~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 48


Nation-backed hackers backdoor SolarWinds software to hack U.S. agencies, companies
FireEye: So much for a quiet week. Several U.S. agencies, including Treasury, State, and Commerce, plus Microsoft and FireEye, have been hacked by a "highly evasive" attacker, likely backed by a nation-state. The hackers injected a backdoor in SolarWinds, the ubiquitous software that's found all over government networks and the Fortune 500 to remotely manage their enterprise devices. All eyes are on Russia — specifically Cozy Bear, the clandestine APT29 group typically charged with espionage activity — as the likely perpetrator. The fallout from what is probably the largest cyber-espionage attack against the U.S. ever — probably — will continue for many weeks, if not months or years and it'll take a long time before it's known what was stolen. SolarWinds said fewer than 18,000 customers installed its backdoored software, but it's unlikely that they were all hacked. Classified networks aren't believed to have been affected — so far.
More: Reuters | Washington Post ($) | @kimzetter tweets | @DAlperovitch

Industry responds to supply chain attack on the U.S.
Microsoft, Symantec: The industry sprung into action — that's not surprising since basically every major company uses SolarWinds in some capacity. SolarWinds tried (but failed) to hide its high-profile customer list after the hack was revealed — and includes more than 425 of the Fortune 500. CISA immediately told federal agencies to rip out SolarWinds technology from its networks, while the ODNI said that the government was definitely affected but isn't sure of the "full extent" of this hacking campaign. FireEye published IOCs to help defenders prevent attacks, and Symantec, meanwhile, described the backdoor in more detail. Microsoft also seized a domain name used as a C2 server by the attackers, which has effectively killed further infections.
More: Symantec | ZDNet | CISA | @JennaMC_Laugh
Government scrambles to remediate hack, as Trump blames China
Associated Press: Meanwhile, the response from the Trump administration has been cause for concern in Congress. While the government was trying to respond to what everyone had agreed was a highly sophisticated and audacious espionage attack against largely U.S. government agencies, Trump tweeted without evidence that China was to blame, bucking the trend and going against his own secretary of state, Mike Pompeo, who said the attack was "pretty clearly" Russia. Trump also wants to split up the NSA and Cyber Command, the offensive arm of the spy agency, drawing ire and resistance from lawmakers. Reuters also said the split, if it goes ahead, would hobble the government's response to the attack, weeks before Biden is set to take power.
More: Wall Street Journal ($) | Reuters | Axios

Facebook tracks 'OceanLotus' hackers to IT firm in Vietnam
Reuters: OK — now onto some other news. Facebook said it disrupted a cyber-espionage campaign in Vietnam and Bangladesh, which the social media giant linked to APT32, known as Ocean Lotus. The company said Ocean Lotus was based out of an IT firm in Vietnam, working on behalf of the government there. The hackers, unsurprisingly, denied the claims. Facebook said the APT group spied on political dissidents, businesses and foreign officials as far back as 2013.
More: Facebook | Cyberscoop

Israeli spy firm suspected of accessing global telecoms via Channel Islands
The Guardian: Israeli private intelligence company Rayzone Group bought access to the SS7 network, used by phone networks to route calls and text messages across networks and internationally, from a telecoms network in Guernsey in the Channel Islands. That access allowed the spy firm to track the locations of cellphones across the world. SS7 is horribly flawed and has been abused to track people — and their calls and texts — for years. But a fix requires global collaboration, which many have been reluctant to lend their support. @jsrailton at Citizen Lab, as usual, has a fantastic tweet thread on this story.
More: TBIJ | @jsrailton tweets
~ ~

Thank you to everyone who reads this newsletter! If you can spare $1/month (or more for perks!), it helps to maintain its upkeep. You can contribute to the Patreon or send a one-time donation via PayPal or Venmo.
~ ~


Twitter fined €450,000 for breaking EU data law
BBC News: Twitter has been fined about $551,000 by the Irish data protection agency for failing to inform the EU of a breach in January 2019 within the three day window set in law. A bug meant that private tweets of some Android users were made public. Twitter accepted responsibility and said it was due to short staff over the Christmas break.

Meet Keytap2, an acoustic keyboard eavesdropping project
GitHub: This is cool. Keytap, a hobby project by @ggerganov, can detect with some accuracy which keys are being pressed on a keyboard. The algorithm listens to a keyboard's sounds and tries to figure out, based on the sound of each key you pressed, what you're typing in. It's like a keylogger but with sound. A very cool project, especially for red teamers.
Trump's Twitter account was hacked, Dutch ministry confirms
The Guardian: Dutch prosecutors have confirmed that Trump's Twitter account was hacked in October, despite denials from the White House and twitter. @0xDUDE said he guessed Trump's password — "maga2020!" — which was similar to a password he suggested the president use the first time he hacked his account back in 2016. Dutch prosecutors declined to press charges, saying the hacker was acting ethically as he tried to warn the government about Trump's weak password. The president's account was not protected by two-factor authentication. Twitter repeated its earlier statement that it had "no evidence" of the breach. But Twitter's denial has angered some reporters, who say the company has "much to answer for."
~ ~


Apple's app 'privacy labels' are here — and they're a big step forward
Apple's privacy labels have arrived in the app store, similar to nutrition labels on the side of food except for your personal data. The hope is that it will help users know up-front what kind of data downloaded iOS apps collect on you. "A label might reveal that an app wants to collect your location data, financial details, and contact information, and links all of that to an in-service account or identifiers like your device's ID number," reports @lilyhnewman.
Microsoft seeks Biden's support in case against Israeli spyware firm
Biden's not even in the Oval Office yet and Microsoft isn't wasting any time asking the incoming administration to weigh in on the legal case between spyware maker NSO Group and WhatsApp, which was targeted using one of NSO's exploits. NSO says it's immune from prosecution because it acts on behalf of foreign governments. Microsoft opposes that viewpoint, and wants the new administration to "weigh in with a similar view," Microsoft's Brad Smith wrote in a blog post.

Microsoft gets right to notify cloud client of U.S. data probe
Staying with Microsoft for a moment, the software giant won a weeklong legal battle to notify an enterprise customer that U.S. prosecutors demanded access to a user's email account information as part of a government investigation. The prosecutors threw a secrecy provision barring Microsoft from disclosing the investigation. Microsoft complied with the demand but fought the secrecy provision — and won — though, it's not allowed to tell the enterprise customer which specific email account was under scrutiny. Microsoft calls these "sneak and peek" warrants because they bypass the account holders.

Apple, Google, Microsoft, and Mozilla ban Kazakhstan's root certificate
Kazakhstan's government is trying again to intercept and decrypt HTTPS traffic in the country's capital by forcing residents to install a root certificate on their devices — or face being blocked from accessing foreign sites, including Google and Facebook. This is the third time Kazakhstan has tried to do this. Now Apple, Google, Microsoft and Mozilla have banned the root certificate, effectively rendering it useless.
~ ~


Right. Some good news.

Signal now has encrypted group calls, allowing users to speak in an end-to-end encrypted group video chats of up to five participants. The encrypted messaging app is working on expanding the number of participants.
Plus, Apple has a new self-defense guide out that will help survivors and other high-risk groups from the bulk of attacks. It's buried on Apple's site, but a direct PDF link can be found here. Props to Apple for writing this guide.

And seeing as it's the holiday season, have a great Christmas to all those who celebrate. Please stay safe. 
If you want to nominate some good news from the week, feel free to reach out.
~ ~


Meet Jarvis, this week's cyber cat. As you can see, he's very much getting into the spirit of the sleepy holiday season. A big thanks to Colin C. for the submission!
You can send in your cyber cats here. They're featured first come, first serve.
~ ~


Thanks for reading! Apologies for no newsletter last week due. If you have any feedback or comments, drop it in the suggestion box. Have a great holiday, and see you next week.

You can update your preferences or unsubscribe from this list.

~this week in security~ does not track email opens or link clicks.