~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 4, issue 24

~ ~


The Clop bust shows exactly why ransomware isn’t going away
Wired ($): The raid and arrest of several Clop members this week left the ransomware gang hobbled, if not dismantled. Ukrainian authorities working with South Korean police arrested six members across Kyiv, and seized computers, cash, and equipment. The dark web site that the group used to publish the files it stole from its victims is still up but hasn't been updated in weeks. But the arrests only touch the tip of the iceberg of ransomware actors, and don't expect wholesale changes until Russia, which gives safe harbor to several ransomware gangs, intervenes. That may be closer than it has been, after the Biden-Putin summit in Geneva, where recent ransomware attacks were raised. All eyes are on Russia now to act — if it will at all.
More: ZDNet | Yahoo News | Cyberscoop

Critical entities targeted in suspected Chinese cyber spying
Associated Press: An espionage campaign linked to China-backed hackers was "more sweeping" than first thought, reports the AP. The campaign relied on exploiting a zero-day vulnerability, discovered back in April, in Pulse Secure, a VPN used by some of the world's biggest enterprise networks. The hackers broke into the NYC Subway system (which I mentioned a couple of weeks back) but aren't believed to have taken anything; researchers now say dozens of other high-value targets were hit, including Verizon and the country's largest water agency. Questions remain about the espionage campaign, given that it's not clear what — if any — data was actually stolen.
Archive: New York Times ($)

Bombshell report finds GPRS encryption was deliberately weakened
Motherboard: A new academic paper found that two old encryption algorithms still used in phone networks can be exploited to snoop on a phone's internet traffic. GEA-1, the algorithm adopted when the phone industry introduced GPRS in 2G networks, was effectively backdoored in a way that could allow the decryption of a phone user's traffic. One of the researchers said millions of users were poorly protected for years as a result of the algorithm having to "meet political requirements." GEA-2, the succeeding algorithm, did not contain the same weaknesses. But GEA-1 is still baked into some phones as a fallback for when there's only GPRS coverage in certain countries. @matthew_d_green has a tweet thread out, which is well worth the read.
More: Washington Post ($) | The Register
A list of new devices (including iPhones) that contain the backdoored GEA-1 algorithm.

Cyberattacks against America's water supply are going largely unreported
NBC News: @kevincollier has a deep-dive on the state of America's water supplies. Turns out a lot of hacks against water systems are going unreported — there are some 50,000+ water treatment plants in the U.S. — because there's no incentive to tell anyone. One apparent breach at a Bay Area plant allowed a hacker to break in remotely using a TeamViewer account and delete programs used to treat drinking water. (The local officials said there was no risk to public safety.) It comes after the high-profile breach at a Florida water treatment plant earlier this year.
More: San Francisco Chronicle | @kevincollier

Hackers are selling data stolen from Audi and Volkswagen
Motherboard: Last week, Volkswagen said a vendor left 3.3 million customers' data on an exposed server over a period of two years. Now it turns out that the data was found and is now for sale on an underground hacking forum. The data was stored on an unprotected Azure blob. Most of the exposed data includes names, email and postal addresses, and phone numbers, but some 90,000 people had more sensitive data exposed, like Social Security numbers. (The data that was actually taken didn't include SSNs, though.)
More: TechCrunch | Reuters ($)

Why no-one in America was arrested as part of Trojan Shield
ABC News (AU): Operation Trojan Shield (also known as Ironside) was the bust of encrypted service Anom that allowed the FBI and Australian police to arrest hundreds of alleged criminals thought to be involved in organized crime by intercepting millions of messages over the ostensibly private network. But the FBI was not allowed to download or read any Americans' data found in the Anom cache. @granick has an interesting take on the report, noting that we don't really know much more than the narrative that the FBI has given. "It sounds like an effort to work around US law," said Granick. The thread is well worth the full read. It seems like the FBI is using this as a way to undermine confidence in encryption, without having to break it.
More: @granick tweets | Wired ($) | Gizmodo
~ ~

Thanks to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks!) to help cover the server and email costs. You can contribute to the Patreon, or send a one-time donation via PayPal or Venmo.
~ ~


How does one get hired by a top cybercrime gang?
Krebs on Security: How does a computer programmer get hired by one of the most notorious botnet groups? That's what happened to 55-year-old Latvian woman Alla Witte, who the DOJ last week charged with developing TrickBot, a malware-as-a-service used to infect millions of computers. @briankrebs looks at how Witte got involved, and how the DOJ tracked her down.

Building a WebAuthn click farm: Are CAPTCHAs obsolete?
Better Appsec: Luke Young built a makeshift click farm to "bypass" Cloudflare's 'CAPTCHA killer' feature. Young used an Arduino, a handful of cheap USB security keys, and some Python code to intercept WebAuthn requests and send them to a remote FIDO key to be solved. In other words, it's possible to automate Cloudflare's Attestation of Personhood challenge. Oh, and Young open-sourced the code so you can try at home, too.
A Slack screenshot explaining the problem of trying to set up a Yubikey to bypass Cloudflare's human check.

Wire fixes two high-rated security bugs
Kane Gamble: @gkane_ reported two security bugs in encrypted messaging app Wire — a stored XSS bug and a Denial-of-Service bug. The advisories were published on GitHub, with both rated "high" for severity.

Inside the market for cookies that lets hackers pretend to be you
Motherboard: Here's a look at the Genesis Market, an underground marketplace that lets you buy stolen cookies — the small pieces of data a service stores in your browser to keep you logged in without having to re-enter your password. Steal a cookie and you effectively steal someone's login. It's how EA got hacked last week — someone bought a stolen cookie for EA's Slack, and then the hackers socially engineered an MFA token from IT support.
A redacted list of Slack credentials stolen from Fortune 500 companies.

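A session cookie is a bearer token: whoever presents it is treated as the logged-in user, which is why a stolen one is worth buying. The Python below is an added editor's example, not code from Motherboard's report or from any product it describes, showing two defender-side measures against exactly this: binding a session at login to coarse client context (IP /24 prefix plus user agent) so a cookie replayed from a different device is rejected and the session revoked, and a scan over web-server logs that flags a session ID seen from more than one client context. The log format, session IDs, IP addresses and user agents are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass

IDLE_TIMEOUT = 30 * 60  # seconds of inactivity before a session is dropped


def fingerprint(ip: str, user_agent: str) -> str:
    """Hash coarse client context; the /24 prefix tolerates ordinary NAT churn."""
    prefix = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{prefix}|{user_agent}".encode()).hexdigest()[:16]


@dataclass
class Session:
    user: str
    fingerprint: str  # client context recorded at login
    last_seen: int


class SessionStore:
    """Minimal server-side session table keyed by the cookie value."""

    def __init__(self):
        self.sessions: dict[str, Session] = {}

    def login(self, sid: str, user: str, ip: str, ua: str, now: int) -> None:
        self.sessions[sid] = Session(user, fingerprint(ip, ua), now)

    def validate(self, sid: str, ip: str, ua: str, now: int):
        """Return the user if the cookie is valid for this client, else None."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT:
            del self.sessions[sid]  # stale cookie: require a fresh login
            return None
        if s.fingerprint != fingerprint(ip, ua):
            # Same cookie from a different client context: treat as possible
            # cookie theft and revoke the session everywhere, forcing
            # re-authentication (and MFA) rather than silently accepting it.
            del self.sessions[sid]
            return None
        s.last_seen = now
        return s.user


# Constructed log lines: "<unix time> sid=<cookie> ip=<client ip> ua=<user agent>"
LOG = """
1623800000 sid=a1b2 ip=203.0.113.10 ua=Mozilla/5.0 (Windows NT 10.0) Chrome/91
1623800050 sid=a1b2 ip=203.0.113.10 ua=Mozilla/5.0 (Windows NT 10.0) Chrome/91
1623800120 sid=c3d4 ip=198.51.100.7 ua=Mozilla/5.0 (Macintosh) Safari/14
1623800300 sid=a1b2 ip=192.0.2.55 ua=Mozilla/5.0 (X11; Linux x86_64) Firefox/89
"""
LOG_RE = re.compile(r"^(\d+) sid=(\S+) ip=(\S+) ua=(.*)$")


def find_shared_sessions(log_text: str) -> dict[str, list[str]]:
    """Map each session id seen from more than one client context to its fingerprints."""
    seen: dict[str, list[str]] = defaultdict(list)
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, sid, ip, ua = m.groups()
        fp = fingerprint(ip, ua)
        if fp not in seen[sid]:
            seen[sid].append(fp)
    return {sid: fps for sid, fps in seen.items() if len(fps) > 1}


if __name__ == "__main__":
    store = SessionStore()
    store.login("a1b2", "alice", "203.0.113.10", "Chrome/91", now=1000)
    print(store.validate("a1b2", "203.0.113.12", "Chrome/91", now=1010))  # alice
    print(store.validate("a1b2", "192.0.2.55", "Firefox/89", now=1020))   # None
    print(find_shared_sessions(LOG))  # {'a1b2': [...two fingerprints...]}
```

Binding to client context is a heuristic, not a guarantee: an attacker who replays the cookie through the victim's own network and browser string still passes, and mobile clients that change networks will be logged out. The log scan is the cheaper complement, since it works on data most sites already have and surfaces the reuse after the fact even where the application itself does no binding.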
~ ~


SEC settles with First American over massive data leak for nearly $500,000
Remember that massive 800 million+ document exposure a few years ago by First American? The company made $7.1 billion in revenue during 2020, but was just fined a meager $487,000 by the SEC, which is approximately 0.007% of its 2020 revenue. Gross.

Contractor exposed the movements of people wearing ankle GPS bracelets
A contractor for the Cook County Sheriff's Office, a law enforcement agency that covers Chicago, exposed the private data — including the ankle bracelet movements — of people who are under house arrest and being monitored through GPS devices. The exposure was fixed after it was discovered by an investigative journalist. The sheriff's office blamed Protocol, the company that maintained the exposed database. Protocol is part of BI Incorporated, a company that describes itself as "the largest and most complete provider of location and compliance monitoring technologies and related services, offering government agencies a complete solutions continuum for managing low- to high-risk offenders."

A new bill would restrict the use of stingrays
Stingrays, or cell site simulators, mimic cell towers to intercept phone calls and text messages, but there are no laws that govern how police and law enforcement agencies use these devices. That's set to change with a new bicameral bill by @ronwyden and @tedlieu that aims to protect innocent bystanders whose data is often inadvertently collected as a result. @jakelaperruque explains the importance of this bill in a tweet thread.
~ ~


Alright, here are a couple of things that might bring a smile to your face.

Congrats to @vm_call who accidentally discovered a zero-day that bricks an iPhone's Wi-Fi functionality with a specially-crafted SSID. Whoops!

And, @mxSophieH has a new Safecracking Simulator available for download (and on Steam) — and it looks absolutely ace. They have clearly spent a lot of time on this project, and I am really excited to try it out for myself.
A GIF of the safe-cracking simulator.

If you want to nominate some good news from the week, feel free to reach out.
~ ~


Meet Milton, this week's cyber cat. Milton hails from a rescue shelter in Kansas City and now lives in New England with his human. What a handsome boy! Big thanks to @BevatronDrummer for the submission.
This week's cyber cat is a ginger kitty called Milton.

Send in your cyber cats (and their friends)! Drop me a photo with their name, and email it here.
~ ~


That's it for this week. The suggestion box is open as always — so if you have any feedback, please drop it in there. See you again next week. Take care, and have a great one.