Subscribe to this bi-weekly newsletter here!
Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.
Two contrasting developments unfolded in the US and Germany last week.
While the US Senate voted to reauthorize the USA Freedom Act, allowing law enforcement to collect Americans’ browsing and internet search records without a warrant, Germany’s constitutional court ruled that the country’s intelligence agency, the Bundesnachrichtendienst (BND), can no longer spy on the world’s internet traffic without any restrictions.
The bill takes aim at Section 215, a sweeping surveillance law in the Patriot Act, which was signed into law in the aftermath of 9/11. It basically allows the government to collect any “tangible thing” (such as books, records, papers, documents, and other items) so long as it’s in the interest of national security.
But Edward Snowden’s disclosures about the vast scope of the US’ bulk data collection programs in 2013 prompted a congressional reform, and thus came into being the USA Freedom Act of 2015. The act, however, places no limit on amassing phone metadata or internet data of its citizens.
The amendment, which would have forbid warrantless surveillance by federal agencies, failed by just one vote on the Senate floor. Now all that remains is for the House of Representatives to approve the amended version of the bill before sending it to the president’s desk.
On the other end, after it was revealed that the BND was tapping web traffic flowing through the DE-CIX Internet exchange point in Frankfurt since 2009, the German chapter of Reporters Without Borders (RSF), along with the Berlin-based Society for Civil Rights (GFF), filed a case, stating they don’t want German spies identifying their sources there and sharing that information with other countries.
“For the first time, Germany’s Federal Government will be legally obliged to protect the confidential communications of journalists from mass surveillance,” the RSF said. “The BND will no longer be able to monitor foreign media workers at will. Tough criteria will also be set for the transfer of data to foreign intelligence services.”
If the Germany ruling is any indication, more independent oversight before authorizing government surveillance programs is the way to go.
What’s trending in security?
Ransomware gangs targeted hospitals and law firms, the Ukrainian Secret Service arrested a hacker known as Sanix, who’s responsible for selling billions of hacked credentials on hacking forums and Telegram channels, and EasyJet said a cyberattack exposed email addresses and travel details of around 9 million of its customers.
- WIRED’s Andy Greenberg looks at the life of Marcus Hutchins, one of the heroes who helped stop the WannaCry ransomware attacks, which turned three last week. [WIRED]
- COVID-19 themed lures are still being used in phishing campaigns to steal credentials and trick users into downloading malware by spoofing legitimate websites such as the World Health Organization. In the meanwhile, Romanian authorities disrupted a cybercriminal group that planned to conduct ransomware attacks on hospitals in the country. [Microsoft Security Intelligence / Trend Micro]
- A new Android spyware, called WolfRAT, targets Thai users to gather device data, take photos and videos, and record screen activity to steal LINE, WhatsApp, and Messenger chats. [Cisco Talos]
- Credit card skimmers are now hiding in plain sight in the form of favicon files, a technique called steganography, to steal payment card data from hacked websites. [Malwarebytes]
- Privacy-focussed messaging app Signal launched profile PINs as part of its first step towards moving away from using phone numbers as profile identifiers and help users migrate account data between devices. [Signal]
- The US cybersecurity agency released a list of the top 10 routinely exploited security vulnerabilities between 2016 and 2019. [CISA]
- Google removed 813 ‘creepware‘ apps from the Play Store after they were caught accessing users’ SMS messages, location, and other sensitive data to stalk, harass, and defraud others. [ZDNet]
- The FBI and Department of Homeland Security formally accused China of hacking US entities working on COVID-19 research. [CISA / FBI]
- The US Secret Service warned that a crime ring is targeting state unemployment insurance programs to commit fraud by using data belonging to identity theft victims. Some of the actors behind the operation have been traced to Scattered Canary, a Nigerian cybercrime group. [Krebs on Security / Agari]
- Multiple supercomputer clusters, including University of Edinburgh’s ARCHER, across Europe were infected with cryptocurrency mining malware. [Archer / bwHPC / Leibniz Computing Center]
- Israeli surveillance vendor NSO Group made a site appearing to belong to Facebook’s security team to entice targets into installing Pegasus spyware. Facebook later got ownership of the domain to shut it down. [Motherboard]
- Ars Technica’s Dan Goodin went into details about Thunderspy attack that can be used to break into a person’s computer through their Thunderbolt port. But there’s no cause to panic. You’re most likely safe. [Ars Technica]
- Microsoft and Intel developed a new approach to detect malware by first converting its binary form into a grayscale image, and then applying deep learning methods. [Microsoft]
- Cryptocurrency hardware wallets, such as those from Coinkite, Shapeshift and Coldcard, could be hacked to allow an attacker to figure out the PIN that protects those wallets by “monitoring voltage output changes as the chip received PIN inputs to determine the PIN itself.” The flaws have since been fixed. [WIRED]
- Cybersecurity researchers detailed the tactics of Mandrake Android malware capable of controlling infected devices. It can turn down the volume of the phone and block calls or messages, steal credentials, exfiltrate information, and even carry out money transfers. [Bitdefender]
- The fortnight in breaches and leaks: EasyJet, Elexon, Home Chef, Mercedes-Benz, and Wishbone.
The 2020 Verizon Data Breach Investigations Report — based on an analysis of 32,002 incidents across 81 contributing organizations in 81 countries — found that unsecured databases and web applications are hot targets for attackers. Not only 86% of the breaches were financially motivated, 43% of them involved web applications. Cloud assets were involved in about 22% of breaches in 2019, and Phishing emerged as the top form of social-driven breaches.
Takeaway: “Organizations need to understand the importance of knowing their infrastructure because web applications provide easy entry points for cybercriminals,” says Casey Ellis, founder and CTO of vulnerability disclosure platform Bugcrowd.
“Web applications are what we interact with as users, but it’s more than that: The technologies and infrastructure which powers the businesses we rely on are ever increasingly built on top of web technologies. With cybercriminals utilizing hacking techniques to exploit web applications, whitehat hacking can be an advantageous way to mitigate exploits and improve organizations’ cyber postures,” he added.
Tweet of the Week
We will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors.
Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.
— Zerodium (@Zerodium) May 13, 2020
That’s it. See you all in two weeks. Stay safe!
Ravie x TNW (ravie[at]thenextweb[dot]com)