~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 5, issue 37

~ ~


Fast Company hacked to send obscene push notification
The Verge: Pour one out for Fast Company, whose website is still down a week after its backend content management system was hacked — and very publicly. Credentials stored in the CMS allowed the cybercriminal to push a racial slur as an Apple News push notification. Apple really wanted you to know it had nothing to do with it and it was Fast Company's fault. (Cue the sound of a bus reversing.) How did it go down? Thankfully an article posted by the cybercriminal described exactly how they did it, putting much of the blame on a shared password with wide CMS access. Newsrooms are typically underfunded and cybersecurity often isn't a priority. But websites and media outlets wield wide readerships and influence, making them an easy target. @josephfcox interviewed the hacker, who had an ominous warning: the breach "had the potential to shift markets. Instead, I chose to embarrass Fast Company."
More: Washington Post ($) | CNN | Reuters ($) | Motherboard

How CIA's messaging system failures compromised Iranian informants
Reuters ($): Incredible reporting here that uncovered a network of hundreds of mass-produced fake websites, set up by the CIA with rudimentary security flaws, which the agency used to communicate with low-level spies operating in Iran. Yahoo News broke the news back in 2018 that a flawed CIA messaging system had been compromised, leading to the arrests of dozens of informants, but Reuters found the sites that were actually used. "The CIA really failed with this," said Citizen Lab's Bill Marczak, one of the two researchers who examined the sites. @joel_schectman has a good tweet thread on the story, but the full piece is worth your time.
Archives: Yahoo News | More: The Guardian | Citizen Lab | @billmarczak | @skirchy

Microsoft confirms exploitation of two Exchange Server zero-days
SecurityWeek: Well, it wouldn't be a week in security without a zero-day drop. This week it's two Microsoft Exchange flaws — one an SSRF and the other an RCE — that allow attackers to deploy backdoors and move laterally through a victim's network. The bugs were discovered by Vietnamese outfit GTSC and confirmed by Microsoft a few hours later. But there's no immediate fix for on-premises server owners just yet. Since there's no fix, you might want to look at some remediation advice.
More: DoublePulsar | TechCrunch
Ryan Naraine tweet: "Microsoft is aware of limited targeted attacks using the two vulns. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. Authenticated access to vulnerable Exchange Server is necessary to successfully exploit the two flaws."

'People search' websites create privacy nightmares for abortion rights advocates
Cyberscoop: Since the overturning of Roe v. Wade that saw nationwide rights protecting abortion dismantled by the U.S. Supreme Court, reproductive rights advocates are facing increasingly violent threats and fear that their personal information — collected without their consent by 'people search' websites — can identify where they live. The FTC has already taken action against geolocation data brokers but has not yet included data brokers trading in public records. It's a real problem. While there are public data removal tools and services, they are not silver bullets — and some sites have basically refused to remove advocates' home addresses, despite several requests and a lawyer's letter.
More: @TonyaJoRiley tweets | @jshermcyber

Australian minister slaps down Optus 'sophisticated' hack claim: "It wasn't"
Australia's cyber security minister Clare O'Neil finally said what everyone's been thinking — by calling BS on Optus, which claimed a "sophisticated" cyberattack exposed millions of Australians' personal information. When asked on breakfast telly if O'Neil believes Optus' claim that it was sophisticated, her response was: "Well, it wasn't. So no." (You really have to watch the clip.) O'Neil isn't wrong — it looks like an unauthenticated internet-facing API was to blame, no login needed — the cyber equivalent of having unrestricted guest access to Fort Knox's gold vault. The Australian government pushed Optus to pay for replacing affected citizens' passports (since identity documents were caught up in the breach). Optus was also criticized for its handling of breach notifications, and is now prominently displaying its breach on ad displays in malls across the country. Australia has some data protection laws, whereas stateside T-Mobile had its seventh security breach this year and America barely flinched...
More: BBC News | Bleeping Computer | @ClareONeilMP | @tommcilroy
An animated GIF of Australian cyber minister Clare O'Neil telling a TV presenter, in response to Optus claiming the hack was "sophisticated," that, "Well, it wasn't, so no."
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week. The Patreon is here. You can also donate just one time via PayPal or Venmo.
~ ~


Parking apps can let anyone track your car, this hacker wants to stop it
Daily Dot: A cybersecurity expert, De Ceukelaire, found he was able to pinpoint the live location of vehicles in about a quarter of all cases over a 100-day period using three different techniques, research that is now public. De Ceukelaire warned that parking apps — even if you don't use them — can be used to register license plates without verification, which in turn can be used to send alerts any time a target vehicle enters a parking lot with license plate reading (known as ANPR or ALPR). He described it as a "privacy disaster" throughout Europe and the United States.

Flaws in Matrix's end-to-end encryption now patched
Ars Technica: Developers of the open source Matrix messenger protocol released an update on Wednesday to fix critical end-to-end encryption bugs. Matrix is a sprawling ecosystem of interoperable apps, clients and servers across platforms that allows users to exchange end-to-end encrypted real-time messages — spanning some 69 million Matrix accounts and 100,000 servers. But vulnerabilities disclosed this week revealed major weaknesses that could compromise encrypted messages, all of which rely on a malicious or compromised server. Ars has a great breakdown of what went down and what needs fixing, and @claucece has an excellent breakdown in a tweet thread.

New U.S. intel unit logo 'erroneously posted'
Cyberscoop: What's this new U.S. intel logo all about? This was, or appeared to be, the new logo for the National Intelligence Manager for the Air Domain, an aviation-focused unit of the Office of the Director of National Intelligence, the federal department that oversees the U.S. intelligence community. Look closely and you'll see what looks like a UFO and a Russian fighter jet(?!), leading to considerable chatter and analysis. Alas, all things edgy in intel don't last long. A government spokesperson said the seal was "erroneously posted" and that the seal is both unofficial and incorrect. Buzzkills.
A mockup of a DNI seal with what appears to be a Russian fighter jet and a UFO on it.

Ransomware attack affecting U.K. patient care months later
BBC News: It's now been two months since a ransomware attack on Advanced, a major IT vendor for the U.K.'s National Health Service, but its aftermath lingers on and is still "compromising" the quality of provided care, according to the CEO of one of the affected NHS trusts. Check-ins, notes, and the NHS' non-emergency hotline remain affected, amid ongoing fears that massive amounts of patient data were stolen. Replacement systems are in place but they're time consuming and cumbersome. There's absolutely no excuse at this point for this extreme level of jackassery. Computer Weekly also has more.

Microsoft says North Korean hackers are weaponizing open source software
Ars Technica: North Korea-backed hackers are back with a bang. The group known as Lazarus Group has successfully compromised "numerous" media, defense, aerospace and IT companies by lacing open source software, like PuTTY and TightVNC, with highly encrypted code that ultimately installs clandestine malware. Microsoft, which calls the North Korean-backed hackers "Zinc," published more details and IOCs.

NSO hacked more people for longer, says new research
Donncha Ó Cearbhaill: @DonnchaC and @billmarczak found that when Apple releases security fixes, it doesn't always patch the same bug in older versions of its software — including actively exploited bugs(!) — leaving users running older software vulnerable to attacks (via @josephmenn). That means spyware makers like NSO Group have hacked both more people and for longer than previously known. That also means NSO's WhatsApp attack that hit 1,400 targets back in 2019 "was much larger" in scope. Wow.
~ ~


Anonymous bug reports rocket after Beijing slapdown: When Log4j first emerged, it was researchers at Chinese cloud giant Alibaba who disclosed the bug and got it fixed, much to the anger of (and eventual sanctions by) Beijing, which wanted to be informed first. As a result, China stemmed the ability of researchers to share vulnerability reports. New research from the Atlantic Council found a huge drop in reports from China in Log4j's wake — but also "an increase of similar size and significance in contributions tagged either to individuals, companies with no known country tag, or no acknowledgement at all" (via The Register). The researchers say it could be that Chinese researchers are still reporting bugs, but anonymously.

Can Kaspersky survive the Ukraine war? Cyberscoop looks at Kaspersky, the Russian antivirus and cybersecurity giant, dogged by controversies in the U.S. and abroad, amid claims its technology could help Moscow achieve its wartime goals. But with sanctions hitting both the Russian government and high-level Russian citizens — including the company's founder, Eugene Kaspersky — and with more to come, the future doesn't look so bright for the once rising star of the security community.

Hyperjacking hypervisors: Mandiant, now a Google-owned unit, has new research out this week revealing that a "mysterious" team of hackers is targeting VMware's virtualization software, known as a hypervisor, which lets you run multiple operating systems on a single bit of hardware. By targeting the hypervisor itself, the attackers can watch and run commands on those virtual computers nearly invisibly. The attackers appear to be tied to China, but even by its own analysis, Mandiant isn't entirely sure. Wired ($) has a good write-up.

VA investigating breach after source code leak: The Dept. of Veterans Affairs in the U.S. is conducting a breach investigation after a federal contractor published source code — including sensitive credentials — on GitHub months ago. The hardcoded admin credentials published to GitHub allowed "six foreign IP addresses" to clone the source code, including "at least one from a country hostile to the U.S." Yikes. A dozen internal applications were exposed, but the VA only discovered the exposure after someone reported the issue on September 9. Fedscoop has the... well, scoop.
A timeline of the VA breach, starting at July 5 when it was discovered, ending "early September" when Microsoft engaged to respond to the incident.
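The VA incident above turns on admin credentials sitting in source that was committed to a public repo. As an added example (not from the page, the VA or the contractor), here is a small pre-commit style check in Python that flags hardcoded credentials in source lines while letting placeholders and environment lookups through; the rules and the sample file are constructed assumptions.

```python
import re

# Assumed detection rules for a pre-commit check; constructed for this example,
# not the VA's or the contractor's tooling. Each rule captures the secret in <val>.
RULES = [
    ("assignment", re.compile(
        r'(?i)\b(admin_?pass(?:word)?|password|passwd|secret|api_?key|token)\b'
        r'\s*[:=]\s*["\'](?P<val>[^"\']{6,})["\']')),
    ("url-credential", re.compile(
        r'(?i)\b[a-z][a-z0-9+.-]*://[^\s/:@"\']+:(?P<val>[^\s@"\']+)@')),
    ("basic-auth", re.compile(
        r'(?i)authorization["\']?\s*[:=]\s*["\']?basic\s+(?P<val>[A-Za-z0-9+/=]{8,})')),
]
# Values that are obviously templates rather than live secrets.
PLACEHOLDER = re.compile(r'^(\$\{?[A-Z_]+\}?|<[^>]+>|\{\{.*\}\}|changeme|x{3,}|\.{3})$', re.I)

def scan_lines(lines):
    """Return (line number, rule name) for every line that embeds a credential."""
    findings = []
    for n, line in enumerate(lines, 1):
        if "os.environ" in line or "getenv(" in line:
            continue  # heuristic: the value is read from the environment, not stored in the file
        for name, rule in RULES:
            m = rule.search(line)
            if m and not PLACEHOLDER.match(m.group("val")):
                findings.append((n, name))
                break
    return findings

# Constructed sample "source file": three real hardcoded credentials, two placeholders, one env lookup.
SAMPLE = """\
DB_HOST = "db.internal.example"
ADMIN_PASSWORD = "Sup3rSecret!2022"
password = os.environ["APP_PASSWORD"]
conn = "postgres://svc_user:hunter2pass@db.internal.example/app"
api_key = "${API_KEY}"
headers = {"Authorization": "Basic YWRtaW46cGFzc3dvcmQ="}
token = "<your-token-here>"
"""

if __name__ == "__main__":
    hits = scan_lines(SAMPLE.splitlines())
    for n, name in hits:
        print(f"line {n}: hardcoded credential ({name})")
    raise SystemExit(1 if hits else 0)  # a non-zero exit blocks the commit
```

Wired into a pre-commit hook, a non-zero exit stops the offending file from ever reaching a remote, which is the point at which the VA's contractor lost control of its credentials.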
~ ~


Happy Sunday, and welcome to the happy corner. And breathe. Here we go.

This week we got the first glimpse at a brand new Matrix-style rain simulator, and it looks absolutely brilliant. The simulator was built by Jeremy Sachs, a software developer who goes by the handle @Rezmason, and published the code to his GitHub. Motherboard spoke with Lilly Wachowski, one of the two sisters who wrote and directed the Matrix movies, who said the new simulation looks as good, if not better than the original. Nice!
An animated GIF of the new Matrix simulation that's available to download on GitHub.

Back with @robertmlee again this week, whose staff keep getting spam and scam messages impersonating him. What about the goats, though?

Meanwhile, ahead of Halloween this year, make sure you check your kids' candy for warez and 'sploitz.
Griffin tweet: "Remember, always check your kid's Halloween candy for warez and sploitz" with a photo of a Kit-Kat finger broken in half revealing a USB port.

And finally, some really good news: A court in San Francisco found a geofence warrant was unconstitutional. That's a huge move, since geofence warrants remain highly controversial (and hotly debated) but widely used, per Google's own data last year. Geofence warrants allow police to determine who was in a particular geographic area at any given time, just based on their phone's location data.
If you have good news you want to share, get in touch at:
~ ~


A rare cyber cat + friends medley this week. Meet Daisy, Pancho, and Theodore (left to right). According to their human, Daisy will meow at you and annoy you until you watch her eat, but maybe that's because she's distracting them while the dogs hijack your computer... they're all still very cute though! Many thanks to Phillip B. for the submission!
Send in your cyber cats (or their friends)! You can email here with their name and photo, and they'll be featured in an upcoming newsletter. Repeat submissions welcome.
~ ~


Aaaaand that's it for this week. Thanks for tuning in! As always, you can reach me via the suggestion box or drop me an email with your feedback. If you want to share this week's newsletter, there are some share buttons below.

Enjoy your week, and see you next Sunday.