Plenty of interesting news this week. Also scary news. I guess the two usually go hand in hand in this industry. The water treatment thing really had me stumped, even with years of well-honed security cynicism.
Scary stuff aside, I hope you enjoy the newsletter!
Breaches and leaks
- Brazilian authorities start probe as 102 million consumers are exposed in new leak: link.
- Singtel hit by third-party vendor's security breach, customer data may be leaked: link.
- French MNH health insurance company hit by RansomExx ransomware: link.
- Hackers publish patient data stolen from two US hospital chains: link.
- Android barcode scanner app went bad, infecting 10 million devices: link.
- Leading Canadian rental car company hit by DarkSide ransomware: link.
- Yandex said it caught an employee selling access to users' inboxes: link.
- After hackers blackmailed their clients, Finnish therapy firm declares bankruptcy: link.
This is insane enough to warrant a separate item. The attacker took control of a system that allows for remote control of water treatment operations (because hell, what can go wrong with that, right?). They then bumped the sodium hydroxide levels from 100 ppm to 11,100 ppm. The intrusion was detected because... an operator saw the mouse cursor move across the screen.
I'm starting to wonder why countries bother with conventional militaries anymore. Why would you need tanks at this point.
This is about a very interesting type of attack dubbed "dependency confusion". Lots of projects depend on privately hosted packages. But if someone publishes a public package with the same name, a build tool that consults both the private and the public registry can give the public one priority (typically because it carries a higher version number) and pull it in instead of the internal one. Absolutely worth looking into. Here's the blog post of the researcher who discovered it.
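To make the mechanism concrete, here is an added example (my own illustration, not code from the researcher's post or from any package manager) that models a resolver which merges candidates from every configured index and picks the highest version, the way pip behaves with an extra index URL. The package names, versions and index contents are constructed; the "public" index contains an attacker-registered squat of an internal name. It also shows the two things a team actually wants: a hardened resolution that only ever serves known-internal names from the private index, and an audit that lists internal names already present on the public index.

```python
"""Simplified model of a 'merge all indexes, highest version wins' resolver
falling for dependency confusion, plus the hardened variant and an audit.
Added illustration; the indexes, names and versions below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple  # (1, 2, 0); tuples compare element-wise like versions
    index: str      # which index served this candidate


def parse_version(s):
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in s.split("."))


# Constructed indexes. 'acme-billing' is an internal package; an attacker has
# registered the same name publicly with an absurdly high version number.
PRIVATE_INDEX = {
    "acme-billing": ["1.2.0", "1.3.0"],
    "acme-auth": ["0.9.1"],
}
PUBLIC_INDEX = {
    "requests": ["2.25.1"],
    "acme-billing": ["99.0.0"],  # attacker-published squat
}
INDEXES = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}


def candidates(name, index_names):
    """Every (name, version, index) candidate for a package across the given indexes."""
    out = []
    for idx in index_names:
        for v in INDEXES[idx].get(name, []):
            out.append(Candidate(name, parse_version(v), idx))
    return out


def resolve_naive(name, index_names=("private", "public")):
    """Models extra-index-url style merging: all indexes are consulted and the
    highest version wins, regardless of which index it came from."""
    cands = candidates(name, index_names)
    if not cands:
        raise LookupError(f"no candidates for {name}")
    return max(cands, key=lambda c: c.version)


def resolve_pinned_source(name, internal_names, index_names=("private", "public")):
    """Hardened variant: names known to be internal are resolved only from the
    private index, so a public squat can never outrank them."""
    allowed = ("private",) if name in internal_names else index_names
    cands = candidates(name, allowed)
    if not cands:
        raise LookupError(f"no candidates for {name} in {allowed}")
    return max(cands, key=lambda c: c.version)


def audit_internal_names(internal_names):
    """Which internal names already exist on the public index? Every hit is
    either an active squat or a name the team should claim before someone else does."""
    return sorted(n for n in internal_names if n in PUBLIC_INDEX)


if __name__ == "__main__":
    internal = {"acme-billing", "acme-auth"}
    print("naive   :", resolve_naive("acme-billing"))          # public 99.0.0 wins
    print("pinned  :", resolve_pinned_source("acme-billing", internal))  # private 1.3.0
    print("audit   :", audit_internal_names(internal))         # ['acme-billing']
```

The naive resolver happily returns the public 99.0.0 build; restricting the source per name is the same idea as scoped/namespaced packages or a single trusted index, and the audit is the cheap first check to run against your own private package list.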
This was a big one this week. The creator of The Witcher 3 and Cyberpunk 2077 had files and source code stolen, which was later put up for auction. The data dump ended up being bought, but we don't know by whom. It's always possible that it was CD Projekt Red themselves.
I've been stuck with "Another one bites the dust" since I read this. And now you are too, you are welcome. Musical themes aside, it doesn't seem like Egregor is fully out of the picture yet, but it's a great step forward.
There seems to be new information on the Chinese government installing backdoor chips on motherboards. I'm not sure why this isn't getting more press. Probably because the last time Bloomberg reported on these issues, most didn't believe it. I haven't dug deep enough into this to have an opinion of my own, although I can definitely see it being real.
You can use Snyk for free and have it scan all your open source repositories for vulnerabilities. It can even create PR's to fix them. This article walks you through setting that up. (Sponsored)
Not exactly a surprise, but I was surprised by the size of the jump. According to the research, attacks on RDP have grown by 768% in 2020.
They hijacked the SIM cards of well known sport stars, musicians and their families. They are also believed to have stolen more than $100 million in cryptocurrency.
This is about domain names like facbook-login.com, facbook-login.net, instagrarn.ai, etc. Facebook wants to confiscate these, but Proofpoint feels they are fair game and wants to use them in phishing simulations. I suppose I can see both sides of the argument, but hey, if the bad guys can do it, maybe let the good guys do it too but for good reason.
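Whoever ends up owning those domains, the defender-side task is spotting them. Below is an added example (mine, not Proofpoint's or Facebook's tooling) that flags lookalike domains against a brand list by collapsing a few confusable sequences ("rn" for "m" is what makes instagrarn.ai work) and then measuring edit distance. The brand list, the domain list and the confusable table are constructed for the example; the table is a small hand-picked subset, not a complete homoglyph list.

```python
"""Flag domains that impersonate a brand via typos or confusable glyphs.
Added example; brands, domains and the confusable table are constructed."""

# Character sequences that render like another letter in common fonts.
# Constructed, partial list; real tooling uses a full confusables table.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e")]

BRANDS = ["facebook", "instagram", "whatsapp"]


def normalise(label):
    """Collapse confusable sequences so 'instagrarn' becomes 'instagram'."""
    label = label.lower()
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label: 'facbook-login.net' -> 'facbook-login'.
    Naive split; multi-part public suffixes such as co.uk are not handled."""
    return domain.lower().rstrip(".").split(".")[-2]


def lookalike_match(domain, brands=BRANDS, max_distance=1):
    """Return (brand, reason) if the domain impersonates a brand, else None."""
    label = registrable_label(domain)
    tokens = [label] + label.split("-")  # whole label plus hyphen-separated parts
    for brand in brands:
        for tok in tokens:
            norm = normalise(tok)
            if norm == brand and tok != brand:
                return (brand, f"confusable '{tok}' renders like '{brand}'")
            if brand in norm and label != brand:
                return (brand, f"brand embedded in '{label}'")
            dist = edit_distance(norm, brand)
            if 0 < dist <= max_distance:
                return (brand, f"'{tok}' is {dist} edit from '{brand}'")
    return None


def scan(domains, brands=BRANDS):
    """Map each flagged domain to the (brand, reason) it was flagged for."""
    hits = {}
    for d in domains:
        m = lookalike_match(d, brands)
        if m:
            hits[d] = m
    return hits


# Constructed sample: the three domains from the story plus two controls.
SAMPLE_DOMAINS = [
    "facbook-login.com",
    "facbook-login.net",
    "instagrarn.ai",
    "whatsapp-support.com",
    "facebook.com",   # the real thing: must not be flagged
    "example.com",    # unrelated: must not be flagged
]

if __name__ == "__main__":
    for domain, (brand, reason) in scan(SAMPLE_DOMAINS).items():
        print(f"{domain:24} -> {brand}: {reason}")
```

Run it against a zone file or certificate-transparency feed instead of the sample list and you have the core of a brand-monitoring check; the real work is a bigger confusable table and proper public-suffix handling.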
First of all: please use a password manager. Since you're a subscriber here I'm pretty sure you already do, but just in case. Second: if you're not using 1Password yet, give them a try. I've been using them for many years professionally and migrated my personal Vault over two years ago. The experience was super smooth, and I haven't looked back ever since. (Sponsored)