~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 4, issue 40

~ ~


Sinclair Broadcast hack linked to notorious Russian cybergang
Bloomberg ($): Sinclair Broadcast Group, one of the biggest broadcasters in the U.S., was hit by ransomware, forcing it offline for the best part of a week. The company was hit by the Macaw ransomware, believed to be a new strain of the WastedLocker ransomware developed by Evil Corp., a Russian cybercrime group that was sanctioned by the U.S. Treasury in 2019. Sanctions make it difficult for victims to pay the ransom (if they choose to), since U.S. companies aren't allowed to transact with sanctioned entities. Sinclair is one of two companies hit by Macaw this week, the second being Olympus' Americas network.
More: The Record | @jeffstone500 | @campuscodi

Commerce Dept. announces new rule to stem sale of hacking tools to Russia and China
Washington Post ($): A new U.S. rule will make it more difficult for countries like Russia and China to acquire hacking tools. The rule will affect spyware like NSO Group's Pegasus, which several authoritarian governments have used to spy on journalists and activists. A new license from Commerce will be required to export to certain countries. The rules are incredibly confusing, but @nakashimae explains the nuance well. It comes as Israel, which allows NSO to sell access to its spyware to regimes like Mexico, Morocco, and Saudi Arabia, tries to repair relations with France after the phone hacking scandal made its way to the Élysée.
More: Axios | @jsrailton
Runa Sandvik tweet: "A tl;dr on spyware and regulation." (Follow the link for more.)

How hackers hijacked thousands of high-profile YouTube accounts
Wired ($): Hackers-for-hire are targeting high-profile YouTube accounts using cookie-stealing tactics. Whoever holds a stolen session cookie can use a site, service or app as if they were the authenticated user, bypassing the need for passwords and two-factor codes. Google's Threat Analysis Group found the hacking campaign operating over the past two years. It starts with a phish, and the goal is to hijack YouTube channels to broadcast cryptocurrency scams or to sell off the account to the highest bidder.
More: Google TAG | @lilyhnewman
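A stolen session cookie is only useful if the server treats it as proof of identity on its own. The sketch below is an added example, not code from Google or from the Wired story: it shows the server side of a session that is bound to the client seen at login (a hash of the user agent and a coarse network origin) so that the same cookie arriving from a different client is revoked and the user is sent back through login, and it sets the cookie attributes (HttpOnly, Secure, SameSite) that stop a browser handing it to scripts, plain-HTTP requests or cross-site requests. The store, the `AS64496`-style origins, the user names and the timeline are all constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"time"
)

// Session is the server-side record a cookie points at; the cookie value itself is an opaque ID.
type Session struct {
	User      string
	ClientKey string // hash of the user agent and coarse network origin seen at login
	Issued    time.Time
}

// Store is an in-memory session table (hypothetical; a real deployment would use a shared store).
type Store struct {
	sessions map[string]*Session
	maxAge   time.Duration
}

func NewStore(maxAge time.Duration) *Store {
	return &Store{sessions: map[string]*Session{}, maxAge: maxAge}
}

// clientKey reduces the client's observable properties to one comparable fingerprint.
// "origin" is a coarse value such as an ASN or a /24, not the exact IP, to tolerate normal roaming.
func clientKey(userAgent, origin string) string {
	sum := sha256.Sum256([]byte(userAgent + "\x00" + origin))
	return hex.EncodeToString(sum[:])
}

// Login creates a session and returns the cookie to set, with the attributes that keep the
// browser from exposing it to scripts, plain HTTP, or cross-site requests.
func (s *Store) Login(user, userAgent, origin string, now time.Time) *http.Cookie {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	id := hex.EncodeToString(raw)
	s.sessions[id] = &Session{User: user, ClientKey: clientKey(userAgent, origin), Issued: now}
	return &http.Cookie{
		Name: "sid", Value: id, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
		MaxAge: int(s.maxAge / time.Second),
	}
}

// Verdict is what the server does with a request that presents a session cookie.
type Verdict int

const (
	Allow  Verdict = iota // cookie valid, same client as at login
	Reauth                // cookie valid but replayed from a different client: revoke and force login
	Reject                // unknown, expired or already revoked cookie
)

func (v Verdict) String() string { return [...]string{"allow", "reauth", "reject"}[v] }

// Check evaluates one request. A mismatch between the client now and the client at login is
// the signature of a stolen cookie being replayed, so the session is revoked server-side.
func (s *Store) Check(id, userAgent, origin string, now time.Time) (Verdict, string) {
	sess, ok := s.sessions[id]
	if !ok {
		return Reject, ""
	}
	if now.Sub(sess.Issued) > s.maxAge {
		delete(s.sessions, id)
		return Reject, ""
	}
	if sess.ClientKey != clientKey(userAgent, origin) {
		delete(s.sessions, id)
		return Reauth, sess.User
	}
	return Allow, sess.User
}

func main() {
	t0 := time.Date(2021, 10, 20, 9, 0, 0, 0, time.UTC) // constructed timeline
	store := NewStore(8 * time.Hour)
	c := store.Login("creator@example.test", "Mozilla/5.0 (X11; Linux)", "AS64496", t0)
	for _, r := range []struct {
		ua, origin string
		at         time.Time
	}{
		{"Mozilla/5.0 (X11; Linux)", "AS64496", t0.Add(5 * time.Minute)},  // the real user
		{"Mozilla/5.0 (Windows NT)", "AS64511", t0.Add(20 * time.Minute)}, // the same cookie from elsewhere
		{"Mozilla/5.0 (X11; Linux)", "AS64496", t0.Add(25 * time.Minute)}, // real user after revocation
	} {
		v, user := store.Check(c.Value, r.ua, r.origin, r.at)
		fmt.Printf("%s %-8s user=%q\n", r.at.Format(time.Kitchen), v, user)
	}
}
```

Binding a session this tightly has a cost: a legitimate user who changes network will be asked to log in again, which is why the fingerprint uses a coarse origin and why many services step up to re-authentication rather than hard-revoking. Note that HttpOnly does nothing against malware that reads the cookie jar from disk, which is the case the TAG report describes; the server-side mismatch check and a short cookie lifetime are what limit the damage there.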

A massive ‘stalkerware’ leak puts the phone data of thousands at risk
TechCrunch: The private phone data of hundreds of thousands of people is at risk because of a security issue in widely used consumer-grade spyware, also known as stalkerware since it's often misused to spy on a spouse or domestic partner. Call records, text messages, photos, browsing history, precise geolocations and call recordings are easily accessible online because of the security issue. But neither the developer nor its web host Codero, which hosts the spyware's infrastructure, took action. As a result, the data is still accessible — and the number of victims is growing every day. (Disclosure: I wrote this story.)
More: TechCrunch | @zackwhittaker

Governments turn tables on ransomware gang REvil by pushing it offline
Reuters ($): REvil, the notorious ransomware group blamed for the Kaseya, Travelex and JBS hacks earlier this year, has gone offline after an apparent coordinated takedown by global law enforcement agencies. REvil's Tor site, which it uses for leaking stolen data when victims refuse to pay, displayed a default "nginx" web server error during the periods when the site wasn't completely offline. Reuters says, citing sources, that law enforcement compromised the group's backups, which one of the gang members later discovered. "Ironically, the gang's own favorite tactic of compromising the backups was turned against them." The White House declined to comment. Maybe we'll hear more this coming week?
More: ZDNet | @kimzetter
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week, through Patreon. You can also donate one-time: PayPal or Venmo.
~ ~


Nonprofit websites are riddled with ad trackers
The Markup: Incredibly good work here from The Markup's @alfredkng and @tenuous, who looked at the use of ad trackers on non-profit sites. Turns out, it's quite a few. Planned Parenthood's website contained two dozen ad trackers, including "session recorders," which monitor your mouse movements and which links you click on the page. That's obviously a major privacy issue for folks visiting the site looking for medical and reproductive help. The Markup used data from its own tool, Blacklight, which scans websites for ad trackers to help you understand where your data is going. @juliaangwin has a good tweet thread on the story.
Julia Angwin tweet: "We scanned 23,000+ nonprofit sites and found they were heavily tracking visitors. Planned Parenthood was even monitoring visitor keystrokes."

SmarterASP blames power outage for thousands of lost databases
Computing ($): SmarterASP, a California-based web host, is blaming the loss of thousands of customer databases on a power outage. Some clients say they've lost "everything." I've since learned that the Cl0p ransomware group is claiming responsibility for the "outage." A Tor site associated with Cl0p published a screenshot with dozens of folders allegedly belonging to SmarterASP customers. Two years ago, SmarterASP was hit by a confirmed ransomware attack, but was able to recover customer files.

The day my script killed 10,000 phones in South America
Python for Engineers: Hands up who hasn't had a day like this? Shantnu Tiwari tells the story about how he created a script that accidentally locked thousands of phones in South America. It was a multi-faceted mess-up, but the post-mortem is well worth the read — especially for the "move fast, break things" crowd.

Cyber private eyes go after hackers, without counterattacking
Wall Street Journal ($): "Hacking back" is illegal but soon might not be, if a bipartisan bill gets its day on the Senate floor. It's not uncommon for governments to hack the hackers, but it's illegal for private businesses to do this, because the law is the law. There is a loophole, though: ask the hackers for permission first. This piece looks at one company, Redacted, and how it stays on the legal side of U.S. hacking laws while pursuing criminals without "hacking back."

'Bulletproof' hosting operators sentenced for role in aiding the spread of Zeus malware
Cyberscoop: The Zeus malware stole more than $100 million in its time, but now the operators of the "bulletproof" hosting company — named because of their penchant for hosting cybercriminals and their ability to evade law enforcement agencies — that hosted the Zeus malware have been sentenced to prison. The Justice Department announced jail terms of 24 months and 48 months respectively for Estonian citizen Pavel Stassi and Lithuanian citizen Aleksandr Skorodumov.
~ ~


Dutch forensic lab says it has decoded Tesla's driving data
Reuters ($): This could get interesting. The Dutch government's forensics lab says it's decrypted Tesla's closely guarded driving data-storage system, allowing access to a ton of information that could be used to investigate crashes. The lab, known as the NFI, said Tesla encrypts its coded driving data "to keep its technology secure from other manufacturers and protect driver privacy," per Reuters. "Car owners can request their data, including camera footage, in the event of an accident."

Candy corn factory hacked at the worst possible time
The Takeout: Hallowe'en is ruined! Ferrara Candy has slowed production, including of its flagship autumnal Brach's candy corn, after — you guessed it — a ransomware attack. Ferrara said there was no worry of shortages. But given I was unable to find any in stores until Friday, I'd guess that demand was exceeding supply.
Anne Johnson tweet: "Pay the ransom in candy corn. They will rethink their life choices."

Accenture lost 'proprietary information' in summer ransomware attack
Cyberscoop: Accenture told the SEC in a filing that outsiders extracted "proprietary information" following a security incident earlier this year, though the company said "none of the information is of a highly sensitive nature." The incident coincides with the LockBit 2.0 ransomware group leaking the company's information from its Tor site, claiming Accenture failed to pay a $50 million ransom.
~ ~


This week saw the annual #ShareTheMicInCyber day that elevates the voices of Black cyber practitioners and those historically excluded from opportunities in what is a historically white field. You can read more about the movement in this post by @camilleesq and @lzxdc, and check out the #ShareTheMicInCyber hashtag.

Remember a few weeks ago when Let's Encrypt's root certificate expired? Actually, things didn't go as badly as some expected. @scott_helme, who wrote a detailed post-mortem of the root certificate switchover, said it "went really quite well, largely due to the work Let's Encrypt did around arranging for a new cross-signed chain to be available beyond the expiration of the IdenTrust root."
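Why a cross-signed chain that outlives the old root helps is easier to see with a toy PKI than with a diagram, so here is an added example (not Let's Encrypt's or Scott Helme's code). It builds an old root that expires, a new root, a cross-sign of the new root's key by the old root that is valid past the old root's expiry, an intermediate and a leaf, then checks the leaf with two model clients: a strict one (Go's own `x509` verifier, which checks the trust anchor's validity period too) and a lenient one that treats its trust store entry as a trusted key and never looks at the anchor's dates, which is the behaviour the post-mortem relies on for older devices. The names, keys and dates are all constructed; they only mirror the shape of the Let's Encrypt chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

var serial int64

// issue creates a certificate for pub with the given subject and validity, signed by parent with
// parentKey; with parent nil the certificate is self-signed (parentKey must then be pub's own key).
func issue(cn string, ca bool, from, to time.Time, pub *ecdsa.PublicKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{"example.test"} // constructed hostname for the leaf
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// PKI is the constructed hierarchy. CrossSign carries NewRoot's subject and key but is issued by
// OldRoot, with a validity period that ends after OldRoot itself has expired.
type PKI struct{ OldRoot, NewRoot, CrossSign, Intermediate, Leaf *x509.Certificate }

func BuildPKI() PKI {
	gen := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		return k
	}
	oldKey, newKey, intKey, leafKey := gen(), gen(), gen(), gen()
	oldRoot := issue("Old Root CA", true, date(2000, 9, 30), date(2021, 9, 30), &oldKey.PublicKey, nil, oldKey)
	newRoot := issue("New Root CA", true, date(2015, 6, 4), date(2035, 6, 4), &newKey.PublicKey, nil, newKey)
	cross := issue("New Root CA", true, date(2021, 1, 20), date(2024, 9, 30), &newKey.PublicKey, oldRoot, oldKey)
	inter := issue("Intermediate R3", true, date(2020, 9, 4), date(2025, 9, 15), &intKey.PublicKey, newRoot, newKey)
	leaf := issue("example.test", false, date(2021, 8, 15), date(2021, 11, 13), &leafKey.PublicKey, inter, intKey)
	return PKI{oldRoot, newRoot, cross, inter, leaf}
}

// StrictVerify models a modern client: build a path to a trust-store certificate and check every
// certificate's validity period, the trust anchor included.
func StrictVerify(p PKI, served, trusted []*x509.Certificate, now time.Time) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range served {
		inters.AddCert(c)
	}
	_, err := p.Leaf.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: roots, Intermediates: inters, CurrentTime: now})
	return err == nil
}

// LenientVerify models a client that treats its trust-store entry as a trusted key: it checks
// dates on the served certificates but never on the anchor. (Hostname checking omitted for brevity.)
func LenientVerify(p PKI, served []*x509.Certificate, anchor *x509.Certificate, now time.Time) bool {
	chain := append([]*x509.Certificate{p.Leaf}, served...)
	for i, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return false
		}
		parent := anchor
		if i+1 < len(chain) {
			parent = chain[i+1]
		}
		if err := c.CheckSignatureFrom(parent); err != nil {
			return false
		}
	}
	return true
}

// Outcomes runs the scenarios either side of the old root's expiry (dates constructed).
func Outcomes(p PKI) map[string]bool {
	before, after := date(2021, 9, 1), date(2021, 10, 24)
	oldStore, newStore := []*x509.Certificate{p.OldRoot}, []*x509.Certificate{p.NewRoot}
	short, long := []*x509.Certificate{p.Intermediate}, []*x509.Certificate{p.Intermediate, p.CrossSign}
	return map[string]bool{
		"strict, old store, long chain, before expiry": StrictVerify(p, long, oldStore, before),
		"strict, old store, long chain, after expiry":  StrictVerify(p, long, oldStore, after),
		"strict, new store, short chain, after expiry": StrictVerify(p, short, newStore, after),
		"strict, new store, long chain, after expiry":  StrictVerify(p, long, newStore, after),
		"lenient, old key, long chain, after expiry":   LenientVerify(p, long, p.OldRoot, after),
		"lenient, old key, short chain, after expiry":  LenientVerify(p, short, p.OldRoot, after),
	}
}

func main() {
	for name, ok := range Outcomes(BuildPKI()) {
		fmt.Printf("%-46s %v\n", name, ok)
	}
}
```

The two cases that matter are the ones after the old root's expiry: a strict client that only trusts the old root fails no matter what chain it is served, while a lenient client with the old key still validates the long chain because the cross-sign itself is within its dates and the anchor's own expiry is never consulted. Clients with the new root in their store are fine either way, and serving the long chain costs them nothing.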

And, finally, this TikTok.
TikTok joke: "Why can't you use 'beef stew' as a computer password? It's not stroganoff."

Got some good news from the week? Get in touch:
~ ~


This week's cyber cat is Smitty, who as you can see here is sharpening her Ghidra skills... and doesn't know why you're not doing the same? A big thanks to @craigstuntz for the submission!
Don't forget to keep sending in your cyber cats (and your other fluffy non-feline friends). You can send them in with their name and photo by email here.
~ ~


And that's it for this week. Thanks for reading! As always, drop any feedback you might have in the suggestion box or reach out directly. Take care, see you next Sunday.