~this week in security~

March 14, 2021

this week in security — march 14 edition

~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)

volume 4, issue 11

~ ~

** THIS WEEK, TL;DR

It’s open season for Microsoft Exchange server hacks (https://www.wired.com/story/microsoft-exchange-patch-hacks-ransomware/) Wired ($): And it really is — but first, here’s a quick recap: China-backed espionage group Hafnium is using four zero-days to mass backdoor on-premise Exchange servers — probably for spying. But now more than 10 hacking groups are also using the same flaws, and some are hitting these vulnerable servers with a new kind of ransomware, dubbed DearCry. @lilyhnewman (https://twitter.com/lilyhnewman) explains all of this (https://www.wired.com/story/microsoft-exchange-patch-hacks-ransomware/) and more. If you run on-premise Exchange, patching alone isn’t enough: a patch closes the hole but doesn’t remove a backdoor that was planted before it went on, so check for that too. Meanwhile, a proof-of-concept exploit was posted — and swiftly removed (https://www.vice.com/en/article/n7vpaz/researcher-publishes-code-to-exploit-microsoft-exchange-vulnerabilities-on-github) — from GitHub this week, much to the chagrin of some in infosec (and relief to others). But exactly how all of these groups got hold of the same zero-days is a big mystery (https://arstechnica.com/gadgets/2021/03/security-unicorn-exchange-server-0-days-were-exploited-by-6-apts/) , one that @dangoodin001 (https://twitter.com/dangoodin001) does an excellent job of breaking down in technical detail. The Wall Street Journal ($) reports (https://www.wsj.com/articles/microsoft-probing-whether-leak-played-role-in-suspected-chinese-hack-11615575793?mod=djemalertNEWS) that Microsoft is investigating whether a leak from a security partner played a role.
More: Motherboard (https://www.vice.com/en/article/n7vpaz/researcher-publishes-code-to-exploit-microsoft-exchange-vulnerabilities-on-github) | Ars Technica (https://arstechnica.com/gadgets/2021/03/security-unicorn-exchange-server-0-days-were-exploited-by-6-apts/) | Cyberscoop (https://www.cyberscoop.com/microsoft-exchange-server-china-dhs-cyber/)

Giant datacenter fire takes down government hacking infrastructure (https://www.vice.com/en/article/3an9wb/ovh-datacenter-fire-takes-down-government-hacking-infrastructure) Motherboard: You ever had a cyber-op go up in smoke? A major fire at a datacenter run by cloud giant OVH brought down thousands (https://www.pcgamer.com/a-fire-that-wiped-out-rusts-eu-servers-may-have-been-caused-by-a-faulty-ups/) of websites in the aftermath — as well as government-backed hacking operations. OVH is said to have hosted at least 140 servers used for hacking ops — including those run by Iranian threat actor APT39 and OceanLotus, a group of Vietnamese hackers. Kaspersky’s director of global research and analysis @craiu (https://twitter.com/craiu/status/1369633870786797568) told Motherboard that there’s probably little impact on the hackers’ operations, though. More: PC Gamer (https://www.pcgamer.com/how-rust-got-back-online-after-its-servers-literally-caught-fire/) | @craiu (https://twitter.com/craiu/status/1369633870786797568)

Hackers breach thousands of security cameras, exposing Tesla, jails, and hospitals (https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams) Bloomberg ($): A hacker collective got access to 150,000 internet-connected cameras operated by Sequoia-backed startup Verkada, including at major companies — Cloudflare, Tesla and Intel — and hospitals, jails, and people’s homes. The whole story is worth the read. Tens of thousands of the cameras apparently use facial recognition (https://www.vice.com/en/article/wx83bz/verkada-hacked-facial-recognition-customers) , though Cloudflare pushed back (https://blog.cloudflare.com/about-the-march-8-9-2021-verkada-camera-hack/) on the claim that it used the feature. IPVM, which researches and investigates video tech and surveillance, also has a great post (https://ipvm.com/reports/verkada-super?code=allow) with more of the technical details. More: Motherboard (https://www.vice.com/en/article/wx83bz/verkada-hacked-facial-recognition-customers) | IPVM (https://ipvm.com/reports/verkada-super?code=allow)

The UK is secretly testing a controversial web snooping tool (https://www.wired.co.uk/article/internet-connection-records-ip-act) Wired U.K.: Bad news for the British — the government’s coming for your browsing history. No, it really is — the so-called Snooper’s Charter (everyone calls it that, but not the government) became law in 2016, but only now is it rearing its ugliest head: the end goal is logging and storing the web browsing of every single person in the country. Two unnamed internet providers have already run a trial — only Vodafone has confirmed it wasn’t involved, with the remaining ISPs staying mum. Per Wired: “People’s internet records can contain the apps they have used, the domains they have visited… IP addresses, when internet use starts and finishes, and the amount of data that is transferred to and from a device.” Gross. More: ISP Review (https://www.ispreview.co.uk/index.php/2021/03/two-uk-broadband-isps-trial-new-internet-snooping-system.html)

~ ~

** SUPPORT THIS NEWSLETTER

Thank you to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051) ), to help cover the server and email costs. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) , or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png) . ~ ~

** THE STUFF YOU MIGHT’VE MISSED

Microsoft email server hacks put Biden in a bind (https://www.bbc.com/news/technology-56325784) BBC News: @gordoncorera (https://twitter.com/gordoncorera) looks at how the recent Exchange hacks, attributed to China, could put the Biden administration in a tough spot for its response — and digs into the geopolitical tensions that could warrant retaliation — or not. It’s also worth reading @a_greenberg (https://twitter.com/a_greenberg) ’s story on how the U.S. is weighing its response against Russia for the SolarWinds attack — though retaliation likely isn’t the answer (https://www.wired.com/story/us-solarwinds-russia-retaliation-cyber-policy/) , in large part because Russia hasn’t crossed a line that the U.S. hasn’t crossed itself. It’s hard for the U.S. to throw rocks from inside its glass house.

Netflix is testing a crackdown on password sharing (https://thestreamable.com/news/netflix-begins-test-to-crack-down-on-password-sharing-outside-your-household) The Streamable: The sweetest deal in streaming service history might be coming to an end. Netflix is running a test — one of “hundreds” each year — that aims to crack down on password sharing outside of your household. Netflix has always turned a blind eye to password sharing, even though it costs the company a ton each year. (I mean, who doesn’t use their spouse’s mother’s boyfriend’s Netflix account?)

GitHub discloses security bug related to handling of authenticated sessions (https://github.blog/2021-03-08-github-security-update-a-bug-related-to-handling-of-authenticated-sessions/) GitHub: On March 8 — or Monday for those who, like me, have lost track of time — GitHub said it had “invalidated all authenticated sessions on GitHub.com” (so everyone had to sign in again) out of caution to protect users from “an extremely rare, but potentially serious, security vulnerability affecting a very small number of GitHub.com sessions.” There was no compromise, but basically the bug may have “misrouted” a user’s authenticated session to the browser of another user, handing that user a valid session that wasn’t theirs. ~ ~

** OTHER NEWSY NUGGETS

T-Mobile to step up ad targeting of cellphone customers (https://www.wsj.com/articles/t-mobile-to-step-up-ad-targeting-of-cellphone-customers-11615285803) T-Mobile will automatically enroll its phone customers into an ad program that will be informed by their online browsing habits. Granted, it’s no different from what the other cell carriers do — Sprint, which was acquired by T-Mobile last year, already does this. Does it make it any less gross? Absolutely not. Thankfully, @DrewFitzGerald (https://twitter.com/DrewFitzGerald) walks you through how to opt-out.

Inside Israel’s lucrative, and secretive, cyber-surveillance industry (https://restofworld.org/2021/inside-israels-lucrative-and-secretive-cybersurveillance-talent-pipeline/) Here’s a great, deep-dive into the Israeli surveillance startup market — and how Israel became a powerhouse in developing and selling surveillance technology. It also looks at the work of Eitay Mack and others, who are part of a “loose, tiny, unofficial network of forces” pushing back against Israeli cyberweapon exports. Take the time to read this.

Accellion’s breach keeps getting worse — and more expensive (https://www.wired.com/story/accellion-breach-victims-extortion/) Accellion, whose legacy File Transfer Appliance is used by enterprises around the world to move files in and out of their networks, fixed several bugs in the product in December and January, but not before hackers exploited them to steal data from dozens of Accellion customers — including Qualys, the Reserve Bank of New Zealand, and the U.S. state of Washington — and then extort the victims over it. This isn’t a story that will go away — expect more victims to come forward. ~ ~

** THE HAPPY CORNER

Eric Mill, a.k.a. @konklone (https://twitter.com/konklone/status/1369408761467666433?s=21) , is returning to the U.S. government as a senior advisor to the new federal CIO Clare Martorana (https://www.fastcompany.com/90612932/biden-clare-martorana-chief-information-officer) , at the U.S. Office of Management and Budget. Mill previously worked at 18F and on Google’s Chrome security team. Congrats!

And good news for DocumentCloud fans (yes, I’m looking at you, fellow reporters). The document sharing platform has been revamped from the ground up and its code is now open source. @dylfreed (https://twitter.com/dylfreed/status/1370083329010237441) has a thread. If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~

** CYBER CATS & FRIENDS

Meet Tara, this week’s cyber cat. Tara enjoys, among other things, watching her human do school work and taking screenshots with her butt. (That sounds like a superpower, no?) A big thanks to @PumpkinFruitBat (https://twitter.com/PumpkinFruitBat) for the submission! Please keep sending in your cyber cats (and your non-feline friends (https://mailchi.mp/zackwhittaker/this-week-in-security-december-27-edition) ). You can drop them here (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.) . ~ ~

** SUGGESTION BOX

And we’re out. Thanks for reading — and, as always, if you have any feedback, please drop it in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Take care, and see you next week!

~this week in security~ does not track email opens or link clicks.
