Cyberdefenders respond to hack of file

Jul 23, 2023

Welcome to The Cybersecurity 202! It's been a real weird couple news days for extraterrestrial visitors and searching for life in space.

Below: The GOP is demanding meetings with disinformation researchers, and the European Union is weighing a mandatory ban of Huawei. First:

This is starting to get a little too familiar for 2023: A company discovers a vulnerability in a popular piece of software or a tech tool. A hacking group looks poised to exploit it in a widespread way. Organizations begin to announce they’re among the victims.

This time around, a file-transfer tool known as MOVEit Transfer is at the center of everything. The ransomware gang in question appears to be Clop, a repeat player in this kind of story (some researchers are blaming the group, which is apparently also claiming credit). And the affected organizations whose information has been taken include the likes of British Airways, BBC, the government of Nova Scotia and a university in New York state.

As before, the main mystery going forward is how big the fallout will get. There's reason, for now, to expect things will get worse before they get better.

"It still very much qualifies as an emergent threat," Caitlin Condon, senior manager of security research at the cyber company Rapid7, told me.

On Tuesday, the alleged attackers began spelling out how they wanted victims to pay, telling victims that the hackers expected to receive an email from them over the next week, as Emsisoft's Brett Callow relayed on Twitter:

The MOVEit vulnerability follows other noteworthy attacks this year with similar contours. What's known so far about this one:

Rapid7 and another cyber company, Mandiant, saw the first instances of compromise on May 27. That was four days before MOVEit maker Progress Software warned the public about the vulnerability.

So far, prominent companies affected include a number of U.K. organizations, via compromised payroll services provider Zellis. In North America, victims include the government of Nova Scotia and the University of Rochester.

A search engine for publicly exposed devices suggests that 2,500 instances are exposed to the internet, more than half of them in the United States.

Around a dozen federal agencies appear to have active U.S. government contracts that mention MOVEit.

Independent security researcher Kevin Beaumont mentioned possible government victims on Twitter:

Rapid7 has labeled it a "widespread" attack despite the uncertain victim count right now because of the many probable compromises, Condon said.

Condon explained what makes file-transfer tools juicy targets for hackers. (Clop notably went after them in the 2021 Accellion breach.)

Another cyber company said it noticed something else interesting about the kind of attack the hackers used. The underlying flaw is SQL injection: the application builds a database query out of untrusted input, so an attacker can supply input that changes the structure of the query itself and make the database return or modify data the application never meant to expose.

But Huntress said Monday that in the case of the MOVEit attack, the SQL injection opens the door to potential remote code execution, meaning an attacker can go beyond reading the database and run code of their choosing on the server itself, from anywhere on the internet. That's "the crown jewel" allowing attackers to "own the access," said Huntress's senior security researcher John Hammond.
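To make the SQL injection mechanism concrete, here is an added example that is not from the original newsletter, from Progress, or from any of the researchers quoted; it uses a constructed SQLite users table and two generic payloads and does not reproduce the actual MOVEit flaw. It shows a login query built by string formatting beside the same query with bound parameters, and what each returns when fed the same attacker input.

```python
import sqlite3


def make_db():
    """Constructed sample table for the demo; not MOVEit's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: the input becomes part of the
    SQL text, so quotes and keywords in it change what the query does."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Fixed query text with bound parameters: the driver hands the values
    to the engine separately, so they can only ever be compared as data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Two classic payloads (generic illustrations, not the MOVEit payload).
# The first comments out the password check and makes the WHERE clause
# always true; the second turns a login lookup into a dump of another
# column via UNION.
BYPASS_PAYLOAD = "' OR 1=1 --"
DUMP_PAYLOAD = "' UNION SELECT username, password FROM users --"


def demo():
    """Run both payloads against both versions and collect the rows."""
    conn = make_db()
    return {
        "vulnerable_bypass": sorted(login_vulnerable(conn, BYPASS_PAYLOAD, "x")),
        "vulnerable_dump": sorted(login_vulnerable(conn, DUMP_PAYLOAD, "x")),
        "hardened_bypass": login_parameterized(conn, BYPASS_PAYLOAD, "x"),
        "hardened_dump": login_parameterized(conn, DUMP_PAYLOAD, "x"),
        "hardened_real_login": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable version logs the attacker in as every user with the first payload and hands back the password column with the second; the parameterized version returns nothing for either payload and still works for a real login. The example deliberately stops at data access: the step from SQL injection to code execution that Huntress describes depends on what the database engine and the surrounding application let a query do, and the newsletter does not detail that chain.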

But it's not clear why the attackers didn't use that access to drop ransomware into victim networks, Hammond told me, although some ransomware gangs have been focusing more on stealing data to hold for ransom and skipping the encryption step because it's faster and easier. Condon also told me the industry hasn't seen the attackers move laterally inside victim networks, which reduces their chances of being discovered.

Microsoft has attributed the MOVEit attacks to an affiliate of the ransomware gang known alternately as Clop or Cl0p. Google Cloud-owned Mandiant has not gone that far, attributing it to "a newly created threat cluster with unknown motivations" and saying it doesn't yet have sufficient evidence to connect it to the Clop gang, which it also calls FIN11.

Clop itself — or, at least, someone pretending to represent Clop — has told news outlets that it is in fact behind the attacks, but won't release data on military, government, children's hospitals, police departments and "etc." (Many ransomware groups have reneged on similar promises.)

One thing making it hard to quickly assess the number of victims is Clop's history. After the GoAnywhere attacks, Clop waited more than a month to make ransom demands. More victims could also become public later as government deadlines for disclosing breaches come due, Condon said.

Some cyber industry veterans have given kudos to Progress for aspects of how it's handled the situation, including quickly offering patches.

And the Cybersecurity and Infrastructure Security Agency has placed the MOVEit vulnerability on its so-called "must-patch" list for government agencies, the Known Exploited Vulnerabilities catalog, giving them a June 23 deadline.

House Judiciary Chairman Jim Jordan (R-Ohio) and his congressional allies are demanding documents from and meetings with disinformation experts that have been frequent targets of right-wing activists, our colleagues Naomi Nix and Joseph Menn report.

The meetings are putting pressure on the group of academics. Jordan and his allies have accused them of colluding with U.S. officials to suppress conservative views.

Naomi and Joseph write: "Jordan's colleagues and staffers met Tuesday on Capitol Hill with … University of Washington professor Kate Starbird, two weeks after they interviewed Clemson University professors who also track online propaganda, according to people familiar with the events."

"The pressure has forced some researchers to change their approach or step back, even as disinformation is rising ahead of the 2024 election," they add. "As artificial intelligence makes deception easier and platforms relax their rules on political hoaxes, industry veterans say they fear that young scholars will avoid studying disinformation."

The European Union is weighing the possibility of banning member states from using companies deemed national security risks — like Chinese telecommunications giant Huawei — to help construct their 5G infrastructure, Javier Espinoza reports for Financial Times.

The United States and European allies claim the company poses a security threat and that Chinese officials could conduct espionage or disrupt networks. Huawei denies the allegations.

Espinoza writes: "Only a third of EU countries had banned Huawei from critical parts of the bloc's 5G communications despite recommendations set out by Brussels to exclude high-risk vendors from technology investments, Thierry Breton, EU internal market commissioner, told the bloc's telecoms ministers at a meeting last Friday."

Huawei opposed the effort. "Assessing cyber security risks without sticking to technological standards … is a violation of the principles of fairness and non-discrimination, and also against the laws and regulations of the European Union and its member states," a company representative told the Financial Times.

The successor group to the independent commission behind the creation of the Office of the National Cyber Director said the Biden administration's cybersecurity approach "is not delivering the necessary improvements" to agencies responsible for steering the protection of critical infrastructure sectors and that it must be carefully overhauled.

The Cyberspace Solarium Commission (CSC) 2.0 in a report out this morning said the strategies around governing critical infrastructure protections have "become stale" and that the current system that designates critical infrastructure entities is "inadequate" including for risks that cross into several sectors.

PPD-21, the 2013 presidential policy directive on critical infrastructure security and resilience, has been "frozen in time now for eight years," Mark Montgomery, CSC 2.0's executive director, said in a call with reporters, adding that it should have been revised at the start of the Biden administration.

'Night Fury': documents detail DHS project to give 'risk scores' to social media users (Motherboard)

White House quiet on national cyber director choice, senator says (Axios)

Excel spreadsheet error leads Austrian party to announce wrong leader (Kelsey Ables)

Should software companies be held liable for security flaws? (Wall Street Journal)

North Korea hackers suspected in new $35 million crypto heist (CNN)

Prince Harry: I couldn't trust anybody due to phone hacking (BBC News)

U.K. to remove Chinese-made surveillance equipment from sensitive government sites (Reuters)

Over 60,000 Android apps secretly installed adware for past six months (Bleeping Computer)

1Password launches its public passkey beta (The Verge)

DeSantis takes swing at Big Tech in New Florida privacy law (Bloomberg Law)

Thanks for reading. See you tomorrow.