this week in security — february 21 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 4, issue 8
~ ~
** THIS WEEK, TL;DR
France ties Russia’s Sandworm to a multiyear hacking spree (https://www.wired.com/story/sandworm-centreon-russia-hack/) Wired ($): If there’s Sandworm in the story, you’re going to want to read @a_greenberg (https://twitter.com/a_greenberg). This is no different: while everyone was looking at SolarWinds, the Russian hacker group known as Sandworm was burrowing into Centreon’s servers for years, according to a French security agency. Centreon is an IT monitoring firm, so not too dissimilar from SolarWinds in that respect. Specific details of the hacks weren’t revealed, but French authorities found evidence of two different pieces of malware, including Exaramel, which has been used by Sandworm before. Sandworm is a group of Russian hackers best known for the NotPetya ransomware attack in 2017 and the energy grid blackouts in 2015 and 2016. There’s been no major damage reported in this campaign as of yet — but this should serve as a warning, per @JohnHultquist (https://twitter.com/JohnHultquist), whose FireEye has not yet independently attributed the Centreon hack to Sandworm. More: ZDNet (https://www.zdnet.com/article/france-russian-state-hackers-targeted-centreon-servers-in-years-long-campaign/) | Reuters (https://www.reuters.com/article/us-global-cyber-centreon-idUSKBN2AF1RA) | @rvawonk (https://twitter.com/rvawonk/status/1361497335591809025?s=21)
Suspected Russian hackers used U.S. networks, official says (https://www.bloomberg.com/news/articles/2021-02-17/solarwinds-hacks-perpetrated-from-inside-u-s-white-house-says) Bloomberg ($): Speaking on SolarWinds… more fallout from that breach, with the government saying the number stands steady at nine hacked federal agencies and now more than 100 private businesses that were hit, out of some 18,000 possible SolarWinds victims. That’s from Anne Neuberger, who’s heading the government’s response to the SolarWinds espionage campaign. Interestingly, Neuberger said the suspected Russian hackers actively launched the hack from within the U.S., and not overseas, which “further made it difficult to… observe their activity,” she said. As usual, @shanvav (https://twitter.com/shanvav/status/1362103885968642051) has a great tweet thread breaking down the story, and Neuberger’s remarks. Another victim came forward this week: the Norwegian sovereign wealth fund, the largest in the world that owns 1.4% of all stocks in the world, per @mikko (https://twitter.com/mikko/status/1362395993111752704?s=20). More: ZDNet (https://www.zdnet.com/article/solarwinds-attack-hit-100-companies-and-took-months-of-planning-says-white-house/) | @mikko tweets (https://twitter.com/mikko/status/1362395993111752704?s=20)
Hacker leaks files from Jones Day, which worked on Trump election challenges (https://www.vice.com/en/article/88a7jv/hacker-leaks-files-from-jones-day-law-firm-which-represented-trump-in-election-challenges) Motherboard: Hackers have broken into one of the largest law firms in the world, Jones Day, which famously (and controversially) worked on Trump’s immediate challenges to the 2020 election results. The hackers used the Cl0p ransomware to steal and encrypt the law firm’s data, which was first reported by DataBreaches.net (http://databreaches.net/threat-actors-claim-to-have-stolen-jones-day-files-law-firm-remains-quiet/). The firm gave a statement to the Wall Street Journal ($) (https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/), which blamed the breach on Accellion, a file-sharing company that was recently hacked (https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/). The ransomware group claims to have stolen emails and other internal data, and is threatening to publish the files on their dark web portal, which advertises recent breaches. More: DataBreaches.net (https://www.databreaches.net/threat-actors-claim-to-have-stolen-jones-day-files-law-firm-remains-quiet/) | Wall Street Journal ($) (https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/)
U.S. accuses three North Koreans of conspiring to steal more than $1.3 billion (https://www.washingtonpost.com/national-security/north-korea-hackers-banks-theft/2021/02/17/3dccf0dc-7129-11eb-93be-c10813e358a2_story.html) Washington Post ($): Another busy week for the feds: U.S. prosecutors have accused three North Korean hackers, said to be associated with APT 38 (or Lazarus Group), of conspiring to steal more than $1.3 billion in cash and cryptocurrency from banks and businesses, building (https://www.justice.gov/usao-cdca/pr/3-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and) from 2018 charges brought against the regime for the 2014 cyberattack on Sony Pictures and the WannaCry ransomware attack in 2017. North Korea relies on cryptocurrency for its nuclear weapons program as the country is under heavy sanctions. One Canadian-American citizen pleaded guilty to serving as a money launderer. More: Justice Department (https://www.justice.gov/usao-cdca/pr/3-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and) | CISA Alert (https://us-cert.cisa.gov/ncas/alerts/aa21-048a)
Brave browser leaks .onion addresses in DNS traffic (https://www.zdnet.com/article/brave-browser-leaks-onion-addresses-in-dns-traffic/) ZDNet: The Tor mode included with Brave web browsers that allows users to access .onion links in their usual browser had a bug that leaked queries for .onion domains to public internet DNS resolvers rather than Tor nodes. In other words, that could allow your ISP to see which .onion links you’re accessing. The bug was fixed (https://twitter.com/bcrypt/status/1362796915063021569?s=20) in a nightly build and was quickly shipped as a stable hotfix. More: @albinowax (https://twitter.com/albinowax/status/1362737949872431108) | @bcrypt (https://twitter.com/bcrypt/status/1362796915063021569?s=20)
~ ~
** SUPPORT THIS NEWSLETTER
A big thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051)), it helps to cover the server and email costs. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png).
~ ~
** THE STUFF YOU MIGHT’VE MISSED
Myanmar’s proposed cybersecurity bill draws wide condemnation (https://www.zdnet.com/article/myanmars-proposed-cybersecurity-bill-draws-wide-condemnation/) ZDNet: The situation in Myanmar amid the military coup is obviously pretty awful. The ruling military has already shut off the internet and phone lines. Now the junta is pushing a cybersecurity bill through its own non-elected state-run council to outlaw content that it determines as “disinformation” and other things, as well as prosecuting the offending author. Critics say the bill will drive away international investors and impact civil society.
ShareIt Android app with over a billion downloads is a security nightmare (https://arstechnica.com/gadgets/2021/02/shareit-android-app-with-over-a-billion-downloads-is-a-security-nightmare/) Ars Technica: Here’s an Android app you probably don’t want on your phone: ShareIt, an app with some 1.8 billion users worldwide (thanks to its desktop apps, too), has a number of vulnerabilities that can “be abused to leak a user’s sensitive data and execute arbitrary code with ShareIt permissions.” Trend Micro, which did the research, said the massive scope of permissions is in part to blame.
Jamaica’s immigration website exposed thousands of travelers’ data (https://techcrunch.com/2021/02/17/jamaica-immigration-travelers-data-exposed/) TechCrunch: Hundreds of thousands of immigration records and COVID-19 tests of visitors who traveled to Jamaica in the past half-year were exposed thanks to an unprotected, entirely open S3 bucket run by a Jamaican government contractor. The government said it discovered the issue on February 16, but emails I published (https://twitter.com/zackwhittaker/status/1362482081184567298?s=20) show the Ministry of Health ignored the email disclosing the incident. Now the government has launched (https://twitter.com/jovanthony/status/1362563379932655618) a criminal inquiry into the security lapse, citing “unauthorized access” to the data. (Disclosure: I wrote this story!)
LastPass free accounts stripped of cloud syncing (https://www.vice.com/en/article/pkd88v/lastpass-free-accounts-will-now-work-on-either-your-phone-or-computer-not-both) Motherboard: LastPass has rejigged its free accounts to no longer allow cloud syncing across devices. Obviously that’s a major issue for existing free users who like to use passwords on multiple devices. Free users will have to pay for cloud syncing. Or, you can pay for alternatives (https://twitter.com/tallpoppyhq/status/1361779335569489924?s=21) like 1Password or Bitwarden (which also has a free tier).
Malware is now targeting Apple’s new M1 processor (https://www.wired.com/story/apple-m1-malware/) Wired ($): @patrickwardle (https://twitter.com/patrickwardle/status/1362127246056587266) has found what may be the first malicious program designed to target Apple’s new Arm-based M1 silicon. The malicious Safari adware extension was originally written to run on Intel’s x86 chips but has been redeveloped for the M1. The extension is called GoSearch22, and is a member of the Pirrit Mac adware (https://www.cybereason.com/blog/targetingedge-mac-os-x-pirrit-malware-adware-still-active) family. Apple didn’t comment but stripped the developer of its certificate, effectively nuking the extension from working.
~ ~
** OTHER NEWSY NUGGETS
Clubhouse in China: Is the data safe? (https://cyber.fsi.stanford.edu/io/news/clubhouse-china) @alexstamos (https://twitter.com/alexstamos/status/1361759329204928512?s=20) and crew found that audio-only social network Clubhouse used Chinese servers to route traffic, even for conversations that only involved Americans. Clubhouse, which only weeks earlier drew controversy for forcing users to upload their contacts before they can invite new members, said in a statement that it would make changes (https://twitter.com/alexstamos/status/1361761681433497600).
Apple has an updated platform security guide (https://support.apple.com/en-us/guide/security/welcome/web) Apple has updated its security guide, including for Macs and iPhones. There are a few interesting nuggets in here, and Wired ($) (https://www.wired.com/story/apple-platform-security-guide-researchers/) has a good explainer. But there’s still a lot missing, as Apple suffers from selective transparency. Even this week when I asked (https://twitter.com/zackwhittaker/status/1362528340528287746) how it curated its list of 1.5 billion breached passwords (by way of comparison, Troy Hunt’s Pwned Passwords is about half that), Apple declined to comment. Makes you wonder why!
Parents alerted to NurseryCam security breach (https://www.bbc.com/news/technology-56141093) A webcam system that lets parents drop in and watch their children while at nursery school has written to families to tell them of a data breach. NurseryCam is used in about 40 pre-schools around the U.K., and has alerted the data protection authority. A vulnerability in its systems exposed usernames, passwords, and email addresses. The Register (https://www.theregister.com/2021/02/18/nurserycam_security_problems_footfallcam_ltd/) has more on how the bug was discovered, thanks in large part because of a blog post (https://cybergibbons.com/security-2/a-warning-to-users-of-nurserycam/) by @cybergibbons (http://twitter.com/cybergibbons).
~ ~
** THE HAPPY CORNER
A couple of fun things for the happy corner this week.
As of macOS Big Sur, the feature that autofills text message two-factor codes to your Mac is now system-wide and not Safari specific. That’s going to reduce the friction in using two-factor on the Mac. A small but welcome change. And props to this kid (https://twitter.com/mfpiccolo/status/1360685864100237318) for tricking her parents, her school, and even Zoom’s technical support in order to play hooky. (This kid will go places in this world.) The full tweet thread (https://twitter.com/mfpiccolo/status/1360685864100237318) is worth the read. If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter).
~ ~
** CYBER CATS & FRIENDS
This week’s cyber cat is Pavlova. She is a big fan of multi-factor authentication, system hardening, and snacks. A big thanks to her human, who asked to remain anonymous, for the submission! Plus! Bonus cat content this week, as Larry, the British government’s official mouser, marks ten years at 10 Downing Street. AFP has some nice photos (https://news.yahoo.com/larry-cat-marks-10-years-022058225.html) and a story to mark the occasion. Keep sending in your cyber cats (and your non-feline friends (https://mailchi.mp/zackwhittaker/this-week-in-security-december-27-edition)). You can send them in here (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.).
~ ~
** SUGGESTION BOX
That’s all for this week — thanks for reading! Please leave any feedback you might have in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Take care, and see you next week.
~this week in security~ does not track email opens or link clicks.