The Unthinkable and the IT Privacy and Security Weekly Update for November 30th 2021


This week we start with that face in the mirror and end with an SUV.

In between we have hacks, tracks, and attacks on printers and boom boxes, we get a couple of serious cloud plays and a whole new malware variant aimed at the medicine men (and women).

Finally, we learn how one spy agency has had to “become more open to stay secret”.

No big boots for this adventure, no loud colors or clashing patterns, just smartly pressed tracksuits, a toned demeanor, and that cloak of anonymity.

Come on let’s roll!

UK/AU: Controversial face matchers Clearview set to be fined over $20m

The UK data protection regulator has announced its intention to issue a fine of £17m (about $23m) to controversial facial recognition company Clearview AI.

Clearview AI essentially pitches itself as a social network contact finding service with extraordinary reach, even though no one in its immense facial recognition database ever signed up to “belong” to the “service”.

The company crawls the web looking for facial images from what it calls “public-only sources, including news media, mugshot websites, public social media, and other open sources.”

The company claims to have a database of more than 10 billion facial images and pitches itself as a friend of law enforcement, able to search for matches against mug shots and scene-of-crime footage to help track down alleged offenders who might otherwise never be found.

“Uploaded images, no matter how publicly they may be displayed, don’t suddenly stop being personal information just because they’re published, and the terms and conditions applied to their ongoing use don’t magically evaporate as soon as they appear online.”

Clearview’s founder Hoan Ton-That suggested: "There is […] a First Amendment right to public information. So the way we have built our system is to only take publicly available information and index it that way."

What was the reaction of regulators?

  • For the UK the proposed intervention includes the aforementioned £17m (about $23m) fine; a requirement not to touch UK residents’ data anymore; and a notice to delete all data on British people that Clearview already holds.

  • Australian regulators don’t seem to have proposed a financial penalty but also demanded that Clearview must not scrape Australian data in the future; must delete all data already collected from Australians; and must show in writing within 90 days that it has done both of those things.

So what’s the upshot for you? This company took something and pushed it out to the far end of “creepy”. Sure, police love it: now they think they can identify anyone at any time from any angle.

Global: Worms in your HP printer? Eww. Don’t forget firmware patches there too.

Cybersecurity researchers disclosed multiple security flaws affecting 150 different multifunction printers (MFPs) from HP Inc that could be potentially abused by an adversary to take control of vulnerable devices, pilfer sensitive information, and infiltrate enterprise networks to mount other attacks.

The two weaknesses — collectively called Printing Shellz — were discovered and reported to HP by F-Secure Labs researchers, prompting the PC maker to issue patches earlier this month:

“The flaws are in the unit’s communications board and font parser. An attacker can exploit them to gain code execution rights, with the former requiring physical access while the latter can be accomplished remotely. A successful attack will allow an adversary to achieve various objectives, including stealing information or using the compromised printer as a beachhead for future attacks against an organization.”

So what’s the upshot for you? HP has released two patches, but remember: if you have an HP printer, you’ll have to apply them for them to work!

JP: Panasonic Breach

With “smart” TVs and whatnot collecting copious amounts of user data, it’s interesting to find out who’s getting hacked. This time it’s Panasonic.

So what’s the upshot for you? Panasonic isn’t sure what the intruders were able to get. A third-party investigator has been engaged, with a brief to figure out if any customer data or “sensitive information related to social infrastructure” was accessed. And then there is this: “Panasonic would like to express its sincerest apologies for any concern or inconvenience resulting from this incident,” concludes the company’s statement.

IL: NSO was about to sell hacking tools to France.

In July, accusations emerged that spyware from NSO Group had targeted French President Emmanuel Macron, causing a major controversy. At the exact same time, the MIT Technology Review learned, French government officials were in the final stages of contract negotiations to purchase Pegasus hacking tools from NSO. Sources familiar with the deal say that the process fell apart after the accusations that French politicians potentially were among those targeted by the NSO software.

Then the United States sanctioned NSO Group by adding it to its entity list, thereby imposing rigorous rules and restrictions on Americans buying from or selling to the Israeli company. The US made the move because it said NSO was building and selling “spyware to foreign governments” that used it for malicious purposes.

Fearing a worse political backlash, a day later Israel banned the sale of hacking and surveillance tools to 65 countries (with some omissions), and in the meantime Apple piled in with a lawsuit against NSO Group.

So what’s the story? NSO Group’s primary product is Pegasus, a spying tool that’s been the subject of both global criticism and global demand for a decade. The program enables the owner to break into a target’s phone to eavesdrop on the victim and gain access to everything on the device, including messages, contacts, and photos. Many democratic nations have purchased the product, including Germany, Spain, and Mexico: Officials in those countries say law enforcement and intelligence agencies need tools like Pegasus to surveil legitimate targets, such as members of organized criminal groups or terrorist networks. But critics say the tool gives carte blanche for spying without enough oversight and accountability—leading to regular abuse.

NSO has also sold Pegasus to multiple authoritarian nations, particularly across the Middle East and North Africa, and there are dozens of well-documented allegations of abusive behavior by its customers.

What’s happening over at NSO? Morale is low and things are looking bleak, with Bloomberg reporting that Wall Street is shunning NSO and treating it as a distressed asset; it’s saddled with over $500 million in debt and a growing risk of insolvency; meanwhile, the company’s new CEO quit just a week after being appointed.

So what’s the upshot for you? NSO is more involved in the politics of Israel than anyone cares to admit. It’s been great for creating relationships with regimes that Israel had difficulty with previously, and it has political ties that no one wants to mention, but the US block listing certainly will hurt.

Global: Attackers don’t bother brute-forcing long passwords, Microsoft engineer says

According to data collected by Microsoft’s network of honeypot servers, most brute-force attackers primarily attempt to guess short passwords, with very few attacks targeting credentials that are either long or contain complex characters.

“I analyzed the credentials entered from over 25 million brute force attacks against SSH. This is around 30 days of data in Microsoft’s sensor network,” said Ross Bevington, a security researcher at Microsoft.

“77% of attempts used a password between 1 and 7 characters. A password over 10 characters was only seen in 6% of cases." Bevington says that only 7% of the brute-force attempts he analyzed in the sample data included a special character. In addition, 39% actually had at least one number, and none of the brute-force attempts used passwords that included white space.

The researcher’s findings suggest that longer passwords that include special characters are most likely safe from the vast majority of brute-force attacks, as long as they haven’t been leaked online and are not part of attackers’ brute-forcing dictionaries.

So what’s the upshot for you? “If you must have your servers accessible on the Internet, use strong passwords, managed identity, MFA,” Bevington said.
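To see what Bevington’s breakdown looks like in practice, here is a small added example (our own, not Microsoft’s analysis code) that runs the same length and character-class counts over a constructed sample of SSH honeypot log lines, plus a per-source-IP tally. The log format (timestamp, source IP, username, password) is an assumption; the real format of Microsoft’s sensor network is not described.

```python
"""Summarise the credentials seen in SSH brute-force attempts."""
from collections import Counter

# Constructed sample, NOT Microsoft's sensor data. Assumed format, one
# attempt per line: "<timestamp> <source ip> <username> <password>".
SAMPLE_LOG = """\
2021-11-01T03:12:44Z 198.51.100.7 root 123456
2021-11-01T03:12:45Z 198.51.100.7 root password
2021-11-01T03:12:46Z 198.51.100.7 admin admin
2021-11-01T03:13:01Z 203.0.113.9 root root
2021-11-01T03:13:02Z 203.0.113.9 root 1234
2021-11-01T03:13:03Z 203.0.113.9 root 123456
2021-11-01T03:14:10Z 192.0.2.55 root P@ssw0rd
2021-11-01T03:14:11Z 192.0.2.55 root 12345678
2021-11-01T03:14:12Z 192.0.2.55 pi raspberry
2021-11-01T03:15:00Z 192.0.2.55 root Welcome2021!
"""


def parse_attempts(log_text):
    """Return a list of (ip, username, password) tuples.

    The password is the remainder of the line after three splits, so an
    attempt that contains whitespace is kept whole rather than truncated.
    """
    attempts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, password = line.split(" ", 3)
        attempts.append((ip, user, password))
    return attempts


def has_special(password):
    """A 'special' character here is anything not alphanumeric or whitespace."""
    return any(not c.isalnum() and not c.isspace() for c in password)


def credential_stats(passwords):
    """Length and character-class breakdown, as percentages of all attempts."""
    total = len(passwords)
    if total == 0:
        raise ValueError("no passwords to analyse")

    def pct(count):
        return round(100.0 * count / total, 1)

    return {
        "total": total,
        "pct_len_1_to_7": pct(sum(1 for p in passwords if 1 <= len(p) <= 7)),
        "pct_len_over_10": pct(sum(1 for p in passwords if len(p) > 10)),
        "pct_special": pct(sum(1 for p in passwords if has_special(p))),
        "pct_digit": pct(sum(1 for p in passwords if any(c.isdigit() for c in p))),
        "pct_whitespace": pct(sum(1 for p in passwords if any(c.isspace() for c in p))),
        "top_passwords": Counter(passwords).most_common(3),
    }


def attempts_per_ip(attempts):
    """How many guesses each source IP made; useful for rate-based blocking."""
    return Counter(ip for ip, _user, _password in attempts)


if __name__ == "__main__":
    attempts = parse_attempts(SAMPLE_LOG)
    stats = credential_stats([password for _ip, _user, password in attempts])
    for key, value in stats.items():
        print(f"{key}: {value}")
    print("attempts per source IP:", dict(attempts_per_ip(attempts)))
```

On the constructed sample half the guesses are seven characters or fewer and only one is longer than ten, which is the shape of Bevington’s real numbers; swap in your own honeypot or `auth.log`-derived data and the same counters tell you which of your password policies are actually being tested by attackers.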

Global: Apple introduces “Threat Notifications”

If Apple discovers activity consistent with a state-sponsored attack, we notify the targeted users in two ways:

  1. A Threat Notification is displayed at the top of the page after the user signs in to

  2. Apple sends an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.

So what’s the upshot for you? Apple threat notifications will never ask you to click any links, open files, install apps or profiles, or provide your Apple ID password or verification code by email or on the phone. To verify that an Apple threat notification is genuine, sign in to If Apple sent you a threat notification, it will be clearly visible at the top of the page after you sign in.

Global: Observing Attacks Against Hundreds of Exposed Services in Public Clouds

Executive Summary: An insecurely exposed service is one of the most commonly seen misconfigurations in cloud environments. These services are discoverable on the internet and can pose a significant risk to cloud workloads in the same infrastructure. Notorious ransomware groups such as REvil and Mespinoza are known to exploit exposed services to gain initial access to victims’ environments. Using a honeypot infrastructure of 320 nodes deployed globally, researchers aim to better understand the attacks against exposed services in public clouds.

Researchers deployed multiple instances of remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB), and Postgres database in the honeypot infrastructure. Researchers found 80% of the 320 honeypots deployed between July and August 2021 compromised within 24 hours and all of the honeypots were compromised within a week.

Some findings that stand out are:

  • SSH was the most attacked application. The number of attackers and compromising events was much higher than for the other three applications. The results indicate that SSH services deployed in the APAC region are more likely to be attacked than those in other regions.
  • The most attacked SSH honeypot was compromised 169 times in a single day.
  • On average, each SSH honeypot was compromised 26 times daily.
  • One threat actor compromised 96% of our 80 Postgres honeypots globally within 30 seconds.
  • 85% of the attacker IPs were observed only on a single day. This number indicates that Layer 3 IP-based firewalls are ineffective as attackers rarely reuse the same IPs to launch attacks. A list of malicious IPs created today will likely become outdated tomorrow.

The speed of vulnerability management is usually measured in days or months. The fact that attackers could find and compromise our honeypots in minutes was shocking.

So what’s the upshot for you?

  • Create a guardrail to prevent privileged ports from being open.

  • Create audit rules to monitor all the open ports and exposed services.

  • Create automated response and remediation rules to fix misconfigurations automatically.

  • Deploy next-generation firewalls in front of the applications, such as VM-Series or WAF to block malicious traffic.

And never think that they won’t find a mistaken configuration. Take your time to get it right before you make it Internet-facing.

Global: URL allow-list bypass leaks the access token for the internal Google Cloud Platform (GCP) project “cxl-services.”

In March, David Schütz discovered that a URL allow-list bypass could be used to leak the access token for the internal Google Cloud Platform (GCP) project “cxl-services.”

A user in possession of the access token could elevate privileges on other internal Google Cloud projects, access Google Compute instances, resources on the affected GCP projects, view log files dating back years, (including sensitive user data), and even completely take over

  1. The researcher reported the vulnerability to Google in late March 2021 and, by mid-April, the Internet search giant told him he was eligible for a $4,133.70 bug bounty reward for his discovery.

In June, just as he was getting ready to publish information on the security hole, the researcher discovered that, while the original flaw had been patched, he was still able to leak the access token with a modified exploitation URL.

  2. Specifically, while he initially thought that using “@” was the security defect, he then discovered that the URL check bypass would work by placing any character between “\” and “@.” …Google, which addressed the second bypass within days after becoming aware of it, told the researcher he was eligible for a second bug bounty payout, of $3,133.70.

  3. In August, Schütz found out that the bug was still affecting the old iteration of the default service, although it had been addressed in the newer version, so he sent another report to Google, which issued a third bug bounty reward, in the amount of $3,133.70.

The issue appears to be completely fixed now, and the security researcher has released details and published a video documenting how he discovered the vulnerability.

So what’s the upshot for you? One of the most detailed “How I did it” reveals we have seen in a long time.
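The bug class here is a URL allow-list check that compares strings where the client that eventually fetches the URL parses them differently. The added example below is ours, not Schütz’s exploit or Google’s actual check: a naive prefix check next to a stricter one, run over probe URLs built around a hypothetical allowed host (allowed.example). The userinfo (“@”) trick is the one the report describes; the backslash rejection is a generic defence against the second class of bypass, where a “\” lands in the authority part, since browsers treat “\” as “/” in http(s) URLs while many server-side parsers do not.

```python
"""A naive URL allow-list check beside a stricter one."""
from urllib.parse import urlsplit

# Assumption: the only host this service may fetch from. Hypothetical name;
# the real allow-listed host in the cxl-services case is not given here.
ALLOWED_HOST = "allowed.example"


def naive_is_allowed(url):
    """The kind of string check that gets bypassed: take whatever sits between
    the scheme and the first '/', and ask whether it *starts with* the host."""
    pieces = url.split("/", 3)
    if len(pieces) < 3:
        return False
    authority = pieces[2]
    return authority.startswith(ALLOWED_HOST)


def strict_is_allowed(url):
    """Parse first, then compare the host exactly and reject anything that a
    browser or downstream fetcher might interpret differently from us."""
    if "\\" in url:
        # Browsers treat '\' as '/' in http(s) URLs; many server-side parsers
        # do not, so the two disagree on where the host ends. Refuse, don't guess.
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        # "https://allowed.example@attacker.example/" parses with the allowed
        # name as *userinfo* and attacker.example as the real host.
        return False
    if port not in (None, 443):
        return False
    return parts.hostname == ALLOWED_HOST


# Constructed probe URLs (not from the report), one per classic allow-list trick.
PROBES = [
    "https://allowed.example/v1/demo",               # legitimate
    "https://allowed.example@attacker.example/",     # userinfo trick
    "https://allowed.example\\x@attacker.example/",  # backslash before '@'
    "https://allowed.example.attacker.example/",     # prefix as a subdomain
    "https://allowed.example:8443/",                 # unexpected port
    "http://allowed.example/",                       # scheme downgrade
]


def compare_checks(urls=PROBES):
    """Return {url: (naive_verdict, strict_verdict)} for each probe."""
    return {u: (naive_is_allowed(u), strict_is_allowed(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in compare_checks().items():
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

The naive check passes every probe, the strict one passes only the legitimate URL. The general lesson from the three-round fix history above is the same: allow-listing has to be done on the parsed host, with the same parser semantics as whatever consumes the URL afterwards, and any feature that could shift the host boundary (userinfo, backslashes, odd ports, alternate schemes) should be refused outright rather than normalised.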

US: Tardigrade: An APT attack on vaccine manufacturing infrastructure

As the world scrambles to develop, produce, and distribute cutting-edge vaccines and medications to combat the Covid-19 pandemic, the importance of biomanufacturing has been put on full display.

When ransomware hit a biomanufacturing facility this spring, something didn’t sit right with the response team. The attackers left only a halfhearted ransom note and didn’t seem all that interested in actually collecting a payment. Then there was the malware they had used: a shockingly sophisticated strain dubbed Tardigrade.

“This almost certainly started with espionage, but it has hit on everything—disruption, destruction, espionage, all of the above,” says Charles Fracchia, BioBright’s CEO. “It’s by far the most sophisticated malware we’ve seen in this space. This is eerily similar to other attacks and campaigns by nation-state APTs targeting other industries.”

“This malware was designed to build itself differently in different environments, so the signature is constantly changing and it’s harder to detect,” says Callie Churchwell, a malware analyst at BioBright. “I tested it almost 100 times and every time it built itself in a different way and communicated differently. Additionally, if it’s not able to communicate with the command and control server, it has the capability to be more autonomous and self-sufficient, which was completely unexpected.”

So what’s the upshot for you? The most common actors in this space have worked consistently to grab intellectual property about enzymes, drugs, and manufacturing processes that could save those countries billions of dollars and years of research and development. The Covid-19 pandemic created additional incentives for nation-state attackers. Tardigrade may act as an important wake-up call in a sector that is more critical than ever right now.

UK: “C” names the top 3.

Richard Moore, in his first public speech since becoming head of the Secret Intelligence Service (MI6) in October 2020, named China, Russia, and Iran as its top three concerns.

Moore, speaking at the International Institute for Strategic Studies in London, said the disruptive potential of artificial intelligence and other rapidly developing technologies means the spy agency has to “become more open to stay secret” in a world of destabilizing technological change.

“According to some assessments, we may experience more technological progress in the next 10 years than in the last century, with a disruptive impact equal to the Industrial Revolution,” he said. “As a society, we have yet to internalize this stark fact and its potential impact on global geopolitics.”

“Our adversaries are pouring money and ambition into mastering artificial intelligence, quantum computing, and synthetic biology because they know that mastering these technologies will give them leverage,” Moore said.

To keep up, he said British spies “are now pursuing partnerships with the tech community to help develop world-class technologies to solve our biggest mission problems. Unlike Q in the Bond movies, we cannot do it all in-house."

So what’s the upshot for you? Until 1992, Britain’s government refused to confirm the existence of MI6, but things have changed for MI6 and “C”.

Oh, and that James Bond actor was Roger Moore, not Richard Moore, right? Life imitating art?

That’s it for this week Damlers!
They can replace lots of things, but trading Q for AI? That would be like Aston Martin building an SUV and Forbes doing a write-up of it that said it made sense!

Be kind, drive safe, stay secure and see you in se7en!
