Microsoft tells yet more customers their emails have been stolen
Plus: US auto dealers still offline; Conti coders sanctioned; Rabbit R1 hardcoded API keys; and more
Infosec in brief It took a while, but Microsoft has told customers that the Russian state-backed intruders who compromised its systems earlier this year made off with even more emails than it first admitted.
We've been aware for some time that the digital Russian break-in at the Windows maker saw Kremlin spies make off with source code, executive emails, and sensitive US government data. Reports last week revealed that the issue was even larger than initially believed and additional customers' data has been stolen.
"We are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor, and we are providing the customers the email correspondence that was accessed by this actor," a Microsoft spokesperson told Bloomberg. "This is increased detail for customers who have already been notified and also includes new notifications."
Along with Russia, Microsoft was also compromised by state actors from China not long ago, and that issue similarly led to the theft of emails and other data belonging to senior US government officials.
Both incidents have led experts to call Microsoft a threat to US national security, and Microsoft president Brad Smith to issue a less-than-reassuring mea culpa to Congress. All the while, the US government has actually invested more in its Microsoft kit.
Bloomberg reported that emails being sent to affected Microsoft customers include a link to a secure environment where customers can visit a site to review messages Microsoft identified as having been compromised. But even that might not have been the most security-conscious way to notify folks: Several thought they were being phished.
Critical vulnerabilities: IP camera antics
We start this week with a series of four vulnerabilities reported in Johnson Controls Illustra Essentials Gen 4 IP cameras, one of which rates a CVSS 9.1 critical score.
According to notices from CISA, the cameras fail to properly validate input, allowing "characters unrelated to the expected input" to be sent. Along with that critical vulnerability (CVE-2024-32755), the same cameras were also found to be storing user account passwords in a recoverable format, writing "unnecessary" sensitive user details to log files, and separately storing web interface passwords in a recoverable format.
Those latter three vulnerabilities each only merited a CVSS score of 6.8, but given how they combine with the fourth bug (recoverable passwords are exactly what an attacker wants after getting a foothold) it's a good idea to get those cameras updated ASAP.
Elsewhere:
- CVSS 10.0 – CVE-2024-6071: PTC's Creo Elements/Direct License Server for CAD license management doesn't require any login to access its web interface.
- CVSS 9.3 – Multiple CVEs: TELSAT Markoni-D and Markoni-DH FM transmitters contain hard-coded credentials, use client-side authentication and are improperly controlling access.
- CVSS 9.3 – CVE-2024-2882: SDG Technologies' PnPSCADA web-based SCADA HMI will let a remote attacker attach entities without requiring system authentication, allowing unauthorized access and control.
There have also been a couple of known vulnerabilities discovered under active exploit this week you ought to know about:
- CVSS 9.8 – CVE-2022-24816: A code injection vulnerability in GeoSolutionsGroup's JAI-EXT project can lead to remote code execution.
- CVSS 7.8 – CVE-2022-2586: In the Linux kernel's nf_tables subsystem, an nft object or expression can reference a set belonging to a different table, leading to a use-after-free condition when that table is deleted.
US car dealers still without software week after 'cyber incident'
A "cyber incident" last week at CDK, which makes dealer management software used at approximately 15,000 auto retailers in the US, hasn't eased up, leaving thousands unable to sell cars.
CDK updated dealerships this week with an email indicating it wasn't sure it would be able to get all dealers back online by the end of June, and advised them to make alternative plans for closing out monthly sales. Car dealerships around the US are expected to report losses this month due to the outage, and some dealerships are worried it could take years to fully recover.
And would you believe it? Some of the blame might even lie with the US Supreme Court, whose weakening of anti-monopoly law allowed CDK to gain so much market share in the first place.
Updated to add on July 1
Post-publication, CDK dropped The Register a line with good news, for some. Normal services are coming online this week and the stricken business should have a special Independence Day.
“We are continuing our phased approach to the restoration process and are rapidly bringing dealers live on the Dealer Management System (DMS)," CDK said.
"We anticipate all dealers' connections will be live by late Wednesday, July 3 or early morning Thursday, July 4. Our Customer Care channels have also been restored and customers can call, chat or submit eCases if they need assistance."
Phishing phact: Phacebook is phavorite brand phor impersonation
An analysis of four years of spam collected by Mailsuite suggests it's Facebook users that are the most likely to be targeted for a phishing scam.
Phishing messages targeting Facebook/Meta customers accounted for around four percent of brand-impersonating spam Mailsuite collected, and while that's not a large percentage of the whole it's still seven percent higher than the next most popular impersonation target: the IRS.
More broadly, IT and technology firms are the most impersonated, accounting for around 20 percent of total brand impersonation spam, followed by banking and financial services.
Please read your emails more carefully – if not for your boss, then for us?
It takes milliseconds to purloin your internet secrets
A group of researchers have presented an attack they call SnailLoad, which they believe works against every single internet connection in the world and which can let an attacker infer a victim's internet activity from the round-trip time of TCP packets: the attacker serves a slow download, and the timing of the victim's ACKs reveals when the victim's last-mile link is busy with other traffic.
While it's unlikely SnailLoad has been exploited in the wild, the researchers said it'll be a hard issue to mitigate, and any file download or web page component served from an attacker-controlled host can be modified to carry the attack.
"The root cause of SnailLoad are bandwidth differences between backbone and end-user connections," the team noted. "Hence, the root cause cannot be eliminated and further research is necessary to find satisfying solutions."
Six Russians sanctioned for digitally attacking EU, Ukraine
The Council of the EU last week approved sanctions on six Russians involved in cyber attacks against EU states and Ukraine, and the list includes some heavy hitters.
Among the sanctioned individuals are two alleged members of the Callisto Group, Ruslan Peretyatko and Andrey Korinets; suspected Armageddon members Oleksandr Sklianko and Mykola Chernykh; and two individuals, Mikhail Tsarev and Maksim Galochkin, believed to have been involved in the production of Conti.
All individuals are now under an asset freeze and travel ban in Europe, and are barred from receiving funds from EU citizens and entities.
Rabbit R1 loaded with hardcoded keys, say jailbreakers
The Rabbit R1, an AI-powered … thing … that was widely panned on release, isn't just not very useful – it's also riddled with security holes. Like a whole bunch of hard-coded API keys, say a team of jailbreakers.
The team said it made Rabbit aware of several exposed API keys, which the company fixed, but Rabbit missed one for Twilio's SendGrid that was still exposed after the fix. That key let the jailbreak crew view a complete history of emails sent from the r1.rabbit.tech domain, and even send emails as a domain administrator – which is how they allegedly made reporters aware of the matter.
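Hardcoded keys like these are cheap to catch before shipping. The following scanner is an added example written for this page; it is not Rabbitude's tooling or any of Rabbit's code. It looks for a few well-known key shapes (the SendGrid format assumed here is "SG." plus 22 characters, a dot, and 43 more characters) and, as a fallback, flags any long, high-entropy string assigned to a variable whose name suggests a secret. The input it scans is a constructed sample, not real firmware, and every key in it is made up.

```python
import math
import re
from collections import Counter

# Regexes for well-known credential formats. The SendGrid shape is an
# assumption documented in the lead-in; the AWS and Google shapes are the
# commonly published prefixes for those key types.
KEY_PATTERNS = {
    "sendgrid": re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}(?![A-Za-z0-9_-])"),
    "aws_access_key": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}

# Fallback: a 16+ character string assigned to a variable whose name
# contains key/secret/token/password. Entropy filtering is applied below so
# placeholders like "aaaaaaaaaaaaaaaaaaaa" are not reported.
ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:key|secret|token|password)[A-Z0-9_]*)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; generated credentials score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Never echo a full secret into scanner output or logs."""
    return secret[:6] + "..." + secret[-4:]


def scan_text(text: str, entropy_threshold: float = 3.5):
    """Return (line_number, finding_type, redacted_value) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in KEY_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((lineno, name, redact(m.group(0))))
        for m in ASSIGNMENT.finditer(line):
            var, value = m.group(1), m.group(2)
            if any(p.search(value) for p in KEY_PATTERNS.values()):
                continue  # already reported by a specific pattern above
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, f"high-entropy:{var}", redact(value)))
    return findings


# Constructed sample input: every value here is fake and chosen only to
# have the right shape. Line 3 is a low-entropy placeholder that must not
# be flagged; line 5 is a made-up token for an unspecified service.
SAMPLE = """\
# constructed sample config, not Rabbit's real code or credentials
SENDGRID_API_KEY = "SG.AbCdEfGhIjKlMnOpQrStUv.0123456789abcdefghijklmnopqrstuvwxyzABCDEFG"
DEBUG_TOKEN = "aaaaaaaaaaaaaaaaaaaa"
aws_access_key_id: "AKIAIOSFODNN7EXAMPLE"
tts_api_key = "q7Zp3xK9vL2mN8bR4tW6yU1s"
greeting = "hello world this is fine"
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE):
        print(f"line {lineno}: {kind} -> {value}")
```

Running it reports the SendGrid key on line 2, the AWS key on line 4 and the high-entropy token on line 5, while the all-"a" placeholder on line 3 is ignored. Run something like this over firmware strings and app bundles in CI, and treat any hit as a key to rotate, not just delete: as the Rabbit case shows, a key that shipped is a key that has to be assumed compromised.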
If you have a Rabbit R1 – why? – it'd be a good idea to shut it off until this gets resolved. ®