~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 4, issue 48

~ ~


CISA, Five Eyes issue guidance meant to slow Log4Shell attacks
Cyberscoop: Alright, here we are, Log4j in its third week, the bug that's slowly dying down after a fortnight of intense patching. Now the U.S., U.K., Canada, Australia and New Zealand, the so-called Five Eyes group of countries that share the bulk of the West's signals intelligence, have put out joint guidance to help defenders find vulnerable assets and block Log4Shell attacks. It comes as ransomware crews, cryptominer operators and nation-state groups pile on to the mass exploitation of this popular open-source logging library. This week also saw Alibaba, the cloud giant that is China's answer to AWS and the company that first found and reported the Log4j bug, "disciplined" by Beijing for notifying the Log4j developers before reporting the bug to its state regulator, something Chinese rules encourage but do not require. One can only imagine why.
More: CISA | South China Morning Post
Tonya Riley tweet: "Yule Log4j"
U.S. and Britain help Ukraine prepare for potential Russian cyberassault
The New York Times ($): As the Russian military builds up on Ukraine's eastern border, the West is watching to see what Russian president Vladimir Putin plans next, most likely another invasion of Ukraine, years after Russia annexed the Crimean peninsula. The U.S. and the U.K. have sent defensive cybersecurity experts to Ukraine, which is not a NATO member, to help it prepare for the expected onslaught of cyberattacks, the kind that previously knocked out power to parts of the country. @DAlperovitch has a good thread on the threat from Russia and the likely next steps. What could become yet another kinetic conflict will also be fought in cyberspace.
More: U.S. Dept of Defense | @DAlperovitch tweets

Polish opposition senator hacked with Pegasus spyware
Associated Press: Next, what appears to be the first known case of election meddling involving nation-state spyware. Polish opposition figure Krzysztof Brejza's phone was hacked with Pegasus, the spyware developed by NSO Group, and his texts were leaked and doctored in a smear campaign, run with the help of the state broadcaster, during the 2019 parliamentary election, which the ruling party narrowly won. Now the opposition senator is asking whether the election was fair. Citizen Lab found that the spyware was on the senator's phone over several months in 2019. The disclosures come after Apple sued NSO in November and sent notifications to victims around the world. Three people whose phones were hacked, including the senator, said they blamed the Polish government, which at first would neither confirm nor deny ordering the hacks, then later denied it. NSO has also been added to the U.S. Commerce Department's Entity List, which restricts U.S. companies from exporting technology to the Israeli spyware maker.
More: CNN | The Times of Israel

US charges former GRU officer with hacking and stock market trading scheme
The Record: U.S. prosecutors have charged five Russians, including a former Russian GRU officer, with hacking into two U.S. SEC filing agents and stealing not-yet-public financial filings so they could trade on the news before it broke. This is the third time that the former GRU officer, Ivan Yermakov, has been charged in the U.S., reports @campuscodi (who has a good tweet thread on this), including for efforts to interfere with the 2016 U.S. presidential election. The scheme involved phishing the filing agents' employees and stealing unreleased filings for companies like Tesla, IBM and Snap, then placing trades ahead of the announcements. The DOJ said the group made tens of millions of dollars in illegal trades. Only one of the five, Vladislav Klyushin, is in U.S. custody: he was arrested in Switzerland while on vacation and extradited.
More: U.S. Dept. of Justice | @EamonJavers tweets
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week through Patreon. You can also donate one-time: PayPal or Venmo.
~ ~


Lights out: Cyberattacks shut down building automation systems
Dark Reading: Well this is terrifying. Security researchers in Germany found at least four buildings whose building automation system (BAS) devices, which control the lights, blinds, shutters and more, were hacked to switch on a security feature, a programming password, that effectively locked out the building owners and the device manufacturer. The attacker's identity is not known, but they must have specialist knowledge of BAS devices running the KNX standard. Setting the password and locking out legitimate users, forcing a manual reset of every device, looks like a ransomware-style attack, except there was no apparent motive and no ransom note. A real head scratcher. The practical lesson for anyone running KNX: set that password (KNX calls it the BCU key) yourself before someone else does, keep a record of it, and don't leave KNXnet/IP gateways (UDP port 3671) reachable from the internet. Here's the full research.
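If you're not sure what KNX/IP gateways are even on your network, a discovery sweep is the first step. The script below is an added example for this newsletter (it is not code from the researchers' report): it builds a standard KNXnet/IP SEARCH_REQUEST, multicasts it on the LAN and decodes the SEARCH_RESPONSE frames that come back, including each gateway's KNX individual address, medium, name and whether it is currently in programming mode. The frame layout follows the public KNXnet/IP core specification; the sample response at the bottom is constructed for the offline check, not a real capture. It cannot tell you whether a BCU key has been set on the devices behind the gateway, and you should only run it on networks you operate.

```python
"""KNXnet/IP discovery: build a SEARCH_REQUEST and decode SEARCH_RESPONSE frames.

Added example; not code from the cited research. Frame layouts follow the
public KNXnet/IP core spec: 6-byte header, HPAI endpoint, DIB blocks.
"""
import socket
import struct

KNX_MULTICAST = ("224.0.23.12", 3671)   # standard KNXnet/IP discovery endpoint
SEARCH_REQUEST = 0x0201
SEARCH_RESPONSE = 0x0202
MEDIUM = {0x02: "TP1", 0x04: "RF", 0x10: "PL110", 0x20: "IP"}
SERVICE_FAMILY = {0x02: "core", 0x03: "device-mgmt", 0x04: "tunnelling",
                  0x05: "routing", 0x06: "remote-logging",
                  0x07: "remote-config", 0x08: "object-server"}


def build_search_request(local_ip: str, local_port: int) -> bytes:
    """Header + HPAI (8 bytes) telling gateways where to send their answer."""
    hpai = struct.pack("!BB4sH", 8, 0x01, socket.inet_aton(local_ip), local_port)
    header = struct.pack("!BBHH", 0x06, 0x10, SEARCH_REQUEST, 6 + len(hpai))
    return header + hpai


def parse_search_response(frame: bytes) -> dict:
    """Pull out the fields a defender cares about from one SEARCH_RESPONSE."""
    if len(frame) < 6 + 8 + 54:
        raise ValueError("frame too short for a SEARCH_RESPONSE")
    hdr_len, version, service, total = struct.unpack("!BBHH", frame[:6])
    if (hdr_len, version, service) != (6, 0x10, SEARCH_RESPONSE) or total != len(frame):
        raise ValueError("not a well-formed KNXnet/IP SEARCH_RESPONSE")
    # HPAI control endpoint: where tunnelling/management connections are accepted
    _, _, ctrl_ip, ctrl_port = struct.unpack("!BB4sH", frame[6:14])
    # DIB DEVICE_INFO comes first and is always 54 bytes
    (dib_len, dib_type, medium, status, ia, _project, serial,
     _mcast, mac, name) = struct.unpack("!BBBBHH6s4s6s30s", frame[14:68])
    if dib_len != 54 or dib_type != 0x01:
        raise ValueError("expected DEVICE_INFO DIB")
    # DIB SUPP_SVC_FAMILIES: (family id, version) pairs
    svc = frame[68:]
    families = {}
    if len(svc) >= 2 and svc[1] == 0x02:
        for i in range(2, svc[0], 2):
            families[SERVICE_FAMILY.get(svc[i], hex(svc[i]))] = svc[i + 1]
    return {
        "control_endpoint": f"{socket.inet_ntoa(ctrl_ip)}:{ctrl_port}",
        # individual address is area.line.device = 4 bits, 4 bits, 8 bits
        "individual_address": f"{ia >> 12}.{(ia >> 8) & 0xF}.{ia & 0xFF}",
        "medium": MEDIUM.get(medium, hex(medium)),
        "programming_mode": bool(status & 0x01),
        "serial": serial.hex(":"),
        "mac": mac.hex(":"),
        "name": name.split(b"\x00", 1)[0].decode("latin-1"),
        "services": families,
    }


def discover(timeout: float = 2.0) -> list:
    """Multicast one SEARCH_REQUEST on the local LAN and collect the answers."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.connect(KNX_MULTICAST)          # no packet sent; just picks the local IP
    local_ip = probe.getsockname()[0]
    probe.close()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", 0))
    sock.settimeout(timeout)
    sock.sendto(build_search_request(local_ip, sock.getsockname()[1]), KNX_MULTICAST)
    found = []
    try:
        while True:
            data, _ = sock.recvfrom(1024)
            try:
                found.append(parse_search_response(data))
            except ValueError:
                pass                      # ignore frames that are not responses
    except socket.timeout:
        pass
    sock.close()
    return found


# Constructed sample answer (not a capture): a TP1 gateway at 1.1.10.
SAMPLE_RESPONSE = (
    struct.pack("!BBHH", 6, 0x10, SEARCH_RESPONSE, 76)
    + struct.pack("!BB4sH", 8, 0x01, socket.inet_aton("192.168.1.50"), 3671)
    + struct.pack("!BBBBHH6s4s6s30s", 54, 0x01, 0x02, 0x00, 0x110A, 0,
                  bytes.fromhex("00ef12345678"), socket.inet_aton("224.0.23.12"),
                  bytes.fromhex("001122334455"), b"Hallway gateway")
    + bytes([8, 0x02, 0x02, 0x01, 0x03, 0x01, 0x04, 0x01])
)

if __name__ == "__main__":
    for gw in discover():
        print(gw)
```

A gateway that answers with "programming_mode": True is sitting with its programming button pressed, which is exactly the state an attacker (or an integrator) needs to reprogram it; one that advertises the tunnelling service family is the one worth checking for exposure beyond the LAN.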

Digital security for filmmakers
Freedom of the Press Foundation: If you're a filmmaker — professional or hobbyist — or just want to protect your photos from a range of threats in a number of scenarios (from footage security and crossing borders to keeping your workstation secure), this guide has it all. This comes from the Freedom of the Press Foundation, whose job it is to help those working in journalism (including videographers and filmmakers!) protect their footage.

Spy Sites of New York City plotted on a Google Map
Runa Sandvik: @runasand has put together a Google Map of the 240+ places mentioned in Spy Sites of New York City, a book that delves into the city's local history of spycraft and espionage. (I bought it last year on Runa's recommendation, and am slowly making my way through!) This is a fun way to explore hundreds of historical spy sites. Can you figure out what this particular "government office" is?
A "government office" in the middle of Manhattan. (Psst: It's the NSA's TITANPOINTE station.)
Honeypot experiment reveals what hackers want from IoT devices
Bleeping Computer: A new honeypot experiment set out to figure out what malicious actors want from vulnerable IoT devices. The experiment simulated several low-interaction IoT devices, from Windows-embedded IoT devices to a range of IP cameras, to see why they are targeted. Across 22 million hits, the honeypots were targeted mainly for recruitment into DDoS botnets or for planting cryptocurrency miners. The full academic paper can be found here.

RSA conference postponed until June 6
RSA: The RSA annual security conference has moved to June 6 as a fresh wave of omicron sweeps across the United States. The new COVID-19 variant has driven infection figures up over the past couple of weeks. RSA was to be held in person in February but will now take place in June, assuming nothing changes again. Adjust your travel plans! (Thanks for the spot, @hacks4pancakes.)
~ ~


Proctorio's anti-cheating software exposes students to hackers
Techdirt: Here's your regularly scheduled reminder of why at-home proctoring tech is crap. Not only does this software invade students' privacy, given there's no way to opt out, it's known to be buggy, often fails to detect non-white faces, and demands overly broad access to students' devices and data. Now, Dutch officials say that attackers are exploiting flaws in one proctoring product, Proctorio, to get into students' online accounts, and their webcams.

A Bluetooth bug in a popular at-home COVID-19 test could falsify results
TechCrunch: F-Secure researchers found that the Ellume At-Home COVID-19 test, which reports its result to a phone app over Bluetooth, could be tricked into reporting a false positive by modifying the Bluetooth traffic between the test and the app. Ellume has since fixed the bug.
A screenshot of an app showing a falsified positive COVID-19 test result.
Phishing in organizations: Findings from a large-scale, long-term study
Daniele Lain, Kari Kostiainen, Srdjan Capkun: Fascinating findings here from new research studying phishing simulations in organizations. The full paper is worth the read. Tracking some 14,000 employees over 15 months, the study found that simulated phishing exercises do "not make employees more resilient to phishing, but instead it can have unexpected side effects that can make employees even more susceptible to phishing."

Microsoft notifies customers of Azure bug that exposed their source code
The Record: New research from Wiz, a team that includes former Microsoft cloud engineers, found a bug in Azure App Service that exposed the source code of customers' web apps since at least September 2017. (Just to be clear: that's over four years.) The bug, nicknamed NotLegit by the Wiz team, affected apps deployed with the "Local Git" option, which placed the repository, .git folder and all, inside the publicly served web root, so anyone who guessed the path could pull the full commit history, and any secrets ever committed to it, with a handful of HTTP requests. Microsoft's blog post is here.
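Whether or not you're on Azure, it's worth checking that your own sites don't serve /.git/ to the world. The checker below is an added example for this newsletter (not Wiz's or Microsoft's tooling). The useful detail is that it doesn't trust a 200 status on its own, because plenty of apps answer every path with 200 and a custom page; it insists the body has the exact format of a git HEAD file ("ref: refs/..." or a bare 40-hex commit id) before calling the repository exposed. The response bodies in the offline check are constructed.

```python
"""Detect a web root that serves its .git directory over HTTP.

Added example; not code from Wiz or Microsoft. Only probe sites you own.
"""
import re
import urllib.error
import urllib.request

# A real HEAD is either a symbolic ref or a detached 40-hex commit id.
_REF_HEAD = re.compile(rb"^ref: refs/[\w./-]+$")
_SHA_HEAD = re.compile(rb"^[0-9a-f]{40}$")


def looks_like_git_head(status: int, body: bytes) -> bool:
    """True only when /.git/HEAD came back as a genuine git HEAD file."""
    if status != 200:
        return False
    head = body.strip()
    return bool(_REF_HEAD.match(head) or _SHA_HEAD.match(head))


def looks_like_git_config(status: int, body: bytes) -> bool:
    """Second opinion: /.git/config always carries a [core] section."""
    return status == 200 and b"[core]" in body and b"repositoryformatversion" in body


def fetch(url: str, timeout: float = 10.0) -> tuple:
    """GET a URL and return (status, first 4 KiB of body); 4xx/5xx are data too."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096)


def check_site(base_url: str) -> dict:
    """Probe HEAD first; only if that matches, confirm with config."""
    base = base_url.rstrip("/")
    result = {"head_exposed": looks_like_git_head(*fetch(base + "/.git/HEAD")),
              "config_exposed": False}
    if result["head_exposed"]:
        result["config_exposed"] = looks_like_git_config(*fetch(base + "/.git/config"))
    return result


if __name__ == "__main__":
    import sys
    for site in sys.argv[1:]:
        print(site, check_site(site))
```

If either flag comes back true, pulling the folder down with a git-dumper style tool is trivial for an attacker, so treat every credential that ever lived in that history as compromised and rotate it; removing the folder from the web root is necessary but not sufficient.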

Former Uber CSO indicted on three more counts of wire fraud
FBI: Remember in 2016 when Uber paid off the hackers who stole 57 million user and driver records (and who were later charged over separate hacks), dressing the payment up as a bug bounty? Uber's then-CSO Joe Sullivan oversaw that payment, which prosecutors saw as a cover-up, and they charged Sullivan as a result. Sullivan, who was fired from Uber and now serves as Cloudflare's CSO, was this week charged with three additional counts of wire fraud in a superseding indictment, the FBI said. "We allege Sullivan falsified documents to avoid the obligation to notify victims and hid the severity of a serious data breach from the FTC, all to enrich his company," according to the prosecutor in the case, per Bloomberg Law ($). Sullivan's attorney accused the government of "recycling" old meritless charges.
Tweet from FBI: "FBI and @USAO_NDCA  announce superseding indictment against former Uber Chief Security Officer Joseph Sullivan."
AWS support allegedly got access to users' S3 data
Victor Grenu: A long tweet thread by @zoph explores an apparent security incident in which a permissions change may have allowed AWS support teams to access customers' S3 data. The change, which broadened the managed policy attached to AWS's support service role, was later rolled back. Grenu's blog has more, and AWS had this to say in a short post. Worth knowing if you want to limit what AWS's own support role can read in your account: service control policies don't apply to service-linked roles, so the levers that actually work are customer-managed KMS keys (the key policy decides who can decrypt your objects) and CloudTrail S3 data events, so that you at least see such access when it happens.
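Here is what that second lever looks like in practice, as an added example for this newsletter (not AWS's or @zoph's code): a scan over CloudTrail records that flags S3 object reads whose session was issued by the support service-linked role. The role's ARN path is AWS's real one for that role; the four events are constructed samples in CloudTrail's record shape, not a real trail, and the S3 data events you'd feed this only exist if data-event logging is switched on for the bucket.

```python
"""Flag S3 reads performed under AWS's support service-linked role.

Added example; not AWS's or @zoph's code. CloudTrail only records S3
GetObject and friends when S3 *data events* are enabled for the bucket.
"""
import gzip
import json

# Real ARN path of the support service-linked role; account id varies.
SUPPORT_ROLE_PATH = "/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport"
READ_EVENTS = {"GetObject", "HeadObject", "ListObjects", "ListObjectsV2",
               "GetObjectAcl", "GetObjectVersion"}


def is_support_role_read(event: dict) -> bool:
    """True for S3 read API calls whose session comes from the support role."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") not in READ_EVENTS:
        return False
    ident = event.get("userIdentity") or {}
    issuer = ((ident.get("sessionContext") or {}).get("sessionIssuer") or {}).get("arn", "")
    return SUPPORT_ROLE_PATH in issuer or SUPPORT_ROLE_PATH in ident.get("arn", "")


def summarize(event: dict) -> dict:
    params = event.get("requestParameters") or {}
    return {"time": event.get("eventTime"), "bucket": params.get("bucketName"),
            "key": params.get("key"), "source_ip": event.get("sourceIPAddress")}


def find_support_reads(records: list) -> list:
    return [summarize(e) for e in records if is_support_role_read(e)]


def scan_trail_file(path: str) -> list:
    """Scan one CloudTrail log file as delivered to S3 (gzip-compressed JSON)."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return find_support_reads(json.load(fh).get("Records", []))


def _support_identity(account: str) -> dict:
    """Constructed userIdentity block in the shape CloudTrail uses for assumed roles."""
    arn = f"arn:aws:iam::{account}:role{SUPPORT_ROLE_PATH}"
    return {"type": "AssumedRole",
            "arn": f"arn:aws:sts::{account}:assumed-role/AWSServiceRoleForSupport/support",
            "sessionContext": {"sessionIssuer": {"type": "Role", "arn": arn}}}


# Constructed sample records (not a real trail): one hit, three non-hits.
SAMPLE_RECORDS = [
    {"eventTime": "2021-12-22T10:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "support.amazonaws.com",
     "userIdentity": _support_identity("123456789012"),
     "requestParameters": {"bucketName": "customer-backups", "key": "db/2021-12-22.sql.gz"}},
    {"eventTime": "2021-12-22T10:16:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "customer-backups", "key": "db/2021-12-21.sql.gz"}},
    {"eventTime": "2021-12-22T10:17:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketTagging", "sourceIPAddress": "support.amazonaws.com",
     "userIdentity": _support_identity("123456789012"),
     "requestParameters": {"bucketName": "customer-backups"}},
    {"eventTime": "2021-12-22T10:18:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "support.amazonaws.com",
     "userIdentity": _support_identity("123456789012"), "requestParameters": None},
]

if __name__ == "__main__":
    for hit in find_support_reads(SAMPLE_RECORDS):
        print(hit)
```

Point scan_trail_file at the gzipped objects CloudTrail drops in your log bucket, or wire is_support_role_read into whatever already consumes your CloudTrail stream; a hit is not proof of wrongdoing, but it is the moment to ask which support case justified that read.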
~ ~


A happy holidays to all those who celebrate. First up, the 12 Days of Malware, sung by @racheltobac, @jaysonstreet, @rayredacted, @dinah_davis, @camilleesq, and many more.
The "12 Days of Malware" as sung by security experts.
Next: here's a new tool for scripting custom privacy and security settings on Windows and macOS. There are over 120 scripts at the time of writing. A great resource for anyone wanting to lock down their systems. (Thanks to @ryanaraine for the spot.)

@_MG_, the internet's favorite cable hacker, has a great tip on how to spot some malicious charging cables. Use your phone's flashlight!
MG tweet: "Did you know that a flashlight is all you need to detect a malicious USB cable?"
And finally. Motherboard put out its annual cybersecurity journalism jealousy list. It's a good reminder (and refresher) of the best cybersecurity reporting of the year. I, for one, am pretty much jealous of everything Motherboard reports!
If you want to submit good news from the week, reach out!
~ ~


Meet Daisy, who features this week (and is our final of the year!). Her human says that Daisy often stops him from being productive. Can you blame her with such a cute face? You're a good pup, Daisy. A big thanks to Arnav D. for the submission!
Please(!) keep sending in your cyber cats and other fluffy non-feline friends. You can drop me an email here with their name and photo, and they will be featured in an upcoming newsletter.
~ ~


And that's it for the week... and the year. As always, thanks so much for reading, subscribing, sharing and giving feedback this year. It's hugely appreciated. The suggestion box is always open, or feel free to reach out at See you on the other side... take care.