~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 4, issue 11


It's open season for Microsoft Exchange server hacks
Wired ($): And it really is — but first, here's a quick recap: China-backed espionage group Hafnium is using four zero-days to mass backdoor on-premise Exchange servers — probably for spying. But now more than 10 hacking groups are also using the same flaws, and some are hitting these vulnerable servers with a new kind of ransomware, dubbed DearCry. @lilyhnewman explains all of this and more. Meanwhile, a proof-of-concept exploit was posted — and swiftly removed — from GitHub this week, much to the chagrin of some in infosec (and relief to others). But exactly how these groups got the same zero-days is a big mystery, one that @dangoodin001 does an excellent job of breaking down in technical detail, while the Wall Street Journal ($) reports that Microsoft is investigating whether a leak from a partner had anything to do with it.
More: Motherboard | Ars Technica | Cyberscoop
Giant datacenter fire takes down government hacking infrastructure
Motherboard: You ever had a cyber-op go up in smoke? A major fire at a datacenter run by cloud giant OVH brought down thousands of websites in the aftermath — as well as government-backed hacking operations. OVH is said to host at least 140 servers used for hacking ops — including those run by Iranian threat actor APT39 and OceanLotus, a group of Vietnamese hackers. Kaspersky's director of global research and analysis @craiu told Motherboard that there's probably little impact on the hackers' operations, though.
More: PC Gamer | @craiu

Hackers breach thousands of security cameras, exposing Tesla, jails, and hospitals
Bloomberg ($): A hacker collective got access to 150,000 internet-connected cameras operated by Sequoia-backed startup Verkada, including at major companies — Cloudflare, Tesla and Intel — and hospitals, jails, and people's homes. The whole story is worth the read. Tens of thousands of the cameras apparently use facial recognition, though Cloudflare pushed back on the claim that it used the feature. IPVM, which researches and investigates video tech and surveillance, also has a great post with more of the technical details.
More: Motherboard | IPVM

The UK is secretly testing a controversial web snooping tool
Wired U.K.: Bad news for the British — the government's coming for your browsing history. No, it really is — the so-called Snooper's Charter (everyone calls it that, but not the government) was made law in 2016, but only now is it rearing its ugliest of heads, with the end goal of logging and storing the web browsing of every single person in the country. Two unnamed internet providers have already run a trial — only Vodafone confirmed it wasn't involved, with the remaining ISPs staying mum. Per Wired: "People's internet records can contain the apps they have used, the domains they have visited... IP addresses, when internet use starts and finishes, and the amount of data that is transferred to and from a device." Gross.
More: ISP Review
~ ~

Thank you to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks!) to help cover the server and email costs. You can contribute to the Patreon, or send a one-time donation via PayPal or Venmo.
~ ~


Microsoft email server hacks put Biden in a bind
BBC News: @gordoncorera looks at how the recent Exchange hacks, attributed to China, could put the Biden administration in a tough spot for its response — and digs into the geopolitical tensions that could warrant retaliation — or not. It's also worth reading @a_greenberg's story on how the U.S. is weighing its response against Russia for the SolarWinds attack — though retaliation likely isn't the answer, in large part because Russia hasn't crossed a line that the U.S. hasn't crossed itself. It's hard for the U.S. to throw rocks from inside its glass house.

Netflix is testing a crackdown on password sharing
The Streamable: The sweetest deal in streaming service history might be coming to an end. Netflix is running a test — one of "hundreds" each year — that aims to crack down on password sharing outside of your household. Netflix has always turned a blind eye to password sharing, even though it costs the company a ton each year. (I mean, who doesn't use their spouse's mother's boyfriend's Netflix account?)
GitHub discloses security bug related to handling of authenticated sessions
GitHub: On March 8 — or Monday, for those who, like me, have lost track of time — GitHub said it had "invalidated all authenticated sessions on" out of caution to protect users from "an extremely rare, but potentially serious, security vulnerability affecting a very small number of sessions." There was no compromise, but basically the bug may have "misrouted" a user's session to the browser of another user.
~ ~


T-Mobile to step up ad targeting of cellphone customers
T-Mobile will automatically enroll its phone customers into an ad program that will be informed by their online browsing habits. Granted, it's no different from what the other cell carriers do — Sprint, which was acquired by T-Mobile last year, already does this. Does it make it any less gross? Absolutely not. Thankfully, @DrewFitzGerald walks you through how to opt out.
Inside Israel's lucrative, and secretive, cyber-surveillance industry
Here's a great deep-dive into the Israeli surveillance startup market — and how Israel became a powerhouse in developing and selling surveillance technology. It also looks at the work of Eitay Mack and others, who are part of a "loose, tiny, unofficial network of forces" pushing back against Israeli cyberweapon exports. Take the time to read this.

Accellion's breach keeps getting worse — and more expensive
Accellion, a file-transfer service used by enterprises around the world, fixed several bugs in its networking gear in December and January, but not before hackers deployed ransomware on dozens of Accellion customers — including Qualys, the Reserve Bank of New Zealand, and the U.S. state of Washington. This isn't a story that will go away — expect more victims to come forward.
~ ~


@konklone is returning to the U.S. government as a senior advisor to the new federal CIO Clare Martorana, at the U.S. Office of Management and Budget. Mill previously worked at 18F and on Google's Chrome security team. Congrats!

And good news for DocumentCloud fans (yes, I'm looking at you, fellow reporters). The document sharing platform has been revamped from the ground up and its code is now open source. @dylfreed has a thread.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


Meet Tara, this week's cyber cat. Tara enjoys, among other things, watching her human do school work and taking screenshots with her butt. (That sounds like a superpower, no?) A big thanks to @PumpkinFruitBat for the submission!
Please keep sending in your cyber cats (and your non-feline friends). You can drop them here.
~ ~


And we're out. Thanks for reading — and, as always, if you have any feedback, please drop it in the suggestion box. Take care, and see you next week!