interest from spyware vendors for mobile platforms. Google says it did not link any non-Apple or non-Google zero-days to spyware vendors.

On Monday this week, the US and UK denounced PRC cyber espionage activity that focused on interfering with democracies and their institutions, and announced sanctions and indictments. 

The US Department of Justice (DoJ) indicted seven Chinese nationals it said were linked to the APT31 hacking group. The DoJ's indictment said the named individuals had been involved in cyber espionage campaigns on behalf of the Hubei province arm of the PRC's Ministry of State Security (MSS) since 2010. 

The governments of Australia, New Zealand, the UK, the US, and the EU have called out China again over its broad, clumsy, and sometimes illegal hacking campaigns.

The push behind this latest round of diplomacy finger-pointing came from the UK and US, the two countries that appear to have seen the brunt of these campaigns.

Western officials are miffed—and deservedly so—about China's targeting and attempts to meddle in their democratic and election processes.

The EU Parliament has passed new anti-money laundering legislation that bans anonymous cryptocurrency payments.

The legislation applies to payments made through online service providers, also known as hosted wallets. It also applies to platforms that exchange virtual for regular fiat currency. It does not apply to owners of hardware and self-hosted wallets.

The new rules come to complement the EU's MiCA (Markets in Crypto-Assets) framework, which passed last year and is scheduled to go into effect on December 30, 2024.

The US government has sanctioned two Russian nationals and their respective companies for running years-long Russian disinformation campaigns across Latin America.

The US Treasury Department has levied sanctions against Ilya Andreevich Gambashidze, the founder of the Moscow-based company Social Design Agency (SDA), and Nikolai Aleksandrovich Tupikin, the CEO of Russian company Structura.

The sanctions come six months after a State Department report identified the two and their companies as the central pieces in Russia's disinformation effort across Latin America.

Tom Uren is on leave this week so Risky Business publisher Patrick Gray wrote this week's edition.

Good security happens when the incentives are right. Sometimes that's because a company is operating under a strict compliance regime, or it has customers that really, really care about security, or it's in a frequently attacked vertical like banking. 

Academics have discovered a new variation of the network loop attack that can crash servers by putting them in an infinite loop of data exchange.

The new attack is named Loop DoS and was discovered by Yepeng Pan and Professor Dr. Christian Rossow from the CISPA German research institute.

It is a variation of classic network loops but one that takes place at the application layer instead of the network routing level.

Microsoft has developed a new security protection for its Edge web browser.

The new feature—which has no official name—aims to stop sandbox escape attacks.

In a super simplified explanation—the new protection works by crashing the JavaScript rendering process when an attacker tries to escape the sandbox (where a website's code is executed) and then pivot to a more high-privileged internal browser component.

For more than a month, staff at the US National Institute of Standards and Technology (NIST) has stopped enriching CVE vulnerability data added to the National Vulnerability Database (NVD).

More than 2,100 CVE entries have been published without crucial metadata information—a process called "enrichment."

Enrichment data is crucial to anyone viewing the NVD. It provides basic details such as the name of software products impacted by the CVE, the vulnerability's CVSS severity scores, CVE and CWE data, a basic description of the bug, and patching status.