this week in security — november 3 2024 edition
Ahh, it's good to be back! There's an autumnal crisp in the air. The leaves have turned. There's a pot of coffee on the stove. It's so nice to start today's newsletter after a refreshing two weeks awa... oh no.
...alright, let's get to it. Welcome back to ~this week in security~
~ ~
THIS WEEK, TL;DR
Inside Sophos' five-year war with Chinese hackers targeting its firewalls
Wired ($): Let's start several timezones away in Chengdu, China, where a network of hackers carried out years-long hacks against customers of Sophos firewalls. By targeting these network-edge devices, these hackers can gain a foothold inside a victim's organization. After five years of chasing the hackers, Sophos finally revealed this week its collective effort, and how it caught the hackers' red handed. In some cases, Sophos discreetly installed "implants" on the Chinese hackers' own Sophos devices to monitor their attempts to exploit the company's firewalls, which led to the unmasking of the long-running espionage operation. The full breadth of the research is pretty staggering, but good to see the company take on the security of its own products, raising awareness about the "cybersecurity industry's awkward silence around the larger issue of vulnerabilities in security appliances serving as entry points for hackers," per Wired's write-up. More by Sophos here.
More: Sophos | Bleeping Computer | @threatresearch | @a_greenberg | @gossithedog
U.S. and international partners take down Redline and Meta password stealers
Justice Department: In what increasingly feels like the "DOJ's weekly corner," the feds and its international partners this week announced the unveiling of an indictment against a Russian national for allegedly creating the Redline (and Meta) password stealing malware (which the feds said were largely the same operation). These were malware-as-a-service operations, which allow other cybercriminals to access reams of usernames and password combinations stolen directly from millions of victims' computers. Maxim Rudometov, whose arrest status (if any?) isn't yet known, could face 35 years in prison if caught. Redline is a notorious infostealer, and found used in a series of hacking campaigns, including the Uber hack in 2022. Password stealers were also the way that so many Snowflake customers were hacked earlier this year (remember that?). Turns out the DOJ found Rudometov in part because the hapless hacker's opsec was so bad that he used his hacker handle in his profile on at least one Russian dating site.
More: Eurojust | TechCrunch | The Register
Okta warns of 'long username' authentication bypass bug
Okta: And what feels more and more like "Okta-corner..." (well, maybe stop releasing bad security news on a Friday night?)... Okta dropped the ball (again) and took to the most inconvenient time to announce it — and folks clearly aren't happy about Okta's handling of this new authentication bypass bug (which given the company's past incidents, this tracks). Get ready for this one: In certain cases, accounts with usernames of 52 characters or more "could allow users to authenticate by providing only the username, regardless of the password entered." You can read the full advisory online, since it's not easily findable on Okta's website or Trust homepage (which makes you wonder why). Pour one out to the countless Okta customers who had to work Friday into the weekend.
More: The Verge | @mattjay | @SecureOwl | @k8em0 | @dcuthbert
Chinese hackers stole phone audio from both Harris and Trump campaigns
Wall Street Journal ($): And since we have a few minutes, let's check in on the Volt Typhoo... oh no, it's worse than it was. Looks like the Chinese hackers behind a series of intrusions into U.S. wiretap systems (yes, these are required by law) are still in those systems, and as such are able to listen to any unencrypted call and read any unencrypted text message of potentially anyone in the United States. The hackers, per the WSJ, have been accessing the audio from both presidential campaigns. There's still a lot up in the air and plenty remains uncertain. What is clear, though, is that backdoors evidently can — and will — be abused to spy on people. That's the point! Maybe we shouldn't have them to begin with?
More: Washington Post ($) | @RonDeibert
~ ~
THE STUFF YOU MIGHT'VE MISSED
Senators warn of U.N. Cyber Convention consequences
Sen. Ron Wyden: A group of Democratic U.S. senators, led by Ron Wyden, are sounding the alarm over the new U.N. Cyber Convention, which they say could be used by some countries to justify censorship, surveillance and human rights abuses. The lawmakers also warn that the convention doesn't do enough to protect journalists or security researchers from reporting on or advocating against authoritarian abuses. More via @magmill95 or The Record, take your pick.
Colorado voting passwords accidentally posted online
9News: Here's a line you don't want to read a week before the election: "The Colorado Secretary of State’s Office inadvertently posted a spreadsheet to its website with a hidden tab that included voting system passwords." On the bright side, at least there were passwords to begin with, the issue was quickly fixed, and officials said there was no breach of voting machines. That's good news. In reality, the bigger problem are deepfakes, which use AI to make fake but convincing audio or video content, with the goal of influencing the vote or sowing discord about the integrity of the election. Some of it's already been linked back to Russian disinformation units, per the FBI.
Hacking-for-hire scandal rocks Italy, implicates Vatican
Politico: Incredible news out of Italy, where a hacking-for-hire scandal is unraveling. Politico reported this week that prosecutors accuse an IT consultant of being behind a multi-year breach of a national security database, which allowed the downloading of reams of private data belonging to thousands of Italians (including the president and prime minister!) of which some of the data was used for blackmail and intimidation. Some four people have been arrested so far, and prosecutors are scrambling to investigate dozens more. So far, the Vatican(!) and Israel have both been found seeking information from the hacking network, for reasons yet to be ascertained. A very, very curious story, indeed. More via @Bing_Chris.
Russia's SVR using RDP files to hack networks
Microsoft: Keep an eye on rogue RDP configuration files flying around, it could well be Russia's SVR trying to hack into your networks, according to Microsoft. The SVR hackers (think Russia's foreign intelligence service), known as Midnight Blizzard or APT29, are highly capable and skilled (and also hacked into Microsoft, no less!). Watch out for this new attack method. Microsoft has some IOCs for you to check out.
~ ~
OTHER NEWSY NUGGETS
U.S. hacked Venezuela in failed overthrow attempt: The CIA reluctantly but successfully hacked Venezuela's military payroll system some time around or after 2019, as part of a wider effort by the then-Trump administration to destabilize the Maduro administration. The hack succeeded, but the effort to oust the Venezuelan strongman ultimately failed. The inside story finally comes to light. (via Wired ($), @zachsdorfman)
Wiz CEO says company targeted by deepfake: Assaf Rappaport, the CEO behind cloud security juggernaut Wiz, said his company was recently targeted by a deepfake of his voice. "Dozens of my employees got a voice message from me," Rappaport said this week. "The attack tried to get their credentials." The attack failed because the deepfake didn't sound like the CEO, in part because he has public speaking anxiety (which helped in this case!). Good to know that anyone, even security companies, can be targeted by this AI-generated trickery. (via TechCrunch, Forbes ($))
India using cyber tech to spy on separatists: A warning from the Canadian government for folks in the Indian diaspora that India is using spy and surveillance tech to track separatists and critics overseas. The Canadian government linked the intimidation efforts and attacks on Indians living abroad, including in Vancouver, to a top Indian government official called Amit Shah. This all comes amid the backdrop of India using spyware and hackers-for-hire, which — as a reminder, Reuters' ($) blockbuster story about Appin is back online after an Indian court lifted its takedown order. (via The Guardian)
No clicks needed for this Synology bug: Home backup stans, make sure your Synology systems are up-to-date, as there's a new vulnerability that could allow "zero-click" (as in, interactioness) access to your storage drive. The bug, found in the photo engine, was patched, but the researchers warned that the bug is easy to exploit and can be exploited over the internet. More from @kimzetter in the tweets, and with more from @adamshostack. (via Wired ($))
~ ~
~ ~
THE HAPPY CORNER
Woooooof, and we're done with the news. Leave all your stress behind; it's time for the happy corner.
First up, a major congrats to all the winners and those recognized in the Cyberscoop 50, some of the finest minds in cybersecurity as tallied by some 800,000 votes. From CISOs and CISA to security researchers and threat intelligence, these are all well deserved.
This week for the Day Job™ (disclosure alert!), I sat down with Marqeta's Heather Gantt-Evans and MongoDB's Darren Gruber at TechCrunch Disrupt to talk, among other things, about advanced persistent teenagers — the groups like Lapsus$ and Scattered Spider — and why the industry has underestimated the threat.
Moving on to brighter news... *drumroll please* Yes, it's time for an update to our long-running series, What Can We Run Doom On?, and this time it's... it's the new Nintendo Alarmo, the interactive alarm clock. Why run Doom? Why not? Full details from @GaryOderNichts in the tweets (+ source code, too!).
In excellent (and frankly, well timed) news, the U.S. election system is secure and we should be confident in it. Houston Public Radio has a good story on how federal cybersecurity and election officials plan for all eventualities, including addressing distrust and disinformation. This is an excellent read. "No matter who you vote for, you can have confidence that your vote will be counted as cast," says top U.S. cyber official @CISAJen.
And with that, a personal note from me...
Last year, after more than a decade living and working as a U.K. expat in the United States, I made the decision to become a U.S citizen, so that my voice — and vote — in this election would count. I felt it was my duty to give back to a country that has given me so much. America welcomed me, gave me opportunities, and the people are some of the finest in the world. In things I didn't think I'd have to say or qualify in the year of 2024, I stand on the side of human rights, peace, freedom, and democracy. This is not a controversial opinion! Let love win, it's all we have. If you can, please vote on November 5 (or sooner).
If you have good news you want to share, get in touch at: this@weekinsecurity.com.
~ ~
CYBER CATS & FRIENDS
This week's cyber cat is Ravioli (great name, by the way), who can be seen here conducting a live wiretap. Can you hear what's being said on the line? "More treats, more treats..." I believe you, Ravioli! Thanks so much to Tristan for sending in!
Send in your cyber cats! (or a non-feline friend). You can email any time with a photo with their name, and they'll be featured in an upcoming newsletter!
~ ~
SUGGESTION BOX
And that's it for this week — my deepest thank you for reading (or subscribing, wherever you get this!). I hope you have a great week — and I'll catch you next Sunday with your usual dispatch from the past seven days.
As always, please do reach out if you have any feedback, or want to submit something for the newsletter! Your cybercats (and their friends) are always welcome.
Love and peace,
@zackwhittaker