Hackers gotta Hack. The IT Privacy and Security Weekly update for March 22nd, 2022

This week we dance from Taylor Swift to Arkady Volozh or probably more correctly, from New York to Moscow.

We learn about over-reactions at NPM, Facebook, and Microsoft. We share some amazing visuals from NASA that, once you see them, you can never unsee, and find the US government reminding each and every one of us that the Ukraine war is now at our door.

Finally, we learn about the Securities and Exchange Commission (SEC) in the US considering the incorporation of climate risk into financial risk.

This is an action-packed update, hotter than ever, so leave your coats behind, slip on some comfy shoes and let’s start our journey in the newest class on the syllabus…

US: Taylor Swift Course Launched at New York University’s Clive Davis Institute

“Course Objectives:

  • Students will develop an understanding and appreciation for Taylor Swift as a creative music entrepreneur; Students will learn to deconstruct the way her creativity and songwriting have made her a durable presence in a quickly evolving music industry;
  • Students will learn about the legacy of pop and country songwriters that have influenced Swift as well as the discourses around “prodigies” in pop music history;
  • Students will gain an understanding of how discourses of youth and girlhood are often exploited in the media and music industries;
  • Students will learn about the politics of race in contemporary popular music, and to interrogate whiteness as it relates to Swift’s politics, songwriting, worldview, and interactions with the wider cultural world around her;
  • Students will develop greater sophistication in their artistic appreciation, critical thinking, research, and writing skills.”
  • Students will not learn what drove Taylor Swift to set up 2FA on her personal iPhoto account, but a little digging should provide insight.

Additional course offerings include ones that focus on Led Zeppelin, Aretha Franklin, Freddie Mercury, and many more iconic artists with Swift now making the list although we can’t attest to their security hygiene.

So what’s the upshot for you? Cause the hackers gonna hack, hack, hack, hack, hack…— Taylor Swift (@taylorswift13) January 27, 2015

Global: Famous NPM Package Deletes Files To Protest Ukraine War

On March 8th, developer Brandon Nozaki Miller, aka RIAEvangelist, released open-source software packages called peacenotwar and oneday-test on both npm and GitHub.

The packages appear to have been originally created by the developer as a means of peaceful protest, as they mainly add a “message of peace” on the Desktop of any user installing the packages. “This code serves as a non-destructive example of why controlling your node modules is important,” explains RIAEvangelist.

Select versions (10.1.1 and 10.1.2) of the massively popular ‘node-ipc’ package were caught containing malicious code that would overwrite or delete arbitrary files on a system for users based in Russia and Belarus. These versions are tracked under CVE-2022-23812.

Newer versions of the ‘node-ipc’ package began deleting all data and overwriting all files on developers’ machines, in addition to creating new text files with “peace” messages. With over a million weekly downloads, ‘node-ipc’ is a prominent package used by major libraries like Vue.js CLI.

So what’s the upshot for you? This caused such an uproar in the open-source community that the packages were removed.

Global: Facebook is Locking Out People Who Didn’t Activate Facebook Protect

Early in March, a bunch of Facebook users got a mysterious, spam-like email titled “Your account requires advanced security from Facebook Protect” telling them that they were required to turn on the Facebook Protect feature (which they could do by hitting a link in the email) by a certain date, or they would be locked out of their account.

The program, according to Facebook, is a “security program for groups of people that are more likely to be targeted by malicious hackers, such as human rights defenders, journalists, and government officials.”

It’s meant to do things like ensuring those accounts are monitored for hacking threats and that they are protected by two-factor authentication (2FA).

Unfortunately, the email that Facebook sent from the address security@facebookmail.com resembled a rather common form of spam, and so it’s probable that many people ignored it.

It actually wasn’t spam.

In fact, it was real.

The first deadline to hit for many people was Thursday, March 17th.

And now, they are locked out of their Facebook accounts – and are having trouble with the process that Facebook has provided to get them back in.

So what’s the upshot for you? Those who did not activate Facebook Protect before their deadline are apparently getting a message explaining why they can’t get into their accounts and offering to help them turn it on.

Global: Microsoft Defender Tags Office Updates As Ransomware

In a case of in-your-face irony, or karmic debt, Bleeping Computer reports that Microsoft Defender tags Office updates as ransomware.

The article states: “Windows admins were hit today by a wave of Microsoft Defender for Endpoint false positives where Office updates were tagged as malicious in alerts pointing to ransomware behavior detected on their systems.”

Further on, an explanation for the source of the karmic irony is: “The root cause of the false positives was a recently deployed update within service components for detecting ransomware alerts.” Couldn’t this have waited for April 1st?

The article goes on, “A Microsoft spokesperson was not available for comment when contacted by BleepingComputer mid-week last week.”

So what’s the upshot for you? Hopefully they have it sorted out by now, but we still can’t print.

Global: Hundreds of GoDaddy-Hosted Sites Backdoored In a Single Day

Internet security analysts have spotted a spike in backdoor infections on WordPress websites hosted on GoDaddy’s Managed WordPress service, all featuring an identical backdoor payload.

The case affects internet service resellers such as MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress.

The discovery comes from Wordfence, whose team first observed the malicious activity on March 11, 2022, with 298 websites infected by the backdoor within 24 hours, 281 of which were hosted on GoDaddy.

The backdoor infecting all sites is a 2015 Google search SEO-poisoning tool implanted in wp-config.php to fetch spam link templates that are used to inject malicious pages into search results. The campaign uses predominantly pharmaceutical spam templates, served to visitors of the compromised websites instead of the actual content.

The goal of these templates is likely to entice the victims to make purchases of fake products, losing money and payment details to the threat actors. Additionally, the actors can harm a website’s reputation by altering its content and making the breach evident, but this doesn’t seem to be the actors’ aim at this time.

The intrusion vector hasn’t been determined, so while this looks suspiciously close to a supply chain attack, it hasn’t been confirmed. […] In any case, if your website is hosted on GoDaddy’s Managed WordPress platform, make sure to scan your wp-config.php file to locate potential backdoor injections.

Wordfence also reminds admins that while removing the backdoor should be the first step, removing spam search engine results should also be a priority.

So what’s the upshot for you? Wordfence does provide cleanup tips to their credit.

Global: Climate Spiral and Zonal Climate Anomalies. Once you see them, you can’t unsee them.

Visualizations by Mark SubbaRao were released on March 7, 2022. The first presents monthly global temperature anomalies between the years 1880-2021. These temperatures are based on the GISS Surface Temperature Analysis (GISTEMP v4), an estimate of global surface temperature change. Anomalies are defined relative to a base period of 1951-1980.

The second visual presents zonal temperature anomalies between the years 1880-2021. The visualization illustrates that the Arctic is warming much faster than other regions of the Earth. These temperatures are based on the GISS Surface Temperature Analysis (GISTEMP v4), an estimate of global surface temperature change. Anomalies are defined relative to a base period of 1951-1980.

So what’s the upshot for you? Global temps are rising faster than anyone imagined. It seems IT Privacy and Security are not the only “hot” topics this week.

US: POTUS Urges American Firms To ‘Harden’ Cyber-Defenses Against Russia

“The Federal Government can’t defend against this threat alone,” Biden (President Of The United States) said in a lengthy statement released by the White House. He called on the private sector, as “critical infrastructure owners and operators,” to “accelerate efforts to lock their digital doors.” […]

“I urge our private sector partners to harden your cyber defenses immediately,” Biden said in the statement. In the lead-up to the invasion of Ukraine, the White House repeatedly publicized its intelligence about Moscow’s plans in an effort to deter them.

So what’s the upshot for you? “We need everyone to do their part to meet one of the defining threats of our time,” Biden concluded, calling directly on “private sector partners” that work with the federal government. “Your vigilance and urgency today can prevent or mitigate attacks tomorrow.” The Ukraine war has come to your door.

BR: Who needs a cyber attack from Russia when we have LAPSUS$

Yesterday, the Lapsus$ digital extortion gang published a series of increasingly shocking posts on its Telegram channel. First, the group dumped what it claims is extensive source code from Microsoft’s Bing search engine, Bing Maps, and Cortana virtual assistant software. A potential breach of an organization as big and security-conscious as Microsoft would be significant in itself, but the group followed the post with something even more alarming: screenshots apparently taken on January 21 that seem to show Lapsus$ in control of an Okta administrative or “superuser” account.

A Microsoft spokesperson said early Tuesday morning that the company is “aware of the claims and investigating.”

Okta is a near-ubiquitous identity management platform used by thousands of large organizations that want to make it easy—and, crucially, secure—for their employees or partners to log in to multiple services without juggling a dozen passwords. Past breaches, like 2020’s notorious Twitter meltdown, have stemmed from attackers taking over access to an administrative or support account that has the ability to modify customers’ accounts.

Lapsus$ has been on a tear since it emerged in December, stealing source code and other valuable data from increasingly prominent companies, including Nvidia, Samsung, and Ubisoft, and leaking it in apparent extortion attempts. But researchers had only found broadly that the attackers seemed to be using phishing to compromise their victims. It wasn’t clear how a previously unknown and seemingly amateur group had pulled off such monumental data heists. Now it seems possible that some of those high-profile breaches stemmed from the group’s Okta compromise.

So what’s the upshot for you? Questions remain about Lapsus$ itself and the group’s motivations. Researchers have consistently found that it is a loose, even disorganized collective that is likely based in South America and still getting its bearings. But the scale and scope of the organizations Lapsus$ has been able to compromise so far raise a chilling range of possibilities. Either the group is a more sophisticated organization than incident responders have realized or admitted, or the security of some of the world’s most critical companies is even more fragile and inadequate than previously thought.

Global: Browser-in-the-Browser Attack Can Trick Even Savvy Users

When we teach people how to avoid falling victim to phishing sites, we usually advise closely inspecting the address bar to make sure it does contain HTTPS and that it doesn’t contain suspicious domains such as google.evildomain.com or substitute letters such as g00gle.com. But what if someone found a way to phish passwords using a malicious site that didn’t contain these telltale signs?

One researcher has devised a technique to do just that. He calls it a BitB, short for “browser in the browser.” It uses a fake browser window inside a real browser window to spoof an OAuth page.

Hundreds of thousands of sites use the OAuth protocol to let visitors log in using their existing accounts with companies like Google, Facebook, or Apple. Instead of having to create an account on the new site, visitors can use an account that they already have—and the magic of OAuth does the rest.

The Browser-in-the-Browser (BitB) technique capitalizes on this scheme. Instead of opening a genuine second browser window that’s connected to the site facilitating the login or payment, BitB uses a series of HTML and cascading style sheets (CSS) tricks to convincingly spoof the second window.

The URL that appears there can show a valid address, complete with a padlock and HTTPS prefix. The layout and behavior of the window appear identical to the real thing.

While the method is convincing, it has a few weaknesses that should give savvy visitors a foolproof way to detect that something is amiss.

Genuine OAuth or payment windows are in fact separate browser instances that are distinct from the primary page.

That means a user can resize them and move them anywhere on the monitor, including outside the primary window.

BitB windows, by contrast, aren’t a separate browser instance at all. Instead, they’re images rendered by custom HTML and CSS and contained in the primary window.

So what’s the upshot for you? That means the fake pages can’t be resized, fully maximized, or dragged outside the primary window. All users should protect their accounts with two-factor authentication. One other thing more experienced users can do is right-click on the popup page and choose “inspect.” If the window is a BitB spawn, its URL will be hardcoded into the HTML.

And remember that you, the “target user”, would first need to land on the compromised website for the pop-up window to be displayed.

Global: Circle, BlockFi, and other crypto firms say they were hacked

Circle, BlockFi, Pantera Capital, NYDIG, and others suffered a data breach over the weekend through HubSpot, a vendor that stores users’ names, phone numbers, and email addresses for marketing purposes.

The incident happened last Friday and was “[believed] to be a targeted incident focused on customers in the cryptocurrency industry,” according to a statement by HubSpot.

A bad actor had reportedly hacked into a HubSpot employee account which had access to customer accounts.

An investigation by HubSpot suggested that about 30 corporate clients were affected by the hack, but the company did not disclose their names.

Several affected companies notified customers of the data leak by email. They sought to reassure customers that while some user information was leaked, passwords and other internal data like IDs and Social Security numbers were not.

So what’s the upshot for you? It is unclear what the attacker intended to do with the obtained contact information. Circle warned that the customer information could be used for phishing campaigns.

US: FTC Takes Action Against CafePress for Data Breach Cover-Up

CafePress became the subject of a US Federal Trade Commission (FTC) investigation surrounding how it handled security — and how the firm allegedly “failed to secure consumers’ sensitive personal data and covered up a major breach.”

According to the FTC’s complaint, issued against the platform’s former owner Residual Pumpkin Entity, LLC, and its current owner PlanetArt, LLC, there was a lack of “reasonable security measures” to prevent data breaches. On March 15, the US regulator said that Residual Pumpkin is required to pay $500,000 in damages.

In addition, the FTC claims that CafePress kept user data for longer than necessary, stored personally identifiable information including Social Security numbers and password reset answers in cleartext, and did not patch against known system vulnerabilities.

“As a result of its shoddy security practices, CafePress’ network was breached multiple times,” the FTC says.

CafePress experienced a major security incident in 2019. An attacker infiltrated the platform in February 2019 and was able to access data belonging to millions of users.

This included email addresses, poorly-encrypted passwords, names, home addresses, security questions and answers, some partial card payment records, phone numbers, and at least 180,000 unencrypted Social Security numbers…

According to the FTC, CafePress was notified a month after the breach and did patch the security flaw — but did not investigate the breach properly “for several months.”

Customers were also not told.

Instead, CafePress implemented a forced password reset as part of its “policy” and only informed users in September 2019, once the data breach had been publicly reported.

In a separate case in 2018, CafePress allegedly was made aware of shops being compromised. These accounts were closed — and the shopkeepers, the victims, were then charged $25 account closure fees.

The FTC also claims that the company “misled” users by using consumer email addresses for marketing, despite promises to the contrary.

So what’s the upshot for you? It sounds like they got off easy. This lawsuit should go even further in sullying their already blighted reputation.

US: The Securities and Exchange Commission is considering incorporating Climate Risk

The proposed rules would require disclosures on Form 10-K about a company’s governance, risk management, and strategy with respect to climate-related risks.

Moreover, the proposal would require disclosure of any targets or commitments made by a company, as well as its plan to achieve those targets and its transition plan, if it has them.

So what’s the upshot for you? These days financial risk can also be attributed to climate risk.

RU: And Yandex quietly withers away.

Arkady Yurievich Volozh seemed to be in good spirits. It was February 11, his birthday, and the 58-year-old billionaire CEO and cofounder of Yandex, the Russian tech behemoth, was in the sort of open, engaging mood that could be called privetliviy, after the casual Russian word privet for hello.

He was speaking from his car in Tel Aviv, bragging about his father—an oil geologist in his eighties who had “discovered” oil in Israel, Volozh said—as we chatted about my upcoming trip to Tel Aviv to interview him for this story.

For more than 20 years, Yandex has been known as “Russia’s Google”: It began as a search engine in 1997 and still has a 60 percent share of the Russian search market. But for the past decade, this tag has understated the company’s inescapable ubiquity in Russians’ daily life.

Yandex Music is the country’s leader in paid music streaming, and Yandex Taxi is the top ride-hailing app. Millions of Russians use Yandex Navigator, Yandex Market, Yandex News, and Yoo Money (formerly Yandex Wallet) to get around, shop online, read, and spend money.

Most of Yandex’s 18,000 employees are still based at the company’s headquarters in Moscow. But Arkady, as everyone at Yandex calls him, now lives with his family in Israel. For several years, Israel has been an R&D hub for new products.

On 24 February 2022, Putin launched the military invasion of Ukraine, and by noon that day the price of Yandex shares had more than halved. As the doors to the West were slamming shut, Yandex was imploding at home.

On March 1, Lev Gershenzon, the former head of Yandex’s news division, posted an anguished note on Facebook addressed to his former coworkers.

“Yandex today is a key element in hiding information about war. At least 30 million Russian users” of Yandex’s home news page “see that there is no war, there are no thousands of dead Russian soldiers, there are no dozens of civilians killed under Russian bombings.”

As the invasion stretched on, the Russian economy began collapsing under the weight of Western sanctions. “I believe Yandex’s Russian business is dead, more or less,” Gershenzon said, since that business is “all based on the ability of the Russian people to spend money.”

It had taken Volozh 20-plus years to demonstrate to the world that world-class technology, as good as anything created in the West, could come out of Russia. But now, as Russia laid siege to its neighbor, his life’s work and aspirations crumbled with each passing hour.

So what’s the upshot for you? As to whether Volozh’s apparent passivity in the face of the war in Ukraine amounts to a moral stain on his reputation, history and his own conscience will judge. As Dostoevsky wrote in Crime and Punishment: “It takes more than just intelligence to act intelligently.”

That’s it for this week. Stay safe, stay secure, act intelligently, and we’ll see you in se7en.