this week in security — october 4 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 39
~ ~
** THIS WEEK, TL;DR
Ransomware attack hits Universal Health Services (https://www.wsj.com/articles/ransomware-attack-hits-universal-health-services-11601341873) Wall Street Journal ($): One of the largest hospital chains in the U.S. was taken offline after a ransomware attack. The incident forced some facilities to turn away patients and ambulances, reports say. Patient data, operated through a third-party, is said to be unaffected, according to UHS’ chief executive who spoke to the Journal (https://www.wsj.com/articles/ransomware-attack-hits-universal-health-services-11601341873). Sources said the ransomware was consistent with the Russian ransomware group Ryuk (https://techcrunch.com/2020/09/28/universal-health-services-ransomware/). UHS has 400 hospitals and healthcare facilities across the United States. The company’s U.K. operations were unaffected, per a statement. More: Associated Press (https://apnews.com/article/media-archive-21ebb97dc7b9e2a7c06244069a35b7e6) | ZDNet (https://www.zdnet.com/article/uhs-hospital-network-hit-by-ransomware-attack/) | TechCrunch (https://techcrunch.com/2020/09/28/universal-health-services-ransomware/) | Universal Health Services (https://www.uhsinc.com/statement-from-universal-health-services/)
Russia’s Fancy Bear hackers likely penetrated a U.S. federal agency (https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency) Wired ($): New clues suggest Russia’s Fancy Bear, known as APT 28, may be behind an intrusion at an unnamed U.S. federal agency. CISA said hackers broke in — without attributing blame — but detailed their tactics and techniques, which security experts say point to hackers working for the Russian GRU. More: CISA (https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a) | @a_greenberg (https://twitter.com/a_greenberg/status/1311668662072348673?s=20)
Blackbaud hackers had access to banking info and passwords (https://www.bbc.com/news/technology-54370568) BBC News: Remember Blackbaud, a cloud provider for schools, faith groups, and non-profits that was hit by data-stealing ransomware earlier this year, tried to cover it up, but got a pinky promise from the hackers that they (allegedly) deleted the data (https://www.bbc.com/news/technology-53516413)? In fact, it turned out to be one of the biggest security incidents of the year based on the number of organizations involved. But the company admitted in a regulatory filing this week that bank account information and users’ passwords may have been stolen in the breach. Previously it was just believed to be personal data that was stolen. It’s the cyberattack that just gets worse as time goes on… More: Blackbaud [PDF] (https://investor.blackbaud.com/static-files/58a4ae64-afc5-45f7-81df-69dfc93888fc) | Bleeping Computer (https://www.bleepingcomputer.com/news/security/blackbaud-ransomware-gang-had-access-to-banking-info-and-passwords/)
This is what Palantir and the LAPD know about you (https://www.buzzfeednews.com/article/carolinehaskins1/training-documents-palantir-lapd) BuzzFeed News: Newly obtained documents reveal how for more than a decade the LAPD used technology built by Palantir, the secretive data analytics and surveillance startup, which went public this week. The documents show that dozens of police depts, sheriff’s offices, airport police, universities, and school districts gave their data to the LAPD’s Palantir database. The documents give an unprecedented look into how the technology works. This is a really incredible read. More: @carolineha_ tweets (https://twitter.com/carolineha_/status/1311018283886411781)
Facebook shut down malware that hijacked accounts to run ads (https://www.wired.com/story/facebook-shut-down-malware-that-hijacked-accounts-to-run-ads/) Wired ($): Hackers drained $4 million from victims during a hacking spree that involved compromising Facebook accounts and buying malicious ads to promote scams on the platform, reports @lilyhnewman (http://twitter.com/lilyhnewman). The operation, dubbed SilentFade, would compromise accounts using stolen passwords or account cookies, and even went as far as disabling Facebook notifications so as not to alert the compromised user to the malicious activity. More: Cyberscoop (https://www.cyberscoop.com/facebook-silentfade-malware-fraud-millions/)
Confidential information released after school district refused to pay hackers’ ransom demand (https://www.cnn.com/2020/09/29/us/nevada-school-district-hack-ransom/index.html) CNN: Hackers who launched a data-stealing ransomware attack on the fifth-largest school district in the U.S. have published the information they stole after the school district failed to pay the ransom. The ransomware operators published employee Social Security numbers, addresses and retirement paperwork. For students, information released includes a data file with names, grades, birth dates, addresses and the school attended. The district has about 320,000 students. More: Wall Street Journal (R) (https://www.wsj.com/articles/hacker-releases-information-on-las-vegas-area-students-after-officials-dont-pay-ransom-11601297930?mod=djemalertNEWS) | Clark County School District (https://www.ccsd.net/district/dataincident/)
~ ~
** SUPPORT THIS NEWSLETTER
A huge thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051)), it helps to maintain its upkeep. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png).
~ ~
** THE STUFF YOU MIGHT’VE MISSED
Microsoft says Russia behind most nation-state cyberattacks (https://www.bloomberg.com/news/articles/2020-09-29/microsoft-says-russia-behind-most-nation-state-hacking-attempts?utm_source=google&utm_medium=bd&cmpId=google&sref=gni836kR) Bloomberg: In a new report, Microsoft said that Russia-based hackers are responsible for the majority of nation-state attacks on its customers. That is, to be clear, detected attacks. Microsoft issued 13,000 alerts about nation-backed hacking incidents between July 2019 and June 2020. More than half were attributed to Russia, and about one-quarter were blamed on Iran.
Helping to pay off ransomware hackers could draw big penalties from the feds (https://www.cyberscoop.com/ransomware-payments-treasury-ofac-notice/) Cyberscoop: In a new advisory this week, the U.S. Treasury said ransomware victims and cybersecurity firms that help companies respond to attacks could face severe penalties if they pay a ransom that then goes on to fund attackers on the U.S. sanctions list. It comes after the Garmin attack (https://techcrunch.com/2020/07/25/garmin-outage-ransomware-sources/) in July, which sources said paid the ransom, even though the group allegedly behind the attack is on a U.S. sanctions list. @pwnallthethings (https://twitter.com/pwnallthethings/status/1311713844817989634?s=21) has a good thread on this.
Google is creating a special Android security team to find bugs in sensitive apps (https://www.zdnet.com/article/google-is-creating-a-special-android-security-team-to-find-bugs-in-sensitive-apps/) ZDNet: Google is hiring to create a new Android security team that will try to find vulnerabilities in high-profile apps on Google Play, like coronavirus contact tracing and election-related apps.
Pressing YubiKeys (https://bert.org/2020/10/01/pressing-yubikeys/) Bertrand Fan: This deeply technical article is a fun read, even if the end result is hilariously underwhelming (and oddly specific for this person’s use case). Bertrand Fan built a robotic finger to trigger his YubiKey from his keyboard, rather than having to tap the YubiKey, which for some reason didn’t work one time in five.
~ ~
** OTHER NEWSY NUGGETS
Microsoft outage prevents millions from logging in (https://www.zdnet.com/article/microsofts-azure-ad-authentication-outage-what-went-wrong/) Well that wasn’t fun. For hours last Monday and Tuesday, millions were prevented from logging into their Office, Outlook, and Teams accounts because of an outage with Azure’s Active Directory. @maryjofoley (https://twitter.com/maryjofoley) explains what caused the hours-long incident.
After breach, Twitter hires a new CISO (https://www.zdnet.com/article/twitter-hires-new-ciso-in-industry-veteran-rinki-sethi/) Rinki Sethi has joined Twitter as its new chief information security officer. Sethi hails from Rubrik, where she also served as CISO. Before then, she worked in cybersecurity positions at IBM, Palo Alto Networks, and Intuit. Her hiring comes just a couple of months after the company’s very high-profile attack, which saw hackers trick employees into handing over access to the company’s internal “admin” tool (https://www.vice.com/en/article/jgxd3d/twitter-insider-access-panel-account-hacks-biden-uber-bezos), which the hackers used to spread a cryptocurrency scam from some of the most-followed accounts, including Barack Obama, Bill Gates, Elon Musk, Apple, and Uber.
To hunt hackers, FBI works more closely with spy agencies (https://www.reuters.com/article/us-usa-cyber-fbi-idUSKBN26M5PF) The FBI is teaming up with the CIA, NSA, and the Secret Service as part of a wider task force effort to target and prosecute hackers who target U.S. organizations. Matt Gorham, the assistant director of the FBI’s cyber division, told Reuters that the goal was to combine “everyone’s tools and authorities” for better results.
~ ~
** THE HAPPY CORNER
And breathe. It’s the happy corner.
Here’s @kevincollier (https://twitter.com/kevincollier/status/1311648379542405120?s=20) with his annual October PSA. Don’t forget to be aware of your cybersecurity for the whole month! After that you can stop caring until October again. (I’m kidding!)
And, per @SwiftOnSecurity (https://twitter.com/SwiftOnSecurity/status/1312110219091091456?s=20), Google has dropped the blacklist/whitelist terminology in Chrome management policies. It’s part of a wider effort in the wake of the Black Lives Matter movement to move toward more inclusive language. Great move!
If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter).
~ ~
** THIS WEEK’S CYBER CAT
This week’s cyber cat is Ellie. Here she is on the lookout for nation-state hackers. A big thanks to her human Nick S. for the submission! Don’t forget to keep sending in (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) your cyber cats! The more the merrier. They’ll always be featured.
~ ~
** SUGGESTION BOX
Thanks for reading this week! The suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is always open for feedback. Have a great week and see you next Sunday.