The Cyber Why: What We Read This Week...
... and why you should too! (4/5/24)
There are days when TCW wouldn’t be possible without the fantastic team of analysts who helped me create the weekly content. This week would be one of those rough weeks. I sit here in Louisville airport with a tear of appreciation in my eye for the TCW staff. Thanks, guys. I owe you one this time around.
In this week's TCW, we cover a scathing cyber safety review board report lambasting Microsoft, AI’s impact on the impending elections, the long con that is the XZ Utils supply chain hack, NIST rewarding people entering the cyber field, and a cloud of magic security dust that solves all of your cyber theater issues! All this and more in this week’s edition of The Cyber Why!
Featured Sponsor - Material Security
Are you wasting your email security budget?
When every dollar counts, you want to make sure you make the most of what you get. You (hopefully) get funds for anti-phishing tools, but the threat landscape extends beyond the inbox.
With more sophisticated attack flavors at higher volumes than ever, email security must also encompass insider risk scenarios, account takeover protection, and data loss prevention.
See why Material Security is the preferred choice for organizations looking to protect more areas of their Microsoft 365 or Google Workspace footprint under a unified toolkit… and a single line item in the budget.
Microsoft's "Secure Future Initiative" Isn’t Looking So “Secure”
Cyber Safety Review Board Releases Report on Microsoft Online Exchange Incident from Summer 2023 (CISA)
Scathing federal report rips Microsoft for shoddy security, insincerity in response to Chinese hack (AP)
(Rick Pick) This week, the Cyber Safety Review Board released a scathing report regarding Microsoft's 2023 Exchange Online breach. Although we could dissect the 29-page report separately, here's an overview of the crucial points. A China-based threat actor, Storm-0558, gained unfettered access to the email accounts of a broad range of victims across the US, UK, and beyond. The threat actor has ties back to 2009's Operation Aurora, which targeted Google. The Board wrote:
"identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management."
Microsoft was disingenuous when it claimed that the actor gained access via a crash dump; no evidence was provided to support this.
"Microsoft has not identified a crash dump that contains the 2016 MSA key, or any other evidence of the key having been moved inappropriately."
It took six months for Microsoft to update its blog, and only after the Board's persistence. Most alarming, Microsoft is still unaware of how the threat actor gained access to the MSA key. The Board wrote:
"The loss of a signing key is a serious problem, but the loss of a signing key through unknown means is far more significant because it means that the victim company does not know how its systems were infiltrated and whether the relevant vulnerabilities have been closed off."
The "Findings and Recommendations" section is a must-read for enterprises and vendors alike. One final note: vendors who live in glass houses shouldn't throw stones. Some folks who compete against Microsoft's cybersecurity products have been quick to judge. I'd look at the twenty-five recommendations and ensure my own house is in order, especially if you are a "platform" player that makes for an attractive target to nation-state actors.
Editor’s (Tyler) Note: Hot damn, this is a good take. We can all go a long way to improve before we start throwing stones at our opponents. Great write-up, Rick!
AI Will Play a Pivotal Role in U.S. Elections
China tests US voter fault lines and ramps AI content to boost its geopolitical interests (Microsoft blog)
Same targets, new playbooks: East Asia threat actors employ unique methods (Microsoft)
China will use AI to disrupt elections in the US, South Korea and India, Microsoft warns (The Guardian)
(Katie Pick) A new report from the Microsoft Threat Intelligence division says that the Chinese Communist Party (CCP)- and North Korean-affiliated actors are testing AI-aided techniques to influence elections in the U.S. and abroad. The research group has been looking into trends and indicators since June 2023. It states that these adversarial nation-state actors focus on the South Pacific Islands, regional Chinese adversaries, and the U.S. defense industrial base.
Interference in U.S. elections is always a hot topic, and it’s not unexpected that China (or other adversaries) would try to disrupt or influence the upcoming U.S. Presidential election. Mis- and disinformation are rampant around election time, and reports show that voters consuming information on specific social media platforms are likely to be swayed by malicious content.
With recent advancements in AI, threat actors can more easily create deep fakes, highly convincing manipulated images and videos, and other AI-enhanced content. Microsoft previously released research on how the Chinese use generative AI to “create sleek, engaging visual content.” Now, says the tech firm, China is doubling down on publication.
Though social media platforms say they’ll do their part to identify, remove, and/or block maliciously manipulated content, only time will tell if they’re successful. Humans are prone to influence, and everybody loves a juicy story about their most hated presidential candidate. AI will make it harder to spot and stop the “fake news.”
XZ Utils, The Mother Of All Backdoors, Almost
Backdoor in upstream xz/liblzma leading to ssh server compromise (Andres Freund)
What we know about the xz Utils backdoor that almost infected the world (Ars Technica)
The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind (WIRED)
This could be one of the most drama-filled stories of the year. A severe security breach recently occurred within the XZ Utils project, a popular data compression tool for Linux systems. Hackers cleverly embedded a backdoor into specific versions of the software. If exploited, this backdoor could provide attackers with complete remote control of vulnerable systems, allowing them to bypass authentication on servers using those compromised versions.
The incident reinforces the critical need for strict security measures in open-source projects and highlights the dangers of software supply chain attacks. Security experts are still working to identify the culprits behind the attack, with the latest theories centering on a foreign nation-state actor who has been executing a slow and low attack for years. In application security circles, it’s often discussed how easy it would be to spend a decade or more to build up a reputation as a conscientious contributor to open-source projects only to embed something nefarious years into the project. It seems like we weren’t the only ones considering this exact threat scenario.
A NICE Cybersecurity Workforce Development Program Aimed at Bringing New Talent to the Field
NIST Awards $3.6 Million for Community-Based Cybersecurity Workforce Development (NIST)
(Katie Pick) On April 3, 2024, the National Institute of Standards and Technology (NIST) announced the 18 organizations to which it has pledged funding to help with cybersecurity workforce development and recruitment. The grants, of up to $200,000 each, were awarded to diverse education and community organizations across 15 U.S. states.
Anyone who has worked in the space knows about the legendary “talent shortage” faced by both private and public organizations. As companies’ rapid tech adoption fuels the need for increased security measures and governance, already-stretched security teams struggle to handle the amount of work on any given day.
The funding offered by NIST and delivered in collaboration with NICE will help train and educate individuals interested in cybersecurity careers. NIST is still accepting applications for future grants through Friday, May 24, 2024. Participants can learn more about the program on NIST’s website. A free informational webinar will be held on April 8, 2024 at 3 PM ET.
Finally a Product That Solves Security Theater
Magic Security Dust™ from Shostack + Associates (Adam Shostack)
In a world where most of the products we purchase to help secure our environments are built on the backs of unicorn tears and fairy wishes, a product that fixes everything is finally launched. I announce to you - “MAGIC SECURITY DUST!” Just sprinkle a little on all of those broken products, procedures, policies, and even PEOPLE, and before you know it, your cyber security program turns from theater to reality! Check out this fantastic solution brought to you by the threat modeling expert himself, Adam Shostack. Date of launch: April 1, 2024!
Quick Hits and Hidden Gems
RSA Conference Innovation Sandbox Contest Finalists Announced (RSAC) - If you are headed to RSAC, this is one of the best parts of the week.
NIST Wants Help Digging Out of Its NVD Backlog (Dark Reading) - This follows a story we did on the latest TCW Podcast. NIST needs help!
Themes From (And Beyond) Altitude Cyber's 2023 Cybersecurity Year In Review (Strategy of Security) - Themes from 13 years of cyber market research.
On Tech Politics/Policy -- 2-hour video discussion () - Two hours on tech politics and policy with one of the leading tech luminaries.
The OWASP Foundation disclosed a data breach that impacted some members due to a misconfiguration of an old Wiki web server. (Security Affairs) - It’s a nothing-burger of a story but still an interesting target that y’all care about!
If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!
I talked about the CSRB and DHS eviscerating Microsoft in that report at work today. Also mentioned that if FanDuel has odds on it, I'll bet on MS coming out within a couple of months with a scathing report on what they've seen in those agencies' security structure :)