~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 17
 

THIS WEEK, TL;DR

ZecOps claims zero-click iPhone bug, Apple disputes findings
ZecOps: Security outfit ZecOps revealed this week what it called a zero-click vulnerability in iOS 13. The bug, says ZecOps, dates back to at least 2012. It can be triggered remotely by sending a specially crafted email to a victim, causing a buffer overflow in the victim's Mail app. ZecOps said there was evidence to show the flaw was under active attack. But Apple had an entirely different spin, saying the bugs on their own were not enough to allow the remote exploitation described. That said, Apple said the bugs will still be fixed in an upcoming update. ZecOps said it'll release more details soon.
More: Motherboard | Ars Technica

Hackers target top officials at World Health Organization
Bloomberg ($): WHO's chief information security officer says the global health organization has seen an "increasing number" of attempted cyberattacks since mid-March. Lists of apparent credentials belonging to WHO staff, as well as the Gates Foundation and others, were floating around the web this week. But it turns out they were mostly old and recycled credentials.
More: WHO | @rj_gallagher | @janelytv

Facebook says NSO Group used U.S. servers in operations against WhatsApp users
Cyberscoop: A new twist in the WhatsApp vs. NSO Group saga. Facebook (which owns WhatsApp) now claims NSO Group, the mobile surveillance maker, used U.S.-based servers against WhatsApp users. That's a major blow to the hacking outfit's claims it doesn't run operations in the United States. Some of the servers were hosted on Amazon Web Services, Facebook said in its court filing this week. The whole case came to be after WhatsApp discovered attackers using an exploit, likely developed by NSO Group, to target users on its platform. Citizen Lab's @jsrailton has a great thread on this, by the way.
More: New Statesman | @shanvav | @jsrailton

Hackers target oil producers as they struggle with a record glut of crude
Ars Technica: Oil producers were already hit hard this week because of negative crude prices. But a new campaign spotted in the wild by Bitdefender attempted to implant a notorious trojan to siphon off vast amounts of sensitive communications and data. Launched by a spearphishing campaign, the attack targeted about 150 oil and gas companies. The trojan in question is Agent Tesla, which has been active since 2014 and can log keystrokes, among other things.
More: Bitdefender

CFAA will soon have its day in court
Cyberscoop: This could be one of the most significant court rulings in U.S. history — at least for hackers and security researchers. The CFAA, the foundation of U.S. hacking law, is widely known to be vague and broadly interpreted. But now the Supreme Court will take up a case of a cop who used his computer to search a license plate database on behalf of an acquaintance. That case (and most other CFAA cases) comes down to "authorization." Obviously this could go either way for hackers and researchers, who often find flaws without having been granted permission first. But there's hope this would effectively "legalize" security research.
More: EFF | @marciahofmann | @orinkerr

UK ministers plan to give more UK public bodies power to access phone data
The Guardian: Filed under the "what could go wrong" category. U.K. surveillance law, the so-called "snoopers' charter," already allows certain public authorities access to vast databases of phone and computer records. Now the U.K. wants to give even more government departments access to the database — including, I kid you not, the pensions watchdog. What a great time to expand controversial surveillance powers, while everyone is at home distracted by a global pandemic. Classy.
More: @libertyhq
~ ~
SUPPORT THIS NEWSLETTER

A big thanks for reading this newsletter! Subscribers are going up, as are the monthly costs. If you can spare $1/month (or more for exclusive perks), it helps keep this newsletter going. You can contribute to the Patreon here.
~ ~

THE STUFF YOU MIGHT'VE MISSED

Nintendo shuts down NNID logins after 160,000 accounts breached
TechCrunch: A bad week for Nintendo after it confirmed (in Japanese) that 160,000 Nintendo Network ID accounts, used for accessing online services, were compromised. Nintendo has seen a massive boom in users thanks to the pandemic and the equally viral Animal Crossing (weeks into this pandemic, there are still no Switch consoles within a 15-mile radius of me). Earlier in the week, Nintendo chalked up the activity to a wave of fraudulent login attempts, and warned customers to use two-factor authentication.

Netflix now supports TLS 1.3 for faster, more secure streams
Netflix: Streaming giant Netflix has upgraded its systems to support TLS 1.3. That means Netflix is faster and safer. In its blog post, Netflix gave the rundown on the decision, including an improvement of over 7% in media rebuffering.

Google sees state-sponsored hackers ramping up coronavirus attacks
Wired ($): New data from Google shows at least a dozen governments are using coronavirus as a platform to launch cyberattacks. Google says it's spotted 240 million COVID-19-related spam messages, including 18 million phishing and malware emails, each day. Google's post is here.

Israel's parliamentary oversight group stops phone location tracking effort
BBC News: A couple of weeks ago we looked at how Israel was using phone location tracking to trace positive coronavirus cases. Now an oversight group in the Israeli parliament has put a halt to it, saying the effort did more harm than good.
~ ~

OTHER NEWSY NUGGETS

Threat actor targeting Uyghurs resurfaces with iOS exploit and updated implant
Security firm Volexity says the same hackers (likely China) behind the targeting of oppressed Uyghur Muslims with sophisticated iOS malware last year are back with a new updated exploit and implant. No surprise, since Apple and Google nixed the attacks. But now it looks like they're up to their old tricks again. This post is super detailed. Great research.

Vietnamese hackers targeted Wuhan and Beijing in coronavirus espionage effort
FireEye said this week it spotted Vietnamese hackers, APT 32, targeting the Chinese Ministry of Emergency Management and the Wuhan government in an effort to steal coronavirus-related data. Interestingly, FireEye said the move was part of an effort in which the hackers were "desperately seeking solutions and nonpublic information" about the spread of the virus. APT 32 delivers its malware through spearphishing emails.

You won't believe what this one line change did to the Chrome sandbox
When Microsoft modified the Windows kernel ever so slightly, it was enough to break not only Chrome's sandbox but also Firefox's and Edge's, according to Google's elite bug hunting team. The bug was fixed earlier this month.
~ ~

THE HAPPY CORNER

Not much in the world of good news this week. But, as always, @iancoldwater graces us with an insightful (and at times hilarious) thread on things people wish they heard more often in infosec. The balaclava preference was one of my favorites.
 
If you want to nominate some good news from the week, feel free to reach out.
~ ~

THIS WEEK'S CYBER CAT

This week's cyber cat is Puff. We first featured him last year. His human, @nofawkesgiven, told me this week that Puff went to the big farm upstate in the sky, and this was his last photo before he went. We love you Puff. 
Please send in your quarantine cyber cats. You can send them here.
~ ~

SUGGESTION BOX

That's all for now. Thanks again for reading. If you have any feedback, drop it in the suggestion box. Take care, and see you next Sunday.
