#NSBCS.019 - Cracks in the Windows: Unravelling Microsoft's Security Saga

Source: NSB Cyber

The Struggle for Tech Giants in the Race for Resilience

The United States (U.S.) Cyber Safety Review Board (CSRB) has issued a critical report on a recent data breach affecting nearly two dozen companies across Europe and the U.S. The CSRB criticises Microsoft, alleging a series of security lapses that enabled the breach by a China-based nation-state hacking group known as Storm-0558. This incident has far-reaching implications, raising concerns about the vulnerability of cloud-based systems and the responsibility of tech giants in safeguarding user data. Some of the key inadequate practices by Microsoft that the U.S. CSRB highlights in its report include:

1. Security Failures and Cascade of Errors: The intrusion succeeded due to a series of avoidable errors by Microsoft, reflecting inadequacies in its security culture and practices. Microsoft failed to detect the compromise of its cryptographic keys on its own, relying instead on a customer to flag anomalous activities.

2. Failure in Public Communication: Microsoft did not correct inaccurate public statements about the incident in a timely manner. Even after acknowledging internally that its initial assessment of the intrusion's root cause was inaccurate, it delayed issuing a correction, undermining transparency and potentially affecting the ability of customers and partners to respond effectively.

3. Inadequate Security Practices Compared to Industry Peers: The review of other cloud service providers (CSPs) indicated that they maintained security controls absent in Microsoft's environment, highlighting a gap in Microsoft's cybersecurity practices compared to industry norms.

4. Mergers and Acquisitions Security Oversight: The 2021 compromise of Microsoft's corporate network by Storm-0558 was facilitated by an oversight in the security compromise assessment and remediation process related to Microsoft's acquisition of another company. This oversight allowed a compromised device to connect to Microsoft’s corporate network, demonstrating gaps in Microsoft’s security protocols during mergers and acquisitions.

5. Challenges in Victim Notification and Coordination: The process of notifying and coordinating with victims was complex and fraught with challenges. Microsoft’s initial efforts to notify victims were not always effective, with some recipients disregarding the notifications as potential spam. The FBI changed its approach to ensure that every identified account owner was directly notified, highlighting the difficulties in ensuring that critical information reaches affected parties in a manner that prompts appropriate action.

It's clear that what happened goes beyond technical glitches and corporate missteps. For many of us, trusting a company like Microsoft is second nature; we do it without blinking, believing in the security and reliability of the digital tools we use daily. But this breach—this jarring reminder of vulnerability—forces us to confront uncomfortable questions about trust and accountability in the digital space we all navigate and take #NoStepsBackwards!

For information on NSB Cyber’s Cyber Resilience capabilities or to book a meeting with our team, click here.


What we read this week

  • Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution - A critical vulnerability has been discovered in XZ Utils, a widely used open-source data compression library shipped in Linux distributions. The supply chain compromise, tracked as CVE-2024-3094, was recently reported by a Microsoft engineer and PostgreSQL developer. The vulnerability resides in malicious code implanted into XZ Utils that acts as a backdoor, granting remote attackers full access to and control over an affected system if exploited successfully.

  • DinodasRAT malware targets Linux servers in espionage campaign - Security researchers have observed a campaign leveraging a Linux version of the DinodasRAT (also known as XDealer) malware to target Red Hat and Ubuntu systems. The first version of DinodasRAT was identified in 2021, and this Linux variant may have been operating since 2022. The attackers are primarily using DinodasRAT to gain and maintain access to compromised Linux servers. The malware grants the attacker complete control over the infected machine, enabling them to steal data and conduct espionage activities. Details about the initial infection method remain undisclosed; however, the malware has been observed impacting victims in China, Taiwan, Turkey, and Uzbekistan since October 2023.

  • Shopping platform PandaBuy data leak impacts 1.3 million users - A data breach at PandaBuy, an online platform allowing international users to purchase products from Chinese e-commerce sites, has exposed information belonging to over 1.3 million customers. According to the data breach aggregation service Have I Been Pwned (HIBP), the compromised information includes email addresses, customer names, order details (including order numbers and shipping information), transaction dates and times, and payment IDs. Two threat actors, named Sanggiero and IntelBroker, exploited critical vulnerabilities within PandaBuy's systems to gain access to user data.

  • Sydney’s Indian Support Centre suffers second cyber attack of the year - The Indian Support Centre (ISC), a non-profit organisation assisting Indian migrants in Australia, fell victim to a cyberattack perpetrated by the threat group RipperSec. This group is known for targeting government or infrastructure sites, with a tendency to favour targets supporting Israel. This incident marks the second cyberattack the ISC has faced this year. In February, it was targeted by the Nixon Cyber Team, which launched a distributed denial-of-service (DDoS) attack and a defacement attempt.

  • Vulnerability Exposed Ibis Budget Guest Room Codes to Hackers - Security flaws in self-check-in kiosks at Ibis Budget hotels across Europe raised concerns about guest safety in late 2023. A team of hackers from the Swiss firm Pentagrid discovered a critical flaw in the kiosks that allowed anyone to view room access codes on the screen after check-in, essentially compromising the security of any guest who used the kiosk for the check-in process. This vulnerability could have potentially enabled unauthorised individuals to gain access to guest rooms, raising significant concerns for the safety and privacy of Ibis Budget hotel guests.

References
https://thehackernews.com/2024/04/malicious-code-in-xz-utils-for-linux.html
https://www.bleepingcomputer.com/news/security/dinodasrat-malware-targets-linux-servers-in-espionage-campaign/
https://www.bleepingcomputer.com/news/security/shopping-platform-pandabuy-data-leak-impacts-13-million-users/
https://www.cyberdaily.au/security/10401-sydneys-indian-support-centre-suffers-second-cyber-attack-of-the-year
https://www.hackread.com/ibis-budget-guest-room-codes-hacker-vulnerability/