US senator victim-blames Microsoft for Chinese hack
ALSO: China says US hacked it right back, BreachForums users have been pwned, and this week's critical vulns
Infosec in brief US senator Ron Wyden (D-OR) thinks it's Microsoft's fault that Chinese hackers broke into Exchange Online, and he wants three separate government agencies to launch investigations and hold the Windows giant "responsible for its negligent cyber security practices."
In a letter [PDF] sent to the Department of Justice, Cybersecurity and Infrastructure Security Agency and the Federal Trade Commission Thursday, Wyden argued that Microsoft enabled the attack through four distinct security failures.
The intrusion into Microsoft's hosted email service, you may recall, occurred because suspected Chinese hackers were able to steal an encryption key used for Microsoft account (MSA) services.
Wyden asserts that Microsoft failed its customers by employing just a single encryption key with the power to forge access to customer accounts – including those belonging to US government agencies. He also says Microsoft was negligent in not storing high-value encryption keys in a hardware security module, and is concerned that security audits, both internal and external, failed to find security weaknesses that enabled the hack.
Most egregiously, the stolen security key had expired in 2021 yet was still usable, Wyden charged in the letter. "Authentication tokens signed by an expired key should never have been accepted as valid," the senator fumed.
Wyden also laid some blame for the China-linked attack on Microsoft at the feet of the Biden administration, which he said didn't appropriately study the SolarWinds hack. Such an effort, he said, could have prevented this latest mess.
Wyden wants CISA to spin up a review board to investigate the hack, and thinks the DoJ should use civil enforcement tools to determine whether Microsoft may have violated federal contract law through its negligence. Wyden also asked the FTC to figure out whether Microsoft violated any of its regulations, and whether the hack puts Microsoft in danger of violating a 2002 consent decree it has with the FTC over security failures in its Passport web service.
None of what Wyden calls for in the letter is binding.
Don't forget: Nation-state hacking isn't a one-way street
Just in case you thought it was just Chinese hackers hitting US targets, or Russians DDoSing Ukraine, Chinese officials want you to know that the US hacks them, too.
According to Chinese state-run news sources, the Wuhan Earthquake Monitoring Center was "subjected to a cyber attack by an overseas organization" that Chinese officials have preliminarily identified as the US National Security Agency's office of Tailored Access Operations. NSA TAO hackers, say Chinese officials, loaded Trojan software into the WEMC's systems enabling them to snoop on data collected by the organization.
An unnamed expert who spoke to Chinese outlet The Global Times claimed that such data could be used to infer the location of underground military bases and other subterranean features, and as such is a national security matter.
This isn't the first time the NSA's TAO office has been accused by Chinese officials of cyber attacks. In June of last year, NSA hackers allegedly attacked the Northwestern Polytechnical University in Xi'an, allegedly exfiltrating data and hijacking thousands of devices. The University is known to conduct aerospace research for the Chinese government.
Critical vulnerabilities: Time-to-update-Ubuntu edition
This week's critical vulnerabilities are led by a pair of CVEs identified in the Ubuntu OverlayFS module – a popular Linux overlay filesystem.
Dubbed "GameOver(lay)" by the researchers from cloud security firm Wiz that discovered it, the pair of vulnerabilities stem from previous modifications made by Ubuntu to OverlayFS that could allow an attacker to use a specially crafted executable to escalate to root privileges on affected machines.
Multiple recent Ubuntu kernels are affected, but patches are available. If patching isn't immediately possible, Ubuntu suggests disabling the ability for unprivileged users to create namespaces.
Several critical ICS vulnerabilities were identified this week, too:
- CVSS 9.8 – CVE-2023-3346: A whole bunch of Mitsubishi Electric CNC machines are vulnerable to a classic buffer overflow that could allow an attacker to execute malicious code on vulnerable machines.
- CVSS 9.4 – CVE-2023-1935: Several models of Emerson ROC800 series remote terminal units are vulnerable to authentication bypass.
- CVSS 8.3 – CVE-2023-3548: Johnson Controls' IQ Wifi 6 AP firmware prior to versions 2.0.2 doesn't properly restrict excessive login attempts, which can allow brute force attacks.
As for known exploits, researchers from VulnCheck are reporting that more than 900,000 of the most recent MikroTik RouterOS long-term systems are still vulnerable to CVE-2023-30799, a privilege escalation exploit.
Despite the CVE being new, MikroTik has reportedly known about the issue since late last year when it patched the issue in RouterOS stable. The patch never made it to RouterOS long-term, however, so if you're running MikroTik routers with that OS flavor, get patching.
BreachForums users: Have you been pwned?
Users of the notorious hacking forum BreachForums, which was shut down in March of this year after its founder was arrested, may want to start worrying – it appears their information is for sale online.
That's according to data breach notification site Have I Been Pwned, which on Wednesday added data belonging to 212,156 BreachForums users to its database of compromised credentials. Included in the hack were email addresses, IP addresses, passwords, usernames and – most worrying of all for users – private messages exchanged between hackers on the site.
According to Have I Been Pwned, BreachForums was breached in November 2022, and the data was provided by a source who only referred to themselves as "breached_db_person."
Data from the original BreachForums joins data stolen from a BreachForum clone that appeared in June, which was compromised within days due to an exposed database backup that included user data and password hashes. ®
PS: Mandiant reports that a Chinese PR firm staged two Washington, DC-based protests — and then used those events to push divisive fake news articles.