Newsletter
11.09.2021 | 5'' read
US sanctions hit ‘friendly’ zero-day exploit shops
~~ Newsletter presented by Symmetry Systems, Process Unity and SecurityWeek ~~
- The most clicked link from the last newsletter was Patrick Gray’s podcast interview with zero-day exploit supplier Mark Dowd. The NTIA’s how-to guide for generating SBOMs also got a lot of attention.
Note.
- Today is Patch Tuesday. Expect all your favorite software makers to slap band-aids on major security defects. Update all the things and don’t forget to randomly reboot your iPhones.
At the same time, it’s surprising to see companies from two “friendly” countries — Israel and Singapore — on the list of entities deemed “to be acting contrary to the foreign policy and national security interests of the United States”.
Israeli zero-day shops Candiru and NSO Group have been caught up in exploit-delivery scandals but because of the dual-use nature of these high-end surveillance tools — sources tell me Candiru works closely on counter-terrorism ops — it’s been a touchy political issue to slap them with full sanctions. Look, Israeli officials are already pushing back against the NSO blacklist.
The addition of Singapore-based COSEINC to the entity list raised my eyebrows even more. The man behind the company — Thomas Lim — has been an active member of the security research community for at least two decades, keynoting major conferences and operating from a U.S. “ally” with close cybersecurity collaboration.
The fact that the U.S. has decided to flick sand in the eyes of companies in friendly allied countries is confirmation that, just maybe, there needs to be official pushback. This disturbance in the 0day exploit market will be fascinating to watch.
_ryan
On to the newsletter…
- Symmetry DataGuard helps you protect what matters most. Start with a sealed, read-only service in your cloud. Point it at your data stores and fine-grained query logs. Get a risk map with at-risk data objects and suggested interventions. Get in touch today for a demo.
- ProcessUnity’s Cybersecurity Program Management (CPM) is a single, comprehensive platform for centrally managing an organization’s cybersecurity program with prepackaged mapped content, automated workflows, assessments and dynamic reporting. The solution enables the CISO to inventory and assess high-value assets; map them to threats, risks, policies and control standards; automate reviews; and capture evidence of compliance — all on a predefined schedule. Request a demo.
Ransomware hacking-back.
A flurry of U.S. government and law enforcement crackdowns on the ransomware wealth-transfer epidemic:
- U.S. Cyber Command and a foreign government partner did a “hacking back” thing against a major ransomware group.
- The Treasury Department has slapped sanctions on the Chatex cryptobank and is offering a $10 million bounty for info on the leadership of REvil, the hacking gang behind the big Kaseya hack.
- A separate $10 million reward is available for anyone who can provide data on the DarkSide gang leaders responsible for the Colonial Pipeline disruption.
- The FBI has released IOCs and TTPs associated with the Hello Kitty/FiveHands ransomware campaign.
- Symantec offers technical details on BlackMatter, a new data exfiltration tool used in ransomware attacks.
Some pretty big stories.
- The Biden Administration has issued a binding “patch-now” directive for government agencies to mitigate a CISA-managed catalog of known exploited vulnerabilities that carry critical risk to federal .gov networks. Dennis Fisher has some feedback, including commentary from Katie Moussouris.
- Robinhood fessed up to a breach that exposed names and e-mail addresses for close to 7 million people.
- Ukraine has doxxed Russian APT operators with a 35-page written analysis, a slide deck, and videos that include recordings of the purported Russian government hackers discussing attacks in real time.
Hacker history.
- Aleph One’s seminal paper on memory safety exploitation — Smashing the Stack for Fun and Profit — is 25 years old. The publication of this paper changed many, many lives.
Inside the cyber arms market.
- This paper from the Atlantic Council — Surveillance Technology at the Fair: Proliferation of Cyber Capabilities in International Arms Markets — is quite a doozy. The authors found that 75% of companies likely selling interception/intrusion technologies have marketed these capabilities to governments outside their home continent. Five irresponsible proliferators — BTT, Cellebrite, Micro Systemation AB, Verint, and Vastech — have marketed their capabilities to US/NATO adversaries in the last ten years.
- MIT Tech Review’s Patrick Howell O’Neill says the new Atlantic Council data paints a detailed picture of the ways Western companies are selling cyber weapons and surveillance technology to NATO’s enemies.
Leftovers.
- It’s incredible to see how Microsoft’s decision to release CodeQL as a free tool is helping with major Linux kernel vulnerability discoveries. Kudos to Max Van Amerongen for a neat find.
- Firefox is sometimes recommended as a supposedly more secure browser because of its parent company’s privacy practices. This article explains why this notion is not true and enumerates a number of security weaknesses in Firefox’s security model when compared to Chromium.
- Trojan Source: Invisible Vulnerabilities is a paper describing cool new tricks for crafting targeted vulnerabilities that are invisible to human code reviewers.
- Catalin Cimpanu reports that Facebook is partnering with GitHub to invalidate Facebook API access tokens that have accidentally been uploaded and leaked inside GitHub repositories.
Tangentially.
- The original iPod prototype is quite a thing.
- This Zoomcorder.com thing is creepy as hell and a reminder that Zoom calls aren’t ever private or secure.