this week in security — august 6 edition
THIS WEEK, TL;DR
Cloud company assisted 17 different government hacking groups
Reuters ($): A little-known cloud host company is providing state-sponsored services to spy on and extort its victims. Cloudzy (previously known as RouterHosting) is registered in Wyoming but researchers say it's a front for an Iranian cloud host. Several state-backed APT groups are known to use Cloudzy's services, including APT10, FIN12, and spyware maker Candiru. The research comes from Halcyon, an anti-ransomware company, which highlights how hacking groups use under-the-radar hosts to carry out their cyberattacks.
More: Halcyon | Cyberscoop | TechCrunch
Multiple Chinese APTs establish beachheads inside U.S. infrastructure
Ars Technica: Onto something a little bigger: Three major campaigns from Chinese threat groups are keeping defenders on their toes, amid fears that China may be laying the groundwork for a cyberstrike on U.S. infrastructure networks. @dangoodin does a great job of parsing three major incidents: Kaspersky says China is increasingly looking to target air-gapped systems, and the other cites a New York Times ($) report that says China has hidden malware in the critical infrastructure systems used by U.S. military bases, likely as a way to slow down a U.S.-led response to a possible invasion of Taiwan by China. The third is Microsoft's recent email hack, which caught up several U.S. government agencies in the process. Still no word on those mysterious 25 organizations that were hacked, though one is the U.S. State Department and another is Commerce.
More: The New York Times ($) | Bleeping Computer
Hackers force hospital system to take its national computer system offline
NBC News: The FBI is said to be investigating a multi-state hospital hack involving Prospect Medical Holdings, which owns a chain of hospitals and more than 165 outpatient facilities. Some 16 hospitals across Connecticut, Pennsylvania, Rhode Island and Southern California were hit by the ransomware attack. It's not clear which group is behind the incident. NBC reports that staff are relying on pen and paper (which isn't unusual in a situation like this) and ambulances were being diverted. This'll be one to watch this week, given its size and scale. CISA said this cyber incident "underscores the seriousness of the cyber threat to our nation’s critical infrastructure." For when this inevitably comes up, PMH made almost $3B in revenue and a search of its website doesn't appear to mention "cybersecurity" anywhere.
More: NBC Connecticut | USA Today | The Record
Pentagon investigates 'critical compromise' of Air Force communications
Forbes ($): As if the U.S. doesn't need another case of government secrets in the open (or the wrong hands), the Pentagon is investigating what it's calling a "critical compromise" of communications across 17 Air Force facilities after an engineer at a base in Tennessee allegedly stole government radio equipment and brought them home. According to a search warrant, by pilfering almost $100k of equipment, the engineer allegedly had "unauthorized administrator access" to radio comms affecting 17 Pentagon installations as well as — potentially — the FBI and other Tennessee state agencies. Let's not forget the criminal case of Jack Teixeira is ongoing.
More: The Guardian ($) | CSO Online | @iblametom
~ ~
THE STUFF YOU MIGHT'VE MISSED
BeyondCorp finds CVSS 10.0 flaw, flubs the disclosure
Brian Krebs: BeyondTrust has found and disclosed a CVSS 10.0 vulnerability that allows an unauthenticated attacker to inject commands into an affected system to gain privileges as the site user. Yes, that's no passwords or credentials required, and that's really bad. BeyondTrust discovered the bug in-house and pulled an affected update, but also hid the details of the vulnerability behind a login wall. What a bad way for BeyondTrust to handle the situation. Did it get notes from Ivanti?
Feds say white nationalists may deploy Flipper Zero, citing little evidence
Daily Dot: According to an inter-agency U.S. intelligence fusion center, the NYPD is warning that "racially and ethnically motivated violent extremists," (i.e. white supremacists, aka "REMVEs") may seek to use hacking capabilities "in order to bypass access control systems," referring to the spate of electricity substations that have been attacked and shot at in recent years. The bad news is that the NYPD seems to pin the blame on Flipper Zero devices, the handheld Swiss army knife of hacking tools (for educational use only, of course). The cops say they haven't actually observed REMVEs "explicitly discuss the potential for Flipper Zero to be used in attacks," but it seems like this could be a precursor to trying to get these devices banned or restricted.
Senate votes to allow marijuana users to get security clearance
Marijuana Moment: Weed consumers will soon be allowed to work for the U.S. intelligence community if a Senate vote has its way. The must-pass NDAA bill that comes around every year had a bill tacked onto it that would ban the CIA and NSA from denying security clearance to applicants solely due to their past marijuana use. It still has to pass the House, and the White House hasn't said much on it. Senior senators on the Senate Intelligence Committee have been pushing for this bill for years, since the intelligence community can't hire a whole raft of very qualified and highly intelligent folks who are going to the private sector because they, like a good portion of America, get high, relax and eat chips.
Canon warns printer users to wipe Wi-Fi settings before discarding
Ars Technica: When does a factory reset mean actually reset? Not if it's a Canon printer. This week, the printer maker said wiping your printer before kicking it to the curb does not delete the user's Wi-Fi settings. In an advisory, Canon warned this could allow bad actors to break into your Wi-Fi network. As if you couldn't hate your printer any more than you already do, and then it does this.
Meet the trailblazer who helped secure the internet and billions of devices
TechCrunch: My TC colleague @lorenzofb spent months working on this incredible profile of Window Snyder, a cybersecurity professional who spent much of her career working at Microsoft, Apple, Fastly, and Mozilla, and helped to bring security to the early internet and encryption ubiquity to a billion-plus devices. If it wasn't for Window, we might not have end-to-end encrypted iMessages, full-disk encryption on Macs and iPhones, and the foundations of security for modern Windows computers. Get some coffee and take the time to read this one.
Hacking group plans system to encrypt social media and other apps
Washington Post ($): The famous hacking group Cult of the Dead Cow, once known for distributing hacking tools that cracked Windows and shaming software makers into improving their security, is working on a new system that will allow the creation of messaging and social media apps that won't hold users' personal data. The framework, dubbed Veilid, will work like a peer-to-peer network that gets stronger and faster over time as more people use it. More details about the framework are expected out at the Def Con security conference this week.
A new public AI incident database aims to capture AI harms
AI Incident Database: Here's a good idea: a new database called the AI Incident Database (apt!) is "indexing the collective history of harms or near harms realized in the real world by the deployment of artificial intelligence systems... to learn from experience so we can prevent or mitigate bad outcomes," according to its website. The database is great and easily navigable, and shows the real-world harms that AI can have on individuals, from short changing baristas at your local Starbucks all the way to labeling one academic as a "terrorist" and claiming to help catch COVID but actually not. To wit, @dril:
~ ~
~ ~
OTHER NEWSY NUGGETS
California agency probes connected car privacy: A new California privacy agency set up after the passing of CCPA, the state's GDPR-style data protection law in 2018, wants to know what happens to connected car data that's sucked up by car makers and manufacturers. Cars these days are nearly always connected to the internet and share data about where we go (location), how we get there (speed, distance) and other data from cameras, sensors, and even the in-car dashboard and entertainment systems. Plus, much of that data gets tapped by cops, too. (via CPPA, TechCrunch)
Five-year-old bug in 2022's most popular: U.S. cybersecurity agency CISA says 2022's most exploited bug is... a Fortinet bug from 2018, which has been the subject of numerous advisories and warnings, and known to be exploited by Russian hackers, yet still remains widely exploited. Log4Shell is also on the list. (via The Record, Data Breach Today)
Kenya halts Worldcoin eyeball scans: The very creepy Worldcoin project, which aims to scan billions of people's irises in exchange for free cryptocurrency — yes, I know, it's literally the worst idea, yet here we are in 2023 — has been halted in Kenya. According to the government, Worldcoin must stop collecting Kenyans' biometrics until it can figure out the risks to its population. Governments are clearly waking up to the massive privacy concerns here, but just in time to catch it after it had already started. Half the time, Silicon Valley disruption is simply causing a monumental mess and asking for forgiveness (or a pardon) later. (via BBC News)
Second-hand medical devices exposing Wi-Fi: It's not just discarded printers you have to worry about hackers using to break into your network. Rapid7 says discarded medical devices also store Wi-Fi credentials that could be used to break into a health organization's network. That's particularly troublesome, because many medical device vulnerabilities can be exploited once an attacker has a foothold on the network. (via Rapid7)
~ ~
THE HAPPY CORNER
Please leave your stress at the door. This is the happy corner.
A couple of things this week: Ad-blockers are getting so much better. Have you installed one yet? (via @koval_blazej)
And last but not least: LetMeSpy, an Android spyware app spying on thousands of people's phones, said this week that it has "ceased operations" and it will shut down after confirming earlier reports that a hacker broke into LetMeSpy's systems and wiped its servers, effectively nuking the huge trove of data that the operation stole from people's phones. (Disclosure alert: I wrote this one.) Normally the idea of a destructive cyberattack might be met with a raised eyebrow. But with another spyware network going under, this time it's worth raising a glass instead.
Cue the obligatory GIF of my reaction:
If you have good news you want to share, get in touch at: this@weekinsecurity.com.
~ ~
CYBER CATS & FRIENDS
This is Bastet, who is ensuring the left side of the keyboard is secure. Doing a great job, Bastet. Many thanks to their human Kenneth I. for sharing!
Send in your cyber cats! Drop me an email with your cyber cat (or non-feline friend) with a photo and their name, and they'll be featured in an upcoming newsletter.
~ ~
SUGGESTION BOX
That's it for this edition. If you're in Las Vegas this week, have fun, be healthy and stay hydrated. I won't be there, but you bet that I'll be back next week with what you need to know from the big show(s). (If you see something cool for the newsletter, let me know!)
In the meantime, catch me by email with any newsletter you have.
All my best,
—@zackwhittaker