Cybersecurity Snapshot: CSRB Calls Exchange Online Hack “Preventable,” While CISA, Others Warn About XZ Utils Backdoor Vulnerability

Check out why the Cyber Safety Review Board has concluded that the Microsoft Exchange Online breach “should never have occurred.” Plus, warnings about the supply chain attack against the XZ Utils open source utility are flying. In addition, a report says ransomware attacks surged in February. And the U.S. government issues a comprehensive AI usage policy for federal agencies. And much more!

Dive into six things that are top of mind for the week ending April 5.

1 - CSRB on 2023 Microsoft cloud breach: It was preventable

With basic security practices in place, Microsoft could have prevented last year’s Exchange Online breach in which Storm-0558, a hacking group affiliated with the Chinese government, stole emails from U.S. government officials.

That’s the key takeaway from a report released this week by the U.S. Department of Homeland Security’s Cyber Safety Review Board (CSRB) and titled “Review of the Summer 2023 Microsoft Exchange Online Intrusion.”

“The Board finds that this intrusion was preventable and should never have occurred,” the report reads. 

Specifically, the CSRB said it found Microsoft’s security investments insufficient and its risk-management practices lax, a sharp contrast to the tech giant’s prominent position in the tech industry and to the trust that customers place in the company.

“The Board recommends that Microsoft develop and publicly share a plan with specific timelines to make fundamental, security-focused reforms across the company and its suite of products,” the DHS said in its announcement of the CSRB report.

The report points to a “cascade of Microsoft’s avoidable errors” and to the company’s inability to detect the compromise of its “cryptographic crown jewels” which a customer instead identified. 

Because its products are ubiquitous and underpin national security, the country’s economic foundations and public health, Microsoft must “demonstrate the highest standards of security, accountability, and transparency,” the report reads.

In a statement, Tenable Chairman and CEO Amit Yoran praised the CSRB, calling the report “a masterful piece of work.” 

“This is not some watered down, wishy-washy document full of government speak and platitudes. After a thorough investigation, this body of august experts issued a powerful document that should serve as a wake-up call to cloud providers that cybersecurity must be a priority,” Yoran said.

“While some cyber failures are unavoidable, we shouldn’t assume that to always be the case. The report states that ‘the intrusion was preventable’ and the Federal government has put its foot down over Microsoft’s repeated cybersecurity failures,” Yoran added.

Storm-0558 breached Exchange Online in May and June of 2023, compromising mailboxes from 22 organizations and 500-plus people around the world, including the U.S. Commerce Secretary, the U.S. Ambassador to China and a U.S. Congressman.

The report also offers recommendations for securing cloud environments and their identity and authentication infrastructure, as “cloud computing has become an indispensable resource to this nation, and indeed, much of the world.”

Recommended best practices for cloud service providers like Microsoft include:

• Continuously analyze and store the logs of all systems that could let attackers compromise your cloud environment, such as identity systems
• Design digital identity and credential systems in a way that reduces the chances of a “complete system-level compromise” by using, for example, stateful tokens and frequently rotating encryption keys
• Adopt standards designed to protect against credential attacks, such as Open Authorization (OAuth) 2, Demonstrating Proof-of-Possession (DPoP) and OpenID Shared Signals and Events (SSE)

2 - Hackers add malicious code to open-source library XZ Utils 

CISA and multiple security researchers are warning about a supply-chain compromise in which attackers added a backdoor to the XZ Utils open-source data compression library used in popular Linux distributions. Versions 5.6.0 and 5.6.1 of XZ Utils are impacted by this vulnerability (CVE-2024-3094).

To get all the details about this issue, read Tenable Research’s blog “Frequently Asked Questions About CVE-2024-3094, A Backdoor in XZ Utils,” which recommends that developers and users downgrade to known, unaffected versions of XZ Utils. 

“However, in addition to downgrading, it is strongly advised that developers and users conduct incident response to determine if they have been impacted as a result of this backdoor,” the Tenable Research blog reads.

For more coverage and analysis, check out:

• “What we know about the xz Utils backdoor that almost infected the world” (Ars Technica)
• “XZ Utils Backdoor Implanted in Carefully Executed, Multiyear Supply Chain Attack” (Dark Reading)
• “How one volunteer stopped a backdoor from exposing Linux systems worldwide” (The Verge)
• “Dangerous XZ Utils backdoor was the result of years-long supply chain compromise effort” (CSO Online)
• “Are You Affected by the Backdoor in XZ Utils?” (Dark Reading)

VIDEOS

XZ Utils Back Door AFTERMATH - Who did it? (SavvyNik)

Revealing the features of the XZ backdoor (Low Level Learning)

3 - Report: Ransomware attacks jump in February

Ransomware attacks swelled globally in February, increasing 46% from January, with the industrials sector being the hardest hit, absorbing almost one third of all attacks. That’s according to NCC Group’s “Monthly Threat Pulse” report for February.

Compared with February of 2023, the number of attacks observed by NCC Group ballooned 73%, and more than doubled (124%) compared with February 2022. And expect ransomware attacks to continue trending up.

“If 2024 is to follow the same pattern as 2023, we can expect a further increase going into March as we start to reach the baseline for 2024’s ransomware activity, which will likely consistently surpass that of 2023 based on previous trends,” the report reads.

LockBit 3.0 ranked as the most prevalent ransomware variant, accounting for 33% of all attacks in February.

NCC Group has also noticed an uptick in newer, smaller ransomware-as-a-service groups, with more than 10 emerging so far this year. What’s driving this trend? More frequent crackdowns on well-known, large ransomware gangs.

"Recent law enforcement activity has the potential to polarize the ransomware landscape, creating clusters of smaller RaaS operators that are highly active and harder to detect due to their agility in underground forums and markets,” Matt Hull, Global Head of Threat Intelligence at NCC Group, said in a statement about the February ransomware report.

4 - OMB issues first U.S. government-wide AI policy

Involved with crafting your organization’s AI usage policy? You may want to take a look at how the U.S. government is going about it.

The U.S. Office of Management and Budget (OMB) recently issued Uncle Sam’s first government-wide AI policy designed to help federal agencies mitigate the risks and maximize the benefits of using AI.

Specifically, the new policy mandates that federal agencies take a number of actions, including:

• Assess, test and monitor their AI systems to identify and prevent risks to the public, including algorithmic bias
• Expand transparency into how their AI systems work and how they’re being used
• Remove barriers that impede responsible AI innovation
• Hire staff that’s knowledgeable in AI and expand the AI skills of existing staff
• Appoint Chief AI Officers to coordinate AI use across agencies, and establish AI governance boards

To get more details, read this White House fact sheet.

For more information about developing and adopting a policy for secure, compliant and responsible use of AI:

• “How businesses can responsibly use AI and address ethical and security challenges” (Thomson Reuters)
• “AI Policy and Governance: What You Need to Know” (eWeek)
• “Key Considerations for Developing Organizational Generative AI Policies” (ISACA)
• “13 Principles for Using AI Responsibly” (Harvard Business Review)
• “10 top resources to build an ethical AI framework” (TechTarget)

VIDEO

Ultimate Guide to AI for Businesses (TechTarget)

5 - NTIA report aims to help White House craft AI regulations

After about a year of work, the National Telecommunications and Information Administration (NTIA) released its much-awaited report on AI accountability, for which it fielded almost 1,500 comments from individuals and organizations.

The report aims to help the White House develop guidance, policies and regulations to promote the secure and responsible development and use of AI systems. Here are some of the NTIA recommendations for the federal government and its stakeholders:

• Create guidelines for crafting and conducting independent audits of AI systems
• Improve standard information disclosures about AI systems
• Invest in areas including technical infrastructure and staff to facilitate AI-system auditing, testing and evaluations
• Mandate independent evaluations and regulatory inspections of AI models and systems considered “high risk”

For more details, check out the NTIA’s “Artificial Intelligence Accountability Policy” homepage and the report itself.

6 - DDoS attacks, quantum threat among banks’ emerging cyber risks

An intensification of distributed denial of service (DDoS) attacks. The need to boost encryption protection. The use of regulations as extortion methods. Hackers’ weaponization of AI.

Those are some of the cyber challenges the financial sector currently faces, according to the report “Navigating Cyber 2024” from FS-ISAC, a non-profit focused on reducing cyber risk and improving cybersecurity globally in the financial industry.

Although the financial services industry experienced a cyber landscape in 2023 that was more stable than in years past, it must be ready to tackle a number of challenging trends.

According to FS-ISAC, these trends include:

• Heightened hacktivism: With multiple elections occurring in 2024 globally, FS-ISAC expects hacktivists to ramp up disruptive DDoS attacks, which impact financial institutions disproportionately.
• A disinformation upsurge: Also triggered by elections, AI-fueled disinformation campaigns will surge. “These campaigns pose substantial threats to financial services, their customers, and the democratic process,” the report reads.
• Weaponization of data-protection regulations: Ransomware attackers will continue boosting their extortion methods by threatening to report their victims to their country’s data-protection regulators.
• Quantum attack preparedness: Expected by 2030, quantum computers will be able to break today’s encryption algorithms. Thus, banks must start preparing by, for example, inventorying the systems whose encryption will need to get upgraded to quantum-resistant cryptography.

For more information about cyberthreats to banks:

• “4 Cyber Defense Tips for Finance Industry CISOs” (Center for Internet Security)
• “Top 3 Cyberthreats Facing the Financial Sector (ISACA)
• “Financial sector faces systemic cyber threats: Moody’s” (Investment Executive)
• “For financial services firms, a pattern of malicious cyber activity is emerging” (Cybersecurity Dive)