~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 4, issue 47

~ ~


Log4Shell attacks began two weeks ago, Cisco and Cloudflare say
The Record: The Log4j fallout continues into its second week after more bugs were found in the popular open source logging tool. Evidence suggests exploits first began on December 1, as the government and businesses scramble to update and lock down their systems from remote attacks. The initial exploit, Log4Shell, allows practically anyone to remotely run code on a vulnerable system by inputting a malicious log entry. The internet is on fire, and this is not a drill. Critical systems have been shut down in Canada, while the U.S. is trying to get everything fixed across the government. CISA's Jen Easterly says this is the "most serious" bug she's seen in her entire career, "if not the most serious." Hundreds of millions of devices are affected, even things you had no idea were running Log4j to begin with.
More: Daily Hive | CNN | Cyberscoop | ZDNet
Comic strip of brain telling a person trying to fall asleep that Log4j is on their toaster, and the person waking up angrily to check.
Hackers backed by China seen exploiting Log4j security flaw
Wall Street Journal ($): Remember earlier this year (can you believe it) when China-backed hackers were compromising Exchange servers en masse? Microsoft says those hackers — which it calls Hafnium — are now targeting Log4j servers on a massive scale. That's problematic since there are a lot more devices running Log4j than there are Exchange servers. The message is to patch, patch, and keep patching until this ongoing hot mess resolves. Where do you even start? CISA has a good running list of affected software.
More: Microsoft | Wired ($)

Facebook takes action against 7 surveillance-for-hire firms after Citizen Lab report
Citizen Lab ($): NSO Group may be best known for using its Pegasus spyware to spy on journalists, activists and human rights defenders on behalf of its authoritarian government customers. But it's by no means the only surveillance-for-hire outfit out there. Meta this week banned seven outfits from its platform which it says were used for reconnaissance, social engineering and sending malicious links to their victims. (@skirchy has a good run-through on the details, and @jsrailton with a solid tl;dr tweet thread.) One outfit, Cytrox, develops the newly discovered Predator spyware, which Citizen Lab found running concurrently alongside Pegasus on an ex-politician's phone. Yeah, you read that right! No wonder his phone was "running hot." Citizen Lab did a deep-dive on the spyware and how it works — and how it gains persistence where Pegasus cannot. In total, Meta alerted around 50,000 people in 100 countries that they were targeted by the seven groups. Cytrox's CEO Ivo Malinkovski didn't respond to journalists' requests for comment and scrubbed his LinkedIn page. But evidently, not well enough.
More: Forbes | Motherboard | @AmnestyTech | @iblametom tweets
Lorenzo Franceschi-Bicchierai tweet: "I reached out to Cytrox's CEO and founder Ivo Malinkovski via LinkedIn.   He did not respond, but after I reached out he removed all references to Cytrox from his profile...except a coffee mug that's in his profile pic."
Ransomware attack threatens paychecks just before Christmas
NBC News: Kronos, one of the largest workforce and payroll companies in the U.S., has been hit by ransomware — a week-ish before Christmas, no less (though not believed to be as a result of the Log4j bug). The platform will be down for "several weeks," it says. Americans are often paid twice a month, so December 17 would've been the last payday before Christmas. To call this really bad is an understatement — and practically crickets from the company. One Whole Foods employee said there was a "real fear" about their upcoming paychecks. Whole Foods (apparently) found a way to pay all employees, but other businesses are still trying to figure it out. This is the worst time for this to happen, and that's likely the point.
More: BBC News | NPR
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week through Patreon. You can also donate one-time: PayPal or Venmo.
~ ~


Defense Department blocks ads to counter malvertising
Cyberscoop: The Dept. of Defense says it has "deployed various technologies to protect against online-advertising related malware and data collection threats," which is a nice way of saying it runs an enterprise-wide ad blocker to counter the risk of malicious or privacy-invading ads. The letter to Sen. Ron Wyden's office revealed that it uses a technology called Sharkseer, which scans incoming traffic for threats using AI. Though, I still prefer the mental imagery of the entire government's network traffic passing through a single Pi-hole in the corner of the office...

U.S. Senate passes $768B defense bill without cyber incident reporting provisions
ZDNet: @jgreigj with the goods on next year's NDAA, the U.S. government's annual defense and cybersecurity spending bill. The good news is that the bill packed in a few new cybersecurity measures — including testing the government's incident response by simulating a partial or complete cyber "incapacitation" and giving more funding to CyberSentry, a somewhat controversial technology that continually monitors risks to critical infrastructure. But the bill passed without a cyber incident reporting provision, which would've mandated reporting incidents within 72 hours of discovery.

Crypto exchanges keep getting hacked, and there's little anyone can do
NBC News: Millions of dollars worth of virtual assets have been compromised in the past year by a spate of hacks targeting crypto exchanges. A lot of the attacks targeted their hot wallets, which store crypto in wallets connected to the internet. But all too often those keys are compromised or stolen. Just this week VulcanForce became (at least) the third crypto exchange to be hit. No matter how futuristic the crypto world seems to be, in the end it's a legacy from the Web 2.0 world that's still causing havoc — the theft of private keys. Also this week, I stumbled on an interesting post by Cossack Labs on the common security mistakes built into crypto wallets.

Gumtree leaked personal info via the F12 key
Pen Test Partners: Gumtree, the U.K.-based classified ads site, was spilling private user data via the F12 key. That key, for those who don't know, opens up the browser's developer mode for viewing the web page's source code and things like that. Turns out Gumtree was exposing user data — postcodes, email addresses, and some GPS location data — in the source code of each webpage. Gumtree's response was frankly crap, and took weeks to fix completely — and the company tried to tie the researchers up in a non-disclosure agreement, which is also gross. Good luck explaining that to the ICO...
Screenshot of Gumtree's website source code, viewed from the browser, exposing personal information of its users.
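The failure mode in this story, server-rendered page state carrying more user data than the page needs, is easy to check for on your own site before someone else does. The Python below is an added example and not code from the article or from Gumtree: it scans rendered HTML for e-mail addresses, UK postcodes and latitude/longitude pairs, and shows the allowlist step that keeps such fields out of the markup in the first place. The sample listing page, the `window.__STATE__` blob and the field names are all constructed for the example.

```python
import json
import re
from typing import Dict, List, Set

# Constructed server-side state for a hypothetical listing page. Everything under
# "seller" except displayName is the kind of data that must never reach the client.
RAW_STATE = {
    "listing": {"id": 12345, "title": "Bike for sale"},
    "seller": {
        "displayName": "J.",
        "email": "seller@example.com",
        "postcode": "SW1A 1AA",
        "lat": 51.5010,
        "lon": -0.1416,
    },
}

# Fields each section is allowed to expose in page source (constructed policy).
ALLOWLIST: Dict[str, Set[str]] = {
    "listing": {"id", "title"},
    "seller": {"displayName"},
}

# Patterns for the data classes that leaked in the Gumtree case.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}[0-9][A-Z0-9]?\s?[0-9][A-Z]{2}\b"),
    "lat_lon_pair": re.compile(r'"lat"\s*:\s*-?\d+\.\d+\s*,\s*"lon"\s*:\s*-?\d+\.\d+'),
}


def render_state_script(state: dict) -> str:
    """Embed state in the page the way many SSR frameworks do (hypothetical markup)."""
    return "<script>window.__STATE__ = " + json.dumps(state) + ";</script>"


def render_page(state: dict) -> str:
    """Build a minimal listing page around the embedded state."""
    return (
        "<html><head><title>Listing</title></head><body>"
        "<h1>" + state["listing"]["title"] + "</h1>"
        "<p>Contact the seller via the site's messaging.</p>"
        + render_state_script(state)
        + "</body></html>"
    )


def find_pii(html: str) -> Dict[str, List[str]]:
    """Return every PII class found in the HTML, with the distinct matching strings."""
    hits: Dict[str, List[str]] = {}
    for name, pattern in PII_PATTERNS.items():
        found = sorted({m.group(0) for m in pattern.finditer(html)})
        if found:
            hits[name] = found
    return hits


def page_is_clean(html: str) -> bool:
    """True when no monitored PII class appears anywhere in the rendered source."""
    return not find_pii(html)


def public_view(state: dict, allowlist: Dict[str, Set[str]]) -> dict:
    """Keep only allowlisted keys per section; anything not listed is dropped, not masked."""
    return {
        section: {k: v for k, v in fields.items() if k in allowlist.get(section, set())}
        for section, fields in state.items()
    }


if __name__ == "__main__":
    leaky = render_page(RAW_STATE)
    print("leaky page:", find_pii(leaky))
    safe = render_page(public_view(RAW_STATE, ALLOWLIST))
    print("allowlisted page clean:", page_is_clean(safe))
```

The scanner is the cheap part and belongs in a CI step that renders a few real pages against test accounts; the allowlist is the fix, because a denylist of "known sensitive" fields silently fails the next time someone adds a column to the seller model.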
~ ~


Iranian hackers abuse Slack for cyber spying
Forbes: A new Iran-linked hacking group has been found, which IBM researchers call MuddyWater (read IBM's research here). The group hacked into an airline in Asia and used Slack commands to control the malware, because, according to the researchers, those commands blend into regular network traffic and wouldn't get blocked. MuddyWater has been previously linked to ransomware attacks and using U.S. social networks to target government workers with malware.

This USB ‘kill cord’ can instantly wipe your laptop if snatched or stolen
TechCrunch: A new open source project that's finally come to fruition: BusKill is a hardware kill-cord that lets you lock (or wipe) your computer if the magnetic connectors are severed, such as if someone snatches and runs away with your laptop. The project has been in the works for the past couple of years, but now offers the complete cable for purchase after a successful crowdsourcing effort. (Disclosure: I wrote this.)
An animated GIF of a computer locking when the BusKill magnetic connectors are severed.
Grindr fined €6.5m for sharing data for ads
BBC News: Grindr, the location-based dating app for the LGBTQ+ community, was fined €6.5m (about $7.3M) this week by the Norwegian data protection authority for sharing users' data to advertisers without express permission. That data includes GPS location, advertising IDs (which can be easily deanonymized), age, gender, and the fact that the user was on Grindr, breaking GDPR rules in the process. The fine was the largest issued by the data protection agency for the company's "grave" infringements.

France latest to slap Clearview AI with order to delete data
TechCrunch: Meanwhile, in France... Clearview AI, the controversial facial recognition startup with 3 billion scraped images in its databases (allegedly), has been dinged by the French authorities and told to delete data. France's data protection authority, the CNIL, accused (en français) the company of "unlawful processing" of people's data. @RMac18 also spotted an interesting pattern in the statements given by its founder.

Microsoft releases end-to-end encryption for Teams calls
ZDNet: End-to-end encrypted calls are coming to Microsoft Teams. It's a feature that has to be switched on by the organization, after which each user also has to enable the setting in their own Teams client. Which is a bizarre and odd way of doing it, seemingly opt-in twice? But it's still more than what Slack currently offers.
~ ~


Not much good news this week because, he says gesturing wildly in every direction, there's a lot going on! Log4j took up a lot of people's time this week — though, in times of crisis it's slightly(?) reassuring knowing that everyone's in the same boat. We even had some lighter moments this week, courtesy of NSA's @NSA_CSDirector.
Rob Joyce tweet: "I appreciate the #infosec community’s ability to find moments of levity during tough times. PS. It’s 'log-for-Jay'."
(Oh, and head over to his personal account @RGB_Lights for his annual custom Christmas light display, which is very much a thing.)

And finally:
Allan Liska tweet: "How a lot of us are feeling right now" — with defenders on fire in one corner and the three Log4j vulnerabilities in the other.
On a serious note — I haven't seen the internet so concerned in some time... (maybe since SolarWinds? Maybe WannaCry?) I think Allan's tweet says it all. Everyone's working tirelessly to secure their systems from the onslaught of attacks by those exploiting Log4j. Stay strong, defenders. You are literally saving the world right now and your efforts are extremely appreciated.
If you want to submit good news from the week, reach out!
~ ~


This week's cyber cat is Loki. He is a Manx cat and, according to his human, is very interested in treats and snuggles but less interested in mousing. I wonder if he's any good at finding bugs? A big thanks to his human Nick J. for the submission!
♬ Make my Christmas dreams come true...♫ by sending in your cyber cats and other fluffy non-feline friends! Drop an email here with their name and photo, and they will be featured in an upcoming newsletter.
~ ~


Phew, what a week. Thanks so much for reading. Feel free to throw any feedback in the suggestion box or reach out at Hope you all have a chill and relaxing holiday — and a very happy Christmas to all those who celebrate. Back next week for the final newsletter issue of the year. Take care, friends.