Thank you for the kind "welcome back" messages; they were really heartwarming. It feels good to be back, and I hope you all enjoy each issue!
Breaches and leaks
- Definitely the low point in infosec news this week: because of a ransomware infection in a hospital, a critical patient had to be diverted elsewhere and died because they didn't receive help in time. A strong reminder that for some in our line of work it's not about saving data, but about saving lives: link.
- The US Department of Veterans Affairs (VA) had an online app breached. The attackers diverted healthcare payments of 46,000 veterans. Personal data might also have been stolen: link.
- Ransomware infections were reported at IPG Photonics, a laser manufacturer: link, and a Californian school district: link.
- Mailfire, a marketing company, had an unsecured Elasticsearch instance with 320 million records related to dating sites: link.
- Staples had a bug in their order tracking system that exposed detailed customer data for every order: link.
- Close to 2000 Magento webshops were infected with card skimmers in a single weekend: link.
Granted, an attacker needs to have some kind of small foothold in the network first. But once they do, this is the one lateral move to rule them all. It doesn't happen often that a second-stage exploit gets a 10/10 CVSS score. There is exploit code in the wild, so patching is a must, and the US government has even made patching an order.
Another week, another Bluetooth vulnerability. This one has to do with the reconnection process between two devices. If I understand correctly, the Bluetooth spec doesn't describe clearly enough how reconnection authentication needs to be handled. As a result some implementations are vulnerable to authentication bypasses.
There's some good stuff there: a clear indication when the microphone or camera is in use, a notification when something accesses the clipboard, the option to share an approximate location instead of a precise one, visibility into when an app requests local network access, and randomised MAC addresses to stop Wi-Fi tracking.
US charges foreign hackers
Quite a few charges have been filed lately, and they are often an interesting read:
- US brings charges against a number of Iranian nationals for hacking aerospace and satellite companies. One charged individual is said to lead a double life between white-hat researcher and OWASP member on one side, and black-hat working for Iranian intelligence on the other: link.
- US brings charges against several Chinese nationals as part of the APT41 state-sponsored hacking group. They seem to be responsible for the CCleaner and ShadowPad hacks, and worked through a legitimate-looking cybersecurity firm as a front: link.
Not the first time this technique has been used, but very interesting to highlight. To try and bypass security measures, the ransomware runs inside a virtual machine that mounts the host's disks as shares, so the encryption happens from inside the guest rather than from a process the host's security tooling would inspect.
This is pretty cool. MITRE, known from the ATT&CK framework that maps out the common steps attackers take, is starting a library where they'll document how certain hacker groups run their attacks. This way you can put your defenses to the test and see if you'd be able to detect them. The linked article is their announcement, but if you just want to skip to what such a plan looks like, I got ya: link.
Related, although from a higher level, here's a fascinating write-up of how the FIN7 cybercrime group operates: link.
Quite an unorthodox approach for the IRS. They really must have a lot of trouble with people hiding and transferring assets through the Monero currency.
I hadn't heard of this one yet, and it's a good "con" to be aware of. Potential investors approach your company with a lot of interest and goodwill, but expect you to bear the cost of the due diligence. Once those fees have been paid to the legal firm they "prefer to work with", they bail out.
It's really just a document, but a good one at that. It describes how one could tackle vulnerability disclosure. It even provides a response plan for XSS and subdomain takeovers, because those were the most reported issues for them. You can go to the document directly here.
This is hands down the greatest write-up I have ever read; I was in tears from laughing halfway through. It's a very long read though, so make sure to set some time aside.