this week in security — january 12 edition
Huge breach of location data, PowerSchool data breach, China hack of Treasury deepens, and more.
- this week in security
------------------------------------------------------------
a cybersecurity newsletter by @zackwhittaker (https://mastodon.social/@zackwhittaker)
volume 8, issue 2
View this email in your browser (https://mailchi.mp/weekinsecurity/this-week-in-security-january-12-2025-edition?e=9d10de3b61) | RSS (https://us18.campaign-archive.com/feed?u=e1ad6038c994abec17dafb116&id=a2457dc8ad)
~ ~
- THIS WEEK, TL;DR
------------------------------------------------------------
Hackers claim massive breach of location data from Gravy Analytics (https://www.404media.co/hackers-claim-massive-breach-of-location-data-giant-threaten-to-leak-data/)
404 Media: Well, it happened — and it looks like this could be a big one. A major broker of location data, Gravy Analytics, had a data breach that lost an eye-watering amount of location data to hackers who raided its AWS account. A sample published on a hacking forum this week contained somewhere in the region of tens of millions of location data points from around the world, from ordinary users whose phone apps track where they go. This is all thanks to real-time bidding (https://www.eff.org/deeplinks/2025/01/online-behavioral-ads-fuel-surveillance-industry-heres-how) , a process that exploits the ads industry to power the surveillance industry. (Ad-blockers are your friend!) There are thousands of apps — including very popular apps, like Tinder, Candy Crush, and others — that use bits of code (like SDKs) to display ads, which have the side-effect of allowing brokers to listen in and acquire users' real-time location data, something the apps themselves might not even explicitly know about. (The WSJ (https://www.wsj.com/tech/cybersecurity/how-ads-on-your-phone-can-aid-government-surveillance-943bde04) has a good primer on how this works.) This data is highly trackable and is a nightmare for privacy; Forbes ($) (https://www.forbes.com/sites/thomasbrewster/2025/01/10/gravy-analytics-massive-mobile-location-data-hack-may-have-risked-gay-peoples-safety/) also has a look inside the hacked data. Little word yet from the company, Gravy, except a brief notification via Norwegian media (https://www.nrk.no/norge/oppdaget-datainnbrudd-da-hackeren-tok-kontakt-1.17201694) – because the law there requires a breach notification. The U.S., meanwhile, has no such law. The hackers behind the breach have threatened to post more, but deleted their forum post... either way, this will be a major story to keep a close eye on.
More: 404 Media (https://www.404media.co/candy-crush-tinder-myfitnesspal-see-the-thousands-of-apps-hijacked-to-spy-on-your-location/) | NRK.no (https://www.nrk.no/norge/oppdaget-datainnbrudd-da-hackeren-tok-kontakt-1.17201694) | Reuters ($) (https://www.reuters.com/technology/cybersecurity/location-tracking-company-unacast-tells-norway-its-data-was-hacked-broadcaster-2025-01-11/) | EFF (https://www.eff.org/deeplinks/2025/01/online-behavioral-ads-fuel-surveillance-industry-heres-how) | @fs0c131y (https://x.com/fs0c131y/status/1877128999240962290) | @josephcox (https://infosec.exchange/@josephcox/113800439776792443)
https://x.com/fs0c131y/status/1876983147503513800
PowerSchool hack exposes K-12 student and teachers' personal data (https://www.bleepingcomputer.com/news/security/powerschool-hack-exposes-student-teacher-data-from-k-12-districts/)
Bleeping Computer: A major data breach at edtech provider PowerSchool saw a hacker steal a ton of sensitive data on students and teachers in K-12 districts across North America. PowerSchool is a major provider of school software, used by some 50 million students. The stolen data includes personal information — names and addresses — but also Social Security numbers, some medical data and grades, according to a leaked FAQ (https://techcrunch.com/2025/01/09/powerschool-says-hackers-stole-students-sensitive-data-including-social-security-numbers-in-data-breach/) . The company admitted that the hacker broke in with a "stolen credential" (sigh!). Looks like the company paid the hacker to delete the data, but really, come on, nobody can trust that! DataBreaches.net (https://databreaches.net/2025/01/10/powerschool-incident-a-few-resources-for-teachers-parents-and-former-students/) has resources for students and affected teachers and parents alike. Expect data breach disclosures (well, at least in the U.S. states that require them) to drop in the next few weeks and months, and there will probably be a fair number of them.
More: TechCrunch (https://techcrunch.com/2025/01/09/powerschool-says-hackers-stole-students-sensitive-data-including-social-security-numbers-in-data-breach/) | Reddit /r/k12sysadmin (https://old.reddit.com/r/k12sysadmin/comments/1hw1m3x/so_powerschool_had_a_breach/)
Japan links Chinese hacker MirrorFace to dozens of cyberattacks (https://apnews.com/article/japan-police-cyberattack-china-government-68adcb293b2931da4c30ca0279720124)
Associated Press: Japan blamed a China-backed hacking group called MirrorFace for being behind dozens of cyberattacks targeting the Japanese government and tech companies across the country in a multi-year hacking spree since 2019. MirrorFace sent emails with malware and targeted VPNs to get access to internal networks. It's the latest warning about Japan's cybersecurity posture of late; in 2023, @ellenwapo (https://bsky.app/profile/ellenwapo.bsky.social) reported that China hacked (https://www.washingtonpost.com/national-security/2023/08/07/china-japan-hack-pentagon/) some of Japan's most sensitive networks — to a point where the U.S., a major ally of Japan, was getting reeeeally concerned with its own secrets.
More: NPA.go.jp (https://www.npa.go.jp/bureau/cyber/koho/caution/caution20250108.html) | Kyodo News (https://english.kyodonews.net/news/2025/01/3de655117007-210-hacks-made-on-jaxa-other-japan-targets-by-china-group-since-2019.html) | TechCrunch (https://techcrunch.com/2025/01/08/japan-says-chinese-hackers-targeted-its-government-and-tech-companies-for-years/)
China hackers targeted Treasury's CFIUS office in December breach (https://www.cnn.com/2025/01/10/politics/chinese-hackers-breach-committee-on-foreign-investment-in-the-us/index.html)
CNN: Speaking of China... looks like we have another member of the Typhoon family (https://techcrunch.com/2024/10/13/meet-the-chinese-typhoon-hackers-preparing-for-war/) to add to our bingo card. Silk Typhoon (previously Hafnium — yes — of that mass email hacking fame (https://techcrunch.com/2021/03/10/america-small-business-hafnium-exchange-hacks/) ) is back with a new campaign (https://www.bloomberg.com/news/articles/2025-01-08/white-house-rushes-to-finish-cyber-order-after-china-hacks) targeting the U.S. Treasury. It started with a December breach of a BeyondTrust private key that allowed remote access to Treasury employee workstations and unclassified documents. Then, the Treasury's OFAC office (https://www.washingtonpost.com/national-security/2025/01/01/treasury-hack-china/) for imposing financial sanctions was hacked; and now CNN reports that CFIUS — in more acronym salad — the committee that assesses foreign investments and transactions for national security risks, was also targeted by the Chinese hackers. CISA also said (https://content.govdelivery.com/accounts/USDHSCISA/bulletins/3cafdc4) this week it doesn't think there's any other department, other than the Treasury, affected by this particular campaign... but didn't say how it came to that conclusion.
More: CISA (https://content.govdelivery.com/accounts/USDHSCISA/bulletins/3cafdc4) | Bloomberg ($) (https://www.bloomberg.com/news/articles/2025-01-08/white-house-rushes-to-finish-cyber-order-after-china-hacks) | The Register (https://www.theregister.com/2025/01/10/china_treasury_foreign_investment/)
~ ~
- THE STUFF YOU MIGHT'VE MISSED
------------------------------------------------------------
New Ivanti VPN bug exploited to hack into companies (https://techcrunch.com/2025/01/09/hackers-are-exploiting-a-new-ivanti-vpn-security-bug-to-hack-into-company-networks/)
TechCrunch: New year, new Ivanti bug exploited in the wild (and almost exactly a year (https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US) since its last major flaw). This time it's CVE-2025-0282 (https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US) in Ivanti's Connect Secure (VPN product), which is being actively exploited to break into company networks. The folks at Mandiant said, per its investigation, that it looks like China-nexus actors (https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day?e=48754805) are behind the hacks and that "multiple" organizations were compromised. So, patch today! This is likely to be an ongoing issue for a bit; watchTowr Labs, which investigated (https://labs.watchtowr.com/do-secure-by-design-pledges-come-with-stickers-ivanti-connect-secure-rce-cve-2025-0282/) (also: A+ meme game), said exploitation has already seen "widespread impact." More from @screaminggoat (https://infosec.exchange/@screaminggoat/113795412892601309) .
White House unveils Cyber Trust Mark labeling program (https://www.nextgov.com/cybersecurity/2025/01/white-house-unveils-cyber-trust-mark-program-consumer-devices/401991/)
Nextgov/FCW: The Biden administration unveiled — in its penultimate week — its long-awaited Cyber Trust Mark program, its cybersecurity labeling program for consumer internet-connected devices. This labeling system is designed to certify that smart devices are sold with certain security standards (as defined by NIST), such as no default passwords and the ability to patch security updates. "Have your IoT devices as part of a healthy, balanced security diet" — at least that's the goal. Certified devices will hit the shelves in 2025.
DEF CON's hacker-in-chief faces fortune in medical bills after paralyzing neck injury (https://www.theregister.com/2025/01/07/def_con_security_chief_injured/)
The Register: Marc Rogers, the head of security for the DEF CON hacker con, faces tens of thousands of dollars in medical bills after an accident left him with a broken neck. Speaking with the folks at The Register, Rogers says the prognosis is good and that he's doing better; but, of course, this is America and Rogers couldn't rely on his health insurance provider doing the right thing in time before the injury got worse. Rogers' GoFundMe is online (https://www.gofundme.com/f/support-marc-rogers-road-to-recovery) for anyone who can spare a few. All the best for a speedy and full recovery, Marc!
https://x.com/k8em0/status/1876671646968557875
Corellium founder's mystery pardon involved spam and fish (https://www.semafor.com/article/01/10/2025/citizen-wade-the-life-of-a-legendary-hacker-to-receive-a-rare-presidential-pardon)
Semafor: First of all, no, this doesn't involve some obscure British food (I would know). For years, reporters have been trying to figure out (https://daringfireball.net/linked/2020/12/29/wade-pardon) why Christopher Wade, the co-founder of mobile security research firm Corellium, was granted a pardon (https://www.businessinsider.com/donald-trump-pardon-chris-wade-cybersecurity-secret-crime-unsealed-documents-2025-1) by President Trump on his way out of office the first time around. Was it to do with government contracts? Or was it to do with a spam operation he ran in the 2010s, for which he was ultimately granted a legal lifeline through chance encounters over his personal fish obsession? Perhaps...
Voice phishing groups found abusing Apple 'account confirmation' prompts (https://krebsonsecurity.com/2025/01/a-day-in-the-life-of-a-prolific-voice-phishing-crew/)
Krebs on Security: Brian Krebs (https://infosec.exchange/@briankrebs/113789749211433022) is back with an important story revealing how voice phishing hackers are abusing Apple's own processes to trick unsuspecting victims into granting access to their Apple accounts. It's the same hack that targeted Mark Cuban not so long ago. Cuban spoke with Krebs and explained how the hackers obtained access to some of Cuban's crypto wallets.
~ ~
THANKS FOR READING!
this week in security is my free weekly cybersecurity newsletter supported entirely by donations from readers like you. As a working journalist (https://techcrunch.com/author/zack-whittaker/) , I don't run ads or accept sponsors for this newsletter. Donations help reduce the costs of sending this newsletter while keeping it free, weekly, and without tracking.
To support this newsletter, check out my Ko-fi (https://ko-fi.com/thisweekinsecurity) to drop a one-time donation, or sign up from $10/monthly to get cool swag (https://ko-fi.com/thisweekinsecurity/tiers) shipped worldwide.
~ ~
- OTHER NEWSY NUGGETS
------------------------------------------------------------
Telegram hands over user data to authorities: Turns out when authorities arrest a company's CEO for failing to help the authorities investigate serious crimes, things can change at that company pretty quickly. Months after the Telegram CEO's arrest, the app's transparency bot (which isn't very transparent) now shows a spike in government demands for Telegram users' data in the months that followed. India, Germany and the U.S. are the top requesting countries, per a global breakdown (https://te-k.github.io/telegram-transparency/) of the data. Meanwhile, E2EE messaging apps like Signal can't hand over data (https://signal.org/bigbrother/santa-clara-county/) they don't have to begin with. (via 404 Media ($) (https://www.404media.co/telegram-hands-u-s-authorities-data-on-thousands-of-users/) , Forbes ($) (https://www.forbes.com/sites/thomasbrewster/2025/01/07/telegram-hands-data-on-thousands-of-users-to-law-enforcement/) )
China hacks Philippines: Hackers backed by China have penetrated the executive branch of the Philippines government over a years-long campaign, per @jamietarabay (https://bsky.app/profile/jamietarabay.bsky.social/post/3lf4poos5z222) . The hack also included the president's office. The Philippines government was more tight-lipped in a later press conference, not confirming a breach, but said that the attacks were "persistent." China appears to be continuing to try to hack its way out of international disputes, including over land and territory. (via Bloomberg ($) (https://www.bloomberg.com/news/articles/2025-01-07/chinese-hackers-target-philippine-president-steal-military-data) )
Nyet, nyet! Boom, pszzzt: That's the sound of a Russian internet provider in St. Petersburg having its digital systems obliterated in a destructive cyberattack, claimed by Ukrainian hacktivists. The ISP, Nodex, said in a post on Russian social networking site VK that its systems were "destroyed" in the breach, in which the hackers posted screenshots (https://t.me/UCAgroup/38) of the ISP's internal network and its backup systems. (via The Record (https://therecord.media/russian-internet-provider-says-network-destroyed-cyberattack) , TechCrunch (https://techcrunch.com/2025/01/08/ukrainian-hackers-take-credit-for-hacking-russian-isp-that-wiped-out-servers-and-caused-internet-outages/) )
https://techcrunch.com/2025/01/08/ukrainian-hackers-take-credit-for-hacking-russian-isp-that-wiped-out-servers-and-caused-internet-outages/
UN aviation agency confirms breach: The United Nations' civil aviation agency, ICAO, confirmed a breach this week in which 42,000 recruitment-related records were stolen from the agency, affecting some 12,000 people. In a brief update (https://www.icao.int/Newsroom/Pages/ICAO-statement-on-reported-security-incident.aspx) , ICAO said names, email addresses, dates of birth, and employment history were stolen (and later published on a known hacking forum) in the breach. (via ICAO (https://www.icao.int/Newsroom/Pages/ICAO-statement-on-reported-security-incident.aspx) , Reuters ($) (https://www.reuters.com/business/aerospace-defense/un-aviation-agency-says-almost-12000-people-affected-by-release-data-2025-01-10/) )
DNC may have had phone snooping tech: Newly analyzed radio wave data collected by Wired reporters walking around the Democratic National Convention found that there is in fact evidence of a cell-site simulator operating at the DNC, potentially capable of spying on devices within its geographical range. These so-called "stingray" devices can intercept sensitive data from most devices in their range. The new data analysis — carried out by the EFF — wasn't conclusive, but all signs point to a stingray in use. (via Wired ($) (https://www.wired.com/story/2024-dnc-cell-site-simulator-phone-surveillance/) , @dmehro (https://x.com/dmehro/status/1877739997391949956) )
~ ~
- THE HAPPY CORNER
------------------------------------------------------------
He says with gusto this week: This is the happy corner! And I think we can start with what everyone else is thinking, too. It has been a very trying couple of weeks.
https://infosec.exchange/@Lockdownyourlife/113808084251374793
But let's try to make the best of it. After all, it's the only 2025 we'll ever get. So maybe that impulse purchase — like this adorable crocheted dumpster fire — isn't such a bad thing, especially if it's going to bring you joy.
https://bsky.app/profile/maggieastor.bsky.social/post/3lfgr5k3etc27
Meanwhile, sometimes it really is worth it to meet your heroes, like @iwriteok (https://bsky.app/profile/iwriteok.bsky.social/post/3lfg4xc4pic2y) did this week when meeting the developers of the VLC media player at CES. VLC was one of the first pieces of software I downloaded from the internet when I got my first Windows computer back in the early '00s. Long live VLC! This interaction is wholesome a.f.
https://bsky.app/profile/iwriteok.bsky.social/post/3lfg4xc4pic2y
Absolutely amazing work from @mspecter (https://bsky.app/profile/mspecter.bsky.social/post/3lfgf547jls24) and @stellars (https://bsky.app/profile/sellars.bsky.social) , who reverse-engineered dozens of FTC privacy and security rulings over the years and identified how these investigations were put together and from what sources. This is a real public service; and it's been a huge pet peeve of mine that the FTC has brought action against various firms but seldom credits the people — often reporters — who do the work that identifies the issue to begin with. The FTC and Independent Reverse Engineering project (https://ftcreverse.engineering/) , which was presented at ShmooCon (https://bsky.app/profile/sellars.bsky.social/post/3lfggwmh7ts2z) this weekend, aims to solve that.
And on that note... I am consumed with FOMO, as I can't be at ShmooCon this year (its final year, no less). For those there, have an amazing time. There's plenty to do and see (https://x.com/dakacki/status/1878080347663134958) , hijinks (https://bsky.app/profile/rgblights.bsky.social/post/3lfitgzxmac26) and happy memories (https://bsky.app/profile/k8em0.bsky.social/post/3lfhwlc6tas2q) going round!
If you have good news you want to share, get in touch at: this@weekinsecurity.com (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) .
~ ~
- CYBER CATS & FRIENDS
------------------------------------------------------------
Ssssshhhhhh.... Zzzz.. zzz... Zzz.... this week's cyber cat.... is... Sweetpea... Zzzzz... clearly fast asleep ... thanks so much to Eden K... Zzzzz.... for sending in! .... Zzzzzz
Sweetpea is a very cute, very fluffy grey Russian blue kitty curled up on an office chair on top of a copy of The New York Times.
Keep sending in your cyber cats! (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.) (or a non-feline friend). Drop me an email at any time with their name and a photo, and they'll be featured in an upcoming newsletter!
~ ~
- SUGGESTION BOX
------------------------------------------------------------
I won't keep you any longer — this has already been the longest newsletter of the year — go and enjoy your weekend and have a great rest of your week.
As always, please do drop me an email with any feedback (mailto:this@weekinsecurity.com) or anything for the happy corner. And if you have a cyber-cat update, I'd love to hear from you!
Catch you next,
@zackwhittaker (http://mastodon.social/@zackwhittaker)
============================================================
You are receiving this email because you opted in.
this week in security doesn't track email opens or clicks.
($) indicate sites with paywalls or logins. Please support journalism!
Our mailing address is: this week in security
Zack Whittaker
PO Box 415
Jersey City, NJ 07303-0415
USA