this week in security — november 3 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 42
~ ~
** THIS WEEK, TL;DR
WhatsApp sues Israel’s NSO for allegedly helping spies hack phones (https://www.reuters.com/article/us-facebook-cyber-whatsapp-nsogroup/whatsapp-sues-israels-nso-for-allegedly-helping-spies-hack-phones-around-the-world-idUSKBN1X82BE) Reuters: The big news this week: after NSO was blamed for a “silent call” exploit on WhatsApp some months ago, WhatsApp responded with a lawsuit, blaming the Israeli spyware outfit for building it. The exploit gave users of the spyware, usually governments, access to a victim’s phone data. Because the implant runs on the endpoint itself, end-to-end encryption doesn’t help: messages are lifted from the device after they’ve already been decrypted. A follow-up scoop said (https://www.reuters.com/article/us-facebook-cyber-whatsapp-nsogroup/exclusive-whatsapp-hacked-to-spy-on-top-government-officials-at-u-s-allies-sources-idUSKBN1XA27H) government officials around the world were targeted, including Indian dissidents, per BuzzFeed (https://www.buzzfeednews.com/article/pranavdixit/an-unidentified-government-spied-on-dissidents-in-india?bftwnews&utm_term=4ldqpgc#4ldqpgc) and a Rwandan exile living in the U.K., per BBC News (https://www.bbc.com/news/technology-50249859) . NSO has denied the allegations. More: Reuters (https://www.reuters.com/article/us-facebook-cyber-whatsapp-nsogroup/exclusive-whatsapp-hacked-to-spy-on-top-government-officials-at-u-s-allies-sources-idUSKBN1XA27H) | Risky Business (https://risky.biz/RB560/) | @alexstamos tweets (https://twitter.com/alexstamos/status/1189430655676846080)
BlueKeep’s first mass hacking is here — but don’t panic (https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining) Wired ($): The first mass hacking incident involving BlueKeep, the “wormable” Windows RDP vulnerability that had both DHS (https://www.zdnet.com/article/homeland-security-weve-tested-windows-bluekeep-attack-and-it-works-so-patch-now/) and the NSA (https://techcrunch.com/2019/06/05/nsa-advisory-bluekeep-patch/) in a panic following the devastation from WannaCry. But, as @a_greenberg (https://twitter.com/a_greenberg) notes, this campaign isn’t wormable: the malware isn’t spreading from one machine to another, but is being installed directly on RDP hosts exposed to the internet. And the hackers are only using the exploit to install cryptocurrency miners. So it could be a lot worse, but it’s a marked escalation from what’s been seen to date. More: Kryptos Logic (https://www.kryptoslogic.com/blog/2019/11/bluekeep-cve-2019-0708-exploitation-spotted-in-the-wild/) | @MalwareTechBlog tweets (https://twitter.com/MalwareTechBlog/status/1190802833324462081)
Microsoft funded Israeli firm that surveils West Bank Palestinians (https://www.nbcnews.com/news/all/why-did-microsoft-fund-israeli-firm-surveils-west-bank-palestinians-n1072116) NBC News: Microsoft says it’s committed to protecting democratic freedoms. But then it funded an Israeli facial recognition firm that secretly watched West Bank Palestinians. AnyVision is a facial recognition tech company. The West Bank, if you recall, is under heavy surveillance by Israeli authorities. Microsoft said it “takes these mass surveillance allegations seriously because they would violate our facial recognition principles.” More: @oliviasolon tweets (https://twitter.com/oliviasolon/status/1188792560367521792)
The hapless shakedown crew that hacked Trump’s inauguration (https://www.wsj.com/articles/the-hapless-shake-down-crew-that-hacked-trumps-inauguration-11572014333) Wall Street Journal ($): This was a great post-mortem of the pre-inauguration surveillance camera attack that saw hackers seize control of the capital’s video monitoring system with ransomware. The attacks were carried out by a group of Romanians just eight days before the inauguration, a once-every-four-years major policing event. More: The Verge (https://www.theverge.com/2019/10/30/20939885/surveillance-hack-trump-inauguration-ransomware-hackers-washington-dc) | Background: WTOP (https://wtop.com/dc/2018/09/woman-pleads-guilty-in-cyberattack-on-dc-police-cameras-before-2017-inauguration/)
Pen testers hired by courthouse plead not guilty (https://www.desmoinesregister.com/story/news/crime-and-courts/2019/10/28/iowa-courthouse-break-ins-men-security-firm-plead-not-guilty-trespassing/2488314001/) Des Moines Register: Remember this long-running saga? The pen testers who were hired to physically test a courthouse’s security were “caught” and arrested, then charged with breaking in. Now the pair are pleading not guilty, pointing to the contracted pen test. @SwiftOnSecurity (https://twitter.com/SwiftOnSecurity/status/1189570774530756609) has a good long-running thread on the case. The CEO of Coalfire, which employs the pair, called the ongoing case “ridiculous,” and TrustedSec’s @HackingDave (https://twitter.com/HackingDave/status/1189647647407259648) also posted some words in support. More: Coalfire (https://www.coalfire.com/News-and-Events/Press-Releases/Coalfire-CEO-Tom-McAndrew-statement) | TrustedSec (https://www.trustedsec.com/blog/a-message-of-support-coalfire-consultants-charged/?utm_content=104475775)
Tiversa’s sharp rise and stunning collapse (https://www.newyorker.com/magazine/2019/11/04/a-cybersecurity-firms-sharp-rise-and-stunning-collapse) New Yorker ($): Remember Tiversa? The controversial cybersecurity firm was raided back in 2016 amid claims it was threatening companies with being reported to the FTC if they didn’t subscribe to its services. Later, the DOJ said Tiversa falsified information (https://www.reuters.com/article/us-tiversa-doj-probe-exclusive/exclusive-doj-probes-allegations-that-tiversa-lied-to-ftc-about-data-breaches-idUSKCN0WK027) about data breaches at companies that didn’t buy its services. This long-form piece dives into how the company went wrong, and collapsed. More: The Register (https://www.theregister.co.uk/2016/03/18/fbi_raids_cybersecurity_firm_tiversa/)
Chinese hacking group breached a telecom to monitor texts, metadata (https://www.cyberscoop.com/chinese-hacking-group-breached-telecom-monitor-targets-texts-phone-metadata/) Cyberscoop: Chinese hackers are breaking into telcos in an effort to monitor certain subscribers’ text messages and metadata, according to FireEye research (https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html) . APT 41 “sought individuals’ records from call detail record (CDR) databases, which provide metadata such as the time the calls were made, the phone numbers involved, and the length of the conversations,” the story reports. It’s a similar situation to a few months ago when Cybereason found hackers breaking into telcos (https://techcrunch.com/2019/06/24/hackers-cell-networks-call-records-theft/) ostensibly for the same reason. More: FireEye (https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html) | Background: TechCrunch (https://techcrunch.com/2019/06/24/hackers-cell-networks-call-records-theft/)
NordVPN users’ passwords used in credential-stuffing attacks (https://arstechnica.com/information-technology/2019/11/nordvpn-users-passwords-exposed-in-mass-credential-stuffing-attacks/) Ars Technica: NordVPN had a second wave of headlines this week after its breach last month (https://arstechnica.com/information-technology/2019/10/hackers-steal-secret-crypto-keys-for-nordvpn-heres-what-we-know-so-far/) . This time, a number of users’ credentials have been found in several Pastebin posts used in credential stuffing attacks. More: Ars Technica (https://arstechnica.com/information-technology/2019/10/hackers-steal-secret-crypto-keys-for-nordvpn-heres-what-we-know-so-far/) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Georgia websites hacked in mass cyberattack (https://news.yahoo.com/2-000-georgia-websites-hacked-cyber-attacks-154327826.html) AFP: Thousands of websites belonging to the Georgian president, courts and media were hacked in a “massive” cyberattack on Monday. Some linked the hackings back to a single web provider (https://www.zdnet.com/article/largest-cyber-attack-in-georgias-history-linked-to-hacked-web-hosting-provider/) . It’s not the first time Georgia has been attacked in this way. In 2008 during the war with Russia, Georgia’s government accused the Kremlin of knocking out most of its websites and major banks.
New cyberattacks targeting sporting and anti-doping organizations (https://blogs.microsoft.com/on-the-issues/2019/10/28/cyberattacks-sporting-anti-doping/) Microsoft: Another APT28 attack targeting anti-doping agencies. APT 28, also known as Fancy Bear, are Russian-backed hackers linked to disinformation campaigns, particularly during the 2016 U.S. presidential election. Microsoft isn’t naming the victims, but said the attacks used spear-phishing, password spraying, exploiting internet-connected devices and the use of both open-source and custom malware to target the victims. APT 28 was accused of pulling the same stunt (https://www.nytimes.com/2018/01/10/sports/olympics/russian-hackers-emails-doping.html) back in 2018 in the run-up to the Olympics.
The ransomware superhero of Normal, Illinois (https://www.propublica.org/article/the-ransomware-superhero-of-normal-illinois) ProPublica: ProPublica’s recent ransomware coverage (over the past year or so) has been impeccable. This time they look at Michael Gillespie, an Illinois resident, who fights ransomware for a living. Just last week I wrote about how he built (https://techcrunch.com/2019/10/18/stop-djvu-puma-decryption-tools/) a slightly janky but successful Stop (Djvu/Puma) ransomware decryption tool. By finding flaws in ransomware and building decryption tools, Gillespie has helped hundreds of thousands of ransomware victims unlock their files. A true modern-day hero.
Congress still doesn’t have an answer for ransomware (https://www.wired.com/story/congress-still-doesnt-have-an-answer-for-ransomware/) Wired ($): Speaking of which… Congress is stuck trying to figure out how to protect small and local governments, hospitals and other infrastructure from ransomware attacks. “There’s a gap between the focus and resources here in Washington and what happens in a town of 200,000 people,” said Jim Himes, a lawmaker from Connecticut and member of the House Intelligence Committee. His congressional colleagues are now asking the government for technical expertise on how to combat these attacks.
Norsk Hydro’s cyber insurance has paid only a fraction of its breach-related costs so far (https://www.cyberscoop.com/cyber-insurance-norsk-hydro-lockergoga-attack/) Cyberscoop: If you think cyber-insurance will save your ass, you might want to think again. Norsk Hydro, hit by ransomware earlier this year, has so far received only about 6% of its anticipated payout for the breach, per its latest earnings report. It’s not the only case, if you recall: Zurich infamously declared the NotPetya attack an “act of war” and declined to pay out (https://www.theregister.co.uk/2019/01/11/notpetya_insurance_claim/) to U.S. snack maker Mondelez. ~ ~
** OTHER NEWSY NUGGETS
Microsoft launches ‘911’ on-demand service for security emergencies (https://www.zdnet.com/article/microsoft-launches-911-on-demand-service-for-emergency-security-threats/) Microsoft has rolled out a new service offering enterprise customers a direct hotline to the company’s top cybersecurity experts. It’s hoped the new service, dubbed Threat Experts on Demand (https://www.microsoft.com/security/blog/2019/10/28/experts-on-demand-your-direct-line-to-microsoft-security-insight-guidance-and-expertise/) , can help larger organizations that may not have the in-house security skills to handle malware outbreaks.
Facebook sues hosts behind hacking sites (https://www.cnet.com/news/facebook-sues-hosts-behind-hacking-sites-targeting-the-social-network/) In a lawsuit filed Monday, Facebook is asking a federal court to take down a number of cybersquatted domains which it says are being used to target the social network. Microsoft asked a court a similar thing when it wanted sites linked to Iranian hackers (https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/) taken offline.
Indian nuclear power plant’s network was hacked, officials confirm (https://arstechnica.com/information-technology/2019/10/indian-nuclear-power-company-confirms-north-korean-malware-attack/) Sounds scary but don’t panic: North Korean hackers hit the administrative network of an Indian nuclear plant with malware, but officials denied (https://arstechnica.com/information-technology/2019/10/indian-nuke-plants-network-reportedly-hit-by-malware-tied-to-n-korea/) that it could have affected the plant’s operations. The malware used, DTrack, is an espionage and reconnaissance tool that gathers data on infected systems and can log keystrokes, reports @thepacketrat (https://twitter.com/thepacketrat) . ~ ~
** THE HAPPY CORNER
Ah. The happy corner. We meet again.
This week, @Stammy (https://twitter.com/Stammy) wrote an incredible guide to using security keys (https://paulstamatiou.com/getting-started-with-security-keys/) . It’s a highly detailed, engaging read — and very informative. Definitely something we can all learn from (even the experts!) and should be bookmarked for reference.
Spare a thought for this coffee shop with a seemingly impossible Wi-Fi code. https://twitter.com/adielkaplan/status/1186301745238085633
A big congrats to @malwareunicorn (https://twitter.com/malwareunicorn/status/1189982669938970624) , who will be keynoting Black Hat Europe this year. Amanda Rousseau, for those who don’t know, is one of the best malware reverse engineers and red teamers around.
And, in case you needed a final pick-me-up this week, it’s reported that encrypted web traffic is now over 90% (https://netmarketshare.com/report.aspx?options=%7B%22filter%22%3A%7B%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22secure%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22https%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222019-10%22%2C%22dateEnd%22%3A%222019-10%22%2C%22segments%22%3A%22-1000%22%7D) . That’s a huge milestone, up from about 50% just five years ago according to Google’s data, which puts today’s figure even higher, at 94%. TLS, you wonderful thing. If you want to nominate some good news from the week, feel free to reach out (mailto:zack.whittaker@gmail.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** THIS WEEK’S CYBER CAT
This is Dana, this week’s cybercat. She’s always on the lookout for advanced purr-sistent threats. Many thanks to @jeremymacmull (https://twitter.com/jeremymacmull) for submitting! (You may need to enable images in this email.) Still scraping the barrel in the cybercat department. Please send in your cybercats today! They’ll always be featured, on a first come, first served basis. Send them in here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) . Can’t wait to feature them! ~ ~
** SUPPORT THIS NEWSLETTER
A year ago when a flood of donations came in, the newsletter was at just 2,000 subscribers. Now we’re double that — over 4,000 subscribers — and growing every day. This newsletter will always be free to anyone who wants to read.
I’ve set up a Patreon (https://www.patreon.com/thisweekinsecurity) for anyone who wants to support this newsletter as costs increase for as little as $1/month — or more for exclusive perks.
You can also Venmo me @zackwhittaker (QR code (https://gallery.mailchimp.com/e1ad6038c994abec17dafb116/images/c9234576-806a-4786-a328-98eda084bd09.jpg) ) or donate over PayPal (http://paypal.me/thisweekinsecurity) .
Thank you to all of you who subscribe and read online, and thanks for reading. If you have any feedback, please drop it in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . See you next week. ~ ~