Newsletters

CafePress fine: The US FTC fined last week the CafePress t-shirt merchandise site $500,000 for trying to cover up the severity of its 2020 data breach. The FTC said CafePress had weak security measures in place, which eventually allowed a threat actor to break in and steal the personal data of 23 million customers.

Ransomware attacks in Japan: Two large Japanese companies—automotive component manufacturer TB Kawashima and automotive hose giant Nichirin—were hit by ransomware attacks last week.

XCarnival hack: XCarnival, a company that claims to be the first NFT assets management platform for the Metaverse, was hacked on Saturday by an unidentified threat actor who exploited its smart contracts to steal 3,087 ETH, estimated at roughly $3.8 million at the time of the heist. The company confirmed the incident in a statement on Twitter when it also paused its smart contracts. Additional details are available in this Twitter thread from blockchain security firm PeckShield, which was the one to stop the suspicious transactions:

New Instagram feature: Meta announced on Thursday that they are testing a new way for users to verify their age on the platform. "If someone attempts to edit their date of birth on Instagram from under the age of 18 to 18 or over, we'll require them to verify their age using one of three options: upload their ID, record a video selfie or ask mutual friends to verify their age," the company said.

Chrome 103 is out: Google has released v103 of its Chrome web browser this week. While the usual security fixes and dev/API-related changes shipped with this release, there were also loads of new features that went live for the Chrome for iOS release. Among the most important new feature was the news that Google's Enhanced Safe Browsing feature is now available for iPhone users, something that has been available for all the other Chrome users since last year.

7-Zip now supports MotW: 7-Zip v22, released last week, supports Mark-of-the-Web, a Windows security feature that has been long requested by security firms and antivirus makers. 7-Zip now becomes the fifth major file archiving software on Windows to support this feature, after WinRAR, WinZip, Eplzh, and Bandizip. [Coverage in Bleeping Computer]

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber, and founding corporate sponsors CyberCX and Proofpoint.

A new Buzzfeed report claims that the user data of TikTok's US customers is accessible from China, despite ongoing efforts to ringfence US data into Oracle data centres. The story illustrates how difficult it will be to satisfactorily isolate US data, but TikTok's influence as a publisher may be an even bigger problem.

Concerns about TikTok stem from fears that ByteDance, its parent company, is beholden to the Chinese Communist Party (CCP) and could be forced to act against the interest of its users by the Party. Spoiler alert: these fears are entirely justified. In 2018 Zhang Yiming, ByteDance's CEO, published an open letter in which he apologised for failing to respect "socialist core values" and for "deviation from public opinion guidance". These particular phrases are Party terms for censorship and information control as a means of maintaining CCP control.

While several Israel-based security firms suggested the attack was carried out by Iranian hackers, government officials told the Jerusalem Post that it is still uncertain who was behind the intrusion.

Everyone seems to have rushed to attribute the incident to Iranian hackers in light of similar intrusions Iranian-linked groups orchestrated in the spring and summer of 2020 against Israeli water and wastewater management systems.

This is not the first time that hackers breach an air raid and public address system to sound false alarms. In previous years, hackers have also set off tornado sirens in Dallas (2017), DeSoto and Lancaster (2019), and Bastille also published research named SirenJack on how emergency alert systems manufactured by ATI Systems could be abused to set off false alarms.

New Windows 11 privacy feature: New versions of Windows 11 now come with a new privacy feature that will let users review which locally installed applications have recently accessed and used the camera and microphone. The feature is great for detecting if systems are infected with spyware that constantly accesses these devices without the user's specific approval. The feature is active in Windows 11 Preview and Dev builds.

Smart App Control: Another new feature coming to Windows 11 Insiders builds later this year is Smart App Control. This new feature works by trying to "predict" if a new app being installed on a Windows 11 system may be malicious or not. If the Windows 11 security service is unable to make a confident prediction, then Smart App Control checks to see if the app has a valid signature and allows the installation based on that check.

Smoother Exchange logins for Apple users: Microsoft said it worked together with Apple to improve the login experience for iOS and iPad users, who will soon be able to log into Exchange email servers using an OAuth token provided by their device instead of constantly having to re-type their usernames and passwords. Microsoft said it plans to notify all organizations which have iOS/iPad users still using its classic authentication scheme and prompt them to update server settings in the coming days.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Your correspondent participated in the Lowy Institute's Frontier Rules conference in Canberra this week, which is why this newsletter is a day late.

One interesting discussion at the conference concerned the Russian attack on Viasat's KA-SAT network. This newsletter previously wrote:

The researchers also looked at some of the reasons why, in 2022, so many popular websites still haven't learned anything from the hacks from the last decade.

One of the reasons they put forward was that companies are shifting their attention to multi-factor authentication, and many websites may not care to strengthen their password policies. Another was related to auditors.

"Websites need to pass security audits, and the firms who do these audits, such as Deloitte, recommend or mandate outdated practices," researchers said.

Whatever is going on at the Microsoft Security Response Center, it appears that's rubbing a lot of today's top researchers the wrong way, but also creating a lot of frustration for those who have to deal with the company’s technology on a daily basis, especially from a security posture.

Belarus leak: Belarusian hacktivist group Cyber Partisans released on Tuesday 1.5 TB of data they claim is phone calls secretly collected by the Belarusian Ministry of Internal Affairs from foreign embassies and consulates inside Belarus. The group claims they have more than 50,000 hours of recorded calls, according to Cyberscoop. Among the leaked audio are phone calls allegedly recorded inside the Russian embassy in Minsk.

Shoprite incident: Shoprite, one of the largest supermarket chains in South Africa, has been hit by the RansomHouse ransomware group, according to The Record.

SeaFlower group: Confiant said in a report last week that it detected a new threat actor—that it named SeaFlower—targeting cryptocurrency users. Since at least March this year, the group has operated websites cloned after legitimate cryptocurrency wallets. These websites, which target Chinese-speaking audiences, host backdoored wallet apps that steal users' private wallet seeds.

ASyncRAT stats: Malwarebytes reported this week that its telemetry indicated that ASyncRAT had become the most widespread malware payload delivered via email spam in the first half of 2022. ASyncRAT was ranked #3 throughout 2021, behind Dridex and TrickBot.

Finland arrest: An online scammer was detained in Finland last week after defrauding local car dealerships. Investigators said they were able to identify the suspect after they took a high-quality photo of a fake check where one of their fingertips was also visible, allowing them to identify them based on police records. (h/t @mikko)

Optimism hack: In one of the most facepalm-worthy crypto-hacks of all time, the Optimism cryptocurrency project said it lost $19 million worth of funds after one of its partners sent funds to an Ethereum wallet they didn't yet have full control of. The cringeworthy IR report is here, and, according to Motherboard, the Optimism project is now pleading with the person who spotted and hijacked the errant transfer to return some of the stolen funds.

Mobike leak: Bike-sharing service Mobike leaked the passports, driver's licenses, and identity documents of more than 120,000 customers. Almost all of the identity documents were for users in Latin America, including Argentina and Brazil, TechCrunch reported, which worked for months with the vendor to have the leaky server secured.

TheTruthSpy leak: TheTruthSpy, a quite popular stalkerware app, also left servers exposed on the internet. Per Motherboard, the company leaked data from smartphones where the app was installed. Leaked data included photos of children, pets, and others related to babies, per the news outlet.