~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 5, issue 40

~ ~


Ukrainian charged for operating Raccoon Stealer malware service
Bleeping Computer: A 26-year-old Ukrainian national is charged over his involvement with the Raccoon data stealer malware, which bad actors can rent access to. The DOJ accuses Mark Sokolovsky of stealing millions of credentials and other forms of ID, such as email addresses, bank accounts and credit card numbers, from victims' machines. The FBI set up a "Have I Been Pwned"-style site to let anyone check if their information was collected as part of the cache. Sokolovsky is currently awaiting extradition to the U.S. in a Dutch prison after he was arrested in March.
More: Justice Dept. | Raccoon IC3 | Bloomberg ($) | TechCrunch

FTC brings action against Drizly CEO over data breach
Washington Post ($): Here's a novel one to look out for: the Federal Trade Commission is bringing action against the former CEO of alcohol delivery site Drizly, which had a sizable data breach back in 2020. I remember because I obtained a portion of the data — containing phone numbers, IP addresses and geolocation data — and verified it as authentic. Now, the FTC is holding Drizly — and its former CEO — liable for the breach. (If you're wondering why it took so long, that's just the glacial pace at which the FTC works.) In its complaint, the federal regulator dug into the company's security practices and found — no surprise — that they were not good! In one case an employee posted internal credentials to GitHub by mistake, which were later abused for mining cryptocurrency. On the bright side it means that CEOs who walk away from their own house fires can be held responsible for the damage caused on their watch.
More: FTC | Cyberscoop | @konklone | @linakhanFTC

A bug in macOS Ventura breaks third-party security tools
Wired ($): For all the good Apple does with security, it massively lets itself down on the basics. Close to the end of macOS Ventura's development, Apple "accidentally introduced a flaw that cuts off third-party security products from the access they need to do their scans," reports @lilyhnewman. The problem is that while there's a workaround, many who upgrade their Macs to Ventura "may not realize that anything is amiss or have the information needed to fix the problem." Yeah, that's not good! Apple said it'll fix the bug but won't say when (read: Apple really doesn't want anyone to notice). Security monitoring tools like antivirus engines need "full disk access," and checking that the feature is working properly is easy, but critically, only "once you know to do it." It's a shame when the only people who will get hurt by this are Mac users.
More: Ars Technica | @lilyhnewman | @patrickwardle

Australia admits data laws 'inadequate' as medical hack hits millions
AFP, France24: We're in week three of "WTF is going on in Australia?" after several major hacks left the country scrambling. After Optus, one of its main telcos, was hacked, fast forward two weeks and now Medibank, the country's biggest private health insurance company, has been breached. Per the insurer's statement, the criminal had access to all ahm, international students, and Medibank customers' "personal data and significant amounts of health claims data." Which is to say, the motherlode. The only bright side here is that Medibank was honest and transparent in the end — that's it. This will likely have consequences for Australians for generations, especially if a state sponsored or was otherwise involved in the attack. As a result, the Aussie government admitted this week that the nation's cyber safeguards were "inadequate." Understatement of the decade.
More: Medibank | The Record | The Guardian ($) | Reuters ($)
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week. The Patreon is here. You can also donate just one time via PayPal or Venmo.
~ ~


Pendragon being held to $60M ransom by dark web hackers
CarDealer: Pendragon, one of the U.K.'s largest car dealerships, said it was hit by the LockBit 3.0 ransomware gang, which demanded $60 million. CarDealer magazine said the incident began earlier in October. Pendragon has 160 showrooms around the U.K. In a tweet, @campuscodi says it's one of the biggest demands seen, which may be because LockBit 3.0 knows about a shareholder letter that said Pendragon received an "unsolicited proposal" to be acquired.

Chinese influence operation designed to 'sow political discord' ahead of midterms
Cyberscoop: So we're back to Russia, er, China trying to influence the U.S. elections, according to new research by Google cyber unit Mandiant. The research shows the pro-Chinese government actors, known as Dragonbridge, are "aggressively" targeting the U.S. ahead of the midterms next week by using "narratives regarding racial strife and social injustice" on social media. That's pretty much torn right out of the Russian 2016 playbook. It's just the latest example of how pro-China actors are influencing Americans. @ShaneHuntley drops some knowledge bombs from Google TAG's point of view.
AJ Vicens tweet: "The activity included overt messaging encouraging Americans not to vote, marking a continued escalation of willingness to attempt to influence elections in the U.S." Under the tweet is an image of President Biden with the caption "Can voting make America a better place," as an example of the Chinese influence campaign.

If Musk starts firing Twitter's security team, run
Wired ($): This week Elon Musk took over the helm at Twitter after a tumultuous few months. Mass firings. Executives gone. Does Musk now have access to our DMs? (Yes.) While the current picture of inside Twitter is murky, when we do get clarity it's not going to be pretty. But, despite the explosive testimony from former Twitter security head Mudge, Twitter still has a CISO and a security team — for now — but a lack of investment in the new Twitter era "could pose a real danger to users over time."

U.K. cyber director departs with sage security advice
National Cyber Security Centre: In an appropriately headlined — and illustrated — blog post, the U.K.'s NCSC's departing technical director Ian Levy wrote his final thoughts after more than two decades in government. The post — refreshingly candid for a former civil servant — is worth the read (and some highlights from @jackhcable and @ciaranmartinoxf).
~ ~


GitHub fixes repo-hijack bug: Researchers at Checkmarx found a vulnerability, now addressed by GitHub, which allowed attackers to take control of code repositories because of a naming issue. Per The Record, thousands of GitHub users — including those in control of popular repositories and packages — opt to change their usernames, "leaving namespaces including their old usernames open to exploitation." That's because old usernames become available again for anyone to claim; an attacker could then create a repository with the matching name and hijack the namespace. Also more at SC Media.
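One defensive check that follows from the namespace problem above, as an added example that is not from the newsletter, Checkmarx or GitHub: scan a project's dependency specifiers for GitHub-hosted packages pulled by branch or tag rather than by a full commit hash. A 40-character commit SHA is content-addressed, so a repository re-created under a reclaimed username cannot serve that commit, whereas a branch or tag name resolves to whatever the new owner publishes. The sample specifiers (pip `git+https` and npm `github:` forms, with made-up owners) are constructed for the example.

```python
import re

# Constructed sample dependency specifiers (not real projects): pip-style
# git+https URLs and npm-style "github:owner/repo#ref" shorthand.
SAMPLE_DEPS = [
    "git+https://github.com/example-org/widget.git@main#egg=widget",
    "git+https://github.com/example-org/widget.git@1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b",
    "github:old-username/lib#v2.1.0",
    "requests==2.31.0",
]

# github.com/<owner>/<repo>[.git][@<ref>] inside a URL; repo is greedy and
# the ".git" suffix is stripped afterwards in code.
GITHUB_URL = re.compile(
    r"github\.com/(?P<owner>[^/]+)/(?P<repo>[^/@#]+)(?:@(?P<ref>[^#]+))?"
)
# npm shorthand: github:<owner>/<repo>[#<ref>]
GITHUB_SHORT = re.compile(r"^github:(?P<owner>[^/]+)/(?P<repo>[^#]+)(?:#(?P<ref>.+))?$")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def parse_github_dep(spec):
    """Return {owner, repo, ref} for a GitHub-hosted specifier, else None."""
    m = GITHUB_SHORT.match(spec) or GITHUB_URL.search(spec)
    if not m:
        return None
    repo = m.group("repo")
    if repo.endswith(".git"):
        repo = repo[:-4]
    return {"owner": m.group("owner"), "repo": repo, "ref": m.group("ref")}


def audit(specs):
    """Flag GitHub deps whose ref is mutable (branch, tag, short SHA, or none).

    Returns a list of (spec, owner, ref) tuples; a full 40-hex commit SHA is
    treated as safe because a hijacked namespace cannot reproduce that commit.
    """
    findings = []
    for spec in specs:
        dep = parse_github_dep(spec)
        if dep is None:
            continue  # not hosted on GitHub, out of scope for this check
        ref = dep["ref"]
        if ref and FULL_SHA.match(ref):
            continue
        findings.append((spec, dep["owner"], ref or "<default branch>"))
    return findings


if __name__ == "__main__":
    for spec, owner, ref in audit(SAMPLE_DEPS):
        print(f"mutable ref {ref!r} on github.com/{owner}: {spec}")
```

Flagged entries are candidates for pinning to a commit, or for confirming that the owner account still belongs to the maintainer you expect.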

Liberia DDoS'er charged with running dark web marketplace: Daniel Kaye will ring bells for some. Kaye was arraigned on federal charges this week for alleged device fraud and money laundering as part of his role in running The Real Deal, a dark web marketplace that sold hacking tools and stolen credentials, including for NASA, the U.S. Navy — oh, and Twitter and LinkedIn. But Kaye is also known for knocking Liberia's internet offline during a 2016 DDoS attack, for which he was arrested and detained by U.K. police. I remember reporting on the DDoS at the time (despite some skepticism from others!). If you didn't read Bloomberg's ($) story about Liberia's internet, you should. @MalwareTechBlog reminisces in a tweet thread.

Leaked data shows TheTruthSpy tracked thousands of Americans: Earlier this year, I obtained the core database of TheTruthSpy's stalkerware operation, and built a lookup tool to let anyone check if their devices were compromised. Since then we spent weeks analyzing the rest of the database, and it's huge. The leaked data shows at least 360,000 devices were compromised (up until April, when the database was leaked). But in just six weeks of the most recent data, the database included thousands of GPS location data points, millions of call logs and text messages, and more. Stalkerware is an international problem but more, including from antivirus companies, has to be done to combat it. (Anyone from the FTC reading?) More in my tweet thread. (Disclosure alert!)
This time lapse shows six weeks of cumulative location data from devices compromised by a fleet of near-identical stalkerware apps, including TheTruthSpy, Copy9 and MxSpy.
Apple's security mixed messages: Apple this week published a new security research hub and a blog on memory corruption bugs (interesting), plus news that it's paid out $20 million in total to security researchers, or about 0.02% of what Apple made in profit last year. In related news, Apple also confirmed that it only fully patches its latest operating systems, per Ars Technica.

Android malware dropper on Google Play: Researchers at Threat Fabric found a new set of Android malware droppers in Android's app store, Google Play. The offending apps themselves don't contain malicious code, so they slip through Google's security checks more easily, but they pull in malware once installed on a user's device. Three apps disguising droppers were installed more than a hundred thousand times. Bleeping Computer has more.
~ ~


With the news done, let's move onto the good stuff.

This week, @TheRock near-guaranteed that @HackingDave will be sleeping on the couch for the foreseeable future. Worth it, though.

Meanwhile, here's a far, far more honest version of the Magic Quadrant for Ransomware.

And, with Halloween this week (tomorrow!), please, please make sure you check your candy for Doom. (h/t @adafruit)
A candy-like bar which when unwrapped from its wrapper shows a mini-display that's running Doom.
If you have good news you want to share, get in touch at:
~ ~


This week's cyber cat is Shiloh, who we featured last year. Shiloh passed over the rainbow bridge to the big happy farm in the sky after living through nine very, very happy lives with his human. Rest well, Shiloh. Many thanks, and much love, to his human, Gh0sti.
Send in your cyber cats (or their friends)! You can email here with their name and photo, and they'll be featured in an upcoming newsletter. Submitted before? Send me an update!
~ ~


That's it for this week after a brief one-week break (to sleep!). Thanks again for reading and subscribing. As always, the suggestion box is open, or drop me an email with any feedback.

Enjoy your week, and see you again next Sunday. If you want to share this week's newsletter, hit those social share buttons below.

Take care, all.