this week in security — april 4 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 4, issue 14
~ ~
** THIS WEEK, TL;DR
Hackers tried to backdoor PHP, used by 80% of all websites (https://www.vice.com/en/article/xgzne4/hackers-backdoor-php-source-code) Motherboard: From the “this could’ve been so much worse” department: hackers broke into the internal code repo for the PHP web programming language and pushed commits that tried to backdoor the source code. About 80% of websites with a known server-side language run PHP, so it would’ve been terrible had the backdoored code made it into a release. PHP said (https://news-web.php.net/php.internals/113838) it is moving its source repositories to GitHub after the attack, which it believes points to a compromise (https://twitter.com/campuscodi/status/1376455446165340161) of the git.php.net server rather than of an individual account. The hack was a botch job: the malicious code, disguised as a typo fix, referenced (https://twitter.com/mikko/status/1376446991983644673) Zerodium, the exploit broker, which denied any involvement. More: The Record (https://therecord.media/hackers-backdoor-php-source-code-after-internal-repo-hack/) | @campuscodi (https://twitter.com/campuscodi/status/1376455446165340161) | @official_php (https://twitter.com/official_php/status/1377339882645905408) | the commit on GitHub (https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d)
SolarWinds hack got emails of top DHS officials (https://apnews.com/article/solarwinds-hack-email-top-dhs-officials-8bcd4a4eb3be1f8f98244766bae70395) Associated Press: Sources say the SolarWinds hackers (suspected to be Russian intelligence) grabbed emails belonging to the then-acting head of DHS and senior staff. The AP spoke to more than a dozen people with knowledge of the breach. It was already known that DHS was one of the federal agencies affected, but classified networks are believed not to have been compromised. More: @tonyajoriley (https://twitter.com/TonyaJoRiley/status/1376531787560714244)
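The PHP item above is a reminder that a repo compromise lets an attacker push commits under a maintainer’s name. One control that catches that is refusing any commit that does not carry a good signature from a key registered to its author. Below is an added example of such an audit (not PHP project tooling): it reads a custom `git log` format and checks each commit against an allowlist. The allowlist, the e-mail addresses, the key IDs and the sample log lines are all constructed for illustration.

```python
"""Audit a commit range for pushes that lack a good signature from a key
registered to the named author.

Added example, not part of the PHP project's tooling. It reads `git log` in the
custom format below; the allowlist (author e-mail -> signing key IDs) and the
sample log lines are constructed for illustration.
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SEP = "\x1f"  # ASCII unit separator: never appears in names, e-mails or subjects
# %G? is git's signature verdict for the commit: G good, B bad, U good but
# untrusted key, X expired signature, Y expired key, R revoked key,
# E cannot be checked, N no signature.  %GK is the ID of the signing key.
LOG_FORMAT = SEP.join(["%H", "%an", "%ae", "%cn", "%ce", "%G?", "%GK", "%s"])


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    committer_name: str
    committer_email: str
    sig_status: str
    key_id: str
    subject: str


def parse_log(text: str) -> List[Commit]:
    """Parse lines produced by `git log --format=LOG_FORMAT`."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(SEP)
        if len(fields) != 8:
            raise ValueError(f"unexpected log line: {line!r}")
        commits.append(Commit(*fields))
    return commits


def audit(commits: List[Commit], allowlist: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (sha, reason) for every commit that should block a merge."""
    findings = []
    for c in commits:
        if c.sig_status == "N":
            findings.append((c.sha, f"unsigned commit attributed to {c.author_email}"))
        elif c.sig_status != "G":
            findings.append((c.sha, f"signature status {c.sig_status!r} is not 'good'"))
        elif c.key_id not in allowlist.get(c.author_email, set()):
            findings.append((c.sha, f"good signature from key {c.key_id}, "
                                    f"which is not registered to {c.author_email}"))
    return findings


def git_log(repo: str, rev_range: str) -> List[Commit]:
    """Live variant: run against a checkout, e.g. git_log('.', 'origin/master..HEAD')."""
    out = subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_log(out)


# Constructed sample: two commits under a maintainer's name, one signed with the
# maintainer's registered key and one unsigned, plus a commit whose signature is
# good but comes from a key nobody has registered for that author.
SAMPLE_LOG = "\n".join([
    SEP.join(["1" * 40, "Maintainer One", "one@example.org", "Maintainer One",
              "one@example.org", "G", "0123456789ABCDEF", "Fix zlib edge case"]),
    SEP.join(["2" * 40, "Maintainer One", "one@example.org", "Maintainer One",
              "one@example.org", "N", "", "Fix typo"]),
    SEP.join(["3" * 40, "Maintainer Two", "two@example.org", "Maintainer Two",
              "two@example.org", "G", "FEDCBA9876543210", "Update docs"]),
])
ALLOWLIST: Dict[str, Set[str]] = {
    "one@example.org": {"0123456789ABCDEF"},
    "two@example.org": {"AAAAAAAAAAAAAAAA"},
}

if __name__ == "__main__":
    for sha, reason in audit(parse_log(SAMPLE_LOG), ALLOWLIST):
        print(sha[:12], reason)
```

Run as a pre-receive hook or CI step over `origin/master..HEAD`, this blocks the unsigned “Fix typo” commit and the commit signed with an unregistered key while letting the properly signed one through. It only helps if signing is mandatory for everyone who can push; an attacker with the server can still push whatever the server accepts.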
These companies track millions of cars — and immigration authorities request the data (https://www.forbes.com/sites/thomasbrewster/2021/04/01/these-companies-track-millions-of-cars-immigration-and-border-police-have-been-grabbing-their-data/) Forbes: CBP and ICE demanded location data from three companies that track the movements of tens of millions of cars every day: GM OnStar, Geotab and Spireon. Most modern cars are connected and are beaming out location data, and now immigration authorities are catching on. @iblametom (https://twitter.com/iblametom/status/1377577861582880770) digs into who gets access to your vehicle’s location data and where it goes. Of course, none of this should be a surprise to anyone (read: no-one) who read GM’s privacy policy. More: @iblametom (https://twitter.com/iblametom/status/1377577861582880770) | @EFF (https://twitter.com/EFF/status/1377685693795799043?s=20)
MobiKwik investigating data breach after 100M user records found online (https://techcrunch.com/2021/03/30/mobikwik-investigating-data-breach-after-100m-user-records-found-online/) TechCrunch: MobiKwik, an Indian mobile payments service, is investigating an apparent data breach after 100 million user records were found for sale online. The data also contained “know your customer” documents, like IDs, passports, and other government-issued papers. Turns out MobiKwik may have known about the breach for a while. A leaked screenshot shows a MobiKwik executive asking Amazon for logs after it “came to know that our S3 [cloud storage] data is downloaded by some other person outside the organization.” Days later, the MobiKwik breach seller claimed to delete the data and bid “adios!” Bizarre. (Disclosure: I edited this story.) More: DataBreaches.net (https://www.databreaches.net/mobikwik-offers-master-class-in-how-not-to-respond-to-a-breach-researchers-scoff-consumers-rage/) | Reuters (https://www.reuters.com/article/mobikwik-india-breach/indian-payments-firm-mobikwik-says-it-is-probing-date-breach-claims-idUSKBN2BM1GY) | @rajaharia (https://twitter.com/rajaharia/status/1376932853552795650?s=21)
America’s digital defender is underfunded, outmatched and ‘exhausted’ (https://www.politico.com/news/2021/03/30/cisa-cybersecurity-problems-478413) Politico: CISA is an agency that’s tired. That’s per @ericgeller (https://twitter.com/ericgeller/status/1376883336359124993), whose tweet thread also breaks down the story. The Homeland Security cybersecurity agency is underfunded and struggling to stay ahead of a deluge of overseas threats. “People are somewhat exhausted,” said one staffer. More: @ericgeller (https://twitter.com/ericgeller/status/1376883336359124993)
Google caught North Korean hackers trying to hack security researchers — again (https://www.cyberscoop.com/north-korean-hackers-fake-company-security-researchers-social-media/) Cyberscoop: Hackers linked with North Korea set up a fake security company to try to hack security researchers, according to Google, which exposed (https://blog.google/threat-analysis-group/update-campaign-targeting-security-researchers/) the campaign this week. The fake firm, SecuriElite, set up fake social media accounts with names like Sebastian Lazarescue (I’m dying (https://twitter.com/selenalarson/status/1377323469445099521?s=20)). This is the second time Google has exposed these hackers targeting security defenders, after catching an earlier (https://www.zdnet.com/article/google-north-korean-hackers-have-targeted-security-researchers-via-social-media/) iteration of the campaign. More: Google (https://blog.google/threat-analysis-group/update-campaign-targeting-security-researchers/) | @shanvav tweets (https://twitter.com/shanvav/status/1377296973901000708) | Archive: ZDNet (https://www.zdnet.com/article/google-north-korean-hackers-have-targeted-security-researchers-via-social-media/)
~ ~
** SUPPORT THIS NEWSLETTER
Thank you to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051)) to help cover the server and email costs. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity), or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png). ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Zero-click vulnerability in Apple’s macOS Mail (https://mikko-kenttala.medium.com/zero-click-vulnerability-in-apples-macos-mail-59e0c14b106c) Mikko Kenttala: Apple fixed a zero-click bug in its macOS email client that let an attacker, with no interaction from the victim, write arbitrary files inside Mail’s sandbox, which could be used to leak sensitive content from the victim’s inbox.
Dutch watchdog fines Booking.com €475k for keeping data breach quiet (https://www.theregister.com/2021/04/01/booking_dot_com_fine/) The Register: The Netherlands Data Protection Authority slapped Booking.com with a fine for notifying it too late that criminals had broken into its systems and stolen data on more than 4,100 customers. Just a friendly reminder that GDPR is still a thing.
Phone numbers for 533 million Facebook users leaked on hacking forum (https://therecord.media/phone-numbers-for-533-million-facebook-users-leaked-on-hacking-forum/) The Record: A massive list of 533 million Facebook users’ phone numbers, one-fifth of the site’s users, has been publicly posted on a cybercrime forum. The data was scraped through a bug that threat actors exploited (https://twitter.com/campuscodi/status/1378423801218732035?s=21) before Facebook fixed it in 2019, and the list has been floating around for a while. Mark Zuckerberg and other Facebook founders’ information was in the data set. https://twitter.com/BleepinComputer/status/1378434280502747142
Feds indict Kansas man for allegedly hacking into water supply (https://www.vice.com/en/article/3anx79/feds-indict-kansas-man-for-allegedly-hacking-into-water-supply) Motherboard: A 22-year-old former employee of a Kansas district water authority was charged with hacking into a public water system in 2019. The former employee allegedly logged into the system and “shut down processes” at the facility, “with the intention of harming people,” per the indictment. This is the latest case among recent reports of intrusions (https://www.propublica.org/article/hacking-water-systems) into the U.S. water supply.
Recovering a full PEM private key when half of it is redacted (https://blog.cryptohack.org/twitter-secrets) Cryptohack: This is an incredible read on how a private key that had been only partially redacted before being posted online could be recovered in full from the unredacted half. There’s some major math here and the details are largely lost on me. But, the very fact that they could recover a key is something. “If you find something private, keep it that way.”
Alleged Ubiquiti whistleblower claims recent breach was ‘catastrophic’ (https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrophic/) Krebs on Security: An interesting development in the Ubiquiti security breach from earlier (https://community.ui.com/questions/Account-Notification/96467115-49b5-4dd6-9517-f8cdbf6906f3) this year. @briankrebs (https://twitter.com/briankrebs/status/1376958635113349121) spoke to an unnamed employee, who said that the networking gear maker effectively covered up the breach after the hacker “obtained full read/write access to Ubiquiti databases” hosted on Amazon’s cloud. The company said very little in a new statement (https://community.ui.com/questions/Update-to-January-2021-Account-Notification/3813e6f4-b023-4d62-9e10-1035dc51ad2e), which claimed “no evidence that customer information was accessed.” The employee alleges that this is true only because Ubiquiti allegedly “failed to keep records of which accounts were accessing that data.” I’m sure this will be a story to watch… ~ ~
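To show why the Cryptohack item above works at all: a PKCS#1 RSA private key stores n, e, d, p, q, dp, dq and qinv in that order, so a redaction that covers the top of the PEM typically leaves q and the CRT values dp, dq and qinv visible, and each CRT exponent pins down its prime via e·dp ≡ 1 (mod p−1). The example below is added here and is not the blog post’s code; it assumes the public exponent is 65537 (the usual default), generates a toy key with a fixed seed so the run is reproducible, and then rebuilds the entire key from only the tail fields. It needs Python 3.8+ for `pow(x, -1, m)`.

```python
"""Why a half-redacted RSA private key is still a full key.

Added example, not code from the Cryptohack post. Assumptions: the public
exponent is 65537, and the visible tail of the key holds q, dp, dq and qinv
(the last four INTEGERs of a PKCS#1 RSAPrivateKey). Key size is a toy choice.
"""
import random

_MR_RNG = random.Random(0)  # fixed Miller-Rabin bases keep the run reproducible


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin, adequate for the 512-bit candidates used here."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_MR_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_key(bits: int = 1024, e: int = 65537, seed: int = 2021) -> dict:
    """Toy key generation (seeded); returns the PKCS#1 fields in their DER order."""
    rng = random.Random(seed)
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def primes_from_crt_exponent(dx: int, e: int) -> list:
    """Every prime x with e*dx = 1 (mod x-1). Because dx < x-1 we have
    e*dx - 1 = k*(x-1) with 1 <= k < e, so recovering x is a loop over k,
    not a search; e=65537 makes that at most 65536 steps."""
    t = e * dx - 1
    found = []
    for k in range(1, e):
        if t % k:
            continue
        x = t // k + 1
        if x > dx and is_probable_prime(x):
            found.append(x)
    return found


def recover_from_tail(tail: dict, e: int = 65537):
    """Rebuild the whole key from q, dp, dq, qinv and an assumed e.
    Returns None if the assumed e is inconsistent with the tail."""
    q, dp, dq, qinv = tail["q"], tail["dp"], tail["dq"], tail["qinv"]
    if (e * dq) % (q - 1) != 1:            # cheap check that e is right
        return None
    for p in primes_from_crt_exponent(dp, e):
        if (q * qinv) % p == 1:            # qinv = q^-1 mod p singles out the true p
            d = pow(e, -1, (p - 1) * (q - 1))
            return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
                    "dp": dp, "dq": dq, "qinv": qinv}
    return None


if __name__ == "__main__":
    key = generate_key()
    tail = {k: key[k] for k in ("q", "dp", "dq", "qinv")}
    rebuilt = recover_from_tail(tail)
    print("recovered p matches:", rebuilt is not None and rebuilt["p"] == key["p"])
```

Even dp alone is enough to recover p with this loop; qinv is used only to reject the rare composite-free false positive. The practical lesson is the one the post draws: there is no “safe half” of a private key to leave visible.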
** OTHER NEWSY NUGGETS
Australia investigates reported hacks aimed at parliament, media (https://www.cyberscoop.com/australia-hacks-parliament-channel-nine/) Cyberattacks hit Australia’s parliamentary email system and broadcaster Channel Nine this week. The attacks left the broadcaster unable to air for several hours on Sunday. One of Channel Nine’s reporters said (https://tvblackbox.com.au/page/2021/03/28/exclusive-claims-russian-hackers-behind-channel-9-cyber-attack/) it was ransomware, which would make sense, but that has not yet been confirmed. It’s not clear if the two incidents were linked. The country’s spy agency is looking into it.
Bug in how macOS handles .TXT files exposes private data (https://www.paulosyibelo.com/2021/04/this-man-thought-opening-txt-file-is.html) Great work by @PaulosYibelo (https://twitter.com/PaulosYibelo/status/1377946422344048640), who found that macOS’s text editor, TextEdit, parses HTML inside a file even when it opens it as a .TXT file. That allowed him to remotely run code on a victim’s machine.
Also: the Chicago Tribune on the CNA insurance cyberattack (https://www.chicagotribune.com/business/ct-biz-cna-insurance-cybersecurity-attack-20210324-e4skjycxvra4zh7dxoxqoz7lsm-story.html)
Amazon tweets were so bad that IT thought its Twitter account was hacked (https://arstechnica.com/tech-policy/2021/03/amazon-tweets-trolling-congress-were-so-bad-that-it-thought-account-was-hacked/) The headline says it all. Amazon went off (https://www.vox.com/recode/2021/3/28/22354604/amazon-twitter-bernie-sanders-jeff-bezos-union-alabama-elizabeth-warren) on a bunch of lawmakers this week ahead of a crucial union vote. The tweets were “so aggressive that one of the company’s own security engineers filed a support ticket.” The support ticket warned that the “unnecessarily antagonistic” tweets “may be a result of unauthorized access by someone with access to the account’s credentials.” That support ticket was published by The Intercept (https://theintercept.com/2021/03/29/amazon-twitter-hack-union-jeff-bezos/).
The little-known data broker industry is spending big bucks lobbying Congress (https://themarkup.org/privacy/2021/04/01/the-little-known-data-broker-industry-is-spending-big-bucks-lobbying-congress) The Markup found 25 data companies spent $29 million on lobbying in 2020, rivaling the big tech firms like Facebook, Amazon and Google, which spent $19M, $18M and $8M respectively. Just goes to show how big a business data is, and how much some companies will spend to protect it, like Oracle, which spent $9M on lobbying last year. ~ ~
** THE HAPPY CORNER
Just a couple of things this week. This is nice, but please, please use a password manager. https://twitter.com/natashenka/status/1377412404116516865 And, this @simonw (https://twitter.com/simonw/status/1377094890002149378) thread is definitely a fun read, and I’ll leave you with just this tweet. If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter). ~ ~
** CYBER CATS & FRIENDS
This week’s cyber cat is Shiloh. If you’re wondering why the side-eye, Shiloh knows you reuse passwords. Maybe don’t do that? A big thanks to Gh0sti for the submission! Please do keep sending in your cyber cats (and friends)! You can drop them here (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.), and feel free to send updates on previously-submitted friends! ~ ~
** SUGGESTION BOX
That’s all! Please drop any feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). Take care and see you next week.
============================================================
~this week in security~ does not track email opens or link clicks.