this week in security — december 29 2024 edition

Clop hacks dozens of companies (again), hackers hijack Chrome extensions, Volkswagen location data exposed, and more.

THIS WEEK, TL;DR

Clop ransomware gang claims data-theft attacks on 66 Cleo victims
Bleeping Computer: The Clop ransomware is back with *checks notes* 66 new corporate victims after its latest round of mass-hacks. As mentioned last week, Clop has repeatedly targeted enterprise file transfer tools over the years for their propensity to hold highly sensitive corporate data. Clop leaked some partially redacted company names that it claims to have hacked, likely in an effort to extort the victims further. The hackers exploited CVE-2024-50623, a bug in Cleo Software that the company thought it had fixed some weeks back but actually hadn't. Expect to see a fair number of these companies disclose the breaches in the next few days, and some of them are thought to be fairly big in size.
More: Cleo Software | TechCrunch | PCMag

Hackers hijack a wide range of companies' Chrome extensions
Reuters ($): A wild situation arose over Christmas when unnamed hackers broke into a corporate account of at least one company, Cyberhaven, to publish a malicious version of its Chrome extension capable of stealing passwords from potentially thousands of its downstream Chrome browser users. (The trouble with browser extensions is that they're often updated automatically without thorough checks on the Google extension store side.) Cyberhaven, a company that claims to prevent data-loss and exfiltration attacks (which... 👀), said in a post-mortem that the hackers broke into the company's account using phishing, and the end goal was... to target Facebook ads accounts?! OK, then...! In any case, the company warned customers to rotate and revoke "all passwords" and to review logs for suspicious activity, given the access that the malicious extension had to the user's browser. The supply chain attack also affected several other popular apps each with tens of thousands of users, as noted by @jaimeblascob's tweets. Also worth reading @mattjay's piece on this, it's very detailed.
More: Cyberhaven | Vulnerable U | TechCrunch | @lorenzofb

Lorenzo Franceschi-Bicchierai tweet: "NEW: Data-loss prevention startup Cyberhaven said hackers took over its official Chrome extension, pushing a malicious version designed to steal passwords and session tokens. @jaimeblascob told us Cyberhaven may be one of several other hacked extensions."

White House says Salt Typhoon hacks possible because of telecoms' bad security
Cyberscoop: And let's not leave out a quick end-of-year update to the Salt Typhoon shenanigans, the China-backed threat group that has been rooting around in U.S. telecom networks for months. The White House on Friday squarely put blame on the now-nine listed telcos that were hacked — including AT&T and Verizon, which pinky-promise that their networks are now clear of the hackers. Top WH cyber official Anne Neuberger said that telecom networks are "not as defensible as they need to be" (which is about as scathing as Neuberger gets). In one case, the hackers obtained the credentials of an admin account with access to over 100,000 routers. In another case, the hackers erased logs once they were on the inside, not that the companies were always keeping logs to begin with. Cyber pros are once again reminding folks to do the security basics, since these do the most to keep bad actors out, rather than focusing all your energies on zero-days! These telcos made billions in profit this year alone, so it's not like they can't afford it. In all, fewer than 100 people had their communications targeted through the telco hacks — mostly U.S. government officials and those in the Washington DC area. To say that this could've been worse is an understatement; this should be a major wake-up call to the U.S. — even if history shows that it probably won't be.
More: Bloomberg ($) | The Record | USA Today | @malwaretech

~ ~

THE STUFF YOU MIGHT'VE MISSED

U.S. blames North Korea for $308 million crypto hack
FBI: In a brief statement, the FBI said it was attributing to North Korea the hack and theft of $308 million in cryptocurrency from Japanese exchange DMM in May. A company employee was tricked into copying a malicious Python script into their GitHub by a North Korean threat actor masquerading as a recruiter, allowing the hacker to access the employee's cookie information and credentials and exposing access to the company's corporate systems. The hack was attributed to TraderTraitor (yes, there's more to North Korea than just the Lazarus hackers), a group that U.S. cybersecurity agency CISA says often uses recruitment lures to entice would-be victims with high-paying jobs. More from SecurityWeek.

Thousands of North Korean VPN IP addresses published online
Spur: Speaking of pesky North Korean spies, security firm Spur has released thousands of IP addresses linked to Astrill, a VPN service often used by North Korean IT workers to hide their location and online activity. Spur says it continues to see reports from its customers about fraudulent North Korean IT workers trying to get hired at Western firms. This list of IP addresses can be used to scan logs for potential threat activity. For North Korea, it's all about that crypto (for the goal of making nukes). (via @campuscodi)
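One way to run a published IP list over your own logs, as an added example that is not Spur's tooling or data: the indicator list and the log lines below are constructed placeholders (documentation address ranges), and the script matches any IPv4 or IPv6 address found in a line against single-address or CIDR indicators.

```python
import ipaddress
import re

# Constructed indicator list standing in for a published VPN IP list (not Spur's data).
# Entries may be single addresses or CIDR ranges; TEST-NET / documentation ranges are used here.
INDICATORS_TXT = """
# comment lines and blanks are ignored
203.0.113.0/24
198.51.100.17
2001:db8:beef::/48
"""

# Constructed sample log lines in syslog style (sshd, openvpn, nginx).
SAMPLE_LOG = [
    "Dec 28 03:14:07 bastion sshd[4121]: Accepted publickey for deploy from 203.0.113.45 port 51022 ssh2",
    "Dec 28 03:15:12 bastion sshd[4130]: Failed password for root from 192.0.2.9 port 40011 ssh2",
    "Dec 28 03:16:40 vpn01 openvpn[877]: 198.51.100.17:1194 TLS: Initial packet from [AF_INET]198.51.100.17:1194",
    "Dec 28 03:17:01 bastion CRON[4200]: (root) CMD (run-parts /etc/cron.hourly)",
    'Dec 28 03:18:55 web01 nginx: 2001:db8:beef:1::7 - - "GET /login HTTP/1.1" 200',
]

# Permissive candidate pattern (dotted quad, or hex-and-colon run); every candidate is
# validated with ipaddress, so timestamps like "03:14:07" are rejected rather than matched.
IP_RE = re.compile(r"(?<![\w:.])((?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]{2,}:[0-9a-fA-F:]*)(?![\w.])")


def load_indicators(text):
    """Parse one indicator per line into ip_network objects; '#' starts a comment."""
    nets = []
    for raw in text.splitlines():
        raw = raw.split("#", 1)[0].strip()
        if raw:
            nets.append(ipaddress.ip_network(raw, strict=False))
    return nets


def extract_ips(line):
    """Yield validated IP addresses found anywhere in a log line."""
    for cand in IP_RE.findall(line):
        try:
            yield ipaddress.ip_address(cand)
        except ValueError:
            continue


def scan_log(lines, indicators):
    """Return (line_no, ip, matched_indicator) for each distinct listed IP per line."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        seen = set()
        for ip in extract_ips(line):
            if ip in seen:
                continue
            seen.add(ip)
            for net in indicators:
                if ip.version == net.version and ip in net:
                    hits.append((lineno, str(ip), str(net)))
                    break
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, load_indicators(INDICATORS_TXT)):
        print("line %d: %s matched %s" % hit)
```

A hit only says the source address is on the list; confirm it against the account, time and action in the surrounding lines before treating it as an incident.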

Trump's natsec advisor suggests use of 'offensive' cyberattacks
Politico: The next U.S. national security advisor, Rep. Mike Waltz, suggested (blustered?) in a tweet about going "on the offensive" in cyberspace in response to hacks targeting the United States; the idea is to "impose COSTS" (capitals not mine — we don't like to shout in this newsletter) on those who steal U.S. technology and the like. You'll struggle to find many experienced cyber and policy folks suggesting that's a good idea. @malwaretech (who has a very good thread on this), @hexadecim8, @ciaranm, and so many others have good posts and points. If billion-dollar corporate giants spent more time listening to the cyber-defense advice from the folks at CISA and not exploiting everyone else for the sake of their gargantuan profits, maybe we'd be in a much better cyber position as a country.

"We know where your [Volkswagen] is"
Der Spiegel: Fantastic reporting out of the Chaos Computer Club this year. Do you know where your Volkswagen is? These reporters certainly do. That's because the German carmaker was inadvertently exposing the GPS location data and other vehicle information from VW, Seat, Audi and Skoda vehicles. Some 800,000 cars had unprotected data left in Amazon's cloud that the researchers say contained enough information that the data could be linked to drivers, owners and fleet managers — including two German politicians. Cars; they're trackers on wheels! I long for the days of non-internet connected cars — or, as they used to be called back in the day... cars. Solid thread by @wchr here. And the takeaway: Don't collect data whose protection you can't guarantee. Or, just don't collect the data to begin with.

A screenshot showing maps of several European cities, including London, Oslo, Stockholm, and Amsterdam, all featuring thousands of location dots in red showing where VW vehicles have been driven or parked.

~ ~


OTHER NEWSY NUGGETS

Last minute rule to limit healthcare leaks: Rita Mae Brown once said: "If it weren't for the last minute, nothing would get done." Cue the Biden administration's latest (and last minute) proposed rule change to HIPAA that would require healthcare organizations to bolster their security, such as by encrypting data, to help prevent repeat cases of massive data breaches like... Ascension, or Change Healthcare, or HCA, Kaiser, HealthEquity — all of which happened during 2024 and which collectively, by my count, have resulted in the theft of medical data on more than 130 million people this year alone. The rule could go into effect in early 2025, assuming nothing — or nobody — stands in its way. The rule change seems like a no-brainer, though. (via Reuters ($), The Record)

UN approves cybercrime convention nobody likes: The United Nations General Assembly approved a new cybercrime convention that by all accounts nobody seems to like. The effort was designed (in theory) to make collaboration of cross-border cybercrime investigations easier while reducing the safe havens that cybercrims can operate in. Except, plenty of folks (including big tech companies) have rightfully noted that the convention could be used to criminalize security research. The U.S. admitted it shares these concerns, but said that the convention has safeguards to prevent the rules being used to oppress or violate human rights. That's not hugely reassuring. (via United Nations)

Japan airline hack sparks delays: Japan Airlines was hit by hackers this week, and responded quickly by shutting down a router (used for data communications) that reportedly had a surge in traffic, which caused the disruption. The airline said some flights were canceled and many delayed. No word on who was behind the attack. (via Nasdaq, The New York Times ($))

~ ~

THE HAPPY CORNER

Psssttt... Is anyone around this week? For anyone who is, welcome! Here's the download from the happy corner.

It's the end of the year, so it's a little quieter on the wires than usual, but what a year it's been. Wired ($) has a look back at the worst hacks of 2024 — plus, TechCrunch has the badly handled breaches (disclosure: I co-wrote this story!); plus, our annual jealousy list of the best cybersecurity stories from the wider reporting world this year that you can get stuck into on this quiet pre-New Year weekend.

Plus, for those of you who are home for the holidays, give the gift of good security advice. You know that your friends and family need it! Start with the basics, since those are the easiest and most effective things to do to get your cybersecurity posture in the best possible position. And for those who don't yet have a "family password" — well, there's a very good reason why you and your family should have one preagreed and prearranged.

And for anyone who wants a deeper-dive into some of the more technical cybersecurity stories of the year — from hacking campaigns to malware, supply chain hacks to spyware and influence operations — @craiu has you covered with his round-up (plus, bonus podcast if you haven't checked out Security Conversations by @ryanaraine already!).

And finally, time for a new year's resolu... ahh, too easy.

nixCraft toot: "My New Year’s resolution? 3840 × 2160"

If you have good news you want to share, get in touch at: this@weekinsecurity.com.

~ ~

CYBER CATS & FRIENDS

This week's cyber cats are two brothers Eddie (left) and Ernie (right), who can be seen here chilling after a long, looong day of working the security defensive lines for their human. You deserve the rest! Many thanks to Christoph W for sending in!

Two cybercats snuggling next to each other on an orange blanket on a couch: Eddie is the red/ginger kitty and Ernie is the grey tabby kitty.

Send in your cyber cats! (or a non-feline friend). You can email them in at any time with a photo, including their name, and they'll be featured in an upcoming newsletter.

~ ~

SUGGESTION BOX

And that's it for this week... year! Thank you so much for reading this year. It means the world to me that so many people read weekly, and it's a joy putting this newsletter together every Sunday. My sincere thank you to everyone who has donated or subscribed to help support this newsletter's upkeep.

As always, get in touch any time with feedback or cyber-cats for the newsletter.

For now, have a safe, happy, and healthy New Year.

Catch you next,
@zackwhittaker