Cyber Security Headlines Week in Review: Microsoft MSA answers, Keystroke monitoring software, G-Man Mudge

This week’s Cyber Security Headlines – Week in Review, is hosted by Rich Stroffolino  with guest Dan Walsh, CISO, VillageMD

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at

How Chinese hackers stole a Microsoft signing key

Microsoft released details how the Chinese-linked Storm-0558 threat group obtained a MSA key. The attackers used this key in the recent Exchange Online and Azure Active Directory breaches. This came from a cascade of failures. The MSA key leaked after a crash dump occurred on a consumer signing system. The dump should not contain the key, but it got added due to a race condition. The crash dump eventually moved to Microsoft’ internet-connected debugging environment. When the Storm threat actors compromised a Microsoft engineer’s corporate account, it discovered the key in the crash dump. 

(Bleeping Computer)

Companies using software to track remote workers

An article in Business Insider highlights how certain companies are using keystroke monitoring software to track remote workers’ time on the keyboard, resulting in dismissals when a required number of keystrokes per hour is not achieved. Named in the story are large companies like JPMorgan and Tesla. It also quotes an earlier New York Times story that showed that eight of the 10 largest US private companies track their employees’ productivity. The story also refers to a Business Insider article from October 2022 which points out that “not turning your webcam on for a work meeting may get people fired with little chance of winning a wrongful termination claim.”

(Business Insider)

CISA hires ‘Mudge’ to work on security-by-design principles

On Monday, the US government’s cybersecurity agency (CISA) confirmed it has added Peiter ‘Mudge’ Zatko to its roster as a Senior Technical Advisor. Zatko most recently served as the CISO at Twitter and blew the whistle on the social media giant’s security shortcomings. Zatko’s resume also credits him with some of the earliest buffer overflow vulnerability research, serving as a DARPA program manager and creating the Cyber Fast Track program. Jen Easterly said, “Mudge joins us in a part-time capacity to help us collaboratively shape a culture of security by design that is foundational to every security team, every C-suite, and every board room in the country.”


Technical details of Sandworm malware ‘Infamous Chisel’ released

Security agencies from the Five Eyes intelligence alliance – the US, the UK, New Zealand, Canada, and Australia, have released technical information of malware named Infamous Chisel, used by the Russian hacking group Sandworm as part of the war effort against Ukraine. The malware focused on Android devices used by members of Ukrainian military and was deigned to collect intelligence. Largely searching for files with .jpg or .txt extensions, Infamous Chisel is considered in the report as “low to medium sophistication, giving little thought to avoiding detection.” Cyberscoop points out that since many Android devices do not have a host-based detection system, there are few ways to monitor the Android devices for malicious behavior.

(Cyberscoop and CISA)

Huge thanks to our sponsor, DataBee, from Comcast Technology Solutions

DataBee™, from Comcast Technology Solutions, is a cloud-native security, risk and compliance data fabric platform that transforms your security data chaos into connected outcomes.
Built by security professionals for security professionals, DataBee makes your data a gold mine, rich with information that enables you to examine the past, react to the present, and protect the future of your business. Learn more at

Okta warns of IT help desk attacks

Okta, an identity and access management company, has issued a warning about a new wave of social engineering attacks aimed at IT service desk agents at some of its US-based customers. The company says these attacks are aimed at Okta Super Administrator accounts in order to get them to reset MFAs for power users. According to Bleeping Computer, “Okta has provided indicators of compromise for attacks observed between July 29 and August 19” and has also provided a list of IP addresses associated with these attacks, as well as security measures that should be taken.

(Bleeping Computer)

LockBit leaks documents swiped from UK defense contractor

Last month, British perimeter security company, Zaun Ltd., was breached by the notorious LockBit group. In its public breach disclosure on September 1, Zaud Ltd. indicated that LockBit had breached a PC used to control one of its manufacturing machines. The PC was running Windows 7, support for which concluded in 2020, with extended security updates ending in January 2023. Zaun said its cyber defenses prevented threat actors from encrypting their data but that about 10 gigabytes of info was stolen. Lockbit appears to have leaked sensitive documents relating to the physical security of agencies in the UK Ministry of Defence. However,  Zaud said it does not believe that any classified documents were compromised in the attack.

(Dark Reading)

Krebs on cracked LastPass keys

Security journalist Brian Krebs reports that a rash of cracked crypto wallets indicates that threat actors began successfully cracking stolen LastPass keys. Back in November, LastPass disclosed a data breach involving stolen password vaults for over 25 million users. According to MetaMast CEO Taylor Monahan, their researchers connected thefts targeting 150 to potentially cracked vaults, with over $35 million in losses. Monahan began tracking these thefts in March. These users all seemingly stored their private key “seed phrase” in LastPass. Krebs and Monahan recommend changing important credentials stored in LastPass since November. 

(Krebs on Security)

Connected cars not great for privacy and security

A recent report on connected cars from Mozilla gave all 25 major brands in the report a failing grade on security and privacy. Mozilla noted that privacy polies from these cars informs customers the companies can collect health and genetic information, immigration status, facial expressions, location, and in some instances sexual activity. This includes data colleced from telematics systems, but also extends to mobile apps and dealership visits. Over half the brands said they can share information with law enforcement, while 76% gave them the right to sell personal data to third parties. 

(Security Week)

Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.