News
Hi folks,
Quite a few articles relating to the US government, the UN, and state-sponsored hacking this week. It's not unusual these days, but it definitely wasn't the case when I started the newsletter. It's interesting to see how, ten years or so ago, cybersecurity was a rather niche topic to the outside world, whereas now it's often front-and-center on the geopolitical stage. We have a ways to go, but at least the world's awareness has grown significantly.
With those ponderings of yours truly aside, enjoy the read, my friends :-)
Cheers,
Google research shows surveillance vendors behind 50% of zero-days exploited in 2023
2023 saw a sharp increase in zero-days compared to 2022, but didn't beat the record of 2021. Most interesting, though, is the fact that over half of all zero-days have been attributed to so-called "commercial surveillance vendors", aka CSVs, like the NSO Group. There's a short list of other such companies that Google calls out in the article. Booming business, clearly.
Plan to revive the NIST's vulnerability database draws criticism
The National Vulnerability Database (NVD) is the central database where detailed information on vulnerabilities is analysed and offered for free. It's where CVE numbers come from, essentially, and a whole lot of security vendors rely on this information. I used it myself for several projects.
Lately, however, the NVD has mostly stopped adding new information, and nobody really knows why. The article explains some of the background on this, but we still don't know much. It seems to boil down to increased workload and a stagnant budget, as I read it, which is understandable. The number of CVEs has ballooned over the last few years; I always wondered how the NVD managed to keep up. I guess they can't anymore.
In order to fix the problems, though, the head of the NVD wants to create a "consortium" of partners to tackle the issues as a group. This has led to criticism, however, since adding more layers is not often the answer to productivity issues. To be continued.
US sanctions alleged Chinese state hackers for attacks on critical infrastructure
The sanctioned individuals work for a company that is believed to be a front for APT31, a state-sponsored hacking group backed by the PRC. They've been prolific in their attacks on critical infrastructure and against the US government.
US must establish independent military cyber service to fix 'alarming' problems
Interesting read on the fragmentation of US military cybersecurity forces.
1Password for developers: secrets, SSH keys, and more
I don't think most developers realise how valuable 1Password can be. It doesn't just hold passwords; it also holds your SSH keys, signs your Git commits, injects tokens and other secrets into CLI scripts, and much more. Worth checking out. (Sponsored)
Quick links
- PyPI suspends new user registration to block malware campaign: link.
- Pentagon lays out strategy to improve defense industrial base cybersecurity: link.
- CISA publishes 447-page draft of cyber incident reporting rule: link.
- UN investigating 58 crypto heists by North Korea worth $3 billion: link.
- 42.parquet – A zip bomb for the Big Data Age: link.
Breaches and leaks
- Hackers poison source code from top.gg Discord bot platform: link.
- INC Ransom threatens to leak 3TB of NHS Scotland stolen data: link.
- Retail chain Hot Topic hit by new credential stuffing attacks: link.
- Harvard Pilgrim health network updates data breach total to nearly 2.9 million: link.
- Cyberattack on Vietnam securities broker disrupts stock markets: link.
- Ransomware gang attacks the Big Issue, a street newspaper supporting the homeless: link.
- St. Cloud most recent in string of Florida cities hit with ransomware: link.
Issues and fixes
- German cyber agency warns 17,000 Microsoft Exchange servers are vulnerable to critical bugs: link.
- CISA tags Microsoft SharePoint RCE bug as actively exploited: link.
- Google fixes Chrome zero-days exploited at Pwn2Own 2024: link.
- Mozilla fixes two Firefox zero-day bugs exploited at Pwn2Own: link.
- AWS fixes 1-click Apache Airflow session hijack flaw: link.
- Thousands of companies using Ray framework exposed to cyberattacks: link.
- Decade-old Linux ‘wall’ bug helps make fake SUDO prompts, steal passwords: link.