Welcome to The Cybersecurity 202! We’re on an abbreviated publication schedule next week. See you next on Tuesday.
Below: Russian hackers target companies and governments around the world, and an Australian Senate panel recommends banning a Chinese app on government devices. First:
Alleged Chinese hack is drawing attention from the Hill
The House Oversight and Accountability Committee is investigating alleged Chinese hackers’ exploitation of a Microsoft vulnerability they used to breach U.S. government emails, the panel said in letters to the Commerce and State departments Wednesday.
The letters open another line of inquiry in a hack that has aroused considerable congressional attention, across a range of areas related to the breach. The Oversight panel, for instance, is mainly focused on China’s capabilities.
“We are also concerned that these attacks on federal agencies, which include at least the Department of Commerce and the Department of State, reflect a new level of skill and sophistication from China’s hackers,” wrote Oversight Chairman James Comer (R-Ky.), cybersecurity subcommittee chairwoman Nancy Mace (R-S.C.) and national security and foreign policy subcommittee chairman Glenn Grothman (R-Wis.). They requested a staff briefing from the agencies by Aug. 9.
Commerce Secretary Gina Raimondo is one victim of the breach, my colleagues Ellen Nakashima, Joseph Menn and Shane Harris reported last month. Other reported victims include Nicholas Burns, the U.S. ambassador to China, and Daniel Kritenbrink, assistant secretary of state for East Asia.
It was a very targeted attack that also included a congressional staffer, a U.S. human rights advocate and U.S. think tanks, according to officials familiar with the matter who spoke on the condition of anonymity due to the matter’s sensitivity. Microsoft said Chinese hackers it had identified as Storm-0558 conducted the hack.
The Senate side
The House panel’s inquiry follows letters from members of the Senate.
A bipartisan group wrote the State Department on July 26, primarily to seek additional information about the breach there. The State Department first discovered the incident. The hackers, the senators noted, relied on “a fundamental gap in the State Department’s cloud-based security architecture that provided broad access to sensitive electronic communications between senior officials.”
- “As the United States Senate continues to evaluate legislation and proposals which shore up both immediate and long-term threats across U.S. government information systems, timely information related to the recent cyber-intrusions into the State Department’s network is critical,” the senators wrote.
- Sen. Eric Schmitt (R-Mo.) spearheaded the letter. Tim Kaine (D-Va.), Bill Hagerty (R-Tenn.), Ben Cardin (D-Md.), Mike Braun (R-Ind.), Rick Scott (R-Fla.), Cynthia M. Lummis (R-Wyo.), J.D. Vance (R-Ohio), Katie Boyd Britt (R-Ala.), Pete Ricketts (R-N.E.), Josh Hawley (R-Mo.), Mark Kelly (D-Ariz.) and Tim Scott (R-S.C.) also signed it.
- They requested information about whose emails were affected, how the attack happened, plans for combating future sophisticated attacks and how the hack will affect a $10 billion information technology initiative.
The departments did not respond to requests for comment.
Even before the hack made news, Schmitt had been pressing the Defense Department over its reliance on Microsoft as a vendor, including by getting a provision in the annual Senate defense policy bill seeking a written report on the “risks and benefits” of buying cybersecurity software from the company.
One day after the bipartisan Senate letter to State, Sen. Ron Wyden (D-Ore.) sent his own missive, urging the Cybersecurity and Infrastructure Security Agency (CISA), Justice Department and Federal Trade Commission “to hold Microsoft responsible for its negligent cybersecurity practices.”
- “Even with the limited details that have been made public so far, Microsoft bears significant responsibility for this new incident,” Wyden wrote.
- He called on all three agencies to investigate Microsoft over the incident, including asking the Justice Department and FTC to probe the company over possible violation of federal law.
Attention elsewhere
The hack has gotten plenty of focus outside Congress, too.
After the hack surfaced, federal officials called for Microsoft to make logging tools available to all Microsoft 365 license-holders free rather than tiering availability of the tools based on price — including the kind of logs that revealed the alleged Chinese hacking campaign. CISA, which has been pressing tech providers to make all products “secure by default” rather than imposing additional costs, announced the decision to do so alongside Microsoft. (Lawmakers had previously called for advanced Microsoft logging to be built into its offerings in the wake of the SolarWinds hack.)
Cybersecurity companies also have joined in, and expanded upon, the criticism of Microsoft.
“Microsoft’s lack of transparency applies to breaches, irresponsible security practices and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about,” Amit Yoran, CEO of Tenable, wrote Wednesday.
The senior director of Sentinel Labs at SentinelOne, J.A. Guerrero-Saade, recently detailed on Twitter what he considered the “enraging, duplicitous, disappointing, counterproductive, and most importantly unnecessary” actions of Microsoft.
In an attempt to cut through the scarcity of candor these days, let’s state some things plainly. Let’s talk about Microsoft. With the upfront caveat that every security vendor has made mistakes and has skeletons in their respective closets that need addressing. None without sin.
— J. A. Guerrero-Saade (@juanandres_gs) July 23, 2023
Microsoft also has been in conflict with a cybersecurity company, Wiz, which found that the method the hackers used could be used for broader attacks.
Microsoft senior director Jeff Jones said in a statement that the “incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks,” and that “[w]e continue to work directly with government agencies on this issue, and maintain our commitment to continue sharing information.”
- “We appreciate the collaboration with the security community to responsibly disclose product issues,” Jones said. “We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption.”
Update: A previous version of this story did not include a statement provided by Microsoft. This version has been updated.
The keys
Russian hackers target governments, companies worldwide via Microsoft Teams phishing
Hackers linked to Russia’s Foreign Intelligence Service (SVR) have targeted companies and government agencies around the world with a phishing campaign aimed at Microsoft Teams users, Sergiu Gatlan reports for Bleeping Computer.
“Our current investigation indicates this campaign has affected fewer than 40 unique global organizations,” Microsoft said in a Wednesday blog post that identified the group as Midnight Blizzard, the same entity linked to the high-profile SolarWinds breach three years ago.
- “The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors,” the blog post adds.
The group used a set of compromised Microsoft 365 tenants — user groups that share access to certain software functions — and created fake tech support domains to lure unsuspecting users to grant the hackers key access to credentials.
- “As the messages came from the legitimate onmicrosoft.com domain, they may have caused the fake Microsoft support messages to appear trustworthy,” Gatlan writes.
“We’re aware of this report and have determined that it relies on social engineering to be successful,” Microsoft told BleepingComputer when the outlet asked if there are plans to fix the issue. “We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers,” the company spokesperson added.
The incident comes on the heels of fever-pitched scrutiny of the tech giant after a breach announced last month indicated that hackers compromised the Microsoft email accounts of key U.S. government officials.
Australian Senate panel recommends government TikTok ban be extended to WeChat
The Australian Senate’s Committee on Foreign Interference through Social Media recommended that a government device ban of the China-linked TikTok app be extended to WeChat, China’s most popular social media platform, Rod McGuirk reports for the Associated Press.
- The committee was formed last year to examine how social media platforms could undermine Australian democracy or values. Australia was the last of the Five Eyes intelligence-sharing nations to ban TikTok from government devices on grounds that it poses a national security risk. “The committee recommended the government consider extending that ban because WeChat posed similar data security and foreign interference risks,” McGuirk writes.
- “Committee chair James Paterson said on Wednesday the report’s recommendations would make Australia a more difficult target for the serious foreign interference risks that the nation faced,” according to the AP. The committee also recommends social media platforms including Facebook and Twitter “should become more transparent or be fined,” McGuirk adds.
Crypto lenders try to contain fallout of Curve Finance hack
Cryptocurrency lending platforms are scrambling to contain the fallout from the recent hack of decentralized finance exchange Curve Finance, Muyao Shen reports for Bloomberg News.
- “The weekend breach led to a decline in the value and liquidity of the CRV token, the governance cryptocurrency of the exchange. The price decline also jeopardized tens of millions of dollars in loans that Curve Finance founder Michael Egorov had taken out with CRV serving as collateral with lenders including Aave, Fraxland and Abracadabra,” according to the report.
- A software language vulnerability allowed hackers to exploit the native token of Curve’s crypto exchange, the outlet reported over the weekend. Crypto auditing company BlockSec estimated the hack shed some $40 million from the company.
Some decentralized finance lending entities have weighed the possibility of freezing CRV lending on the platform, while some are voting whether to raise the interest rates on the loans to Egorov to force asset liquidation, according to the report.
Shen writes: “The transparency makes Egorov’s positions especially vulnerable to attacks from other traders, according to Leo Mizuhara, founder and chief executive of DeFi institutional asset management platform Hashnote.” This is reportedly not the first time that “Egorov’s loans caused anxiety,” the report adds.
Government scan
Materiality definition seen as tough task in new SEC cyber rules (Wall Street Journal)
DOD ‘years behind’ private sector in utilizing AI for cybersecurity, official says (Nextgov/FCW)
Securing the ballot
Heart of the Trump Jan. 6 indictment: What’s in Trump’s head (Devlin Barrett and Josh Dawsey)
Industry report
HackerOne lays off 12% workforce as 'one-time event' (TechCrunch)
National security watch
How America can protect elections from hackers and conspiracy theories (The Messenger)
Global cyberspace
Cyberattack on Norway ministries lasted at least four months (Bloomberg)
China floats two-hour daily limit of smartphone screen time for kids (CNBC)
Cyber insecurity
Hackers exploited Salesforce zero-day in Facebook phishing attack (Bleeping Computer)
Russia-linked cybercriminals target school for children with learning difficulties (The Record)
Credit card fraud isn’t going anywhere. Here’s how to protect yourself. (Chris Velazco)
Daybook
- Principal Deputy Director of National Intelligence Stacey Dixon chats with the Intelligence and National Security Alliance at 5:30 p.m.
Secure log off
Thanks for reading. See you next week.