this week in security — april 30 edition
THIS WEEK, TL;DR
Exploit released for 'critical' PaperCut flaw already under attack
Ars Technica: Security flaws in PaperCut, a popular and widely used enterprise print management software, are under active exploitation. The most damaging of the bugs lets an attacker gain system-level privileges on vulnerable PaperCut servers on an enterprise network. At least 1,800 publicly exposed servers exist, per Huntress, but the figure is likely higher. PaperCut issued patches in March but said unpatched servers are getting hit. Huntress said it witnessed attacks exploiting the bug to deploy Truebot, an initial-stage malware used by the Clop ransomware group, which was blamed for the recent Fortra mass-hack targeting GoAnywhere file transfer systems. Microsoft said later that the notorious LockBit ransomware group is also exploiting the flaws.
More: PaperCut advisory | Huntress | Horizon3 | TechCrunch | @MsftSecIntel

FBI warrantless searches of Americans' data sharply dropped
Wall Street Journal ($): The number of warrantless searches of Americans' data by the FBI dropped sharply from millions of searches to just over 120,000 — a near-90% drop in year-over-year searches. That's according to the ODNI, the office of the U.S. chief spy, which oversees the intelligence community. The drop — still some 300 warrantless searches a day, per @LizaGoitein — comes as lawmakers debate the use of the government's so-called Section 702 authority, amid numerous reports detailing how the FBI abused its authorities on multiple occasions. The FBI said the number dropped this year because of "internal reforms." Sounds great, but self-policing hasn't worked thus far. Lawmakers are set to vote on whether to extend or reform Section 702, which is due to expire at the end of the year.
More: Associated Press | CBS News | Electronic Frontier Foundation
DOJ detected SolarWinds hack six months earlier than first disclosed
Wired ($): The SolarWinds espionage campaign, which saw Russian GRU officers hack into federal networks via the popular network management software, was detected six months earlier than was first reported. The DOJ spotted the hackers in May 2020 but reportedly didn't understand the scale or significance of the hack, and SolarWinds couldn't find a vulnerability in its code. So, everyone went on their merry way for months, until Mandiant discovered it was hacked by the same maliciously modified SolarWinds software update that was also running on the DOJ's network. @kimzetter has the scoop on the breakdown in government communications.
More: Wall Street Journal ($) | @dnvolz | @lhn
Iran gained access to election results website in 2020
Washington Post ($): U.S. military (aka "cyber warriors") spotted Iranian hackers in the network of a local government website that was set to report 2020 U.S. election results (you know, that one). Military officials disclosed the hack at RSA this week after the incident was "declassified for Monday's presentation." (See, the government can move fast when it wants to!) "It could make it look like the votes had been tampered with," said one of Cyber Command's generals. That's pretty much one of the worst-case scenarios for the election. Yes, while hacking election machines sounds terrifying, it's incredibly unlikely since voting machines are generally not directly connected to the internet. What is more likely is hackers tampering with poorly secured election result websites to create confusion that causes voters to think the outcome was meddled with.
More: NBC News | Associated Press

Twitter is complying with more government demands under Elon Musk
Rest of World: Twitter has not refused a single request since Elon Musk took ownership of the social media giant, per self-reported data. In the past six months of Musk's ownership, Twitter received more government demands for users' information — including anonymous accounts (such as those who are oppressed by their own governments). Since Twitter doesn't break down the figures any more, Rest of World obtained the information from Lumen. Under previous ownership, Twitter regularly faced shutdowns, bans and blocks from governments for actively resisting authoritarian demands.
More: Twitter | Techdirt | @russellbrandom tweets
~ ~
THE STUFF YOU MIGHT'VE MISSED
Sources speak of security failures at TikTok's Virginia data centers
Forbes ($): Unescorted visitors. Poor access controls. Unmarked flash drives plugged into servers produced by a sanctioned tech company. All the things you don't want happening in your data center, but that's what sources tell Forbes is happening in TikTok's Virginia server farm. According to Senate intel committee chair Mark Warner, "Each new story raises more concerns and provides additional examples of TikTok appearing to misrepresent its data security practices."
10/10 critical flaw in Illumina's DNA sequencing tech
TechCrunch: CISA and the U.S. Food and Drug Administration have published advisories regarding a critical-rated 10.0 vulnerability in Illumina DNA sequencing machines. The reason for the top severity warning is that an unauthenticated attacker — i.e. no passwords needed — can remotely and over the internet access exposed Illumina devices and alter, destroy, or steal patients' medical data stored inside. It's believed there are thousands of devices out there, but it's not known how many are connected to the internet, since the company declined to say. So much for transparency.
A security team is turning this malware gang's tricks against it
Wired ($): The Gootloader malware is an initial-access-as-a-service, whereby hacking groups use the access to steal files, plant ransomware, or do whatever they want to do with that initial backdoor. It's popular too — the Russia-based ransomware group REvil used it during its heyday. But it turns out that the way Gootloader covers its tracks to stay stealthy can also be used against it. And it sounds like it's working...
DHS pushes Congress to formally establish Cyber Safety Review Board
The Record: Homeland Security is pushing for a bill that would codify the Cyber Safety Review Board into law. The CSRB is a board set up by CISA and staffed by top industry experts that post-mortems major cyber-catastrophes and produces recommendations on how to prevent similar incidents in the future. Log4j was the board's first report and the Lapsus$ mass-hacks are up next. Codifying the board would give the panel more powers to subpoena victims (and others) to speak honestly and get the information it needs. More from @DHS_Policy in the tweets.
~ ~
OTHER NEWSY NUGGETS
Google flubs its cloud 2FA rollout: Google updated its Authenticator app, which spits out two-factor codes, to sync secrets with the cloud. That means you can get your 2FA codes on any device via your Google Account. Aside from the fact that if someone compromises your Google account, it's game over, the app itself doesn't sync secrets using end-to-end encryption. Per @mysk_co, which discovered the flaw, the app still works just fine if you switch off the syncing feature (and more advice here if you've already turned it on). Google said it'll add E2EE "in the future." Great. (via Gizmodo)
AT&T hackers stealing customers' cryptocurrency: Cybercriminals claiming internal access to AT&T's network are creating "mail keys," which customers can use to access their AT&T email from email clients that don't support OAuth or single sign-on. With this access, the hackers are resetting passwords for more lucrative accounts like cryptocurrency exchanges in order to cash out a victim's cryptocurrency. @lorenzofb found victims who were compromised. AT&T, however, claimed its systems weren't compromised but blamed it on an API issue... (yes, my eyes rolled, too). (via TechCrunch)
CryptBot domains takedown: Google secured a court order this week granting the search giant the authority to "take down current and future domains that are tied to the distribution of CryptBot." The "future domains" is the big part of this, since it allows Google to perpetually keep CryptBot at bay (in theory). Google said it found CryptBot impersonating its own products, like Google Chrome and Google Earth Pro. Google said it traced the info-stealing malware's activity to several of its "major distributors" that it believes are based in Pakistan. (via Google)
Salesforce sites leaking private data: A common misconfiguration in Salesforce websites — used by a ton of organizations, including banks and healthcare giants — exposes private and sensitive data. The issue allows unauthenticated users to access records that should be locked down. Salesforce said it gives clear guidance to customers on how to set up their instances. But some customers pushed back on that, saying Salesforce makes configuring these systems more difficult than it needs to be. (via KrebsOnSecurity, Platinum7)
~ ~
THE HAPPY CORNER
Welcome to the happy corner. For those who went to RSA, I hope you enjoyed it and got home safely. Seems like everything went well... for the most part?

And, a short one this week: Georgia is paying hackers to try to break into its Medicaid portal via a HackerOne bug bounty. The state's health department has already dished out $200k to hackers to help secure its portal as part of the state's efforts to stay "one step ahead" of bad actors. Since the Deloitte-developed portal is also used in other states, Georgia said it's sharing details of bugs it finds with other states.
If you have good news you want to share, get in touch at: this@weekinsecurity.com.
~ ~
CYBER CATS & FRIENDS
Meet this week's cyber cat, Balthazar, who you can see here carefully monitoring his secure enclave for intrusion attempts. A very good boy, give him a treat. Many thanks to his human, Ollie J., for sending in!

Don't forget to send in your cyber cats (or their friends). Send in a photo and their name, and they'll be featured in an upcoming newsletter.
~ ~
SUGGESTION BOX
That's it for this week... and next. I'll be taking this coming Sunday off. In the meantime, you can always send in any feedback (or suggestions!) by email.
Take care, be well, and see you soon.
—@zackwhittaker