Windows TCO and Security Leftovers
-
Silicon Angle ☛ US proposes tougher cybersecurity rules for healthcare organizations [Ed: Short of banning Windows, this simply won't accomplish anything]
Healthcare providers in the United States might be forced to beef up their cybersecurity practices in the wake of new proposals made by the U.S. Department of Health and Human Services.
-
Bruce Schneier ☛ Salt Typhoon’s Reach Continues to Grow [Ed: The cost of back doors]
The US government has identified a ninth telecom that was successfully hacked by Salt Typhoon.
-
Windows TCO / Windows Bot Nets
-
The Verge ☛ The US Treasury Department was [breached] [Ed: BeyondTrust is a Microsoft proxy of sorts]
In a letter to lawmakers seen by The Verge, the Treasury Department said BeyondTrust, the company behind its remote management software, notified the agency of a breach on December 8th.
The threat actor stole a key used by BeyondTrust “to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users.” With the key, they overrode the security to remotely access those users' workstations and “some unclassified documents” they maintained.
-
The Record ☛ Beijing-linked [intruders] penetrated Treasury systems
A Chinese state-sponsored actor was responsible for a “major incident” that compromised U.S. Treasury Department workstations and classified documents, according to a letter the agency sent congressional lawmakers on Monday.
In a missive to the Senate Banking Committee, the department said it was notified on December 8 by BeyondTrust, a third-party software provider, that a foreign actor had obtained a security key that allowed the perpetrator to remotely gain access to employee workstations and the classified documents stored on them.
-
Axios ☛ Treasury says China [intruders] targeted it in "major" breach
What's next: Treasury said in the letter that it is actively working with the FBI, the Cybersecurity and Infrastructure Security Agency and the intelligence community to investigate the breach.
-
Le Monde ☛ Cybersecurity: US Treasury says it was [breached] by China-backed cyberattack
"The compromised BeyondTrust service has been taken offline and there is no evidence indicating the threat actor has continued access to Treasury systems or information," the department's spokesperson said. In its letter to the leadership of the Senate Banking Committee, the Treasury said: "Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor."
-
VOA News ☛ US Treasury: Chinese [intruders] remotely accessed workstations, documents
The department said it learned of the problem on Dec. 8 when a third-party software service provider, BeyondTrust, flagged that [intruders] had stolen a key used by the vendor that helped it override the system and gain remote access to several employee workstations.
The compromised service has since been taken offline, and there's no evidence that the [intruders] still have access to department information, Aditi Hardikar, an assistant Treasury secretary, said in the letter Monday to leaders of the Senate Banking Committee.
-
New York Times ☛ China [Broke Into] Treasury Dept. in ‘Major’ Breach, U.S. Says
In a letter informing lawmakers of the episode, the Treasury Department said it had been notified on Dec. 8 by a third-party software service company, BeyondTrust, that the [attacker] had obtained a security key that allowed it to gain remote access to certain Treasury workstations and documents on them.
“Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor,” the letter said. “In accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident.”
-
Wired ☛ US Treasury Department Admits It Got [Breached] by China
A disclosure notice to the United States Congress on Monday revealed that the US Treasury Department suffered a breach earlier this month that allowed [intruders] to remotely access some Treasury computers and “certain unclassified documents.”
The attackers exploited vulnerabilities in remote tech support software provided by the identity and access management firm BeyondTrust, and Treasury said in its letter to lawmakers that “the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor.” Reuters first reported the disclosure and its contents.
-
Silicon Angle ☛ Third-party provider [breach] exposes US Treasury Department unclassified documents
Having gained access to the stolen key, the threat actor overrode the service’s security to remotely access Treasury workstations and access certain unclassified documents.
Upon being made aware of the breach, the Treasury Department informed and started working with the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the intelligence community and third-party investigators to determine the cause of the breach and its overall impact.
-
Reuters ☛ US Treasury says Chinese [intruders] stole documents in 'major incident'
The Treasury Department said it was alerted to the breach by BeyondTrust on Dec. 8 and that it was working with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to assess the hack's impact.
-
Security Week ☛ Chinese [Intruders] Accessed US Treasury Workstations in ‘Major’ Cybersecurity Incident
While the Treasury described the situation as a “major cybersecurity incident,” the scope of the breach was not detailed, with no information on how many workstations had been compromised or what types of documents may have been accessed.
In a letter to lawmakers, Aditi Hardikar, Assistant Secretary for Management at the U.S. Department of the Treasury, said the Department learned of the problem from BeyondTrust on December 8th when the vendor said a threat actor had gained access to a key used by BeyondTrust to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users.
-
Modern Diplomacy ☛ Cyber Pandora’s Box
Imagine opening your eyes one fine day and there is a blackout, banks cannot carry out transactions and government’s sensitive information has fallen into the clutches of the enemy. This is not a snapshot from the silver screen but an unsettling reality which looms large and nations across the world have often come across. In 2021, fuel supplies across the East Coast in the United States were halted for approximately 5 days as a result of a ransomware cyberattack on Colonial Pipeline by a hacker group known as DarkSide. This incident shook one of the world’s most advanced economies. If powerful nations like the United States are a sitting duck to such nefarious attacks, where do we stand? Can Pakistan manage to pay a ransom to cybercriminals if it falls prey to a large-scale cyberattack? What if our defense systems and critical infrastructure become captives? Pakistan is no novice to cyberattacks. The Federal Board of Revenue (FBR) encountered a cyberattack in October 2023, on account of an outdated [sic] Microsoft Hyper-V software, resulting in a 72-hour outage of its websites. In addition, the recent power blackout in January 2023 also holds testament to Pakistan’s power sector’s vulnerability to potential cybersecurity breaches. Pakistan’s banking sector is also in the lion’s den. From January to October 2024, Kaspersky reported a 114 per cent increase in banking and financial malware attacks compared to the same period in the previous year. This is just the tip of the iceberg in an era where states and non-state actors alike have resorted to cyberattacks as a sought-after weapon to bring their sinister objectives to fruition.
-
-
Confidentiality
-
SANS ☛ Changes in SSL and TLS support in 2024
With the end of the year quickly approaching, it is undoubtedly a good time to take a look at what has changed during the past 12 months. One security-related area, which deserves special attention in this context, is related to the use of different versions of SSL and TLS on various servers on the internet, since information about support for these protocols can provide us with a good informal indicator for the overall “level of security” on the global network as a whole.
This is true especially when it comes to web servers, since there are a lot of them, and the continued support for deprecated[1] versions of the aforementioned cryptographic protocols (i.e., SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1) on a specific web server shows quite well that the server is not configured in line with current security best practices (and it gives a good indication that it probably lacks important updates and patches as well).
-
-
Integrity/Availability/Authenticity
-
The Record ☛ On the sixth day of Christmas, an X account gave to me: a fake 7-Zip ACE
Igor Pavlov, the developer behind 7-Zip, was less generous, telling the 7-Zip discussion forum’s bugs section: “This report on Twitter is fake. And I don’t understand why this Twitter user did this. There is no such ACE vulnerability in 7-Zip / LZMA.”
-
Krebs On Security ☛ U.S. Army Soldier Arrested in AT&T, Verizon Extortions
Immediately after news broke of Moucka’s arrest, Kiberphant0m posted on the hacker community BreachForums what they claimed were the AT&T call logs for President-elect Donald J. Trump and for Vice President Kamala Harris.
-