~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 5, issue 31

~ ~


SMS phishing attack hits Twilio, Cloudflare, others
Cloudflare: News first hit that something was amiss on Monday when SMS and voice communications giant Twilio said it was briefly compromised after hackers socially engineered staff into turning over their credentials via a phishing page, which also asked for their one-time two-factor codes. The hackers accessed data on 125 customers (whether corporate customers or not, it's not clear). But the hackers were on a spree, targeting IT outsourcing companies, customer service providers, telcos and internet companies. Email marketing firm Klaviyo was also hit, with data on cryptocurrency-related accounts stolen. Cloudflare was also targeted, but its use of security keys meant the hackers couldn't get in. In a blog post, Cloudflare laid out the campaign in detail: credentials were stolen and siphoned via Telegram and immediately used to gain a foothold on the victim's network. Expect to hear more fallout this week.
More: Twilio | Ars Technica | @RachelTobac tweets
A screenshot of an iPhone with a SMS phish with a URL to a phishing page designed to capture credentials and two-factor codes.
Cisco confirms May attack by Yanluowang ransomware group
The Record: Cisco said it was attacked by a ransomware group in May but that the hackers only made off with a compromised employee's Box folder. Cisco said the stolen data was "not sensitive." Cisco's own Talos unit wrote the post-mortem, explaining how the attackers used voice phishing to convince an employee to accept an MFA push notification, which granted the attackers VPN access using the user's credentials. Bleeping Computer spoke with the hackers, who claimed 2.75GB of stolen data, including NDAs. In this case, Cisco said with reasonable confidence that the attacks were linked to Lapsus$, of which a few non-arrested members remain at large.
More: Cisco Talos | @josephmenn | @vxunderground | @BleepinComputer tweets

NHS IT supplier held to ransom by hackers
BBC News: What began as a "software outage" in early August at a vendor that powers much of the U.K.'s National Health Service later transpired to be ransomware. Advanced, the NHS vendor, provides digital services like patient check-in and the non-emergency 111 phone line. Advanced says it might take three to four weeks to recover from the attack, but has refused to say if NHS data was stolen. The impact is scattered across the different NHS services. NHS Wales said there was a "significant" impact on its services and ambulances may take longer, while NHS England said its disruption was "minimal." Scotland and Northern Ireland are also keeping tabs on the situation. But new reporting from the BBC's @joetidy shows many NHS doctors and services are facing considerable, potentially lengthy disruption in places, with some saying they can't access patient notes or files. Advanced hasn't said much about the incident.
More: Pulse | The Guardian | @joetidy
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week. The Patreon is here. You can also donate just one time via PayPal or Venmo.
~ ~


Hacker finds kill switch for submachine gun-wielding robot dog
Motherboard: A not-so-cute robot dog with a submachine gun strapped to its back that terrified the internet earlier this year can be defeated with ease thanks to a little-known kill switch. In a tweet, @d0tslash found that you can use the @flipper_zero hacker's multi-tool to wirelessly (and instantly) freeze the robot dog if it "hears" a particular signal nearby at 433 MHz. Handy to have when the robots rise up.
An animated GIF of a robot dog collapsing on the floor after a button is pressed on a Flipper Zero hacker multi-tool, which broadcasts a particular signal on a frequency that acts as the robot's kill switch.
Security firm alerted Policybazaar a month before it revealed breach
Associated Press: In July, Indian online insurance giant Policybazaar said it was breached but that "no significant" customer data was exposed — and said little else. Now the AP is reporting that a month earlier a security firm had found critical vulnerabilities in the company's internet-facing systems that could expose personal data on 11 million customers, and "followed the ethical-hacker playbook" by giving the company time to patch, which it did. The security firm, CyberX9, said the vulnerabilities were easy to find and exposed highly sensitive employment and banking information, as well as driver's licenses and birth certificates. The AP verified the security firm's account and spoke with victims who confirmed their information was accurate, but they said they weren't notified of any security incident. It doesn't take much to fill in the blanks here, but it sounds like a big company once again shooting (or at least trying to shoot) the messenger.

Instagram and Facebook can track you via their in-app browsers
Felix Krause: @KrauseFx found that the Instagram and Facebook apps on iOS inject JavaScript code into every website a user visits via the apps' in-app browsers, which can be used to track and monitor all user interactions. Krause's technical write-up is exquisite and explains the risks well. Not all in-app browsers do this, but it's always wise to use your own browser — or configure apps to open links in your default browser instead (where they allow it).

Microsoft fixes three-year-old zero-day
The Record: A bug dubbed "DogWalk" was first discovered in 2019, but Microsoft declined to patch it as it didn't consider it a vulnerability. Now it's received a very belated fix. The bug is a path traversal flaw, which can be abused to copy an executable file to the Windows startup folder. The bug recently resurfaced when researchers showed it could be abused to attack a fully patched Windows box. Microsoft has now fixed the bug, though for reasons that aren't entirely clear. Still, better late than never, I guess?
~ ~


FTC takes a stab at all things surveillance: The Federal Trade Commission said it'll take input from the public about the commercial surveillance business — which couldn't be more vague or broad if they tried. The issue at hand is whether the FTC should issue rules aimed at "systemic" causes behind the data surveillance industry. It's the FTC's first major look at how consumer data is shared and what happens when it gets lost, stolen or breached, from credit brokers and tech giants to advertising and stalkerware. Get your comments in before the 60 days are up.

Remotely hijacking door locks: At Black Hat, Trellix security researchers detailed vulnerabilities that allowed them to remotely lock and unlock doors, thanks to bugs in popular HID access control systems. You'd need access to the building's network first, but after that you could just walk right in. Patches were rolled out pretty quickly after the bugs were disclosed.

Homebrew crypto plagues VA records system: More from Def Con: researchers are finding major security flaws in VistA, a U.S. Department of Veterans Affairs records program that dates back to the 1970s, but are struggling to report them because VistA is on death row and set to be phased out in the near-ish (but still undetermined) future in favor of a new $10 billion platform. Some of the flaws are worrying, like how VistA encrypts internal credentials using home-brew encryption that can be easily defeated. Despite efforts to disclose the bugs, VistA is out of scope for both of the VA's bug bounty programs, reports @lilyhnewman.

Zoom installer grants attackers root on macOS: Bugs in Zoom's macOS installer allowed root/superuser access to the entire operating system. Zoom fixed some, but not all, of the bugs — and one remains unpatched. The installer needs a user's password to install or update Zoom, but the auto-update function then runs in the background as a superuser account. From there, simply handing the updater any file with the same name as Zoom's signing certificate would let it run malware, or any code, at that superuser level of privilege. Which is to say, not great. More details from @patrickwardle's tweets.
~ ~


This week, Canada's first codebreaking unit finally took the spotlight after decades of staying silent about the work they did during World War II — cracking codes and ciphers used in secret and diplomatic communications. Their cracked intelligence was shared with Bletchley Park, the GCHQ codebreakers in the U.K., but also helped Canada's own independence on the world stage. (Reminds me of this mini profile about Canada's "Bletchley Park" last year.)

As deepfakes become more common, a pretty handy trick is to ask a suspected deepfaker to turn their head to the side. That's when computers start to struggle.
Computer-generated deepfakes are often defeated by asking the person to turn their head to the side, which complicates the rendering process.
And finally this week: don't worry, Mark isn't reading your Signal messages.
Tony Arcieri tweet: "Move over Mallory! There’s a new threat actor named Mark and he’s a real badass," followed by a screenshot of a forum posting that says "I love the Signal app but it says 'mark read,' but I don't know anyone named Mark."
To send in good news for the happy corner, please reach out to:
~ ~


This week's cyber cats are Peanut and Mighty, who couldn't be more different. But as a team they are formidable and can socially engineer anyone into giving them scritches and treats. Many thanks to @swgarst for the submission!
Don't forget to send in your cyber cats (or their friends)! Email here with their name and photo, and they'll be featured in an upcoming newsletter!
~ ~


That's all for this week. Hope you had a good one, and enjoyed this week's newsletter. If you liked it, please share on your socials. The suggestion box is open for feedback, or feel free to drop me an email if you want to get in touch.

Safe travels to everyone returning home from Vegas!

Be well, and see you next Sunday.