Cyber Safety Review Board Eviscerates Microsoft's Handling of Chinese Hack

XZ Utils backdoor rocks the cybersecurity world, Experts think XZ backdoor developer was likely a nation-state persona, Google agrees to delete billions of Incognito mode records, AT&T resets millions of account passcodes, Anti-Kremlin hackers deface Russian prison website with pro-Navalny message, NIST blames lack of interagency support for NVD backlog, much more

Metacurity is back from its publishing break!

Image by Tawanda Razika from Pixabay

The Cyber Safety Review Board issued a scathing report detailing lapses by tech giant Microsoft that led to a targeted Chinese hack last year of the emails of top US government officials, including Commerce Secretary Gina Raimondo, by a group known as Storm-0558.

The report takes aim at shoddy cybersecurity practices, lax corporate culture and a deliberate lack of transparency over what Microsoft knew about the origins of the breach. It is a blistering indictment of a tech titan whose cloud infrastructure is widely used by consumers and governments worldwide.

The board issued sweeping recommendations that, if implemented, would dramatically strengthen the openness and security of the booming cloud computing industry.

The intrusion, which ransacked the Microsoft Exchange Online mailboxes of 22 organizations and more than 500 individuals worldwide, was “preventable” and “should never have occurred,” the report concludes.

Perhaps most concerning, the board report makes clear that Microsoft still does not know how the Chinese carried out the attack.

One of the sharpest rebukes is reserved for the company’s public messaging around the case. The board found that Microsoft for months did not correct inaccurate or misleading statements suggesting the breach was due to a “crash dump” or leftover data contained in the wake of a system crash. In fact, the report notes that Microsoft remains unsure if this event led to the breach.

Microsoft amended its public security statements only on March 12, after the board repeatedly questioned it about plans to issue a correction and when it was clear the board was concluding its review.

According to the report, the board faults “Microsoft’s decision not to correct in a timely manner its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when, in fact, it still has not.”

Microsoft’s initial statement about the intrusion was made in July, noting that a China-based adversary had somehow obtained a “signing” key allowing the hackers to forge users’ credentials and steal Outlook emails.

In a Sept. 6 statement update, Microsoft suggested that the hackers obtained the key through its inadvertent inclusion in the crash dump, which was not detected by the firm’s security systems.

However, in November, Microsoft acknowledged to the board that the September blog post “was inaccurate,” the report stated.

Microsoft updated the post a few weeks ago. In the update, the Microsoft Security Response Center admits that “we have not found a crash dump containing the impacted key material.”

A Microsoft spokesman said that “recent events have demonstrated a need to adopt a new culture of engineering security in our own networks,” noting that the company had created an initiative to do so. “While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.” (Ellen Nakashima and Joseph Menn / Washington Post)

Source: CSRB.

A lone Microsoft developer, Andres Freund, rocked the cybersecurity world last week when he revealed a backdoor had been intentionally planted in XZ Utils, an open-source data compression utility available on almost all installations of Linux and other Unix-like operating systems.

The person or people behind this project likely spent years on it. They were likely very close to seeing the backdoor update merged into Debian and Red Hat, the two biggest Linux distributions, when an eagle-eyed software developer spotted something fishy.

"This might be the best executed supply chain attack we've seen described in the open, and it's a nightmare scenario: malicious, competent, authorized upstream in a widely used library," software and cryptography engineer Filippo Valsorda said of the effort, which came frightfully close to succeeding.

It's hard to overstate the complexity of the social engineering and the inner workings of the backdoor. Thomas Roccia, a researcher at Microsoft, published a graphic on Mastodon that helps visualize the sprawling extent of the nearly successful endeavor to spread a backdoor with a reach that would have dwarfed the SolarWinds event from 2020.

Malicious code added to xz Utils versions 5.6.0 and 5.6.1 modified the software's function. The backdoor manipulated sshd, the executable file used to make remote SSH connections. Anyone in possession of a predetermined encryption key could stash any code of their choice in an SSH login certificate, upload it, and execute it on the backdoored device.

No one has actually seen code uploaded, so it's not known what code the attacker planned to run. In theory, the code could allow for just about anything, including stealing encryption keys or installing malware. (Dan Goodin / Ars Technica)

Source: Thomas Roccia.

It is now clear that the XZ Utils backdoor was inserted by the mysterious lead open-source steward of XZ Utils, a developer who went by the name Jia Tan, a likely persona who security researchers believe is tied to a nation-state threat actor.

Jia Tan exploited open source software’s crowdsourced approach to coding whereby anyone can suggest changes to a program on code repositories like GitHub, where the changes are reviewed by other coders before they’re integrated into the software.

Peeling back Jia Tan’s documented history in the open source programming world reveals that they first appeared in November 2021 with the GitHub username JiaT75, then made contributions to other open source projects using the name Jia Tan, or sometimes Jia Cheong Tan, for more than a year before beginning to submit changes to XZ Utils. By January 2023, Jia Tan’s code was being integrated into XZ Utils.

Over the next year, they would largely take control of the project from its original maintainer, Lasse Collin, a change driven in part by nagging emails sent to Collin by a handful of users complaining about slow updates. Finally, Jia Tan added their stealthy backdoor to a version of XZ Utils in February of this year.

That patient approach, along with the technical features and sophistication of the backdoor itself, has led many in the cybersecurity world to believe that Jia Tan must, in fact, be a handle operated by state-sponsored hackers and very good ones.

“This multiyear operation was very cunning, and the implanted backdoor is incredibly deceptive,” says Costin Raiu, who last year served as the most senior researcher and head of the global research and analysis team at Russian cybersecurity firm Kaspersky. “I’d say this is a nation-state-backed group, one with long-term goals in mind that affords to invest into multiyear infiltration of open source projects.”

As for which nation, Raiu names the usual suspects: China, Russia, and North Korea. He says it’s still too early to know the true culprit. “One thing is for sure clear,” he adds. “This was more cunning than all previous software supply chain attacks I’ve seen.”

As scrutiny around Jia Tan has mounted since the revelation of the XZ Utils backdoor last Friday, researchers have noted that the persona has remarkably good operational security. Independent security reporter Brian Krebs writes that he could find “zero trace” of Jia Tan’s email address outside of the messages he sent to fellow open source contributors, even after scouring breached databases. Jia Tan also appears to have routed all their communications through a VPN with a Singaporean IP address.

The lack of any other online presence linked to Jia Tan points towards the account being a “single-purpose invented persona” and indicates how much sophistication, patience, and thought was put into developing the backdoor, says Will Thomas, an instructor at the SANS Institute, a cybersecurity training firm. The Jia Tan persona has vanished since the backdoor was discovered, and emails sent to a Gmail address linked to it went unanswered.

Security researchers agree that it’s unlikely that Jia Tan is a real person or even one person working alone. Instead, it seems clear that the persona was the online embodiment of a new tactic from a new, well-organized organization—and one that nearly worked. (Andy Greenberg and Matt Burgess / Wired)

According to documents filed in federal court in San Francisco, Google has agreed to delete “billions of data records” the company collected while users browsed the web using Incognito mode.

The agreement, part of a settlement in a class action lawsuit filed in 2020, caps off years of disclosures about Google’s practices that shed light on how much data the tech giant siphons from its users, even when they’re in private browsing mode.

Under the terms of the settlement, Google must further update the Incognito mode “splash page” that appears anytime you open an Incognito mode Chrome window after previously updating it in January. The Incognito splash page will explicitly state that Google collects data from third-party websites “regardless of which browsing or browser mode you use” and stipulate that “third-party sites and apps that integrate our services may still share information with Google,” among other changes. Details about Google’s private-browsing data collection must also appear in the company’s privacy policy.

Additionally, some of the data that Google previously collected on Incognito users will be deleted. This includes “private-browsing data” that is “older than nine months” from the date that Google signed the term sheet of the settlement last December, as well as private-browsing data collected throughout December 2023. All told, this amounts to those “billions of data records.” Certain documents in the case referring to Google's data collection methods remain sealed, however, making it difficult to assess how thorough the deletion process will be.

Google spokesperson Jose Castaneda said that the company “is happy to delete old technical data that was never associated with an individual and was never used for any form of personalization.” Castaneda also noted that the company will now pay “zero” dollars as part of the settlement after earlier facing a $5 billion penalty.

Other steps Google must take will include continuing to “block third-party cookies within Incognito mode for five years,” partially redacting IP addresses to prevent re-identification of anonymized user data, and removing certain header information that can currently be used to identify users with Incognito mode active. (Dell Cameron and Andrew Couts / Wired)

Phone giant AT&T reset millions of customer account passcodes after a huge cache of data containing AT&T customer records was dumped online earlier this month.

AT&T initiated the passcode mass-reset after TechCrunch informed AT&T that the leaked data contained encrypted passcodes that could be used to access AT&T customer accounts.

A security researcher who analyzed the leaked data told TechCrunch that the encrypted account passcodes are easy to decipher. TechCrunch alerted AT&T to the security researcher’s statement. AT&T said: “AT&T has launched a robust investigation supported by internal and external cybersecurity experts. Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.”

AT&T said it does not “have evidence of unauthorized access to its systems resulting in exfiltration of the data set.”

This is the first time that AT&T has acknowledged that the leaked data belongs to its customers, around three years after a hacker claimed the theft of 73 million AT&T customer records. AT&T had denied a breach of its systems, but the source of the leak remains inconclusive. (Zack Whittaker / TechCrunch)

Within hours of opposition leader Alexey Navalny’s death in a Russian prison, a group of anti-Kremlin hackers went looking for revenge, plastering a photo of Navalny and his wife Yulia on the hacked prison contractor’s website with a message “Long live Alexey Navalny!”

They also appear to have stolen a database containing information on hundreds of thousands of Russian prisoners and their relatives and contacts, including, the hackers claim, data held on prisoners in the Arctic penal colony where Navalny died on February 16.

The hackers, who say they are a mix of nationalities, including Russian expatriates and Ukrainians, are sharing that data, including phone numbers and email addresses of prisoners and their relatives, “in the hope that somebody can contact them and help understand what happened to Navalny,” a hacker who claimed to be involved in the breach said.

In addition, the hackers used their access to the Russian prison system’s online commissary, where family members buy food for inmates, to change the prices of things like noodles and canned beef to one ruble, which is roughly $0.01, according to screenshots and videos of purchases from the online store posted by the hackers. Normally, those goods cost over $1.

The hackers claim that the database contains information on about 800,000 prisoners and their relatives and contacts. A review of the data found some duplicate entries, but it still contains information on hundreds of thousands of people. CNN was able to match multiple prisoner names in screenshots shared by the hackers with people who, according to public records, are currently in Russian prisons.

The online prison shop that the hackers appear to have breached is owned by the Russian state and officially known as JSC Kaluzhskoe, according to Russian business records reviewed by CNN. JSC Kaluzhskoe serves 34 regions in Russia.

The hacking group sent notes to administrators of the online prison shop, warning them not to take the pro-Navalny messages off the website. When the web administrators refused, the hackers retaliated by destroying one of the administrators’ computer servers, the hacker claimed. (Sean Lyngaas and Darya Tarasova / CNN)

Source: CNN.

The nonprofit OWASP Foundation, short for Open Worldwide Application Security Project, disclosed a data breach after some members' resumes were exposed online due to a misconfiguration of its old Wiki web server.

OWASP says it discovered the Media Wiki misconfiguration in late February following several support requests.

The incident only affected members who joined the foundation between 2006 and 2014 and provided resumes as part of the old membership process.

"The resumes contained names, email addresses, phone numbers, physical addresses, and other personally identifiable information," said OWASP Executive Director Andrew van der Stock. "OWASP collected resumes as part of the early membership process, whereby members were required to show a connection to the OWASP community from 2006 to 2014. OWASP no longer collects resumes as part of the membership process."

OWASP took several measures to address the data breach, disabling directory browsing and reviewing the web server and Media Wiki configuration for other security issues.

The foundation will email affected individuals to notify them of the incident even though many of them are no longer members and the exposed personal details are, in many cases, out of date. (Sergiu Gatlan / Bleeping Computer)

Jackson County, Missouri, has declared a state of emergency and closed key offices indefinitely as it responds to what officials believe is a ransomware attack that has made some of its IT systems inoperable.

"Jackson County has identified significant disruptions within its IT systems, potentially attributable to a ransomware attack," officials said. Early indications suggest operational inconsistencies across its digital infrastructure, and certain systems have been rendered inoperative while others continue to function as normal.

The systems confirmed inoperable include tax and online property payments, marriage license issuance, and inmate searches. In response, the Assessment, Collection, and Recorder of Deeds offices at all county locations are closed until further notice.

"We are currently in the early stages of our diagnostic procedures, working closely with our cybersecurity partners to thoroughly explore all possibilities and identify the root cause of the situation," officials said. "While the investigation considers ransomware as a potential cause, comprehensive analyses are underway to confirm the exact nature of the disruption." (Dan Goodin / Ars Technica)

The US Federal Communications Commission (FCC) says it is investigating significant weaknesses in the telecommunications protocols Signaling System No. 7 (SS7) and Diameter that can enable cybercrime and spying.

The agency is investigating how the protocols can allow breaches, particularly by revealing consumers’ locations to malicious hackers and spies.

The FCC has told carriers to explain how they are preventing such activity over the protocols. It is also demanding providers turn over specific examples of breaches.

SS7 and Diameter are not outfitted with the technology needed to properly encrypt the traffic they handle, the agency and telecom experts say. Americans are particularly exposed to hacks while roaming networks. (Suzanne Smalley / The Record)

Security firm CertiK discovered that “suspicious transactions” totaling over $3 million were sent out of Bitcoin Lightning-based exchange FixedFloat.

FixedFloat is a fully automated service for exchanging cryptocurrencies and tokens and is based on Bitcoin Lightning, a network atop the main Bitcoin blockchain that uses micropayment channels for faster and cheaper transactions.

CertiK said funds were moved in ether (ETH) and tether (USDT) to wallets on the Ethereum and Tron networks, respectively. CertiK described the activity as an “exploit in the email.”

“Approximately $2 million of the funds were deposited in eXch, similar behavior to the FixedFloat incident on 16 Feb, with another $100k USDT deposited to a Binance wallet on Tron,” the firm said.

As of 10 am EDT, FixedFloat’s website was down for “technical work.” (Shaurya Malwa / Coindesk)

The US National Institute of Standards and Technology (NIST) blames a dearth of analysis affecting thousands of entries in the National Vulnerability Database (NVD) on a drop in “interagency support” as vulnerability reporting surges.

Since mid-February, NIST has fallen behind in its role of adding essential enrichment information to new CVE (common vulnerabilities and exposures) entries.

The enrichment data provides threat analysts with the necessary context for new vulnerabilities: basic descriptions of the bugs and the software they impact, CVSS severity scores, related Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) details, patch availability, and links to additional resources.

According to NIST’s website, NIST analyzed only 199 of the 3370 CVEs it received last month.

In a statement, NIST said the backlog was due to a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.

NIST said, “Currently, we are prioritizing analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well.” (Simon Hendery / SC Magazine)

Related: NIST, Dark Reading

After security researcher Sourajeet Majumder found at least hundreds of documents containing Indian citizens’ personal information, including Aadhaar numbers, COVID-19 vaccination data, and passport details, spilling online for anyone to access, the Indian government pulled down links to its cloud service, dubbed S3WaaS, that were exposing the documents.

Majumder found a misconfiguration in 2022 that exposed citizens’ personal information stored on S3WaaS to the open Internet. Because the private documents were inadvertently made public, search engines also indexed them, allowing anyone to actively search the Internet for sensitive private citizen data.

With support from the digital rights organization the Internet Freedom Foundation, Majumder reported the incident to India’s response team, CERT-In, and the Indian government’s National Informatics Centre.

CERT-In quickly acknowledged the issue and links containing sensitive files from public search engines were pulled down.

But Majumder said that despite repeated warnings about the data spill, the Indian government cloud service was still exposing some individuals’ personal information as recently as last week.

With evidence of ongoing exposures of private data, Majumder asked TechCrunch for help getting the remaining data secured. Majumder said that some citizens’ sensitive data began spilling online long after he first disclosed the misconfiguration in 2022.

TechCrunch reported some of the exposed data to CERT-In. Majumder confirmed that those files are no longer publicly accessible. (Jagmeet Singh / TechCrunch)

Related: Tech Radar, Neowin

Google is testing a new prototype feature for the Chrome browser that aims to thwart the threat of hackers looting a browser’s cookies to hijack login sessions with a new system called Device Bound Session Credentials.

The goal of the project is for it to become an “open web standard.”

“Cookie theft like this happens after login, so it bypasses two-factor authentication and any other login-time reputation checks,” said Google software engineer Kristian Monsen. “It’s also difficult to mitigate via antivirus software since the stolen cookies continue to work even after the malware is detected and removed.”

In response, Google has been working on a way to bind the authentication cookies to the user’s PC. To do so, the company wants to meld public key cryptography with the cookies. This means that when a browser starts a new login session, it’ll create an encryption key locally on the PC to verify that the login is legit with a website's server. (Michael Kan / PCMag)

Source: Google.

Researchers at Anthropic have devised a new AI jailbreak technique they call “many-shot jailbreaking,” in which a large language model (LLM) can be convinced to answer banned questions, such as telling users how to build a bomb if they prime it with a few dozen less-harmful questions first.

The vulnerability is a new one, resulting from the increased “context window” of the latest generation of LLMs. This is the amount of data they can hold in what you might call short-term memory, once only a few sentences but now thousands of words and even entire books.

What Anthropic’s researchers found was that these models with large context windows tend to perform better on many tasks if there are lots of examples of that task within the prompt. If there are lots of trivia questions in the prompt (or priming document, like a big list of trivia that the model has in context), the answers actually get better over time. So a fact that it might have gotten wrong if it was the first question, it may get right if it’s the hundredth question.

But in an unexpected extension of this “in-context learning,” as it’s called, the models also get “better” at replying to inappropriate questions. If a user asks it to build a bomb right away, it will refuse. But if you ask it to answer 99 other questions of lesser harmfulness and then ask it to build a bomb … it’s a lot more likely to comply.

Anthropic informed its peers and competitors about this attack which it hopes will “foster a culture where exploits like this are openly shared among LLM providers and researchers.” (Devin Coldewey / TechCrunch)

Source: Anthropic.

Researchers at the NCC Group report that the Android banking malware known as Vultur has been updated with new capabilities that allow operators to interact with the infected devices and modify files.

Vultur was first documented in March 2021, when it stood out for abusing the legitimate applications AlphaVNC and ngrok to remotely access the VNC server on the victim device and automate screen recording and key-logging for credential harvesting.

The most recent version of the banking malware, however, packs significantly more capabilities. It allows attackers to control the infected device, prevent applications from running, display custom notifications, bypass lock-screen protections, and download, upload, install, search for, and delete files.

The new features are mostly related to the remote interaction with the infected device, but the malware continues to rely on AlphaVNC and ngrok for remote access.

In addition, Vultur features updated anti-analysis and detection evasion techniques, spreading the malicious code over multiple payloads, modifying legitimate applications, using native code for payload decryption, and relying on AES encryption for command-and-control (C&C) communication.

The latest version of Vultur can also prevent the user from interacting with applications on the device, which are defined in a list provided by the attacker.

A Google spokesperson said, “Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.” (Ionut Arghire / Security Week)

Researchers at Proofpoint warn home computer users against falling for a new campaign designed to trick them into clicking on malicious links in YouTube video descriptions.

Proofpoint detected infostealer malware, including Vidar, StealC, and Lumma Stealer, delivered via the platform. It was disguised as pirated software and video game cracks and delivered alongside legitimate-looking content.

“The videos purport to show an end user how to do things like download software or upgrade video games for free, but the link in the video descriptions leads to malware,” Proofpoint said.

The vendor notified YouTube of over two dozen accounts and videos designed to distribute malware in this way, which the video platform giant subsequently removed. (Phil Muncaster / Infosecurity Magazine)

Source: Proofpoint.

Best Thing of the Day: Sometimes It’s Good to Go Backwards

The US Federal Communications Commission will vote on April 25 to reinstate its landmark net neutrality rules and assume new regulatory oversight of broadband internet that was rescinded under former President Donald Trump, potentially handing the independent regulatory agency new tools to replace Chinese gear from broadband networks.

Worst Thing of the Day: Nearly $7 Billion in Ransom and Counting

Comparitech’s map of US ransomware attacks shows that since 2018, there have been 2,893 ransomware attacks with an average ransom of $2.35 million, affecting over 293 million records.

Closing Thought