this week in security — february 11 edition
THIS WEEK, TL;DR
Chinese hackers lurked in US infrastructure for 'at least five years'
CNN: The China-backed hacking group known as 'Volt Typhoon' has been in U.S. systems for at least five years, according to a new warning by U.S. cyber and intel agencies. CNN broke the news of the joint U.S. advisory, out this week, which explored China's aggressive espionage campaign in more detail. Volt Typhoon attempted to stay hidden and embedded in U.S. critical infrastructure networks in the event of "a major crisis or conflict with the United States," at which point the hackers could activate disruptive or destructive cyberattacks that could hobble the U.S.' response in, say, a future invasion of Taiwan. The full read is worth it. While the U.S. has disrupted Volt Typhoon's botnet of infected routers, the hackers are said to have attempted to rebuild it.
More: CISA | Lumen | Reuters ($) | Bleeping Computer | TechCrunch
Inside the underground site where 'neural networks' churn out fake IDs
404 Media ($): Wild reporting by @josephfcox on an underground site called OnlyFake, which claimed to use "neural networks" to spit out computer-generated fake IDs, such as driver's licenses, on the fly for $15 a pop. The fakes might not be enough to fool most, but it only takes one good enough to beat a verification system. That's what Cox found: the fakes were good enough to trick at least one cryptocurrency exchange into thinking that a fake British passport was real. Fake IDs are a real problem, especially for KYC (or "know your customer") checks, which are supposed to weed out fraudsters, criminals and money launderers who use fake IDs. But KYC checks often rely on flawed (or just bad) algorithms, or — rarely — human moderators that aren't incentivized to spend more than a second or two examining each ID. OnlyFake went dark following the story... until the next one appears.
More: 404 Media ($) | @josephfcox tweets

Government hackers targeted iPhone users with European spyware, says Google
Google TAG: In a new report diving into commercial spyware vendors (aka CSVs), Google says government hackers exploited three zero-day flaws to target individuals' iPhones with spyware developed by Variston, a European startup that Google initially outed back in 2022. While there has historically been focus on spyware developed by Israeli companies (think NSO, Candiru and QuaDream), there's been little focus on the burgeoning European spyware market. The three zero-day bugs were not known to Apple at the time they were disclosed in March 2023 (hence zero days' heads-up to fix them), and were used to target iPhones in Indonesia. Google didn't say who the government customer was, and Apple didn't say whether it was aware of the spying campaign at the time. A key theme of this report was that governments need to do more to combat spyware...
More: TechCrunch | @maddiestone | @lorenzofb
France, U.K. pitch rules to curb spyware abuse
Politico: Speaking of spyware... France, the U.K., and several allies called for international guidelines for the "responsible use" (lol?) of spyware. Several countries signed up to the pledge, including Italy (which has long allowed spyware companies to flourish), Greece (which absolutely hasn't used spyware against journalists 😉) and Poland (same, but for opposition lawmakers). Yet noticeably absent from the list was the Israeli government, despite the country's significant share of the spyware market, as were representatives from Egypt, Austria and North Macedonia, where plenty of spyware makers are located. Also, no journalists were allowed in, so this pinky promise between governments is largely meaningless with little enforcement. What's new then?
More: U.K. Government | The Record | The Register
~ ~
THE STUFF YOU MIGHT'VE MISSED
WhatsApp chats will soon work with other encrypted messaging apps
Wired ($): New rules in the European Union mean that WhatsApp and Facebook Messenger will be interoperable with other encrypted messaging apps after EU authorities designated the apps' maker, Meta, as one of the "gatekeeper" companies that are now subject to the EU's Digital Markets Act. The short version is that Meta now has six-ish months to allow WhatsApp users to communicate with other apps, like Signal (whose protocol is used by WhatsApp for its E2EE). More details are set to be released in March.
New Ivanti VPN zero-day mass-exploited
Bleeping Computer: For those who are in Ivanti-hell right now, take note. Ivanti has patches for (at least) four recently discovered flaws, including zero-days that are being actively exploited. But the most recently discovered zero-day, a server-side request forgery (SSRF) bug tracked as CVE-2024-21893, is being mass exploited by hundreds of unique IP addresses, security researchers have warned. The bug is particularly bad because it can be used to access restricted data on a device (and from there a company's wider network) without authentication, which sidesteps Ivanti's earlier mitigations; in other words, if you only applied the mitigation and didn't patch, you're still exposed. This comes in the same week that Ivanti "discovered" a new bug (not actively exploited)... except, it wasn't Ivanti who found it at all.

LastPass warned of spoofed app in Apple's App Store
LastPass: Spare a thought for LastPass (or don't, I'm not your dad), which this week warned about a fake app impersonating the password manager in Apple's App Store. Apple took down the app a full day after LastPass went public about the fake app. How the app snuck into Apple's walled garden is anybody's guess and only Apple's to answer — which it won't (and hasn't).
~ ~
OTHER NEWSY NUGGETS
Verizon data breach hits 63,000 employees: U.S. telecoms giant Verizon said it discovered in December 2023 — three months after the actual incident — that an employee gained access to a file containing sensitive data on 63,206 employees — about half of the company's staff, per a filing with Maine's attorney general's office. That information includes employee names, addresses, gender, DOB, compensation information, union affiliation, and Social Security numbers. One of the richest companies in the U.S., and it can't even keep its own employees' data secured. Go figure. (via Bleeping Computer)
U.S. studying 'liability regimes' for security bugs: U.S. national cyber director Harry Coker's office is looking at the possibility of "liability regimes" for software makers that "rush code to market." The U.S. has been on a big "secure-by-design" push of late because private software makers at large have been historically crap at securing their own products, leaving in some cases millions of customers vulnerable to cyberattacks and data theft. No specifics were given yet. Coker's office plans to publish a paper in the next few weeks that may shed more light. (via The Record)
Massive theft of French social insurance data: Almerys and Viamedis, two third-party payment providers that process payments for private health insurance in France, have experienced data breaches (though exactly how remains unknown). The CNIL said (in French) that it's opened an investigation after data on 33 million people was compromised, including personal information like names and social security numbers, though health-specific information is not believed to be affected. French security researcher @fs0c131y said how the attacks took place is unclear (perhaps an API leak?) but that individual breach notifications won't be going out for several weeks, so more to come then. (via CNIL, Le Parisien)
Canada blames Flipper Zero for poor car security: The Canadian government hinted that it plans to ban devices like the Flipper Zero, which can allegedly be "used to steal vehicles by copying the wireless signals for remote keyless entry," per a statement. Yes, technically that might be true (since Teslas, Hondas, and Hyundais and Kias have all seen keyfob vulnerabilities in recent years). But the blame seems misplaced, given the car makers who have billions of dollars should be investing in better keyfob security, no? (via Government of Canada)
~ ~
THE HAPPY CORNER
A warm welcome to the happy corner.
There was a lot of nonsense this week about a toothbrush DDoS that wasn't. (No, really, it wasn't a thing.) At least the folks at Malwarebytes saw the funny side.

Well, someone had to say it. Moving on...
DEF CON is canceled. Well, almost. Turns out the annual hacker conference won't be at Caesar's as usual this year, but a little further away at the Las Vegas Convention Center, per a note from the DEF CON staff. Adjust your plans accordingly.
And finally, this week. The FCC said it has banned AI-generated robocalls, which will surely make a difference to the remaining six Americans who still pick up the phone in this day and age.
If you have good news you want to share, get in touch at: this@weekinsecurity.com.
~ ~
CYBER CATS & FRIENDS
This week's cyber cat is Fitzy, who is ever vigilant looking out for (cyber) crime. Don't go committing any cybercrime near here! Many thanks to Stacy S. for sending in!

Please send in your cyber cats! Drop me a photo of your cyber cat (or non-feline friend!) with their name and they will be featured in an upcoming newsletter!
~ ~
SUGGESTION BOX
And that's it for this week! Hope you'll join me again next week with the usual round-up of news and cyber shenanigans. Have fun if you're watching the Super Bowl today. For those like me who're far more interested in Superb Owls, you're also in for a treat.
As for feedback or suggestions, feel free to get in touch with me by email any time.
Back next week,
@zackwhittaker