~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 4, issue 41

~ ~


A rare win in the cat-and-mouse game of ransomware
The New York Times ($): A solid @nicoleperlroth scoop: Emsisoft researchers found a bug in the BlackMatter ransomware that let them build a decryption tool, so some victims could recover their files without paying the ransom. It's a rare win in the cat-and-mouse game with ransomware actors. Emsisoft is a small New Zealand company that quickly became a go-to resource for understanding ransomware in the early days. With backing from CISA, Emsisoft has kept tens of millions of dollars in ransom payments out of cybercriminals' wallets.
More: Emsisoft | @brettcallow

Core member of REvil ransomware gang identified
Zeit Online: Sticking with ransomware for a second: a core member of the REvil ransomware group has been identified, according to German news outlet Zeit Online. The cybercriminal, known as Nikolay K., lives in Russia and has a warrant out for his arrest, but he rarely travels and hasn't left Russia or Crimea in years. And since Russia isn't exactly willing to hand him over to the U.S., he's not likely to face a courtroom any time soon. @hatr explains the reporting in a tweet thread.
More: Zeit Online (German) | Reuters ($)

SolarWinds hackers continue to hit tech companies, says Microsoft
Wall Street Journal ($): Smooth segue from Russia to... the SolarWinds espionage campaign. According to Microsoft, the same hackers from Russia's foreign intelligence service are still going after technology companies as stepping stones to their real targets, as part of efforts to steal sensitive information. Some 140 tech companies were targeted and around 14 were compromised, using relatively unsophisticated password spraying or phishing. SolarWinds, if you recall, was the campaign in which Russia hacked into nine federal agencies last year. Per Bloomberg ($), the Russian hackers used residential IP proxies to evade detection, "laundering" their traffic through unsuspecting home users' internet connections so that it blends in with ordinary consumer traffic.
More: Cyberscoop | Bloomberg ($) | Microsoft
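Password spraying is cheap to run and easy to miss because each account sees only one or two failures. As an added example (not from Microsoft's or the newsletter's reporting), here is a small detector that runs over a constructed, made-up auth log: it flags a source that fails against many distinct accounts with few attempts per account, distinguishes that from a brute force against one account, and notes whether a success followed the spray. The log format, the IP addresses and the thresholds are assumptions for the example. The grouping key is pluggable because spraying laundered through residential proxies is spread across many source IPs; keying on the whole tenant instead of the source IP catches that case.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data). Assumed format for this example:
#   <ISO timestamp> <OK|FAIL> user=<account> src=<ip>
SAMPLE_LOG = """\
2021-10-25T09:00:01 FAIL user=alice src=203.0.113.10
2021-10-25T09:00:07 FAIL user=bob src=203.0.113.10
2021-10-25T09:00:12 FAIL user=carol src=203.0.113.10
2021-10-25T09:00:19 FAIL user=dave src=203.0.113.10
2021-10-25T09:00:25 FAIL user=erin src=203.0.113.10
2021-10-25T09:00:31 OK user=frank src=203.0.113.10
2021-10-25T09:01:00 FAIL user=gina src=198.51.100.7
2021-10-25T09:01:03 FAIL user=gina src=198.51.100.7
2021-10-25T09:01:06 FAIL user=gina src=198.51.100.7
2021-10-25T09:01:09 FAIL user=gina src=198.51.100.7
2021-10-25T09:01:12 FAIL user=gina src=198.51.100.7
2021-10-25T09:01:15 FAIL user=gina src=198.51.100.7
2021-10-25T09:30:00 FAIL user=henry src=192.0.2.44
2021-10-25T09:30:05 OK user=henry src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "src": m["src"],
        }


def detect_spray(events, key=lambda e: e["src"], window=timedelta(minutes=10),
                 min_users=5, max_per_user=2):
    """Return {group_key: finding} for groups whose failures inside any
    `window` touch at least `min_users` distinct accounts with no more than
    `max_per_user` failures each (low-and-slow spray). A single account
    hammered many times (brute force) does not count toward `min_users`.
    `key` picks the grouping: source IP by default, or a constant for a
    tenant-wide view when the attacker rotates through proxy IPs."""
    by_key = defaultdict(list)
    for e in events:
        by_key[key(e)].append(e)

    findings = {}
    for k, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        for i, start in enumerate(fails):
            in_win = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
            per_user = defaultdict(int)
            for e in in_win:
                per_user[e["user"]] += 1
            sprayed = [u for u, c in per_user.items() if c <= max_per_user]
            if len(sprayed) >= min_users:
                findings[k] = {
                    "users": len(sprayed),
                    "first_seen": start["ts"].isoformat(),
                    # a success after the spray started is the one to chase first
                    "followed_by_success": any(
                        e["ok"] and e["ts"] >= start["ts"] for e in evs
                    ),
                }
                break
    return findings


if __name__ == "__main__":
    for src, finding in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
    print(detect_spray(parse_log(SAMPLE_LOG), key=lambda e: "tenant"))
```

On the sample, 203.0.113.10 is flagged (five accounts, one failure each, then a successful login for a sixth account), 198.51.100.7 is not (six failures against one account is brute force, not spraying), and the tenant-wide run still flags the spray even though gina's brute force sits in the same window.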

FIS’s Worldpay replaces PAX terminals over security concerns
Bloomberg: The FBI and Homeland Security have raided the Jacksonville offices of PAX Technology, a Chinese maker of point-of-sale devices. Brian Krebs reports that the raid is "tied to reports that PAX's systems may have been involved in cyberattacks on U.S. and E.U. organizations." It comes as FIS' online payments processing unit Worldpay began replacing the 5% of its terminals made by PAX over concerns about their security, namely that the terminals are allegedly being used as malware droppers and as command and control servers. Bloomberg cited the detection of "unusual network packets" from these terminals. Definitely a story to watch in the coming days and weeks, though PAX has largely denied the allegations so far.
More: Krebs on Security | BBC News
Courtney Cole tweet: "There are several agencies involved in this investigation @ PAX Technology Warehouse. ⬇️ We've seen FBI, Homeland Security + JSO here to assist."

U.S. Copyright Office eases rules on computer security research
The Register: Hackers, rejoice! Your security research work just became slightly less illegal in the U.S.-of-A. It's a small victory but it's still significant: the U.S. Copyright Office has revised its DMCA Section 1201 exemptions to relax some of the legal restrictions on things like circumventing copy protection for security research. The EFF has a good post on the rules and what they mean. All too often, these laws are used to suppress research that companies find embarrassing to their brands. It's a (small) step in the right direction.
More: The Verge | EFF Deeplinks
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week, through Patreon. You can also donate one-time: PayPal or Venmo.
~ ~


Node poisoning: hijacked package delivers coin miner and credential-stealing backdoor
Sophos: A package on the npm registry for Node.js was briefly hijacked last week to push a version carrying a malicious script. On Linux machines it installed a Monero miner; on Windows it tried to steal credentials. Sophos' @thepacketrat explains how the campaign worked in a long tweet thread and a blog post.

NRA responds to reports of Grief ransomware attack
ZDNet: Grief, the rebranded ransomware gang tied to the Russian crime group Evil Corp., published a post claiming it had stolen data from the National Rifle Association, the big firearm lobbying group in the U.S. The NRA wouldn't confirm a ransomware attack. But the post has since disappeared from Grief's Tor leak site, for reasons nobody has explained yet. It might be that a negotiation is under way, or that a ransom was paid. That could be interesting, as Wired ($) notes, because Evil Corp. is under U.S. government sanctions, and "transacting" with them is prohibited.

The Pixel 6 Tensor chip’s best upgrade isn't speed. It's security
Wired ($): Sticking with Wired for a second. Google's latest flagship Android phone, the Pixel 6, is out — and it comes with a new custom Tensor smartphone chip. It packs in a ton of new security measures and features. An interesting takeaway: a new Google Binary Transparency service, which allows anyone to check whether the version of Android running on a Pixel is verified and not somehow compromised. @lilyhnewman explains: "The system stores signed hashes on a public ledger that should match hashes you can generate from your own device. If they don't match, it's an instant red flag. And if researchers discover that the hash of a known compromised phone does match the hash logged in Google Binary Transparency, it could reveal an insider threat within Google."

Location data firm Huq got GPS data from apps even when people opted out
Motherboard: Huq, a location data vendor that obtains granular location data from phone apps, was receiving GPS data even when people had opted out, researchers and Motherboard found. Huq is based in the U.K. and processes over one billion mobile events every day from 161 countries. Motherboard reproduced the opted-out data collection in its own testing. BBC News also has coverage.
~ ~


Docket security bug exposed COVID-19 vaccine records
TechCrunch: An app called Docket is the "vaccine passport" of choice for the states of New Jersey and Utah. But the app, developed by a private company, had a security bug that allowed anyone to access the records of other people who have been vaccinated against COVID-19. The bug was discovered by TechCrunch and was fixed on the server side a short time later. (For the technical folks, we're looking at an enumerable IDOR.) Makes you wonder why the CDC approved the app to begin with. (Disclosure: I wrote this one.)
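For the technical folks, the shape of an enumerable IDOR and its fix, as an added example that is not Docket's code and does not describe how its server worked: the vulnerable handler looks a record up by a sequential ID and never asks who is calling, so walking the ID space dumps every record; the hardened handler checks that the authenticated account owns the record and, as a second layer, uses random tokens instead of counters so the ID space can't be walked in the first place. The record contents and account names are constructed.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    owner: str      # authenticated account the record belongs to
    name: str
    doses: int


# Constructed sample data, not real vaccination records
RECORDS_BY_SEQ = {
    1: Record("acct-alice", "Alice Example", 2),
    2: Record("acct-bob", "Bob Example", 1),
    3: Record("acct-carol", "Carol Example", 2),
}


# --- Vulnerable shape: sequential ID and no ownership check (the IDOR) ---

def get_record_vulnerable(current_user, record_id):
    # current_user is never consulted; any logged-in caller reads any record
    return RECORDS_BY_SEQ.get(record_id)


def enumerate_vulnerable(current_user, max_id=10):
    """Walk the ID space the way a curious client would."""
    found = []
    for i in range(1, max_id + 1):
        rec = get_record_vulnerable(current_user, i)
        if rec is not None:
            found.append(rec)
    return found


# --- Hardened shape: ownership check first, non-enumerable identifiers second ---

class NotFound(Exception):
    pass


RECORDS_BY_TOKEN = {}
TOKEN_FOR = {}
for rec in RECORDS_BY_SEQ.values():
    token = secrets.token_urlsafe(16)   # 128 bits of randomness; guessing is infeasible
    RECORDS_BY_TOKEN[token] = rec
    TOKEN_FOR[rec.owner] = token


def get_record(current_user, token):
    rec = RECORDS_BY_TOKEN.get(token)
    # The ownership check is the real fix: a leaked token must still be useless
    # to anyone but its owner. One error for "no such record" and "not yours"
    # keeps the endpoint from acting as an oracle for which tokens exist.
    if rec is None or rec.owner != current_user:
        raise NotFound()
    return rec


def enumerate_hardened(current_user, max_id=10):
    """The same walk against the hardened endpoint."""
    found = []
    for i in range(1, max_id + 1):
        try:
            found.append(get_record(current_user, str(i)))
        except NotFound:
            pass
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_vulnerable("acct-alice"))
    print("hardened:  ", enumerate_hardened("acct-alice"))
    print("own record:", get_record("acct-alice", TOKEN_FOR["acct-alice"]))
```

Note the order of the two defences: random tokens alone are not an authorization control, since tokens end up in logs, referrers and screenshots, so the `rec.owner != current_user` check is the line that closes the bug; the tokens only remove the cheap enumeration path.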

A cyberattack paralyzed every gas station in Iran
NPR, Associated Press: Iran's president says a cyberattack that paralyzed every gas station in the country was likely intended to provoke anger and protests. (Well, that's one guaranteed way to do it.) No group has claimed responsibility for the attack, which began Tuesday, but it comes at a precarious time for the country's economy, under the weight of U.S. and international sanctions. Electronic billboards in other cities appeared to taunt the country's leaders. @campuscodi has more in a tweet thread.
Shayan Sardarizadeh tweet: "Iranian petrol stations have been targeted by a nationwide cyber-attack, with digital screens displaying the message "64411" at pumps. Some billboards have been caught on video displaying the message: 'Khamenei, where is our petrol?'"

Police arrest hackers behind over 1,800 ransomware attacks
Bleeping Computer: Europol has arrested 12 individuals believed to be linked to over 1,800 ransomware attacks in 71 countries. The hackers deployed LockerGoga, MegaCortex, Dharma and other ransomware against their victims, including Norsk Hydro, the aluminium manufacturer. @uuallan says this is the 10th law enforcement action taken against ransomware actors this year.

Chrome 95 update patches exploited zero-days, flaws disclosed at Tianfu Cup
SecurityWeek: Another batch of zero-days just dropped. Google pushed out updates for Chrome to patch flaws already being exploited, while participants at this year's Tianfu Cup found bugs in Windows 10, iOS 15, Microsoft Exchange, and Docker. @ryannaraine puts the tally of zero-days disclosed so far this year at 77.
~ ~


OK. Let's move on to the happy corner.

Great news from last week's #ShareTheMicInCyber. Some 50+ people donated more than $5,000 to help @BlackGirlsHack hit $10,000 for a new program for young Black kids to take security training and get interested in cyber. With participation from @craignewmark, the fund now stands at $15,000. Absolutely incredible.

And, #CaptionContest this.
Martin Matishak tweet: "Gonna need the backstory on the giant shark head in the corner, @CISAJen."
Got some good news from the week? Get in touch:
~ ~


Meet Rell, this week's cyber cat. Rell is named after the cyclops in the movie Krull. Her human tells me that she's super chirpy and keeps her eye on her humans while they work. Absolutely brilliant photo! A big thanks to Kerry Q. for the submission.
Please keep sending in your cyber cats (and your other fluffy non-feline friends). You can send them in with their name and photo by email here.
~ ~


That's all for this week — thanks for reading! If you have any feedback, feel free to drop it in the suggestion box or reach out. See you next week!