IEEE Cipher --- Items from security-related news (E167)

  • LAPSES 'R US: Sophisticated Leapfrogging Undermines Microsoft
    Microsoft confirms it was breached by hacker group
    Publisher: CNN
    Date: March 23, 2022
    By: Brian Fung

    With everyone working remotely, the security of off-site employee computers is crucially important. Microsoft fell victim to exactly this kind of exposure, and although the damage was minor, the red flags for all companies are obvious. During "a five-day window of time between January 16-21, 2022 ... an attacker had access to a support engineer's laptop." Microsoft notes that the breach provided only "limited access" to company systems, including source files. Nonetheless, the hackers, believed to be a group known as Lapsus$, show "a sophisticated grasp of technology supply chains, understanding how to use one organization's relationships or reliance on another to its advantage."

  • The Other Shoe: Identity Provider Shaken by Account Hack
    Authentication firm Okta's shares slide after hack warning
    Publisher: Reuters
    Date: March 23, 2022
    By: Raphael Satter

    Okta is an identity provider company, and it was also hit by the Lapsus$ hackers. In this case, a contractor to Okta had an engineer whose computer was hacked. Okta said that private data of "at most" 366 customers may have been exposed. Some observers were startled at Okta's subdued response to the problem, which was discovered in January. The contractor was quickly identified as the problem source, but Okta did not provide a full report to the contractor for 2 months. It was only then that the contractor was able to stop the exposure.

    Comments by Okta's Chief Security Officer
    Updated Okta Statement on LAPSUS$
    Publisher: Blog by Okta CSO
    Date: Mar 22, 2022
    By: David Bradbury

  • Cyberattacks May Target Energy
    US federal alert warns of the discovery of malicious cyber tools
    Cybersecurity officials said the evidence suggests Russia is behind the tools – configured to target North American energy concerns
    Publisher: Associated Press
    Date: 13 Apr 2022

    Industrial control systems in the energy sector (and others) often rely on SCADA (supervisory control and data acquisition) systems built on simple serial protocols. Interfaces between Internet systems and SCADA controls allow operational control of large networks of devices. Malicious software that attacks SCADA systems is not common, but a new instance of it surfaced recently and was detected, thwarted, and analyzed by the US government and security firms. Their opinion is that it is circumstantially connected to prior Russian exploits. The targets were, initially, liquefied natural gas and electric power sites in North America.

  • Hawaiian Cable Hacking
    Agency disrupts cyberattack on an underwater cable
    Publisher: The Maui News
    Date: Apr 13, 2022

    An attack on servers that might be involved in managing Internet traffic on an undersea cable was thwarted by DHS's Homeland Security Investigations team. At least one person was arrested in connection with the "unauthorized access." There were no reports of exploits associated with the break-in, but agents emphasized the potential for causing various forms of havoc on Internet service. See also this article from CyberScoop on Apr 13, 2022 by A. J. Vicens: DHS investigators say they foiled cyberattack on undersea internet cable in Hawaii.

  • Command-and-Control Domains being Whack-a-Moled
    Microsoft and other tech firms take aim at prolific cybercrime gang
    Publisher: CNN Business
    Date: April 13, 2022
    By: Sean Lyngaas

    Most ransomware has an Achilles heel: the reliance on a few allied Internet servers that direct the attack after the initial breach. These "command and control servers" have to be surreptitious and anonymous, else they would give away the identity of the attackers. Attackers register meaningless DNS names for the servers, pay for them via circuitous routes, and often move them from one physical infrastructure to another. If the DNS names can be wiped out, then the attack will cease. Microsoft claims to have done exactly that by seizing 65 DNS domains used by "ZLoader". A court order allowed the seizure. Although this doesn't mean that ZLoader cannot be resurrected, it might mean that there will be a hiatus before it is reconstituted. The identity of one hacker was discovered and referred to authorities.

  • Because That's Where the Money Is
    North Korea, NFTs and a hit video game: inside a $500m cryptocurrency theft
    Another high-profile hack has raised more questions about the vulnerabilities of the blockchain. "End users may not necessarily be cognizant of the security risks that they incur," says Nicholas Christin.
    Publisher: The Guardian
    Date: 16 Apr 2022
    By: Carly Olson

    Perhaps one measure of the success of a cryptocurrency scheme is the amount of theft that it can tolerate without becoming useless. Last year, about $3.2bn was stolen. This year it will be more, and part of it will be from the hack that drained the "Ronin Bridge" of half a billion dollars.

    "Axie" is a "wildly popular" video game in which players purchase cartoon characters that are NFTs. The NFTs can be sold to other players. This commerce uses Ethereum for exchanging money. What could go wrong? One problem is that while Ethereum transactions are faster than Bitcoin's, they aren't fast enough for the volume of activity in a wildly popular video game. Thus, one needs an Ethereum "sidechain" that processes transactions faster by bridging between the game and Ethereum. The sidechain is called Ronin, and it runs smart contracts for Axie players. What could go wrong?

    The smart contracts are pieces of software in which the actions are secured by private keys. Smart contracts sometimes have exploitable bugs. In the case of Ronin, hackers were able to extract private keys via the contracts, and once they got enough keys, they were able to commandeer the system and collect all the money for themselves.

    Who carried out the dastardly deed? Possibly North Korea. But the fact that $500 million was left dangling in an insecure cryptocurrency bag shows that this technology is hardly mature, and ordinary people who just enjoy playing a video game can be simply putting their money out on the porch for any clever software expert to carry away.

  • "Here's a Useless Piece of Code ..."
    Oracle already wins 'crypto bug of the year' with Java digital signature bypass
    Whole new meaning for zero consequences
    Publisher: The Register
    Date: 20 Apr 2022
    By: Liam Proven

    When a large software company makes a newbie mistake in its security code, it's cause for embarrassment. Oracle became the butt of many jokes and general derision when it revealed a security patch showing that a crucial piece of code was trivially vulnerable and had been for as much as 6 months.

    Much of the cryptography that Internet security depends on uses digital signatures. Oracle undertook to implement its elliptic curve digital signature software in Java. The original code was in C++, and the translation from that to Java was carried out and introduced into Java version 15. Unfortunately, a crucial check to prevent the use of the "zero signature" was omitted. A "zero signature" always satisfies the verification step, and for this reason it must be summarily rejected, but Oracle's Java code didn't look for it. Oracle has not explained how such a serious error was overlooked during code review. Perhaps there was some clever but non-obvious way it was coded in C++, and the expression was "simplified" in the Java version.
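    The missing check the article describes, as an added illustration rather than Oracle's code: a toy ECDSA over a small textbook curve, with a verifier that models the defect beside one that rejects out-of-range r and s before doing any arithmetic. The curve, the keys, and the assumption that the flawed inverse routine maps 0 to 0 and reports the point at infinity as x = 0 are all constructed for this example.

```python
# Toy ECDSA over y^2 = x^3 + 2x + 2 (mod 17) with G = (5, 1) of order 19:
# a constructed textbook curve, small enough to follow by hand, not a real one.
P, A, N = 17, 2, 19
G = (5, 1)
INF = None  # point at infinity

def add(p1, p2):  # point addition, including doubling and the identity
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add scalar multiplication
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sign(d, e, k):  # ECDSA signature of hash e under private key d, nonce k
    r = mul(k, G)[0] % N
    return (r, pow(k, -1, N) * (e + d * r) % N)

def lenient_inverse(x):
    # Assumed model of the defect: the inverse routine returns 0 for input 0
    # instead of failing, so s = 0 gives w = 0 and both scalars collapse to 0.
    return 0 if x % N == 0 else pow(x, -1, N)

def verify_buggy(Q, e, sig):  # range check omitted: (0, 0) verifies anything
    r, s = sig
    w = lenient_inverse(s)
    R = add(mul(e * w % N, G), mul(r * w % N, Q))
    x = 0 if R is INF else R[0]  # point at infinity reported as x = 0
    return x % N == r

def verify_fixed(Q, e, sig):  # hardened: reject r, s outside [1, n-1] first
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    R = add(mul(e * w % N, G), mul(r * w % N, Q))
    return R is not INF and R[0] % N == r
```

    With private key 7, a genuine signature verifies under both routines, but the all-zero pair (0, 0) is accepted by verify_buggy for any message and rejected by verify_fixed.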

  • Russian Cyberattacks are Part of War
    Russian hacking in Ukraine has been extensive and intertwined with military operations, Microsoft says
    Publisher: CNN
    Date: April 27, 2022
    By: Sean Lyngaas

    It seems like an eon has passed since the Ukraine invasion began. As Russian forces gathered on the border, the US warned about Russian cyberattacks on Ukraine assets. Microsoft monitored the Ukrainian Internet, watching for attack attempts, and documented several of them.

    "NATO officials David Cattler and Daniel Black noted a series of alleged Russian data-wiping hacks aimed at Ukrainian organizations over multiple weeks." They noted that the attacks seemed to be timed to support Russian military objectives. The correlations are difficult to see in the overall "fog of war" and the images of unrelenting violence.

  • Microsoft's Special Report on Russia vs. Ukraine Cyberattacks
    Special Report: An overview of Russia's cyberattack activity in Ukraine
    Publisher: Microsoft
    Date: April 27, 2022
    By: Digital Security Unit

    This report summarizes the known cyberattacks launched against Ukraine as part of the military offensive against that country. These are infrastructure attacks as well as disinformation attacks.

  • Pentagon Seeks to Improve Contractor Cybersecurity
    Pentagon contractors go looking for software flaws as foreign hacking threats loom
    Publisher: CNN
    Date: May 2, 2022
    By: Sean Lyngaas

    Given that "an estimated 300,000 companies comprise the US defense industrial base" and also given the ability of hackers to move through supply chains stealthily, the Defense Department has been looking for ways to improve the security of those 300,000 companies. Smaller companies are assumed to be especially vulnerable because they might not have the resources needed to keep their systems locked up tight. A pilot program of the Pentagon called VDP ("Vulnerability Disclosure Program") shows some promise. Over the course of a year, the Pentagon probed the computers of a few dozen participating small companies "to find and fix flaws in the email programs, mobile devices and industrial software".

    The pilot program was successful in identifying a panoply of weaknesses, but it is a drop in the bucket. The Pentagon is looking for ways to expand the program.

  • A Bounty on Conti
    U.S. offers $15 mln reward for information on Conti ransomware group
    Publisher: Reuters
    Date: May 6, 2022
    By: Eric Beech

    The US State Department wants to apprehend the people behind the Conti ransomware group. The $15 million reward offered is one tenth of the amount the Russian-affiliated group is believed to have extorted. They attacked 16 medical and first responder groups in the United States and hurt Costa Rica's tax and customs systems.

  • Costa Rica's Cyber Troubles Intensify
    Cyber attack on Costa Rica grows as more agencies hit, president says
    Date: May 16, 2022
    Publisher: Reuters
    Reporter: Alvaro Murillo
    By: Brendan O'Boyle

    Summary: Costa Rica has not paid a ransom to the hackers who have damaged government systems, and the problems are widening. There is some suspicion that locals are cooperating with the Russian group behind the attacks.