~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 4, issue 44

~ ~


U.S. accuses Iranian hackers of 2020 voter intimidation by sending spoofed emails
Wall Street Journal ($): A voter intimidation effort to disenfranchise voters from going to the polls during the 2020 presidential election was carried out by Iranian hackers, who broke into non-public voter information in one state, believed to be Alaska, and sent phony emails purporting to be the far-right group, Proud Boys. The emails, which also went out to some residents in Florida, urged recipients to vote for then-President Trump on Election Day "or we will come after you." The hackers also tried to break into a CMS used by dozens of newspapers with the goal of publishing false news. After all, local news is still widely trusted in the U.S. But the attempt failed after the FBI alerted the CMS maker, a company called Lee Enterprises. Lee customers include New York's Buffalo News, the Daily News in Washington DC, and the St. Louis Post-Dispatch in Missouri, as well as many other local news outlets. It wasn't even the only "media outlet hack" story this week, after the Middle East Eye was also hacked to serve as a watering hole to target specific victims visiting the website.
More: Wall Street Journal ($) | Motherboard | @dnvolz tweets | @emilybell

GitHub fixes flaw in the NPM JavaScript package registry
The Register: GitHub said it's fixed a vulnerability that allowed anyone to publish new versions of any NPM package using an account without proper authorization. That's a major problem since NPM is used by millions of developers. In this case, the NPM registry had a bug that "provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package." The bug was fixed after six hours, but existed since at least September 2020 (gasp). GitHub said the bug wasn't exploited at least since September 2020.
More: GitHub | Bleeping Computer
Yan Zhu tweet: "lawful good: reporting the npm authentication bypass to github. chaotic good: using the npm authentication bypass error to fix npm audit errors in other people's packages"
'Ghostwriter' looks like a purely Russian op — except it's not
Wired ($): The Ghostwriter hacking and disinformation group has targeted countries across Europe and the Baltics for years, hitting states with anti-NATO and anti-U.S. messages — you know, like Russia does — leading many (including the EU itself) to believe that the Kremlin was behind the group. Turns out — they weren't far off — it's likely Belarus behind the attacks, according to new research by Mandiant. Belarus, which has close links to Russia, crushed dissent in the country following its presidential election last year, in which incumbent president Alexander Lukashenko claimed victory amid accusations of election rigging. Google's TAG group, which tracks nation-state actors, said the findings are consistent with what it has observed. Germany — a Ghostwriter victim — stands by its assessment that Russia is behind the group (not surprising given the very close links between Russia and Belarus). The research was presented at Cyberwarcon in Washington DC, which I was fortunate enough to attend in person.
More: Mandiant | @hatr tweets

Six million Sky routers had serious security flaw
BBC News: Not a good look for Sky, one of the biggest ISPs in the U.K., after it took 18 months to fix a vulnerability in its home broadband routers that could have allowed anyone to take over a home network. The DNS rebinding bug was discovered by Pen Test Partners, which has all the technical details in a blog post. Some six million routers were vulnerable to the bug. In a proof-of-concept, the researchers showed that a malicious IFRAME on any website could have led to hijacking the Sky router (especially easy with default credentials still set). Sky missed several deadlines for fixing the bug, eventually resolving the issue in October, a year and a half after it was first submitted.
More: Pen Test Partners | @thekenmunroshow
A screenshot of the proof-of-concept webpage remotely obtaining a Sky router's password from the internet.
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week, through Patreon. You can also donate one-time: PayPal or Venmo.
~ ~


Hackers targeted Afghan officials on Facebook amid Taliban offensive
AFP: Hackers from Pakistan associated with a group called SideCopy used Facebook to target people connected to the government, military and law enforcement in Kabul during the Taliban takeover of the country earlier this year. Facebook (aka Meta for reputational reasons) said the hackers created fake accounts to lure their targets into clicking phishing links or downloading malicious apps in an effort to steal their Facebook credentials. More from Cisco Talos, which wrote about SideCopy in July. Facebook/Meta explains more technical deets, and has TTPs.

Debunking worthless 'security' practices
Ars Technica: I'm so glad @thepacketrat wrote this. We've all heard some dodgy security advice over the years. I won't spoil them for you, but there are some real shockers in here. Seasoned security pros push back on the "advice" that these days is just wrong or outdated (and there's so much of it), and dispel some myths in the process. Case in point:
Patrick Kelley tweet: "“Don’t put your password in your wallet.” You will literally have to kick my ass to get it. Heck of a lot stronger than notepad."
Thousands of Firefox users accidentally commit login cookies on GitHub
The Register: Thousands of Firefox cookie databases can be found in GitHub repos, exposing those accounts to hijacks. Firefox cookies.sqlite databases store a user's logged-in cookies, so users don't have to keep re-entering their passwords every five minutes. These cookie databases normally reside on the user's local computer, but many have been inadvertently uploaded and are findable online. Sure, some of that is on the user for uploading them — but GitHub, when reached, won't prevent users from searching for these files.
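As an added example (not from The Register's story, GitHub's tooling or Mozilla's code): a small Python triage script that finds Firefox profile files in a checkout and, for any cookies.sqlite copy, lists which hosts still hold unexpired cookies, so the owner knows which accounts to sign out of and which sessions to revoke. The repo layout and cookie rows are a constructed fixture for the demo; the moz_cookies table name and its host/name/expiry columns are Firefox's own.

```python
import os
import sqlite3
import tempfile
import time

SENSITIVE_NAMES = {"cookies.sqlite", "key4.db", "logins.json", "sessionstore.jsonlz4"}  # Firefox session/credential files

def find_profile_artifacts(root):
    """Walk a checkout and return every Firefox profile file in it (the .git directory is skipped)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        hits.extend(os.path.join(dirpath, n) for n in filenames if n in SENSITIVE_NAMES)
    return sorted(hits)

def summarize_cookie_db(path):
    """Open a cookies.sqlite copy read-only and return (host, cookie name, still_valid) per row."""
    # Values are deliberately not returned (the aim is to learn which sessions to revoke); expiry is Unix seconds.
    conn = sqlite3.connect("file:" + os.path.abspath(path) + "?mode=ro", uri=True)
    try:
        rows = conn.execute("SELECT host, name, expiry FROM moz_cookies ORDER BY host, name").fetchall()
    finally:
        conn.close()
    now = int(time.time())
    return [(host, name, expiry > now) for host, name, expiry in rows]

def triage(root):
    """Map each found artifact (path relative to root) to its live-session summary, or None."""
    report = {}
    for path in find_profile_artifacts(root):
        rel = os.path.relpath(path, root).replace(os.sep, "/")
        report[rel] = summarize_cookie_db(path) if rel.endswith("cookies.sqlite") else None
    return report

def build_sample_checkout(root):
    """Constructed fixture: a fake dotfiles repo holding a minimal cookies.sqlite (no real user data)."""
    profile = os.path.join(root, "dotfiles", "firefox", "abcd.default")
    os.makedirs(profile)
    with sqlite3.connect(os.path.join(profile, "cookies.sqlite")) as conn:
        conn.execute("CREATE TABLE moz_cookies (name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER)")
        conn.executemany("INSERT INTO moz_cookies VALUES (?, ?, ?, ?, ?)", [
            ("user_session", "SAMPLE", "github.com", "/", 4102444800),  # unexpired (year 2100)
            ("sid", "SAMPLE", ".example.net", "/", 946684800),          # expired (year 2000)
        ])
    conn.close()

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_checkout(root)
        return triage(root)
```

Run triage() against a real checkout before pushing; a non-empty report means the profile files should be removed from history and the listed sessions invalidated, not just deleted from the working tree.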

Wait, the FBI got hacked over a beef with a guy named Vinny?
The Daily Beast: Remember last week when one of the FBI's servers was hacked to send out a mass email? Props to @shanvav for the explainer (and the headline) about what went down, even as noted, "hacking for shits, giggles, and maybe personal vendettas is a bit unusual these days."

How cellphone data collected for advertising landed at U.S. government agencies
Wall Street Journal ($): Mobilewalla, a company that collects and sells location data obtained from cellphones, said it was the source of some of the data that was used by Homeland Security and other government agencies to track phones without warrants. Mobilewalla has data on 1.6 billion devices across 35 countries, and collects data from 75,000 apps. But which apps work with which brokers remains a closely held industry secret. Take the time to read this one; it's a touch complicated, but it's a good guide for those new to the grubby work of location data brokering.

'Crypto' means cryptocurrency. We lost the war, and it's OK
Motherboard: Controversial, but an important read. "Crypto" has for as long as I can recall referred to cryptography. But after a $700 million deal to rename the iconic Staples Center in Los Angeles after a cryptocurrency company, @lorenzoFB posits that it's time to call it a day and accept defeat. "Crypto" now means cryptocurrency. Sure, we won't always agree, and context matters. That company's domain was for more than two decades, until 2018, the personal website of @mattblaze, who sold it to the company for an undisclosed sum.
~ ~


Alan Paller, a mover on cybersecurity threat, is dead at 76
New York Times ($): SANS Institute founder Alan Paller died earlier this month at 76. Paller was a long-time champion of cybersecurity education. @nicoleperlroth writes a fitting tribute to him, including recounting a story in 2001 about how he brought dozens of security experts in to help the NSA combat the threat of Code Red, a new computer virus (for the time) that had spread to thousands of computers in a single day.

Iran-backed hackers accused of targeting critical U.S. sectors
Associated Press: Iran-backed hackers have been targeting a "broad range" of victims inside the U.S., including deploying ransomware, according to an advisory published by U.S., British and Australian authorities. Microsoft also said this week that it had seen at least six groups operating inside Iran deploy ransomware since last year, in some cases spending considerable time building rapport with their victims before targeting them with spearphishing emails, often with fake conference invitations or interview requests. Per @snlyngaas, it's not the first time that the feds have warned of Iranian ransomware, but it is rare indeed.

Popular adult cam chat exposed users' data
Bob Diachenko: @MayhemDayOne found an exposed Elasticsearch database containing about 65 million user records, including email addresses, usernames, IP addresses, and more, of Stripchat viewers and models. Diachenko contacted Stripchat multiple times, but the company didn't acknowledge his efforts to disclose the unprotected database. The database also contained 719,000 public and private chat messages sent to models. Stripchat later acknowledged the incident in a blog post, but effectively denied responsibility.

Conti ransomware gang suffers security breach
The Record: In a relatively fast-paced story this week, the Conti ransomware group appears to have been hit by a security breach after a security firm identified the real IP address of one of the group's payment portals and gained access for more than a month. Swiss security firm Prodaft described in a 37-page report how it effectively 'hacked back' to monitor the ransomware group. That caused the group to scramble for a new host after its clearweb and Tor domains went offline. A day later, the Conti gang appeared back online and said in a statement that it was "going full throttle." @campuscodi has a good tweet thread on the incident.
A tweet by Catalin Cimpanu explains the takeaways from the Prodaft report. Follow the link for more.
~ ~


A little something from the happy corner this week: CISA marked its third birthday this week. The federal government's first dedicated cybersecurity agency was created by law in 2018. It's also one year since its first director @C_C_Krebs was fired by tweet after rejecting Trump's unfounded claims of voter fraud during the election last year. (At least Krebs got a cool jacket out of it.) A big congrats to CISA and all those who contribute to its mission.
Jen Easterly tweet: "Happy Birthday to CISA, kudos to our amazing team, and thanks to our incredible partners!"
Got some good news from the week? Get in touch:
~ ~


This week's cyber cat is Berta. She likes to stay close to her human while he works. Great work keeping up the morale, Berta! A big thanks to Lorenzo M. for the submission!
Don't forget to keep sending in your cyber cats (and your other fluffy non-feline friends)! Drop an email here with their name and photo, and they will be featured in an upcoming newsletter.
~ ~


That's it for this week. The suggestion box is open, or email. See you next week, hope you have a good one.