Cyber Security Headlines: China’s MSA key hack, cyberwar crimes, North Korea targeting Russia

How Chinese hackers stole a Microsoft signing key

Microsoft released details on how the Chinese-linked Storm-0558 threat group obtained an MSA key. The attackers used this key in the recent Exchange Online and Azure Active Directory breaches. This came from a cascade of failures. The MSA key leaked after a crash dump occurred on a consumer signing system. The dump should not have contained the key, but it was added due to a race condition. The crash dump eventually moved to Microsoft’s internet-connected debugging environment. When the Storm threat actors compromised a Microsoft engineer’s corporate account, they discovered the key in the crash dump.

(Bleeping Computer)

The ICC to prosecute cyberwar crimes

Last month in the publication Foreign Policy, International Criminal Court lead prosecutor Karim Khan said his office will investigate and prosecute cybercrimes that amount to acts such as war crimes, genocide, and crimes against humanity. The announcement in the publication did not get much press notice at the time, but Khan’s office told Wired this is now the office’s official stance. In the piece, Khan also mentioned that disinformation remained a separate area of concern for prosecution, as a “gray zone” tactic between war and peace.

(Wired)

North Korean cyberattacks against Russian targets

This finding comes from a new report from Microsoft. There are not many details in this report: no word on specific victims, or even ties to a specific threat group. These attacks occurred in March 2023, targeting Russian diplomats and an aerospace research institute. Microsoft said this appeared to be a crime of opportunity to seize intelligence while Russia is embroiled in its war in Ukraine. This finding came as part of an overall report on cyberespionage activity and capabilities in East Asia.

(Reuters)

China broadens iPhone ban

Bloomberg’s sources say the Chinese government began expanding its ban on iPhones. Several agencies reportedly started telling staff to not bring the devices to work. More formal restrictions are reportedly in progress, which would see the phones restricted across state-owned enterprises and other areas with government oversight. iPhones retain significant market share in the country, but increasingly come into conflict with government objectives to lessen dependence on American-owned technology. 

(Bloomberg)

Huge thanks to our sponsor, DataBee, from Comcast Technology Solutions

DataBee, from Comcast Technology Solutions, is a cloud-native security, risk and compliance data fabric platform that transforms your security data chaos into connected outcomes.

Built by security professionals for security professionals, DataBee makes your data a gold mine, rich with information that enables you to examine the past, react to the present, and protect the future of your business.

Learn more at https://comca.st/DataBee.

LockBit hits Seville 

Local media reports that the city council of Seville, Spain attributed a recent ransomware attack to LockBit. It says it will not pay a $1.5 million ransom. The attack began on September 4th and impacted the response of emergency services and tax collection. The city does not know if LockBit exfiltrated any data in the attack. LockBit did not post any information from an attack on Seville on its leak site as of this recording. 

(The Record)

Android patches actively exploited zero-day

The September 2023 Android security update patched a high-severity zero-day discovered in the Android Framework. This opens the door to privilege escalation without user interaction. In its advisory, Google said it discovered signs of “limited, targeted exploitation.” The patch fixes the flaw in Android 11 and newer. Older versions of Android remain vulnerable. As with most Android updates, Pixel owners receive these updates immediately, while other OEMs need to validate the update for their hardware.

(Bleeping Computer)

Aviation organization hacked by multiple groups

CISA issued a joint advisory with the FBI and Cyber Command’s Cyber National Mission Force warning that several threat groups tied to different nation-states gained network access to an “Aeronautical Sector organization…involved in the broader aviation sector.” This began at least as far back as January 18th. Attackers gained access through a vulnerability in Zoho ManageEngine ServiceDesk Plus and by using disabled credentials to log into Fortinet’s VPN service. A lack of proper network segmentation and overall lax organization of the victim’s network meant CISA cannot determine what information the attackers exfiltrated. CISA’s incident response team worked with the victim from February through April to respond to the multiple breaches.

(CyberScoop)

Flipper Zero can launch Bluetooth spam attacks

The Flipper Zero made a name for itself as a versatile network and mobility pentesting tool. The security researcher known as “Techryptic” found another use: sending Bluetooth spam to iOS devices. The researcher sent spoofed advertising packets over Bluetooth Low Energy, making a nearby iPhone appear to be receiving a phone-number transfer, connecting an AirTag, or setting up a new iPhone. They also claimed that sending a high enough volume of these spoofed notifications could severely disrupt the iOS UI. This functionality requires a custom firmware update to enable Bluetooth and a settings file. Techryptic claims this technique works even on phones in Airplane mode.

(Bleeping Computer)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.