~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 4, issue 45

~ ~


GoDaddy data breach impacts 1.2 million WordPress site owners
The Record: Not great news if you own a WordPress site on GoDaddy (or one of its many affiliates), after the web host confirmed its managed WordPress environment was breached. GoDaddy announced the breach in an SEC filing. Up to 1.2 million active and inactive WordPress customers had their email address and customer number exposed (putting users at higher phishing risk), and their WordPress admin passwords, database usernames and passwords, and SSL private keys were also exposed as a result of the breach. GoDaddy said it's resetting passwords and keys. WordFence, a security plugin for WordPress, explains in technical detail how users are affected. It's GoDaddy's second breach in as many years.
More: Reuters ($) | Dark Reading

Devious 'Tardigrade' malware hits biomanufacturing facilities
Wired ($): A "surprisingly sophisticated" malware is snaking its way into biomanufacturing facilities, purporting to be ransomware, but how it operates caught the eye of researchers. The malware, known as Tardigrade, was found in a biomanufacturing facility in North America and can adapt to its environment and operate autonomously when it isn't connected to its command and control server. The malware's goals aren't clear, but cyberattacks against biotech and pharma companies are becoming increasingly common.
More: BIO-ISAC | @lilyhnewman

Apple sues Israeli spyware maker NSO, seeking to block its access to iPhones
The New York Times ($): Here's an interesting approach for Apple to take: suing NSO Group to effectively ban it from ever using its products and services again. NSO, the maker of Pegasus spyware that's been deployed against journalists and activists, uses iMessage to deliver Pegasus, researchers have found, hence Apple's action. Since suing the company, Apple said it's notified Pegasus victims that it's identified, said to be in the hundreds, including six Thai government critics and a Polish public prosecutor. Apple explains more about its threat notifications here. In response, Israel narrowed its list of approved countries that it will allow hacking tools to be exported to, but it's feared this may do little to stem the spread of these tools to autocratic nations. MIT Technology Review ($) explains just how much trouble NSO is in.
More: TechCrunch | @chronic | @f_potkin | @jsrailton
Forbidden Stories tweet: "This brings the number of potential journalist victims of Pegasus spyware around the world to more than 220."

Malware now trying to exploit new Windows Installer zero-day
Bleeping Computer: Well that didn't take long. Malware creators are already testing a new proof-of-concept privilege escalation exploit in Windows Installer, which lets attackers become an admin on the affected machine. All versions of Windows are affected, including fully-patched Windows 11. Microsoft released a fix for CVE-2021-41379, but the patch wasn't enough to fix the flaw. Worse, this bug can allow attackers with limited access to a compromised system to elevate their access and move laterally within a victim's network.
More: Cisco Talos | @gossithedog
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week through Patreon. You can also donate one-time: PayPal or Venmo.
~ ~


Hash collisions found in Microsoft's PhotoDNA
Matthew Green: Researchers say in a new paper that they can create hash collisions in PhotoDNA, the software that Microsoft uses to detect known child abuse imagery. Much of the hubbub around hash collisions came earlier this year when Apple announced (and subsequently delayed) child sexual abuse material (CSAM) scanning capabilities in iOS 15. Researchers found hash collisions in the new software, essentially meaning it could be tricked into flagging a false positive. @matthew_d_green's students and colleagues found PhotoDNA is vulnerable to machine-learning based attacks that can produce false positives.

Facebook to delay full E2EE rollout until 'sometime in 2023'
TechCrunch: Facebook/Meta said it's delaying a rollout of end-to-end encryption until "sometime in 2023." Facebook said back in the Before Times that E2EE was on its way, in large part spurred by the Cambridge Analytica data misuse scandal — all while governments continue to push Facebook not to go down the encrypted messaging route. Former Facebooker David Thiel explains the reasons for the delays in a long tweet thread.

What does the U.K.'s new IoT bill mean for me?
Pen Test Partners: The U.K. has a new bill targeting poorly secured Internet of Things devices. The bill, if passed, will enforce IoT security to a set minimum standard. That includes no default passwords, a requirement that the vendor have a vulnerability disclosure policy, and a requirement that the vendor explain for how long their products will receive updates. Fines for violating the law will range up to £10 million ($13.3M) or up to 4% of global revenue.

Israel and Iran broaden cyberwar to attack civilian targets
The New York Times ($): Israel was behind an October cyberattack that paralyzed thousands of gas stations in Iran, which took the country close to a week to resolve. The attack was attributed to Israel by two U.S. defense officials. Days after the gas station cyberattack began, Iran allegedly hacked a major medical facility and an LGBTQ+ dating site in apparent retaliation. It's an interesting read on how state-backed cyberattacks targeting other states are spilling out into the public sphere, catching ordinary citizens in the crossfire.
~ ~


North Korean hackers caught snooping on China's security researchers
Daily Beast: Hackers with links to Pyongyang are targeting Chinese security researchers with Chinese-language lures sent over email in the hope of infecting their machines. It's believed the North Korean hackers — the so-called Lazarus Group — are trying to steal exploits or learn new hacking skills they otherwise wouldn't have. It's part of the wider aim of hacking to raise money for North Korea's nuclear weapons program.

Wind turbine giant Vestas says data was compromised in security incident
Cyberscoop: Danish wind turbine manufacturer Vestas Wind Systems said it was forced to shut down part of its IT systems to prevent the spread of a cyberattack. Some data was compromised, reports Cyberscoop. It's believed the incident may be ransomware. The company eventually put out a statement, two days after the head of Norway's energy CERT tweeted their frustration at being impacted by the incident but not hearing anything from the company.
Lars Karlslund tweet: "This is the Norwegian energy CERT tweeting in frustration about being impacted by the Vestas cyber incident, NO info from the company and NOT being able to reach them."

The McDonald's ice cream machine hacking saga has a new twist
Wired ($): You probably remember @a_greenberg's story on broken McDonald's ice cream machines earlier this year. He's back with the latest twist in the long battle between the ice cream maker Taylor and a startup called Kytch that can effectively diagnose and understand problems with the machine. Turns out there was a lot more going on behind the scenes, thanks to a trove of internal emails released as part of a lawsuit.

On legal demands and press freedoms
TechCrunch: In August 2020, two FBI agents were standing on my doorstep, unannounced, wanting to ask me questions about a story I had published on TechCrunch the year before about a breach of a Mexican government server. After our story went out, the Mexican government asked the DOJ for help in investigating the hacker, which led the feds to my door. There's been no suggestion of wrongdoing and so our response to the DOJ declined to provide anything more than what was already in the story, though it's unclear what actions Mexico would take if I ever stepped foot on its soil. In a column I wrote this week explaining what happened, I explore the risks that security researchers and journalists alike face when reporting on security incidents, and what that chilling effect has on cybersecurity and press freedoms. (Disclosure: I wrote this story.)
~ ~


Thanksgiving is over in the U.S., so the holiday season is in full swing. So in that spirit:
Photo of joke lyrics, set to the tune of "Santa Claus is Coming To Town," about Santa Claus' naughty or nice list and how that's in contravention of article 4 of GDPR.
Meanwhile, the perfect tweet doesn't exi...
DrenRepus tweet: "I add commas to my password to fsck with CSV file it will eventually be dumped into after a breach."
And, if you're still at home for the holidays, it's that annual time of the year to perform your tech support duties. 
Matt Blaze tweet: "Happy Provide Tech Support To Your Relatives Weekend, everyone. And don’t forget to turn on auto update before you depart."
Got some good news from the week? Get in touch:
~ ~


This week's cyber cat is Tigrou, whose human is a neighbor. Tigrou likes to hang out at his neighbors' house (and stays over when his owners are on vacation) but poses no insider threat. He's earned his trust. Good boy, Tigrou. A big thanks to Fabian L. for the submission.
Please send in your cyber cats and other fluffy non-feline friends. Drop an email here with their name and photo, and they will be featured in an upcoming newsletter.
~ ~


And we're out. Thanks for reading! As always, the suggestion box is open for feedback, or feel free to email. Back same time next Sunday. Have a great week.