The CSRB drops a scathing report on Microsoft. The F-Droid project avoids an XZ-like incident. A new Chrome feature will block hackers from abusing stolen authentication cookies. And anti-Kremlin hacktivists breach Russia's prison system. This is Risky Business News, prepared by Catalin Cimpanu and read by me, Claire Aird.
Today is the 3rd of April and this podcast episode is brought to you by Resourcely, the company that can help you manage Terraform securely.
In today's top story, the US government's Cyber Safety Review Board has released its report into a Chinese Ministry of State Security email hacking campaign that targeted Microsoft customers last year. 500 email accounts across 22 organisations were impacted and the US State Department was among those targeted. The board's report says Microsoft still doesn't know how the incident happened, has a lax security culture and was not transparent about the hack.
During the incident, operators from China's MSS somehow obtained a critical signing key that allowed them to create valid authentication tokens for M365 accounts. The board's report says Microsoft's security culture needs an overhaul.
In other news, a mysterious threat actor tried to insert an SQL injection vulnerability in the F-Droid open-source Android app store. The malicious contribution was disguised as an improvement to the store's search functionality. The incident took place in 2020 and was detected by the project's community. F-Droid developers said the incident resembles the recent XZ Utils backdoor. The contribution came from a never-before-seen user, and other new accounts tried to pressure the developers into approving the change.
An anti-Kremlin hacktivist group has hacked Russia's prison system following the death of opposition leader Alexei Navalny. The hackers claim they stole a database containing information on hundreds of thousands of Russian prisoners, their families and contact information. The hackers claim they're a mix of nationalities, including expatriate Russians and Ukrainians.
The OWASP Foundation has disclosed a data breach that involved its old WikiWeb server. Members who applied between 2006 and 2014 had their resumes exposed online due to a directory misconfiguration. Exposed data includes names, emails, phone numbers and home addresses. OWASP says it's now notifying affected members and applicants.
Hackers have stolen the personal data of more than a million PandaBuy customers. The online shopping platform confirmed the breach after hackers posted the data for sale online. PandaBuy initially denied the breach until users started confirming the authenticity of the stolen information.
Google is working on a new Chrome security feature named Device Bound Session Credentials. The new feature binds an authenticated website session to the user's device. The feature will prevent hackers from using stolen authentication cookies to bypass MFA and access online accounts. Google hopes the new feature will become an open web standard and be adopted by other browsers. Google is currently testing DBSC in beta versions of Chrome.
In Poland, a parliamentary inquiry is underway into the previous government's use of the Pegasus spyware. The former government's been accused of using Pegasus to spy on opposition leaders, journalists and prosecutors. Officials plan to notify all victims who could seek financial compensation under Polish law. Officials haven't ruled out criminal charges against the former government.
A security researcher has discovered a vulnerability in Imperva SecureSphere firewalls. The vulnerability allows attackers to manipulate HTTP headers and slip malicious payloads past the firewall. Approximately 400 Imperva SecureSphere firewalls are identifiable online. Imperva released a fix at the end of February.
Pentagrid researchers have found a vulnerability in the automatic check-in terminals used by the Ibis budget hotel chain. The vulnerability can be exploited by typing a series of dashes in the booking ID field. This exposes the names and room keypad codes for other hotel guests. Pentagrid reported the issue to the hotel chain in January and the terminals have been patched.
Trend Micro has discovered a new APT group named Earth Freybug. Researchers say the group has been active since 2012 and its main focus has been on espionage and financially motivated attacks. The group uses a novel piece of malware named UNAPIMON to avoid sandboxes and security software. Trend Micro believes Earth Freybug might be a subset of the larger APT31 Chinese cyber espionage group.
Russian authorities have arrested six members of a web skimmer gang. Officials claim the group planted malware on online stores and collected payment card details from users. The group is believed to have stolen and sold 160,000 payment card details.
Dutch prosecutors are seeking a five-year prison sentence for one of the developers of the Tornado Cash platform. Officials allege Alexey Pertsev worked with two other Russian nationals to develop and operate Tornado Cash. Criminal organisations and cybercrime groups abused the platform to launder more than $1.2 billion worth of cryptocurrency. Pertsev was arrested in August 2022, days after the U.S. sanctioned the Tornado Cash platform. He was formally charged last month.
And finally, Google has settled a class action lawsuit and agreed to delete data it collected from Chrome's private browsing mode. The company was sued for breaching user privacy in 2020 after users learned that Google was tracking their movements even in Chrome private browsing sessions. Google settled the lawsuit after plaintiffs allegedly asked for $5 billion in monetary damages. As part of the settlement, Google will also redesign Chrome's private browsing mode.
And that is all for this podcast edition. Today's show was brought to you by our sponsor, Resourcely. Find them at resourcely.io. Thanks for your company.