this week in security — april 10 edition
THIS WEEK, TL;DR
FBI disrupts Cyclops Blink botnet linked to Russian GRU
Justice Department: Big news out of the DOJ this week when it announced the FBI had conducted an operation to disrupt the Cyclops Blink botnet, attributed to a threat group called Sandworm, otherwise known as Russian military intelligence. The operation didn't involve mass-removing malware from infected devices, but instead targeted the command and control servers used to control the botnet by locking Sandworm out of the servers — specifically. The U.K.'s NCSC sounded the alarm on Cyclops Blink in February, but only about 39% of device owners updated and patched their devices, leaving the majority still vulnerable. How well did the operation go? Given that only about half of the C2 servers targeted by authorities were in the U.S., that leaves half... still active. We shall see.
More: Ars Technica | Motherboard
Hackers breach MailChimp's internal tools, Block employee steals customer data
Bleeping Computer, TechCrunch: Bad week for insider attacks. First up, Mailchimp (which delivers this newsletter*) was targeted by hackers who accessed internal company admin tools in order to access data on 319 customers. The hackers ultimately downloaded audience data (email addresses) on 102 customers, mostly in the cryptocurrency space. It follows a spate of similar hacks on companies involving their internal admin tools. And, Block, which used to be Square, said in an SEC filing this week that a former employee downloaded reams of customer information — somehow — after they left their employment. Block is contacting some 8.2 million customers. Ouch, and it wasn't detected for four months. Double ouch. (*I wasn't notified, like others were, of an account breach so I think you're safe.)
More: Wall Street Journal ($) | @kimzetter
How German police shut down 'Hydra,' one of the largest dark web marketplaces
BBC News: German authorities are credited with the takedown of a massive Russian dark web marketplace called Hydra, one of the largest suppliers of drugs and money laundering services, facilitating some $5 billion in Bitcoin transactions since its inception in 2015. @joetidy has the explainer of how the takedown went down. Police say Hydra had 17 million users in total.
More: Bundeskriminalmt | Motherboard | Wired ($) | @joetidy tweets
Google bans apps with hidden data-harvest software
Wall Street Journal ($): Great reporting here on another location and data-harvesting SDK packaged with a ton of Muslim prayer apps, QR code readers, and speed trap detector apps. The SDK was run by a Panamanian company called Measurement Systems, which surreptitiously collects device data and phone numbers(!) of millions of users who installed the apps. The company that wrote the code is linked to a Virginia-based cyber intelligence company that does intercept work for U.S. national security agencies. The shady activity was first spotted by AppCensus, which details the technicals in a blog post. Google removed several Android apps for violating its rules — which doesn't help users who have already downloaded and installed the suspect apps — but some of the apps are already back in the app store after removing the SDK.
More: AppCensus | BBC News | @dnvolz
~ ~
~ ~
THE STUFF YOU MIGHT'VE MISSED
Police records show women are being stalked with Apple AirTags across the U.S.
Motherboard: @samleecole does incredible work here reporting on the threat that women across the U.S. face from Apple AirTags, the tiny pebble-sized trackers that have become the center of harassment and stalking claims. Police departments across the U.S. are seeing reports flood in. Apple put in some protections, including adding an Android app, after the fact, but AirTags continue to pose a real-world security risk to many.
The FBI is spending millions on social media tracking software
Washington Post ($): The FBI has contracted for 5,000 licenses to use Babel X, a software made by Babel Street that lets users search social media sites within a geographic area and use other parameters, reports the Post. The deal for the OSINT tool is said to be worth $27 million. FedScoop with more.
Hackers flood internet with what they say are Russian companies' files
NBC News: A look at Distributed Denial of Secrets, an organization known for publishing leaked files from a variety of sources — police departments, right-wing social media platforms, and far-right groups themselves. Now the organization is inundated with a flood of data from Russian companies, like banks, energy companies, and government agencies, since Russia's invasion of Ukraine. @kevincollier explains: "The leaks are part of a larger ecosystem of amateurs trying to help Ukraine’s war efforts with their own keyboards."
~ ~
OTHER NEWSY NUGGETS
FIN7 adds ransomware to its belt: The financially motivated group FIN7 has a new trick up its sleeve: ransomware. The new findings via Mandiant confirm that FIN7 has been getting cozy with ransomware actors, and even used ransomware as part of its attacks.
Raspberry Pi ditches default user account: See you later "pi" account, you're out. The longtime default "pi" account has been phased out for security reasons. That may break some software and scripts. It seems to coincide with a new U.K. law that specifically forbids default credentials in new tech, and companies can face steep fines for falling foul of the new rules.
Windows 11 gets a drop of new security features: A ton of new security features were announced for Windows 11 this week. "Among the updates is Microsoft Pluton, a security processor integrated directly into versions of AMD Ryzen and Qualcomm CPUs; a Smart App Control feature for preventing unsigned and untrusted apps from running; and controls enabled by default for protecting against credential theft, for authenticating users, and for blocking vulnerable drivers." Microsoft explains more in a blog post.
Google Meet to get end-to-end encryption: Google's answer to Zoom, aka Google Meet, will get end-to-end encryption for all video and voice meetings later this year, the company announced. Client-side encryption will land in the interim.
~ ~
THE HAPPY CORNER
Despite the ongoing war in Ukraine, there was a droplet of good news for the many in Russia who are still trying to get access to news from outside of the country. but are faced with oppressive censorship at home, coupled by sanctions.
Mozilla enabled DNS-over-HTTPS by default in Firefox across Russia and Ukraine to make it easier for users in the region to evade censorship. Meanwhile, the U.S. Treasury has carved out exceptions for telecoms providers amid sanctions targeting Russia, allowing Russians to access communications outside of Russia (which internet rights defenders had been calling for).
To send in good news for the happy corner, please reach out to: this@weekinsecurity.com
~ ~
CYBER CATS & FRIENDS
This week's cyber cats are Cicero and Kepler, who can be seen here looking like they're about to drop the year's hottest new album. Probably the coolest cats I've seen in some time. A big thanks to Hassan K. for the submission!
Don't forget to send in your cyber cats — and their friends! Drop an email here with their name and photo, and they'll be featured in an upcoming newsletter.
~ ~
SUGGESTION BOX
That's all for this shorter-than-usual (by my count, anyway) newsletter. Feel free to drop any feedback in the suggestion box or email me any time. Head's up — there will be no newsletter next week, but back the week after. Don't forget to send in your cyber cats... we're running low.
Be well, and see you in a couple of weeks.
—@zackwhittaker