~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 4, issue 19

~ ~


Darkside retreats after blamed for Colonial Pipeline ransomware attack
Kim Zetter: So, that was a week, huh? Colonial Pipeline, which carries gasoline and jet fuel to much of the U.S. east coast, was hit by a ransomware attack, and the fallout was as bad as you'd expect: the company took the pipeline offline and panic buying led to fuel shortages. @kimzetter led this week's coverage of the incident. There's a lot to cover. The FBI blamed the Darkside ransomware-as-a-service group, which began to lose its nerve once the pipeline shutdown made headlines. @briankrebs wrote a profile on Darkside, which was a good read, as was Cyberscoop's piece. After Darkside claimed it had lost control of its servers, speculation ranged from U.S. law enforcement taking action all the way to an exit scam by the operators themselves.
More: Cyberscoop | Zero Day | The Record | Intel 471 | @nicoleperlroth | @hacks4pancakes

Colonial Pipeline paid hackers nearly $5 million in ransom
Bloomberg: Meanwhile, @williamturton (who had excellent coverage throughout the week) et al. broke the news that Colonial Pipeline paid nearly $5 million in ransom to get its systems back online. That's against the advice of the FBI (and pretty much everyone else) never to pay. That payment keeps a vicious cycle turning, reports @lilyhnewman, who looks at the wider picture. It comes in the same week that Washington DC's Metropolitan Police Department reportedly offered the Babuk ransomware group $100,000 to stop it leaking the department's sensitive files.
More: Motherboard | Wired ($) | Bloomberg ($) | Associated Press
Tweet says: "The company paid the hefty ransom in untraceable cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities."
Biden signs executive order designed to strengthen federal digital defenses
Washington Post ($): After a wave of hacks targeting the U.S. federal government and thousands of vulnerable Exchange servers, the Biden administration has issued a new executive order aimed at defending government agencies from similar attacks. Among other provisions, it directs the Commerce Department to craft new security standards for the software vendors that make up the federal government's supply chain, and it creates an NTSB-like board for investigating cybersecurity incidents. @jackhcable has a great tweet thread on how the new executive order works and what it means.
More: NPR | White House | BBC News | @jackhcable
Wi-Fi devices going back to 1997 vulnerable to new Frag Attacks
The Record: Belgian security researcher @vanhoefm is back with a new set of Wi-Fi vulnerabilities, dubbed Frag Attacks (short for fragmentation and aggregation attacks). Some are design flaws in the Wi-Fi standard itself and affect devices going back 24 years, to 1997; others are caused by "widespread programming mistakes" in individual implementations. Obviously that makes patching a nightmare: the first kind needs the standard itself fixed, and the second needs a firmware update from every affected vendor. The Wi-Fi Alliance has spent the past nine months fixing the standard and working with device vendors to patch the vulnerabilities.
More: Wired ($) | Frag Attacks

Ransomware attack hits Irish health service
BBC News: Yes, more ransomware. This time it's the Irish health service (the HSE), which described the incident as "possibly the most significant cybercrime attack on the Irish state." The Irish taoiseach said the state won't pay the ransom, but the health service had to shut down its IT systems as a result. Per @kimzetter, it looks like the Conti ransomware group is to blame. While some ransomware groups say they won't hit medical facilities or infrastructure, Conti never made that promise. Conti reportedly demanded $20 million, threatening to publish the files it stole before encrypting them.
More: Bleeping Computer | Irish Times
~ ~

Thank you to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks!), to help cover the server and email costs. You can contribute to the Patreon, or send a one-time donation via PayPal or Venmo
~ ~


Millions at security risk from old routers, Which? warns
BBC News: Researchers at Pen Test Partners and the consumer watchdog Which? found that millions of internet subscribers in the U.K. are using insecure routers supplied by their ISPs. Of the 13 models tested, more than two-thirds had security vulnerabilities, and an estimated six million people have a router that hasn't received a firmware update since 2018. ZDNet also has more.
Geoff White's tweet says: "And, frankly, a shit response from some of the ISPs who provide these boxes, in my opinion."
Phoenix police keep tabs on social media, but who keeps tabs on cops?
Cronkite News: Incredible reporting here from Arizona PBS on how police in Phoenix are following protesters and other residents on social media. This kind of surveillance is gaining traction as a way to address domestic terrorism, but the Phoenix Police Department works under "barebones guidelines when monitoring online activity," which has civil liberties and privacy experts concerned that the policy gaps leave police with "broad powers that can stifle free speech." A deep dive, and worth the read. Includes comment from @maassive of the EFF.

Pentagon surveilling Americans without a warrant, senator reveals
Motherboard: A letter from Sen. Ron Wyden's office spells out that the Department of Defense is surveilling Americans without a warrant. Wyden, a member of the Senate Intelligence Committee, where much (but not all) of the work is classified, is known for asking pointed questions that skirt very close to the line of what can be disclosed, allowing others to dig in and investigate without anything classified being revealed. This newly released letter shows Wyden pushing the Pentagon to reveal more, since the underlying information remains classified. But it strongly suggests that the Pentagon is collecting location data from Americans' phones without a warrant, simply by buying it from private companies. Solid reporting as always from @josephfcox, who also has an explanatory tweet thread on the matter.

Rapid7 says attacker accessed its source code in Codecov supply chain hack
Cyberscoop: Security firm Rapid7 says some of its source code was obtained by way of the Codecov supply chain compromise, in which attackers are said to have gained access to hundreds of networks belonging to Codecov customers. (Twilio was another customer that said last week it was also hit by the Codecov fallout.) Rapid7 said the affected source code repositories also contained some internal credentials. Ouch.
~ ~


Exploiting custom protocol handlers for cross-browser tracking in most browsers
Here's some interesting research. The four top modern browsers are vulnerable to cross-browser tracking, which lets a website identify you across different browsers on the same machine, including Tor Browser. It works because a website can check whether certain apps are installed by probing the custom URL scheme handlers they register, like skype:// or zoom://. The resulting list of installed apps belongs to the machine rather than to any one browser, so it serves as a fingerprint that stays the same no matter which browser you use.
A screenshot showing how the cross-browser tracking works by exploiting custom URL schemes, which includes Zoom and Skype.
Kevin Beaumont's review of May's Patch Tuesday
@GossiTheDog looks at this month's Patch Tuesday, a fresh round of bug fixes for Microsoft users, including a remote code execution bug in the HTTP Protocol Stack, http.sys (CVE-2021-31166), which Microsoft says is wormable and which should be patched as a priority, plus a ton of Exchange patches from Pwn2Own. "Keep calm and patch," he says. @briankrebs also has a rundown of this month's patches.

Riana Pfefferkorn has a lot to say about the Cellebrite hack
Remember a few weeks back when Signal CEO @moxie dropped a handful of zero-days on Cellebrite after he picked up a Cellebrite phone data extraction kit he saw "fall off a truck"? (Weeks earlier, Cellebrite said it could obtain Signal conversations from an unlocked Android phone, which — yeah.) Anyway, @Riana_Crypto has a new blog post out that has, as advertised, a lot to say about the whole affair and the legal repercussions that come next. A really fascinating read; can't recommend it enough.

Passing on your password? Streaming services are past it
Well, we always knew it might turn out this way. Streaming services are said to be cracking down on password sharing. Exactly how this plays out will be interesting. Per the AP: "The video companies have long offered legitimate ways for multiple people to use a service, by creating profiles or by offering tiers of service with different levels of screen sharing allowed. Stricter password sharing rules might spur more people to bite the bullet and pay full price for their own subscription. But a too-tough clampdown could also alienate users and drive them away." @gsuberland has an interesting tweet thread on the counterpoints.
Graham Sutherland's tweet says "password sharing saves customers several billion dollars."
~ ~


Not much in the happy corner this week, but after some promising revised CDC advice on mask wearing (in the U.S.), some of you had a bit of fun with it. My favorite was from @geoffbelknap:
A joke tweet that says, "Update: CDC Says fully vaccinated people can now enable 2FA on all their personal accounts."
If you want to nominate some good news from the week, feel free to reach out.
~ ~


This week's cyber cat is Crypto. As you can see, she's sleeping on the job when she should be threat hunting (hackers, spies, mice, etc.). Thanks to her human, @sehnaoui, for the submission!
Please keep sending in your cyber cats (and their friends)! You can drop them here, and feel free to send updates on previously-submitted friends!
~ ~


Thanks so much for reading — let's hope next week isn't as strange or stressful as this one! 
The suggestion box is always open for feedback. Have a great one, and see you next Sunday.