~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 13
Coronavirus continues to dominate the headlines, which is why this newsletter (like last week) is a little lighter than usual. This newsletter will continue to go out every Sunday, bringing you as much cybersecurity news as there is from the week. Stay safe.
~ ~


As coronavirus surveillance escalates, personal privacy plummets
New York Times ($): Italy, South Korea and Israel, three countries hit hard by coronavirus, are turning to domestic surveillance to trace people infected with the virus. That ratcheting up of surveillance has drawn ire from those who watched the U.S. expand domestic surveillance after 9/11. These emergency uses of surveillance come at a price: the personal privacy of millions.
More: NPR | Washington Post ($)

Revealed: Saudis suspected of phone spying campaign in US
The Guardian: Saudi Arabia is said to be tracking its citizens as they travel in the U.S. by exploiting weaknesses in SS7, the signaling protocol carriers use to route phone calls and text messages around the world. A whistleblower provided a cache of data, containing millions of tracking requests, covering a four-month period beginning November 2019. "The tracking requests, which sought to establish the US location of Saudi–registered phones, appeared to originate from Saudi's three biggest mobile phone companies," the report said. SS7 has been horribly broken for years: carriers have to honor location requests from other networks so that calls and texts can reach roaming subscribers, so there is little to stop a home network from asking where a phone is far more often than routing ever requires. The same weaknesses have been exploited to intercept SMS messages, including two-factor codes.
More: @profcarroll | @MalwareJake
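The practitioner's question after a story like this is what a carrier could look for, given that a home network asking where its roaming subscriber is looks legitimate one request at a time. The following is an added example (my code, not the newsletter's or the Guardian's) of a rate-based screen over SS7 location queries: the log lines, the network names, the one-hour window and the threshold are all constructed assumptions, and the MAP operation names are the standard ones whose responses reveal a handset's serving cell.

```python
"""Rate-based screen for SS7 location queries.

Added example, not code from the newsletter or the Guardian report. A home
network is entitled to ask a roaming partner where its subscriber is (that is
how calls and texts reach a phone abroad), so the origin of a request is not by
itself suspicious; asking about the same handset over and over is. The log
lines, the network names, the one-hour window and the threshold are all
constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# MAP operations whose response reveals the subscriber's serving cell/location.
LOCATION_OPS = {"provideSubscriberInfo", "anyTimeInterrogation"}

# Constructed sample: '<ISO timestamp> <origin network> <MAP op> <target MSISDN>'.
SAMPLE_LOG = """\
2019-11-02T10:01:00 NET-A provideSubscriberInfo 9665550001
2019-11-02T10:09:00 NET-A provideSubscriberInfo 9665550001
2019-11-02T10:17:00 NET-A provideSubscriberInfo 9665550001
2019-11-02T10:26:00 NET-A provideSubscriberInfo 9665550001
2019-11-02T10:38:00 NET-A provideSubscriberInfo 9665550001
2019-11-02T10:49:00 NET-A provideSubscriberInfo 9665550001
2019-11-02T09:55:00 NET-B provideSubscriberInfo 9665550002
2019-11-02T14:12:00 NET-B sendRoutingInfoForSM 9665550002
2019-11-02T15:30:00 NET-A anyTimeInterrogation 9665550003
""".splitlines()


def parse_record(line):
    """Split one constructed log line into its four fields."""
    ts, origin, op, target = line.split()
    return {"ts": datetime.fromisoformat(ts), "origin": origin, "op": op, "target": target}


def flag_tracking(lines, window=timedelta(hours=1), threshold=4):
    """Return {(origin, target): peak_count} for every origin network that
    issued more than `threshold` location queries for one handset inside any
    `window`-long sliding interval. Non-location operations are ignored."""
    times_by_pair = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec["op"] in LOCATION_OPS:
            times_by_pair[(rec["origin"], rec["target"])].append(rec["ts"])

    flagged = {}
    for pair, times in times_by_pair.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it is within `window` of t,
            # so bursts that straddle clock hours are still counted together.
            while t - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits > threshold:
                flagged[pair] = max(hits, flagged.get(pair, 0))
    return flagged


if __name__ == "__main__":
    for (origin, target), count in flag_tracking(SAMPLE_LOG).items():
        print(f"{origin} queried {target}'s location {count} times within an hour")
```

Run against the constructed log, NET-A's six queries for one handset inside 48 minutes are flagged, while NET-B's single location query and its SMS-routing request are not. The threshold is deliberately a tunable assumption: a legitimate home network asks once when routing a call, not every ten minutes all day.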

Elite hackers target WHO as coronavirus cyberattacks spike
Reuters: Elite hackers, believed to be the DarkHotel group, tried to break into the World Health Organization's systems earlier this month, in the middle of a massive spike in coronavirus cases. The WHO's chief information security officer said the organization had seen more than a two-fold increase in cyberattacks. DarkHotel has been active since at least 2007, using a mix of spearphishing and malware to steal data from its targets.
More: @razhael

Microsoft says a Windows code-execution zero-day is under active exploit
Ars Technica: A flaw in the Adobe Type Manager Library, a font-parsing component that Microsoft has maintained in Windows since the early 2000s, can allow remote code execution on all supported versions of Windows, including Windows 10, and also on Windows 7, which fell out of support earlier this year. Microsoft said some customers have already been hit by "limited, targeted attacks" using the zero-day. A patch isn't yet available, but the software giant has published workarounds. One caveat worth knowing: on Windows 10 the font parsing runs in a sandboxed user-mode process, so a successful exploit there lands with limited privileges; on older versions the parsing happens in the kernel, which is where the real danger lies.
More: TechCrunch | Microsoft | @rosyna

Bosses panic-buy spy software to keep tabs on remote workers
Bloomberg: As millions of workers continue to work from home for the second week, some bosses are scrambling to buy monitoring software to see if their workers are in fact working. One firm, Axos Financial, told its staff that their keystrokes are being logged and the webcam would activate every 10 minutes. The company declined to say if the CEO was subject to the same draconian measures imposed on the rest of the staff.
More: Business Insider

Cybersecurity experts come together to fight coronavirus-related hacking
Reuters: Some 400 volunteers from around the world formed a group this week to fight hacking efforts related to the coronavirus. The top priority is combating attacks against medical facilities, even though some ransomware groups have already said they would not target them, or would hand over decryption keys for free if they did. According to @marcwrogers, one of the group's four managers, the volunteers have already helped to dismantle one malware-spreading operation.
More: @evacide | @elinormills
~ ~

Thanks to everyone who reads this newsletter! Subscribers are going up, as are the monthly costs. If you can spare $1/month (or more for exclusive perks), it helps to maintain the upkeep of this newsletter. You can contribute to the Patreon here.
~ ~

THE STUFF YOU MIGHT'VE MISSED

open redirect abused to spread coronavirus malware
Bleeping Computer: An open redirect on was being actively abused this week by attackers pushing malware to unsuspecting victims. An open redirect means anyone can tack a URL onto the end of the site's redirect link, so the victim sees the trusted domain in the link they click but is sent on to the attacker's malware (or other malicious content). @SecSome posted an example to Twitter.
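To make the mechanism concrete, here is an added example (my code, not the newsletter's and not from the site in the story) of the vulnerable pattern beside a hardened version. The two handlers are hypothetical and the trusted hostname is an assumption; the point is the difference between handing a caller-supplied value straight to a Location header and re-deriving the target from the site's own origin, including the bypasses (protocol-relative `//host`, backslashes, `user@host`, lookalike subdomains) that a naive check misses.

```python
"""Open-redirect check.

Added example, not code from the newsletter or from the affected site. The two
handlers are hypothetical, and the trusted hostname is an assumption.
"""
from urllib.parse import urljoin, urlsplit

TRUSTED_HOST = "trusted.example"   # assumption: the site that owns the endpoint
SITE_ROOT = f"https://{TRUSTED_HOST}/"


def vulnerable_redirect_target(next_param):
    """The open-redirect pattern: whatever arrives in ?next= becomes the
    Location header, so https://trusted.example/go?next=https://evil.example/x
    shows the victim a trusted domain and delivers them to evil.example."""
    return next_param


def safe_redirect_target(next_param):
    """Accept only targets that resolve to this site's own https origin;
    anything else falls back to the site root."""
    # Drop control characters (CR/LF header injection, tab tricks) and map
    # backslashes to slashes, because browsers treat "/\evil.example" as a
    # protocol-relative URL even though a naive leading-slash check passes it.
    cleaned = "".join(ch for ch in next_param.strip() if ch.isprintable())
    cleaned = cleaned.replace("\\", "/")
    # Resolve relative paths against our origin; absolute, protocol-relative
    # (//host) and scheme-bearing (javascript:) inputs keep their own
    # scheme/authority and are caught by the comparison below.
    parts = urlsplit(urljoin(SITE_ROOT, cleaned))
    if parts.scheme != "https" or parts.hostname != TRUSTED_HOST:
        return SITE_ROOT
    # Rebuild from parsed components so the raw input never reaches the header.
    # Userinfo tricks ("trusted.example@evil.example") are already excluded,
    # because .hostname is the part after the "@".
    query = f"?{parts.query}" if parts.query else ""
    return f"https://{TRUSTED_HOST}{parts.path or '/'}{query}"


if __name__ == "__main__":
    for probe in ["/account", "https://evil.example/payload.exe",
                  "//evil.example/payload.exe", "/\\evil.example",
                  "https://trusted.example@evil.example/", "javascript:alert(1)"]:
        print(f"{probe!r:45} -> {safe_redirect_target(probe)}")
```

The fallback is the site root rather than an error page because a redirect endpoint is usually hit by users mid-flow (after login, say); sending them somewhere harmless on your own origin costs nothing and never rewards the attacker. If the endpoint must be able to send users off-site, the right shape is an allowlist of exact destinations looked up by key, not a URL the caller controls.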

Medical and military contractor Kimchuk hit by data-stealing ransomware
TechCrunch: Kimchuk, an electronics maker for medical organizations and the military, has become the latest victim of data-stealing ransomware, DoppelPaymer. The company didn't pay the ransom, prompting the attackers to post some of the company's files online. The CEO also inadvertently confirmed the breach when he replied to me by mistake, thinking he was telling his staff to give me "no comment" and asking, "how did he learn of this?" (Disclosure: I wrote this story.)

Over 4,000 Android apps silently access your installed software
Ars Technica: Here's an interesting one: an Android API lets apps collect a list of all the other apps installed on the device without requiring any permission from the user. That's the finding of a research paper [PDF] out this week. One of the biggest risks to users, the paper says, is that developers can build up a detailed profile of a user from that list alone, including guessing their gender, race, age and income with a surprisingly high accuracy rate.
~ ~


Hackers are taking over Twitter accounts to advertise face masks
If you saw a bunch of tweets this week promoting a link to face masks, it was part of a Twitter account hacking campaign. Accounts were hacked, tweets posted, and DMs sent — all with the same link to a face mask website. Twitter said it acted quickly against the spam.

Google sends "we see you" message to Russia's Sandworm hackers
In a blog post, Google provided a rare, detailed look at phishing efforts by Russia's Sandworm hacking group, which was blamed for the NotPetya attack and knocking out Ukraine's power grid. Google also said it's seen a rise in the number of phishing efforts impersonating and targeting journalists.
~ ~


Here are some of the good things that happened this week.

Firstly, this @PaulRoth cartoon is perfect.
Troy Hunt's Have I Been Pwned may have snagged its biggest user to date: the U.S. government. In a short and sweet blog post, Hunt said CISA, Homeland Security's cybersecurity agency, can now query U.S. government domains and receive notifications if they're affected by data breaches.

And congrats to @MaliciousLink, who this week became a VP and CISO of IBM Public Cloud.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


Meet this week's cyber cat, Codita, whose name means "small tail" in Romanian, according to his human, because he was born with a crooked third of a tail. He likes to sit on his human's laptop to make sure she's not slacking. Thank you to @andrazaharia for the submission!
If you, like me (and the rest of the world), are cooped up at home, please send in your cute cyber cat photos! Now is a better time than ever. You can send them here.
~ ~


That's all for now. Thanks again for reading and subscribing. As always, feel free to drop any feedback you may have in the suggestion box. Please stay safe, stay at home, wash your hands, and be healthy. See you next week. Have a good one.
