this week in security — may 17 edition
|MC_PREVIEW_TEXT|
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 20
View this email in your browser (|ARCHIVE|)
~ ~
** THIS WEEK, TL;DR
Ransomware hits ATM giant, Pitney Bowes (again), Trump law firm (https://krebsonsecurity.com/2020/05/ransomware-hit-atm-giant-diebold-nixdorf/) Krebs on Security: A spate of high profile ransomware attacks hit the headlines this week. @briankrebs (https://twitter.com/briankrebs) reported first that ATM giant Diebold Nixdorf, which has about a third of the global ATM market, was attacked. Shipping company Pitney Bowes was hit (https://www.zdnet.com/article/package-delivery-giant-pitney-bowes-confirms-second-ransomware-attack-in-7-months/) for the second time in seven months after an intrusion in October (https://techcrunch.com/2019/10/14/pitney-bowes-ransomware-attack/) . And, a law firm said to hold “dirt” on Trump was hit by REvil (https://variety.com/2020/digital/news/law-firm-hacked-clients-lady-gaga-bruce-springsteen-1234603831/) , a ransomware-as-a-service. The law firm represents a ton of celebrities and high-profile clientele — and hackers are threatening to publish if they don’t get $42 million. These are stories to watch. More: ZDNet (https://www.zdnet.com/article/package-delivery-giant-pitney-bowes-confirms-second-ransomware-attack-in-7-months/) | Variety (https://variety.com/2020/digital/news/law-firm-hacked-clients-lady-gaga-bruce-springsteen-1234603831/) | BBC News (https://www.bbc.com/news/technology-52632729) | @kevincollier (https://twitter.com/kevincollier/status/1261680994337390593) | @malwrhunterteam (https://twitter.com/malwrhunterteam/status/1261339041984897024)
FBI, DHS go public with suspected North Korean hacking tools (https://www.cyberscoop.com/north-korea-hacking-hidden-cobra-dhs-fbi/) Cyberscoop: From award-winning @shanvav (https://twitter.com/shanvav/) , the FBI and Homeland Security have gone public with new malware samples used by North Korean hackers. These samples were uploaded to help investigators and companies fend off attacks. The hackers, known as Hidden Cobra (https://www.us-cert.gov/ncas/current-activity/2020/05/12/north-korean-malicious-cyber-activity) , target financial institutions — including ATMs and cryptocurrency exchanges — which U.N. experts previously said helps finance North Korea’s nuclear weapons program. The samples landed exactly three years to the day after the WannaCry attack, which U.S. authorities blamed on North Korea, and just in time for Wired’s cover story (https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/) on @MalwareTechBlog (https://twitter.com/MalwareTechBlog/status/1260162731954458627) . More: @shanvav (https://twitter.com/shanvav/status/1260202526391128064) | Wired ($) (https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/)
NSO Group pitched phone hacking tech to U.S. police (https://www.vice.com/en_us/article/8899nz/nso-group-pitched-phone-hacking-tech-american-police) Motherboard: A brochure and emails obtained by Motherboard show NSO Group’s U.S. arm, Westbridge, was pitching a hacking tool called Phantom, which can siphon off a phone’s emails, text messages, contact lists, and even remotely switch on the device’s microphone and take photos. The emails came from San Diego’s police department, which later declined to purchase the hacking tool citing a lack of funds. NSO has long said it doesn’t operate (https://twitter.com/razhael/status/1260256319099076613) in the U.S. But this seems to show — technically, at least — otherwise. More: @jsrailton tweets (https://twitter.com/jsrailton/status/1260228266536861696?s=21) | @razhael (https://twitter.com/razhael/status/1260256319099076613) Senate votes to let NSA warrantlessly collect your browsing history (https://www.vox.com/recode/2020/5/13/21257481/wyden-freedom-patriot-act-amendment-mcconnell) Vox: It’s the kind of headline that makes you look twice, but it’s spot on. Sens. Ron Wyden and Steve Daines offered a bipartisan amendment this week that would’ve made it illegal for the government to keep collecting Americans’ private browsing histories without a warrant. The amendment was part of a wider effort to reform and reauthorize FISA, which is the basis of the U.S.’ surveillance laws. But the amendment fell by one vote (https://techcrunch.com/2020/05/13/senate-warrant-americans-web-browsing-data/) . Four senators weren’t even there — one was in isolation - and the other two (https://www.senate.gov/legislative/LIS/roll_call_lists/roll_call_vote_cfm.cfm?congress=116&session=2&vote=00089#position) were Democrats. A lot of people were mightily disappointed. Because another amendment went through, it’s now back to the House. More: TechCrunch (https://techcrunch.com/2020/05/13/senate-warrant-americans-web-browsing-data/) | Lawfare (https://www.lawfareblog.com/senate-proposes-five-amendments-fisa-reform) | Senate roll call (https://www.senate.gov/legislative/LIS/roll_call_lists/roll_call_vote_cfm.cfm?congress=116&session=2&vote=00089#position)
Flaws in Adobe Acrobat Reader allows malware to gain root on macOS silently (https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/) Tencent Security Xuanwu Lab: New findings from Tencent’s security team revealed three critical flaws that use Adobe Acrobat Reader to exploit a chain of vulnerabilities, which grant the attacker “root” user privileges without the user knowing. The proposed fix is for Adobe, but the real vulnerability is within macOS itself. More: @vladimir_metnew (https://twitter.com/vladimir_metnew/status/1261039800502693890)
Cyberattack hits internal IT systems of key player in British power market (https://www.cyberscoop.com/elexon-cyberattack-uk-electricity-market/) Cyberscoop: Elexon, a middleman company that facilitates transactions on the U.K. electricity grid, confirmed it was hit by a cyberattack. Attackers targeted its internal IT system, but the lights across the U.K. didn’t flicker. The U.K. National Grid said in a tweet (https://twitter.com/ng_eso/status/1260996779677569024) that the electricity supply wasn’t affected. The last major attack on the power grid was Christmas 2016, which saw the Ukrainian power grid black out because of powerful nation-state malware. More: @ElexonUK tweets (https://twitter.com/ELEXONUK/status/1260976763427065865?s=20) | Archive: Wired ($) (https://www.wired.com/story/crash-override-malware/) ~ ~ SUPPORT THIS NEWSLETTER
Thanks to everyone who reads and subscribes to this newsletter! Subscribers are going up, as are the monthly costs. If you can spare $1/month (or more for perks (https://www.patreon.com/posts/mugs-are-on-way-32666051) ), it helps to keep the newsletter going. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) here. ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Zero-day broker stops buying iOS exploits due to market saturation (https://twitter.com/Zerodium/status/1260541578747064326) Zerodium: Interesting tweet: Zerodium, a zero-day broker, said it’ll stop receiving iOS exploits — local privilege escalations and Safari remote code execution exploits — because of the “high number of submissions.” In other words, it has too many. This kicked off a lot of discussion. Initially, some thought iOS was woefully broken — hence the spike in submissions. But @bing_chris (https://twitter.com/Bing_Chris/status/1260598136269086720) and @lorenzofb (https://twitter.com/lorenzofb/status/1260555119277551617) noted that this doesn’t tell the full picture of the exploit market — of course it doesn’t. No device is unhackable. But Apple’s persistence hasn’t exactly helped — it claims it can do no wrong (https://venturebeat.com/2019/09/06/apple-blasts-google-project-zero-over-ios-uighur-security-claims/) but that just leads to a false sense of security (excuse the pun). Watch this space as this continues to play out. Supercomputers hacked across Europe to mine cryptocurrency (https://www.zdnet.com/article/supercomputers-hacked-across-europe-to-mine-cryptocurrency/) ZDNet: Several supercomputers across Europe this week were hacked — likely due to compromised SSH passwords — to mine cryptocurrency. The breaches were quickly shut down (https://www.cyberscoop.com/archer-supercomputer-security-incident/) . “We now believe this to be a major issue across the academic community as several computers have been compromised in the UK and elsewhere in Europe,” said the website (https://www.archer.ac.uk/status/) belonging to Archer, the supercomputer housed at the University of Edinburgh. ~ ~
** OTHER NEWSY NUGGETS
Slack now strips location data from uploaded images (https://techcrunch.com/2020/05/11/slack-strips-location-data/) After years (https://www.vice.com/en_us/article/43yjqn/journalists-activists-slack-doesnt-strip-image-metadata) of complaints, Slack now strips location data from uploaded photos. That’s a big deal for journalists and activists who want to share information but keep sources safe. Even if they strip the metadata from a photo before it’s published, governments could still demand the original files from Slack. Now it can’t turn over any new metadata, making it somewhat safer for high-risk users to use. (Disclosure: I wrote this story.)
Thunderspy: What it is, why it’s not scary, and what to do about it (https://arstechnica.com/information-technology/2020/05/thunderspy-what-is-is-why-its-not-scary-and-what-to-do-about-it/) There was a big splash when Thunderspy came out — the name of a new ‘evil maid’ attack (https://thunderspy.io/) used to break into a person’s computer through their Thunderbolt port. The vulnerability can — if exploited correctly — connect a malicious peripheral that bypasses the Windows lock screen, but it takes a lot of effort and is not likely to be used against the vast majority. So, should you worry? Probably not. Ars Technica (https://arstechnica.com/information-technology/2020/05/thunderspy-what-is-is-why-its-not-scary-and-what-to-do-about-it/) has a good, balanced write-up on this attack.
FBI, CISA warn against Chinese hackers targeting COVID-19 research (https://www.fbi.gov/news/pressrel/press-releases/fbi-and-cisa-warn-against-chinese-targeting-of-covid-19-research-organizations) The U.S. came down hard on the Chinese this week, accusing (https://twitter.com/Joseph_Marks_/status/1260572824651038720) its government of setting some of its best hackers against U.S. labs and research firms, in an apparent effort to steal COVID-19 research. The FBI pointed the finger of blame, but didn’t cite its evidence. That’s to come later, it said in a statement (https://www.fbi.gov/news/pressrel/press-releases/fbi-and-cisa-warn-against-chinese-targeting-of-covid-19-research-organizations) . What may be in China’s modus operandi, it’s fair to be skeptical until you see the U.S.’ working first. ~ ~
** THE HAPPY CORNER
A couple things from the bag of good news this week.
Microsoft is open-sourcing (https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/) its COVID-19 threat intelligence. Why? Because the more experts that have it, the harder the hackers’ job will be. Of course, Microsoft’s own customers will have the data, but it’s also pushing it out on GitHub (https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv) .
And, congratulations to @bing_chris (https://twitter.com/Bing_Chris/status/1261042819822690316) and @joel_schectman (https://twitter.com/joel_schectman) at Reuters for winning an award for their investigative work into Project Raven, a group of ex-NSA operatives that turned the UAE into a hacking superpower. You can read their work here (https://www.reuters.com/investigates/section/usa-raven/) . If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** THIS WEEK’S CYBER CAT
This week’s cyber cat is Five. She gets her name from Cat-5 network cabling! According to her human, she’s an expert packer wrangler. (And mouse hunter, too, I’m guessing.) A big thank you to Five’s human for the submission! Don’t forget to send in your cyber cats! You can email them in here (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) . ~ ~
** SUGGESTION BOX
And we’re out! Thank you for reading. Please drop any feedback you might have in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . We got new foster kittens (https://twitter.com/zackwhittaker/status/1261702409983795201) in this week, so apologies for any typos — I’ve had very little sleep!
Take care and see you next week.
============================================================ |IFNOT:ARCHIVE_PAGE| |LIST:DESCRIPTION|
Our mailing address is: |LIST_ADDRESS| |END:IF| You can update your preferences (|UPDATE_PROFILE|) or unsubscribe from this list (|UNSUB|) .