Newsletters

Last week we wrote about a phishing campaign targeting Twilio that was leveraged to hijack a journalist's Signal account. The entirety of the campaign is coming into view and it has targeted, with limited success, hundreds of organisations. Brian Krebs has an excellent account of the affair.

The message is pretty clear — One Time Password-based MFA is not particularly effective any more. Cloudflare, one of the organisations targeted, was unaffected because it uses hardware security keys.

Recorded Future analyst and product manager Dmitry Smilyanets has an interview with prolific cybercriminal Mikhail Matveev (aka Wazawaka) at The Record.

Since the scandal has picked up steam in Greece, ruling officials, and especially Prime Minister Kyriakos Mitsotakis, whom Androulakis accused directly of ordering and orchestrating the surveillance operation, have been trying to downplay the incident as much as possible. Mitsotakis and his party have accused journalists Alexander Clapp and Nektaria Stamouli of working for the Greek opposition parties after they wrote scathing articles about government corruption and the degradation of press freedom in Greece in the New York Times and Politico Europe, respectively.

As of last week, Mitsotakis and his office switched to the narrative that it's actually "foreign forces are attempting to destabilize the nation" and not his government's abuse of power.

With pressure mounting from their own parliamentary investigation and the EU's newly established PEGA—a committee to investigate the use of Pegasus and equivalent surveillance spyware across Europe—the current Greek ruling regime has taken to attacking the EU itself.

START.ru hack: Meanwhile, in Russia, local companies continue to see large data leaks in the aftermath of the country's invasion of Ukraine. The latest company to see its data shared online is START, one of Russia's largest cinema theatre chains. Earlier this week, hackers leaked details for almost 44 million of the company's customers. The hackers claimed the data came from an exposed MongoDB server they found online, which contained the details of users who signed up on the site until September 22, last year, including names, emails, IP addresses, and even MD5-hashed passwords. In a message posted on Russian social media site VK, the company confirmed the security breach on Sunday.

US ISP geolocation collection: Ten of the top 15 mobile carriers in the US collect geolocation data and provide no way for consumers to opt out of this process, according to the answers the carriers provided to the FCC last week. In their responses, companies generally cited the need to comply with law enforcement requests as well as FCC rules as their reason for being unable to allow consumers to opt out of collection and retention, Cyberscoop reported.

New Microsoft UEFI specs: Microsoft has announced a new security requirement for software developers that want to build apps on top of UEFI-based systems.

OneTwoTrip leak: Ukrainian security researcher Bob Diachenko said he identified Elasticsearch servers belonging to OneTwoTrip, a Russian online travel service, that had leaked the company's data for several days last week. Leaked data included information on the company's customers and their trips.

Adorcam leak: The operators of Adorcam, an iOS and Android app that can let you connect to some IP security cameras, left an Elasticsearch server exposed online that leaked more than 124 million records from its customers.

Dominican Republic ransomware attack: A ransomware attack has encrypted the data of the Dominican Republic's Ministry of Agriculture, local media reported. According to BleepingComputer, the attack has been claimed by the Quantum gang, which has allegedly requested $650,000 for the state agency to decrypt its files.

Trustwave has published an overview of the malware and access vectors used by Russian forces to attack Ukraine. Most interestingly, the timeline they publish shows destructive wiper attacks occurred early in the war but stopped in April. Espionage operations weren't detected early in the war, but continue to this day.

Assuming this reflects reality rather than just the fog of war it's interesting to speculate about why this might be so. Does intelligence gathering just yield a better return on investment for the Russians? Or does the state of the conflict on the ground make destructive cyber operations less useful?

The CCO of cryptocurrency exchange Binance, Patrick Hillman, says that scammers used a video deepfake of him in an attempt to scam multiple cryptocurrency projects. He learned of the attempted scam when he:

Second, we all have Twitter accounts, and we've seen first-hand how the platform has declined in its moderation quality and has failed in recent months to address dis/misinformation campaigns, bot accounts, and abuse—a trend that at first glance appears to have taken off after Agrawal was named CEO last November.

For starters, Twitter's once-vaunted Transparency Center, where the company would name-and-shame state-backed bot networks and influence operations, has not published any new report since December 2021, three days after Agrawal's appointment as CEO.

But can you also recognize the following text?

Airplane Accelerates leak: CyberNews says it found 626GB of customer data in an unsecured Elasticsearch server belonging to Airplane Accelerates, a free VPN service advertised to Chinese users. The data contained a staggering of 5.7 billion entries, including user IDs, what IP addresses users were connecting to and from, domain names, and timestamps, the news outlet reported.

Failed crypto-heist: Cryptocurrency bridge project Celer said it successfully fended off a cyber-attack after a threat actor attempted a DNS hijacking account against its frontend infrastructure.

Warning about in-app browsers: Privacy expert Felix Krause has published two write-ups over the past week warning about the dangers of using a mobile app's built-in browser as compared to standalone browsers. In a first report, Krause said he found that the Facebook and Instagram in-app browsers were tracking users on all the sites they visited, while in a second, he said he found key-logging code in TikTok's in-app browser, although he did not find any evidence that it was being actively used.

But one thing that came out of yesterday's misunderstanding is that the Twitter thread also helped surface another section in next year's NDAA, namely that the DOD can now issue funding for open-source projects and help them improve their security posture.

According to section 323 (k), the DOD will soon be able to issue grants to sponsor security audits in open-source projects, fund developers to patch certain vulnerabilities in their projects, and even fund FOSS infrastructure and code overhauls, such as "rewrites of open source software components in memory-safe programming languages." 😎

WestJet app leak: Canadian airline WestJet suffered a glitch in its mobile app that logged in users into its mobile app into different profiles, allowing them to view other people's personal details.

There has been some pushback on the sanctioning of Tornado Cash. One argument is that the specific type of sanction used — adding Tornado Cash to Treasury's Specifically Designated Nationals and Blocked Persons List — is inappropriate because a smart contract isn't a person that can be sanctioned.

A second argument — one we are more sympathetic to — is that the sanction affects innocent people. US citizens can no longer send or receive money from Tornado Cash without violating sanctions laws. Blockchain analysis company Chainalysis reports that Tornado Cash receives a lot of currency from illicit sources (almost 30% of funds received are stolen or have come from sanctioned entities), but that still leaves 70% that may be legal.

We think, however, that in this case punishing innocent people is not really a bug so much as a feature. For a mixer to be effective at obfuscating transactions it ideally has a large number of users all mixing similar amounts of cryptocurrency. By discouraging legal users, the US government is effectively shrinking that pool and also making it more likely that any Tornado Cash transaction is actually illicit. Additionally, Chainalysis’s Grauer says "cutting it off from compliant cryptocurrency businesses represents a huge blow for criminals looking to cash out".

Even if not a package repository in itself, GitHub is often used by the maintainers of various other libraries to host their code. GitHub knows this and the central role it plays in securing many open-source libraries and package repositories, many of which pull package releases straight off its platform.

Earlier this year, GitHub announced that all users who contribute code on any GitHub.com project will be required to enable one or more forms of MFA by the end of 2023.

Some developers might not be in the mood to solve MFA challenges when logging into their package accounts or when pushing some tiny code update via an API or CLI tool, but the writing is slowly starting to appear on the wall, and the writing says that MFA will soon become a de-facto login security standard for most package repositories and DevOps platforms.