Showing posts with label pwned. Show all posts

Thursday, November 21, 2024

The Bad Guys are on a losing streak

Earlier this week we saw a bunch of Russian hackers sentenced to prison, now we see Interpol execute a massive take down of multiple groups of Bad Guys:

Interpol is reporting a big win after a massive combined operation against online criminals made 41 arrests and seized hardware thought to be used for nefarious purposes.

Operation Synergia II – the follow up to the first Synergia raids that were announced in February – saw cops in 95 countries crack down on phishers, ransomware extortionists, and information thieves around the world. The operation was carried out in conjunction with the corporate world, specifically Group-IB, Trend Micro, Kaspersky and Team Cymru.

In addition to the arrests, Interpol revealed 65 people are still under investigation and claimed to have shuttered 22,000 IP addresses, taken control of 59 servers and 43 other computing devices.

Bravo Zulu, y'all.

Monday, November 18, 2024

Spasiba, tovarisch!

Wow:

Four members of the now-defunct REvil ransomware operation have been sentenced to several years in prison in Russia, marking one of the rare instances where cybercriminals from the country have been convicted of hacking and money laundering charges.

Russian news publication Kommersant reported that a court in St. Petersburg found Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov guilty of illegal circulation of means of payment. Puzyrevsky and Khansvyarov have also been found guilty of using and distributing malware.

...

REvil, which was once one of the most prolific ransomware groups, was dismantled after Russia's Federal Security Service (FSB) announced arrests against several members in an unprecedented takedown.

They aren't just going to prison, they're going to a Russian prison.  More of this, please.


Friday, November 15, 2024

The good security news keeps rolling in

I don't remember a week of such good security news:

A 25-year-old man in Ontario, Canada has been arrested for allegedly stealing data from and extorting more than 160 companies that used the cloud data service Snowflake.

On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States. Bloomberg first reported Moucka’s alleged ties to the Snowflake hacks on Monday.

...

In a statement on Moucka’s arrest, Mandiant said UNC5537 aka Alexander ‘Connor’ Moucka has proven to be one of the most consequential threat actors of 2024.

Too bad we can't send him to a Russian prison, nyet?

Thursday, October 3, 2024

KIA cars can be hacked with a smartphone

I hope you don't drive a KIA.  This is actually a failure of post-manufacturing security processes, not that it makes things any better:

Sam Curry, who previously demonstrated remote takeover vulnerabilities in a range of brands – from Toyota to Rolls Royce – found this vulnerability in vehicles as old as model year 2014. The mess means the cars can be geolocated, turned on or off, locked or unlocked, have their horns honked and lights activated, and even have their cameras accessed – all remotely.

...

The issue originated in one of the Kia web portals used by dealerships. Long story short and a hefty bit of API abuse later, Curry and his band of far-more-capable Kia Boyz managed to register a fake dealer account to get a valid access token, which they were then able to use to call any backend dealer API command they wanted.

"From the victim's side, there was no notification that their vehicle had been accessed nor their access permissions modified," Curry noted in his writeup. "An attacker could resolve someone's license plate, enter their VIN through the API, then track them passively and send active commands like unlock, start, or honk."

Security wags have long called this sort of architecture "broken by design" - it was intentionally set up to allow privileged access via a poorly authenticated system that has to scale through a big organization.  I don't have much confidence that KIA can fix this, or that they will likely want to.
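As an added illustration (not Kia's code, and not Curry's), here is a toy Python model of the flaw class the excerpt describes: a portal whose self-service dealer signup hands out tokens and whose command endpoint checks only that a token is valid, next to a version that vets dealers, binds each command to the dealer's own vehicles, and records a notification for the owner. All dealer ids, VINs, class and function names are constructed for the example.

```python
"""Toy model of a dealer portal that trusts any dealer token (vulnerable)
beside one that also checks which vehicles the dealer may touch (hardened).
Constructed example; nothing here is Kia's code or data."""
from dataclasses import dataclass, field
from typing import Optional
import secrets

# Constructed sample data: dealers the manufacturer has actually vetted,
# and which VINs each one is allowed to service.
KNOWN_DEALERS = {"dealer-001"}
DEALER_VEHICLES = {"dealer-001": {"VIN-A1"}}


@dataclass
class Portal:
    """Holds issued tokens and the owner-visible log of remote commands."""
    tokens: dict = field(default_factory=dict)      # token -> dealer id
    owner_log: dict = field(default_factory=dict)   # VIN -> notifications

    def register_dealer_vulnerable(self, dealer_id: str) -> str:
        """Self-service signup: any caller gets a dealer token (the flaw)."""
        token = secrets.token_hex(8)
        self.tokens[token] = dealer_id
        return token

    def register_dealer_hardened(self, dealer_id: str) -> Optional[str]:
        """Only vetted dealers receive a token; unknown ids get nothing."""
        if dealer_id not in KNOWN_DEALERS:
            return None
        token = secrets.token_hex(8)
        self.tokens[token] = dealer_id
        return token

    def command_vulnerable(self, token: str, vin: str, cmd: str) -> str:
        """Authentication only: any valid dealer token may command any VIN,
        and the vehicle owner is never told."""
        if token not in self.tokens:
            return "denied: bad token"
        return f"{cmd} sent to {vin}"

    def command_hardened(self, token: str, vin: str, cmd: str) -> str:
        """Authentication, then object-level authorization, then owner notice."""
        dealer = self.tokens.get(token)
        if dealer is None:
            return "denied: bad token"
        if vin not in DEALER_VEHICLES.get(dealer, set()):
            return "denied: dealer not authorized for this vehicle"
        self.owner_log.setdefault(vin, []).append(f"{dealer} issued {cmd}")
        return f"{cmd} sent to {vin}"


def demo() -> dict:
    """Walk the scenario from the article against both portal variants."""
    p = Portal()
    fake = p.register_dealer_vulnerable("bogus-dealer")  # fake account accepted
    out = {
        "vuln_fake_unlock": p.command_vulnerable(fake, "VIN-A1", "unlock"),
        "hard_fake_unlock": p.command_hardened(fake, "VIN-A1", "unlock"),
        "hard_signup_fake": p.register_dealer_hardened("bogus-dealer"),
    }
    legit = p.register_dealer_hardened("dealer-001")
    out["hard_legit_unlock"] = p.command_hardened(legit, "VIN-A1", "unlock")
    out["hard_legit_other_vin"] = p.command_hardened(legit, "VIN-Z9", "unlock")
    out["owner_log"] = p.owner_log
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```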

And oh yeah - there's a smartphone app to help the Bad Guys.

All I can say is that 1968 Goat isn't vulnerable to this attack, and will never be.


Wednesday, September 4, 2024

What is this, 1990?

SolarWinds issues security patch to eliminate hard coded password:

SolarWinds left hardcoded credentials in its Web Help Desk product that can be used by remote, unauthenticated attackers to log into vulnerable instances, access internal functionality, and modify sensitive data.

The software maker has now issued an update to address that critical oversight; its users are encouraged to install the fix, which presumably removes the baked-in creds.

[blink] [blink]

What makes this even more double-plus ungood is that SolarWinds is a security company.  They know that hard coded passwords are not just A Very Bad Thing Indeed, but considered harmful*.

I guess the only other possibility is that they don't know this, but I just don't believe that.  Heads should roll over this.

* Old computing graybeards will remember the ACM paper "GoTo Considered Harmful" which created such a furor that "considered harmful" is now considered harmful when used descriptively.

Except here, where it is 100% justified.

Friday, July 12, 2024

Is anyone using old D-Link DIR-859 WiFi routers?

If so, you need to replace it right away.  There is a critical vulnerability which allows a Bad Guy to dump user accounts and passwords - basically, this lets him take over the box.  Because the routers are End Of Life (EOL) there will never be a software update to fix this.

Fortunately, home WiFi routers are pretty cheap these days.

I used to run D-Link in the past (I'm pretty sure I had one at FOB Borepatch, back in the day) but those are long gone now.  If you have one then run, don't walk, to get a replacement.

Details here for those who are interested.

Monday, July 8, 2024

I believe that this is the first BBQ security vulnerability

Oops:

Keen meatheads better hope they haven't angered any cybersecurity folk before allowing their Traeger grills to update because a new high-severity vulnerability could be used for all kinds of high jinks.

With summer in full swing in the northern hemisphere, it means BBQ season is upon us, and with Traeger being one of the most trusted brands in grilling and smoking, there's a good chance that many backyard cookouts could be ruined if crafty crims have their way.

Nick Cerne, security consultant at Bishop Fox, discovered a few weaknesses in certain Traeger grills, ones that have the Traeger Grill D2 Wi-Fi Controller installed – an embedded device allowing a grill to be controlled using a mobile app.

Successful exploits could allow a remote attacker to execute day-ruining commands such as temperature change controls or shutting down the grill altogether.

I think that we can all agree that the definition of a Black Hat hacker is someone who changes the temperature on your smoking brisket to 400 degrees ...

But put a computer in it, expect security bugs.


Saturday, June 15, 2024

It's time to opt out of Windows Recall

Holy cow, what a nightmare:

Microsoft is not giving up on its controversial Windows Recall, though says it will give customers an option to opt in instead of having it on by default, and will beef up the security of any data the software stores.

Recall, for those who missed the dumpster fire, was announced on May 20 as a "feature" on forthcoming Copilot+ Windows PCs. It takes a snapshot of whatever is on the user's screen every few seconds. These images are stored on-device and analyzed locally by an AI model, using OCR to extract text from the screen, to make past work searchable and more accessible.

The ultimate goal for Recall is to record nearly everything the user does on their Windows PC, including conversations and app usage, as well as screenshots, and present that archive in a way that allows the user to remind themselves what they were doing at some point in the past and pull up relevant files and web pages to interact with again. The archive can be searched using text, or the user can drag a control along a timeline bar to recall activities.

But security testers have raised doubts about the safety of recorded information and have developed tools that can extract these snapshots and whatever sensitive information they contain. The data is for now stored as an easy to access non-encrypted SQLite database in the local file system.

"Dumpster fire" doesn't even begin to describe it.  It's easy to imagine all sorts of ways that this would violate laws (e.g. storing healthcare PII unencrypted is a HIPAA violation).

Never mind what sort of reindeer games hackers might get up to - after all, Windows has historically been so difficult for viruses and malware to invade, amirite? 

If you're still using Windows, you should configure it to opt out of Recall.  Or upgrade to Linux.  All the cool kids are.

Thursday, June 13, 2024

This is getting out of hand

Someone is going to die if this keeps up:

England's NHS Blood and Transplant (NHSBT) has issued an urgent call to O Positive and O Negative blood donors to book appointments and donate after last week’s cyberattack on pathology provider Synnovis impacted multiple hospitals in London.

On June 4, operations at multiple large NHS hospitals in London were disrupted by the ransomware attack that the Russian cybercrime group Qilin (a.k.a. Agenda) launched on Synnovis.

The incident impacted blood transfusions, with many non-urgent procedures being canceled or redirected.

And so for the lack of adequate backups, Blighty is running out of blood.

Wednesday, May 15, 2024

Is the Signal secure messaging platform actually secure?

A competitor claims that it's not:

Telegram CEO Pavel Durov issued a scathing criticism of Signal, alleging the messaging service is not secure and has ties to US intelligence agencies.

...

Durov made his remarks on his Telegram channel on Wednesday, pushing a variety of points against the rival messenger app, including alleging it has ongoing ties to the US government, casting doubt over its end-to-end encryption, and claiming a lack of software transparency, as well as describing Signal as "an allegedly 'secure' messaging app".

...

The Register could not find public reports of Signal messages leaking due to faulty encryption. We also have reached out to the company and will update accordingly.

I'm not sure what to think here, other than the US Intelligence Community is doing no favors for US tech businesses, and hasn't for a long, long time.  This sort of accusation will get some traction, whether it is true or not.


Monday, May 13, 2024

More info emerges on the UnitedHealth cyber incident

None of it is good for UnitedHealth.  Multiple rookie security failures - including no use of multi-factor authentication for remote login, no network segmentation, and no internal security threat hunting. 

I don't know if there will be lawsuits over this, but this is all basically indefensible.  After all, they are a healthcare provider, and HIPAA/HITECH mandates all of this.

Monday, May 6, 2024

Kaiser Permanente shares user data with Google, Microsoft, and others

Well, well, well:

Millions of Kaiser Permanente patients' data was likely handed over to Google, Microsoft Bing, X/Twitter, and other third-parties, according to the American healthcare giant.

Kaiser told The Register it has started notifying 13.4 million current and former members and patients that "certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors," when customers used its websites and mobile applications.

Kaiser has since removed that tech from its websites and apps, and said it is not aware of "any misuse of any member's or patient's personal information."

Yeah, I'll bet.


If you get Kaiser Permanente insurance at work, you might want to ask your HR department for an assessment of whether your data was included in this data sharing scheme.  It's hard to see how at the minimum HIPAA-adjacent data was not shared here.


Monday, April 29, 2024

Ring doorbell company fined millions of dollars for privacy violations

Well knock me over with a feather:

The FTC today announced it would be sending refunds totaling $5.6 million to Ring customers, paid from the Amazon subsidiary's coffers.

The windfall stems from allegations made by the US watchdog that folks could have been, and were, spied upon by cybercriminals and rogue Ring workers via their Ring home security cameras.

The regulator last year accused Ring of sloppy privacy protections that allowed the aforementioned spying to occur or potentially occur.

...

In the most egregious case, one employee went out of his way to view "thousands of video recordings belonging to at least 81 unique female users," according to the FTC. A coworker reported this behavior to her supervisor, who it's alleged initially said this snooping wasn't that strange until he realized the rogue employee was only reviewing videos of "pretty girls."

The fines work out to $50 per affected Ring customer.  Don't spend it all in one place.

Wednesday, April 17, 2024

Great

Just great:

AI agents, which combine large language models with automation software, can successfully exploit real world security vulnerabilities by reading security advisories, academics have claimed.

In a newly released paper, four University of Illinois Urbana-Champaign (UIUC) computer scientists – Richard Fang, Rohan Bindu, Akul Gupta, and Daniel Kang – report that OpenAI's GPT-4 large language model (LLM) can autonomously exploit vulnerabilities in real-world systems if given a CVE advisory describing the flaw.

"To show this, we collected a dataset of 15 one-day vulnerabilities that include ones categorized as critical severity in the CVE description," the US-based authors explain in their paper.

"When given the CVE description, GPT-4 is capable of exploiting 87 percent of these vulnerabilities compared to 0 percent for every other model we test (GPT-3.5, open-source LLMs) and open-source vulnerability scanners (ZAP and Metasploit)."

A "Day Zero" vulnerability is a security bug for which there is no patch available.  "Day One" vulnerabilities are those where a patch is available but where it hasn't been applied yet.  It is considered industry best practice to patch high risk and critical security bugs within 30 days.  This may blow that out of the water.

This is pretty bad news.


Thursday, April 11, 2024

Security is hard, vol CCLVI

Act the first: Web Security organization suffers data breach:

A misconfigured MediaWiki web server allowed digital snoops to access members' resumes containing their personal details at the Open Web Application Security Project (OWASP) Foundation.

...

"If you were an OWASP member from 2006 to around 2014 and provided your resume as part of joining OWASP, we advise assuming your resume was part of this breach," OWASP said in a Good Friday notification posted on its website.


"We recognize the significance of this breach, especially considering the OWASP Foundation's emphasis on cybersecurity," it added.

Yup.  This shows just how hard security is - OWASP is full to the brim with folks who (a) understand the importance of security, (b) know how to implement security (well, most of the time), and (c) have a lot of reputation at stake.  That reputation took a hit here.

Act the second: OPSEC is a bitch, even for secret squirrels:

Protecting your privacy online is hard. So hard, in fact, that even a top Israeli spy who managed to stay incognito for 20 years has found himself exposed after one basic error.

The spy, named Yossi Sariel, allegedly heads Israel's Unit 8200 – a team of crack infosec experts comparable to the USA’s National Security Agency or the UK’s Government Communications Headquarters. Now he's been confirmed as the author of a 2021 book titled "The Human Machine Team" about the intelligence benefits of pairing human agents with advanced AI.

Sariel – who wrote the book under the oh-so-anonymous pen name “Brigadier General YS” – made a crucial mistake after an investigation by The Guardian which found an electronic copy of Sariel's book available on Amazon "included an anonymous email that can easily be traced to Sariel's name and Google account.”

...

Being outed after more than 20 years of anonymity isn't optimal for someone who's supposed to be a top spy.

Yup.  And while it's tempting to roll your eyes and chorus Top. Men., remember that this is how they nabbed Ross Ulbricht, a.k.a. The Dread Pirate Roberts from The Silk Road.

Yeah, OPSEC is a stone cold bitch of a problem.  You have to be right 100% of the time, and dropping that to 99.99% means that you lose.

Thursday, March 14, 2024

Burglars using Wi-Fi jammers to disable security cameras

Well, of course:

Authorities with the Los Angeles Police Department are warning residents in Los Angeles’ Wilshire-area neighborhoods of a series of burglaries involving wifi-jamming technology that can disarm surveillance cameras and alarms using a wireless signal.

According to police, the burglaries typically involve three to four suspects who enter homes through a second story balcony.  

Once inside, the thieves target primary bedrooms in search of high-end jewelry, purses, U.S. currency and other valuables. 

Cat 5 is a pain to run but is hard to jam.

(via)


Tuesday, March 5, 2024

Cisco Webex call recording released by Russia

Wow:

The German Ministry of Defense (Bundeswehr) has confirmed that a recording of a call between high-ranking officials discussing war efforts in Ukraine, leaked by Russian media, is legitimate.

Senior government officials have also confirmed Russian reports that the call was hosted on and tapped via Cisco's WebEx video conferencing platform rather than any kind of secure, military-grade comms.

Roderich Kiesewetter, deputy chairman of the German parliament's oversight committee, said the Bundeswehr leak was possibly caused by a Russian agent inside the WebEx call or the Bundeswehr's implementation of it, but the country is still working on discovering how the intrusion took place.

As someone who worked at Cisco (in both their security and Webex business units) I can say that Cisco takes security very, very seriously.  Not knowing more than this article, it very well may be a mole.

Monday, February 26, 2024

More bad security news

This sounds pretty bad:

Abstract: In recent years, large language models (LLMs) have become increasingly capable and can now interact with tools (i.e., call functions), read documents, and recursively call themselves. As a result, these LLMs can now function autonomously as agents. With the rise in capabilities of these agents, recent work has speculated on how LLM agents would affect cybersecurity. However, not much is known about the offensive capabilities of LLM agents.

In this work, we show that LLM agents can autonomously hack websites, performing tasks as complex as blind database schema extraction and SQL injections without human feedback. Importantly, the agent does not need to know the vulnerability beforehand.

Highlighting is mine.  That bit is really, really bad.

This may be an inflection point, where Black Hat AI will fight it out with White Hat AI that companies use to find problems before the Black Hat ones do.  What a mess.

(via)

Thursday, February 15, 2024

Stop using FaceID immediately

Assuming that you use it, of course.  It is a persistently bad idea:

Cybercriminals are targeting iOS users with malware that steals Face ID scans to break into and pilfer money from bank accounts – thought to be a world first.

A Chinese-speaking cybercrime group, dubbed GoldFactory by Group-IB's researchers, started distributing trojanized smartphone apps in June 2023, however, the latest GoldPickaxe version has been around since October.

...

Once the biometrics scans were captured, attackers then used these scans, along with deepfake software, to generate models of the victim's face.

Attackers would download the target banking app onto their own devices and use the deepfake models, along with the stolen identity documents and intercepted SMS messages, to remotely break into victims' banks.

You can change a compromised password, but you cannot change your face.


Monday, January 29, 2024

Interesting Security News

Item the first: follow the money:

Trend Micro's Zero Day Initiative (ZDI) held its first-ever automotive-focused Pwn2Own event in Tokyo last week, and awarded over $1.3 million to the discoverers of 49 vehicle-related zero day vulnerabilities.

Researchers from French security outfit Synacktiv took home $450,000 after demonstrating six successful exploits, one of which saw the company’s crew gain root access to a Tesla Modem. Another effort found a sandbox escape in the Musk-mobiles’ infotainment system.

Other popular targets at the three day event included after-market infotainment systems and, more troublingly, a whole host of successful hacks on EV chargers.

This is a good strategy - show me the hack, I'll show you the money.  More, please.  Plus, good on them picking automotive computing as the target.  Long time readers will recall that this is something I've been harping on for quite some time.

Item the second: SEC gets pwned (same link as above): 

We had our suspicions when Twitter/X blamed the US Securities and Exchange Commission for the account takeover that led to the premature release of news the regulator would allow Bitcoin exchange-traded funds – and those suspicions have been confirmed.

"The SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent 'SIM swap' attack," the Commission admitted last week.

For those unfamiliar with this form of attack, SIM swaps involve convincing a telecom carrier to transfer a phone number to a new SIM card (a shift for which there are a variety of legitimate reasons), giving an attacker control over communications going to and from that number – like a second authentication factor.

That didn't matter, of course, because the SEC also admitted it disabled multi-factor authentication with Twitter support in July last year "due to issues accessing the account," but no one bothered to turn it back on.

"It made security too hard and then we forgot all about it" is an excuse that I suspect that SEC investigators wouldn't accept.  Top. Men.