this week in security — may 16 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 4, issue 19
~ ~
** THIS WEEK, TL;DR
Darkside retreats after blamed for Colonial Pipeline ransomware attack (https://zetter.substack.com/p/darkside-retreats-to-the-dark) Kim Zetter: So, that was a week, huh? Colonial Pipeline, which carries jet fuel and gasoline to most of the U.S. east coast, was hit by a ransomware attack and it was as bad as you’d expect. Panic buying led to fuel shortages. @kimzetter (https://twitter.com/kimzetter) led this week’s coverage of the incident. So much to cover… the FBI blamed (https://www.cyberscoop.com/fbi-darkside-colonial-pipeline-ransomware/) the Darkside ransomware-as-a-service group for the incident, then they began to bottle it after the pipeline was brought offline. @briankrebs (https://twitter.com/briankrebs) wrote a profile on Darkside, which was a good read (https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/) , as was Cyberscoop’s piece (https://www.cyberscoop.com/darkside-ransomware-pipeline-russia-hacker-colonial/) . After Darkside claimed it lost control (https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/) of its servers, speculation seems to range from U.S. law enforcement taking action, all the way to an exit scam by the operators themselves. More: Cyberscoop (https://www.cyberscoop.com/fbi-darkside-colonial-pipeline-ransomware/) | Zero Day (https://zetter.substack.com/p/biden-declares-state-of-emergency) | The Record (https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/) | Intel 471 (https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime) | @nicoleperlroth (https://twitter.com/nicoleperlroth/status/1392196162493444098?s=20) | @hacks4pancakes (https://twitter.com/hacks4pancakes/status/1391779256854884352)
Colonial Pipeline paid hackers nearly $5 million in ransom (https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom?sref=gni836kR) Bloomberg: Meanwhile, @williamturton (http://twitter.com/williamturton) (who had excellent coverage throughout the week) et al. broke the news that Colonial Pipeline paid $5 million in ransom to get its systems back online. That’s against FBI advice (and pretty much everyone else’s) to never pay the ransom. That $5 million payment is keeping a vicious cycle (https://www.wired.com/story/colonial-pipeline-ransomware-payment/) turning, reports @lilyhnewman (https://twitter.com/lilyhnewman) , who looks at the wider picture. It comes in the same week that Washington DC’s Metropolitan Police Department tried to pay off (https://www.vice.com/en/article/5dbgbk/washington-dc-police-allegedly-offered-dollar100000-to-hackers-to-stop-leak) the Babuk ransomware group with $100,000 to stop it leaking its sensitive files. More: Motherboard (https://www.vice.com/en/article/5dbgbk/washington-dc-police-allegedly-offered-dollar100000-to-hackers-to-stop-leak) | Wired ($) (https://www.wired.com/story/colonial-pipeline-ransomware-payment/) | Bloomberg ($) (https://www.bloomberg.com/news/articles/2021-05-10/cyber-sleuths-blunted-pipeline-hack-choked-data-flow-to-russia) | Associated Press (https://apnews.com/article/police-technology-government-and-politics-53e54780aa080decbb78d5b88d4ff44b)
https://twitter.com/WilliamTurton/status/1392847175693049865
Biden signs executive order designed to strengthen federal digital defenses (https://www.washingtonpost.com/national-security/biden-executive-order-cybersecurity/2021/05/12/9269e932-acd5-11eb-acd3-24b44a57093a_story.html) Washington Post ($): After a wave of hacks targeting the U.S. federal government and thousands of vulnerable Exchange servers, the Biden administration has a new executive order out aimed at defending government agencies from similar attacks. The idea is to direct the Commerce Department to craft new standards for the software vendors that make up the supply chain serving the federal government, to create an NTSB-like model for investigating cybersecurity incidents, and to add some other new provisions. @jackhcable (https://twitter.com/jackhcable/status/1392667587956277248) has a great tweet thread on how the new executive order works and what it means. More: NPR (https://www.npr.org/2021/05/12/996355601/in-wake-of-pipeline-hack-biden-signs-executive-order-on-cybersecurity) | White House (https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/) | BBC News (https://www.bbc.com/news/technology-57101249) | @jackhcable (https://twitter.com/jackhcable/status/1392667587956277248)
https://twitter.com/jackhcable/status/1392667587956277248
Wi-Fi devices going back to 1997 vulnerable to new Frag Attacks (https://therecord.media/wifi-devices-going-back-to-1997-vulnerable-to-new-frag-attacks/) The Record: Belgian security researcher @vanhoefm (https://twitter.com/vanhoefm) is back with a new set of Wi-Fi vulnerabilities, dubbed Frag Attacks (https://www.fragattacks.com/) . Some of the flaws are in the design of the Wi-Fi standard itself and affect devices going back 24 years; others are caused by “widespread programming mistakes.” Obviously that makes patching a nightmare. The Wi-Fi Alliance has spent the past nine months fixing the standard and working with device vendors to fix the vulnerabilities. More: Wired ($) (https://www.wired.com/story/frag-attack-wi-fi-vulnerabilities/) | Frag Attacks (https://www.fragattacks.com/)
Ransomware attack hits Irish health service (https://www.bbc.com/news/world-europe-57111615) BBC News: Yes, more ransomware. This time the Irish health service, which described the ransomware attack as “possibly the most significant cybercrime attack on the Irish state.” The Irish taoiseach said the state won’t pay the ransom, but that the health service had to shut down its IT system as a result. Per @kimzetter (https://twitter.com/KimZetter/status/1393195181894082560?s=20) , it looks like the Conti ransomware group is to blame. While some ransomware groups say they won’t hit medical facilities or infrastructure, Conti never did. Conti reportedly demanded (https://www.bleepingcomputer.com/news/security/ireland-s-health-services-hit-with-20-million-ransomware-demand/) $20 million or it will publish the files it stole before encrypting them. More: Bleeping Computer (https://www.bleepingcomputer.com/news/security/ireland-s-health-services-hit-with-20-million-ransomware-demand/) | Irish Times (https://www.irishtimes.com/news/health/hse-examines-extent-to-which-patient-records-were-compromised-in-cyberattack-1.4566421) | Background: DataBreaches.net (https://www.databreaches.net/exclusive-conti-describes-how-they-attacked-leon-medical-centers-shows-databreaches-net-almost-2-million-patient-related-files/)
~ ~
** SUPPORT THIS NEWSLETTER
Thank you to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051) ), to help cover the server and email costs. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) , or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png) . ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Millions at security risk from old routers, Which? warns (https://www.bbc.com/news/technology-56996717) BBC News: Researchers at Pen Test Partners (https://www.pentestpartners.com/) and consumer watchdog Which? (https://www.which.co.uk/news/2021/05/millions-of-people-in-the-uk-at-risk-of-using-unsecure-routers/) found millions of internet subscribers in the U.K. are using an insecure router. Out of 13 models, more than two-thirds had security vulnerabilities. Six million have a router that hasn’t been updated since 2018. ZDNet also has more (https://www.zdnet.com/article/millions-of-older-broadband-routers-have-these-security-flaws-warn-researchers/) .
https://twitter.com/geoffwhite247/status/1390212840611536897
Phoenix police keep tabs on social media, but who keeps tabs on cops? (https://cronkitenews.azpbs.org/2021/05/13/phoenix-police-keep-tabs-on-social-media-but-who-keeps-tabs-on-cops/) Cronkite News: Incredible reporting here from Arizona’s PBS on how police in Phoenix are following protesters and other residents on social media. This kind of surveillance is gaining traction as a way to address domestic terrorism, but the Phoenix Police Department works under “barebones guidelines when monitoring online activity,” which has civil liberties and privacy experts concerned about the policy gaps that could leave police with “broad powers that can stifle free speech.” A deep-dive, and worth the read. Includes words from @maassive (https://twitter.com/maassive/status/1393314947313008641) from the EFF.
Pentagon surveilling Americans without a warrant, senator reveals (https://www.vice.com/en/article/88ng8x/pentagon-americans-surveillance-without-warrant-internet-browsing) Motherboard: A letter from Sen. Ron Wyden’s office spells out that the Department of Defense is surveilling Americans without a warrant. Wyden, a member of the Senate Intelligence Committee, where much (but not all) of its work is classified, is known for asking pointed questions that skirt very close to the line of what’s allowed to be disclosed, allowing others to dig in and investigate without revealing anything classified. Thus, this newly released letter shows Wyden pushing the Pentagon to reveal more, as the information remains classified. But it does suggest that the Pentagon is interested in, and is collecting, location data from phones without a warrant, simply by buying it from private companies. Solid reporting as always from @josephfcox (https://twitter.com/josephfcox/status/1392888206497091588?s=21) , who also has an explanatory tweet thread on the matter.
Rapid7 says attacker accessed its source code in Codecov supply chain hack (https://www.cyberscoop.com/rapid7-codecov-supply-chain-bash-uploader/) Cyberscoop: Security firm Rapid7 says (https://www.rapid7.com/blog/post/2021/05/13/rapid7s-response-to-codecov-incident/) some of its source code was obtained by way of the Codecov supply chain compromise. Hackers are said to have gained access to hundreds of networks belonging to Codecov customers. (Twilio was another customer that last week said (https://www.twilio.com/blog/response-to-the-codecov-vulnerability) it was also hit by the Codecov fallout.) Rapid7 said its source code repositories also contained some internal credentials. Ouch. ~ ~
** OTHER NEWSY NUGGETS
Exploiting custom protocol handlers for cross-browser tracking in most browsers (https://fingerprintjs.com/blog/external-protocol-flooding/) Here’s some interesting research. The four top modern browsers are vulnerable to cross-browser tracking, allowing websites to track you across different browsers — including Tor. That’s because a website can check whether you have certain apps installed by probing URL scheme handlers, like skype://, for example.
https://fingerprintjs.com/blog/external-protocol-flooding/
Kevin Beaumont’s review of May’s Patch Tuesday (https://twitter.com/GossiTheDog/status/1392211087601410054) @GossiTheDog (https://twitter.com/GossiTheDog/status/1392211087601410054) looks at this month’s Patch Tuesday with a fresh round of bug fixes for Microsoft users, including a remote code execution bug in the HTTP protocol stack (CVE-2021-31166 (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166) ), which should really get fixed, plus a ton of Exchange patches (https://twitter.com/GossiTheDog/status/1392212098680242180) from Pwn2Own. “Keep calm and patch,” he said. @briankrebs (https://krebsonsecurity.com/2021/05/microsoft-patch-tuesday-may-2021-edition/) also has a rundown of this month’s patches.
Riana Pfefferkorn has a lot to say about the Cellebrite hack (https://cyberlaw.stanford.edu/blog/2021/05/i-have-lot-say-about-signal%E2%80%99s-cellebrite-hack) Remember a few weeks back when Signal CEO @moxie (https://twitter.com/moxie/status/1384908290115739649) dropped a handful of zero-days on Cellebrite after he picked up a Cellebrite phone data extraction kit he saw “fall off a truck”? (Weeks earlier, Cellebrite said it could obtain Signal conversations from an unlocked Android phone, which — yeah.) Anyway, @Riana_Crypto (https://twitter.com/Riana_Crypto) has a new blog post (https://cyberlaw.stanford.edu/blog/2021/05/i-have-lot-say-about-signal%E2%80%99s-cellebrite-hack) out that has, as advertised, a lot to say about the whole affair and the legal repercussions that come next. A really fascinating read — can’t recommend it enough.
Passing on your password? Streaming services are past it (https://apnews.com/article/arts-and-entertainment-technology-business-0f9fd76c86ada1d1162f9e9f0b8ca7f5) Well, we knew it might always turn out this way. Streaming services are said to be cracking down on password sharing. Exactly how this plays out will be interesting. Per the AP: “The video companies have long offered legitimate ways for multiple people to use a service, by creating profiles or by offering tiers of service with different levels of screen sharing allowed. Stricter password sharing rules might spur more people to bite the bullet and pay full price for their own subscription. But a too-tough clampdown could also alienate users and drive them away.” @gsuberland (https://twitter.com/gsuberland/status/1393260548536610819?s=20) has an interesting tweet thread on the counterpoints. https://twitter.com/gsuberland/status/1393260548536610819?s=20 ~ ~
** THE HAPPY CORNER
Not much in the happy corner this week, but after some promising revised CDC advice on mask wearing (in the U.S.), some of you had a bit of fun with it. My favorite was from @geoffbelknap (https://twitter.com/geoffbelknap/status/1392930899897978881) : https://twitter.com/geoffbelknap/status/1392930899897978881?s=20 If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** CYBER CATS & FRIENDS
This week’s cyber cat is Crypto. As you can see, she’s sleeping on the job when she should be threat hunting (hackers, spies, mice, etc.) Thanks to her human, @sehnaoui (https://twitter.com/sehnaoui) , for the submission! Please keep sending in your cyber cats (and their friends)! You can drop them here (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.) , and feel free to send updates on previously-submitted friends! ~ ~
** SUGGESTION BOX
Thanks so much for reading — let’s hope next week isn’t as strange or stressful as this one! The suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is always open for feedback. Have a great one, and see you next Sunday.
============================================================
~this week in security~ does not track email opens or link clicks.