this week in security — june 16 2024 edition
THIS WEEK, TL;DR
At least 165 companies affected by Snowflake attacks
Mandiant: We start back (again...) with Snowflake, as more customers have come forward to confirm they've had data hosted by the frost-themed cloud data giant stolen. Mandiant now says at least 165 customers are affected so far. We know Ticketmaster (Live Nation), QuoteWizard (LendingTree), and now Pure Storage are affected — with several others suspected but not confirming — and with many more organizations to disclose. Mandiant, which is helping Snowflake with its incident response, blames a financially motivated cybercrime gang called UNC5537, with suspected links to other cybercrime gangs (like Scattered Spider, whose alleged ringleader was arrested this week), and says this group has exfiltrated a "significant volume of customer data" from Snowflake customer instances. Snowflake still has no plan (at the time of writing this) to reset customer passwords or mandate MFA, but its CISO Brad Jones told Bloomberg ($) that the company apparently "hasn't detected any unauthorized access into customer accounts since early last week." That said, Snowflake "doesn’t have visibility into how much customer data was stolen," so it's not clear exactly what Snowflake does have visibility into.
More: Snowflake | The Register | TechCrunch | @mattburgess | @riskybusiness

Chinese cyber espionage campaign targets 'dozens' of Western governments
Cyberscoop: Dutch officials say an ongoing Chinese-linked cyber espionage campaign targeting Fortinet devices has successfully infiltrated "a significant number of victims," including Western governments (and that includes the Dutch) and the wider defense sector. The attacks began in 2022 and 2023 using a since-patched bug (CVE-2022-42475) in software running on FortiGate networking devices, which sit at the edge of an organization's network, but Dutch authorities say the hackers knew about the flaw at least two months before Fortinet announced the bug this February — at which point the Chinese hackers had already infected around 14,000 devices. More than 20,000 devices have been compromised in total.
More: Dutch NCSC | Reuters ($) | @arekfurt
Microsoft refused to fix SAML security bug for years before hacks
ProPublica: Incredible deep-dive reporting here, in part thanks to a whistleblower — a former senior Microsoft employee — who said that Microsoft chose to ignore a security flaw he had found years earlier that put Microsoft's customers, including the federal government, at risk of near-silent account hacks. The former employee, Andrew Harris, found a SAML attack that allowed hackers to impersonate real people's accounts. But amid a culture of focusing on profits, with compensation tied to features (not security), the bug was ignored — until it was too late. It comes as Microsoft president Brad Smith got grilled (medium-rare) by lawmakers on Capitol Hill this week following a "cascade" of security failings at the company in recent years, including Windows Recall — which Microsoft just pulled from its planned public preview for now. @ericgeller has a tweet-by-tweet account of the hearing.
More: Washington Post ($) | New York Times ($) | NBC News
~ ~
THE STUFF YOU MIGHT'VE MISSED
Hacker accessed internal Tile tool for cops
404 Media ($): A hacker showed they had access to a tool used by location tracking device company Tile that cops can use to access customer data. The hacker didn't get access to users' location data, but the incident shows how bad actors can abuse the internal tools companies use to access customer data. The hacker allegedly "had access to everything," and appeared to show as much in a screenshot. Tile's statement acknowledged the breach only after 404 Media proved to the company that the data was accurate by verifying it with affected individuals.

CI/CD Attacks for security research
Asi Greenholts: Here's a curated list of CI/CD attacks over the past few years — such as stolen developer secrets and exposed repos — along with other resources for security research.
U.K. politics corner: Who's voting for cyber?
BBC News: The U.K. election is in full swing and all of the major political parties have included at least some mentions of cyber (though, some more than others). Area reporter @AlexMartin has all of the major parties' pledges and manifestos in tweet threads for your perusal. That includes the Conservatives, Greens, Labour, and the Liberal Democrats. There's also Count Binface as a local candidate, who did a wonderful job of beating a fascist in May.
~ ~
OTHER NEWSY NUGGETS
London NHS cyberattack could drag on for months: A ransomware attack on a pathology lab called Synnovis, used across NHS trusts in London, may take "many months" to resolve. The attack is linked to a Russian ransomware gang called Qilin. It's caused hospitals in the capital to redirect patients and the lab says it is likely it'll have to discard patient samples because they would've degraded. An absolute mess that's only hurting patients more; and still little from the politicians. (via Independent, The Guardian ($))
U.S. cyber incidents up: There were more than 32,200 security incidents reported by federal agencies during 2023, per a new White House report [PDF]. That's up from 29,300 incidents a year earlier. Most of the incidents were attributed to "improper usage" (such as employee error) but there were hundreds attributed to email phishing, web attacks and "multiple attack vectors" used in combination. (via @campuscodi)
New bugs in CISA's catalog: Speaking of federal agencies... U.S. cyber agency CISA has added two new known flaws to its catalog. One of them is a Windows-based PHP bug (CVE-2024-4577), which Ars Technica reports has already been used in ransomware attacks. The other is a bug currently exploited as a zero-day in the software used by Arm chips that was found by Google's Project Zero and Threat Analysis Group... so there's a hint that a government-backed actor might be behind that one. Google also patched a zero-day under active exploitation in its Pixel phones. (via SecurityWeek, CISA)
Apple AI taps a private cloud: Apple finally debuted its AI, or Apple Intelligence (too obvious), this week, announcing its newer devices will have a beefed-up Siri able to tap a local language model. There's also Apple's own private cloud, dubbed Private Cloud Compute, which aims to securely offload some of the more challenging AI tasks to Apple's own datacenters, where the company says customer data is never stored and is about as inaccessible to anyone as it can be (though the proof will be in the technicals). There's also ChatGPT integration... which won't please everyone. (Can we please bake in ways to switch these features off?) There are a lot of security promises here. @matthew_d_green has a great, lengthy thread on this and what security to look out for, as does Simon Willison. (via Apple, @mysk)
~ ~
THE HAPPY CORNER
And peace.
After the Snowflake debacle, now Amazon is offering passkeys for AWS customers. Given the long-running plague of infostealing malware, this is a long overdue move, but better late than never.
Many congrats to former BBC tech correspondent and author @ruskin147 for being awarded an OBE for services to journalism. As someone who started out while Rory was in full swing in his journalism career, it was precisely people like Rory who set the standards and did the amazing work that people like me could learn from.
I had a good laugh reading XScreenSaver's new privacy policy (because Google said it had to write one), which took every opportunity it could to spell out exactly what it won't do with your data — but Google will. My favorite? "Unlike Google, XScreenSaver will never tell you to put glue on pizza." (Yeah, that happened.)
Per @jerry, it looks like infosec.exchange — the internet's happy infosec and cyber corner of the Mastodon world — reached over three million posts this week.

This week it was announced that Lynn Conway, a pioneering chip designer and trans rights activist, passed on June 9 aged 86. Conway's work is felt and seen everywhere; without her we wouldn't have half the technologies we have today. She was also known for her trans rights activism after IBM fired her for revealing her intention to transition, for which IBM eventually apologized. By all accounts an incredible mind who changed the tech landscape, and there aren't enough thank-yous in the world.
Finally, bonus Pride cybercat:

If you have good news you want to share, get in touch at: this@weekinsecurity.com.
~ ~
CYBER CATS & FRIENDS
This week's cyber cat is Leia, who as you can see is hunting for threat activity. Now, who's controlling the mouse pointer? 👀 Many thanks to Paulo M. for sending in!

We're very low on cybercats! Please send in your cyber cats! Drop me a photo of your cyber cat (or your non-feline friend!) with their name and they will be featured in an upcoming newsletter. If you've sent in before, updates are also very welcome!
~ ~
SUGGESTION BOX
And I think that's everything you need to know for now. Thanks so much for reading! I will be back next weekend with your usual roundup from the week.
As always, you can get in touch with me about anything for the newsletter — it's always great to hear from you (and your cybercats, obviously).
All my best,
@zackwhittaker