~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 4, issue 27

~ ~


Dutch researchers found and reported Kaseya bugs before ransomware attack
Wall Street Journal ($): Dutch security researchers received wide praise this week after it emerged they found and reported several security vulnerabilities in Kaseya's technology, which is used by MSPs to remotely control and manage their customers' networks on their behalf. But just as the bugs were being fixed, REvil struck. Kaseya hadn't put the fixes in place in time. Hundreds are said to be affected by the ransomware attack, which spread to downstream victims. The researchers, led by @0xDUDE at @DIVDnl, found the seven vulnerabilities, and explained how the disclosure process worked. There was some sympathy for Kaseya for working quickly to fix the flaws, until Bloomberg ($) reported that former employees said the company failed to address critical security issues on several occasions in the years prior to the hack. @rj_gallagher, who wrote the Bloomberg piece, has a good tweet thread on it.
More: Bloomberg | NPR
A tweet thread by Ryan Gallagher about former employees who complained of security issues prior to the ransomware attack this month.
Microsoft's emergency patch fails to fix critical PrintNightmare flaw
Ars Technica: Ho-ho-holy moly, when will this nightmare end? PrintNightmare (tracked as CVE-2021-34527), the Windows Print Spooler bug that lets an authenticated user run code as SYSTEM on any machine with the spooler running, domain controllers included, still hasn't been fully fixed. An emergency patch went out this week, but it failed to close the hole, though it did manage to break some printers in the process. Just 12 hours after the not-quite-patch went out, @gentilkiwi found a way around it. The catch is that the fix only holds when the Point and Print policy values NoWarningNoElevationOnInstall and UpdatePromptSettings are 0 or absent, and plenty of environments set them otherwise, so until that is sorted the safe move is still to stop and disable the Print Spooler service wherever printing isn't needed. Ars looks at the gaffes that led up to this week's patching attempt, and why it keeps going wrong.
More: @gentilkiwi

Evidence found on a second Indian activist’s computer was planted, report says
Washington Post ($): Deeply troubling news from India. Two activists jailed in 2018, who were accused of plotting an insurgency against the Indian government, had evidence planted on their computers, according to a new forensic report carried out by Massachusetts-based digital forensics firm Arsenal Consulting. An unidentified hacker or hacking group (potentially a mercenary) used malware to break into their computers and deposit dozens of files in hidden folders. Experts say the malware campaign probably compromised other computers, too. U.N. officials have called for their release, though one of the imprisoned activists, 84-year-old Stan Swamy, died in custody this week. @jslaternyc has a good tweet thread, as does @jsrailton.
More: The Register | Background: Cyberscoop

'Barely able to keep up': America's cyberwarriors are spread thin by attacks
NBC News: Turns out that after a brutal few months in which it felt like the entire cyber world was on fire, those working in incident response are knackered (that's British for tired). And then this most recent spate of ransomware happens. (@kevilcollier worked on this story before the Kaseya attack.) Sure, the pay isn't bad and the work can be interesting, but the hours are long and it's tough work that hits at all hours (and then some). "There are only so many Friday night family dinners, weekends and holidays you are going to be willing to miss before you decide to pursue another, more comfortable line of work," said @dalperovitch. To be fair, @kimzetter is right: this also sounds a lot like journalism.
More: @thegrugq

This facial recognition tool's manual shows just how much it tracks people
The Markup: Documents and emails obtained by The Markup show just how much AnyVision's facial recognition software tracks people. AnyVision (which just raised $235M from Softbank and Eldridge) is used in casinos, sports arenas, and hospitals, but also schools. In some cases, individual students were logged hundreds, or even over a thousand, times a week. The technology has been justified as a way to prevent school shootings, but reading how one school district "hasn't heard any complaints about privacy or misidentifications since it's been installed" grossly misses the point, which is why The Markup's reporting on this is so important.
More: TechCrunch

Inside the FBI, Russia, and Ukraine’s failed cybercrime investigation
MIT Technology Review: This was a brilliant read, looking back at the 2010 attempted takedown of the notorious crime and hacking group behind the Zeus banking trojan, which had stolen $79 million at the time and remains one of the most lucrative cybercrime operations of its era. This long-read does an incredible job of telling the story of Operation Trident Breach in vivid detail: how the FBI, working with the Ukrainians, Russians, British and the Dutch, planned to launch simultaneous arrests. But the plan went south. I read this story twice, it was that good. The storytelling was exquisite.
More: @HowellONeill tweets | @malwaretechblog
~ ~

Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week, through Patreon. You can also donate one-time: PayPal or Venmo.
~ ~


Kaspersky Password Manager: All your passwords are belong to us
Ledger Donjon: When is a password manager not a password manager? When it's as flawed as Kaspersky's Password Manager, which was cracked wide open this week. Jean-Baptiste Bédrune explains that the password generator seeded a non-cryptographic PRNG (a Mersenne Twister) with nothing more than the current time in seconds, so every password it produced is fixed by the second it was created: two users generating a password in the same second get the same one, and an attacker who knows roughly when a password was made only has to try each second in that window. "Passwords generated by this tool can be brute-forced in seconds," wrote Bédrune. The whole post is worth the read (or read @matthew_d_green's tweet thread).
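As an added illustration (this is not code from Ledger Donjon or from Kaspersky), here is a simplified model of the flaw described: a Mersenne Twister seeded only with the creation time in seconds, next to the brute force that recovers the seed from a single password, and the CSPRNG-backed generator that should have been used instead. The alphabet, password length and timestamps are constructed for the example; Python's random.Random is MT19937, which is what makes the model faithful to the class of bug.

```python
import math
import random
import secrets
import string

# 70-character alphabet, chosen for this example (not the product's actual set).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def weak_generate(created_at: int, length: int = 12) -> str:
    """Model of the flawed generator: a Mersenne Twister (Python's
    random.Random is MT19937) seeded with nothing but the creation time in
    whole seconds. Once the second is known, the password is known."""
    rng = random.Random(created_at)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length: int = 12) -> str:
    """What a password generator should do: draw each character from the
    OS CSPRNG, so there is no seed for an attacker to guess."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def recover_seed(password: str, window_start: int, window_end: int):
    """Attacker side: given one password and a rough idea of when it was
    created (an account's creation date, say), regenerate for every
    second in the window and stop at the first match. Returns None if
    the password was not produced by any second in the window."""
    for t in range(window_start, window_end + 1):
        if weak_generate(t, len(password)) == password:
            return t
    return None


def nominal_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy the password looks like it has."""
    return length * math.log2(alphabet_size)


def effective_bits(window_seconds: int) -> float:
    """Entropy the password actually has when the only secret is a
    creation time known to lie within a window of this many seconds."""
    return math.log2(window_seconds)


if __name__ == "__main__":
    created = 1_625_000_000          # constructed creation time (epoch seconds)
    pw = weak_generate(created)
    # Same second, same password, for every user in the world.
    assert weak_generate(created) == pw
    # Brute force over a one-day window around the true time.
    found = recover_seed(pw, created - 43_200, created + 43_200)
    print(f"password {pw} recovered seed {found} (true {created})")
    print(f"looks like {nominal_bits(12):.1f} bits, "
          f"really {effective_bits(10 * 365 * 86_400):.1f} bits "
          f"for a ten-year window")
    print("CSPRNG version:", strong_generate())
```

The numbers are the whole story: a 12-character password over a 70-character alphabet should carry about 73 bits, but if the generator's only secret is a creation second somewhere in the last ten years, the search space is roughly 3.2e8 seeds, about 28 bits, and the brute force above walks it in minutes on a laptop. Narrow the window with any timestamp the target leaks and it is seconds.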

How does the Secret Service track fugitives?
Forbes: Forbes looks at how the Secret Service tried to catch an online scammer: by texting them to hand themselves in. But when the agents got a read notification from the scammer and heard nothing back, they escalated their tactics that involved asking Verizon for location data, which wasn't accurate enough, which is when they asked for a warrant to use a stingray. Whether it was used or not remains to be seen, but it's nevertheless an interesting read.
A text message from a Secret Service agent to a suspect asking him to turn himself in.
An office phone flaw can’t be fixed by Cisco alone
Wired ($): A vulnerability in more than a dozen Cisco IP desk phone models was patched this week, a flaw that could've allowed an attacker to gain complete control of a phone and eavesdrop on calls. But the patches don't eliminate the vulnerability altogether. That's because the bug is actually in the low-level firmware of the Broadcom chips that power the phones, so Cisco's updates can only make it harder to exploit rather than remove it. It also means other devices built on the same Broadcom parts are likely carrying the same bug.

The COVID-19 vaccines weren't hacked — this task force is one reason why
The Verge: A great semi-long read on how CISA's vaccine supply chain task force helped protect some of the manufacturers developing the COVID-19 vaccine from hackers. It wasn't vaccine makers like Pfizer and Moderna that were a worry, but the companies in the supply chain that weren't as protected from state-backed hacking campaigns.

Hacker risks jail to out Middlebury College employee for possessing child abuse imagery
Daily Beast: A nail-biter of a story. A security researcher was hunting for vulnerable computers when they found a cache of child abuse imagery belonging to a Middlebury College employee. The hacking that surfaced it was itself illegal, which left the researcher in an ethical dilemma: tell the FBI about the cache and implicate themselves in the process, or say nothing?
~ ~


14 cybersecurity deals announced in the first week of July
There's been a ton of M&A activity just in the first week of July alone, including: Barracuda acquiring Skout, HPE acquiring Zerto, Sophos acquiring Capsule8, and ZeroFox acquiring Vigilante. Lots of deals to catch up on!

U.S. cyber chief in limbo during REvil attacks
The White House plans to swear in Chris Inglis as the first U.S. national cyber director this coming week after his nomination, along with that of nominated CISA director Jen Easterly, was held up by political *cough* Rick Scott *cough* delays. Easterly is expected to be voted in potentially as early as next week, assuming the blocks are lifted. Obviously the appointment hold-ups couldn't come at a worse time, given the recent spate of attacks, including an apparent breach of the Republican National Committee's networks this week.

Jack Cable launches Ransomwhere to crowdsource ransomware details
One of the biggest problems in trying to tackle the ransomware problem is visibility — there just isn't enough understanding of who pays (and what), and if it even changes the dynamic of ransomware economics. @jackhcable has created Ransomwhere, a site that tracks and records ransomware payments. "Without such data, we can't know the full impact of ransomware, and whether taking certain actions changes the picture," he said in a tweet thread, which is well worth the read. All reports are manually verified. Solid idea.
~ ~


First up, @pwnallthethings is named as one of this year's Black Hat USA keynote speakers. Matt Tait, Corellium's COO, will give a talk on supply chain security, what happens when things go wrong, and what comes next.
A tweet from Black Hat announcing Corellium's Matt Tait as keynote speaker.
And, for reasons that nobody can seem to explain, Ron Swanson was somehow implicated in a Jordanian propaganda campaign, which Facebook suspended from the site this week. "I regret nothing. The end."
A screenshot of a Jordanian fake Facebook profile with Ron Swanson's photo as the profile photo.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


This week's cyber cat is Franklin, who is clearly in a cat-in-the-middle attack position. Watch out there, human, your passwords are next. A big thanks to Ingrid S. for the submission!
Please send in your cyber cats & friends! We're very low on reserves. Drop a photo with their name here. And of course you can submit more than one — or again!
~ ~


That's all for this week — thanks so much for reading. As always, feedback is welcome in the suggestion box. Take care — be well — and I hope you have a great week. See you Sunday.