this week in security — april 26 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 17
~ ~
** THIS WEEK, TL;DR
ZecOps claims zero-click iPhone bug, Apple disputes findings (https://blog.zecops.com/vulnerabilities/youve-got-0-click-mail/) ZecOps: Security outfit ZecOps revealed this week what it called a zero-click vulnerability in iOS 13. The bug, says ZecOps, dates back to at least 2012. It can be triggered remotely by sending a specially crafted email to a victim (https://twitter.com/ihackbanme/status/1252983336391176192) , triggering a buffer overflow in the victim’s Mail app. ZecOps said there was evidence to show the flaw was under active attack. But Apple had an entirely different spin, saying (https://twitter.com/lorenzofb/status/1253513625584709637?s=21) the bugs were not enough to achieve the remote exploitation described. That said, Apple said the bugs will still be fixed in an upcoming update. ZecOps said it’ll release more details soon. More: Motherboard (https://www.vice.com/en_us/article/pken5n/iphone-email-zero-day-hack-in-the-wild) | Ars Technica (https://arstechnica.com/information-technology/2020/04/apple-disputes-report-of-non-click-ios-0day-under-exploit-for-two-years/)
Hackers target top officials at World Health Organization (https://www.bloomberg.com/news/articles/2020-04-21/top-officials-at-world-health-organization-targeted-for-hacks) Bloomberg ($): WHO’s chief information security officer says the global health organization has seen an “increasing number” of attempted cyberattacks since mid-March. Lists of apparent credentials belonging to WHO staff, as well as the Gates Foundation and others, were floating around the web this week. But it turns out (https://twitter.com/janelytv/status/1252960619931873280?s=21) they were mostly old, recycled credentials. More: WHO (https://www.who.int/news-room/detail/23-04-2020-who-reports-fivefold-increase-in-cyber-attacks-urges-vigilance) | @rj_gallagher (https://twitter.com/rj_gallagher/status/1252733467885998085?s=21) | @janelytv (https://twitter.com/janelytv/status/1252960619931873280?s=21)
Facebook says NSO Group used U.S. servers in operations against WhatsApp users (https://www.cyberscoop.com/nso-group-us-servers-whatsapp-lawsuit/) Cyberscoop: A new twist in the WhatsApp vs. NSO Group saga. Facebook (which owns WhatsApp) now claims NSO Group, the mobile surveillance maker, used U.S.-based servers against WhatsApp users. That’s a major blow to the hacking outfit’s claims it doesn’t run operations in the United States. Some of the servers were hosted on Amazon Web Services, Facebook said in its court filing this week. The whole case came to be after WhatsApp discovered attackers using an exploit, likely developed by NSO Group, to target users on its platform. Citizen Lab’s @jsrailton (https://twitter.com/jsrailton/status/1253502213353361412) has a great thread on this, by the way. More: New Statesman (https://tech.newstatesman.com/security/whatsapp-ties-nso-groups-hacking-operations-to-america-in-new-court-evidence) | @shanvav (https://twitter.com/shanvav/status/1253707903674003464?s=20) | @jsrailton (https://twitter.com/jsrailton/status/1253502213353361412)
Hackers target oil producers as they struggle with a record glut of crude (https://arstechnica.com/information-technology/2020/04/hackers-target-oil-producers-as-they-struggle-with-a-record-glut-of-crude/) Ars Technica: Oil producers were already hit hard this week because of negative crude prices. But a new campaign spotted in the wild by Bitdefender attempted to implant a notorious trojan to siphon off vast amounts of sensitive communications and data. Launched by a spearphishing campaign, the attack targeted about 150 oil and gas companies. The trojan in question is Agent Tesla, which has been active since 2014 and can keylog, among other things. More: Bitdefender (https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/)
CFAA will soon have its day in court (https://www.cyberscoop.com/cfaa-will-soon-day-supreme-court/) Cyberscoop: This could be one of the most significant court rulings in U.S. history — at least for hackers and security researchers. The CFAA, the foundation of U.S. hacking law, is widely known to be vague and broadly interpreted. But now the Supreme Court will take up the case of a cop who used his computer to search a license plate database on behalf of an acquaintance. That case (and most other CFAA cases) comes down to “authorization.” Obviously this could go either way for hackers and researchers, who often find flaws without having been granted permission first. But there’s hope this would effectively “legalize” security research. More: EFF (https://www.eff.org/deeplinks/2020/01/eff-asks-supreme-court-put-stop-dangerously-broad-interpretations-computer-fraud) | @marciahofmann (https://twitter.com/marciahofmann/status/1252235908079775747) | @orinkerr (https://twitter.com/OrinKerr/status/1252291592389525507)
UK ministers plan to give more UK public bodies power to access phone data (https://www.theguardian.com/world/2020/apr/22/ministers-plan-to-give-more-uk-public-bodies-power-to-hack-phones) The Guardian: Filed under the “what could go wrong” category. U.K. surveillance laws, the so-called “snoopers’ charter,” are set to expand to allow other public authorities access to vast databases of phone and computer records. Now the U.K. wants to give even more government departments access to the database — including, I kid you not, the pensions watchdog. What a great time to expand controversial surveillance powers, while everyone is at home distracted by a global pandemic. Classy. More: @libertyhq (https://twitter.com/libertyhq/status/1253240118472818689)
~ ~
** SUPPORT THIS NEWSLETTER
A big thanks for reading this newsletter! Subscribers are going up, as are the monthly costs. If you can spare $1/month (or more for exclusive perks (https://www.patreon.com/posts/mugs-are-on-way-32666051) ), it helps keep this newsletter going. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) here. ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Nintendo shuts down NNID logins after 160,000 accounts breached (https://techcrunch.com/2020/04/24/after-160000-accounts-are-compromised-nintendo-shuts-down-nnid-logins/) TechCrunch: A bad week for Nintendo after it confirmed (in Japanese (https://www.nintendo.co.jp/support/information/2020/0424.html) ) that 160,000 Nintendo Network ID accounts, used for accessing online services, were compromised. Nintendo has seen a massive boom in users thanks to the pandemic and the equally viral Animal Crossing (weeks into this pandemic, there are still no Switch consoles within a 15-mile radius of me). Earlier in the week, Nintendo chalked up the activity to a wave of fraudulent attacks (https://www.bbc.com/news/technology-52369435) , and warned customers to use two-factor authentication.
Netflix now supports TLS 1.3 for faster, more secure streams (https://netflixtechblog.com/how-netflix-brings-safer-and-faster-streaming-experience-to-the-living-room-on-crowded-networks-78b8de7f758c) Netflix: Streaming giant Netflix has upgraded its systems to support TLS 1.3. That means Netflix is faster and safer. In its blog post (https://netflixtechblog.com/how-netflix-brings-safer-and-faster-streaming-experience-to-the-living-room-on-crowded-networks-78b8de7f758c) , Netflix gave the rundown on the decision, including an over 7% improvement in media rebuffering.
Google sees state-sponsored hackers ramping up coronavirus attacks (https://www.wired.com/story/google-state-sponsored-hackers-coronavirus-phishing-malware/) Wired ($): New data from Google shows at least a dozen governments are using coronavirus as a platform to launch cyberattacks. Google says it’s spotted 240 million COVID-19-related spam messages, including 18 million phishing and malware emails, each day. Google’s post (https://blog.google/technology/safety-security/threat-analysis-group/findings-covid-19-and-online-security-threats/) is here.
Israel’s parliamentary oversight group stops phone location tracking effort (https://www.bbc.com/news/technology-52395886) BBC News: A couple of weeks ago we looked at how Israel was using phone location tracking to trace positive coronavirus cases. Now an oversight group in the Israeli parliament has put a halt to it, saying the effort did more harm than good. ~ ~
** OTHER NEWSY NUGGETS
Threat actor targeting Uyghurs resurfaces with iOS exploit and updated implant (https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/) Security firm Volexity says the same hackers (likely China (https://techcrunch.com/2019/08/31/china-google-iphone-uyghur/) ) behind the targeting of oppressed Uyghur Muslims with sophisticated iOS malware last year are back with a new, updated exploit and implant. No surprise, since Apple and Google nixed the attacks. But now it looks like they’re up to their old tricks again. This post is super detailed (https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/) . Great research.
Vietnamese hackers targeted Wuhan and Beijing in coronavirus espionage effort (https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html) FireEye said this week (https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html) it spotted Vietnamese hackers, APT 32, targeting the Chinese Ministry of Emergency Management and the Wuhan government in an effort to steal coronavirus-related data. Interestingly, FireEye said the move was part of an effort in which the hackers were “desperately seeking solutions and nonpublic information” about the spread of the virus. APT 32 uses spearphishing emails loaded with malware to deliver its implants.
You won’t believe what this one line change did to the Chrome sandbox (https://googleprojectzero.blogspot.com/2020/04/you-wont-believe-what-this-one-line.html) When Microsoft modified the Windows kernel ever so slightly, it was enough to break not only Chrome’s sandbox, but also Firefox and Edge, too, according to Google’s elite bug hunting team. The bug was fixed earlier (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0981) this month. ~ ~
** THE HAPPY CORNER
Not much in the world of good news this week. But, as always, @iancoldwater (https://twitter.com/IanColdwater/status/1254013928029540352) graces us with an insightful (and at times hilarious) thread on things people wished they heard more in infosec. The balaclava preference (https://twitter.com/Mr_Ballsnacks/status/1254014681242632193) was one of my favorites.
If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** THIS WEEK’S CYBER CAT
This week’s cyber cat is Puff. We first featured him last year (https://mailchi.mp/zackwhittaker/this-week-in-security-march-3-edition) . His human, @nofawkesgiven (https://twitter.com/nofawkesgiven) , told me this week that Puff went to the big farm upstate in the sky, and this was his last photo before he went. We love you Puff. Please send in your quarantine cyber cats. You can send them here (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) . ~ ~
** SUGGESTION BOX
That’s all for now. Thanks again for reading. If you have any feedback, drop it in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Take care, and see you next Sunday.