this week in security — september 16 edition

U.K. arrests teenager for alleged Transport for London hack
National Crime Agency: Happy Sunday and welcome once again. This week we start with the absolute fustercluck left behind by the hack at Transport for London, the U.K. capital’s public transit authority. While the Tube and buses remain untouched by the hack, TfL’s corporate offices remain largely offline. It comes in the same week that TfL quietly conceded that customer data had in fact been compromised, days after enthusiastically claiming it had “no evidence” (well, of course you didn’t at the time). Save a thought for the 30,000 TfL employees who have to be verified in-person before they can be allowed back onto the IT network. (I hope staff are being compensated for having to come into work and queue for hours.) U.K. cyber plods have made an arrest of a 17-year-old boy, but it’s just that so far — no charges yet, so expect more news to drop soon.
More: TFL Employee Hub | BBC News | TechCrunch | The Register

Actively exploited bug can crash SonicWall firewalls
Cyberscoop: CISA has added three known-exploited bugs to its catalog, including a SonicWall vulnerability (tracked as CVE-2024-40766). The bug is especially gnarly because, if exploited, it can cause SonicWall firewalls to crash (we don’t want that). SonicWall said the bug is under active attack and “exploited in the wild,” but details on who, exactly, are scarce. Cyberscoop says ransomware gangs have targeted SonicWall appliances in the past (since they’re edge devices, they can be compromised to access a victim’s network), but no public word yet on recent attacks. Since CISA caught a whiff of the bug being exploited, it’s now mandated all civilian federal agencies to patch ASAP, given the risk to the federal enterprise.
More: SonicWall | Rapid7 | SecurityWeek | @gregotto

In wake of Durov arrest, some cybercriminals ditch Telegram
404 Media ($): Telegram, the not-very-private messaging app, is hemorrhaging criminals, who just can’t leave the platform fast enough following the arrest of Telegram CEO Pavel Durov in France a few weeks ago. Durov remains in France awaiting trial, but 404 Media ($) reports droves of criminals are moving their comms from Telegram to other platforms. That could make visibility into criminal activities trickier, since Telegram has been a hotbed of criminal activity (but also a trove of intelligence). I’ve seen some of this, too: One crime crew behind a one-time password stealing bot also moved away from Telegram in recent days, citing Durov’s recent arrest. “Telegram can’t be trusted anymore,” they wrote. (Was it ever?) Meanwhile: KrebsonSecurity dives into The Com, the loose description of the online underworld where cybercriminals use violence and threats to get their means.
More: KrebsonSecurity | @zackwhittaker

Thousands of Avis car rental customers had personal data stolen in cyberattack
TechCrunch: Car rental giant Avis said it was hacked and more than 299,000 people had their personal information, credit card numbers, and driver’s license numbers stolen in a recent data breach. Avis, which owns Budget and Zipcar, said little else about the incident, or why this data was stored in a way that allowed the data to be compromised. Texas had the most number of affected customers, a total of 34,592 people notified. Let’s not forget that Avis made some $12 billion in revenue last year, and its CEO Joe​ Ferraro made over $10.2M in executive compensation — yet the company would not say who at Avis (if anyone!) oversees cybersecurity, and a spokesperson didn’t respond to a request for comment. (Disclosure: I wrote this!)
More: Bleeping Computer | Maine Attorney General

THE STUFF YOU MIGHT’VE MISSED

Stop blaming your employees for your company’s data breach
@gabsmashh: Here’s some good advice for the CISO crowd out there. If you don’t want your employees loading their work laptops with unapproved software — or accidental malware — then don’t let them. So many companies of late (including this week) have blamed their data breaches on their employees. Bzzzzzt! Nope. Don’t fall for the con. If an employee was able to install malware that’s capable of compromising the entire company, that’s the company’s fault (and financial responsibility to bear). Remember: any personal apps on your work laptop can often also be accessed by your company. It goes both ways!

Bug lets anyone bypass WhatsApp’s ‘View Once’ feature
TechCrunch: Turns out when you use WhatsApp to send a “View Once” message, which expires and deletes after the recipient views the image or video once (as the name suggests), anyone can grab and save the content for later — defeating the very point of the privacy feature. WhatsApp said it’s planning to fix the issue soon. More by Tal Be’ery, who found the bug.

How $20 was used to hijack .mobi domains
watchTowr Labs: How can $20 end up hijacking any .mobi domain? By registering the since-expired domain name that once controlled the WHOIS server. Yes, the folks at watchTowr found the expired domain name and snapped it up as soon as possible, allowing the researchers to effectively take over the TLD and issue TLS/SSL certificates (which the researchers didn’t do, but could have). Top quality meme game, aside, this was excellent research and shows that sometimes the smallest thing can snowball into a full takeover. More from Ars Technica.

Microsoft’s security summit was mostly talk, little action
Thurrott: Microsoft journalist Paul Thurrott dove into the security summit that Microsoft held this week with CrowdStrike and other vendors following CrowdStrike (and Microsoft’s) dualling meltdowns, and found it was… mostly talk and little in terms of actionable takeaways. Press were reportedly not invited and the summit wasn’t live streamed, but in a blog post Microsoft said a lot without really saying that much. Thurrott says, “it doesn’t seem that much will come out of it, as there are very few specifics for a way forward,” and certainly no timelines, either.

Ex-CrowdStrike staff say ‘quality control was not part of our process’
Semafor: Wild reporting here from ex-CrowdStrike employees, who spoke on the record as saying that quality control was “not part” of CrowdStrike’s internal processes or conversations. Some two dozen former software engineers and managers “described a workplace where executives prioritized speed over quality,” and warned of insufficient training and rising mistakes. CrowdStrike, of course, disputes this, per an unnamed spokesperson, who blamed much of the reporting on “disgruntled former employees.” Hmm… and yet 14 of the people who spoke with Semafor left on their own accord. (Didn’t we just go over blaming your employees for corporate problems?) Great reporting here.

Alarm sounded over iPhone 16 visual search: The newest batch of iPhones are expected out imminently, and feature a new feature called Visual Intelligence, which lets people take photos of things (or anything) and have Apple’s new online search feature. It uses Google’s search engine and allows for “third-party integrations,” like ChatGPT. Sure, you can pull out your phone and find out what species a dog is, but clearly there could be risks present with third-party apps. Apple says (vaguely), “you’re always in control of when third-party tools are used,” but crucially doesn’t say how. Straight to @RachelTobac for threat modeling guidance. (via TechCrunch)

Researchers map $900M in ransom payments: Incredible new research classifies some $700 million in unreported ransomware payments over 1,000 addresses (out of a dataset of $900M) that shows the average ransom payments increased steadily between 2019 and 2022. The average payout was about $900,000 — which is a huge amount and goes to show how big of the ransomware problem is. (via Arxiv, @mikko)

Gaze(ploit) into my eyes: Eye-tracking technology is great for accessibility, and it’s increasingly found in mixed-reality headsets like Apple’s Vision Pro. Now, computer scientists say they have found an attack that lets them decipher — for the most part! — what people enter on the device’s virtual keyboard. That includes PINs and passwords with between 77%-92% accuracy. (via GAZEploit, Wired ($))

Congress must act to reimburse SNAP skimming victims: Low-income families that rely on SNAP, a federal nutrition assistance program (previously known as food stamps), who are robbed of their grocery funds because of cybercrime or card skimming attacks, may no longer be reimbursed unless Congress acts by September 30. This federally funded and state administered program is a vital lifeline for more than 40 million people in America. SNAP card skimming is a major problem affecting some of the country’s most in need. Congress, for once get your collective arses in gear, for crying out loud. (via NBC News)

Fortinet admits hacked: Security giant Fortinet had a “recent” (but doesn’t say when) data breach, with data on some 0.3% of Fortinet customers stolen from a third-party cloud shared storage drive. A threat actor claimed on a cybercrime forum that they took 400+ gigabytes from Fortinet’s SharePoint instance. Since Fortinet has “well over” half a million customers, 0.3% affected translates to at least 1,500 corporate customers. Fortinet declined to comment, but did not dispute the number of customers affected. Welp. (via Fortinet)

ChatGPT spits out bomb making instructions: Not a good look for OpenAI’s ChatGPT, which after billions of investment continues to spit out instructions for making homemade explosives (and not for the first time). This latest “jailbreak” of the generative AI model involves tricking the hapless chatbot into thinking it’s in a fictional sci-fi world where its guardrails don’t apply. An explosives expert told @lorenzofb that the instructions were largely accurate and were “TMI” to be released. (via TechCrunch)

At last, it’s the happy corner. Leave your heavy baggage at the door.

First up, on expiring domain names and certificates… yes, this is the point!

And for the folks whose kids are going back to school, this tweet is pretty spot on:

And finally, this week, over a hundred people in the security community are rallying behind Connor Goodwolf (aka David Ross), a security researcher who disproved false claims by the Columbus, Ohio mayor that a recent ransomware attack on the city did not affect city residents. The full letter (PDF) is online (via @caseyjohnellis). The letter calls on the city to drop its lawsuit as it diverts attention from the “real threat,” which “harms public safety efforts by reinforcing a chilling effect.”

If you have good news you want to share, get in touch at: [email protected].

Meet Eazy, this week’s cyber-cat dog, whose human tells me can be seen here on his perennial perimeter patrol for threat actors. (Or, y’know, lizards.) Eazy is a very good boy. Many thanks to @jjdavis for sending in!

Keep sending in your cyber cats (or a non-feline friend!). You can email any time with a photo with their name, and they’ll be featured in an upcoming newsletter!

Well, that was a busy one — thanks so much for reading! As a programming note, I will be away next week and therefore not newslettering, but I will be back the week following with a brand new freshly autumn edition of ~this week in security~ (which will be available as a freshly spring edition to folks below the equator.)

Terrible jokes aside, remember you can get in touch by email any time, and your cyber-cats (or friends) are always welcome!

Catch you in a fortnight,
@zackwhittaker