Happy week 10!
In this week's cybersecurity roundup, I cover a range of critical incidents and developments, from a Google engineer's theft of AI trade secrets to the discovery of multiple vulnerabilities in QNAP's NAS software.
🌐 This Week in Cybersecurity
Google Engineer Steals AI Trade Secrets for Chinese Companies
- Theft of Proprietary Information: Linwei Ding, a Google software engineer, is accused of stealing trade secrets related to Google's AI supercomputing systems, data center management software, and AI models from May 2022 to May 2023. He siphoned the data to a personal Google Cloud account while secretly affiliating with two Chinese tech companies.
- Concealment Techniques: To conceal the theft, Ding allegedly copied data from Google source files into Apple Notes on his company MacBook, converted them to PDFs, and uploaded them to his Google account. He also allowed another employee to use his access badge to give the impression he was working from the U.S. while in China.
- Competitive Advantage for Chinese Firms: Ding's startup company in China aimed to replicate and upgrade Google's computational power platform, giving them an unfair competitive advantage. The stolen trade secrets could potentially accelerate the development of AI capabilities in China.
- Legal Consequences: Ding has been charged with four counts of theft of trade secrets, each carrying a maximum penalty of 10 years in prison and a $250,000 fine. The case highlights the ongoing threat of intellectual property theft and the need for robust cybersecurity measures to protect sensitive data.
Microsoft Confirms Russian Cyberspies Stole Source Code and Accessed Internal Systems
- Ongoing Intrusion: Microsoft has confirmed that the Russian cyberspies known as Midnight Blizzard (aka Cozy Bear, APT29) have stolen source code and gained access to internal systems. The intrusion, which began in November, is characterized as "ongoing" with a significant commitment of resources by the threat actor.
- Unauthorized Access Attempts: Midnight Blizzard is using information initially exfiltrated from Microsoft's corporate email systems to attempt to gain unauthorized access to source code repositories and internal systems. While there is no evidence of compromised customer-facing systems, the volume of password spray attacks increased ten-fold in February compared to January.
- Potential Misuse of Sensitive Data: Concerns have been raised about how the potential access to Microsoft's sensitive data and AI models may be misused by hostile nation states, especially with 42 percent of the world's population electing new leadership in 2024. The threat actor may be accumulating information to enhance their ability to attack targeted areas.
- Ongoing Investigation and Mitigation: Microsoft's investigation is ongoing, and they are reaching out to affected customers to assist them in taking mitigating measures. The security breach has not had any financial impact on Microsoft's operations yet. However, the incident raises questions about Azure's authentication and security mechanisms, and reinforces the need for robust cybersecurity measures in the face of sophisticated nation-state attacks.
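Password spraying, the technique whose volume Microsoft reports rising ten-fold above, has a simple defensive signature: one source failing against many distinct accounts in a short window, as opposed to one user failing repeatedly against their own account. The script below is an added example (not code from the article or from Microsoft) that runs that check over a constructed set of sign-in records; the log format, IP addresses and account names are all made up for the illustration, and the ten-minute window and five-account threshold are tunable assumptions.

```python
"""Password-spray detection over sign-in logs (added example, not from the article).
A spray is one source trying a few passwords across many accounts; a single user
mistyping their own password fails repeatedly against one account and is not flagged."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: timestamp, source IP, account, result.
# 203.0.113.7 tries many accounts once each (spray pattern);
# 198.51.100.9 is one user mistyping a password twice (benign).
SAMPLE_LOG = """\
2024-02-10T08:00:01Z 203.0.113.7 alice FAIL
2024-02-10T08:00:03Z 203.0.113.7 bob FAIL
2024-02-10T08:00:05Z 203.0.113.7 carol FAIL
2024-02-10T08:00:07Z 203.0.113.7 dave FAIL
2024-02-10T08:00:09Z 203.0.113.7 erin FAIL
2024-02-10T08:00:11Z 203.0.113.7 frank SUCCESS
2024-02-10T08:01:00Z 198.51.100.9 grace FAIL
2024-02-10T08:01:10Z 198.51.100.9 grace FAIL
2024-02-10T08:01:20Z 198.51.100.9 grace SUCCESS
2024-02-10T09:30:00Z 203.0.113.7 heidi FAIL
"""


def parse_log(text):
    """Parse the constructed whitespace-separated format into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, account, result = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, account, result))
    return records


def detect_spray(records, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: sorted accounts} for every source that failed against at
    least `min_accounts` distinct accounts inside some sliding time `window`."""
    failures_by_src = defaultdict(list)
    for ts, src, account, result in records:
        if result == "FAIL":
            failures_by_src[src].append((ts, account))

    hits = {}
    for src, fails in failures_by_src.items():
        fails.sort()  # chronological, so a two-pointer sliding window works
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {acct for _, acct in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits[src] = sorted(accounts)
                break
    return hits


def successes_from_sprayers(records, sprayers):
    """Accounts that a flagged source signed into successfully: these are the
    accounts with guessable passwords that need a reset and session revocation."""
    return sorted({acct for _, src, acct, res in records
                   if src in sprayers and res == "SUCCESS"})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    flagged = detect_spray(recs)
    print("spray sources:", flagged)
    print("accounts to reset:", successes_from_sprayers(recs, flagged))
```

The threshold is deliberately on distinct accounts rather than total failures, so account lockout policies (which count failures per account) do not hide the pattern; in a real deployment the source key would usually be the IP plus the user-agent or tenant, since sprays are often spread over many addresses.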
QNAP Discloses Multiple Vulnerabilities in NAS Software
- Authentication Bypass Vulnerability: QNAP disclosed a critical vulnerability (CVE-2024-21899) in its NAS software that allows remote attackers to bypass authentication mechanisms and compromise the system's security without requiring prior access. This flaw is marked as "low complexity," indicating it is relatively easy to exploit.
- Command Injection and SQL Injection Vulnerabilities: Two additional vulnerabilities, CVE-2024-21900 and CVE-2024-21901, could allow authenticated users to execute arbitrary commands and inject malicious SQL code on the system, respectively. While these flaws require prior authentication, they still pose a significant risk to the integrity and security of the NAS devices.
- Affected Software Versions: The vulnerabilities impact various versions of QNAP's operating systems, including QTS, QuTS hero, QuTScloud, and the myQNAPcloud service. Users are strongly advised to upgrade to the latest patched versions to mitigate the risk of exploitation.
- NAS Devices as Attractive Targets: NAS devices often store valuable and sensitive data, making them lucrative targets for cybercriminals. Ransomware groups like DeadBolt, Checkmate, and Qlocker have previously targeted QNAP devices, sometimes using zero-day exploits to breach even fully patched systems. To minimize the risk of compromise, NAS owners should keep their software up to date and avoid exposing these devices directly to the internet.
Apple Releases Security Updates for Two Actively Exploited Zero-Day Vulnerabilities
- Vulnerability Details: Apple has addressed two critical vulnerabilities, CVE-2024-23225 and CVE-2024-23296, which were actively exploited in the wild. CVE-2024-23225 is a memory corruption issue in the Kernel, while CVE-2024-23296 affects the RTKit real-time operating system (RTOS). Both flaws allow attackers with arbitrary kernel read and write capabilities to bypass kernel memory protections.
- Affected Devices and Updates: The vulnerabilities impact various Apple devices, including iPhone 8 and later, iPad Pro models, iPad Air 3rd generation and later, and iPad mini 5th generation and later. iOS 16.7.6, iPadOS 16.7.6, iOS 17.4, and iPadOS 17.4 have been released to address these issues, with improved validation as the mitigation measure.
- Exploitation Details: Although the exact nature of the exploits is currently unknown, Apple has confirmed that these vulnerabilities were actively exploited in the wild. This marks the third set of actively exploited zero-day flaws addressed by Apple since the beginning of the year, highlighting the ongoing threat landscape.
- CISA Advisory: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two additional vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. These include an information disclosure flaw affecting Android Pixel devices (CVE-2023-21237) and an operating system command injection flaw in Sunhillo SureLine (CVE-2021-36380). US Federal agencies are required to apply necessary updates by March 26, 2024, to mitigate potential risks associated with these vulnerabilities.
RA World Ransomware Targets Healthcare and Financial Sectors Globally
- Attack Chain: RA World employs a multi-stage attack involving compromised domain controllers, GPO modification, lateral movement, persistence, defense evasion, and data encryption. The ransomware is based on leaked Babuk source code and targets organizations primarily in the US, with some attacks in Germany, India, and Taiwan.
- Initial Access and Lateral Movement: The threat actors gain initial access through compromised domain controllers and deliver Stage1.exe to the SYSVOL share path. Stage1.exe checks for specific conditions, copies Stage2.exe and pay.txt to local machines, and executes Stage2.exe. This targeted approach allows the payloads to spread within the network.
- Persistence and Defense Evasion: Stage2.exe creates a new Windows service named MSOfficeRunOncelsls, configures the system to boot into Safe Mode with Networking, and decrypts the ransomware payload (Stage3.exe). It also deletes malware remnants and creates registry keys for persistence.
- Encryption and Impact: Stage3.exe, the actual RA World ransomware payload, encrypts data and drops a ransom note pressuring victims to pay by listing recent non-compliant victims. The operators also deploy SD.bat to wipe out security software folders, gather disk information, remove Safe Mode settings, and force a system reboot.
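The attack chain above leaves several host-level artifacts a defender can hunt for: a service installation with the name MSOfficeRunOncelsls, a boot-configuration change that forces Safe Mode with Networking (and its later removal), and stage binaries launched from the SYSVOL share. The script below is an added example (not code from the article or from the researchers who analysed RA World) that applies those three checks to a constructed list of Windows events; the event IDs are the standard ones (7045 for a service install in the System log, 4688 for process creation with command-line auditing), while the hostnames, the service image path and the command lines are made up for the illustration.

```python
"""Hunting for RA World host artifacts (added example, not from the article).
Events are modelled as plain dicts; a real pipeline would feed these from a SIEM."""
import re

# Constructed sample events. Only the service name and the stage binary names
# come from the article; every other value (hosts, paths) is invented here.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "ws01", "ServiceName": "MSOfficeRunOncelsls",
     "ImagePath": r"C:\ProgramData\svc.exe"},  # image path is constructed
    {"id": 4688, "host": "ws01",
     "CommandLine": r"bcdedit /set {default} safeboot network"},
    {"id": 4688, "host": "ws02",
     "CommandLine": r"\\dc01\SYSVOL\corp.example\scripts\Stage1.exe"},
    {"id": 4688, "host": "ws01",
     "CommandLine": r"bcdedit /deletevalue {default} safeboot"},
    {"id": 7045, "host": "ws03", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 4688, "host": "ws03", "CommandLine": r"notepad.exe report.txt"},
]

KNOWN_SERVICE = "MSOfficeRunOncelsls"          # service name reported for RA World
STAGE_BINARY = re.compile(r"stage[123]\.exe", re.IGNORECASE)
# Matches both setting safeboot (Stage2.exe) and deleting it again (SD.bat).
SAFEBOOT_CMD = re.compile(r"\bbcdedit\b.*\bsafeboot\b", re.IGNORECASE)


def evaluate(event):
    """Return (severity, reason) for one event, or None if nothing matched."""
    if event["id"] == 7045 and event.get("ServiceName") == KNOWN_SERVICE:
        return ("high", f"service {KNOWN_SERVICE} installed")
    if event["id"] == 4688:
        cmd = event.get("CommandLine", "")
        if "sysvol" in cmd.lower() and STAGE_BINARY.search(cmd):
            return ("high", "stage binary launched from SYSVOL share")
        if SAFEBOOT_CMD.search(cmd):
            return ("medium", "safe-mode boot configuration changed via bcdedit")
    return None


def scan(events):
    """Run every event through evaluate() and collect (host, severity, reason)."""
    findings = []
    for ev in events:
        verdict = evaluate(ev)
        if verdict:
            findings.append((ev["host"], *verdict))
    return findings


def hosts_with_full_chain(events):
    """Hosts showing both the service install and a safeboot change. Either
    indicator alone can have benign explanations; the pair is far more specific."""
    reasons_by_host = {}
    for host, _severity, reason in scan(events):
        reasons_by_host.setdefault(host, set()).add(reason)
    return sorted(host for host, reasons in reasons_by_host.items()
                  if any("service" in r for r in reasons)
                  and any("safe-mode" in r for r in reasons))


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
    print("full chain on:", hosts_with_full_chain(SAMPLE_EVENTS))
```

Because the operators modify Group Policy to push Stage1.exe through SYSVOL, the SYSVOL rule is worth running against domain controllers as well as workstations; a legitimate logon script launched from SYSVOL will not match it unless it is literally named after one of the stage binaries, which keeps the false-positive rate low.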
🛠️ Security Tools
- AlienVault OSSIM - Open-source SIEM for event collection, normalization, and correlation.
- Wazuh - Open-source platform for threat detection, integrity monitoring, incident response, and compliance.
- OpenEDR - Endpoint Detection and Response solution providing real-time data analysis and threat hunting.
🚀 Startup Watch
- Axonius raises $200 million from returning investors. The company, while unprofitable, plans to use new funding to accelerate growth through acquisitions, as it looks to build out its cybersecurity platform by adding tools that help manage different IT assets, CEO and Co-founder Dean Sysman told Reuters in an interview.
- Pentera unveils new cloud security testing solution. Pentera Cloud seems like a promising solution that can help organizations stay one step ahead of the bad guys as they migrate to cloud environments. I'm excited to see how this technology evolves.
- Todyl, a networking and security startup, has raised $50 million in a Series B funding round led by Base10 Partners to expand its cybersecurity platform and global presence. Todyl's ambition to consolidate critical functions (SIEM, EDR, GRC, SASE) into a single platform is promising, but many have failed on this path.
📚 Recommended Reads
- An inspiring story of overcoming imposter syndrome while transitioning from a military systems networking role into a dream job as a Linux Admin in a major DoD cybersecurity branch. I love how the author found wisdom and self-confidence from an unlikely source - the movie Kung Fu Panda and Jack Black's character Po, who learned to believe in himself as the Dragon Warrior.
- Three hackers collaborate to find vulnerabilities in Google's AI systems during a special bug bounty event. Through their combined efforts, they uncovered several significant security flaws, including an IDOR vulnerability in Bard's Vision feature, a DoS issue in Google Cloud's GraphQL API, and a way to exfiltrate sensitive user data from Google Workspace via Bard. Their persistence, creativity, and teamwork allowed them to earn substantial bounties and recognition from Google for their impressive findings.
- Risk3sixty launches a free ISO 42001 course. While the course is high-level, it provides a good foundation for implementing an AI Management System and the new ISO standard.
⭐️ 3 Ways I Can Help You
- Work with me. I love helping people! Let's discuss your challenges, career, or ask me anything about cybersecurity in 25 minutes.
- Get access to Cyber Strategy OS. My curated collection of valuable resources for every cybersecurity professional.
- Looking for something different? Reach out.
If this sparked your interest, I'd love to hear from you in the comments. Stay tuned for more and consider following me on LinkedIn and X.
Nikoloz