A fresh Pwn2Own perspective, Cyber Command’s Ukraine revelation and some personal news

The Pwn2Own Miami hacking competition played out at the Fillmore Miami Beach in April. Photo credit: Blake Sobczak

Welcome to Changelog for 6/5/22! It’s me, Blake, and I’m thrilled to announce I’m taking on a new role as editor-in-chief of README and head of communications here at Synack. It’s an exciting but bittersweet moment for me, as it means saying goodbye to README’s founding EIC Mike Farrell, whose last day was Friday. Mike spearheaded README’s launch last summer and built the publication from the ground up. I wish him all the best in his next endeavor!

As for Changelog: I’ll still guide you through the week’s cybersecurity news each Sunday. And I can’t wait to steer README in some exciting new directions. Stay tuned, and if you’ll be at the RSA cybersecurity conference this week in San Francisco, swing by Fogo de Chão to say hi!

The payload

Pwn2Own hacking events attract the crème de la crème of the cybersecurity research community with their eye-popping cash payouts and fiendishly difficult zero-day challenges.

So it’s all the more remarkable that Vera Mens helped her team at Claroty take home top honors in Miami Beach this spring in her first-ever Pwn2Own event — just a few months after joining the industrial cybersecurity company.

Mens recounted her experience switching from a career in programming to one in the rarefied world of industrial cybersecurity for README in a part-personal, part-technical recap.

Pwn2Own Miami, hosted by the Trend Micro-backed Zero Day Initiative, awarded $400,000 in April for more than two dozen unique zero-day vulnerabilities. Many of the flaws affected the software backbones that keep lights on and potable water flowing in critical infrastructure systems throughout the world.

“The Claroty Research (@claroty) team of Noam Moshe, Vera Mens, Amir Preminger, Uri Katz, and Sharon Brizinov needed a little time, but they did get their amazing buffer overrun chain to achieve code execution against Kepware KEPServerEx,” the Zero Day Initiative wrote in their summary of the event.

I respect the Zero Day Initiative’s goal of finding critical bugs before they can be exploited by malicious hackers. But I didn’t spend much time at the Pwn2Own stage when I covered the S4 industrial cybersecurity conference earlier this year because the bulk of the technical information there flew over my head.

Still, there’s a reason you won’t find too many of those technical details of Mens’ research in her README writeup — for now, vendors are busy fixing the vulnerabilities.

The week, compiled

Gen. Paul Nakasone, head of U.S. Cyber Command, ruffled feathers in foreign policy circles last week when he revealed that U.S. state-backed hackers have led “offensive” cybersecurity missions in support of Ukraine, as British broadcaster Sky News exclusively reported.

With all the handwringing over what constitutes an “act of war” in cyberspace, some observers treated Nakasone’s admission as a major escalation in U.S. involvement with Russia’s months-long war in Ukraine.

I’m not so sure. While I applaud Sky News technology reporter Alexander Martin for unearthing new and interesting information about Cyber Command’s operations, I doubt Nakasone’s comments will worsen any sort of ill-defined cyber Cold War with Moscow.

Cyber Command says in its 2018 vision statement that its day-to-day activities are aimed at “maneuvering seamlessly between defense and offense across the interconnected battlespace.”

It’s hardly a surprise that the first ground war to come to Europe in decades would elicit a response from USCYBERCOM, and it’s difficult to imagine a weakened Russian President Vladimir Putin will get too worked up about Nakasone’s latest comments.

Here are some other newsy nuggets:

Photo credit: Thomas Hawk/Flickr

README: A nasty zero-day bug in Windows sent cyber defenders scrambling to their posts over Memorial Day weekend, as I wrote last Wednesday. Nation-state groups are actively exploiting the previously unknown vulnerability in Microsoft Support Diagnostic Tool (MSDT). After the so-called Follina bug emerged, another zero-day in Atlassian Confluence Server software came to light late last week, keeping the cybersecurity community very busy.

Vice: The Discord messaging platform, known for its popularity among gamers, has become the go-to communications tool for cryptocurrency enthusiasts. That’s made it a target for scammers and cybercriminals. “The security concerns for gamers are very different from the high stakes world of crypto,” as one Ethereum entrepreneur put it.

BankInfo Security: Okta CEO Todd McKinnon said the Lapsus$ cybercriminal group’s headline-grabbing hack of an Okta workstation earlier this year did not have a material impact on the authentication company’s business.

A message from Synack

Synack Red Team mission data indicates that once-a-year pentests are no longer adequate to protect sensitive missions or meet most compliance requirements. Government Agencies Deserve A Better Way To Pentest, one that scales to find vulnerabilities that matter most and to meet M-22-09 zero trust requirements for dedicated application security testing. Find your Better Way to Pentest today in Synack’s FedRAMP Moderate In Process environment.

Flash memory

I’m attending the RSA conference this week for the first time since 2019, and it’s bound to be a fascinating one.

The last time I tuned into the massive infosec event, the disinformation campaigns of Russia’s state-backed Internet Research Agency troll farm were still making waves. In one session I covered, Nakasone sat down with CBS News’ Olivia Gazis to shed some light on Cyber Command’s “defend forward” doctrine, aimed at proactively blocking malicious cyber activity before it can cause too much damage.

Army Gen. Paul Nakasone, head of U.S. Cyber Command, speaks at RSA in 2019. Photo credit: Blake Sobczak

Many of the issues in the 2019 conference are newly relevant. Russia at the time was enacting far-reaching censorship bills in a bid to tighten its grip on its domestic internet, as Ars Technica reported. And ransomware attackers were still menacing huge corporations and local governments alike. Speakers at this year’s RSA conference will explore some of the same challenges.

Local files

AP: The Cybersecurity and Infrastructure Security Agency detailed nine vulnerabilities in widely used voting software in an advisory to state election officials, though the agency noted there are no signs attackers abused the flaws.

Krebs on Security: Weeks after Costa Rican President Rodrigo Chaves declared a state of national emergency over a spate of ransomware attacks on government infrastructure, the Hive ransomware group struck at the country’s health sector with a hack of the Costa Rican Social Security Fund (CCSS).

Off-script

The Washington Post published an ambitious multimedia piece late last month that amounts to a time capsule of Cairo’s sights and sounds. The article brought me back to my time in the historic city in fall 2010, from the honks of taxicabs to the hum of window A/C units and periodic calls to prayer.

The Post highlighted the important work of Youssef Sherif, 28, and Nehal Ezz, 26, to document Cairo’s evocative soundscape before it disappears amid rapid changes in one of the biggest cities in the world. Even if you may not share in my nostalgia, I’d recommend checking it out.

The view from my apartment in downtown Cairo in 2010. Photo credit: Blake Sobczak

That’s it for now. Please send tips, feedback and your №1 favorite Journey song to bsobczak@synack.com. Hope to catch many of you at RSA — I’ll be in the Bay Area all week!