Newsletters

Last week, Microsoft released its latest report into how its services were compromised by a China-based actor it called Storm-0558. It's an eye opening document that raises some red flags about Microsoft's security culture.

To summarise the incident briefly, Storm-0558 used a Microsoft Account (MSA) signing key to gain access to the email accounts of individuals in businesses and in government departments including the US Department of State and the US Department of Commerce. For several reasons this hack should not have worked, yet Storm-0558 was able to take advantage of multiple flaws in Microsoft processes to achieve its objectives.

From the perspective of someone who has worked in high-security environments, some of these flaws are absolutely bewildering.

The Cybersecurity and Infrastructure Security Agency (CISA) has announced it is providing free access to its official Vulnerability Scanning (VS) service to the operators of public US water and wastewater utilities.

The VS service has been running for years but has been previously available to federal civilian agencies only.

The service will help water utilities identify internet-exposed systems and see if they are vulnerable to known security bugs.

Microsoft will phase out the use of third-party printer drivers in Windows in favor of a new and more secure interface.

"In the near future, Windows will default to a new print mode that disables 3rd party drivers for printing," said Microsoft security engineer Johnathan Norman.

"That new system will have quite a few big security improvements, which we plan to detail in a future blog post."

The US and UK governments have revealed the real-world identities and imposed sanctions on 11 additional members of the Trickbot/Conti cybercrime operation. The new sanctions come after both governments doxed and sanctioned seven members earlier this year in February.

The new batch includes:

This adds to the February batch of sanctioned Trickbot/Conti members, which includes:

A harrowing new UN report describes how hundreds of thousands of trafficked people are forced into working in online scam operations.

These operations cover the gamut from online fraud such as romance scams and fake cryptocurrency investment schemes to illegal gambling. They take place in online scam centres known as "boiler rooms" or "pig-butchering farms".

The human toll is staggering. The report says that at least 120,000 people across Myanmar and 100,000 in Cambodia are thought to be forced to work on online scams. The report cites Myanmar's military coup, ongoing violence and breakdown in the rule of law as significant factors in the proliferation of boiler rooms in the country.

Back in June, the Chinese ambassador in Myanmar asked the country's military junta to crack down on the ever-growing number of illegal call centers operating in Myanmar's north conducting online and telecom scams targeting Chinese citizens.

Three months later, Myanmarese officials have delivered on their promise and have put high-profitable criminal operations on alert after a long string of arrests.

Six suspects were detained in June, seven last month, then two, then 24, and now 269 in the largest crackdown to date.

The German government says Chinese APTs are hijacking SOHO routers, NAS devices, and smart home automation systems to conduct cyber-espionage operations.

The hacked devices are used as a giant mesh of proxies that relay and hide the origin of the attack.

Chinese cyber-espionage groups like APT15 (Vixen Panda, Ke3chang) and APT31 (Zirconium, Judgement Panda) have been observed utilizing the tactic, according to a security advisory published by the German Federal Office for the Protection of the Constitution (BfV) last week. A Google Translate machine-translated version of the alert is here.

An anonymous researcher has sifted through the changelogs of open-source projects and obtained CVE identifiers for old bugs that experts say may not be security flaws.

All the fake CVEs were obtained on August 22nd, and all were filed for open-source projects.

According to a list compiled by Chainguard at RiskyBusiness' request, 138 CVEs were filed in projects such as cURL, PostgreSQL, Python, the Netwide Assembler, ImageMagick, and many smaller libraries.

Fears that proposed amendments to the UK's Investigatory Powers Act will prevent vendors from issuing software updates are overblown.

Early last month the UK government opened a consultation period on proposed changes to its Investigatory Powers Act (IPA), the legislation that governs law enforcement and intelligence agencies’ use of intrusive investigatory powers such as telco-mediated lawful interception.

The IPA has been in force since 2016 when it combined existing statutory powers granted to UK authorities into a single piece of legislation. It also strengthened approval and oversight processes, with use of the most intrusive powers requiring a 'double-lock' approval from a government minister and an independent judicial commissioner.

The FBI has seized server infrastructure that hosted the Qakbot botnet and mass-uninstalled the malware from infected systems.

Also known as Qbot and Pinkslipbot, the botnet has been active since 2008. It initially launched as a banking trojan but changed to operating as a "loader" in the mid-2010s, infecting systems via malspam campaigns and then selling access to infected systems to other cybercrime groups.

Over the past three years, Qakbot has served as an initial entry point for many ransomware attacks. Groups that have worked with Qakbot include the likes of Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta.