This Week's [in]Security - Issue 268

Welcome to This Week’s [in]Security. PCI and payments: e-com skimmers. New breaches: Malaysia. Kubernetes, TrustStamp. New Ransomware: Countries, Nikkei. Major outages. Follow-ups & Fall-out. Privacy: You for sale, ID.me. Laws & Regs - Canada: Huawei ban, C-11. US: CFAA abuse, AML settlement. World: cybersecurity reporting, platform liability, Standards: NIST 800-140C/D. Defense - Training & events: Tools: Supply chain framework, Browser password vaults. Vulnerabilities - Advisories: Initial access, CISA Vmware & A/D. Zerodays: what APTs know, Mac, iOS. Patching: partial protection, NVIDIA. Other: Spies in the workforce, e-voting, OAuth, SQL persistence, WordPress, Russian CA? Vulnerability research: Bluetooth relay attack, Tesla. Crypto-research: Post-quantum, Telegram. Cybercrime: MSP attacks. FaceStealer, MSSQL brute force, chatbots, exotic languages. Crime & Enforcement, Nation States & mercenaries. Other Risks: Cyber-insurance, Facebook e-com, CitizenLab on Bing. Health, Safety, & Environment. Disinformation, Economy. Russia v. Ukraine. Innovation and more.

PCI Compliance and Payments

• Payment skimmers/malware/fraud:
• Skimming for Sale: Commodity Skimming and Magecart Trends in Q1 2022 https://www.riskiq.com/blog/external-threat-management/magecart-skimming-trends/
• Other payment related:
• China reveals its top five sources of online fraud https://www.theregister.com/2022/05/17/china_internet_fraud_sources/

Breaches / Ransomware / Leaks

• New Breaches:
• Data leak containing info of 22.5 million Malaysians not from NRD, says Hamzah https://www.databreaches.net/data-leak-containing-info-of-22-5-million-malaysians-not-from-nrd-says-hamzah/
• 380K Kubernetes API Servers Exposed to Public Internet https://threatpost.com/380k-kubernetes-api-servers-exposed-to-public-internet/179679/
• Strapi Exposed Data, Password Reset To Unprivileged Users https://packetstormsecurity.com/news/view/33476/Strapi-Exposed-Data-Password-Reset-To-Unprivileged-Users.html
• Trust Stamp, a facial recognition company with a $7.2 million ICE contract, had dozens of peoples' data exposed in breach https://www.databreaches.net/trust-stamp-a-facial-recognition-company-with-a-7-2-million-ice-contract-had-dozens-of-peoples-data-exposed-in-breach/
• Update: More than 90,000 South Australian public servants now involved in payroll data breach https://www.databreaches.net/update-more-than-90000-south-australian-public-servants-now-involved-in-payroll-data-breach/
• Ca: Big data breach confirmed at Arnprior Regional Health https://www.databreaches.net/ca-big-data-breach-confirmed-at-arnprior-regional-health/
• Ca: Elgin data breach ‘devastating' for victims; county not transparent about incident – Cavoukian https://www.databreaches.net/ca-elgin-data-breach-devastating-for-victims-county-not-transparent-about-incident-cavoukian/
• UK: Cornwall Council Data Breach https://www.databreaches.net/uk-cornwall-council-data-breach/
• New Ransomware and "Incidents":
• Greenland hit by cyber attack, finds its health service crippled https://www.databreaches.net/greenland-hit-by-cyber-attack-finds-its-health-service-crippled/
• Exploratory study into ransomware attacks in Dutch government services and companies https://www.databreaches.net/exploratory-study-into-ransomware-attacks-in-dutch-government-services-and-companies/
• Media giant Nikkei's Asian unit hit by ransomware attack https://www.bleepingcomputer.com/news/security/media-giant-nikkei-s-asian-unit-hit-by-ransomware-attack/
• Ransomware attack exposes data of 500,000 Chicago students https://www.bleepingcomputer.com/news/security/ransomware-attack-exposes-data-of-500-000-chicago-students/
• Major outages/downs:
• Microsoft detects massive surge in Linux XorDDoS malware activity https://www.bleepingcomputer.com/news/security/microsoft-detects-massive-surge-in-linux-xorddos-malware-activity/
• Follow-ups and fall-out:
• Read Novel (unverified) - 22,424,472 breached accounts https://haveibeenpwned.com/PwnedWebsites#ReadNovel

Privacy

• Your data's auctioned off up to 987 times a day, NGO reports https://www.theregister.com/2022/05/18/advertisers_broadcast_pii_more_than/
• Senators Urge FTC to Probe ID.me Over Selfie Data https://krebsonsecurity.com/2022/05/senators-urge-ftc-to-probe-id-me-over-selfie-data/
• Senators Urge FTC to Investigate ID.me's Facial Recognition Claims https://epic.org/senators-urge-ftc-to-investigate-id-mes-facial-recognition-claims/
• New Surveillance Transparency Report Documents an Urgent Need for Change https://www.eff.org/deeplinks/2022/05/new-surveillance-transparency-report-documents-urgent-need-change
• Teen who tracks Elon Musk's jet says he's discovered Mark Zuckerberg's new aircraft https://www.businessinsider.com/elon-musk-jet-tracking-teen-claims-discovered-mark-zuckerberg-plane-2022-5

Laws, Regulations, Platforms, Standards, and Public Policy

• Canada:
• Canada to formally ban China's Huawei from 5G networks https://globalnews.ca/news/8849160/huawei-canada-ban-decision-5g/
• CRTC Chair Confirms Bill C-11 Captures User Content, Will Take Years to Implement https://www.michaelgeist.ca/2022/05/crtc-chair-confirms/
• Is There Anything Less Convincing than CRTC Chair Ian Scott's Empty Assurances on Bill C-11 User Content Regulation? https://www.michaelgeist.ca/2022/05/is-there-anything-less-convincing-than-crtc-chair-ian-scotts-empty-assurances-on-bill-c-11-user-content-regulation/
• No Comment: Government Moves to End Debate on Online News Bill Despite a No-Show from Canadian Heritage Minister Pablo Rodriguez https://www.michaelgeist.ca/2022/05/no-comment-government/
• US:
• Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act https://www.databreaches.net/department-of-justice-announces-new-policy-for-charging-cases-under-the-computer-fraud-and-abuse-act/
• US won't prosecute ‘good faith' security researchers under CFAA https://www.theregister.com/2022/05/20/cfaa_rule_change/
• Connecticut Enacts Privacy Law https://epic.org/connecticut-enacts-privacy-law/
• DOJ's New CFAA Policy is a Good Start But Does Not Go Far Enough to Protect Security Researchers https://www.databreaches.net/dojs-new-cfaa-policy-is-a-good-start-but-does-not-go-far-enough-to-protect-security-researchers/
• A Tesla driver who had his car on Autopilot in a fatal crash faces manslaughter charges, report says https://www.businessinsider.com/driver-who-had-tesla-on-autopilot-in-crash-manslaughter-trial-2022-5
• Wells Fargo to Pay $7M to Settle SEC AML Allegations https://www.pymnts.com/aml/2022/wells-fargo-to-pay-7m-to-settle-sec-aml-allegations/
• World:
• Europe moves closer to stricter cybersecurity standards, reporting regs https://www.theregister.com/2022/05/17/europe_nis2_cybersecurity_regulations/
• Platform Liability Trends Around the Globe: From Safe Harbors to Increased Responsibility https://www.eff.org/deeplinks/2022/05/platform-liability-trends-around-globe-safe-harbors-increased-responsibility
• India slightly softens infosec incident reporting and data retention rules https://www.theregister.com/2022/05/20/cert_in_rules_faq/
• Standards News:
• NIST Revises Special Publications 800-140C and 800-140D for the CMVP Approved Security Functions and Approved Sensitive Security Parameter Generation and Establishment Methods https://csrc.nist.gov/publications/detail/sp/800-140c/rev-1/final

Defense / Techniques / Solutions

• Methods, Techniques, Tools, and Products:
  • MITRE Creates Framework for Supply Chain Security https://www.darkreading.com/application-security/mitre-creates-framework-for-supply-chain-security
  • Use Your Browser Internal Password Vault... or Not?, (Tue, May 17th) https://isc.sans.edu/diary/rss/28658
  • Closing the Gap Between Application Security and Observability https://threatpost.com/gap-application-security-and-observability/179684/
  • Downloading Pwned Passwords Hashes with the HIBP Downloader https://www.troyhunt.com/downloading-pwned-passwords-hashes-with-the-hibp-downloader/
  • Microsoft Defender for Endpoint gets new troubleshooting mode https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-for-endpoint-gets-new-troubleshooting-mode/
  • In hot pursuit of ‘cryware': Defending hot wallets from attacks https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/

Bugs / Design Flaws / Vulnerabilities / Research

• Advisories:
• Alert (AA22-137A): Weak Security Controls and Practices Routinely Exploited for Initial Access https://www.databreaches.net/alert-aa22-137a-weak-security-controls-and-practices-routinely-exploited-for-initial-access/
• Cybersecurity agencies reveal top initial access attack vectors https://www.bleepingcomputer.com/news/security/cybersecurity-agencies-reveal-top-initial-access-attack-vectors/
• CISA warns admins to patch actively exploited VMware, Zyxel bugs https://www.bleepingcomputer.com/news/security/cisa-warns-admins-to-patch-actively-exploited-vmware-zyxel-bugs/
• CISA: Hackers Will Quickly Start Exploiting Newly Patched VMware Vulnerabilities https://www.securityweek.com/cisa-hackers-will-quickly-start-exploiting-newly-patched-vmware-vulnerabilities
• CISA warns not to install May Windows updates on domain controllers https://www.bleepingcomputer.com/news/security/cisa-warns-not-to-install-may-windows-updates-on-domain-controllers/
• Zero-day news:
• APTs Overwhelmingly Share Known Vulnerabilities Rather Than Attack O-Days https://threatpost.com/apts-overwhelmingly-share-known-vulnerabilities-rather-than-attack-o-days/179657/
• Apple emergency update fixes zero-day used to hack Macs, Watches https://www.bleepingcomputer.com/news/security/apple-emergency-update-fixes-zero-day-used-to-hack-macs-watches/
• Cisco urges admins to patch IOS XR zero-day exploited in attacks https://www.bleepingcomputer.com/news/security/cisco-urges-admins-to-patch-ios-xr-zero-day-exploited-in-attacks/
• Patching:
• Partial Patching Still Provides Strong Protection Against APTs https://www.darkreading.com/application-security/reactive-patching-is-not-significantly-riskier-than-planned-updates-study-shows
• Microsoft emergency updates fix Windows AD authentication issues https://www.bleepingcomputer.com/news/microsoft/microsoft-emergency-updates-fix-windows-ad-authentication-issues/
• NVIDIA fixes ten vulnerabilities in Windows GPU display drivers https://www.bleepingcomputer.com/news/security/nvidia-fixes-ten-vulnerabilities-in-windows-gpu-display-drivers/
• Other Vulnerabilities:
• North Korean IT Workers Are Infiltrating Tech Companies https://www.wired.com/story/north-korea-it-workers-security-roundup
• A PDF File Is Not Paper, So PDF Ballots Cannot Be Verified https://freedom-to-tinker.com/2022/05/19/a-pdf-file-is-not-paper-so-pdf-ballots-cannot-be-verified/
• High-Severity Bug Reported in Google's OAuth Client Library for Java https://thehackernews.com/2022/05/high-severity-bug-reported-in-googles.html
• Hackers Gain Fileless Persistence on Targeted SQL Servers Using a Built-in Utility https://thehackernews.com/2022/05/hackers-gain-fileless-persistence-on.html
• Backdoor baked into premium school management plugin for WordPress https://www.bleepingcomputer.com/news/security/backdoor-baked-into-premium-school-management-plugin-for-wordpress/
• Critical Jupiter WordPress plugin flaws let hackers take over sites https://www.bleepingcomputer.com/news/security/critical-jupiter-wordpress-plugin-flaws-let-hackers-take-over-sites/
• Why is my Honeypot a Russian Certificate Authority?, (Mon, May 16th) https://isc.sans.edu/diary/rss/28652
• Research on new vulnerabilities:
• New Bluetooth Hack Could Let Attackers Remotely Unlock Smart Locks and Cars https://thehackernews.com/2022/05/new-bluetooth-hack-could-let-attackers.html
• Researchers Devise New Type of Bluetooth LE Relay Attacks https://www.securityweek.com/researchers-devise-new-type-bluetooth-le-relay-attacks
• Pentester pops open Tesla Model 3 using low-cost Bluetooth module https://www.theregister.com/2022/05/17/ble_vulnerability_lets_attackers_steal/
• Cryptography and Cryptographic Research:
• Protecting data now as the quantum era approaches https://www.theregister.com/2022/05/20/quantum-security-qusecure/
• The NSA Says that There are No Known Flaws in NIST's Quantum-Resistant Algorithms https://www.schneier.com/blog/archives/2022/05/the-nsa-says-that-there-are-no-known-flaws-in-nists-quantum-resistant-algorithms.html
• On the Cryptographic Fragility of the Telegram Ecosystem, by Theo von Arx and Kenneth G. Paterson https://eprint.iacr.org/2022/595

Hacking / Malware / Cybercrime / Exploitation

• Trends, Alerts, and Events (other than major breaches):
• Attacks on Managed Service Providers Expected to Increase https://www.schneier.com/blog/archives/2022/05/attacks-on-managed-service-providers-expected-to-increase.html
• This Russian botnet does far more than DDoS attacks - and on a massive scale https://www.zdnet.com/article/russian-fronton-botnet-spreads-misinformation-on-a-massive-scale
• 2 vulnerabilities with 9.8 severity ratings are under exploit. A 3rd looms https://arstechnica.com/information-technology/2022/05/2-vulnerabilities-with-9-8-severity-ratings-are-under-exploit-a-3rd-looms/
• 6 Scary Tactics Used in Mobile App Attacks https://www.darkreading.com/application-security/6-scary-tactics-used-in-mobile-app-attacks
• Global Food Supply Chain At Risk From Malicious Hackers https://packetstormsecurity.com/news/view/33477/Global-Food-Supply-Chain-At-Risk-From-Malicious-Hackers.html
• Phishing Attacks for Initial Access Surged 54% in Q1 https://www.darkreading.com/risk/phishing-attacks-for-initial-access-surged-q1
• iPhone Malware that Operates Even When the Phone Is Turned Off https://www.schneier.com/blog/archives/2022/05/iphone-malware-that-operates-even-when-the-phone-is-turned-off.html
• Over 200 Apps on Play Store Caught Spying on Android Users Using Facestealer https://thehackernews.com/2022/05/over-200-apps-on-play-store-caught.html
• PDF smuggles Microsoft Word doc to drop Snake Keylogger malware https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/
• Microsoft warns of brute-force attacks targeting MSSQL servers https://www.bleepingcomputer.com/news/security/microsoft-warns-of-brute-force-attacks-targeting-mssql-servers/
• Phishing websites now use chatbots to steal your credentials https://www.bleepingcomputer.com/news/security/phishing-websites-now-use-chatbots-to-steal-your-credentials/
• Researchers Uncover Rust Supply Chain Attack Targeting Cloud CI Pipelines https://thehackernews.com/2022/05/researchers-uncover-rust-supply-chain.html
• UpdateAgent Returns with New macOS Malware Dropper Written in Swift https://thehackernews.com/2022/05/updateagent-returns-with-new-macos.html
• When Your Smart ID Card Reader Comes With Malware https://krebsonsecurity.com/2022/05/when-your-smart-id-card-reader-comes-with-malware/
• Conti ransomware shuts down operation, rebrands into smaller units https://www.bleepingcomputer.com/news/security/conti-ransomware-shuts-down-operation-rebrands-into-smaller-units/
• Lazarus hackers target VMware servers with Log4Shell exploits https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-vmware-servers-with-log4shell-exploits/
• Crime & Arrests, etc.:
• Venezuelan cardiologist charged with 'designing and selling ransomware' https://www.theregister.com/2022/05/17/zagala_venezuelan_cardiologist_ransomware_charges/
• US Recovers $15 Million From Ad Fraud Group https://www.securityweek.com/us-recovers-15-million-ad-fraud-group
• Nation State Actors:
• Cytrox's Predator Spyware Targeted Android Users with Zero-Day Exploits https://thehackernews.com/2022/05/cytroxs-predator-spyware-target-android.html
• Spyware Vendors Target Android With Zero-Day Exploits https://www.wired.com/story/android-spyware-cytrox-predator-google-tag
• Mandiant Quietly Investigating Suspected Russian Intrusions https://www.databreaches.net/mandiant-quietly-investigating-suspected-russian-intrusions/
• Other:

Other Security / Risk

• General:
• Cyber Insurers Raise Rates Amid a Surge in Costly Hacks https://www.wsj.com/articles/cyber-insurers-raise-rates-amid-a-surge-in-costly-hacks-11652866200
• Facebook rated least safe e-commerce option in government rankings https://www.theregister.com/2022/05/17/facebook_rated_least_safe_ecommerce/
• Bada Bing, Bada Boom: Microsoft Bing's Chinese Political Censorship of Autosuggestions in North America https://citizenlab.ca/2022/05/bada-bing-bada-boom-microsoft-bings-chinese-political-censorship-autosuggestions-north-america/
• Health:
• Monkeypox has Canadian researchers scrambling. Why, and how contagious is it? https://globalnews.ca/news/8847914/monkeypox-virus-outbreak-canada-explained/
• Monkeypox: Here are the treatments and what to do when infected https://globalnews.ca/news/8853838/monkeypox-treatments-vaccine-explainer/
• Adenovirus leading hypothesis for severe hepatitis in children, CDC says https://globalnews.ca/news/8852295/adenovirus-leading-hypothesis-severe-hepatitis-children-cdc/
• Fraser Valley turkeys to be put down as another case of ‘bird flu' confirmed in B.C. https://globalnews.ca/news/8852632/birds-put-down-bc-farm-avian-flu/
• Omicron COVID-19 variant likely to re-infect ‘over and over again,' experts say https://globalnews.ca/news/8861413/covid-reinfection-canada/
• BA.2.20 in Ontario doesn't warrant significant concern, experts say https://toronto.ctvnews.ca/ba-2-20-in-ontario-doesn-t-warrant-significant-concern-experts-say-1.5913049
• Safety:
• Giant Tonga Volcanic Eruption Was as Powerful as Krakatau in 1883, Scientists Reveal https://www.sciencealert.com/record-shattering-atmospheric-waves-burst-from-the-tonga-volcano-along-with-the-tsunamis
• Environment:
• Over 500 animals and birds lost or possibly extinct, new study shows https://globalnews.ca/news/8861771/animals-birds-lost-extinct-study/
• Water Levels in Lake Mead Reach Record Lows https://www.theatlantic.com/photo/2022/05/photos-water-levels-in-lake-mead-record-lows/629900/
• 'Reef Balls' Gain Traction for Shoreline Protection https://www.scientificamerican.com/article/reef-balls-gain-traction-for-shoreline-protection/
• New Kind of 'Solar' Cell Shows We Can Generate Electricity Even at Night https://www.sciencealert.com/engineers-measure-the-potential-of-a-new-kind-of-solar-cell-fueled-by-the-night
• Disinformation and misinformation
• Why is climate 'doomism' going viral – and who's fighting it? https://www.bbc.co.uk/news/blogs-trending-61495035
• University of Toronto Magazine/CitizenLab: The Extremism Machine https://magazine.utoronto.ca/research-ideas/culture-society/extremism-machine-online-disinformation-citizen-lab/
• Economy:
• Average gas price tops $2 a litre in Canada for the 1st time https://globalnews.ca/news/8841248/record-high-gas-prices-2-dollars/
• AI Can Predict People's Race From X-Ray Images, And Scientists Are Concerned https://www.sciencealert.com/ai-can-predict-people-s-race-from-medical-images-and-scientists-are-concerned
• Podcast Episode: An AI Hammer in Search of a Nail https://www.eff.org/deeplinks/2022/05/podcast-episode-ai-hammer-search-nail

Russia v. Ukraine

• The war:
• Mariupol defenders begin surrender as Ukraine declares them ‘heroes' https://globalnews.ca/news/8841178/mariupol-surrender-ukraine-russia-war/
• Mariupol: Russia declares complete victory at Azovstal plant https://www.bbc.co.uk/news/world-europe-61529877
• Ukraine rules out ceasefire as Russia intensifies push for Donbas region https://globalnews.ca/news/8861459/ukraine-rules-out-ceasefire-russia-donbas-region/
• A Whole Age of Warfare Sank With the Moskva https://www.theatlantic.com/ideas/archive/2022/05/ukraine-russia-moskva-military-marine-corps/629930/
• Russian soldier pleads guilty in 1st war crimes trial over Ukraine invasion https://globalnews.ca/news/8844452/russia-soldier-war-crime-trial-guilty-ukraine/
• Reaction and response:
• Zelensky: Only diplomacy can end Ukraine war https://www.bbc.co.uk/news/world-europe-61535353
• Putin said he invaded Ukraine to stop NATO expanding. He is achieving the opposite. https://www.businessinsider.com/putin-said-invaded-ukraine-stop-nato-expanding-has-achieved-opposite-2022-5
• Finland, Sweden apply to join NATO in ‘historic moment' amid Russia's Ukraine war https://globalnews.ca/news/8844419/finland-sweden-nato-application-russia-ukraine-war/
• Finland's parliament votes overwhelmingly for the country to join NATO after Russia's invasion of Ukraine https://www.businessinsider.com/finland-parliament-votes-overwhelmingly-to-join-nato-2022-5
• Map shows how Russia's border with NATO would more than double with Finland and Sweden as members https://www.businessinsider.com/map-how-russias-nato-border-expands-with-finaland-sweden-members-2022-5
• Russia orders CBC out of Moscow after Canada bans RT https://globalnews.ca/news/8844837/russia-cbc-moscow-bureau-closed/
• Sanctions & economic Impact:
• EU reveals its plans to stop using Russian gas https://www.bbc.co.uk/news/science-environment-61497315
• Russia cuts off gas supply to neighbouring Finland over payment dispute https://globalnews.ca/news/8853454/russia-cuts-off-gas-exports-to-finland/
• Information, Disinformation, and Propaganda:
• Pro-Russian Hackers Spread Hoaxes to Divide Ukraine, Allies https://www.securityweek.com/pro-russian-hackers-spread-hoaxes-divide-ukraine-allies
• Cyber-attacks and the potential for cyber-war:
• Cyberattacks quietly launched by Russia before its invasion of Ukraine may have been more damaging than intended https://www.databreaches.net/cyberattacks-quietly-launched-by-russia-before-its-invasion-of-ukraine-may-have-been-more-damaging-than-intended/
• Ukraine supporters in Germany targeted with PowerShell RAT malware https://www.bleepingcomputer.com/news/security/ukraine-supporters-in-germany-targeted-with-powershell-rat-malware/
• Russian Sberbank says it's facing massive waves of DDoS attacks https://www.bleepingcomputer.com/news/security/russian-sberbank-says-it-s-facing-massive-waves-of-ddos-attacks/

Off-Topic / Science & Tech / Lighter Side

• Innovations & Inventions:
• Scientists Just Measured a Mechanical Quantum System Without Destroying It https://www.sciencealert.com/scientists-just-measured-a-mechanical-quantum-system-without-destroying-it
• Quatum Innovation.
• Boeing's Starliner successfully docks to the International Space Station for the first time https://www.theverge.com/2022/5/20/23132777/boeing-cst-100-starliner-nasa-iss-docking-success-oft-2
• Spinlaunch Hurled a Test Rocket Into the air. See What it Looked Like From the Payload's Point of View https://www.universetoday.com/155992/spinlaunch-hurled-a-test-rocket-into-the-air-see-what-it-looked-like-from-the-payloads-point-of-view/
• Other:
• The Onion on Google Map Surveillance https://www.schneier.com/blog/archives/2022/05/the-onion-on-google-map-surveillance.html
• Plants can grow in lunar regolith, but they're not happy about it https://www.universetoday.com/155984/plants-can-grow-in-lunar-regolith-but-theyre-not-happy-about-it/
• Over 1,000 New Asteroids Discovered Hidden in Hubble Archives https://www.sciencealert.com/over-1-000-new-asteroids-discovered-hiding-in-old-hubble-images
• NASA engineers trying to figure out strange readings from aging interstellar spacecraft https://www.theverge.com/2022/5/20/23132419/nasa-jpl-voyager-1-spacecraft-data-readings-interstellar-space