~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 4, issue 43

~ ~


U.S. seizes $6M in ransom payments and charges Ukrainian over REvil cyberattacks
CNN: The DOJ got the breakthrough it needed: this week prosecutors charged Ukrainian national Yaroslav Vasinskyi, 22, and Russian national Yevgeniy Polyanin, 28. Authorities in the U.S. and their international law enforcement partners also recovered $6M in ransom payments. Vasinskyi is accused of using the REvil ransomware (likely as an affiliate) to hack Kaseya earlier this year, and faces extradition from Poland, where he was caught. Polyanin is still at large. (That'll be interesting to watch, per @DAlperovitch: "Will Moscow take action against him? If they don’t, that's a sign that they're not planning to cooperate.") The cat and mouse game continues. This news came in the same week that another pipeline, a U.S. police department, and a bank were all hit by different strains of ransomware, per @GossiTheDog. The U.S. Treasury is also upping its ransomware sanctions by taking action against cryptocurrency exchange Chatex (as well as three others) for facilitating ransom payments.
More: Washington Post ($) | Cyberscoop | @FBI
FBI wanted poster for Yevgeniy Polyanin, a Russian national believed to be on the run.
Robinhood says millions of names, email addresses taken in data breach
Robinhood: Trading platform Robinhood said it was hacked on November 3 after someone obtained a "limited amount of personal information for a portion of our customers." True, but that's still 2 million names and 5 million email addresses gone, plus a more detailed set of account data for hundreds more. Robinhood said in a blog post that its customer support was socially engineered, but that no money was stolen. Turns out the hackers tricked customer support into giving them access to an internal tool used for removing account security features and viewing sensitive user information, including balances and trades. It sounds a lot like last year's Twitter hack, after which Twitter rolled out physical security keys to its staff to prevent a repeat. The lesson is the same: an internal support tool that can strip a customer's security settings is a prime target, and it needs phishing-resistant logins and tight access controls of its own.
More: Motherboard | @josephfcox | @racheltobac

Hoax email blast abused poor coding in FBI website
Krebs on Security: Here's a strange one. A mass email sent out to thousands of people on Saturday from the FBI's own infrastructure (the sending address was verified as genuine) was actually the work of a hacker. @briankrebs got the scoop. The hacker said they took advantage of bad coding on the FBI's Law Enforcement Enterprise Portal, known as LEEP, which allowed them to send emails as though they were the FBI. Because the messages really did come from FBI systems, the usual sender-authentication checks would not have caught them. And to think it could've been used for something far more sinister! The FBI confirmed an incident but declined to comment, so no different from any other day, but said it encourages the public to be "cautious of unknown senders." Which, come on! @GossiTheDog put the pieces together before most, so it's a good thread to read.
More: Bloomberg ($) | NBC News | @briankrebs
Dan Goodin tweet: “We continue to encourage the public to be cautious of unknown senders,” says the agency whose infrastructure was hacked to send emails from a legitimate account.
Apple isn't actually patching all the security holes in older versions of macOS
Ars Technica: macOS Big Sur got a security patch more than seven months before macOS Catalina did, even though both operating systems are still supported. This concerning revelation comes after Google's Threat Analysis Group disclosed a privilege escalation bug in Catalina that was used by a likely state-backed actor to target visitors to pro-democracy websites in Hong Kong. (Wired ($) also has a good write-up.) Apple now faces heat for fixing the bug promptly in the newer macOS version while taking months to fix it in an older version that many still use (and that Apple still actively supports). The practical caveat: "supported" doesn't mean "patched at the same time," so if you still run an older macOS, don't assume a fix for the newer release covers you.
More: Google Threat Analysis Group | @theJoshMeister
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week, through Patreon. You can also donate one-time: PayPal or Venmo.
~ ~


NSO spyware found on 6 Palestinian activists’ phones
Associated Press: Security researchers at Front Line Defenders say they've found evidence of NSO's notorious Pegasus spyware on six phones belonging to Palestinian human rights defenders, whose work Israel has designated as "terrorist" activity despite offering little evidence. It's yet more scrutiny for Israel's hack-for-hire industry, which critics say Israel does not do enough to regulate. It comes during a bad week for NSO, whose CEO just resigned after a U.S. appeals court rejected the company's claim that it was covered by state sovereign immunity, allowing WhatsApp to proceed with its case against NSO for allegedly hacking 1,400 users, including activists and journalists, with Pegasus. @jsrailton explains more in a tweet thread. In related news, the Atlantic Council has a new report looking at the proliferation of offensive cyber tools and spyware. (Hint: it's a lot more than just NSO.)

MediaMarkt hit by Hive ransomware, initial $240 million ransom
Bleeping Computer: If you're in the U.S. there's a good chance you haven't heard of MediaMarkt, but if you have, bad news: it's been hit by ransomware. MediaMarkt is one of the biggest electronics retailers in Europe, and was hit by Hive ransomware with an initial demand of $240 million. That seems like a lot for a typical ransom until you realize the company has over 1,000 stores in 13 countries, employs 53,000 people and made close to €21 billion last year. It shut down its IT systems to prevent further spread, but its site is still down a week later. Hive is relatively new, first seen in July, and is known to deliver its malware through phishing campaigns.

This parking lot at Trader Joe's has a 4,000-word privacy policy
Los Angeles Times ($): Parking your car at this one Trader Joe's in Los Angeles requires you to agree to a 4,000-word privacy policy, including consenting to being tracked across devices, pretty much for the rest of time. Trader Joe's said it's a rare one-off and due to a tenancy contract. Still, it raises the wider question of why. Who needs all that data? The bigger issue is that this is how even run-of-the-mill, everyday apps operate.

A breakdown of the $1B cyber grant for local and state governments
Joseph Marks: Per @joseph_marks_, the $1 billion cyber grant program for state and local governments in the wider infrastructure bill comes with some interesting caveats. The money, which is spread over four years, cannot be used to pay a ransom to hackers. In this tweet thread, Marks explains where the money is going — and why.
Joseph Marks tweet thread: "Fun fact: The $1 billion cyber grant program for state and local govs in the infrastructure bill specifically bars using any of the grant money to pay a ransom to hackers."
China says a foreign spy agency hacked its airlines, stole passenger records
The Record: In a rare public statement, Beijing says a foreign intelligence agency hacked several of its airlines in January 2020 and stole troves of passenger records. The hack wasn't attributed to a particular state. It's a touch ironic given that, earlier this year, hackers operating in China's interests were found stealing airline passenger data to track persons of interest. This kind of data is an intelligence goldmine, since it shows where people go and when. Last year, China was accused of stealing nine million records on easyJet customers.

ActMobile, which runs Dash VPN and FreeVPN, exposed IP and email addresses
Have I Been Pwned: Last week, it was reported that millions of records — including names, email and IP addresses, and more — belonging to ActMobile, which runs Dash VPN and FreeVPN among others, were left exposed online. @MayhemDayOne found the exposed database. In its response, the company denied the lapse and appeared to threaten the researcher. According to the write-up, the exposed data could be "used to track VPN users by their devices’ IP addresses," which is about the worst possible leak for a product whose whole point is hiding your IP address. Victims' email addresses are now searchable in Have I Been Pwned.
~ ~


Data broker shared billions of location records with Washington DC during pandemic
Washington Post ($): A data broker, Veraset — a spin-off of SafeGraph, which Google banned earlier this year — shared billions of "highly sensitive" phone location records with the Washington D.C. government last year that revealed how people moved about the city during the pandemic. The data contained 12 billion data points, since one phone can produce many data points over time. Worse, Veraset won't say which apps are collecting this kind of granular location data. The EFF also had a good writeup, and @drewharwell explains more in a tweet thread.

Hackers have breached organizations in defense and other sensitive sectors, security firm says
CNN: Palo Alto Networks says it has discovered a new cyberespionage campaign, possibly by China (based on overlapping tools and tactics), that breached nine organizations in the defense, energy, health care, technology and education sectors. At least one of those organizations is in the United States. The NSA and CISA are tracking the threat. The hackers used stolen credentials to gain long-term persistence on their victims' networks, with the end goal of stealing sensitive information sent between U.S. defense contractors and the government. Palo Alto, which blogged here, expects more victims to emerge.

Microsoft patches 56 flaws in November's Patch Tuesday
Cisco Talos: Some five dozen flaws have been squashed by Microsoft's patches this week, including six rated critical. CVE-2021-38666 is a remote code execution bug in the Remote Desktop Client: an attacker who controls a Remote Desktop server can run code on any client that connects to it, which is handy for lateral movement and data theft. Meanwhile, CVE-2021-42292 is only rated "important" but is already being exploited in the wild; it's a security feature bypass in Excel (think booby-trapped email attachments). @wdormann notes there are no Mac patches for it yet.

A cyber mercenary is hacking Google and Telegram accounts of politicians and journalists
Forbes ($): @iblametom with a solid story on how @FeikeHacquebord got access to an unprotected control panel used by a hacker-for-hire crew called RocketHack. This is just one of many players in an "underground industry" who will "break into people’s digital lives for the highest bidder, whether that’s a government, a corporate espionage client, a stalker or an abusive spouse." Hacquebord tracked RocketHack for a year and saw them hack into the Belarusian opposition, a country's minister of defense, and dozens of journalists. Oh, and IVF doctors, for reasons that aren't clear. The target list also included a Russian tax officer, which may be because such officials have access to lots of data themselves. Fascinating stuff.

Cloudflare blocks an almost 2 Tbps multi-vector DDoS attack
Cloudflare: In a blog post out this weekend, Cloudflare said it blocked a DDoS attack of almost 2 Tbps, the largest it has seen to date (which is saying something). The attack lasted just a minute and was launched by a botnet of some 15,000 bots running a variant of the original Mirai code on IoT devices and unpatched GitLab instances. Cool, congratulations, and also commiserations, since it's only going to get worse from here.
~ ~


This week, this wireshark was floating around Twitter.
A toy shark with a hard hat and wires nearby, with the quote "Wire-shark".
Also this week, in what we might as well start calling "Hire This Hacker Kid," mom Victoria went viral on TikTok because her 11-year-old son Elijah got in "major trouble" for "controlling the internet at the school for the past three months." Wait, it gets so much better. "It was to the point that these kids had off school. Their teachers could not email each other, they could not instant message each other," Victoria said. "These kids were off school like every other week." Granted, hilarious as it was, he could've gotten in a ton of trouble. Instead he was given computer programming classes and some community service, which — OK — fair. But can someone please get this very talented kid a scholarship?
A screenshot of the TikTok video. Hit the link to listen — the audio works well here.
And finally. Put on your high-viz vests and science hats and join @mattblaze to test some Faraday pouches. Clearly some are better than others!
Matt Blaze tweet thread: "I redid my informal tests of various cellphone-sized Faraday pouches, to measure the amount of attenuation they actually provide. Tl;dr: the expensive commercial ones generally work well. Cheap makeshift ones generally don’t."
Got some good news from the week? Get in touch:
~ ~


Meet Felix, this week's cyber cat. Office chair denial-of-service condition detected, no work can be completed today. Must give scritches before you go. Many thanks to Jack A. for the submission!
Please keep sending in your cyber cats (and your other fluffy non-feline friends). You can send them in with their name and photo by email here
~ ~


And that's a wrap. As always, the suggestion box is always open for feedback, or email me at Take care! Have a great week.