this week in security — april 23 edition
THIS WEEK, TL;DR
How democracies spy on their citizens
New Yorker ($): New details emerged this week about how Spain, a democratic nation, targeted politicians and European lawmakers involved in the dispute over Catalonia's independence with phone spyware, according to new findings from Citizen Lab. The report also looks at how phones belonging to those working for the U.K. government, including in the prime minister's office and the U.K.'s foreign ministry, were infected with Pegasus, activity that was likely linked to the UAE. Although NSO's Pegasus was involved, investigators also found that Candiru, another spyware maker, impersonated COVID-19 communications from the Spanish government. Spain is not the first EU country to have used Pegasus (or spyware at large), but it is the latest, after Hungary and Poland were found to have also used spyware. @RonanFarrow's long read on this is worth it.
More: Citizen Lab | Amnesty International | @dnvolz | @razhael | @jsrailton
CISA: Shields up, fearing a Russian cyberattack
CISA: Amid concerns that Russia could target the U.S. with a massive cyberattack (or attacks plural), government officials fear a case of when, not if. Since the start of the invasion, Russia's wartime cyber offensive has been, well, not great, but it's not to say the threat doesn't exist. That's why CISA has been on a tear trying to get organizations to patch their systems to prepare for the incoming hurricane, so to speak. CISA chief @CISAJen was one of many urging folks on CBS News' 60 Minutes to put their "shields up" ahead of anticipated Russian activity. CISA also has a full doc of what to expect, from whom, and what IOCs to look out for.
More: CISA | 60 Minutes | @CISAJen | @snlyngaas
Google, Mandiant share data on record pace of zero-day discoveries
SecurityWeek: Google's Project Zero and Mandiant have reports out this week detailing the current state of zero-days. The firms found between 58 zero-days (which is to say a previously undiscovered vulnerability that's exploited in the wild) and upwards of 80. The difference in the number isn't a surprise, since Google's scope is narrower. Still, although only a window into wider zero-day activity since it's near-impossible to know for sure, the data suggests more zero-days are being used in attacks — including wealthy and well-resourced actors — but that the detection around zero-days is also getting better.
More: MIT Technology Review ($) | Wired ($) | @_MG_
Major cryptography blunder in Java enables 'psychic paper' forgeries
Ars Technica: In Doctor Who, the Doctor will on occasion flash a piece of "psychic paper" that appears to show whatever the holder wants to show — a security pass or a police badge, for example, even though the paper is actually blank. All of this to say, a vulnerability in Oracle's Java framework basically allows for this exact kind of attack because of how Java implements ECDSA. This could allow an adversary to forge TLS certificates and two-factor authentication messages, allowing them to "trivially and completely bypass" Java's security mechanisms. According to Neil Madden, who discovered the bug, "almost all WebAuthn/FIDO devices in the real world" (including Yubikeys) use ECDSA signatures. If you've deployed Java 15-18 in production, you might want to update your stuff sooner than later. A good thread by @tqbf on the impact.
More: Oracle Security Updates | Neil Madden
Leaked chats show Lapsus$ stole T-Mobile source code
Krebs on Security: Congratulations to T-Mobile for its seventh breach since 2018. The second largest U.S. cell network confirmed its latest data breach after @briankrebs obtained chats that showed the Lapsus$ hacking and extortion group accessed T-Mobile's network and stole source code. T-Mobile said the breach was "several weeks ago" (earlier in 2022) and that the code contained "no customer or government information." But screenshots show just how close the hackers were to T-Mobile's systems, accessing internal tools for carrying out SIM swapping attacks. T-Mobile just needs three more breaches to get a full hackers' punch card.
More: Motherboard | @briankrebs
~ ~
~ ~
THE STUFF YOU MIGHT'VE MISSED
Virginia police routinely use secret GPS pings to track people’s cell phones
Virginia Mercury: Incredible local reporting about how police in Virginia obtained real-time location warrants addressed to telephone companies ordering them to "regularly ping a customers’ phone for its GPS location and share the results with police." Here's the thing though. One of the people regularly surveilled was a man who was never described as a suspect, nor was he charged with any crime, but instead police tracked his location anyway because they thought it would lead authorities to a drug dealer who was responsible for a person's death. The report also found many other instances of police using real-time location warrants against individuals who simply "associate" with possible suspects. In some cases, the report said, police sought the warrants even in cases where officers weren’t sure who exactly they were tracking.
Netflix hints at password sharing crackdown as subscribers fall
BBC News: The day of sharing streaming passwords may be over (notwithstanding the many legal weirdisms about sharing passwords). Netflix said it may crack down on streamers who share their account passwords with friends or family. According to the company, which this week announced its latest earnings report, said about 100 million households watch its service for free using shared passwords out of about 220 million total subscribers. Cracking down on password sharing, though, probably won't be an easy sell when the cost of living is going up.
U.S. phone tracking firm demoed surveillance powers by spying on CIA, NSA
The Intercept: More incredible reporting here: Anomaly Six, a secretive government contractor, claims to have the location data of billions of devices around the world, and used that data, according to The Intercept, as a proof-of-concept to demonstrate how easy it was to use this data to spy on even CIA and NSA operatives. The data is collected from SDKs embedded in smartphone apps, which often the user agrees to without reading the privacy policy. That said, this is clearly pretty alarming, even if other companies are doing much of the same thing. (If anything, that makes it even more concerning.) @WolfieChristl, who was quoted, has a good tweet thread on the story.
Surfshark, TurboVPN, VyprVPN are installing risky root certificates
TechRadar: Breaking news: VPNs are a hot mess of security problems. But really, new research shows several major VPN providers — including Surfshark, TurboVPN and VyprVPN — use a risky security practice that involves users installing trusted root certificates — and in some cases not obtaining explicit permission to do so. Root certificates are supposed to be trusted and installed carefully since they can allow vast access to your network data (which can contain secrets and private information). But if a root certificate is compromised, it's game over — since that allows an attacker to impersonate websites and steal sensitive information. The use of root certificates is the sort of thing we've seen governments attempt to use (frequently and badly) for spying.
ESET uncovers UEFI vulnerabilities in Lenovo laptops
The Register: ESET found a set of vulnerabilities in the UEFI secure boot feature in Lenovo laptops that could be used to sneakily hide malware in the boot process. Per ESET, the bugs are "executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their operating system payloads from being executed." As the bugs are found in the secure boot process, a lot of Lenovo laptops are vulnerable — more than a hundred models, per ESET.
~ ~
OTHER NEWSY NUGGETS
Web scraping is legal, says appeals court (again): Good news for archivists, researchers and anyone who wants to scrape publicly accessible content, it's legal, according to the U.S. Ninth Circuit of Appeals. LinkedIn brought a case against Hiq Labs for scraping user profiles without permission, and claimed Hiq was hacking, essentially, and in breach of the CFAA. The Ninth Circuit ruled on it back when, saying scraping was basically fine, but it was appealed to the Supreme Court — which bounced the ruling back to the Ninth Circuit for another review, only to find its original ruling was sound. (Disclosure: I wrote this story.)
North Korea targets cryptocurrency workers: CISA dropped the details on new North Korean threat activity. According to the agency, North Korean hackers are targeting a variety of tech companies and cryptocurrency exchanges by sending spearphishing emails sent under the guise of recruiting, but they're actually packed with malware that's designed to steal cryptocurrency. North Korea has long stolen and used cryptocurrency to fund its nuclear weapons program, and was recently accused of the $650 million Axie Infinity heist.
Okta's breach post-mortem: Identity giant Okta said two of its customers had information accessed after it was compromised earlier this year by Lapsus$ hackers. Okta's post-mortem also says the company fired Sitel, the customer service company that the hackers initially compromised before moving onto Okta. That's a far, far different take from Okta's initial response, which customers criticized Okta for failing to notify them of the incident months after the compromise happened. Cloudflare said it found about Okta's security incident not from Okta, but from a tweet.
Ransomware's half-year: Thought ransomware was dying down? Think again. Ransomware "sommelier" @uuallan has a helpful chart explaining the state of ransomware variants from the past six months. It's... complicated, but helpful for visibility.
~ ~
THE HAPPY CORNER
Happy Sunday. Here's the good stuff.
First up, Windows lock-screen wallpapers are getting really realistic.
Congratulations to Let's Encrypt, the internet's favorite free TLS/SSL certificate provider for winning this year's Levchin Prize, which honors major innovations in cryptography (or as I frequently call it, the "OG crypto"). It was just in September that Let's Encrypt hit the incredible milestone of 2 billion certificates issued.
Meanwhile...
And finally, please enjoy this brief moment of peace in the form of a haiku from one of my colleagues, who isn't on Twitter and is probably better off for it.
To send in good news for the happy corner, please reach out to: this@weekinsecurity.com
~ ~
CYBER CATS & FRIENDS
This week's cyber cat is Lily, who was just skimming through your files for no reason... absolutely no espionage here. Many thanks to @fanofwheels for the submission!
Please keep sending in your cyber cats (or their friends)! We're running low... drop an email here with their name and photo, and they'll be featured in an upcoming newsletter.
~ ~
SUGGESTION BOX
That's all for this week. Thanks for reading! As always, feel free to drop any feedback in the suggestion box or email me any time. And, please — send in your cyber cats! Repeat cyber cats are always welcome.
Hope you have a great week. See you Sunday.
—@zackwhittaker