this week in security — may 19 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 19.
** THIS WEEK, TL;DR
This was a very busy week for infosec. Buckle up!
WhatsApp Discovers ‘Targeted’ Surveillance Attack (https://www.bbc.com/news/technology-48262681) BBC News: WhatsApp fixed a bug that allowed malware developed by NSO Group and bought by governments to spy on a target’s device. First reported by the Financial Times ($) (https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab) , at least one known target was a U.K. lawyer, according to @iblametom (https://twitter.com/iblametom/status/1128261231071170561?s=21) . Panic ensued, even though there was little need (https://techcrunch.com/2019/05/14/whatsapp-vulnerability-risk/) , but users should update their apps if they haven’t already. The buffer overflow bug (https://m.facebook.com/security/advisories/cve-2019-3568) was triggered by placing several dropped phone calls to a device. WhatsApp said (https://twitter.com/RMac18/status/1128094903639035905) the attack “has all the hallmarks of a private company reportedly that works with governments to deliver spyware.” More: Facebook (https://m.facebook.com/security/advisories/cve-2019-3568) | @rmac18 (https://twitter.com/RMac18/status/1128094903639035905) | Forbes (https://www.forbes.com/sites/thomasbrewster/2019/05/14/whatsapp-hack-target-i-fear-more-victims-are-out-there/)
A Cisco Router Bug Has Massive Global Implications (https://www.wired.com/story/cisco-router-bug-secure-boot-trust-anchor/) Wired ($): As if that news wasn’t bad enough, @lilyhnewman (https://twitter.com/lilyhnewman) scored a great scoop on how security researchers broke secure boot in Cisco routers. That’s a major problem — how do you even patch if you can’t trust the firmware? The researchers called the flaw “Thrangrycat.” Cisco released a patch for a separate remote code execution bug needed to exploit the secure boot flaw, but said secure boot patches could be months away. “Given Cisco’s ubiquity, the potential fallout would be enormous,” wrote Newman. Yeah, and then some. More: Thrangrycat (https://thrangrycat.com/) | Cisco Security Advisory (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot)
New Secret-Spilling Flaw Affects Almost Every Intel Chip Since 2011 (https://techcrunch.com/2019/05/14/zombieload-flaw-intel-processors/) TechCrunch: Tuesday became the busiest day. Security researchers and Intel disclosed a new set of speculative execution bugs affecting pretty much every Intel processor since 2011. Great! Dubbed “ZombieLoad” (yes, there’s a website (https://zombieloadattack.com/) ), a successful attack can obtain secrets from the processor in real time, like passwords and secret keys. It also crosses virtual machine boundaries, and affects cloud systems, too. Is it easy to exploit? Hell no. But it’s an interesting bug nonetheless. Microcode and OS-level software updates are out, so patch your stuff (https://techcrunch.com/2019/05/14/intel-chip-flaws-patches-released/) . (Disclosure: I wrote this story.) More: TechCrunch (https://techcrunch.com/2019/05/14/intel-chip-flaws-patches-released/) | ZombieLoad (http://zombieload.eu)
Microsoft Patches Windows XP To Try To Head Off ‘Wormable’ Flaw (https://www.zdnet.com/article/microsoft-patches-windows-xp-server-2003-to-try-to-head-off-wormable-flaw/) ZDNet: Just over two years after WannaCry hit, another wormable Windows flaw is all we need. If you thought the ZombieLoad bug sounded bad, this latest RDP attack is so much worse and more likely to affect you. Microsoft has more on CVE-2019-0708 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708) and @GossiTheDog (https://twitter.com/GossiTheDog/status/1128431661266415616) has a mega tweet thread on the bug. In short, the bug, if exploited, lets an attacker take remote control of a system or install malware on any system with RDP exposed to the internet. Many are older Windows XP boxes, hence Microsoft jumping to patch a nearly two-decade-old operating system. Dragos also had a great impact assessment (https://dragos.com/blog/industry-news/ics-impact-from-microsoft-rdp-vulnerability/) on the flaw. More: Dragos (https://dragos.com/blog/industry-news/ics-impact-from-microsoft-rdp-vulnerability/) | Microsoft TechNet (https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/)
Trump Signs Order Setting Stage To Ban Huawei from U.S. (https://www.politico.com/story/2019/05/15/trump-ban-huawei-us-1042046) Politico: President Trump signed an executive order all but banning Huawei from the U.S. on grounds of national security. The 5G tech giant has ties to China’s military, sparking worries in the U.S. that the equipment could be used for spying. Huawei wasn’t named in the order but it’s the strongest signal yet that the tech giant could be forced to sit 5G out — in the U.S. at least. More: Ars Technica (https://arstechnica.com/tech-policy/2019/05/trump-tries-to-shut-huawei-out-of-us-market-with-executive-order/) | White House (https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain/)
Ransomware Recovery Firms Often Just Pay The Hackers (https://features.propublica.org/ransomware/ransomware-attack-data-recovery-firms-paying-hackers/) ProPublica: This reporting — excellently done as always on ProPublica — will make your blood boil. Two data recovery firms said they could recover files, but all they did was pay the ransom and charge the organizations a premium for it. There’s no law against paying ransoms, even though the FBI asks people never to pay up. But this kind of shady dealing is the reason why you should always have a backup plan. More: Ars Technica (https://arstechnica.com/information-technology/2019/05/these-firms-promise-high-tech-ransomware-solutions-but-typically-just-pay-hackers/)
Radio Navigation Systems In Planes Can Be Hacked (https://arstechnica.com/information-technology/2019/05/the-radio-navigation-planes-use-to-land-safely-is-insecure-and-can-be-hacked/) Ars Technica: Almost every aircraft flown in the past 50 years is aided by radios to safely land at airports, particularly in bad weather or heavy fog. But these systems aren’t secure — at all — and can be tricked with radio-replay attacks. Using a $600 software defined radio, researchers can spoof signals used in these airport landing systems to trick a plane into thinking it’s going off-course, potentially causing accidents. More: Paper (PDF) (https://aanjhan.com/assets/ils_usenix2019.pdf)
** THE STUFF YOU MIGHT’VE MISSED
How to brick a Samsung phone (https://medium.com/@fs0c131y/how-to-brick-all-samsung-phones-6aae4389bea) Medium: Baptiste Robert, who goes by the online handle Elliot Alderson (https://twitter.com/fs0c131y) , found a bug in most Samsung phones that if triggered can cause a local denial-of-service condition. In his proof-of-concept code, he built a Locker app that effectively trips the device into a loop.
SHA-1 collisions now a lot easier to carry out (https://www.zdnet.com/article/sha-1-collision-attacks-are-now-actually-practical-and-a-looming-danger/) ZDNet: New research out this week showed it’s much easier (and cheaper) to carry out successful SHA-1 collision attacks. SHA-1 is deprecated but it’s still in wide use, particularly in file and document verification. The first collision attack was a breakthrough but now they’re far easier to carry out. @kennwhite (https://twitter.com/kennwhite/status/1127933324931076096) , everyone’s favorite crypto expert, had an interesting mini tweet thread (https://twitter.com/kennwhite/status/1127933324931076096) on the new findings. As @campuscodi (https://twitter.com/campuscodi) writes: “What this means is that SHA-1 collision attacks aren’t a game of roulette anymore, and now, threat actors can forge any SHA-1-signed documents they want, ranging from business documents to TLS certificates.” The paper can be read here (https://eprint.iacr.org/2019/459.pdf) (via @ProfWoodward (https://twitter.com/ProfWoodward/status/1127515939052953600) ).
EFF wins national security letter lawsuit (https://www.eff.org/deeplinks/2019/05/victory-eff-wins-national-security-letter-transparency-lawsuit) EFF: Great news from the EFF: the secretive world of FBI-issued national security letters is about to get a hearty dose of sunlight (https://www.eff.org/document/eff-v-doj-nsl-foia-order) after it won a lawsuit in San Francisco. More than 500,000 have been issued since 2001 when NSL powers first came out after 9/11. NSLs come with gag orders, but are occasionally lifted when they’re no longer necessary. Now, the EFF hopes, it’ll have a better idea of when and how gag orders are lifted. That could make it easier to fight them in future.
Russians accessed two Florida voting databases (https://www.apnews.com/a2af9039533b42bba0e4e04af11ecd67) Associated Press: Russian hackers gained access to voter databases in two Florida counties ahead of the 2016 presidential election, according to Florida governor Ron DeSantis. A hacker got in through a spearphishing email. Data wasn’t manipulated and election results weren’t compromised. Florida votes statewide on paper ballots, according to the AP.
Over two-dozen government ransomware attacks in 2019 alone (https://www.recordedfuture.com/state-local-government-ransomware-attacks/) Recorded Future: A new report out this week gives an insight into the state-of-the-union of ransomware in government. The research shows there were 53 ransomware attacks in 2018, and close to half that for the first four months of 2019, indicating an upward trend. SamSam, Ryuk, WannaCry and CryptoLocker seem to be the biggest hitters in local and state governments, according to the report (https://www.recordedfuture.com/state-local-government-ransomware-attacks/) .
AV makers confirm (and deny) network breaches (https://gizmodo.com/antivirus-makers-confirm-and-deny-getting-breached-afte-1834725136) Gizmodo: This was dogged reporting by @dellcam (https://twitter.com/dellcam/status/1127997828092002305?s=21) and clearly wasn’t easy. He identified the three most likely targets of the previously reported breaches at three large antivirus makers (https://arstechnica.com/information-technology/2019/05/hackers-breached-3-us-antivirus-companies-researchers-reveal/) : Symantec, Trend Micro, and McAfee. Hackers reportedly broke into the AV makers’ systems, according to a Russian research outfit, but there’s still a lot of mystery around exactly how they were breached — if at all. It’s a story to watch, for sure.
CloudCMS, Picreel websites hacked, hitting thousands of customers (https://twitter.com/gwillem/status/1127617495911804935) Willem de Groot: de Groot found two supply chain attacks underway this week: marketing software makers @Picreel (https://twitter.com/Picreel_) and @CloudCMS (https://twitter.com/CloudCMS) had their sites hacked and data-exfiltrating code installed on their websites. That affected their downstream customers — more than 4,600 customers in the end. According to de Groot, data was being siphoned off to a server in Panama. Less than a day later, the companies removed (https://twitter.com/gwillem/status/1127859001885175808) the malicious code.
Hack into school lunch company website leads to arrest of competitor (https://www.sfchronicle.com/bayarea/article/Hack-into-school-lunch-company-web-site-leads-to-13818239.php?psid=4gxTg) San Francisco Chronicle: This is hilarious: the lede alone had me cracking up. “Heated competition” between two Bay Area school lunch firms turned criminal after a top executive at one of the companies allegedly hacked into the other’s website. The chief financial officer was arrested on two counts of hacking. The Register has more (https://www.theregister.co.uk/2019/05/06/school_lunch_data/) . The things people do when they’re hangry…
** OTHER NEWSY NUGGETS
Europol, DOJ take down GozNym banking malware (https://techcrunch.com/2019/05/16/europol-doj-goznym-banking-malware/) Six countries, including the U.S. and with help from Europol, took part in the takedown of the GozNym malware network. Prosecutors on both sides of the pond said the malware attempted to steal $100 million from business bank accounts. Five defendants remain wanted (https://www.documentcloud.org/documents/6006353-GozNym-FBI-poster.html) by the FBI. The DOJ said in a statement (https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled) that the “cybercrime as a service” was taken down following the earlier dismantling of the Avalanche crime network (https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation) . (Disclosure: I also wrote this story.)
Google recalls and replaces Titan security keys (https://security.googleblog.com/2019/05/titan-keys-update.html) Welp — a little embarrassing — but better full disclosure than not. Google said its Bluetooth security keys had a flaw that allowed an attacker in close proximity to communicate with the key or the device it’s connected to. Google said anyone with a T1 or a T2 security key is eligible for a free replacement. Ars Technica explains the situation (https://arstechnica.com/information-technology/2019/05/google-warns-bluetooth-titan-security-keys-can-be-hijacked-by-nearby-hackers/) in more detail. Props to Google for coming clean but definitely bruising.
OGUSERS forum hacked by another hacker (https://www.vice.com/en_us/article/bj97nd/infamous-forum-for-instagram-hackers-gets-hacked-by-other-hackers) Props to @lorenzoFB (https://twitter.com/lorenzofb) for getting “hack” three times in his subhed for this story. The forum, OGUSERS, known for trading stolen Instagram and Twitter accounts, was itself hacked. “Motherboard obtained a copy of the database and verified that the data within it was real by searching for two accounts that our reporters registered,” he wrote. Source code, website data, and private messages were all stolen, along with emails and IP addresses. Someone at the FBI is having a really good week.
Hospitals push device makers to improve security (https://www.wsj.com/articles/rattled-by-cyberattacks-hospitals-push-device-makers-to-improve-security-11557662400) From the Wall Street Journal ($), this was an insider’s look at how hospitals are trying to ensure the devices they use are protected and secured. Hospitals are red teaming to try to find flaws and asking device makers to identify issues — and rejecting bids for devices that don’t contain security features. Healthcare companies and hospitals have reported close to 150 hacks exposing health data in the last year alone. Given most hospitals are private enterprises, it’s a financial decision as much as it is for the protection of their patients.
Twitter snafus iOS location data again (https://help.twitter.com/en/location-data-collection) In case you missed it: Twitter revealed this week it exposed iOS users’ location data with one of its partners in some cases. “If you used more than one account on Twitter for iOS and opted into using the precise location feature in one account, we may have accidentally collected location data when you were using any other account(s) on that same device for which you had not turned on the precise location feature,” wrote the disclosure (https://help.twitter.com/en/location-data-collection) . The data was deleted by the partner, Twitter said.
Hackers abuse Asus’ cloud service again to install backdoors (https://arstechnica.com/information-technology/2019/05/asus-cloud-service-abused-to-install-backdoor-on-pcs/) Asus customers just can’t catch a break. This week, Eset researchers say they discovered router man-in-the-middle attacks that exploit the plain HTTP connections between users and Asus’ servers. By exploiting this insecure update mechanism, which also lacked code-signing, attackers installed malware that backdoored networks. The latest security lapse lands two months after hackers pushed a malicious software update (https://www.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers) to hundreds of thousands of Asus PC owners.
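The Asus item above comes down to two missing controls: transport security and code-signing of the update itself. The following is an added illustration, not code from the newsletter, from Asus or from Eset, of what code-signing buys a client even when the download path is untrusted. It is a constructed model in Go: a vendor signs each update with an Ed25519 key, the client pins the vendor's public key and refuses any payload whose signature does not verify. The `Update` type, the `signingMessage` framing and the sample payloads are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is a hypothetical update package as it arrives over the network:
// a version label, the payload, and a detached signature made by the vendor.
type Update struct {
	Version   string
	Payload   []byte
	Signature []byte
}

// signingMessage binds the version label to the payload, so a genuinely
// signed payload cannot be re-served under a different version label.
func signingMessage(version string, payload []byte) []byte {
	return append([]byte("update-v1\x00"+version+"\x00"), payload...)
}

// SignUpdate is the vendor side (run offline, on the build system): it
// produces the detached signature that ships alongside the payload.
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) Update {
	sig := ed25519.Sign(priv, signingMessage(version, payload))
	return Update{Version: version, Payload: payload, Signature: sig}
}

// ErrBadSignature is returned for any update the pinned key does not vouch for.
var ErrBadSignature = errors.New("update signature does not verify against pinned vendor key")

// VerifyUpdate is the client side: the vendor public key is baked into the
// client, so an on-path attacker who can rewrite the download cannot forge
// a signature that verifies against it.
func VerifyUpdate(pinned ed25519.PublicKey, u Update) error {
	if len(u.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pinned, signingMessage(u.Version, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	return nil
}

// ApplyUnverified models the weak client: it installs whatever bytes arrive.
func ApplyUnverified(u Update) []byte {
	return u.Payload
}

// ApplyVerified models the hardened client: verify first, then install.
func ApplyVerified(pinned ed25519.PublicKey, u Update) ([]byte, error) {
	if err := VerifyUpdate(pinned, u); err != nil {
		return nil, err
	}
	return u.Payload, nil
}

// TamperInTransit models what an on-path position over plain HTTP allows:
// the payload is swapped while the version label and signature ride along.
func TamperInTransit(u Update, replacement []byte) Update {
	u.Payload = replacement
	return u
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample payloads; no real firmware is involved.
	genuine := SignUpdate(priv, "1.2.3", []byte("constructed genuine firmware image"))
	tampered := TamperInTransit(genuine, []byte("constructed attacker payload"))

	fmt.Printf("unverified client installs: %q\n", ApplyUnverified(tampered))
	if _, err := ApplyVerified(pub, tampered); err != nil {
		fmt.Println("verified client rejects tampered update:", err)
	}
	body, err := ApplyVerified(pub, genuine)
	fmt.Println("verified client installs genuine update:", err == nil && bytes.Equal(body, genuine.Payload))
}
```

The point of the framing in `signingMessage` is that signing only the raw bytes would let a stale but genuine old build be served with a newer version label; binding the label into the signed message closes that. Signature checking is not a substitute for HTTPS (an attacker can still block updates or serve an old signed one), but it is the control that turns a rewritten download into a rejected download rather than a backdoor.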
Aussie medicare data sold on the dark web — two years after breach (https://www.theguardian.com/australia-news/2019/may/16/australians-medicare-details-illegally-sold-on-darknet-two-years-after-breach-exposed) Details “of any living Australian citizen” have been available on a dark web marketplace since September 2018, according to The Guardian. It comes two years after an apparent breach (https://www.theguardian.com/australia-news/2017/jul/04/the-medicare-machine-patient-details-of-any-australian-for-sale-on-darknet) of Australian Medicare data.
** THE HAPPY CORNER
And breathe. Here’s some good news:
Congrats to @josephmenn (https://twitter.com/josephmenn/status/1129828086332002304) , who finally showed off his new book, Cult of the Dead Cow, about one of the most prolific hacktivist groups on the internet. Earlier this year he revealed that presidential candidate Beto O’Rourke was a long-time member (https://www.reuters.com/investigates/special-report/usa-politics-beto-orourke/) . Also congrats to @a_greenberg (https://twitter.com/a_greenberg/status/1129114053635379200) for his book reveal this week about the Russian hacker group Sandworm. Really excited to read both.
And in dog-related infosec news, @MalwareJake (https://twitter.com/MalwareJake/status/1129460597794508802) meets a cute airport therapy dog, and @maassive (https://twitter.com/maassive/status/1128424805093371904) shows off his dog sporting some fancy anti-facial recognition sunglasses.
And for anyone wondering why this newsletter is late this week — well, duh! Have you seen how busy it’s been this week? Thanks to @lorenzoFB (https://twitter.com/lorenzofb/status/1128402751384367105) for empathizing. If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place) .
** THIS WEEK’S CYBER CAT
Extremely handsome cybercat alert! This week’s cybercat is Marty, who wants to remind everyone to encrypt their data in transit. A big thanks to Marty’s human, Robert Meineke, for this week’s submission. (You may need to enable images in this email.) Another regular call to send in your cybercats! All I need is a name, a photo, and an optional caption and they will always be featured in an upcoming newsletter. You can submit your cybercats here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) .
** SUGGESTION BOX
And that’s it for now. Wow, what a week. As always you can leave your suggestions and feedback here (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . See you next Sunday.