~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 5, issue 2

~ ~


U.S. catches Kremlin insider who may have secrets of 2016 hack
Bloomberg ($): A fascinating look at the case of Vladislav Klyushin, a Russian IT executive whose tech company has done work for senior Russian officials, including President Vladimir Putin. Klyushin is charged with securities fraud and is now in U.S. custody after leaving Russia for a vacation in Switzerland. But U.S. officials believe the Russian national may have intelligence to offer on the DNC hack that embroiled the 2016 election. @emptywheel, who has closely covered the 2016 hack and its fallout, digs into the case and what it might mean.
More: Emptywheel | @hatr

Albuquerque impacted by ransomware attack on Bernalillo County government
The Record: County government buildings and public offices across the cities of Albuquerque, Los Ranchos, and Tijeras were closed on Wednesday following a ransomware attack on the IT network of the Bernalillo County government. Much of the county's network access was severed as a result. Albuquerque is one of the largest cities in the U.S. Nearby-ish Arkansas was also hit by a similar attack on the network of Crawford County, with a senior judge telling local media that jury lists couldn't be accessed nor marriage licenses issued. Not a great start to the year for millions of residents unable to access local government services.
More: Bernalillo County | ZDNet | KOAT

FTC settles with data analytics firm after millions of Americans’ mortgage files exposed
TechCrunch: The FTC has approved a settlement order with a mortgage data analytics firm for a 2019 security lapse that exposed millions of sensitive financial and mortgage documents on tens of thousands of Americans. It follows an investigation I worked on two years ago. The Elasticsearch database in question was exposed by a vendor working for the data analytics firm Ascension. The FTC accused Ascension of failing to ensure its vendors were complying with necessary data security safeguards as required under the law. Interestingly, the FTC said logs showed the data was exposed for about a year, during which more than 50 IP addresses accessed the exposed database — mostly from computers located in Russia and China. Now that's something I didn't know when I first reported the incident! (Disclosure: I wrote this story.)
More: TechCrunch | Federal Trade Commission

EU fines psychotherapy service Vastaamo over data breach
You might recall a major data breach involving a Finnish psychotherapy service called Vastaamo, which resulted in thousands of patients having their private therapy notes exposed online. It was a breathtakingly personal — and damaging — hack for tens of thousands of patients. But Vastaamo tried to cover up the breach; EU authorities accused the company of knowing about the hack as far back as a year before it was publicly revealed. does a great job of explaining the history of the case. Vastaamo, since declared bankrupt, was fined €608,000 — or about $690,000.
Background: Wired ($) | More: European Data Protection Board | Lexology
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week through Patreon. You can also donate one-time: PayPal or Venmo.
~ ~


Jerusalem Post targeted by hackers on anniversary of Soleimani's death
Jerusalem Post: The Jerusalem Post was caught in the cyber-crossfire this week after it was hacked on the anniversary of the U.S. drone strike that killed Iranian general Qasem Soleimani. The newspaper's site was hacked with a full-page image (archived) of what looks like a missile strike with the phrase, "We are close to you where you do not think about it." It's not the first time The Post has been targeted by pro-Iranian hackers.

The Mac malware of 2021
Objective-See: @patrickwardle is back with a new blog post rounding up the Mac malware from the past year. Wardle's list has eight new malware samples that targeted macOS this past year, including ElectroRAT and XLoader. Dark Reading also has a write-up.

Salesforce to require multi-factor authentication for all users
The Record: CRM giant Salesforce will require all customers, starting February 1, to use some form of multi-factor authentication. Per @campuscodi, customers can select security keys or a range of authenticator apps — but not through SMS, voice calls, or email authentication.
Catalin Cimpanu tweet: "They won't be able to use SMS, phone call, or email-based MFA."

NY attorney general notifies 17 companies of credential stuffing attacks
ZDNet: A total of 17 companies have been notified by the New York attorney general's office of account compromises as a result of credential stuffing — the reuse of the same passwords across different websites. The companies weren't named, but are said to be "well-known online retailers, restaurant chains, and food delivery services." Some 1.1 million credentials were compromised in total, the AG's investigation found.
~ ~


The former NSA official vying to steer Biden’s cyber policy
Bloomberg ($): @williamturton's latest is a deep profile of Anne Neuberger, a former NSA official who went on to steer the Biden administration's cybersecurity policy. But as noted, the White House created an "awkward situation from having nobody in charge of cyber to having two people in charge of cyber" — Neuberger is one of them, while Chris Inglis, the new national cyber director, is the other. The profile describes the strain between the two.

FBI's backdoored Anom phones secretly harvested GPS data around the world
Vice: After compromising the Anom phone network, used almost exclusively by criminals, not only did the FBI surreptitiously record every message sent by the phones' users, they also harvested their GPS location and transferred that information to authorities. The news provides more clarity on the scope and capabilities of the backdoor managed by the FBI, @josephfcox writes.

FTC warns companies to remediate Log4j security vulnerability
Federal Trade Commission: More FTC news this week — this time about Log4Shell, the ongoing bug in the ubiquitous Log4j logging software that's used practically everywhere. The FTC said companies should fix their systems to prevent compromise — or face the risk of legal action. The federal agency referenced Equifax's "entirely preventable" data breach, which investigators said was caused by the company's failure to patch an Apache Struts flaw that had been known about for months before its massive 2017 data breach. It's not about the FTC going door-to-door, @dotMudge said, but about collecting data points down the line.
Peiter Zatko tweet: "The FTC isn't going to go door to door auditing Log4j. They are (smartly) signaling that this will be a data point acquired when already working an issue."

How to read your iOS 15 app privacy report
Wired ($): A new feature brought to iOS 15.2 allows you to examine what networks and domains your iOS apps are connecting to, plus how frequently they access your device data — including contacts, location, camera and microphone. Sure, you might expect your weather app to access your location, but does that flashlight app really need access to your contacts? Now you'll know just how often it does.
~ ~


After this week's news that Norton now comes with a cryptominer, this tweet reply is submitted without comment:
Jeopardy question asks, "an attack using this disrupts normal functioning of a computer." The answer is ransomware, but someone commented instead: "What is Norton Antivirus"
And, lastly. The final recipient of the Chatter toy phone (details in last week's newsletter) goes to @RayRedacted, following a $666.66 donation to the @DianaInitiative. This crap piece of infosec history will be shipped off to you soon!
If you want to submit good news from the week, reach out!
~ ~


This week's cyber cats are Shadow (left) and Edmund (right), who mostly love to snuggle with each other — and sometimes with their humans. A two-for-one advanced purr-sistent threat. A big thanks to @SQLSevorg for sending them in!
Keep sending in your cyber cats (or friends)! Drop me an email here with their name and photo, and they will be featured in an upcoming newsletter.
~ ~


That's all for this week. As usual, the suggestion box is open, or feel free to reach out at See you next week — have a good one!