this week in security — november 1 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 42
~ ~
** THIS WEEK, TL;DR
European ransomware group is targeting U.S. hospital networks, analysts warn (https://www.cyberscoop.com/ransomware-hospitals-ryuk-fireeye/) Cyberscoop: FireEye (and several other security firms) said this week that a European ransomware group, dubbed UNC1878, has hit several U.S. hospitals with the Ryuk ransomware in the past week, and in some cases has caused major disruption. Ryuk most recently hit Universal Health Services (https://techcrunch.com/2020/09/28/universal-health-services-ransomware/) , one of the biggest hospital chains in the United States. The group behind these attacks is using TrickBot to infect machines before dropping the ransomware payload; TrickBot was previously targeted (https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/) by Microsoft with mixed results. The attacks have prompted alerts from DHS and the FBI, warning of more attacks to come. It couldn’t come at a worse time unless it hit during the second wave of a pandemic… oh wait. More: Reuters (https://www.reuters.com/article/us-usa-healthcare-cyber-idUSKBN27D35U) | ZDNet (https://www.zdnet.com/article/fbi-warning-trickbot-and-ransomware-attackers-plan-big-hit-on-us-hospitals/) | Wired ($) (https://www.wired.com/story/ransomware-hospitals-ryuk-trickbot/) | CISA (https://us-cert.cisa.gov/ncas/alerts/aa20-302a) | @johnhultquist (https://twitter.com/johnhultquist/status/1321612797113999360?s=21)
A hacker is threatening to leak patients’ therapy notes (https://www.wired.com/story/hacker-threaten-release-therapy-notes-patients/) Wired ($): In equally terrifying healthcare-related ransomware news, a hacker is threatening to leak thousands of notes belonging to therapy patients in Finland. Healthcare provider Vastaamo was hit by ransomware in September, after which the attacker demanded a payment to keep the files out of the public eye. “This attacker has no shame,” said @mikko (https://twitter.com/mikko) . Some 300 records have already been published on the dark web, per the AP. The Finnish government held an emergency meeting last Sunday night to address the incident. More: Associated Press (https://apnews.com/article/psychotherapy-cabinets-finland-6b27c895df0abd532a4fb000c9d5d517) | BBC News (https://www.bbc.com/news/technology-54692120)
Cops turn to Canadian firm after infamous ‘stingrays’ become ‘obsolete’ (https://gizmodo.com/american-cops-turns-to-canadian-phone-tracking-firm-aft-1845442778) Gizmodo: After L3Harris, the company previously known as Harris, said it would no longer sell its “stingray” technology to local law enforcement in the U.S., several police departments have warned their existing stingrays will become obsolete. Now they’re looking for new, similar technology manufactured by a Canadian firm called Octasic. Some police departments have paid hundreds of thousands of dollars to buy stingray alternatives — also known as cell site simulators — which they use to track the location of phones within their range. More: @dellcam (https://twitter.com/dellcam/status/1319716623188660225)
Surveillance startup used own cameras to harass coworkers (https://www.vice.com/en/article/pkdyqm/surveillance-startup-used-own-cameras-to-harass-coworkers) Motherboard: Verkada employees were caught harassing their colleagues on Slack using their very own surveillance cameras. The company’s sales team abused their access to the state-of-the-art cameras that the company builds to make “sexually explicit jokes about women who worked at the company,” per a report by IPVM (https://ipvm.com/reports/verkada-culture?code=samr) and corroborated by Motherboard. The offending Slack channel was reported to the company’s HR in February. The CEO gave the employees an option: be fired, or have their stock reduced. They all chose the latter. After Motherboard’s report was published, the CEO decided to fire them after all. More: IPVM (https://ipvm.com/reports/verkada-culture) | @zenalbatross (https://twitter.com/zenalbatross/status/1320749642439708674?s=20)
Spy agency ducks questions about ‘back doors’ in tech products (https://www.reuters.com/article/us-usa-security-congress-insight-idUSKBN27D1CS) Reuters: The NSA is ducking questions from Sen. Ron Wyden, a member of the Senate Intelligence Committee, on whether the agency still places backdoors in commercial tech products. Cast your mind back to 2015, when Juniper said it discovered a backdoor, likely set (https://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/) by the NSA. The NSA told Wyden in 2018 that it had created a “lessons learned” document about the Juniper incident. But now the agency says it can’t find that document. Does that mean the NSA is still planting backdoors? According to Wyden, he’s not giving up on trying to find out if more backdoors have been planted. More: @dnvolz (https://twitter.com/dnvolz/status/1321447353975513094) | Archive: Wired ($) (https://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/)
Munich Security Conference attendees targeted with Iran-linked spearphishing (https://www.cyberscoop.com/munich-security-conference-phishing-iran-apt35/) Cyberscoop: Iran-backed hackers, also known as APT 35, have been sending spoofed emails to potential attendees of the Munich Security Conference and the Think 20 Summit in Saudi Arabia, according to Microsoft. It wasn’t immediately clear what the goal of the operation was, besides trying to steal credentials and what Microsoft described as “intelligence collection purposes.” Many of the 100 or so targets were high-profile former government officials and policy experts. More: TechCrunch (https://techcrunch.com/2020/10/28/microsoft-iran-hackers/) | Microsoft (https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/)
~ ~
** SUPPORT THIS NEWSLETTER
Thank you to everyone who reads this newsletter! If you can spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051) ), it helps to maintain its upkeep. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png) .
~ ~
** THE STUFF YOU MIGHT’VE MISSED
Grayshift, the startup that breaks into iPhones for the feds, raises $47 million (https://www.forbes.com/sites/thomasbrewster/2020/10/26/grayshift-the-startup-that-breaks-into-unlocked-iphones-for-the-feds-raises-47-million/) Forbes: Grayshift, the maker of the GrayKey device used by feds and police to break into encrypted iPhones, has raised $47 million, an unusually large amount for a forensics company. The device is used by ICE, CBP, and the FBI, as well as dozens of local law enforcement agencies across the U.S. — and is believed to be able to break into iPhone 11 devices and earlier. The Series A round was led (https://www.prnewswire.com/news-releases/grayshift-secures-47-million-series-a-financing-round-led-by-peakequity-partners-301159372.html) by PeakEquity Partners.
Security blueprints of many companies leaked in hack of Swedish firm, Gunnebo (https://krebsonsecurity.com/2020/10/security-blueprints-of-many-companies-leaked-in-hack-of-swedish-firm-gunnebo/) Krebs on Security: Gunnebo, a Swedish security firm, was hit by ransomware, allowing the intruders to steal thousands of sensitive documents — including schematics of client bank vaults and surveillance systems of banks, government agencies, airports, casinos, and even nuclear power plants.
Marriott fined pennies for each of the 339 million hotel guests whose data was stolen for years (https://www.theregister.com/2020/10/30/marriott_starwood_hack_fine_just_18_4bn/) The Register: Another GDPR failure? Sounds like it, after U.K. authorities fined hotel chain giant Marriott just pennies for each of the 339 million victims whose data was stolen by hackers over a four-year period between 2014 and 2018. The final fine amounts to £18.4 million (or $23.8m), reduced from £99 million ($128m) in large part (https://techcrunch.com/2020/10/30/uk-watchdog-reduces-marriott-data-breach-fine-to-23-8m-down-from-123m/) because of the impact that coronavirus had on the business. (Marriott made $20.7 billion in revenue in 2018, for the record.) Names, addresses, phone numbers, email addresses, dates of birth, and passport numbers were stolen in the breach. The U.K.’s Information Commissioner’s Office, which issued the fine, did the same thing with British Airways a few weeks ago, reducing a fine of $230 million down to just $25.8 million.
~ ~
** OTHER NEWSY NUGGETS
Amazon fired employee for leaking customer emails (https://www.vice.com/en/article/dy8zwz/amazon-fired-employee-leaking-customer-emails) Third time unlucky for Amazon, which emailed customers this week warning that their personal information had been improperly disclosed by an Amazon employee to an unnamed third party. Yes, it’s the third time this has happened, after similar incidents in 2018 (https://techcrunch.com/2018/11/21/amazon-admits-it-exposed-customer-email-addresses-doubles-down-on-secrecy/) and again earlier this year (https://techcrunch.com/2020/01/10/amazon-employees-email-address/) . And, as per usual, Amazon declined to answer basic questions, such as how many customers were affected. At least Amazon can’t be accused of taking the “security and privacy of its customers seriously” because clearly it doesn’t give a hoot.
Iranian hackers probed election-related websites in 10 states, U.S. officials say (https://www.cyberscoop.com/iran-election-hacking-state-websites-probe-fbi/) Iranian hackers probed the election-related websites of at least ten states, and in one case accessed voter registration data. The hackers were “conducting broad scanning” of state and local websites in September. CISA later said (https://us-cert.cisa.gov/ncas/alerts/aa20-304a) that the activity was linked back to the same threat actor “responsible for the mass dissemination of voter intimidation emails to U.S. citizens,” which John Ratcliffe, the director of national intelligence, warned about (https://www.washingtonpost.com/technology/2020/10/20/proud-boys-emails-florida/) last week.
Google’s Project Zero discloses Windows 0day that’s been under active exploit (https://arstechnica.com/information-technology/2020/10/googles-project-zero-discloses-windows-0day-thats-been-under-active-exploit/) Google’s Project Zero dropped a zero-day, affecting “at least” Windows 7 and Windows 10, this Friday, after the researchers found the vulnerability was under active attack. Google therefore gave Microsoft just a week to fix the bug. That deadline came and went, and no fix was published. The escalation of privilege vulnerability was used in conjunction with another bug (https://www.zdnet.com/article/google-discloses-windows-zero-day-exploited-in-the-wild/) in Chrome, disclosed and fixed last week, to break out of the Chrome sandbox and get access to the host operating system. Google’s @benhawkes (https://twitter.com/benhawkes/status/1322206828202127360) confirmed that the bug is not related to the U.S. election. Still, not great to drop on a Friday night, but from the sounds of it there’s not much IT admins can do until Patch Tuesday anyway.
~ ~
** THE HAPPY CORNER
And now, the happy corner.
This week, @thepacketrat (https://twitter.com/thepacketrat/status/1321418280536604672) got an unusually accurate horoscope reading. Also, terrible opsec Sean — now everyone knows you have a birthday.
Academics at Harvard, working with the Electronic Frontier Foundation, have written a guide for non-lawyers, like security researchers, interested in getting a rough idea of when U.S. law can create legal risks. Finally! Something easy to read for hackers and researchers alike to know where the legal lines are in the sand. Definitely worth a read [PDF] (https://clinic.cyber.harvard.edu/files/2020/10/Security_Researchers_Guide-2.pdf) .
Consumer Reports recently revamped and relaunched its security planner, which helps ordinary folk assess and understand security risks and what they can do to be more secure. Check it out here (https://securityplanner.consumerreports.org/) .
And, some controversy in the U.K. after the official register of companies, Companies House, had to email (https://twitter.com/zofrex/status/1319286955314614275) everyone to warn about one particular company that had an XSS bug in its name. Seriously! Here’s the company name (https://twitter.com/russss/status/1319343871889969154) . The company name wasn’t unlawful, but after what’s believed to be “some encouragement,” the company later changed its name (https://find-and-update.company-information.service.gov.uk/company/12956509) to “THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD.” Brilliant.
If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) .
~ ~
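The Companies House story above is the textbook stored-XSS shape: a name field that legitimately accepts arbitrary text gets copied, unescaped, into HTML that other people's browsers render. The following is an added example, not code from the newsletter or from Companies House, showing the difference between interpolating such a name straight into markup and HTML-escaping it first. The company name used here is constructed for illustration; `renderUnsafe`, `renderSafe` and `escapeHtml` are illustrative names, not anything from the real register.

```javascript
// Added example (not from the newsletter): a user-supplied company name rendered
// into HTML. A name that contains markup is harmless if every untrusted value is
// escaped before it is placed into the page. The name below is constructed.
const CONSTRUCTED_NAME = '<SCRIPT>1</SCRIPT> LIMITED';

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the name is interpolated directly into HTML, in both a
// text node and a quoted attribute, so any tags or quotes in it become markup.
function renderUnsafe(name) {
  return `<li class="company" title="${name}">${name}</li>`;
}

// Hardened pattern: the same template, but the name is escaped on output, so
// the browser shows the tags as literal text and cannot execute them.
function renderSafe(name) {
  return `<li class="company" title="${escapeHtml(name)}">${escapeHtml(name)}</li>`;
}

// Crude check used only to make the difference visible: is there a raw
// <script tag anywhere in the produced HTML? The templates never emit one
// themselves, so any hit came from the untrusted name.
function containsRawScriptTag(html) {
  return /<\s*script/i.test(html);
}

console.log('unsafe:', renderUnsafe(CONSTRUCTED_NAME));
console.log('safe:  ', renderSafe(CONSTRUCTED_NAME));
```

The fix is on output, not input: rejecting names with angle brackets at registration would have been the wrong layer (the register is allowed to hold that name) and would not protect the email templates and third-party sites that already copy names from it. Templating engines that auto-escape by default do the equivalent of `escapeHtml` for you; the risk is any place that opts out of it.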
** THIS WEEK’S CYBER CAT
This week’s cyber cat is Sterling. As you can tell, Sterling takes security and privacy very seriously, unlike the CEOs who just say they do after they discover they were hacked. Good job, Sterling. A big thanks to @addiml (https://twitter.com/addiml) for the submission! Please keep sending in (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) your cyber cats! They will always be featured.
~ ~
** SUGGESTION BOX
And we’re done! Thanks for reading. If you have any feedback or comments, please drop it in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Take care, have a safe and healthy week — see you next Sunday!