11 min read

This Week's [in]Security - Issue 248

Picture of CG Blogger CG Blogger : Jan 3, 2022 7:59:00 AM

[in]security MFA TLS Log4J COVID-19 SHA MD5 Alexa

Welcome to This Week’s [in]Security. Big-Hacks: Log4J, new RCE, the long road. New breaches: T-Mobile, Redline Stealer, Lastpass. New Ransomware: Saskatchewan, Norway, Shutterfly, Law Enforcement. Major outages: Backup Failure. Privacy: Spying toys, EFF's 2021. Laws & Regs - US: Missouri, Morgan Stanley. World: India. Defense: Krebs, TLS deprecates SHA1 & MD5. Vulnerabilities, Netgear, MS Exchange Y2K22 bug. Cybercrime: Trends: 2fa interception, Galaxy store, SSDs, Online courses. Nation States: Hackers-4-hire, Poland. Crime & Enforcement: Butter? Other Risks: Science, Cyber-due-diligence, ANOM, Blackberry EOL, Double Fake NFTs. Health, Safety & Environment: Alexa lethal challenge. Fireworks, winter driving, recall, 5G, Satellites. Covid-19: Spread, Curves, Waves, and Variants; Response; Treatments; Immunity; Learned; Impact; Covid Compliance. And more.

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

Major incidents:
- Another Remote Code Execution Vulnerability Patched in Log4j https://www.securityweek.com/another-remote-code-execution-vulnerability-patched-log4j
- Log4j 2.17.1 out now, fixes new remote code execution bug https://www.bleepingcomputer.com/news/security/log4j-2171-out-now-fixes-new-remote-code-execution-bug/
- The Log4j Flaw Will Take Years to be Fully Addressed https://www.darkreading.com/tech-trends/the-log4j-flaw-will-take-years-to-be-fully-addressed
- How to Discover Log4Shell Vulnerabilities in Running Containers & Images https://blog.qualys.com/vulnerabilities-threat-research/2021/12/27/how-to-discover-log4shell-vulnerabilities-in-running-containers-images
New Breaches:
- Another T-Mobile cyberattack reportedly exposed customer info and SIMs https://www.databreaches.net/another-t-mobile-cyberattack-reportedly-exposed-customer-info-and-sims/
- T-Mobile says new data breach caused by SIM swap attacks https://www.bleepingcomputer.com/news/security/t-mobile-says-new-data-breach-caused-by-sim-swap-attacks/
- RedLine Stealer - 441,657 breached accounts https://haveibeenpwned.com/PwnedWebsites#RedLineStealer
- RedLine malware shows why passwords shouldn't be saved in browsers https://www.bleepingcomputer.com/news/security/redline-malware-shows-why-passwords-shouldnt-be-saved-in-browsers/
- LastPass users warned their master passwords are compromised https://www.bleepingcomputer.com/news/security/lastpass-users-warned-their-master-passwords-are-compromised/
- LastPass says no passwords were compromised following breach scare https://www.theverge.com/2021/12/28/22857485/lastpass-compromised-breach-scare
- UVA Health notified patients after Ciox Health data breach https://www.databreaches.net/uva-health-notified-patients-after-ciox-health-data-breach/
New Ransomware and "Incidents":
- Fintech firm hit by log4j hack refuses to pay $5 million ransom https://www.databreaches.net/fintech-firm-hit-by-log4j-hack-refuses-to-pay-5-million-ransom/
- Saskatchewan Liquor and Gaming Authority investigating Christmas Day cybersecurity incident https://www.databreaches.net/saskatchewan-liquor-and-gaming-authority-investigating-christmas-day-cybersecurity-incident/
- Cyberattack on one of Norway's largest media companies shuts down presses https://www.databreaches.net/cyberattack-on-one-of-norways-largest-media-companies-shuts-down-presses/
- Shutterfly services disrupted by Conti ransomware attack https://www.databreaches.net/shutterfly-services-disrupted-by-conti-ransomware-attack/
- AvosLocker ransomware gives free decryptor to US police dept https://www.bleepingcomputer.com/news/security/avoslocker-ransomware-gives-free-decryptor-to-us-police-dept/
Major outages/downs:
- University loses 77TB of research data due to backup error https://www.bleepingcomputer.com/news/security/university-loses-77tb-of-research-data-due-to-backup-error/

Privacy

Articles about privacy related news, risks, and trends.

That Toy You Got for Christmas Could Be Spying on You https://threatpost.com/toy-christmas-spying/177288/
DtSR Episode 481 - Spies In Your Tech http://podcast.wh1t3rabbit.net/dtsr-episode-481-spies-in-your-tech
EFF Year in review:
- Fighting For A More Open, Balanced Patent System: 2021 in Review https://www.eff.org/deeplinks/2021/12/2021-we-fought-more-open-balanced-patent-system
- In 2021, the Police Took a Page Out of the NSA's Playbook: 2021 in Review https://www.eff.org/deeplinks/2021/12/2021-police-took-page-out-nsas-playbook
- Police Use of Artificial Intelligence: 2021 in Review https://www.eff.org/deeplinks/2021/12/police-use-artificial-intelligence-2021-review
- Shining a Light on Black Box Technology Used to Send People to Jail: 2021 Year in Review https://www.eff.org/deeplinks/2021/12/shining-light-black-box-technology-used-send-people-jail-2021-year-review
- In 2021, We Told Apple: Don't Scan Our Phones https://www.eff.org/deeplinks/2021/12/2021-we-told-apple-dont-scan-our-phones
- Where Net Neutrality Is Today and What Comes Next: 2021 in Review https://www.eff.org/deeplinks/2021/12/where-net-neutrality-today-and-what-comes-next-2021-review
- The Battle for Communications Privacy in Latin America: 2021 in Review https://www.eff.org/deeplinks/2021/12/battle-communications-privacy-latin-america-2021-review
- Vaccine Passports: 2021 in Review https://www.eff.org/deeplinks/2021/12/vaccine-passports-2021-review

Laws, Regulations, Platforms, Standards, and Public Policy

News about laws, regulations, platform rules, and standards affecting security, privacy, technology, and public interest.

US:
- The governor of Missouri still doesn't know how websites work https://www.theverge.com/2021/12/31/22861188/missouri-governor-mike-parson-hack-website-source-code
- Morgan Stanley to pay $60 million to resolve data security lawsuit https://www.databreaches.net/morgan-stanley-to-pay-60-million-to-resolve-data-security-lawsuit/
World:
- Indian authorities set to tighten data breach laws in 2022 https://www.databreaches.net/indian-authorities-set-to-tighten-data-breach-laws-in-2022/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

Happy 12th Birthday, KrebsOnSecurity.com! https://krebsonsecurity.com/2021/12/happy-12th-birthday-krebsonsecurity-com/
Bulletproof TLS Newsletter #84 MD5 and SHA-1 TLS handshake message signatures (not HMACs) deprecated, and other stories https://www.feistyduck.com/bulletproof-tls-newsletter/issue_84_rfc_9155_deprecates_md5_and_sha-1_signatures_in_tls_handshake_messages
Assetfinder - Find Related Domains and Subdomains https://github.com/tomnomnom/assetfinder and https://www.darknet.org.uk/2021/12/assetfinder-find-related-domains-and-subdomains/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

Netgear leaves vulnerabilities unpatched in Nighthawk router https://www.bleepingcomputer.com/news/security/netgear-leaves-vulnerabilities-unpatched-in-nighthawk-router/
Microsoft releases emergency fix for Exchange stuck email year-2022-bug https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-fix-for-exchange-year-2022-bug/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends, alerts, events.

Trends, Alerts, and Events (other than major breaches):
- More than 1,200 phishing toolkits capable of intercepting 2FA detected in the wild https://www.databreaches.net/more-than-1200-phishing-toolkits-capable-of-intercepting-2fa-detected-in-the-wild/
- Riskware Android streaming apps found on Samsung's Galaxy store https://www.bleepingcomputer.com/news/security/riskware-android-streaming-apps-found-on-samsungs-galaxy-store/
- Firmware attack can drop persistent malware in hidden SSD area https://www.bleepingcomputer.com/news/security/firmware-attack-can-drop-persistent-malware-in-hidden-ssd-area/
- 'Unique hackers' arrested in Indore used to hack IDs of online classes https://www.databreaches.net/unique-hackers-arrested-in-indore-used-to-hack-ids-of-online-classes/
- Portuguese newspaper is hacked by group that attacked Ministry of Health https://www.databreaches.net/portuguese-newspaper-is-hacked-by-group-that-attacked-ministry-of-health/
- New iLOBleed Rootkit Targeting HP Enterprise Servers with Data Wiping Attacks https://thehackernews.com/2021/12/new-ilobleed-rootkit-targeting-hp.html
Nation State Actors:
- The hacker-for-hire industry is now too big to fail https://www.technologyreview.com/2021/12/28/1043029/the-hacker-for-hire-industry-is-now-too-big-to-fail/
- Spyware scandal rocks Polish government https://www.theverge.com/2021/12/27/22855390/poland-pegasus-spyware-opposition-brejza-nso
- APT 'Aquatic Panda' Targets Universities with Log4Shell Exploit Tools https://threatpost.com/aquatic-panda-log4shell-exploit-tools/177312/
- New Flagpro malware linked to Chinese state-backed hackers https://www.bleepingcomputer.com/news/security/new-flagpro-malware-linked-to-chinese-state-backed-hackers/
- Researchers Dive Into Equation Group Tool 'DoubleFeature' https://www.securityweek.com/researchers-dive-equation-group-tool-doublefeature
Crime & Arrests, etc.:
- Ontario police investigating alleged theft of two truckloads of butter worth $200K https://toronto.ctvnews.ca/ontario-police-investigating-alleged-theft-of-two-truckloads-of-butter-worth-200k-1.5722681

Other Security / Risk

Articles covering other types of risks.

Sometimes Science Is Wrong (but it is eventually self-correcting) https://www.scientificamerican.com/article/sometimes-science-is-wrong/
A Weird Paper Tests The Limits of Science by Claiming Octopuses Came From Space https://www.sciencealert.com/a-weird-paper-tests-the-limits-of-science-by-claiming-octopuses-came-from-space
Hollywood Can Take On Science Denial; Don't Look Up Is a Great Example https://www.scientificamerican.com/article/hollywood-can-take-on-science-denial-dont-look-up-is-a-great-example/
Why Cyber Due Diligence Is Essential to the M&A Process https://www.darkreading.com/vulnerabilities-threats/why-cyber-due-diligence-is-essential-to-the-m-a-process
Twitter account of FBI's fake chat app, ANOM seen trolling today https://www.bleepingcomputer.com/news/security/twitter-account-of-fbis-fake-chat-app-anom-seen-trolling-today/
Fireworks could fizzle out as drones rise in popularity for new year https://www.theguardian.com/uk-news/2021/dec/30/fireworks-could-fizzle-out-drones-rise-popularity-new-year
End of the line finally coming for BlackBerry devices https://arstechnica.com/information-technology/2021/12/end-of-the-line-finally-coming-for-blackberry-devices/
Two NFT copycats are fighting over which is the real fake Bored Ape Yacht Club https://www.theverge.com/2021/12/30/22860010/bored-ape-yacht-club-payc-phayc-copycat-nft
Health, Safety & Environment:
- The Cost of Engaging With the Miserable https://www.theatlantic.com/ideas/archive/2021/12/twitter-facebook-misery-misinformation/621073/
- We May Finally Have The Basis of a Dog Allergy Vaccine https://www.sciencealert.com/we-may-have-the-start-of-what-could-be-a-vaccine-against-dog-allergies
- Intestine 'organoid' grown in lab to see why bats live with viruses but don't get sick https://scienmag.com/intestine-organoid-grown-in-lab-to-see-why-bats-live-with-viruses-but-dont-get-sick/
- Why Aren't All Calories Created Equal? A Dietitian Explains https://www.sciencealert.com/why-aren-t-all-calories-created-equal-a-dietitian-explains
- Amazon Alexa slammed for giving lethal challenge to 10-year-old girl https://www.bleepingcomputer.com/news/technology/amazon-alexa-slammed-for-giving-lethal-challenge-to-10-year-old-girl/
- New Year's Eve fireworks kill and injure in Europe despite bans https://www.bbc.co.uk/news/world-europe-59848648
- Winter driving tips: How to stay safe on icy Okanagan roads https://globalnews.ca/news/8477398/winter-driving-okanagan-roads/
- Tesla recalls over 475K cars from U.S. markets over safety concerns https://globalnews.ca/news/8480205/tesla-recalls-model-3-model-s-safety-concern/
- AT&T and Verizon may have to delay 5G deployments another two weeks over airline safety fears https://www.theverge.com/2022/1/1/22862481/buttigieg-faa-request-two-week-5g-delay-aircraft-safety
- China Accuses US of Unsafe Space Conduct After Near-Miss With Elon Musk's Starlink https://www.sciencealert.com/china-accuses-us-of-unsafe-conduct-in-space-after-close-encounter-with-starlink
- Alaska 'Icemageddon' warning follows heat record https://www.bbc.co.uk/news/world-us-canada-59820999
- How a great white shark altered an N.S. underwater researcher's diving plans for 2022 https://halifax.citynews.ca/local-news/how-a-great-white-shark-altered-an-ns-underwater-researchers-diving-plans-for-2022-4899459

COVID-19 updates.

COVID related articles. We have been following coronavirus risks since https://controlgap.com/blog/this-weeks-insecurity-issue-147.

The spread, curves, spikes, waves, reinfection, and variant strains:
- Covid-19: WHO chief optimistic disease will be beaten in 2022 https://www.bbc.co.uk/news/world-59840513
- Russia's COVID-19 death toll crosses 650K, second highest in the world https://globalnews.ca/news/8480308/russias-covid-19-death-toll-second-highest/
- As Omicron becomes the dominant variant, the US is averaging 200,000 new COVID-19 cases a day https://www.businessinsider.com/omicron-variant-percent-new-covid-19-cases-cdc-2021-12
- Nearly a fifth of all NYC COVID-19 cases were recorded in December 2021 amid the rapid spread of the Omicron variant https://www.businessinsider.com/new-york-city-covid-cases-december-winter-omicron-surge-coronavirus-2021-12
- Canada surpasses 2 million COVID-19 cases as Omicron variant continues surge https://globalnews.ca/news/8476350/canada-2-million-covid-19-cases-as-omicron-variant/
- Nearly every province sets new record for COVID-19 cases as Omicron sweeps Canada https://globalnews.ca/news/8479373/covid-canada-omicron-christmas/
- Covid: Omicron and Delta driving tsunami of cases - WHO https://www.bbc.co.uk/news/world-59822209
- Ontario posts record 16,713 new COVID-19 infections as new testing guidelines take effect https://toronto.ctvnews.ca/ontario-posts-record-16-713-new-covid-19-infections-as-new-testing-guidelines-take-effect-1.5724312
- Quebec reports 17,122 new COVID-19 cases, 8 deaths, as hospitalizations rise by 98 https://globalnews.ca/news/8483342/quebec-covid-jan-1-2022-curfew/
- B.C. confirms 4,383 new cases as Omicron surge pushes COVID-19 to record heights https://globalnews.ca/news/8481123/bc-covid-19-update-dec-30-2021/
- COVID-19: Nova Scotia reporting 1,893 new cases over the weekend https://globalnews.ca/news/8484129/ns-covid-19-update-jan-2-2022/
Guidance, Response, and Recovery:
- Toronto to redeploy hundreds of staff in order to protect essential services from threat posed by Omicron https://toronto.ctvnews.ca/toronto-to-redeploy-hundreds-of-staff-in-order-to-protect-essential-services-from-threat-posed-by-omicron-1.5722224
- Dozens of U.S. colleges switching back to online classes as COVID-19 cases soar https://globalnews.ca/news/8483197/covid-us-colleges-online-classes/
- Ontario considers delaying return to in-class learning for 2 weeks amid COVID-19 spike https://globalnews.ca/news/8484921/ontario-covid-in-class-learning-delay/
- CDC now recommends those with COVID-19 isolate for 5 days, down from 10 https://globalnews.ca/news/8475800/cdc-covid-19-isolation-recommendation/
- Fauci says that the shortened COVID-19 isolation guidelines were designed to 'get people back to jobs' https://www.businessinsider.com/covid-isolation-fauci-shortened-cdc-work-jobs-economy-coronavirus-economy-2021-12
- Former Surgeon General Jerome Adams says CDC officials wouldn't follow the new guidance 'for their own family' https://www.businessinsider.com/jerome-adams-criticizes-cdc-guidance-isolation-covid-19-antigen-tests-2021-12
- President of flight attendants' union slams CDC for shortening the quarantine period: "It was all about the staffing issues" https://www.businessinsider.com/flight-attendant-union-president-slams-cdc-over-new-quarantine-period-2021-12
- Michigan won't implement the CDC's new COVID-19 isolation guidelines, saying it needs to 'review the supporting evidence' first https://www.businessinsider.com/michigan-cdc-covid-19-isolation-guidelines-reveiwing-evidence-2021-12
- Should Canada cut COVID-19 isolation times? Business, labour groups divided https://globalnews.ca/news/8479105/canada-covid-19-isolation-times-businesses/
- Multiple provinces considering allowing COVID positive healthcare staff to work https://globalnews.ca/news/8477772/provinces-covid-positive-healthcare-staff-work/
- Ontario introduces shortened isolation periods, new testing guidelines https://toronto.ctvnews.ca/ontario-introduces-shortened-isolation-periods-new-testing-guidelines-1.5723606
- Ontario's return to in-person learning must include better masks, more tests, stronger COVID-19 protocols https://toronto.ctvnews.ca/ontario-s-return-to-in-person-learning-must-include-better-masks-more-tests-stronger-covid-19-protocols-1.5723343
- Ontario reducing capacity limits at large spectator venues to 1,000 people https://toronto.ctvnews.ca/ontario-reducing-capacity-limits-at-large-spectator-venues-to-1-000-people-1.5723604
- 'Confusing': Toronto doctors voice concern over capacity limits at large venues as COVID-19 cases soar https://toronto.ctvnews.ca/confusing-toronto-doctors-voice-concern-over-capacity-limits-at-large-venues-as-covid-19-cases-soar-1.5721893
- COVID-19: Quebec brings back nightly curfew, private gatherings prohibited, as cases soar https://globalnews.ca/news/8480611/covid-19-quebec-brings-back-nightly-curfew-private-gatherings-prohibited-as-cases-soar/
- National civil liberties association condemns Quebec COVID-19 curfew, private gathering ban https://globalnews.ca/news/8484345/civil-liberties-association-condemns-quebec-covid-19-curfew/
- Canadian cities cancel New Year's Eve parties as celebrations move online https://globalnews.ca/news/8481789/canadian-cancel-new-years-eve-parties-celebrations-online/
- Toronto goes virtual with 2022 New Year's Eve show online, followed by fireworks https://globalnews.ca/news/8478310/toronto-new-years-eve-2022-virtual-covid/
- CDC says all travelers, fully vaccinated or not, should avoid going on cruise ships https://www.businessinsider.com/cdc-covid-vaccine-travelers-avoid-going-on-cruises-2021-12
- Covid: Woman isolates in toilet for five hours after positive mid-flight test https://www.bbc.co.uk/news/world-us-canada-59833262
- Attempt to improve COVID Alert app stalls for lack of interest by provinces https://globalnews.ca/news/8478550/attempts-improve-covid-alert-stall-lack-of-interest-provinces/
Treatments, Testing, Triage, Trials, and things we Learned:
- FYI, Rapid Antigen Tests May Give More False Negatives With Omciron https://www.sciencealert.com/fyi-rapid-antigen-tests-appear-to-give-more-false-negatives-with-omciron
- The Atlantic Daily: What Rapid Tests Miss https://www.theatlantic.com/newsletters/archive/2021/12/how-to-use-rapid-tests/621086/
- HSE biologists prepare strategy for universal COVID test https://scienmag.com/hse-biologists-prepare-strategy-for-universal-covid-test/
- Pfizer's antiviral COVID-19 pill approved by U.K. regulators https://globalnews.ca/news/8481802/pfizer-antiviral-covid-19-pill-approved-u-k/
Immunity and Vaccinations:
- What went wrong with vaccinating the world? https://www.bbc.co.uk/news/health-59755743
- A COVID Vaccine for All https://www.scientificamerican.com/article/a-covid-vaccine-for-all/
- Ontario offering fourth COVID-19 vaccine dose to long-term care residents, mandating booster for staff https://toronto.ctvnews.ca/ontario-offering-fourth-covid-19-vaccine-dose-to-long-term-care-residents-mandating-booster-for-staff-1.5723637
- Israel OKs 4th COVID-19 vaccine shot for most vulnerable https://globalnews.ca/news/8480509/israel-oks-4th-covid-vaccine-immunocompromised/
- Things we learned:
- CDC boss says COVID-19 hospitalizations are 'comparatively low' as US records most ever cases in a single day https://www.businessinsider.com/cdc-hospitalizations-comparatively-low-as-us-cases-hit-record-highs-2021-12
- Omicron hospitalization risk roughly one third of Delta variant, U.K. data shows https://globalnews.ca/news/8481935/omicron-hospitalization-risk-delta-variant-u-k-data/
- Ontario study of COVID-19 cases suggests Omicron not as severe as Delta https://toronto.ctvnews.ca/ontario-study-of-covid-19-cases-suggests-omicron-not-as-severe-as-delta-1.5723473
- Kidney damage as a result of coronavirus infection https://scienmag.com/kidney-damage-as-a-result-of-coronavirus-infection/
Impact:
- Travellers 'out of luck' as they seek refunds for COVID cancellations https://www.cbc.ca/news/canada/ottawa/travellers-facing-resistance-vacation-refunds-1.6300747
Masks, anti-maskers, distancing, compliance, and repercussions:

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

The Largest Known Flying Animal Was Even Weirder Than We Thought https://www.sciencealert.com/the-largest-ever-flying-animal-was-a-condor-in-the-skies-and-a-heron-on-the-ground
Book: Build Your Own Programming Language https://www.amazon.com/Build-Your-Own-Programming-Language/dp/1800204809/ or https://www.amazon.ca/Build-Your-Own-Programming-Language/dp/1800204809/
Here's DART's First Picture From Space. We Are Already Looking Forward to its Last Image https://www.universetoday.com/153840/heres-darts-first-picture-from-space-we-are-already-looking-forward-to-its-last-image/
There Was a Major Unexpected Benefit to James Webb's Christmas Launch https://www.sciencealert.com/there-was-a-major-unexpected-benefit-to-james-webb-s-christmas-launch
MIT engineers develop 'flying saucer' that could hover across the moon https://www.independent.co.uk/life-style/gadgets-and-tech/space/mit-flying-saucer-moon-rover-b1983666.html
2029 Will be the Perfect Year to Launch a Mission to Sedna https://www.universetoday.com/153879/2029-will-be-the-perfect-year-to-launch-a-mission-to-sedna/
The Tiny Dots in This Image Aren't Stars or Galaxies. They're Black Holes https://www.sciencealert.com/the-tiny-dots-in-this-image-aren-t-stars-or-galaxies-they-re-black-holes

This Week's [in]Security - Issue 247

CG Blogger : Dec 26, 2021 7:59:00 AM

Welcome to This Week’s [in]Security. Big-Hacks: More log4shell. New breaches: Azure, Hellman. New Ransomware: terrorism? Inetum. Major outages:...

1 min read

This Week's [in]Security - Issue 245

CG Blogger : Dec 12, 2021 10:07:00 PM

Welcome to This Week’s [in]Security. Log4J/Log4shell! PCI and payments: PCI updates: PIN, SSF. Non-Compliance Lesson No.3. Magecart, Supply-Chain...

[in]security Magecart Log4J COVID-19 SSF Log4shell Smishing

This Week's [in]Security - Issue 212

CG Blogger : Apr 25, 2021 10:07:00 PM

Welcome to This Week’s [in]Security. P2PE Solution Aid. More on 8-digit BINs. Supply-Chain Backdoors: CodeCov, Passwordstate, Solarwinds. New...

[in]security NIST Bill C11 COVID-19 IoT Bill S-210

This Week's [in]Security - Issue 248

This Week's [in]Security - Issue 247

This Week's [in]Security - Issue 245

This Week's [in]Security - Issue 212

Services

About Us

Knowledge Base

Contact