A first-of-its-kind Log4j review, TikTok security moves and cyberattacks that weren’t

Rob Silvers (left), co-chair of the Cyber Safety Review Board, is pictured alongside Homeland Security Secretary Alejandro Mayorkas at a meeting Friday. DHS Policy/via Twitter

Welcome to Changelog for 7/17/22, published by Synack! Microsoft’s game of macro musical chairs appears to be over. The company said it’s planning to disable internet macros by default after all, following its decision to pause the change in key Office apps late last month. There are signs cyber criminals are already shifting away from macros as a go-to attack tool. Here’s what else happened last week:

 

The payload

The Log4j vulnerability is looking like a cybersecurity cicada brood that could crop up again ten years from now, based on a new report from a Department of Homeland Security panel.

The Cyber Safety Review Board, launched earlier this year to investigate the cyber equivalent of train derailments, explored the global fallout from the Log4j flaw in its inaugural report released last week. While there was some good news — malicious hackers haven’t exploited Log4j to launch devastating cyberattacks on critical infrastructure — the report also featured some grim takeaways, as Nathaniel Mott reported for README. The CSRB’s 15 members include officials like NSA cybersecurity director Rob Joyce as well as industry representatives like Wendi Whitmore, senior vice president for Palo Alto Networks’ Unit 42 cyber research team.

The CSRB said Log4j highlights “security risks unique to the thinly-resourced, volunteer-based open source community,” a problem that isn’t close to being fixed.

The group had a few recommendations to improve open source security, from developing a framework to prioritize widely used open source software packages in need of closer attention to launching initiatives to pay OSS developers.

The CSRB also described Log4j as a “once-in-a-generation security event.” I’m not so sure. Considering the steady drumbeat of major hacks and software bugs in recent years, “once-in-a-generation” cyber events remind me of the “100-year floods” that keep happening in our era of climate change. We may see another Log4j-level vulnerability before too long.

The week, compiled

You don’t typically hear about hacks that don’t happen.

So I got a kick out of a clever paper by Max Smeets, a senior researcher at the Center for Security Studies at ETH Zurich, that was published in the Bulletin of the Atomic Scientists last week.

Smeets reviewed cases where the U.S. military refrained from following through with disruptive cyberattacks on foreign targets — episodes that have been “largely overlooked as sources of insight,” as he put it. These include plans for offensive cyber operations targeting Libya’s air defense system in 2011, and a classified proposal in 2003 aimed at dismantling Iraq’s financial networks to block Saddam Hussein from being able to fund and equip his army.

 1_qBjH3a1Chz13bkkTab2NIw
An F-16 fighter jet is pictured preparing for a nighttime operation in Libya at Crete’s Souda Air Base in 2011. Metziker/Flickr

“What at first glance appear to be cyber non-events in fact help us to identify the difficulties of planning cyber operations alongside conventional military operations,” Smeets noted. “These non-events also aid in examining the US record (which actually shows considerable restraint), give context to institutional efforts, and show how uncertainty about collateral damage can lead to inaction.”

Here are some other newsy items from the week:

CNN: State-sponsored Chinese hackers have put U.S. journalists in their crosshairs in recent months, including in the days leading up to the Jan. 6, 2021, insurrection at the Capitol, according to researchers at cybersecurity firm Proofpoint.

MIT Technology Review: The Defense Advanced Research Projects Agency has launched a multimillion-dollar bid to help secure the open source software that underpins military and civilian critical infrastructure networks.

The New York Times: American company L3Harris seriously entertained buying Israeli spyware vendor NSO Group — purveyor of the Pegasus zero-click hacking tool — before scuttling the deal amid pressure from the Biden administration.

Reuters: TikTok’s Global Chief Security Officer Roland Cloutier announced he is stepping down from his post, but he will remain in the company in a strategic advisory role. Kim Albarella, formerly head of security risk at TikTok, will serve as interim head of security as the company faces increasing scrutiny from U.S. regulators over cybersecurity issues linked to its Chinese ownership.

A message from Synack

In today’s threat landscape, everyone agrees “it’s a jungle out there.” At Black Hat, Synack will share our cybersecurity expertise to help attendees survive this jungle. Visit us in booth #2328, where we’ll serve jungle juice in the tiki bar and host other events in our penthouse suite. You’ll gain a deeper perspective on adversary tradecraft from our live cyber talks in the Synack Cave, featuring experts from our elite Synack Red Team. Learn more here.

Flash memory

On July 12, 2021, the Senate confirmed Jen Easterly to be director of the Cybersecurity and Infrastructure Security Agency, weeks after confirming Chris Inglis to be the nation’s first national cyber director.

Back then, both officials were still dealing with the fallout from the ransomware attack on Colonial Pipeline, which galvanized the Biden administration to take action on critical infrastructure security.

 1_CTRMYvEKfRTJ0V1mQzH75g
Jen Easterly speaks at the World Economic Forum Annual Meeting 2022 in Switzerland. World Economic Forum/Flickr

The Washington Post’s Aaron Schaffer had a timely breakdown of Easterly and Inglis’ busy year since: They’ve had to deal with the U.S. response to Log4j, Russia’s invasion of Ukraine, and persistent workforce challenges brought on by a shortage of cybersecurity professionals, among other issues.

Both officials have received generally good reviews from bipartisan lawmakers, as Schaffer reported.

“Thanks to their actions, there is no question our nation is more prepared to deter online attacks and hold foreign adversaries and criminal hackers accountable for targeting our networks,” said Senate Homeland Security Committee Chairman Gary Peters (D-Mich.).

Local files

Reuters: The president of the European Central Bank was targeted by hackers who impersonated former German head of state Angela Merkel. ECB said the campaign against Christine Lagarde was quickly stopped before any information could be stolen.

The Washington Post: In a remarkable feat of fraud and social engineering, scammers in India set up a (physically real) fake cricket league and a designated Telegram channel to lure Russian gamblers into wagering on fixed matches.

Off-script

NASA stole the show last week when it released historic, jaw-dropping photos of faraway galaxies viewed through the powerful lens of its James Webb Space Telescope.

The images include the most distant clusters of stars, cosmic gas and dust yet observed by humankind — including some of the very earliest galaxies to form after the Big Bang. Some of the galaxies are so far away, the light they emit has traveled for over 13 billion years to reach us.

As if that wasn’t enough to blow my mind, NASA scientists shared this factoid about the first-of-its-kind picture below:

“If you held a grain of sand up to the sky at arm’s length, that tiny speck is the size of Webb’s view in this image.”

 1_XsvT7v7FRzOlpsFS9PYb5A
The first image released from NASA’s Webb telescope, which was launched into orbit last December. NASA

That’s all for now — please send tips, feedback, or any NASA best-ofs to bsobczak@synack.com. Catch you next Sunday!