~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 4, issue 37

~ ~


FBI held back REvil ransomware decryption key to run operation targeting hackers
Washington Post ($): A big mystery over the Kaseya ransomware attack has been solved. Kaseya, a company that makes IT management software for businesses, was hacked earlier this year and was used to push ransomware to hundreds of companies, including managed service providers, some of which in turn have hundreds of customers or more. REvil took credit, but quickly bolted after drawing attention from the U.S. government. Some three-ish weeks later, Kaseya said it had obtained a REvil universal decryptor for the attack — but didn't say where it had come from, only that it came from a "third party." Turns out it was the FBI — of course! — per new reporting by the Post. The FBI obtained the key "through access to the servers" of the Russia-based ransomware gang and held onto it in the hope of taking the gang down altogether — but it didn't work.
More: Daily Beast | @shanvav tweets | Background: @kevincollier tweets

2021 has broken the record for zero-day hacking attacks
MIT Technology Review: At least 66 zero-days have been found in use this year, almost double the previous year's count and more than in any recorded year. The real number is likely greater; defenders are simply getting better at catching hackers in the act. Researchers say many of the zero-days in use can be traced back to financially motivated actors. But what's clear is that zero-days are getting harder to develop and more expensive to pull off. @HowellONeill looks at the zero-day market as it is now, what might be causing it, and critically, what it means for the rest of us.
More: @runasand | @HowellONeill tweets

Microsoft Autodiscover protocol found leaking hundreds of thousands of credentials
The Register: A flaw in how Microsoft's Autodiscover protocol is implemented in apps (like email clients) is helping to leak hundreds of thousands of Windows (specifically Exchange) credentials to the web. The bug means that some apps are inadvertently contacting external servers outside of the user's own domain, at names that look like autodiscover.tld, where the tld is the top-level domain, like .com, .uk or .fr. Turns out a lot of these top-level autodiscover domains were available to be bought and could be set to "listen" for apps that are constantly spitting out leaking credentials. It's a bit technical but the full write-up is a good explainer. Much of the research builds on earlier findings from 2017. But Microsoft didn't do anything about it then, and is now scrambling to secure the domains before bad actors do. The reality is that some might already be out there. Here's one website that is tracking potentially malicious autodiscover domains.
More: TechCrunch | Autodiscover TLDs
Bleeping Computer tweet: "One domain, (Switzerland TLD), was registered as far back as 2015 and uses as the DNS servers. Not clear who owns it."
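For defenders reviewing their own proxy logs, here is an added example (not from the article or the original research) that flags Autodiscover requests which left the user's mail domain. It assumes a constructed log format of "timestamp user@domain requested_host" and assumes the buggy client strips one label at a time from the mail domain until it reaches autodiscover.tld; the sample lines are constructed.

```python
"""Flag Autodiscover lookups that land outside the user's own mail domain.

Added example, not from the article. Assumes a constructed proxy log
format: "<timestamp> <user@domain> <host the client contacted>".
"""
import re
from typing import List, Tuple

# Constructed sample proxy log: alice's client "fails up" to autodiscover.com,
# bob's client walks from his subdomain all the way to autodiscover.uk.
SAMPLE_LOG = """\
2021-09-20T08:01:02Z alice@example.com autodiscover.example.com
2021-09-20T08:01:03Z alice@example.com example.com
2021-09-20T08:01:04Z alice@example.com autodiscover.com
2021-09-20T08:02:10Z bob@mail.example.co.uk autodiscover.mail.example.co.uk
2021-09-20T08:02:11Z bob@mail.example.co.uk autodiscover.co.uk
2021-09-20T08:02:12Z bob@mail.example.co.uk autodiscover.uk
2021-09-20T08:03:00Z carol@example.fr autodiscover.example.fr
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>[^@\s]+@(?P<domain>\S+))\s+(?P<host>\S+)$")


def host_in_domain(host: str, domain: str) -> bool:
    """True if host is the mail domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def failup_candidates(domain: str) -> List[str]:
    """Names a client may try when 'failing up', one label stripped per step (assumed behaviour)."""
    labels = domain.lower().split(".")
    return ["autodiscover." + ".".join(labels[i:]) for i in range(len(labels))]


def leaking_candidates(domain: str) -> List[str]:
    """The subset of fail-up names that fall outside the organisation's own domain."""
    return [c for c in failup_candidates(domain) if not host_in_domain(c, domain)]


def find_leaks(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, host) for autodiscover.* requests outside the user's domain."""
    leaks = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guess at them
        host, domain = m["host"], m["domain"]
        if host.lower().startswith("autodiscover.") and not host_in_domain(host, domain):
            leaks.append((m["ts"], m["user"], host))
    return leaks
```

Feeding `leaking_candidates` with your own mail domains gives the names worth sinkholing or blocking at the proxy; `find_leaks` over real logs shows whether any client has already made the trip.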

Lithuania urges people to throw away Chinese phones
BBC News: Throw away your Chinese phones, according to Lithuania’s Defence Ministry (or, you know, recycle?). Per the government, several 5G phones from Chinese manufacturers contain security flaws and in one case in-built censorship tools that contained hundreds of terms that could be detected and censored, like "Free Tibet" and "Voice of America." The research also found the Xiaomi phone tested was transferring "encrypted phone usage data to a server in Singapore." Huawei and Xiaomi denied the allegations, but Xiaomi said that the censorship module was disabled inside the EU. The Lithuanian authorities said users should get rid of them "as fast as reasonably possible," and warned that non-Lithuanian citizens were also at risk. The English report is here [PDF].
More: The Record | Reuters ($)

U.S. government buying risky Chinese drones
Axios: Federal law enforcement agencies in the U.S. are buying surveillance drones from Chinese drone maker DJI, despite the Pentagon deeming the company a potential national security threat. The Secret Service bought eight DJI drones on July 26, per records obtained by IPVM, three days before the Pentagon memo said DJI products posed a threat. The FBI also bought 19 drones just days earlier. Many of the fears center on the government's use of Chinese drones, which could share data back with China — fears that the company insists are unfounded.
More: @lachlan
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week, through Patreon. You can also donate one-time: PayPal or Venmo.
~ ~


Former NSA hacker describes being recruited for UAE spy program
Zero Day: You might start out, as I did, thinking, "how on earth could an experienced U.S. intelligence officer get hoodwinked into spying on heads of state for the UAE?" And then the further down you get into @kimzetter's latest, the deception piles up and the horror sets in. This interview with an ex-NSA hacker, who talks about how he was deceived by the company he was hired to work for, is really well done. It comes in the wake of three former U.S. intelligence operatives charged with helping the UAE spy on, among others, U.S. targets.

U.K. Ministry of Defence shared more than 250 Afghan interpreters' details on email
BBC News: The U.K.'s defense ministry mistakenly sent out an email to 250 Afghan interpreters who helped British forces in Afghanistan without masking their email addresses — many of whom are still in hiding following the Taliban offensive last month. Yes, it's 2021 and governments can't seem to "bcc:" an email properly. In doing so, the U.K. government put those Afghans at risk. Many had their names and profile photos attached. It's maddening incompetence.

The iOS 15 privacy settings you should change right now
Wired ($): iOS 15 is now out, sans the CSAM detection that Apple said it was delaying last month. It comes with a ton of security fixes and BlastDoor improvements, so hopefully it won't be hacked by NSO Group as often as it was during iOS 14. With a new software update comes new privacy settings. Wired explains what you need to change.

Zero-day flaw allows remote code execution even on fully-patched Macs
TechSpot: Millions of Macs, including users running the latest unreleased macOS Monterey, are vulnerable to silent remote code execution because of a bug in Finder. The full details are in a blog post here. Meanwhile, @patrickwardle has a thread on the bug.
A screenshot of the bug exploited on a macOS computer.

Researcher publishes source code for three unpatched iPhone exploits
Motherboard: Speaking of unpatched vulnerabilities... a security researcher published three iPhone zero-day bugs amid frustration that Apple only fixed one of four bugs, and "decided to cover it up and not list it on the security content page." The bugs were reproduced in about half an hour — so they're confirmed as working flaws — even if they probably aren't at the top of the severity scale, per @ihackbanme, since they can't be exploited remotely.

Let's Encrypt's root certificate is expiring!
Scott Helme: Let's Encrypt, the free SSL/TLS provider that's served more than two billion free certificates, will next week see its root certificate expire. Most people running the latest tech (say, from the past three to five-ish years) will be fine. But some older devices could face some headaches. We're talking Windows XP (SP3), iOS 10, and Android 7.1.1 and earlier, which might not be able to connect to some sites going forwards. Keep an eye out this week. @scott_helme said it's not clear exactly what will happen when the root certificate expires but "at least something, somewhere is going to break."
~ ~


Netgear routers can be remotely hacked
Tom's Guide: A dozen Netgear 'Nighthawk' routers have a vulnerability that can be exploited to get root. The flaw is in the Disney-designed parental control feature called Circle that costs $5 a month. Here's the catch: even if you didn't pay for the feature, the vulnerability still exists.

NSA and CIA use ad blockers because online advertising is so dangerous
Motherboard: The U.S. intelligence community has deployed ad-blocking tech on a wide scale, according to a letter sent by Sen. Ron Wyden's office to the federal CISO Clare Martorana. It's done this to "block unwanted and malicious advertising content," in other words malware served through bad ads. NSA's Rob Joyce confirmed the agency uses ad blocking. A spokesperson told Motherboard in a statement that it applies to its unclassified networks, which have internet access (unlike classified systems, which don't). That must be one hell of a Pi-hole...

EU formally blames Russia for GhostWriter influence operation
The Record: The European Council has blamed Russia for the "Ghostwriter" espionage and influence campaign that's been active since 2017 and targeted several EU countries, including Latvia and Poland. The warning came ahead of the German elections this weekend. FireEye previously attributed GhostWriter to a group codenamed UNC1151, which both Germany and the wider EU are now attributing to Russia.
~ ~


Right, that's done. Now onto the happy corner.

Shout-out to the kid who tried to trick parents into thinking school was canceled for the day by pretending to be the deputy headteacher by email. Nice try. Sounds like that kid has a future in a red team one day!

A screenshot of an error message saying the password is already in use by [username].

And friends make sure other friends use multi-factor authentication.
Gabsmashh tweet: "imagine falling in love with someone and then finding out that they don't use mfa"
Got some good news from the week? Get in touch:
~ ~


Meet this week's cyber cat, Elli, who as you can see here is hunting for bugs (as any good cyber cat should). Many thanks to Dominik S. for the submission!
Don't forget to send in your cyber cats (or your other fluffy non-feline friends). Send them in with their name and photo by email here.
~ ~


And that's the week. Thanks so much for reading. As always, the suggestion box is always open or feel free to reach out directly at There's no newsletter next week (sorry!) as I'm long overdue for a vacation. See you in October!