this week in security — january 31 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 4, issue 5
~ ~
** THIS WEEK, TL;DR
North Korea targets — and dupes — a slew of cybersecurity pros (https://www.wired.com/story/north-korea-hackers-target-cybersecurity-researchers/) Wired ($): Here’s a wild story of how North Korean hackers targeted security researchers by using a blog laced with a zero-click vulnerability as a lure. The hackers reached out by Twitter DMs, Keybase and LinkedIn, in what’s believed to be an effort to steal security research. But it’s a brutal reminder that hackers can be targets too, and worse, that it preyed on the collaborative and open spirit of security research. @richinseattle (https://twitter.com/richinseattle/status/1353864756109578241?s=21) confirmed he was hit, but luckily the damage was limited to a virtual machine. Google revealed the campaign in a blog post (https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/), and Microsoft also attributed (https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/) the hackers to North Korea.
More: Microsoft (https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/) | @shanehuntley (https://twitter.com/shanehuntley/status/1353856344655204352?s=21) | @maddiestone (https://twitter.com/maddiestone/status/1353885746344517633?s=20) | @snlyngaas (https://twitter.com/snlyngaas/status/1353860259518017536?s=21)
Suspected Russian hack extends far beyond SolarWinds software, investigators say (https://www.wsj.com/articles/suspected-russian-hack-extends-far-beyond-solarwinds-software-investigators-say-11611921601) Wall Street Journal ($): Investigators now say there’s solid evidence that SolarWinds wasn’t the only route that suspected Russian hackers used to break into several security companies and federal agencies. About 30% of the victims had no connection to the backdoored SolarWinds software, per the new CISA chief Brandon Wales, in an interview with the Journal. The attackers “gained access to their targets in a variety of ways,” he said. If you recall, some Microsoft cloud accounts were also compromised, allowing the attackers to break into the networks of companies like Malwarebytes, which didn’t use the SolarWinds technology (though CISA said it is not yet aware of companies other than Microsoft targeted in the attack). It comes as four new security vendors — including Palo Alto Networks and Mimecast — confirm they were targeted (https://www.zdnet.com/article/four-security-vendors-disclose-solarwinds-related-incidents/) by the compromised SolarWinds software.
More: ZDNet (https://www.zdnet.com/article/four-security-vendors-disclose-solarwinds-related-incidents/) | Cyberscoop (https://www.cyberscoop.com/mimecast-solarwinds-software-certificate-russia/)
Emotet disrupted by Europol, U.K. and U.S. authorities, mass-uninstall in April (https://www.europol.europa.eu/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action) Europol: Emotet is dead — if not considerably disrupted — after U.S. and European authorities took down the notorious botnet, said to be the world’s largest, following a two-year long operation. Ukrainian police arrested two members of the alleged Emotet group and released a video seizing computers, cash and gold bars. Emotet had hooks in millions of computers and used to serve malware, ransomware and spam campaigns. ZDNet has a good explainer (https://www.zdnet.com/article/emotet-worlds-most-dangerous-malware-botnet-disrupted-by-international-police-operation/) of the operation. The authorities said they plan a mass-uninstall on April 25. Until then, network admins are urged to take time to investigate their networks for Emotet to prevent new payloads from being deployed.
More: ZDNet (https://www.zdnet.com/article/authorities-plan-to-mass-uninstall-emotet-from-infected-hosts-on-april-25-2021/) | Wired ($) (https://www.wired.com/story/emotet-botnet-takedown/) | @milkr3am (https://twitter.com/milkr3am/status/1354459859912192002)
Justice Dept. and Bulgarian authorities announce NetWalker ransomware takedown (https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware) Department of Justice: It was a busy week for international law enforcement after the DOJ confirmed it also disrupted the notorious NetWalker ransomware-as-a-service group. A Canadian national was charged, and over $450,000 in cryptocurrency seized, along with the website the group used to communicate with the victims. NetWalker made at least $25 million (https://www.zdnet.com/article/netwalker-ransomware-gang-has-made-25-million-since-march-2020/) since the start of the pandemic by renting access to its infrastructure to other threat groups.
More: Chainalysis (https://blog.chainalysis.com/reports/netwalker-ransomware-disruption-arrest) | ZDNet (https://www.zdnet.com/article/netwalker-ransomware-gang-has-made-25-million-since-march-2020/)
More Muslim apps worked with X-Mode, which sold data to military contractors (https://www.vice.com/en/article/epdkze/muslim-apps-location-data-military-xmode) Motherboard: Five more Muslim prayer apps worked with X-Mode, a controversial data broker that sold data to military contractors, and by extension the U.S. military. One of the newly discovered apps had 5 million installs to date. The findings were checked against new research (https://www.expressvpn.com/digital-security-lab/investigation-xoth) looking into data brokers and the trackers buried in hundreds of popular apps. The current versions of the apps in Google Play no longer transmit location data after Google (and Apple) banned X-Mode in response to @josephfcox (https://twitter.com/josephfcox)’s story in November that a Muslim app with over 96 million users was sending location data to X-Mode. A separate story I wrote (disclosure!) found that the Google ban was not effective. At least one popular U.S. subway map app (https://techcrunch.com/2021/01/28/x-mode-location-google-apple-ban/) in Google Play was still sending location data to X-Mode, despite the ban. Google later pulled the offending app.
More: TechCrunch (https://techcrunch.com/2021/01/28/x-mode-location-google-apple-ban/) | ExpressVPN Digital Security Lab (https://www.expressvpn.com/digital-security-lab/investigation-xoth)
Apple warns of “remote attacker” security threat on iPhone and iPad, releases iOS 14.4 update (https://www.cbsnews.com/news/apple-update-iphone-security-ios-14-4/) CBS News: Apple released iOS 14.4 this week with patches for three vulnerabilities said to be “actively exploited” (https://techcrunch.com/2021/01/26/apple-says-ios-14-4-fixes-three-security-bugs-under-active-attack/) by hackers. The two sets of bugs — two in WebKit (likely an entry route for the attackers) and one in the kernel — would give escalated (if not full) access to an affected device. @k8em0 (https://twitter.com/k8em0) said: “Your regular web browsing may cause you to be held compromised, without having to do really much of anything else. And that’s a problem.” In true Apple style, it said nothing about the what or the why — or even who is affected — but did say additional details would be available soon, without saying when. Five days later and still nothing. It’s a disappointing if not entirely predictable response from a company that ostensibly claims to care about its users’ security, but sure has a strange way of showing it.
More: TechCrunch (https://techcrunch.com/2021/01/26/apple-says-ios-14-4-fixes-three-security-bugs-under-active-attack/) | Apple (https://support.apple.com/en-us/HT212146)
~ ~
** SUPPORT THIS NEWSLETTER
A big thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051) ), it helps to cover the server and email costs. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png) . ~ ~
** THE STUFF YOU MIGHT’VE MISSED
How did iOS 14 block a zero-day attack used to target journalists? (https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14.html) Google Project Zero: But… credit where credit’s due. Google’s Project Zero did a deep-dive into iMessage in iOS 14, after researchers at Citizen Lab said the update blocked a zero-click zero-day attack (https://techcrunch.com/2020/12/20/citizen-lab-iphone-nso-group/) allegedly used by customers of NSO Group to infect dozens of journalists with its Pegasus spyware. Google found that iOS 14 did prevent the attack from running because of hardening of iMessage under the hood with a new service called BlastDoor. Google has more technical detail (https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14.html) in its blog post.
Dutch COVID-19 patient data sold on the criminal underground (https://www.zdnet.com/article/dutch-covid-19-patient-data-sold-on-the-criminal-underground/) ZDNet: Not a headline you want to see during normal times, let alone in the middle of a pandemic. Two individuals have been arrested by Dutch police after a reporter found Dutch citizens’ data, collected from the health ministry’s COVID-19 systems, on the criminal underground. The ads contained photos of computer screens listing citizens’ COVID-19 data and claimed to have citizens’ home addresses, emails, telephone numbers, dates of birth, and the equivalent of Dutch citizens’ social security number.
Facebook ad services let anyone target U.S. military personnel (https://www.wired.com/story/facebook-ad-targeting-us-military/) Wired ($): Facebook has no plans to fix a potential vulnerability in its ad targeting system that allows anyone to direct ads at serving U.S. military personnel, despite fears that a malicious actor could abuse the system to “run influence operations against US military members at a large scale or in a more targeted way.” There are some 1.3 million serving personnel. Wired said it corroborated (https://twitter.com/lilyhnewman/status/1354823002588803083) the findings, but the researcher @bravebosom (https://twitter.com/bravebosom?lang=en) said there is “no incentive for Facebook to fundamentally change” the system. After all, Facebook makes the vast majority of its money from ads and tracking its users.
Apple’s iOS anti-tracking feature will be enabled by default, and arrive in ‘early spring’ (https://techcrunch.com/2021/01/27/apple-app-tracking-transparency/) TechCrunch: Apple said its new anti-app tracking feature will go live in early spring, and will allow iOS users to deny individual apps access to their private data, effectively preventing them from tracking you. Even better, Apple said it will let users blanket ban app tracking altogether(!) so “no apps can even ask you to use tracking.” No wonder Facebook is spitting feathers — it’s reportedly planning to file an antitrust suit. (Good luck with that, he said sarcastically.) And better late than never on Apple’s part, some two years (https://www.macworld.com/article/3331597/apple-privacy-billboard.html) after the company put up billboards wrongly claiming that “what happens on your iPhone, stays on your iPhone.”
Revealed: A massive Chinese police database used to surveil the Uyghur minority (https://theintercept.com/2021/01/29/china-uyghur-muslim-surveillance-police/) The Intercept: This is an absolutely incredible long-read, and you should take the time out this weekend to dig in. The Intercept obtained a massive police database, developed by private defense company Landasoft, used by the Chinese government to facilitate police surveillance of citizens in Xinjiang, home to millions of oppressed Uyghur Muslims. This took over a year to report. Breathtaking reporting from one of the best in the business, @yaelwrites (https://twitter.com/yaelwrites).
~ ~
** OTHER NEWSY NUGGETS
Grindr fined $11.7 million for violating EU privacy law (https://www.nytimes.com/2021/01/25/business/grindr-gdpr-privacy-fine.html) Gay dating app Grindr was fined $11.7 million for illegally disclosing private details of its users to advertisers, per The New York Times ($) (https://www.nytimes.com/2021/01/25/business/grindr-gdpr-privacy-fine.html). The app transmitted precise locations to at least five tracking companies, tagging users as LGBTQ+ without their explicit permission in violation of European law. That could’ve put users in extreme harm or danger of death in parts of the world where LGBTQ+ rights are nonexistent or actively criminalized.
Chris DeRusha is the new U.S. government’s CISO (https://www.cyberscoop.com/chris-derusha-federal-ciso-biden/) Congrats to Chris DeRusha for the new job in the Biden administration, after helping to protect the then-Biden campaign from cyberattacks. DeRusha will oversee and coordinate cybersecurity policy across the federal government, a highly bureaucratic role that will likely start by focusing on fortifying federal networks in the wake of the Russian espionage campaign discovered late last year. Cyberscoop (https://www.cyberscoop.com/chris-derusha-federal-ciso-biden/) has more on his background.
Police say they can use facial recognition, despite bans (https://themarkup.org/news/2021/01/28/police-say-they-can-use-facial-recognition-despite-bans) Incredible reporting from @alfredwkng (https://twitter.com/alfredwkng/status/1354796210461302784?s=21) on legal flaws in facial recognition laws. In at least six cities with facial recognition bans, police say they can still use the technology, citing loopholes and loose language in the law’s text. “If you create a carve-out for the cops, they will take it,” the ACLU said. ~ ~
** THE HAPPY CORNER
Right, onto the good stuff. Turns out Asana (with “extra delight” enabled) has a fun cat-themed easter egg. Hit “tab + B” — yes, tabby — in the app and your screen will be littered with kittens. I stumbled on this Imgur post (https://imgur.com/gallery/m3IrnhZ) about password-protected alphabet soup earlier this week and laughed way more than I should’ve.
For anyone watching the stonks this week, spare a thought for this unfortunately-named reporter who was barraged with requests for trading advice. And finally, with just days to go before it was set to shut down after more than 27 years, the Bugtraq mailing list has been picked up (https://seclists.org/bugtraq/2021/Jan/1) by Accenture Security. The list has been dedicated to disclosing security bugs since 1993. “Bugtraq has been a valuable institution within the Cyber Security community for almost 30 years,” wrote Accenture. “Many of our own people entered the industry by subscribing to it and learning from it. So, based on the feedback we’ve received both from the community-at-large and internally, we’ve decided to keep the Bugtraq list running.” If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter). ~ ~
** CYBER CATS & FRIENDS
This week’s cyber cat is Zoe, who as you can see likes to take a hands-on approach to micromanaging her human. A big thanks to Don E. for the submission! The cyber cat reserve is almost empty. Please send in your cyber cats! And yes — that includes your non-feline friends (https://mailchi.mp/zackwhittaker/this-week-in-security-december-27-edition) . Send them in here (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.) . ~ ~
** SUGGESTION BOX
That’s all for now. The suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is open as usual. Have a great week, and see you next Sunday. Stay safe and be well.
~this week in security~ does not track email opens or link clicks.