this week in security — february 28 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 4, issue 9
~ ~
** THIS WEEK, TL;DR
Senate hearing on SolarWinds hack lays bare U.S. shortcomings and remaining mysteries (https://www.cyberscoop.com/solarwinds-fireeye-microsoft-crowdstrike-senate-ssci/) Cyberscoop: Senators grilled the three executives, including SolarWinds’ CEO, at the center of the ongoing Russian espionage campaign targeting the federal government. Two months on, questions remain. Cyberscoop walks you through the hearing and the critical questions that still need answering. There was a lot of focus (https://twitter.com/RayRedacted/status/1365710423006339073?s=20) on the SolarWinds CEO blaming an intern for using “solarwinds123” as a server password. (Remember when Equifax’s CEO pulled a similar stunt (https://www.theverge.com/2017/10/3/16410806/equifax-ceo-blame-breach-patch-congress-testimony)?) But really, it just shows poor leadership (https://twitter.com/decryptlyfe/status/1365678688499458049) from the top down and inadequate security policies across the company. @thegrugq (https://gru.gq/2021/02/28/solarwind-enough-with-the-password-already/) has a good post (refreshed from December) exploring why the password issue is only a small matter to consider. More: CNN (https://www.cnn.com/2021/02/26/politics/solarwinds123-password-intern/) | The Register (https://www.theregister.com/2021/02/24/microsoft_solarwinds_congress_disclosure_law/) | The Grugq (https://gru.gq/2021/02/28/solarwind-enough-with-the-password-already/) | @runasand (https://twitter.com/runasand/status/1365707240058081294?s=20) | @hexadecim8 (https://twitter.com/hexadecim8/status/1365637701198893067)
Hackers broke into ‘biochemical systems’ at Oxford University Lab studying COVID-19 (https://www.forbes.com/sites/thomasbrewster/2021/02/25/exclusive-hackers-break-into-biochemical-systems-at-oxford-uni-lab-studying-covid-19/) Forbes: One of the leading biology labs researching COVID-19 has been hacked. Oxford University confirmed on Thursday that its Division of Structural Biology was breached, shortly after Forbes revealed that hackers were touting access to a number of its systems. Screenshots provided to Forbes showed the access, though it’s not known exactly who was behind the attack or what their motives were. The university said its research was not affected by the breach. More: Reuters (https://www.reuters.com/article/us-health-coronavirus-britain-cyber/oxford-university-says-research-not-affected-after-media-reports-of-covid-lab-hack-idUSKBN2AP2SE) | @iblametom tweets (https://twitter.com/iblametom/status/1364963823371907075)
Kamacite, tied to Russia’s GRU, targeted the U.S. grid for years (https://www.wired.com/story/russia-gru-hackers-us-grid/) Wired ($): New research from Dragos has revealed a new group adjacent to the disruptive Russian intelligence hacker group known as Sandworm. Dragos calls the new group Kamacite, which has successfully targeted U.S. electric utilities and oil and gas facilities as far back as 2017. The group also serves as Sandworm’s “access” team, breaking into networks and handing off the access to Sandworm. Kamacite uses spearphishing and brute-forces cloud logins, such as Office 365, to gain a foothold on the victim’s network and establish persistence. “If you see Kamacite in an industrial network or targeting industrial entities, you clearly can’t be confident they’re just gathering information. You have to assume something else follows,” said @cnoanalysis (https://twitter.com/cnoanalysis). More: Dragos (https://www.dragos.com/threat/kamacite/) | @a_greenberg (https://twitter.com/a_greenberg/status/1364568902760562689)
ICE used a private utility database to pursue immigration violations (https://www.washingtonpost.com/technology/2021/02/26/ice-private-utility-data/) Washington Post ($): ICE has tapped into a private database storing millions of utility bill records in order to probe immigration violations. ICE uses CLEAR, which holds at least 400 million names, addresses, and records from more than 80 utility companies, and is updated daily. CLEAR is run by Thomson Reuters, which sells the platform as a “legal investigation software solution,” but has allowed ICE to tap into the database under a $21 million contract. One rights defender said: “It puts people in a tremendously difficult situation. They have to decide whether to have electricity or subject themselves to having ICE get access to this information.” Excellent reporting. More: @drewharwell (https://twitter.com/drewharwell/status/1365379825351950337)
Apple will make it harder to hack iPhones with zero-click attacks (https://www.vice.com/en/article/pkd4kg/apple-is-going-to-make-it-harder-to-hack-iphones-with-zero-click-attacks) Motherboard: Last year it was revealed that dozens of Al-Jazeera reporters had their iPhones hacked (https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/) using zero-click exploits — the kind of hacks that require no user interaction at all. Now Apple is working to make it harder to launch these attacks with iOS 14.5 by signing ISA pointers, making it much harder to exploit corrupted memory that can be used to inject malicious code. More: @lorenzoFB (https://twitter.com/lorenzofb/status/1363863771551330308) | @josephfcox (https://twitter.com/xoxogossipgita/status/1363866073297281031)
~ ~
** SUPPORT THIS NEWSLETTER
Thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051)), it helps to cover the server and email costs. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png). ~ ~
** THE STUFF YOU MIGHT’VE MISSED
A race to reverse-engineer Clubhouse raises security concerns (https://techcrunch.com/2021/02/22/clubhouse-security/) TechCrunch: There was a ton of chatter this week about Clubhouse having a security breach. Not the case in the strictest sense, but a matter of scraping audio content from the app’s public APIs. Because Clubhouse is still only available on iOS, developers have started building their own apps that feed in Clubhouse streams so they can be accessed from non-iOS devices. @ritacyliao (https://twitter.com/ritacyliao) explores the security and privacy ramifications, including in China, where Clubhouse is banned. @lilyhnewman (https://twitter.com/lilyhnewman) digs into the security issues in more detail on Wired ($) (https://www.wired.com/story/clubhouse-privacy-security-growth/).
The ‘real consequences’ of ransomware against schools (https://statescoop.com/k12-ransomware-attacks-cybersecurity/) Statescoop: Research shows there have been at least 130 ransomware incidents involving school districts across the U.S. since 2016, and it’s getting worse. Some attacks have compromised personal and financial data, but others have disrupted the learning process altogether. The pandemic may have solved the snow day problem, but now schools have “cyber days.”
Apple nukes ‘Silver Sparrow’ malware after revoking the developer’s certificate (https://www.cnn.com/2021/02/21/tech/mac-mysterious-malware/index.html) CNN: Last week, Red Canary researchers discovered (https://redcanary.com/blog/clipping-silver-sparrows-wings/) a new Mac adware targeting the new Apple M1 chip, dubbed Silver Sparrow, which had infected close to 30,000 Macs in over 150 countries as of mid-February. Apple has now taken action and revoked the developer’s certificate, preventing future infections. ~ ~
** OTHER NEWSY NUGGETS
Treasury watchdog warns of government’s use of cell data without warrants (https://www.wsj.com/articles/treasury-watchdog-warns-of-governments-use-of-cellphone-data-without-warrants-11614003868) A Treasury watchdog report says that law enforcement and intelligence agencies may not be on firm legal footing by buying access to location data without first obtaining a warrant, reports the Wall Street Journal ($) (https://www.wsj.com/articles/treasury-watchdog-warns-of-governments-use-of-cellphone-data-without-warrants-11614003868). It comes as the IRS is under scrutiny for using a commercial database to track cellphones. Ultimately it’s down to the courts to decide, but it’s the strongest suggestion so far that the practice may not be constitutional — and therefore any case that uses warrantless access to location data may be built on shaky ground.
‘Millions of people’s data is at risk’: Amazon insiders sound alarm over security (https://www.politico.eu/article/data-at-risk-amazon-security-threat/) Whistleblowers — two in the U.S. and one in the EU — say they were forced out of Amazon after raising privacy and compliance issues. The report is well worth the read: the former employees allege that the company “prioritizes growth over other factors, such as the security of customers’ information, compliance with rules designed to safeguard that data and the careers of employees the company hired specifically to flag problems.” Just last year, Amazon admitted it fired (https://www.vice.com/en/article/dy8zwz/amazon-fired-employee-leaking-customer-emails) a third employee for leaking customer email addresses to an unnamed third party.
NASA, FAA named as federal agencies hit by SolarWinds hackers (https://www.washingtonpost.com/national-security/biden-russia-sanctions-solarwinds-hacks/2021/02/23/b77039d6-71fa-11eb-85fa-e0ccb3660358_story.html) We know that nine federal agencies have been hacked by the SolarWinds hackers (allegedly the Russians), which included State, Justice, Treasury, Energy, Commerce and Homeland Security, as well as the National Institutes of Health. Now we know that NASA and the FAA make up the remaining two agencies that weren’t named, thanks to @nakashimae’s reporting (https://twitter.com/nakashimae/status/1364257740214910976). It’s worth noting that the two agencies weren’t compromised because of the SolarWinds software, but through brute-force password cracking. ~ ~
** THE HAPPY CORNER
Right. Now that’s out of the way, onto the happy corner.
A big congratulations to @campuscodi (https://twitter.com/campuscodi/status/1363929549877227523?s=20), who leaves ZDNet after 2.5 years to join Recorded Future (https://therecord.media/catalin-cimpanu-joins-the-record-as-its-first-cybersecurity-reporter/) as its first cybersecurity reporter.
After the successful landing of the Mars Perseverance Rover, it was revealed that NASA coders hid an Easter Egg in the colored pattern of its parachute. It reads “Dare Mighty Things.” Here’s the explainer of how it works (https://twitter.com/FrenchTech_paf/status/1363992051734478852).
@micahflee (https://twitter.com/micahflee/status/1363719097884811266?s=21) has a new version of OnionShare out, a file sharing service that uses the Tor network. It’s a fantastic tool that I’ve personally used several times and recommend. It’s easy to use, and open source. More details on Micah’s blog (https://micahflee.com/2021/02/onionshare-tabs-anonymous-chat-cli/).
And, congrats to @Fox0x01 (https://twitter.com/Fox0x01), who joined Corellium this week as its chief product officer. It comes after the iPhone virtualization software maker scored a win over one of Apple’s claims in its lawsuit against the company — that it infringed iOS copyright. @pwnallthethings (https://twitter.com/pwnallthethings) will become Corellium’s chief operating officer.
If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter). ~ ~
** CYBER CATS & FRIENDS
Say hi to Meadow, who was featured a while back but returns with a Taco Truck. Cats get hungry when they’re busy fighting hackers. A big thanks to @IDAccessGoddess (https://twitter.com/IDAccessGoddess) for the submission! Keep sending in your cyber cats (and your non-feline friends (https://mailchi.mp/zackwhittaker/this-week-in-security-december-27-edition) ). You can send them in here (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.) . ~ ~
** SUGGESTION BOX
That’s it for now. Thanks so much for reading. As always, drop any feedback you might have in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). Have a great week, and see you next week. Be well.
============================================================
~this week in security~ does not track email opens or link clicks.