Patch Tuesday, December 2024 Edition – Krebs on Security


Microsoft today released updates to plug at least 70 security holes in Windows and Windows software, including one vulnerability that is already being exploited in active attacks.

The zero-day seeing exploitation involves CVE-2024-49138, a security weakness in the Windows Common Log File System (CLFS) driver — used by applications to write transaction logs — that could let an authenticated attacker gain “system” level privileges on a vulnerable Windows device.

The security firm Rapid7 notes there have been a series of zero-day elevation of privilege flaws in CLFS over the past few years.

“Ransomware authors who have abused previous CLFS vulnerabilities will be only too pleased to get their hands on a fresh one,” wrote Adam Barnett, lead software engineer at Rapid7. “Expect more CLFS zero-day vulnerabilities to emerge in the future, at least until Microsoft performs a full replacement of the aging CLFS codebase instead of offering spot fixes for specific flaws.”

Elevation of privilege vulnerabilities accounted for 29% of the 1,009 security bugs Microsoft has patched so far in 2024, according to a year-end tally by Tenable; nearly 40 percent of those bugs were weaknesses that could let attackers run malicious code on the vulnerable device.

Rob Reeves, principal security engineer at Immersive Labs, called special attention to CVE-2024-49112, a remote code execution flaw in the Lightweight Directory Access Protocol (LDAP) service on every version of Windows since Windows 7. CVE-2024-49112 has been assigned a CVSS (badness) score of 9.8 out of 10.

“LDAP is most commonly seen on servers that are Domain Controllers inside a Windows network and LDAP must be exposed to other servers and clients within an enterprise environment for the domain to function,” Reeves said. “Microsoft hasn’t released specific information about the vulnerability at present, but has indicated that the attack complexity is low and authentication is not required.”

Tyler Reguly at the security firm Fortra had a slightly different 2024 patch tally for Microsoft, at 1,088 vulnerabilities, which he said was surprisingly similar to the 1,063 vulnerabilities resolved in 2023 and the 1,119 vulnerabilities resolved in 2022.

“If nothing else, we can say that Microsoft is consistent,” Reguly said. “While it would be nice to see the number of vulnerabilities each year decreasing, at least consistency lets us know what to expect.”

If you’re a Windows end user and your system is not set up to automatically install updates, please take a minute this week to run Windows Update, preferably after backing up your system and/or important data.

System admins should keep an eye on AskWoody.com, which usually has the details if any of the Patch Tuesday fixes are causing problems. In the meantime, if you run into any problems applying this month’s fixes, please drop a note about it in the comments below.



Australia lays tax trap for Meta, with an expensive way out • The Register


Australia has created a tax that only big tech companies must pay – but which they can also legally avoid by paying money to Aussie news publishers.

The new tax – dubbed the “News Bargaining Incentive” – is a follow-up to 2021’s News Media Bargaining Code under which Australia forced Meta and Google to negotiate payments to local publishers, to reflect the value their news content adds to their search and social services. Those payments went straight to local publishers*

The two tech giants both signed up, but the Code requires occasional re-negotiation of payment plans.

Meta’s negotiations are due soon, and The House That Zuck Built has signalled it won’t negotiate a new deal. Instead, it could repeat its actions in Canada, where it no longer allows links to news – to avoid obligations under a law like the Code.

If Meta or Google stopped allowing links to Australian publishers’ articles, they would be exempt from the Code.

Australian lawmakers have realized that, which is why the News Bargaining Incentive has two elements: a charge, and an offset.

The charge will be levied on entities covered by the Code that choose not to make payments to publishers. The Register understands the charge will be sufficiently high that it will hurt to pay it.

But if an entity covered by the Code chooses to do deals with local media under the Code, the offset kicks in – and defrays the cost of the charge! Australian media will get funds needed to pay journalists, Big Tech will cough up a sliver of global revenue, and – in theory – the Land Down Under will emerge as a slightly better place thanks to its residents being able to access quality info curated by pros.

Entities that earn more than AU$250 million ($160 million) in revenue down under will be impacted by the scheme, which Australia’s government has said won’t be used as a revenue-raising measure.

The Incentive is not yet law. A consultation paper will appear in early 2025, and a federal election due by May means it could be some time before it reaches Parliament.

Big Tech will likely use that time to push back – fiercely – just as they did when the Code was floated in 2020.

Australia persisted, and many governments around the world watched on with interest. Meta and Google scored some significant changes to the Code, but nonetheless signed up and handed over cash. Some international governments tried to follow Australia’s lead, but Meta in particular decided it didn’t like this sort of law and decided not to play ball – just as in Canada.

So now we get another round of “That’s not a knife. That’s a knife” as Australia and Big Tech brandish their blades of sovereign and market power.

The introduction of the Incentive is Australia’s second big swipe at Big Tech in two weeks. The nation effectively banned kids under 16 from using social media by requiring operators to “make reasonable efforts” to identify youngsters and deny them service. Australia has therefore reduced Big Tech’s ability to make money and found a way to make it spend more on local media. Now to see if it works. ®

*The Register is not eligible for these schemes, which we report to keep readers informed of evolving relations between sovereign states and Big Tech.



Senators, witnesses: $3B for ‘rip and replace’ a good start to preventing Salt Typhoon-style breaches


The $3 billion that Congress folded into the annual defense policy bill to remove Chinese-made telecommunications technology from U.S. networks would be a huge start to defending against breaches like the Salt Typhoon espionage campaign, senators and hearing witnesses said Wednesday.

Federal Communications Commission Chairwoman Jessica Rosenworcel recently told Hill leaders that the $1.9 billion Congress had devoted to the “rip and replace” program to get rid of Huawei and ZTE equipment left the agency with a $3.08 billion hole to reimburse 126 carriers for eliminating use of that tech, “putting our national security and the connectivity of rural consumers who depend on these networks at risk.”

The fiscal 2025 National Defense Authorization Act (NDAA), which passed the House by a 281-140 vote Wednesday, contains language authorizing funds to fill that gap. Sen. Ben Ray Luján, the New Mexico Democrat who chairs the Commerce Subcommittee on Communications, Media and Broadband, said at Wednesday’s hearing of his panel that Congress should approve that funding even though there’s much still unknown about the attacks from the Chinese government hackers known as Salt Typhoon.

“What we do know is that more must be done to prevent attacks like this in the future,” he said. “One obvious thing we can do today is get equipment manufactured by companies that collaborate with our foreign adversaries out of our American networks. … I’m hopeful that there’s strong bipartisan agreement to fully fund this program through this year’s National Defense Authorization Act and address one of the major known vulnerabilities facing our networks every day once and for all.”

Congressional action on the “rip and replace” program “demonstrates that Congress can take bipartisan action to secure our networks, an approach that is urgently needed now as we take steps to confront the challenges posed by China,” said Sen. Jerry Moran, R-Kan.

Tim Donovan, president and CEO of the Competitive Carriers Association that represents telecommunications providers and vendors, said that for rural carriers deciding whether to remove equipment but not replace it under the program’s original timeline, “the situation is dire.” Equipment still in place can’t be upgraded.

“If Salt Typhoon can hack major operators, then there’s a flashing red light for ‘rip and replace’ networks that do not have the same resources,” he testified.

The timing on final passage of the NDAA remains up in the air in the Senate following the House’s approval Wednesday. Some Democrats have opposed the NDAA over provisions related to transgender medical treatment. Prior to lawmakers reaching a deal and releasing the final version of the legislation over the weekend, incoming Senate Majority Leader John Thune, R-S.D., said the GOP would prioritize it when they assume control of the chamber from Democrats next month — assuming it doesn’t pass before then.

Some Republican senators at the hearing also cast doubt on a recent FCC proposal to regulate telecommunications firms’ cybersecurity under the 1994 Communications Assistance for Law Enforcement Act. Texas Sen. Ted Cruz, the top Republican on the full Commerce panel, said the Biden administration shouldn’t “rush into regulatory expansion” as an answer.

But Sen. Ed Markey, D-Mass., said the FCC was taking needed action and telecommunications companies have to invest more resources to safeguard their systems. Major telecoms should’ve also already been doing the things the FBI and Cybersecurity and Infrastructure Security Agency recently recommended, said Justin Sherman, founder and CEO of Global Cyber Strategies and nonresident senior fellow at the Atlantic Council’s Cyber Statecraft Initiative.


Written by Tim Starks

Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: tim.starks@cyberscoop.com.



Chinese Hacker Pwns 81K Sophos Devices With Zero-Day


NEWS BRIEF

The US government unsealed charges yesterday against a Chinese national who allegedly broke into approximately 81,000 of Sophos firewall devices around the world in 2020.

Guan Tianfeng, also known as gbigmao and gxiaomao, was charged with conspiracy to commit computer fraud and conspiracy to commit wire fraud. Tianfeng has also been accused of developing and testing a zero-day security vulnerability used to conduct the Sophos attacks.

The zero-day vulnerability in question is tracked as CVE-2020-12271 and has a CVSS score of 9.8, a critical SQL injection flaw that could allow a threat actor to achieve remote code execution (RCE).

A federal arrest warrant was issued for Tianfeng in the US District Court, Northern District of Indiana, Hammond Division, and it is believed that he is currently residing in Sichuan Province, China.

The Rewards for Justice Program through the US Department of State is offering an award of up to $10 million for information on Tianfeng and the offices he worked out of, Sichuan Silence Technology Company Ltd., as well as associated individuals and their malicious activity.

“The defendant and his conspirators compromised tens of thousands of firewalls and then continued to hold at risk these devices, which protect computers in the United States and around the world,” said Assistant Attorney General for National Security Matthew Olsen, in a press release. “The Department of Justice will hold accountable those who contribute to the dangerous ecosystem of China-based enabling companies that carry out indiscriminate hacks on behalf of their sponsors and undermine global cybersecurity.”

Any tips or information can be made with the FBI via WhatsApp, Signal, Telegram, or tips.fbi.gov.




Hunk Companion WordPress plugin exploited to install vulnerable plugins


Hackers are exploiting a critical vulnerability in the “Hunk Companion” plugin to install and activate other plugins with exploitable flaws directly from the WordPress.org repository.

By installing outdated plugins that have known vulnerabilities with publicly available exploits, the attackers gain access to a large pool of flaws that enable remote code execution (RCE), SQL injection, or cross-site scripting (XSS), or that let them create backdoor admin accounts.

The activity was discovered by WPScan, which reported it to Hunk Companion’s developers; a security update addressing the zero-day flaw was released yesterday.

Installing vulnerable plugins

Hunk Companion is a WordPress plugin designed to complement and enhance the functionality of themes developed by ThemeHunk, a provider of customizable WordPress themes, so it’s more of an add-on rather than a standalone plugin.

According to WordPress.org stats, Hunk Companion is currently used by over 10,000 WordPress sites, so it’s a relatively niche tool in the space.

The critical vulnerability was discovered by WPScan researcher Daniel Rodriguez and is tracked as CVE-2024-11972. The flaw allows the arbitrary installation of plugins by means of unauthenticated POST requests.

The issue impacts all versions of Hunk Companion before the latest 1.9.0, released yesterday, which addressed the problem.

While investigating a WordPress site infection, WPScan discovered active exploitation of CVE-2024-11972 to install a vulnerable version of WP Query Console.

This is an obscure plugin last updated over 7 years ago, which the hackers exploited to execute malicious PHP code on the targeted sites, leveraging the zero-day RCE flaw CVE-2024-50498.

“In the infections we’ve analyzed, attackers use the RCE to write a PHP dropper to the site’s root directory,” explains WPScan.

“This dropper allows continued unauthenticated uploads via GET requests, enabling persistent backdoor access to the site.”

It’s worth noting that Hunk Companion fixed a similar flaw in version 1.8.5, which was tracked under CVE-2024-9707, but apparently, the patch wasn’t adequate, and ways to bypass it exist.

Given the flaw’s severity and its active exploitation status, users of Hunk Companion are recommended to update to 1.9.0 as soon as possible.

At the time of writing, the latest version has been downloaded roughly 1,800 times, so at least eight thousand websites remain vulnerable to exploitation.




Secret Blizzard Deploys Kazuar Backdoor in Ukraine Using Amadey Malware-as-a-Service


Dec 11, 2024 | Ravie Lakshmanan | Malware / Cyber Espionage

The Russian nation-state actor tracked as Secret Blizzard has been observed leveraging malware associated with other threat actors to deploy a known backdoor called Kazuar on target devices located in Ukraine.

The new findings come from the Microsoft threat intelligence team, which said it observed the adversary leveraging the Amadey bot malware to download custom malware onto “specifically selected” systems associated with the Ukrainian military between March and April 2024.

The activity is assessed to be the second time since 2022 that Secret Blizzard, also known as Turla, has latched onto a cybercrime campaign to propagate its own tools in Ukraine.

“Commandeering other threat actors’ access highlights Secret Blizzard’s approach to diversifying its attack vectors,” the company said in a report shared with The Hacker News.

Some of the other known methods employed by the hacking crew include adversary-in-the-middle (AitM) campaigns, strategic web compromises (aka watering hole attacks), and spear-phishing.


Secret Blizzard has a track record of targeting various sectors to facilitate long-term covert access for intelligence collection, but their primary focus is on ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies across the world.

The latest report comes a week after the tech giant, along with Lumen Technologies Black Lotus Labs, revealed Turla’s hijacking of 33 command-and-control (C2) servers of a Pakistan-based hacking group named Storm-0156 to carry out its own operations.

The attacks targeting Ukrainian entities entail commandeering Amadey bots to deploy a backdoor known as Tavdig, which is then used to install an updated version of Kazuar, which was documented by Palo Alto Networks Unit 42 in November 2023.

The cybercriminal activity tied to Amadey, which often includes the execution of the XMRig cryptocurrency miner, is being tracked by Microsoft under the moniker Storm-1919.


It’s believed that Secret Blizzard either used the Amadey malware-as-a-service (MaaS) or accessed the Amadey command-and-control (C2) panels stealthily to download a PowerShell dropper on target devices. The dropper comprises a Base64-encoded Amadey payload that’s appended by a code segment, which calls back to a Turla C2 server.

“The need to encode the PowerShell dropper with a separate C2 URL controlled by Secret Blizzard could indicate that Secret Blizzard was not directly in control of the C2 mechanism used by the Amadey bot,” Microsoft said.

The next phase involves downloading a bespoke reconnaissance tool with an aim to collect details about the victim device and likely check if Microsoft Defender was enabled, ultimately enabling the threat actor to zero in on systems that are of further interest.

At this stage, the attack proceeds to deploy a PowerShell dropper containing the Tavdig backdoor and a legitimate Symantec binary that’s susceptible to DLL side-loading. Tavdig, for its part, is used to conduct additional reconnaissance and launch KazuarV2.

Microsoft said it also detected the threat actor repurposing COOKBOX, a PowerShell backdoor tied to a different Russia-based hacking group called Flying Yeti (aka Storm-1837 and UAC-0149), to deploy a PowerShell dropper that embeds Tavdig.


Investigation into how Secret Blizzard gained control of the Storm-1837 backdoor or Amadey bots to download its own tools is presently ongoing, the tech giant noted.

Needless to say, the findings once again highlight the threat actor’s repeated pursuit of footholds provided by other parties, whether by purchasing or stealing that access, to conduct espionage campaigns in a manner that obscures its own presence.

“It is not uncommon for actors to use the same tactics or tools, although we rarely see evidence of them compromising and using other actors’ infrastructure,” Sherrod DeGrippo, director of Threat Intelligence Strategy at Microsoft, told The Hacker News.

“Most state-sponsored threat actors have operational objectives that rely on dedicated or carefully compromised infrastructure to retain the integrity of their operation. This is potentially an effective obfuscation technique to frustrate threat intelligence analysts and make attribution to the correct threat actor more difficult.”





How Cryptocurrency Turns to Cash in Russian Banks – Krebs on Security


A financial firm registered in Canada has emerged as the payment processor for dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services aimed at Russian-speaking customers, new research finds. Meanwhile, an investigation into the Vancouver street address used by this company shows it is home to dozens of foreign currency dealers, money transfer businesses, and cryptocurrency exchanges — none of which are physically located there.

Richard Sanders is a blockchain analyst and investigator who advises the law enforcement and intelligence community. Sanders spent most of 2023 in Ukraine, traveling with Ukrainian soldiers while mapping the shifting landscape of Russian crypto exchanges that are laundering money for narcotics networks operating in the region.

More recently, Sanders has focused on identifying how dozens of popular cybercrime services are getting paid by their customers, and how they are converting cryptocurrency revenues into cash. For the past several months, he’s been signing up for various cybercrime services, and then tracking where their customer funds go from there.

The 122 services targeted in Sanders’ research include some of the more prominent businesses advertising on the cybercrime forums today, such as:

- abuse-friendly or “bulletproof” hosting providers like anonvm[.]wtf, and PQHosting;
- sites selling aged email, financial, or social media accounts, such as verif[.]work and kopeechka[.]store;
- anonymity or “proxy” providers like crazyrdp[.]com and rdp[.]monster;
- anonymous SMS services, including anonsim[.]net and smsboss[.]pro.

The site Verif dot work, which processes payments through Cryptomus, sells financial accounts, including debit and credit cards.

Sanders said he first encountered some of these services while investigating Kremlin-funded disinformation efforts in Ukraine, as they are all useful in assembling large-scale, anonymous social media campaigns.

According to Sanders, all 122 of the services he tested are processing transactions through a company called Cryptomus, which says it is a cryptocurrency payments platform based in Vancouver, British Columbia. Cryptomus’ website says its parent firm — Xeltox Enterprises Ltd. (formerly certa-pay[.]com) — is registered as a money service business (MSB) with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).

Sanders said the payment data he gathered also shows that at least 56 cryptocurrency exchanges are currently using Cryptomus to process transactions, including financial entities with names like casher[.]su, grumbot[.]com, flymoney[.]biz, obama[.]ru and swop[.]is.

These platforms are built for Russian speakers, and they each advertise the ability to anonymously swap one form of cryptocurrency for another. They also allow the exchange of cryptocurrency for cash in accounts at some of Russia’s largest banks — nearly all of which are currently sanctioned by the United States and other western nations.

A machine-translated version of Flymoney, one of dozens of cryptocurrency exchanges apparently nested at Cryptomus.

An analysis of their technology infrastructure shows that all of these exchanges use Russian email providers, and most are directly hosted in Russia or by Russia-backed ISPs with infrastructure in Europe (e.g. Selectel, Netwarm UK, Beget, Timeweb and DDoS-Guard). The analysis also showed nearly all 56 exchanges used services from Cloudflare, a global content delivery network based in San Francisco.

“Purportedly, the purpose of these platforms is for companies to accept cryptocurrency payments in exchange for goods or services,” Sanders told KrebsOnSecurity. “Unfortunately, it is next to impossible to find any goods for sale with websites using Cryptomus, and the services appear to fall into one or two different categories: Facilitating transactions with sanctioned Russian banks, and platforms providing the infrastructure and means for cyber attacks.”

Cryptomus did not respond to multiple requests for comment.

PHANTOM ADDRESSES?

The Cryptomus website and its FINTRAC listing say the company’s registered address is Suite 170, 422 Richards St. in Vancouver, BC. This address was the subject of an investigation published in July by CTV National News and the Investigative Journalism Foundation (IJF), which documented dozens of cases across Canada where multiple MSBs are incorporated at the same address, often without the knowledge or consent of the location’s actual occupant.

This building at 422 Richards St. in downtown Vancouver is the registered address for 90 money services businesses, including 10 that have had their registrations revoked. Image: theijf.org/msb-cluster-investigation.

Their inquiry found 422 Richards St. was listed as the registered address for at least 76 foreign currency dealers, eight MSBs, and six cryptocurrency exchanges. At that address is a three-story building that used to be a bank and now houses a massage therapy clinic and a co-working space. But they found none of the MSBs or currency dealers were paying for services at that co-working space.

The reporters found another collection of 97 MSBs clustered at an address for a commercial office suite in Ontario, even though there was no evidence these companies had ever arranged for any business services at that address.

Peter German, a former deputy commissioner for the Royal Canadian Mounted Police who authored two reports on money laundering in British Columbia, told the publications it goes against the spirit of Canada’s registration requirements for such businesses, which are considered high-risk for money laundering and terrorist financing.

“If you’re able to have 70 in one building, that’s just an abuse of the whole system,” German said.

Ten MSBs registered to 422 Richards St. had their registrations revoked. One company at 422 Richards St. whose registration was revoked this year had a director with a listed address in Russia, the publications reported. “Others appear to be directed by people who are also directors of companies in Cyprus and other high-risk jurisdictions for money laundering,” they wrote.

A review of FINTRAC’s registry (.CSV) shows many of the MSBs at 422 Richards St. are international money transfer or remittance services to countries like Malaysia, India and Nigeria. Some act as currency exchanges, while others appear to sell merchant accounts and online payment services. Still, KrebsOnSecurity could find no obvious connections between the 56 Russian cryptocurrency exchanges identified by Sanders and the dozens of payment companies that FINTRAC says share an address with the Cryptomus parent firm Xeltox Enterprises.

SANCTIONS EVASION

In August 2023, Binance and some of the largest cryptocurrency exchanges responded to sanctions against Russia by cutting off many Russian banks and restricting Russian customers to transactions in Rubles only. Sanders said prior to that change, most of the exchanges currently served by Cryptomus were handling customer funds with their own self-custodial cryptocurrency wallets.

By September 2023, Sanders said he found the exchanges he was tracking had all nested themselves like Matryoshka dolls at Cryptomus, which adds a layer of obfuscation to all transactions by generating a new cryptocurrency wallet for each order.

“They all simply moved to Cryptomus,” he said. “Cryptomus generates new wallets for each order, rendering ongoing attribution to require transactions with high fees each time.”

“Exchanges like Binance and OKX removing Sberbank and other sanctioned banks and offboarding Russian users did not remove the ability of Russians to transact in and out of cryptocurrency easily,” he continued. “In fact, it’s become easier, because the instant-swap exchanges do not even have Know Your Customer rules. The U.S. sanctions resulted in the majority of Russian instant exchanges switching from their self-custodial wallets to platforms, especially Cryptomus.”

Russian President Vladimir Putin in August signed a new law legalizing cryptocurrency mining and allowing the use of cryptocurrency for international payments. The Russian government’s embrace of cryptocurrency was a remarkable pivot: Bloomberg notes that as recently as January 2022, just weeks before Russia’s full-scale invasion of Ukraine, the central bank proposed a blanket ban on the use and creation of cryptocurrencies.

In a report on Russia’s cryptocurrency ambitions published in September, blockchain analysis firm Chainalysis said Russia’s move to integrate crypto into its financial system may improve its ability to bypass the U.S.-led financial system and to engage in non-dollar denominated trade.

“Although it can be hard to quantify the true impact of certain sanctions actions, the fact that Russian officials have singled out the effect of sanctions on Moscow’s ability to process cross-border trade suggests that the impact felt is great enough to incite urgency to legitimize and invest in alternative payment channels it once decried,” Chainalysis assessed.

Asked about its view of activity on Cryptomus, Chainalysis said Cryptomus has been used by criminals of all stripes for laundering money and/or the purchase of goods and services.

“We see threat actors engaged in ransomware, narcotics, darknet markets, fraud, cybercrime, sanctioned entities and jurisdictions, and hacktivism making deposits to Cryptomus for purchases but also laundering the services using Cryptomus payment API,” the company said in a statement.

SHELL GAMES

It is unclear if Cryptomus and/or Xeltox Enterprises have any presence in Canada at all. A search in the United Kingdom’s Companies House registry for Xeltox’s former name — Certa Payments Ltd. — shows an entity by that name incorporated at a mail drop in London in December 2023.

The sole shareholder and director of that company is listed as a 25-year-old Ukrainian woman in the Czech Republic named Vira Krychka. Ms. Krychka was recently appointed the director of several other new U.K. firms, including an entity created in February 2024 called Globopay UAB Ltd, and another called WS Management and Advisory Corporation Ltd. Ms. Krychka did not respond to a request for comment.

WS Management and Advisory Corporation bills itself as the regulatory body that exclusively oversees licenses of cryptocurrencies in the jurisdiction of Western Sahara, a disputed territory in northwest Africa. Its website says the company assists applicants with bank setup and formation, online gaming licenses, and the creation and licensing of foreign exchange brokers. One of Certa Payments’ former websites — certa[.]website — also shared a server with 12 other domains, including rasd-state[.]ws, a website for the Central Reserve Authority of the Western Sahara.

The website crasadr dot com, the official website of the Central Reserve Authority of Western Sahara.

This business registry from the Czech Republic indicates Ms. Krychka works as a director at an advertising and marketing firm called Icon Tech SRO, which was previously named Blaven Technologies (Blaven’s website says it is an online payment service provider).

In August 2024, Icon Tech changed its name again to Mezhundarondnaya IBU SRO, which describes itself as an “experienced company in IT consulting” that is based in Armenia. The same registry says Ms. Krychka is somehow also a director at a Turkish investment venture. So much business acumen at such a young age!

For now, Canada remains an attractive location for cryptocurrency businesses to set up shop, at least on paper. The IJF and CTV News found that as of February 2024, there were just over 3,000 actively registered MSBs in Canada, 1,247 of which were located at the same building as at least one other MSB.

“That analysis does not include the roughly 2,700 MSBs whose registrations have lapsed, been revoked or otherwise stopped,” they observed. “If they are included, then a staggering 2,061 out of 5,705 total MSBs share a building with at least one other MSB.”




Krispy Kreme admits there’s a hole in its security • The Register


Doughnut slinger Krispy Kreme has admitted to an attack that has left many customers unable to order online.

According to a mandatory 8-K filing [PDF], on November 29, the biz was notified regarding unauthorized access to a portion of its IT systems. Its security team waddled into action and sprinkled in support from “leading cybersecurity experts,” but said that delays in online orders were going to be hard to swallow for some.

“The expected costs related to the incident, including the loss of revenues from digital sales during the recovery period, fees for our cybersecurity experts and other advisors, and costs to restore any impacted systems, are reasonably likely to have a material impact on the company’s results of operations and financial condition,” it reported. “The company holds cybersecurity insurance that is expected to offset a portion of the costs of the incident.”

The pastry purveyors remain tight-lipped about the nature of the incident. When asked if this was a straight-up ransomware attack, a data-theft incident, or a secondary ransomware extortion attempt that goes after customers, it declined to comment.

“We’re experiencing certain operational disruptions due to a cybersecurity incident, including with online ordering in parts of the United States. We immediately began taking steps to investigate, contain, and remediate the incident with the assistance of leading cybersecurity experts and other advisors,” a spokesperson told The Register.

“We, along with them, continue to work diligently to respond to and mitigate the impact from the incident, including the restoration of online ordering. Our fresh doughnuts are available in our shops as always! Additionally, our fans can also visit their nearest grocery or convenience store to enjoy our doughnuts.”

The filing also appears tardy. The SEC requires companies to report “material” cybersecurity incidents within four business days, which suggests Krispy Kreme’s disclosure might be a little late out of the oven. Again, the company has no comment on the issue.

But the timing of the attack is certainly interesting. The US celebrated its Thanksgiving holiday on November 28 this year. With IT staff enjoying a break and incident response times slowed, holidays are an ideal time to hit servers, and there is also a marked increase in general computer crime over such periods; the 2023 MOVEit intrusion, for example, was timed for America’s Memorial Day weekend.

As ever, if you’re a regular customer, check any credit cards associated with your bun account. A cholesterol check might be in order too. ®


Latest round of MITRE ATT&CK evaluations put cybersecurity products through rigors of ransomware


MITRE Corporation released findings Wednesday from its latest round of ATT&CK evaluations, assessing the capabilities of enterprise cybersecurity solutions against some of the most prevalent ransomware tactics and North Korean malware.

The sixth such evaluation from the nonprofit research organization measured 19 different vendors’ ability to protect enterprise systems by evaluating them against two prominent ransomware strains — Cl0p and LockBit — as well as North Korean-linked malware targeting macOS systems. For the latter, MITRE’s evaluation used advanced multi-stage malware emulations that highlighted sophisticated tactics, such as exploiting legitimate macOS utilities and stealthily exfiltrating sensitive data.

According to William Booth, the general manager of MITRE’s ATT&CK evaluations, the results revealed significant disparities between vendors’ detection rates and their ability to accurately distinguish malicious activity from benign system behavior.

“Some vendors had higher false-positive rates than detection rates, which indicates a need to better distinguish legitimate activity from malicious activity,” Booth told CyberScoop. 

How the tests were conducted 

The evaluation is conducted in multiple stages.

First, MITRE runs an initial emulation plan to assess the vendors’ baseline detection capabilities. This means they execute a series of malicious activities and see which ones the vendors can detect without any prior knowledge.

After this initial detection test, MITRE gives vendors a day to make configuration changes to their products. This could involve things like adding new detection logic, updating user interfaces, or making other adjustments to improve product performance.

The purpose of this configuration change period is to allow the vendors to enhance their products based on the initial test results. MITRE wants to see if the vendors can improve their detection and protection capabilities by making targeted changes.

In the second phase of testing, MITRE runs a separate emulation plan focused on the protection capabilities of the vendors’ products, complete with a new set of malicious activities that the vendors haven’t seen before.

By separating the detection and protection tests, and allowing the configuration changes in between, MITRE can assess how well the vendors can adapt and improve their security controls in response to new threats.

What the results show 

The organization explicitly states that “the evaluations do not rank vendors and their solutions, but instead provide insights” for organizations to make their own decisions based on their unique IT systems and threat models. However, Booth told CyberScoop there were surprising findings from the evaluation’s data. 

One of the most striking discoveries was that some vendors had higher false-positive rates than actual detection rates. Booth explained that this indicates a significant need for vendors to improve the specificity of their detection and blocking capabilities.

“There are certain vendors where you’ll see, yes, they had 100% detections, but their false-positive rate was also 90%,” Booth said. “That’s really interesting when you start to look at, OK, how can [vendors] determine what needs to be detected versus what is just noise?”

Another surprising finding was the difficulty vendors faced in protecting against threats in the post-compromise stage. Booth noted that MITRE’s evaluation placed a strong emphasis on assessing vendors’ ability to detect and mitigate ransomware activities after the initial breach, rather than just the initial infection.

“The assumption that you’re always going to block on the first piece of activity is not the case,” Booth said. “We’re focused on what happens after that initial compromise.”

Many vendors seemed to struggle with this post-compromise focus, as ransomware can often mimic normal system and file encryption behaviors. 

Booth also highlighted the varied approaches vendors are taking when it comes to detection, noting some key differences between machine learning-based methods and more heuristic-based techniques.

“There’s certainly some that are using AI, applying the language models on the raw data, and then there’s others that are using more of a heuristic approach,” Booth explained.

The evaluation revealed that these differing detection strategies can lead to vastly different results, both in terms of detection rates and false-positive rates.

A first for Mac

Booth told CyberScoop the inclusion of macOS in this latest evaluation round presented some unique challenges, noting that evaluating Mac-based threats required a different approach compared to previous Windows-focused assessments.

“MacOS was a bit tougher because there’s not a lot of public CTI [Cyber Threat Intelligence] on that,” Booth said.

That lack of public threat intelligence on Mac-targeted malware campaigns made it more challenging for MITRE to construct realistic, evidence-based emulation scenarios for the evaluation.

“There’s a lot that goes into formulating [the evaluation], in terms of our discussions with many different groups and organizations to get input into doing that. But Mac was hard because there’s not a lot of public CTI,” Booth acknowledged.

Despite these difficulties, MITRE included macOS in this round of testing to better reflect the evolving threat landscape. As more organizations adopt Apple devices, understanding the security capabilities of products against Mac-based attacks has become increasingly important.

Full list of vendors

The full cohort of products that MITRE evaluated included: 

  • AhnLab
  • Bitdefender
  • Check Point
  • Cisco Systems
  • Cybereason
  • Cynet
  • ESET
  • HarfangLab
  • Microsoft
  • Palo Alto Networks
  • Qualys
  • SentinelOne
  • Sophos
  • Tehtris
  • ThreatDown
  • Trellix
  • Trend Micro
  • WatchGuard
  • WithSecure

The evaluation results are publicly available on MITRE’s ATT&CK evaluation website. 


Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.


Governments, Telcos Ward Off China’s Hacking Typhoons


While the US government and at least eight telecommunications firms struggle to defend their networks against the China-sponsored Salt Typhoon group, other nations’ telecommunications firms have often been primary targets for advanced persistent threats (APTs) as well.

In 2023, China-linked group Earth Estries — which may overlap with Salt Typhoon — compromised telecommunications firms in the Asia-Pacific (APAC) and the Middle East and North Africa (MENA) regions, as well as the US. In 2022, a Chinese APT group alternatively known as Daggerfly and Evasive Panda infected systems at a telecommunications organization in Africa, installing a backdoor tool known as MgBot. And earlier this year, Chinese APT group Volt Typhoon targeted Singapore’s largest telco, Singtel, with attacks, although the company denies any of the probes were successful.

China has made infiltrating other nations’ networks a foundation of its geopolitical strategy, and other countries — and their citizens — should consider their networks no longer private, says David Wiseman, vice president of secure communications for cybersecurity firm BlackBerry.

“All countries need to assume they are affected,” he says. “The impact [of these attacks is] operational in that the government can no longer be confident using traditional phone calls and SMS. This is accelerating the usage of ‘over the top’ encrypted communications applications for official government communications.”

Over-the-top (OTT) applications and services are those that are delivered over the Internet, not through traditional telecommunications systems.

US telecommunications firms — including Verizon, AT&T, and T-Mobile — are struggling to clean their networks and prevent two Chinese groups, Salt Typhoon and Volt Typhoon, from persisting in their systems. Earlier this year, Salt Typhoon gained access to some of the telecom systems used to satisfy wiretap requests, while Volt Typhoon has compromised telecommunications and other critical infrastructure to pre-position ahead of a possible regional conflict.

Telecommunications infrastructure is one of the most attractive targets for nation-state actors, because it affects all facets of a country’s economy and provides in-depth data on its citizens, says Chris Henderson, senior director of threat operations at Huntress, a threat-intelligence firm.

“As telecommunication companies have grown from managing landline infrastructure to being one of the most data-rich organizations, their attractiveness to both for-profit groups and state-sponsored espionage has also grown,” he says, adding that they “know more about you than arguably any other organization — they understand where you have been physically located, who you are speaking with, and for how long.”

From Singapore to India and Beyond

China has long focused on the telecommunication firms of its regional rivals. In 2014, for example, the government of India accused Chinese equipment maker Huawei of hacking the state-owned Bharat Sanchar Nigam Limited (BSNL), after that firm used another Chinese service provider, ZTE, to provision its lines.

In 2023, an investigation by cybersecurity firm Trend Micro found that China-linked Earth Estries targeted at least 20 telecommunications and other infrastructure providers across Southeast and South Asia, South Africa, and Brazil, using a cross-platform backdoor.

Every country should act to defend its telecommunications infrastructure, says BlackBerry’s Wiseman. While the successful attacks on Singapore, India, and the US are among the few that have become public, other companies are likely breached and still not aware of it, he says.

Organizations and citizens should no longer assume that their communications are safe, Wiseman says.

“General harvesting of communication records to build out a continual understanding of changes in command-and-control networks is a key thing that can be done,” he says. “More concerning is that since the voice calls of specific people can be listened to along with reading of the SMS messages, there is the potential for more advanced communications manipulation.”

A Boost for Encryption

The Salt Typhoon attacks may push citizens — and possibly their governments — toward greater use of encryption. While the trend has been for authoritarian governments and security agencies — such as law enforcement and internal security groups — to argue for less encryption, or at least backdoors into encrypted systems, the global attacks on telecommunications technology demonstrate that even nations with well-considered, strict privacy laws are not safe havens, says Gregory Nojeim, senior counsel and director of the security and surveillance project at the Center for Democracy and Technology, a digital-rights group.

“Greater geopolitical tension breeds greater geopolitical incentive to gain access to other countries’ communications and that will also incentivize the adoption and use of encryption,” Nojeim says. “Hopefully, it will also incentivize the protection of encryption against proposals that would weaken it.”

In the US, government agencies such as the FBI have argued for law-enforcement backdoors into telecommunications networks and are calling for workers and citizens to use stronger encryption.

Meanwhile, telecommunications providers — whether private or state-owned — should focus more heavily on security, and their citizens should also adopt encrypted services, BlackBerry’s Wiseman says. “Many countries realized this earlier than the US [and] started widespread adoption of end-to-end app-based encrypted communications sooner,” he says. “The earliest movers were countries that did not have the same level of controls over their telecom network supply chains as the more developed countries.”

Most countries in the Global South score lower on rankings of Internet privacy than their peers in North America, Europe, and East Asia. However, lower privacy rights can mean citizens are more likely to use encrypted services, says CDT’s Nojeim.

“One lesson of Salt Typhoon is that people who live in democracies can’t comfort themselves that their own government won’t listen in absent a good reason,” he says. “Now they have to be concerned about foreign governments listening in, and the way to prevent that, again, is to use an encrypted service.”
