this week in security — march 7 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 4, issue 10
~ ~
** THIS WEEK, TL;DR
Microsoft blames new Exchange Server attacks on new China-backed hackers (https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/) Microsoft, Volexity: Cancel your weekends, if you haven’t already. This one looks nasty. Microsoft says (https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/) a new threat group, Hafnium (here’s an explainer (https://twitter.com/webjedi/status/1368031744096616448?s=21) on the name), which operates in and is backed by China, is exploiting four zero-day vulnerabilities in on-premises Exchange Server installations. These four bugs are chained (https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/) and allow for total server compromise, including theft of email and contacts for the entire organization. Worse, the emergency patches rolled out this week close the holes but don’t remove the web shells and other backdoors Hafnium has already planted, so a server that was exposed before it was patched still has to be treated as potentially compromised and investigated. Yes, this is bad. Reuters (https://www.reuters.com/article/us-usa-cyber-microsoft-idUSKBN2AX23U) is reporting tens of thousands of organizations are affected, while the Wall Street Journal ($) (https://www.wsj.com/articles/china-linked-hack-hits-tens-of-thousands-of-u-s-microsoft-customers-11615007991) goes as far as 250,000 victims. Volexity, which helped Microsoft with the disclosure, also has a blog post (https://twitter.com/Volexity/status/1366858421019045890) on the vulnerabilities, as does Kaspersky (https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/) . The federal government is weighing its response, while CISA has issued its second emergency directive (https://cyber.dhs.gov/ed/21-02/) of the year. And it’s only March… More: Microsoft Security (https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/) | Volexity (https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/) | Wall Street Journal ($) (https://www.wsj.com/articles/china-linked-hack-hits-tens-of-thousands-of-u-s-microsoft-customers-11615007991) | @kimzetter (https://twitter.com/KimZetter/status/1367216041642790913?s=20)
Far-right platform Gab has been hacked — including private data (https://www.wired.com/story/gab-hack-data-breach-ddosecrets/) Wired ($): Do you remember reading this story and thinking, wow this is huge, but totally spaced on the fact that it was less than a week ago? Enter @a_greenberg (https://twitter.com/a_greenberg/status/1366208261897261061) , who was contacted last Friday about a major breach of Gab’s backend. WikiLeaks-style group Distributed Denial of Secrets obtained more than 70 gigabytes of Gab’s data — some 40 million posts — taken by a hacktivist. (Journalists and academics have access to the data, but the general public won’t.) Gab CEO Andrew Torba accused Greenberg of helping the hackers (which Wired denied, obviously). Torba, who is widely regarded as a terrible person, later used a transphobic slur to insult the hackers “attacking” the site. Enter Greenberg’s response (https://twitter.com/a_greenberg/status/1366210903482507270?s=20) , posted below. Ars later reported that Gab’s own CTO, a former Facebook engineer, may have introduced (https://arstechnica.com/gadgets/2021/03/rookie-coding-mistake-prior-to-gab-hack-came-from-sites-cto/) the SQL injection flaw the hackers used to siphon off the site’s data. If so, that’s quite the self-own. More: Ars Technica (https://arstechnica.com/gadgets/2021/03/rookie-coding-mistake-prior-to-gab-hack-came-from-sites-cto/) | @a_greenberg (https://twitter.com/a_greenberg/status/1366208261897261061)
Google says it won’t adopt new tracking tech after phasing out cookies (https://techcrunch.com/2021/03/03/google-renounces-ad-tracking/) TechCrunch: Google said (https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html) this week it will not build an alternative to third-party cookies to track users. But this one requires some unpacking, because it doesn’t mean that ads won’t be targeted in the future. @swodinsky (https://twitter.com/swodinsky) had a great explainer (https://gizmodo.com/stop-letting-google-get-away-with-it-1846414787) walking through what this means and, critically, what it doesn’t. @saramorrison (https://twitter.com/saramorrison) also explains more: “Google will still track and target users on mobile devices, and it will still target ads to users based on their behavior on its own platforms, which make up the majority of its revenue and won’t be affected by the change.” The move may have significant implications for the digital ad industry, but it likely won’t for Google itself. More: Google’s Chromium blog (https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html) | Recode (https://www.vox.com/recode/2021/3/3/22311460/google-cookie-ban-search-ads-tracking) | Gizmodo (https://gizmodo.com/stop-letting-google-get-away-with-it-1846414787)
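The SQL injection angle in the Gab item above deserves a concrete look, since it is the single most common way a web app ends up dumping its whole database. What follows is an added example, not Gab’s code and not taken from the Ars report: a post-search query built by string interpolation next to the same query with a bound parameter, run against a constructed in-memory SQLite table. The table, the rows, the function names and the payload are all illustrative.

```python
import sqlite3

# Constructed sample table (not Gab's schema): public posts alongside private
# ones that a search endpoint is never supposed to return.
SAMPLE_POSTS = [
    (1, "alice", "morning everyone", 1),
    (2, "bob", "public rant about everything", 1),
    (3, "alice", "private: here is my password reset link", 0),
    (4, "carol", "dm: meet at the usual place at 9", 0),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER, author TEXT, body TEXT, is_public INTEGER)"
    )
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)", SAMPLE_POSTS)
    return conn


def search_vulnerable(conn, term):
    """Search public posts; the search term is pasted straight into the SQL.

    This is the rookie-mistake shape: whatever the caller types becomes part
    of the statement, so a quote plus an OR rewrites the WHERE clause.
    """
    sql = (
        "SELECT id, author, body FROM posts "
        f"WHERE is_public = 1 AND body LIKE '%{term}%'"
    )
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Same search with a bound parameter; the input is data, never SQL."""
    sql = "SELECT id, author, body FROM posts WHERE is_public = 1 AND body LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Constructed injection payload: closes the LIKE literal, ORs in a tautology
# and comments out the trailing %' so the statement still parses.
PAYLOAD = "' OR 1=1 --"


def private_rows_leaked(rows):
    """Count returned rows whose id belongs to a non-public post."""
    private_ids = {pid for pid, _, _, public in SAMPLE_POSTS if not public}
    return sum(1 for pid, _, _ in rows if pid in private_ids)


if __name__ == "__main__":
    conn = make_db()
    leaked = search_vulnerable(conn, PAYLOAD)
    print(f"interpolated: {len(leaked)} rows, {private_rows_leaked(leaked)} private")
    safe = search_safe(conn, PAYLOAD)
    print(f"parameterized: {len(safe)} rows, {private_rows_leaked(safe)} private")
```

Run it and the interpolated version returns every row, the two non-public ones included, because AND binds tighter than OR and the payload turns the filter into `(is_public = 1 AND body LIKE '%') OR 1=1`. The parameterized version returns nothing, since the same bytes are matched as a literal pattern. The fix is not escaping quotes by hand but keeping user input out of the statement text altogether, which is what placeholders (and an ORM’s bound-parameter query methods) do for you.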
Casting a wide intrusion net: Dozens burned with single hack (https://apnews.com/article/donald-trump-politics-europe-eastern-europe-new-zealand-f318ba1ffc971eb17371456b015206a5) Associated Press: A hack at file-transfer company Accellion is already affecting dozens of major organizations — New Zealand’s central bank, Harvard Business School, Australia’s securities regulator, and the high-powered U.S. law firm Jones Day — and more. Accellion was hit in December and January with a two-stage attack, blamed on hackers believed to operate out of Eastern Europe. Up to 100 Accellion customers have been hacked so far, and the AP does a great job of walking through the breach — which you’ve likely heard of, but been bogged down by SolarWinds, Hafnium… and pretty much everything else going on at the moment. More: Dark Reading (https://www.darkreading.com/attacks-breaches/qualys-is-the-latest-victim-of-accellion-data-breach/d/d-id/1340323) | @fbajak (https://twitter.com/fbajak/status/1368572421033299970)
Navajo Nation hospital targeted by large-scale ransomware hack (https://www.nbcnews.com/tech/security/ripe-extortion-navajo-nation-hospital-targeted-large-scale-ransomware-hack-n1259457) NBC News: A ransomware attack at one New Mexico hospital forced staff to revert to pen and paper to keep going. Sensitive personnel files were later posted online by the hacking group trying to cash in after the attack. The hospital paid the ransom, reports @kevincollier (https://twitter.com/kevincollier/status/1367148375133605893) . It’s the latest hospital to be hit by hackers — some 560 healthcare facilities last year were hit with ransomware. More: @kevincollier (https://twitter.com/kevincollier/status/1367148375133605893)
Virginia becomes second state with consumer data protection law (https://www.virginiabusiness.com/article/va-set-to-become-2nd-state-with-consumer-data-protection-law/) Virginia Business: Some news if you’re a Virginia resident: Governor Ralph Northam has signed what’s been described (https://www.washingtonpost.com/technology/2021/03/02/privacy-tech-data-virgina/) as the “industry-friendly” Consumer Data Protection Act, the second such GDPR-style bill to pass in the U.S., following California. It will allow residents to receive, amend and delete their data, and opt out of marketing. It’s a big law and lots to digest, though not everyone’s happy with it. EFF has a strong (https://www.eff.org/deeplinks/2021/02/virginias-weak-privacy-bill-just-what-big-tech-wants) rebuttal, arguing it does more to protect businesses. More: Electronic Frontier Foundation (https://www.eff.org/deeplinks/2021/02/virginias-weak-privacy-bill-just-what-big-tech-wants) | Washington Post ($) (https://www.washingtonpost.com/technology/2021/03/02/privacy-tech-data-virgina/) | National Law Review (https://www.natlawreview.com/article/new-virginia-privacy-bill)
Students are easily cheating ‘state-of-the-art’ test proctoring tech (https://www.vice.com/en/article/3an98j/students-are-easily-cheating-state-of-the-art-test-proctoring-tech) Motherboard: This earns jealousy points from me; I wish I had written this story. Proctoring tech has become all the rage during the pandemic, but it’s a privacy nightmare and the tech doesn’t seem to work half the time. Now students are proving their case by showing that it’s not only possible to cheat, but easy to cheat using remote proctoring software. In some cases all a student needs is an HDMI cable hooked up to a TV screen that mirrors their screen. More: @zenalbatross (https://twitter.com/zenalbatross/status/1367860407403167745)
~ ~
** SUPPORT THIS NEWSLETTER
Thank you to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051) ), to help cover the server and email costs. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) , or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png) . ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Hackers are finding ways to hide inside Apple’s walled garden (https://www.technologyreview.com/2021/03/01/1020089/apple-walled-garden-hackers-protected/) MIT Technology Review ($): Apple’s walled garden approach to device security is making it difficult for researchers and investigators to examine if a user’s iPhone has been targeted by hackers. That means hackers or nation states can sneak in and plant malware (or spyware — like NSO’s Pegasus), but researchers are stuck, unless they use similar tools or jailbreaks, which aren’t always available. That includes the good folk up at Citizen Lab, who struggled to investigate (https://techcrunch.com/2020/12/20/citizen-lab-iphone-nso-group/) state-backed zero-click attacks against journalists last year. As @HowellONeill (https://twitter.com/HowellONeill) explains: “Apple’s extraordinary defenses end up protecting the attackers themselves.”
Three top Russian cybercrime forums hacked (https://krebsonsecurity.com/2021/03/three-top-russian-cybercrime-forums-hacked/) Krebs on Security: Three of the longest running Russian-language hacking forums have themselves been hacked. Two of the attacks saw the hackers make off with the forum’s user database — including email addresses, IP addresses, and hashed passwords. (Intel 471 says there was a fourth (https://intel471.com/blog/mazafaka-hacked-cybercrime-forums-exploit-crdclub-verified/) forum hacked.) One of the forums hacked was Maza, which includes ICQ numbers for many users. This is notable, Krebs says, because ICQ numbers are tied to specific accounts and can be used “to connect multiple accounts to the same user across many forums and different nicknames over time.” More from @campuscodi (https://twitter.com/campuscodi) , whose new home is at The Record (https://therecord.media/maza-cybercrime-forum-hacked-user-data-dumped-online/) .
Military unit that conducts drone strikes bought location data from ordinary apps (https://www.vice.com/en/article/y3g97x/location-data-apps-drone-strikes-iowa-national-guard) Motherboard: From Motherboard, the motherlode story for anyone covering in-app trackers. The 132d Wing of the Iowa National Guard, which provides intelligence, surveillance, and reconnaissance — and crucially “conducts strikes with Reaper drones” — bought access to Locate X, a product that lets users search by a specific area to see which devices were present. @josephfcox (https://twitter.com/josephfcox/status/1367476472823353346) has all the details in his story and tweet thread. Next time someone says that in-app trackers are fine and are nothing to be concerned about, you should just send them this story.
Okta says it’s buying security rival Auth0 for $6.5 billion (https://www.cnbc.com/2021/03/03/okta-is-buying-security-rival-auth0-for-6point5-billion-stock-falls.html) CNBC: An interesting acquisition this week: Online identity giant Okta bought Auth0 for $6.5 billion in an all-stock deal. Why does it matter? Auth0 has a huge number of free accounts for hobbyist developers, and Okta is, well, enormous and mostly enterprise focused. Auth0 will remain an independent business. For now, at least. ~ ~
** OTHER NEWSY NUGGETS
Russian and Chinese hackers gained access to European Medicines Agency (https://www.volkskrant.nl/nieuws-achtergrond/russian-and-chinese-hackers-gained-access-to-ema~bdc61ba59/) Last year, the European Medicines Agency (EMA) was hacked by a Russian intelligence agency and a Chinese espionage group. According to De Volkskrant ($) (https://www.volkskrant.nl/nieuws-achtergrond/russian-and-chinese-hackers-gained-access-to-ema~bdc61ba59/) , the Russians gained access to EMA’s internal network by exploiting a setting in the authentication system that allowed them to abuse the two-factor verification. The Dutch publication says the EMA did not configure two-factor verification properly.
Universal Health Services reports $67 million in losses after ransomware (https://www.cyberscoop.com/universal-health-services-ransomware-cost-ryuk/) UHS, a U.S. healthcare chain with more than 400 hospitals, was hit with Ryuk ransomware last year and took more than three weeks to get its systems back online. Its latest earnings show the attack cost the company $67 million in pre-tax losses. Don’t feel too bad for the company: it made more than $3 billion in the fourth quarter last year alone, and it has cybersecurity insurance, which it expects to cover most of the costs it incurred.
Facebook will pay $650 million to settle class action suit centered on Illinois privacy law (https://techcrunch.com/2021/03/01/facebook-illinois-class-action-bipa/) Facebook has been ordered to pay $650 million for running afoul of Illinois’ biometric privacy law, which has tripped up several tech companies over the years (and has its eyes set (https://www.biometricupdate.com/202101/clearview-ai-biometric-data-privacy-suit-sent-back-to-state-courtz) on Clearview AI, too). The suit against Facebook was first filed in 2015, alleging that Facebook’s practice of tagging people in photos using facial recognition without their consent violated state law. Some 1.6 million state residents will get at least $345 each under the final settlement. Facebook made about $86 billion in revenue last year. ~ ~
** THE HAPPY CORNER
And now for a brief moment of calm, and good news.
This week @runasand (https://twitter.com/runasand/status/1366389068087590916) announced she is joining the Norwegian Armed Forces Cyber Defense as a senior advisor, and will stay in New York. Sandvik previously defended the New York Times newsroom from cyberattacks.
In more job-related news, @selenalarson (https://twitter.com/selenalarson/status/1367837602498441216?s=20) is joining Proofpoint, after more than three years (at least according to my terrible math, maybe longer) at Dragos. Larson, a former reporter, will be the email protection giant’s new senior threat intelligence analyst.
Meanwhile, more from the movers and shakers department — four new CISOs, all women. Also in incredible news, @k8em0 (https://twitter.com/k8em0/status/1367162030835179523?s=21) has donated $1 million through her Pay Equity Now Foundation (https://www.payequitynowfoundation.org/) to Penn State Law to found a gender equity litigation clinic to address financial discrimination in the workplace. The lab is named after Moussouris’s late mother and will be known as the Anuncia Donecia Songsong Manglona Lab for Gender and Economic Equity. The full statement (https://news.psu.edu/story/649274/2021/03/03/administration/cybersecurity-pioneer-gives-1-million-penn-state-law-gender) is here — and worth the read.
Some more good news: a CISA directive (https://cyber.dhs.gov/bod/20-01/) from 2020 requires most federal civilian executive branch agencies to have a vulnerability disclosure policy (VDP). As of this week, it’s a little more than 60% of the way there — which is a major step forward. All the details are here (https://github.com/cisagov/vdp-in-fceb) on GitHub.
And, last on the list this week: If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** CYBER CATS & FRIENDS
Meet Bear. As you can see, he has crumblies on his face. What you can’t see is that he has a Yubikey in his paws. What a good boy. A big thanks to @infosecos (https://twitter.com/infosecos) for the submission! Don’t forget to keep sending in your cyber cats (and your non-feline friends (https://mailchi.mp/zackwhittaker/this-week-in-security-december-27-edition) ). Drop them here (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.) . ~ ~
** SUGGESTION BOX
That’s all for now. If you have any feedback, please drop it in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Hope you have a great week — and see you next Sunday. Take care and be well.
~this week in security~ does not track email opens or link clicks.