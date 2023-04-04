

Welcome to The Cybersecurity 202! Congratulations to the Connecticut Huskies, the NCAA men’s champions. But you should know that the real champions — decided for many years by strictly regulated mascot-on-mascot combat — are the Arizona State Sun Devils. Using their mysterious demonic powers, they defeated the Alabama Crimson Tide’s elephant to take home the title. History repeats itself from 2014. Was this forwarded to you? Sign up here.

Below: A cyber official’s departure was reportedly prompted by clashes with another official, and lawmakers ask DHS for documents on vulnerabilities posed by Chinese cranes. First:

Everyone’s still sifting through the hacks targeting 3CX after notching defensive successes

The worst part of a massive hack that was uncovered last week, which triggered a frenzy of activity from cyber companies and government agencies, appears to be over. But some details about what happened — and any remaining risk — are still up in the air.


Just on Monday, for instance, Russian cyber firm Kaspersky said it discovered that the hackers responsible had targeted cryptocurrency firms.

The alleged North Korean hackers attacked voice-over IP software provider 3CX, using it as a means to spread malware to its customers — known as a “supply chain attack.” Given that the company claims 12 million daily users and 600,000 business customers, the hack spawned comparisons to past major supply chain attacks, such as the ones that hit SolarWinds and Kaseya and alarmed cyber experts in 2021. (The U.S. government has said that Russia was responsible for the SolarWinds hack and that the REvil ransomware gang was behind the Kaseya hack.)

Whether those comparisons are apt or not is a different question.

The timeline

Here’s the order of major events:

Here’s how Christopher Budd, senior research manager at Sophos, explained what the hackers did: “They took one of the legitimate files that the application uses,” he told me. “They kept it intact, but appended to it malicious code. And this was actually pretty interesting because by doing that, it enabled the application from an end-user perspective to run completely normally without any indication that something was amiss.”
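The technique Budd describes, a legitimate file kept intact with extra code appended to it, leaves a detectable trace: bytes sitting past the point where the file's own headers say it ends. The script below is an added example written for this page, not code from the article or from any of the vendors quoted, and it does not reproduce the specific mechanism used against 3CX. It parses a Windows PE header directly, computes where the last section and the certificate table end, and reports any trailing "overlay" data; the minimal PE it builds as sample input is constructed here and is not loadable. One caveat a practitioner should keep in mind: this layout check only catches data appended after the declared end of the file. Data tucked inside the certificate table itself is not flagged by it and requires checking what the Authenticode hash actually covers.

```python
import struct

FILE_ALIGN = 0x200          # file alignment used by the constructed sample
SECURITY_DIR_INDEX = 4      # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def declared_end(data: bytes) -> int:
    """Return the file offset where the PE's own headers say the file ends.

    That is the larger of: the end of the last section's raw data, and the end
    of the Authenticode certificate table (if present). Anything beyond this
    offset is an overlay: bytes the image loader ignores and the signature
    hash never covered.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")

    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]

    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = 112 if magic == 0x20B else 96       # PE32+ vs PE32 data directories
    cert_off, cert_size = struct.unpack_from(
        "<II", data, opt + dir_base + SECURITY_DIR_INDEX * 8)

    sect_table = opt + size_of_opt
    end = sect_table + num_sections * 40           # end of the section table
    for i in range(num_sections):
        hdr = sect_table + i * 40
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    if cert_off:
        end = max(end, cert_off + cert_size)       # certificate table is a file offset
    return end


def find_overlay(data: bytes):
    """Return (offset, length) of trailing bytes past the declared end, or None."""
    end = declared_end(data)
    return (end, len(data) - end) if len(data) > end else None


def build_minimal_pe(payload: bytes, cert_blob: bytes = b"") -> bytes:
    """Construct a tiny PE32+ image with one section (constructed sample input).

    Enough header structure for the parser above, not a runnable binary.
    cert_blob, if given, is placed where an Authenticode signature would live
    and referenced from the security directory.
    """
    raw_ptr = FILE_ALIGN
    raw_size = _align(len(payload), FILE_ALIGN)
    cert_off = raw_ptr + raw_size if cert_blob else 0

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, cert_off, len(cert_blob))
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                       raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(raw_ptr, b"\0")
    return headers + payload.ljust(raw_size, b"\0") + cert_blob


if __name__ == "__main__":
    clean = build_minimal_pe(b"\x90" * 100, cert_blob=b"\x30\x82" + b"\0" * 30)
    tampered = clean + b"<appended code>"
    print("clean   :", find_overlay(clean))      # None
    print("tampered:", find_overlay(tampered))   # (1056, 15)
```

Run it against a real DLL by reading the file into `data` and calling `find_overlay(data)`; a non-empty result on a file that is supposed to be pristine is a reason to compare its hash against the vendor's published value rather than trusting that it still runs normally.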


The number of companies affected by the harmful code remains unclear, with individual cyber companies reporting their own customer numbers. Fortinet said it saw 61 percent of victim machines “calling out to known actor controlled infrastructure” in Europe, followed by 16 percent in North America.

On Monday, Kaspersky said the hackers deployed a hacking tool to fewer than 10 infected machines at cryptocurrency firms, suggesting they used that tool “with surgical precision” to target the crypto companies.

Still, mysteries remain days after the campaign was detected. There’s been discussion of the role a 10-year-old Windows vulnerability played in the hackers gaining access. But, as Huntress’ senior security researcher John Hammond told me, it’s less clear what that means for the Mac side of things.


Nonetheless, Hammond, Budd and a third cyber expert, Adam Meyers with CrowdStrike, told me that the supply-chain element of the hacking campaign has been effectively “neutered,” in the words of Hammond. But the experts said that infected machines that haven’t yet been updated might still be vulnerable to other kinds of attacks.

“Right now, I think it’s a cautionary tale of success,” Meyers, senior vice president of intelligence at CrowdStrike, told me. “I wouldn’t say that there’s no worry, but that [supply-chain] aspect of the operation has been largely exposed and is in the process of being remediated.”

Said Budd: “Most of the industry is now trying to figure out what we can find about that possible next stage of attack.”

Some threat researchers, meanwhile, said they’ve put together a tool to help identify victims:

In response to the #3CXpocalypse / #3CX, a group of us have put together a self-service site to look up if you were potentially impacted. If you're connecting from an IP address that was flagged, the header will turn red. https://t.co/FsLaTsOxrS pic.twitter.com/PnStUK4pC1 — Silas (@silascutler) March 31, 2023

The comparisons

Industry experts have hailed the approach toward the 3CX threat as a representation of lessons learned from the SolarWinds espionage campaign.


But there are also significant differences between what happened with SolarWinds and 3CX. While cyber officials believe North Korea is improving its cyber capabilities, they’re not as sophisticated as the Russian hackers allegedly behind the SolarWinds campaign.

“It was just noisier than SolarWinds and was a little bit easier to detect in that regard,” Meyers said. (When referring to cyberattacks, “noisy” means that the hackers left more clues about who they were and what they were doing.)

Budd said “the only comparisons that I would make are the point … about severing the attack chain,” and that they both were supply chain attacks.

“It’s not the same tactics, it’s not the same delivery and by no means the same execution,” said Hammond.

The keys

Former cyber official Inglis reportedly clashed with Neuberger, prompting departure

Former national cyber director Chris Inglis, who stepped down from his post in the weeks leading up to the unveiling of the Biden administration’s national cyber strategy, resigned mainly due to clashes with Anne Neuberger, another senior cybersecurity official, William Turton and Katrina Manson report for Bloomberg News, citing five people familiar with his thinking and emailed correspondence.


The report says Inglis and Neuberger had potential “competing lines of authority” that had worried observers, according to interviews by Turton and Manson with more than a dozen people.

“Inglis accused Neuberger of withholding relevant information from his office and trying to undermine his efforts to draft the cyber strategy, according to a March 14 email that Inglis wrote to a former colleague that was reviewed by Bloomberg News,” Turton and Manson write.

One current and three former officials in the White House told Bloomberg that the clashes between Neuberger’s National Security Council and the Office of the National Cyber Director threaten a smooth deployment of the nation’s national cyber strategy announced last month, as well as efforts to shield against cyberthreats.

Inglis told the outlet that discussions between the two offices were “often quite productive” at the staff level, but organizations outside of Neuberger’s “demonstrated a qualitatively and quantitatively stronger commitment to the foundations of collaboration: transparency and commitment to advance shared interests.” Neuberger told Bloomberg that any reports of conflict with Inglis have had little impact on the administration’s ability to improve the nation’s cybersecurity posture.

German cybersecurity authority admits to using China-linked Huawei equipment

Germany’s federal office for information security (BSI) uses communications equipment from China-based Huawei, according to a report from Dietmar Neuerer of German-language newspaper Handelsblatt, which cited documented responses to a parliamentary inquiry by the nation’s federal government.


German regulators have been working to keep equipment that allegedly poses risks to national security out of the country’s networks, but one of the authorities responsible is ironically using such equipment, the report says.

The U.S. Federal Communications Commission has made concerted efforts to eject China-affiliated telecommunications entities, including Huawei and ZTE Corp., from American networks. The United States has previously warned Germany against integrating Huawei into its mobile networks, the Handelsblatt story says.

Lawmakers to scrutinize potential vulnerabilities in cranes

Lawmakers on the House Homeland Security Committee want the Department of Homeland Security to provide documents on the vulnerabilities posed by Chinese cranes across the United States, as well as information on risk mitigation efforts, the Wall Street Journal’s Gordon Lubold and Aruna Viswanatha report. The committee aims to hold hearings on the issue by April 18, the outlet reports.


It is “extremely worrisome” that about 80 percent of cranes at American ports use a Chinese firm’s software, House Homeland Security Committee Chairman Mark Green (R-Tenn.) said in a statement. “On behalf of the American people, this Committee is demanding answers on the risks these cranes pose to U.S. cybersecurity and the resilience of our critical infrastructure, which is a core aspect of the homeland security mission.”

Chinese officials have dismissed the concerns as paranoia and an attempt to thwart cooperation with China. State-owned Shanghai Zhenhua Heavy Industries (ZPMC), which makes many of the cranes, didn’t respond to the Journal’s requests for comment.

Chat room

Reactions pour in from Twitter beginning a rollback of its old blue check verification regime. Clickhole and The Onion writer Alex Blechman:

Imagine how much it would cost to hire LeBron James to write content for your website. Imagine miraculously getting him to do it for free. Imagine then driving him away from your website so you can fail to collect $96 from him annually https://t.co/XwqwyNcIIg — Alex Blechman (@AlexBlechman) March 31, 2023

New York Times tech reporter Sheera Frenkel:

So only @nytimes lost its blue check? Got it. Totally normal. — Sheera Frenkel (@sheeraf) April 2, 2023

Multimedia journalist David Leavitt:

Twitter has removed the ability to discern if someone received their verified check mark for being who they actually are in real life or if they’re paying for Twitter Blue. pic.twitter.com/tslRDBpxSJ — David Leavitt (@David_Leavitt) April 2, 2023

Daybook

The United Nations Institute for Disarmament Research holds a Geneva-based dialogue on subsea communications cables at 4 a.m. Eastern time.

The International Association of Privacy Professionals convenes its two-day 2023 Global Privacy Summit with the first general session beginning at 9 a.m.

The National Association For Public Health Statistics and Information holds a two-day identity and security conference with the opening plenary beginning at 9:15 a.m.

Secure log off

1998: Hackers changed the MIT home page to read "Disney to Acquire MIT for $6.9 Billion". https://t.co/jhGoqM55Eq pic.twitter.com/NYISl8hoya — Today In Infosec (@todayininfosec) April 1, 2023

Thanks for reading. See you tomorrow.
