IEEE Cipher --- Items from security-related news (E167)
Summary:
With everyone working remotely, the security of off-site employee
computers is crucially important. Microsoft fell victim to this (and
so did Okta, in the next item), and although the damage was minor, the
red flags for all companies are obvious. In Okta's case, during "a
five-day window of time between January 16-21, 2022 ... an attacker
had access to a support engineer's laptop." In Microsoft's case, the
company notes that the breach of a single account provided only
"limited access" to company systems, including some source files.
Nonetheless, the hackers, believed to be the group known as Lapsus$,
show "a sophisticated grasp of technology supply chains, understanding
how to use one organization's relationships or reliance on another to
its advantage."
Summary:
Okta is an identity provider company, and it was also hit by the
Lapsus$ hackers. In this case, a support engineer at one of Okta's
contractors had his computer hacked. Okta said that the tenants of "at
most" 366 customers may have been accessed. Some observers were
startled at Okta's subdued response to an incident it first heard of
in January. The contractor was quickly identified as the source of the
problem, but the contractor's full forensic report did not reach Okta
for 2 months, and Okta acknowledged that it should have pressed for it
sooner. Only then, after Lapsus$ had published screenshots, did Okta
assess the exposure and notify the affected customers.
Summary:
Industrial control systems in the energy sector (and others) are run
by SCADA (supervisory control and data acquisition) systems, which
typically talk to field devices over simple serial or serial-derived
protocols. Gateways between Internet-connected systems and those
controls allow operational control of large networks of devices.
Malicious software built to attack SCADA systems is rare, but a new
instance of it surfaced recently and was detected, thwarted, and
analyzed by the US government and security firms. Their opinion is
that it is circumstantially connected to prior Russian exploits. The
targets were, initially, liquefied natural gas and electric power
sites in North America.
Summary:
An attack on servers that might be involved in managing Internet
traffic on an undersea cable was thwarted by DHS's Homeland Security
Investigations team. At least one person was arrested in connection
with the "unauthorized access." There were no reports of exploits
associated with the break-in, but agents emphasized the potential
for causing various forms of havoc on Internet service.
See also this article from CYBERSCOOP on Apr 13, 2022 by A. J. Vicens:
DHS investigators say they foiled cyberattack on undersea internet cable in Hawaii.
Summary:
Most malware campaigns, ransomware included, have an Achilles heel:
reliance on a few allied Internet servers that direct the infected
machines after the initial breach. These "command and control servers"
have to be surreptitious and anonymous, else they would give away the
identity of the attackers. Attackers register meaningless DNS names
for the servers, pay for them via circuitous routes, and often move
them from one physical infrastructure to another. If the DNS names can
be taken away from the operators, the infected machines lose their
instructions and the campaign stalls, at least until the operators
re-establish contact by other means. Microsoft claims to have done
exactly that to "ZLoader", a botnet used to deliver ransomware, by
seizing 65 DNS domains under a court order. Although this doesn't mean
that ZLoader cannot be resurrected, it might mean that there will be a
hiatus before it is reconstituted. The identity of one hacker was
discovered and referred to authorities.
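Defenders on the other side of a takedown like this usually get a list of the seized names and want to know which of their own hosts were talking to them. The following is an added example, not code from the item above or from Microsoft: it runs two checks over a constructed resolver query log, an exact match on the registered domain against a (constructed) seized-domain list, and an entropy-plus-vowel heuristic for the "meaningless DNS names" the item describes. The log format, the domain names and the heuristic thresholds are all assumptions made for the demo.

```python
import math
import re

# Constructed sample of a resolver query log: timestamp, client, qtype, qname.
# None of these names are real ZLoader domains; they are made up for the demo.
SAMPLE_LOG = """\
2022-04-13T10:00:01Z 10.0.0.5  A    update.microsoft.com
2022-04-13T10:00:02Z 10.0.0.5  A    stackoverflow.com
2022-04-13T10:00:03Z 10.0.0.7  A    cdn.bitnews-updates.test
2022-04-13T10:00:04Z 10.0.0.7  A    xq7zk2vm9plw4ghd.test
2022-04-13T10:00:05Z 10.0.0.9  AAAA login.okta.com
2022-04-13T10:00:06Z 10.0.0.9  A    qzkx7v2mwlbp9.test
"""

# Constructed stand-in for the list of names a takedown hands to defenders.
# Matching is done on the registered domain so subdomains are caught too.
SEIZED_DOMAINS = {"bitnews-updates.test"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def registered_domain(qname):
    """Last two labels of the name. Assumption: no public-suffix list, so
    names under multi-label suffixes such as co.uk would need more care."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character of the string's own character distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def is_dga_like(qname, min_len=12, min_entropy=3.5, max_vowel_ratio=0.2):
    """Heuristic for algorithmically generated labels: a long second-level
    label with high entropy and almost no vowels. The thresholds are
    assumptions for the demo; tune them against your own traffic."""
    sld = registered_domain(qname).split(".")[0]
    if len(sld) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in sld) / len(sld)
    return shannon_entropy(sld) >= min_entropy and vowels <= max_vowel_ratio


def triage(log_text, seized=SEIZED_DOMAINS):
    """Return (client, qname, reason) for every query worth a second look."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _qtype, qname = m.groups()
        if registered_domain(qname) in seized:
            hits.append((client, qname, "seized C2 domain"))
        elif is_dga_like(qname):
            hits.append((client, qname, "DGA-like name"))
    return hits


if __name__ == "__main__":
    for client, qname, reason in triage(SAMPLE_LOG):
        print(f"{client:10} {qname:28} {reason}")
```

The vowel check is there for a reason: a long ordinary word such as "stackoverflow" clears the 3.5-bit entropy bar on its own, so entropy alone would flag it. Exact matching on the seized list is the reliable signal; the heuristic only ranks what to look at next, and a real deployment would also feed the sinkhole's own logs back in.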
Summary:
Perhaps one measure of the success of a cryptocurrency scheme is the
amount of theft that it can tolerate without becoming useless.
Last year, about $3.2bn was stolen. This year it will be more, and
part of it will be from the hack that drained the "Ronin Bridge" of
more than half a billion dollars.
"Axie" is a "wildly popular" video game in which players purchase cartoon characters that are NFTs. The NFTs can be sold to other players. This commerce uses Ethereum for exchanging money. What could go wrong? One problem is that while Ethereum transactions are faster than Bitcoin's, they aren't fast enough for the volume of activity in a wildly popular video game. Thus, one needs an Ethereum "sidechain" that processes transactions faster, with a bridge that moves assets between the game's chain and Ethereum. The sidechain is called Ronin, and it runs smart contracts for Axie players. What could go wrong?
The bridge is a set of smart contracts that release funds only when a threshold of the bridge's validators have signed a withdrawal, so its security rests on those validators' private keys rather than on the contract code alone. Smart contracts sometimes have exploitable bugs, but that is not what happened here: the attackers obtained enough validator signing keys (five of the nine, the number the bridge required) to authorize withdrawals themselves, and used them to drain the bridge.
Who carried out the dastardly deed? Possibly North Korea; the US FBI has since attributed the theft to the Lazarus Group. But the fact that more than half a billion dollars was left behind a handful of keys shows that this technology is hardly mature, and ordinary people who just enjoy playing a video game can be simply putting their money out on the porch for any clever software expert to carry away.
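To make the point concrete, here is an added example (not the Ronin contracts, nor code from the article) of a k-of-n validator check of the kind a bridge performs before releasing funds. The 5-of-9 configuration is what Ronin was running at the time and is not stated in the item above; the validator names and withdrawal text are constructed, and HMAC-SHA256 stands in for each validator's ECDSA key purely so the demo runs on the standard library. The threshold logic is the real lesson: no contract bug is needed once an attacker holds THRESHOLD keys.

```python
import hashlib
import hmac

# Bridge configuration: 9 validators, any 5 of which can authorize a withdrawal.
VALIDATORS = [f"validator-{i}" for i in range(9)]
THRESHOLD = 5

# Stand-in signing keys (assumption: a real bridge uses ECDSA keys; HMAC is
# used here only to keep the example self-contained).
_KEYS = {v: hashlib.sha256(f"demo-key:{v}".encode()).digest() for v in VALIDATORS}


def sign_withdrawal(validator, withdrawal):
    """A validator's 'signature' over the canonical withdrawal string."""
    return validator, hmac.new(_KEYS[validator], withdrawal.encode(), "sha256").hexdigest()


def valid_signers(withdrawal, signatures, keys=_KEYS):
    """Distinct validators whose signature over this withdrawal checks out.
    A set is used so a duplicated or replayed signature from one key counts once;
    counting list entries instead would let one stolen key masquerade as five."""
    ok = set()
    for validator, sig in signatures:
        if validator in keys:
            expected = hmac.new(keys[validator], withdrawal.encode(), "sha256").hexdigest()
            if hmac.compare_digest(expected, sig):
                ok.add(validator)
    return ok


def authorize_withdrawal(withdrawal, signatures):
    """The bridge releases funds when at least THRESHOLD distinct validators signed."""
    return len(valid_signers(withdrawal, signatures)) >= THRESHOLD


def attacker_withdrawal(stolen_validators, withdrawal):
    """What an attacker holding the listed validators' keys can produce."""
    return [sign_withdrawal(v, withdrawal) for v in stolen_validators]


if __name__ == "__main__":
    w = "withdraw everything to attacker-address"  # constructed
    four = attacker_withdrawal(VALIDATORS[:4], w)
    five = attacker_withdrawal(VALIDATORS[:5], w)
    print("4 stolen keys:                 ", authorize_withdrawal(w, four))
    print("4 stolen keys, one sig repeated:", authorize_withdrawal(w, four + four[:1]))
    print("5 stolen keys:                 ", authorize_withdrawal(w, five))
```

Four compromised keys get nothing, and repeating one of their signatures does not help because signers are counted as a set; the fifth key is the whole difference between a failed and a successful theft. That is why the practical defenses for such a bridge are about the keys (separate custody, hardware signing, revoking allowlisted signers promptly, withdrawal limits) rather than about the contract code.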
Summary:
When a large software company makes a newbie mistake in its security
code, it's cause for embarrassment. Oracle became the butt of many
jokes and general derision when it revealed a security patch showing
that a crucial piece of code was trivially vulnerable and had been
since it shipped in Java 15 in 2020, well over a year earlier.
Much of the cryptography that Internet security depends on uses digital signatures. Oracle undertook to reimplement its elliptic curve digital signature (ECDSA) code in Java. The original code was native code, and the rewrite was carried out and introduced in Java version 15. Unfortunately, a crucial check was omitted: ECDSA verification must reject any signature whose r or s component lies outside the range 1 to n-1 (n being the order of the curve's base point). A "zero signature", with r = s = 0, makes the verification equation degenerate so that it holds for any message under any public key, and for this reason it must be summarily rejected before any arithmetic is done, but Oracle's Java code didn't look for it. Oracle has not explained how such a serious error was overlooked during code review. Perhaps the check was folded into something non-obvious in the original code, and the expression was "simplified" in the Java version.
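The failure is easy to see with textbook ECDSA over P-256. The following is an added example, not Oracle's code: it implements the curve arithmetic from scratch, then a verifier with the range check and one without it. Two modeling choices are assumptions chosen so that the flawed path runs the way the Java code did: the modular inverse is computed as s^(n-2) mod n, which returns 0 for s = 0 instead of failing, and the point at infinity is treated as having x = 0, as it does when projective coordinates are converted with that same inverse. The key and message are constructed, and the nonce derivation is for reproducibility only.

```python
import hashlib

# NIST P-256 (secp256r1) domain parameters, from FIPS 186-4.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

INF = None  # point at infinity, the group identity


def ec_add(p1, p2):
    """Affine point addition (doubling when p1 == p2)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                         # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication; k == 0 yields INF."""
    result = INF
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(priv, msg):
    """Textbook ECDSA. The nonce is derived from key and message only so the
    demo is reproducible (assumption: this is not RFC 6979)."""
    e = hash_to_int(msg)
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + msg).digest(), "big") % N or 1
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (e + r * priv) % N
    return (r, s)


def verify_without_range_check(pub, msg, sig):
    """The flawed verifier: it never checks 1 <= r, s <= n-1. With r = s = 0
    the Fermat inverse gives w = 0, so u1 = u2 = 0, the sum is INF (x = 0),
    and 0 == r succeeds for every message and every public key."""
    r, s = sig
    e = hash_to_int(msg)
    w = pow(s, N - 2, N)              # s^-1 mod n for s != 0; 0 when s == 0
    u1 = e * w % N
    u2 = r * w % N
    point = ec_add(ec_mul(u1, G), ec_mul(u2, pub))
    x = 0 if point is INF else point[0]   # INF encoded with x == 0 (assumption)
    return x % N == r


def verify(pub, msg, sig):
    """Correct ECDSA verification: reject out-of-range r or s up front."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    return verify_without_range_check(pub, msg, sig)


if __name__ == "__main__":
    priv = hash_to_int(b"demo key, not a real secret") or 1   # constructed
    pub = ec_mul(priv, G)
    msg = b"transfer 100 to alice"
    good = sign(priv, msg)
    print("genuine signature, fixed verifier:    ", verify(pub, msg, good))
    print("genuine signature, flawed verifier:   ", verify_without_range_check(pub, msg, good))
    print("zero signature (0,0), flawed verifier:", verify_without_range_check(pub, msg, (0, 0)))
    print("zero signature (0,0), fixed verifier: ", verify(pub, msg, (0, 0)))
```

Both verifiers accept the genuine signature, but only the flawed one also accepts (0, 0), for this message and for any other. The range check costs two comparisons; in production you would of course use a vetted library rather than this arithmetic, and keep the check in the library's test suite so a rewrite cannot drop it silently again.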
Summary:
It seems like an eon has passed since the Ukraine invasion began. As
Russian forces gathered on the border, the US warned about Russian
cyberattacks on Ukrainian assets. Microsoft monitored the Ukrainian Internet,
watching for attack attempts, and documented several of them.
"NATO officials David Cattler and Daniel Black noted a series of alleged Russian data-wiping hacks aimed at Ukrainian organizations over multiple weeks." They noted that the attacks seemed to be timed to support Russian military objectives. The correlations are difficult to see through the overall "fog of war" and the images of unrelenting violence.
Summary:
This report summarizes the known cyberattacks launched against Ukraine as
part of the military offensive against that country. These are infrastructure
attacks as well as disinformation attacks.
Summary:
Given that "an estimated 300,000 companies comprise the US defense
industrial base" and given the ability of hackers to move stealthily
through supply chains, the Defense Department has been looking for
ways to improve the security of those 300,000 companies. Smaller
companies are assumed to be especially vulnerable because they might
not have the resources needed to keep their systems locked up tight.
A pilot program of the Pentagon called VDP ("Vulnerability Disclosure
Program") shows some promise. Over the course of a year, the Pentagon
had the computers of a few dozen participating small companies
probed "to find and fix flaws in the email programs, mobile devices and
industrial software".
The pilot program was successful in identifying a panoply of weaknesses, but it is a drop in the bucket. The Pentagon is looking for ways to expand the program.
Summary:
The US State Department wants to apprehend the people behind the Conti
ransomware group. The $15 million reward offered is one tenth of the
amount the Russia-affiliated group is believed to have extorted.
They attacked 16 medical and first responder organizations in the United
States and crippled Costa Rica's tax and customs systems.
Summary: Costa Rica has not paid a ransom to the hackers who have damaged its government systems, and the problems are widening. There is some suspicion that locals are cooperating with the Russian group behind the attacks.