Cybersecurity News: TikTok ban update, Sandworm hits Ukraine, North Korean streaming animators

TikTok ban passes the US House

The bill passed as part of a larger foreign aid package by a vote of 360-58. The House passed a similar standalone TikTok ban last month by a vote of 362-65, but that bill currently sits stalled in the Senate. Because the new bill is tied to aid for allies in Ukraine and Israel, the Senate will likely vote on it much faster. Senate Commerce Committee Chair Maria Cantwell has already signaled her support for the legislation. The new bill gives ByteDance potentially up to a year to divest TikTok before a formal ban, up from the six months laid out in the earlier bill. If it passes the Senate as-is, President Biden has already signaled he would sign it into law.

(The Verge)

Sandworm targets critical Ukrainian orgs 

The Ukrainian Computer Emergency Response Team, or CERT-UA, released a report on activity by the Russian-affiliated threat group Sandworm, believed to be associated with Russia's GRU military intelligence unit. The report claims that in March 2024, Sandworm disrupted IT systems at energy, water, and heating suppliers across 10 regions of the country. The group accessed these providers through a variety of vectors, including supply chain attacks, technical support channels, and novel malware. CERT-UA believes Sandworm coordinated the cyberattacks with missile strikes on infrastructure facilities.

(Bleeping Computer)

North Koreans animating streaming shows

A new report from the Stimson Center’s 38 North Project and Mandiant shows that a misconfigured North Korean server contained animation files with editing notes and instructions on them. The researchers traced back the assets to material used on Amazon’s animated show Invincible and a Cartoon Network show Iyanu: Child of Wonder. The server showed no signs that any production studio violated sanctions by contracting with North Korea directly, as this appeared to be significantly downstream of production. Traffic to the server shows access from three cities in China and Spain. Mandiant researcher Michael Barnhart said these animation efforts likely served to raise funds for the country’s regime. We’ve seen similar schemes with contracted North Korean IT workers in the past. 

(Wired)

European police warn tech industry about encryption

Tech platforms adding end-to-end encryption to messaging services remains a contentious issue. In the most recent sign of this, a group of 32 senior police officials from across Europe released a statement over the weekend warning that the tech industry is "at risk" of damaging its relationship with law enforcement over the issue. The statement didn't name a company but likely refers to Meta rolling out encryption as the default in Messenger. The statement claims encryption undermines both the platforms' and police's ability to identify illegal behavior like drug smuggling, human trafficking, and sexual abuse. Meta's global policy director for Messenger, Gail Kent, said in response that Meta uses other signals, like metadata and public posts, to detect predators.

(The Record)

Huge thanks to our sponsor, Veracode

AI coding companions assist in generating high-quality code snippets, while Veracode swoops in to conduct thorough security assessments, identifying and fixing vulnerabilities quickly. With this dynamic duo, developers can innovate with confidence, knowing their code is both efficient and secure. Secure more code with Co-Pilot or any AI coding companion and Veracode. We’ll be your wingman anytime.

LLM content threatens CSAM reporting system

The nonprofit National Center for Missing and Exploited Children runs CyberTipline, a federally authorized reporting system and repository for child sexual abuse material, or CSAM. The system takes in millions of reports a year from social platforms and forwards them to law enforcement. However, a report from the Stanford Internet Observatory found that resource and funding constraints mean only 5-8% of reports lead to arrests. Report co-author Alex Stamos says this percentage could dwindle significantly as AI-generated CSAM floods the system, pulling further resources away from actual children in peril. The report calls for investing in improving the current system rather than pursuing legislative remedies like requiring encryption backdoors or mandating client-side scanning by platforms.

(WaPo)

CrushFTP exposes system files

Security researcher Simon Garrelou reported a vulnerability in the CrushFTP service. All versions of CrushFTP below 11.1 contain the flaw, which allows escape from the virtual file system and access to files across the full host system. CrowdStrike reports seeing the flaw under active exploitation "in a targeted fashion." CrowdStrike's intelligence report indicates these attacks represent politically motivated reconnaissance. CrushFTP released a patch for the flaw, available through its dashboard.

(Infosecurity Magazine)

Windows Rootkit-like flaws

SafeBreach security researchers documented new flaws in the DOS-to-NT path conversion process on Windows that allow any unprivileged user to remove "trailing dots from any path element and any trailing spaces from the last path element." This could let someone hide files and processes, make malware appear as a verified executable, and hit Process Explorer with a denial of service. The attack chains four flaws; Microsoft has already patched three of them.

(The Hacker News)
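As an added illustration (not code from the article or from SafeBreach), the snippet below models the trailing-dot and trailing-space stripping the article describes and uses it as a defender's check: it flags file names in a listing that would be silently rewritten, and groups distinct names that collapse to the same NT path. The normalization rule is an assumption based only on the quoted description, not on Windows internals.

```python
# Added example: flag file names that change or collide under the
# DOS-to-NT trailing-dot/space stripping described in the article.
from collections import defaultdict


def dos_to_nt_like(path: str) -> str:
    """Approximate the conversion the article describes.

    Assumption (from the quoted description only): trailing dots are dropped
    from every path element, trailing spaces only from the last element.
    """
    elements = path.replace("/", "\\").split("\\")
    out = []
    for i, el in enumerate(elements):
        if i == len(elements) - 1:
            el = el.rstrip(" .")   # last element: dots and spaces
        else:
            el = el.rstrip(".")    # inner elements: dots only
        out.append(el)
    return "\\".join(out)


def find_suspicious(paths):
    """Return (original, normalized) pairs for names that change, plus
    groups of distinct inputs that collapse onto one NT path."""
    changed = []
    groups = defaultdict(list)
    for p in paths:
        n = dos_to_nt_like(p)
        groups[n.lower()].append(p)   # NTFS names are case-insensitive
        if n != p:
            changed.append((p, n))
    collisions = {k: v for k, v in groups.items() if len(v) > 1}
    return changed, collisions


# Constructed sample listing: three spellings of one document name,
# a directory element with a trailing dot, and one ordinary path.
SAMPLE = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\report.docx.",
    r"C:\Users\alice\Documents\report.docx ",
    r"C:\Users\alice\Desktop.\notes.txt",
    r"C:\ProgramData\svc.exe",
]

if __name__ == "__main__":
    changed, collisions = find_suspicious(SAMPLE)
    for orig, norm in changed:
        print(f"rewritten: {orig!r} -> {norm!r}")
    for nt_path, names in collisions.items():
        print(f"collision on {nt_path!r}: {names}")
```

Run against a real directory walk, the same logic surfaces names that only differ by characters the conversion throws away, which is what makes the hiding trick work.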

Medical diagnostic services disrupted by ransomware

The medical diagnostic and testing services provider Synlab Italia announced it suffered a security breach on April 18th. It took all IT systems offline, including email, and suspended medical services. This impacted 380 labs and medical centers across Italy. It did not affect the rest of the Synlab group, which operates in 29 other countries. Synlab Italia has not confirmed whether patient data was lost in the attack, and no group has claimed responsibility.

(Bleeping Computer)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.