~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 5, issue 39

~ ~


Chinese tech threatens future global security, U.K. spy chief warns
Wall Street Journal ($): In a spicy speech in London, the head of Britain's signals intercept agency GCHQ warned of a growing threat from China amid claims the country is effectively trying to export its authoritarianism around the world. Jeremy Fleming (side note: what an extremely English name) said that technologies like its digital currency and satellites "deliberately and patiently set out to gain strategic advantage by shaping the world's technology ecosystems." Without action from like-minded allies (presumably the Five Eyes and beyond), the "divergent values of the Chinese state will be exported through technology," said Fleming, who called it a "huge threat to us all." Rare speech from a top British spy, but wow, let's keep it light?
More: Reuters ($) | BBC News | Politico

CISA adds Fortinet bug to exploited vulnerabilities list
The Record: Bad week for Fortinet customers (and government agencies) that have to scramble to fix a critical-rated vulnerability affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager, tracked as CVE-2022-40684. The bug allows unauthenticated attackers to "perform operations on the administrative interface," which is pretty bad for a security appliance. CISA has given civilian federal agencies until November 1 to shore up their systems. Security researchers say some 10,000 appliances are exposed to the internet, but there are likely many more vulnerable appliances out there. Proof of concept code is out already, and internet watchers note a rise in active exploitation in the wild. "An attacker can use this vulnerability to do just about anything they want to the vulnerable system," including adding users and changing networking configurations.
More: Bleeping Computer | @Gi7w0rm

NHS vendor Advanced won't say if patient data was stolen during ransomware attack
TechCrunch: Well, here's what should be an easy one, but NHS vendor Advanced won't say if patient data was compromised or taken during an August ransomware attack. If you recall, some NHS health trusts were struggling after IT systems were pulled offline following the incident, to the point where it was "compromising" care. But in a new report obtained by my TechCrunch colleague @carlypage_, Advanced said "legitimate" third-party credentials were used to break into its network (no MFA!), after which the LockBit 3.0 malware exfiltrated and encrypted its data. But was patient health data in there? Advanced's COO wouldn't say, or even whether it had the logs to determine what, if any, data was taken. LockBit 3.0 is a double-extortion racket, so if data was exfiltrated, there are fears it could soon appear online. It appears at least 16 care homes had patient data stolen, per @joetidy.
More: DigitalHealth | The Register | @joetidy tweets | @brettcallow

Secret agents targeting drug cartels in Australia exposed in breach
Sydney Morning Herald: What on earth is going on in Australia? First, Optus was breached, then Telstra, and now the Australian Federal Police is mopping up after a massive breach of emails from the Colombian government apparently exposed the identities and methods of agents working to stop drug importations to Australia. The leak contains information on 35 AFP operations, some still active, reports the Herald, which delayed publication to reduce the risk of endangering the lives of agents and informants. Many of the emails were in Spanish, and were reviewed by reporters. Guacamaya, the hacktivist group with environmental motives which also recently hacked the Mexican military, claimed responsibility for the breach.
More: ABC News (Australia) | Bleeping Computer | Reuters ($) | Dark Reading
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week. The Patreon is here. You can also donate just one time via PayPal or Venmo.
~ ~


The Google plasma globe affair of 2012
@lcamtuf: Fascinating notes from @lcamtuf, the creator of an internal Google red team exercise involving an "evil" USB-powered plasma globe, which when plugged in would register as a keyboard and deliver a malicious payload. Why, you might ask? It was at a time when USB threats weren't fully explored. Plus, bonus video.
An animated GIF illustration of a plasma globe infecting a tower PC.
QBot infects over 800 corporate users in new, ongoing campaign
SecurityWeek: Kaspersky is warning that QBot, aka Qakbot, an information stealer with a backdoor and self-spreading capabilities, has infected at least 800 corporate users in the U.S., Germany, Italy and India since late September. QBot exploited the Follina vulnerability earlier this year, but the malware is also known to hijack email threads in an effort to trick unsuspecting victims into downloading and installing the malware. Keep an eye out for suspicious emails.

'Thermal attack' reveals passwords in seconds
University of Glasgow: Researchers have developed a system that's capable of guessing a user's password by analyzing traces of heat left behind by fingerprints on keyboards and screens. The research uses thermal imaging and an AI model to make informed guesses about what the password or passcode could be. Though not necessarily a novel concept, the researchers found they could identify 86% of passwords when thermal images are taken within 20 seconds.

Office 365 message encryption flaw exposes scrambled text
WithSecure: Wild findings from security researchers at WithSecure, who found a flaw in Office 365's Message Encryption (OME), which utilizes Electronic Codebook mode (or ECB, keeping up?). But this mode is "generally insecure" as it can "leak information about the structure of the messages sent, which can lead to partial or full message disclosure." The researchers explain the goods, but in short, while the actual cleartext of an encrypted email message isn't revealed directly, information about its structure is, which means you can see "outlines" of letters. Case in point, this RAW image that's been AES encrypted in ECB mode, per the researchers:
A screenshot of what appears to be outlined text on a green lined background, saying, "You failed at crypto."
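To show why ECB leaks those "outlines," here is an added, stdlib-only Python illustration (my own, not WithSecure's code or anything from their report). It stands a toy Feistel block cipher built on SHA-256 in for AES, because the leak is a property of the mode, not the cipher: identical plaintext blocks become identical ciphertext blocks under ECB, whereas chaining (CBC here) breaks that correspondence. The key, the IV and the "image" rows are constructed sample values.

```python
import hashlib
import os

BLOCK, HALF, ROUNDS = 16, 8, 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, r, half):
    # Keyed pseudorandom round function for the toy cipher (not AES).
    return hashlib.sha256(key + bytes([r]) + half).digest()[:HALF]


def toy_encrypt_block(key, block):
    # Balanced Feistel network: any keyed permutation works for this demo.
    l, r = block[:HALF], block[HALF:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round_fn(key, i, r))
    return l + r


def toy_decrypt_block(key, block):
    l, r = block[:HALF], block[HALF:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round_fn(key, i, l)), l
    return l + r


def pad(data):
    # PKCS#7 padding so any message length becomes whole blocks.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    # ECB: every block is encrypted independently, so equal inputs give equal outputs.
    return b"".join(toy_encrypt_block(key, b) for b in _blocks(pad(plaintext)))


def ecb_decrypt(key, ciphertext):
    return unpad(b"".join(toy_decrypt_block(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key, plaintext, iv=None):
    # CBC: each block is XORed with the previous ciphertext block before encryption.
    iv = os.urandom(BLOCK) if iv is None else iv
    prev, out = iv, []
    for b in _blocks(pad(plaintext)):
        prev = toy_encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key, ciphertext):
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    prev, out = iv, []
    for b in _blocks(body):
        out.append(_xor(toy_decrypt_block(key, b), prev))
        prev = b
    return unpad(b"".join(out))


def block_pattern(data):
    # Label each block by the index of its first occurrence: this is the
    # "outline" an observer can read off a ciphertext without the key.
    seen, pattern = {}, []
    for b in _blocks(data):
        pattern.append(seen.setdefault(b, len(seen)))
    return pattern


# Constructed sample "image": one 16-byte row per block, background rows identical.
BACKGROUND = b"." * BLOCK
SAMPLE = b"".join([BACKGROUND, BACKGROUND, b"You failed at cr",
                   b"ypto." + b"." * 11, BACKGROUND, BACKGROUND])
KEY = b"constructed-demo-key"      # constructed, not a real key
IV = bytes(range(BLOCK))           # constructed; use os.urandom in practice


def demo(key=KEY, plaintext=SAMPLE, iv=IV):
    """Return the block patterns of the padded plaintext, its ECB and its CBC ciphertext."""
    ecb = ecb_encrypt(key, plaintext)
    cbc = cbc_encrypt(key, plaintext, iv)
    assert ecb_decrypt(key, ecb) == plaintext and cbc_decrypt(key, cbc) == plaintext
    return {
        "plaintext": block_pattern(pad(plaintext)),
        "ecb": block_pattern(ecb),
        "cbc": block_pattern(cbc[BLOCK:]),
    }


if __name__ == "__main__":
    for mode, pattern in demo().items():
        print(f"{mode:>9}: {pattern}")
```

Running it shows the ECB pattern matching the plaintext pattern exactly (the repeated background rows are visible as repeated ciphertext blocks), while every CBC block is distinct. The same holds for a real AES-128-ECB ciphertext of a bitmap, which is what the researchers' image above demonstrates.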
~ ~


Drones dropping zero-days: Here's a great thread by @Laughing_Mantis about a real world breach involving a drone-delivered exploit system that allowed the attackers into the target's Confluence instance "in order to target other internal devices from credentials stored there." It just goes to show that attackers are spending big for one-time attack scenarios, said @Laughing_Mantis. For those wanting more, The Register has more.

300,000 Toyota customers' emails leaked over five years: Plenty of egg on Toyota's corporate face after admitting it left access to a database of 300,000 email addresses exposed for five years. A contractor uploaded source code to a public GitHub repo back in 2018(!) that inadvertently included an access key to the Toyota database. TechCrunch has a short write-up, and the Toyota newsroom post is here, in the highly likely event your Japanese is better than mine.

Shein owner fined for covering up data breach: Speaking of 2018... some 39 million customers should've been notified of a 2018 data breach involving their information from online fashion giant Shein, but weren't, according to the New York attorney general's office, which has fined the company $1.9 million as a result. Shein's parent company Zoetop was breached in 2018, leading to the theft of login details of all of its customers. But New York's AG says Zoetop lied and notified "only a fraction" of affected customers. BBC News has the story.
~ ~


Here's the good stuff in the happy corner. First up, spicy memelord @NSA_CSDirector is upping his meme game, presumably for Cybersecurity Awareness Month. 5/5, no notes.
Rob Joyce tweet: "Continue to appreciate the exceptional capabilities of our industry partners!" with a photo of the A-Team truck with the caption: "Industry and government A-Team chasing an APT together."
Scandal hits Fat Bear Week after the National Park Service warned of the undermining of bear democracy (shriek!). Someone tried to sway the annual tournament dedicated to choosing a very fat brown bear by stuffing the virtual voting box with 9,000 votes over a "very short period of time." Not sure which bear to blame, Fancy Bear, Cozy Bear, Fat Bear... @milesklee has the scoop at Rolling Stone. (Someone get CISA on the line, stat!)

And, with Halloween approaching, watch out, kids.
b0tster tweet: "parents, please be careful this halloween. i found a chocolate bar running a copy of doom inside of it" with a photo of a Crunchie snapped in half with a small screenshot of "Doom" in the chocolate inside.
If you have good news you want to share, get in touch at:
~ ~


This week's cyber cat and friend are Brindle (left) and Cinder (right). Their human tells me that though they’re not internet-level snuggly with each other, they will hang out in close proximity (especially when there's sun involved). Big thanks to Nikita R. for the submission!
Send in your cyber cats (or their friends)! You can email here with their name and photo, and they'll be featured in an upcoming newsletter. Repeat submissions welcome.
~ ~


Aaaand that's all for now! Thanks so much for reading. The suggestion box is open as usual, or feel free to email me any feedback.

No newsletter next week(!) as I'll be taking a week off. See you the week following?

All the best,