US House approves FISA renewal – warrantless surveillance and all

Infosec in brief: US Congress nearly killed a reauthorization of FISA Section 702 last week over concerns that it would continue to allow warrantless surveillance of Americans, but an amendment to require a warrant failed to pass.

Section 702 of the Foreign Intelligence Surveillance Act has long been contentious for its provisions which indirectly allow surveillance of US citizens without a warrant. That’s why a group of Republican holdouts joined Democrats in the House this week to block a floor vote on the bill to reauthorize the measure.

The sticking point was that FISA Section 702 only technically authorizes the US to spy on foreigners overseas considered a threat, but if those foreigners communicate with US citizens, then those citizens’ electronic communications can also be used for intelligence gathering.

The rebel Republicans, alongside Democrats, demanded an amendment be made to the reauthorization bill to require warrants to be issued before data belonging to United Statesians could be collected. After an amendment was proposed Friday morning, the holdouts fell in line – sending the Section 702 renewal bill to the House floor for a full vote.

The amendment [PDF] that would ban warrantless surveillance of US persons, proposed by Andy Biggs (R-AZ), failed to pass on a split vote of 212-212. Which means US citizens who find themselves in communication with foreigners the government is watching will continue to be surveilled without a warrant. Additional amendments – included in the PDF linked in this paragraph – all passed.

The full bill to reauthorize Section 702 surveillance – which was rushed through the House to prevent it from lapsing on April 19 – later passed the House with bipartisan support despite all the clamoring to end warrantless surveillance. The Senate will now have to pass the bill before the April 19 expiration, giving the body all of this week to do so.

Chinese-owned Dutch chip fab hit by hackers

Dutch chipmaker Nexperia admitted Friday that its IT systems were attacked in March, but offered few details as to the extent of the attack.

Nexperia, a subsidiary of Chinese firm Wingtech Technologies, disclosed in a statement that some of its servers were compromised by an unauthorized third party last month. Affected systems were taken offline and the chipmaker has enlisted the help of third-party investigators to examine the scope of the incident.

It didn’t share any specifics – like the nature of the attack or if any data was stolen – but Dutch media outlet RTL Nieuws reported that the attackers claimed to have stolen hundreds of gigabytes of data, some of which has been published online.

RTL verified that some of the data uploaded to the dark web by the culprits included internal emails and the passport of a former company senior vice president.

Critical vulnerabilities of the week

Last week featured a Patch Tuesday – and disclosure of more critical vulnerabilities after we published our headline article – including:

  • CVSS 9.8 – Multiple CVEs: Juniper Networks has patched Junos OS versions prior to 23.4R1-S1, 23.4R2 and Junos OS Evolved to resolve multiple vulnerabilities in its cURL implementation.
  • CVSS 9.8 – Multiple CVEs: Juniper Networks has resolved a number of vulnerabilities in Junos cRPD versions prior to 23.4R1, several of which are critical.
  • CVSS 9.8 – Multiple CVEs: Juniper Networks has resolved a number of issues in its Cloud Native Router versions prior to 23.4, several of which are critical.
  • CVSS 9.8 – Multiple CVEs: Siemens Scalance W1750D access points contain several vulnerabilities allowing for classic buffer overflow.
  • CVSS 9.4 – A single CVE for FortiClientLinux version 7.0 and 7.2 that would expose a user visiting a malicious website to an improper control of generation of code attack.
  • CVSS 8.8 – Multiple CVEs: Siemens TeleControl Server Basic V3 contains a bunch of vulnerabilities related to inadequate encryption.
  • CVSS 8.7 – CVE-2024-2424: Rockwell Automation 5015-AENFTXDT ethernet adapters contain an input validation vulnerability that could be used to crash devices.
  • CVSS 8.6 – CVE-2024-3313: SUBNET’s PowerSYSTEM Server and Substation Server 2021 contain vulnerabilities in third-party components that could allow DoS, RCE, and privilege escalation.
  • CVSS 8.2 – Multiple CVEs: Siemens RUGGEDCOM APE1808 application hosting platform contains a number of vulnerabilities that can allow various issues.

Microsoft-signed executable found to contain backdoor

Watch out what you install – even if it’s been signed by a valid Microsoft Hardware Publisher Certificate.

Security researchers at Sophos reported last week that they discovered a file that disguised itself as a “Catalog Authentication Client Service” but was actually an executable setup file for LaiXi, an Android screen mirroring tool that bills itself as able to connect hundreds of devices for batched automation.

Sophos notes it can’t speak to the legitimacy of the LaiXi software, but added it’s confident that the sneaky software in this case “is a malicious backdoor.”

The code appears to be making use of a stolen Microsoft Windows Hardware Compatibility Publisher signature, and upon installation embeds a freeware proxy server intended to monitor and intercept network traffic.

Microsoft added the signature to its revocation list in this month’s Patch Tuesday release, but let this serve as a warning: Even if software is signed it doesn’t mean you can just run it with reckless abandon.

Let CISA scan that suspicious file for you …

The US Cybersecurity and Infrastructure Security Agency released an update to its malware analysis system this week that allows anyone to submit malware samples or fishy files for analysis.

Dubbed “Malware Next-Gen,” the new system is designed to be scalable and provide “advanced and reliable malware analysis” that will enable “timely, actionable intelligence” on the latest malware.

CISA revealed that Malware Next-Gen has been in testing with government and military organizations since November, and in that time has identified around 200 suspicious and malicious files and URLs that were able to be shared with partners.

While anyone can submit content for analysis, CISA said only authorized and registered users will receive analytics in return – so no checking your home-brewed malware to see if it’s tough to detect.

Malware Next-Gen can be accessed on the web from CISA’s website.

… and warn you about Sisense

On Friday CISA also issued an attack alert about data analytics biz Sisense, and admins have been scrambling over the weekend to reconfigure their systems.

This appears to be a nasty third-party supplier attack. Sisense only has a few thousand customers, but they are big ones – including the Nasdaq exchange, Verizon, and Air Canada. It appears that passwords, access tokens, and possibly certificates were stolen from an open Amazon S3 bucket and are being actively exploited.

CISA warned that users need to “reset credentials and secrets potentially exposed to, or used to access, Sisense services,” and to make contact immediately if there are any signs of intrusion.

“If these credentials were encrypted it wouldn’t have been so bad; it’s negligence on their part,” Chris Hughes, Cyber Innovation Fellow at CISA and chief security advisor at Endor Labs, told The Register. “It’s the keys to the kingdom.” ®