News
Hi folks,
A day early, but plenty of news to fill an issue. The xz backdoor was definitely the biggest item this week, and it was fascinating to read up on. I've tried to summarise as best as I can, but definitely feel free to dig into the extra links. The burning report that Microsoft received is worth a conversation or two as well around the watercooler. Plenty to read, I hope you enjoy it :-) Cheers!
What we know about the xz backdoor that almost infected the world
Wow, this is a wild one. In short: some unknown individual or group spent years gaining trust and working their way into contributing to code for xz-utils, a collection of tools related to file compression, present in almost all Linux and Unix systems.
If it had succeeded it would have given them a backdoor, through SSH, into a huge number of Linux servers: on the affected distributions sshd pulls in liblzma (the xz library) indirectly via systemd, and the malicious code hooked into sshd's key authentication so that a connection carrying the attacker's key could run commands on the box. The fact that it was caught at all came down to a lot of expertise, combined with a whole lot of coincidence and luck. And it was caught just in time: the backdoored releases had only reached testing and rolling-release distributions, not the stable releases most production systems run.
The tough part is: there is no easy way to prevent this. The attackers took years, contributed legitimate open-source code, and really knew their stuff. What they did would not have been easily detectable by standard EDR systems either, it's that clever. They also exploited the fact that many open-source maintainers are burnt out, because it's often a damn thankless job. You can see the emails where they pressure the original maintainer, stressing him further and pushing him towards "accepting help". It's a long-standing problem with open source and there's no easy fix.
There are many more nuances to share. Like the fact that, in the end, the backdoor job was probably rushed, due to an upcoming change in systemd (loading compression libraries on demand rather than linking them in) that would have taken liblzma out of sshd and blocked this particular attack. Or that the backdoor wasn't visible in the git source tree at all: the payload was hidden in binary test files and only spliced in by build scripts that existed solely in the release tarballs, so reviewing the repository would not have shown it. The linked article is a good read if you want to dive deeper, although it gets very technical. This post gives a great timeline of all the events, and this post with Kevin Beaumont's take is always worth a read too. We'll be digesting this one for a while, and hopefully learn much from it.
Microsoft blamed for “a cascade of security failures” in Exchange breach report
This is about the Exchange breach from last year, where Chinese state-backed hackers got access to a treasure trove of Microsoft-hosted e-mails, including those from a number of government offices and diplomats. Following the breach, the Cyber Safety Review Board (CSRB) reviewed Microsoft's practices. The CSRB is a body created by presidential executive order, made up of federal agencies and private industry, under the leadership of the Department of Homeland Security. In short, these folks know what they are talking about.
The results are pretty awful. Some quotes:
- Microsoft failed to detect a compromise on a laptop from an employee at an acquired company before connecting it to its network.
- The incident was preventable and should never have occurred.
- Microsoft's security culture was inadequate.
- Microsoft let inaccurate public statements stand for months.
- Microsoft lacks security practices of other cloud providers.
Yikes. Especially that last one. They didn't hold back at all. Microsoft has said, several times, that they will do better, but they have a lot left to prove.
The article does a good job of walking you through the scathing results. Bleepingcomputer's article on this is also good. And the report itself is actually very readable too, you can find it here.
Google Chrome gets 'Device Bound Session Credentials' to stop cookie theft
In response to an issue from last year, where stolen Google session tokens could be "revived" after they had been invalidated, Google has announced Device Bound Session Credentials (DBSC). The browser generates a key pair for each session, ideally with the private key held in the device's TPM so it can't be extracted, and registers only the public key with the server. Session cookies then become short-lived, and to refresh them the browser has to sign a server-issued challenge with that private key. A stolen cookie still works until it expires, but it can't be renewed from another machine, because the thief doesn't have the key.
It definitely won't make session stealing impossible, but it might make it a lot harder. Very cool stuff. Development is happening out in the open, with Google estimating they'll have a public trial ready at the end of 2024. Other companies like Okta and Microsoft have already expressed interest in joining the effort.
How Apple plans to update new iPhones without opening them
When you buy a new phone, often the first thing you're asked to do is run an update. It's not great from a UX point of view, but vital for security. Apple's apparently working on a system called Presto to wake the device up, connect to the Internet, and run the update, all while it remains in its packaging in the store. Very neat, if they can pull this off in a reliable and safe way.
Quick links
- FTC: Americans lost $1.1 billion to impersonation scams in 2023: link.
- Google now blocks spoofed emails for better phishing protection: link.
- Water woes: A federal push for cyber mitigation is highlighting the sector’s fault lines: link.
- Progress Software continues to cooperate with SEC probe into MOVEit exploitation: link.
- CISA faces resource challenge in implementing cyber reporting rules: link.
- India rescues 250 citizens enslaved by Cambodian cybercrime gang: link.
Breaches and leaks
- AT&T faces lawsuits over data breach affecting 73 million customers: link.
- Jackson County in state of emergency after ransomware attack: link.
- OWASP discloses data breach caused by wiki misconfiguration: link.
- Shopping platform PandaBuy data leak impacts 1.3 million users: link.
- Omni Hotels confirms cyberattack behind ongoing IT outage: link.
- Hosting firm's VMware ESXi servers hit by new SEXi ransomware: link.
- SurveyLama data breach exposes info of 4.4 million users: link.
- Yacht retailer MarineMax discloses data breach after cyberattack: link.
- CISA asserts no data stolen during Ivanti-linked attack on the agency: link.
- Nearly 1M medical records feared stolen from City of Hope: link.
- State Department investigating reports of data theft allegedly involving federal tech consulting firm: link.
- Prudential Insurance says data of 36,000 exposed during February cyberattack: link.
What 1Password can do for developers
If you're an engineer, it's really worth checking out 1Password's developer tools. It can manage secrets for your infrastructure and CI/CD pipeline, manage SSH keys, and inject tokens into CLI scripts. Play around with it and see how it can fit in your development flow. (Sponsored)