this week in security — january 19 edition
- this week in security
------------------------------------------------------------
a cybersecurity newsletter by @zackwhittaker (https://mastodon.social/@zackwhittaker)
volume 8, issue 3
~ ~
- THIS WEEK, TL;DR
------------------------------------------------------------
PowerSchool breach may affect millions of students; no MFA on hacked account (https://techcrunch.com/2025/01/15/powerschool-data-breach-victims-say-hackers-stole-all-historical-student-and-teacher-data/)
TechCrunch: Bear with me, there's a lot this week. Let's start with one of the biggest hacks of the year (already, I know): PowerSchool, used by 18,000 schools and 60+ million students, was breached. In the absence of information from the company, affected school districts helped each other (https://techcrunch.com/2025/01/18/how-victims-of-powerschools-data-breach-helped-each-other-investigate-massive-hack/) to investigate, while some districts say "all" historical staff and student (https://techcrunch.com/2025/01/15/powerschool-data-breach-victims-say-hackers-stole-all-historical-student-and-teacher-data/) data was stolen. Turns out PowerSchool wasn't using MFA (https://techcrunch.com/2025/01/17/malware-stole-internal-powerschool-passwords-from-engineers-hacked-computer/) on one of its support accounts, which granted the hackers access to steal gobs of data. A lot of highly sensitive student data was taken, including grades, medical data, SSNs, and more. Many schools have already notified their students of the breach, so stay on alert for more. My team at TechCrunch did incredible reporting on this story this week (disclosure: obvious bias alert!). Keep a close eye on this!
More: PowerSchool (https://www.powerschool.com/security/sis-incident/) | TechCrunch (https://techcrunch.com/2025/01/17/malware-stole-internal-powerschool-passwords-from-engineers-hacked-computer/) | K12TechPro (https://k12techpro.com/one-week-later-and-we-still-have-questions-about-the-powerschool-breach/) | USA Today (https://www.usatoday.com/story/news/education/2025/01/13/powerschool-data-breach-what-to-know-students/77667159007/) | @malwarejake (https://infosec.exchange/@malwarejake/113845139843736751)
Treasury names and sanctions Salt Typhoon, and the hacker targeting Treasury (https://home.treasury.gov/news/press-releases/jy2792)
U.S. Treasury: In its final days, the Biden administration's cyber team has named, shamed, and sanctioned the group known as Salt Typhoon, the China-backed hackers behind the biggest breach of U.S. phone and internet giants, as well as the hacker behind the recent Treasury hacks. Look at that; things can happen at speed when they want to get done... Per the Treasury, Salt Typhoon is linked to a Sichuan-based cybersecurity company called Sichuan Juxinhe, which has "direct involvement" with the hacking group. Meanwhile, the U.S. Treasury is sanctioning Yin Kecheng, a Shanghai-based cyber actor affiliated with the Chinese MSS, the ministry for foreign intelligence, in connection with the hack of the Treasury itself. Bloomberg ($) (https://www.bloomberg.com/news/articles/2025-01-16/treasury-hackers-focused-on-sanctions-intelligence-report-says) revealed that the scope of the Treasury hack includes the breach of 400+ computers and the theft of more than 3,000 files from the department. All this comes in the same week that the feds unsealed action (https://arstechnica.com/tech-policy/2025/01/fbi-forces-chinese-malware-to-delete-itself-from-thousands-of-us-computers/) they took to force-remove the China-linked PlugX malware from thousands of U.S. computers. Departing CISA chief Jen Easterly posted some words (https://www.cisa.gov/news-events/news/strengthening-americas-resilience-against-prc-cyber-threats) on the threat from China, and the outgoing FBI director (https://bsky.app/profile/kimzetter.bsky.social/post/3lfmznfaj2k2u) also shared his views.
More: Washington Post ($) (https://www.washingtonpost.com/national-security/2025/01/13/salt-typhoon-china-sanctions-biden/) | CBS News (https://www.cbsnews.com/news/fbi-director-christopher-wray-on-threats-america-faces-decision-to-step-down-60-minutes-transcript/) | Ars Technica (https://arstechnica.com/tech-policy/2025/01/fbi-forces-chinese-malware-to-delete-itself-from-thousands-of-us-computers/) | @argvee (https://x.com/argvee/status/1879926597815504948) | @dnvolz (https://x.com/dnvolz/status/1878822293817971074)
Biden admin goes all out on final cyber executive order (https://www.csoonline.com/article/3802476/biden-white-house-to-go-all-out-in-final-sweeping-cybersecurity-order.html)
CSO Online: Relatedly... it's the Biden cyber team's swan song with their final executive order. Rushed out in the last days of the administration, outgoing top cyber official Anne Neuberger set out the order as setting up the next administration on the best possible footing. But as it was her last briefing, Neuberger said it wasn't clear to her who was doing what in cyber under Trump — since she won't be around to see it. Much of the order was patching issues the government had worked on over the past few years. It's unclear if the Trump admin will accept or rescind the order, details of which you can read here (https://www.whitehouse.gov/briefing-room/presidential-actions/2025/01/16/executive-order-on-strengthening-and-promoting-innovation-in-the-nations-cybersecurity/), and Wired ($) (https://www.wired.com/story/biden-executive-order-cybersecurity-ai-and-more/) has a breakdown, too. Much of the Trump admin's public rhetoric has been on cyber-offense, which only really seems like a smart idea if you've got an incredibly strong defense base at home — which... we don't.
More: White House (https://www.whitehouse.gov/briefing-room/presidential-actions/2025/01/16/executive-order-on-strengthening-and-promoting-innovation-in-the-nations-cybersecurity/) | Cyberscoop (https://cyberscoop.com/aggressive-cyber-offense-trump-administration-us-strategy-debate/) | CNBC (https://www.cnbc.com/2025/01/16/biden-administration-launches-cybersecurity-executive-order.html) | Axios (https://www.axios.com/2025/01/16/biden-executive-order-ai-cyber-security-trump)
Fortinet warns of auth. bypass zero-day under attack to hijack firewalls (https://www.bleepingcomputer.com/news/security/fortinet-warns-of-auth-bypass-zero-day-exploited-to-hijack-firewalls/)
Bleeping Computer: It's a day ending in "y," so of course there's yet another major bug in a widely used enterprise security edge device that allows hackers to break into the network ostensibly protected by the product. This week it's Fortinet, whose firewalls are vulnerable to CVE-2024-55591 (https://www.fortiguard.com/psirt/FG-IR-24-535), which Fortinet says is under active exploitation in the wild. Arctic Wolf (https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/) says the bug was first exploited back in November, so... that's probably a fair number of organizations pwned so far. This lands in the same week that a hacking group released config files and VPN credentials on over 15,000 Fortinet devices, and @GossiTheDog (https://doublepulsar.com/2022-zero-day-was-used-to-raid-fortigate-firewall-configs-somebody-just-released-them-a7a74e0b0c7f?gi=06d38535bbd7) has a good blog post with more details.
More: Fortinet (https://www.fortiguard.com/psirt/FG-IR-24-535) | TechCrunch (https://techcrunch.com/2025/01/14/hackers-are-exploiting-a-new-fortinet-firewall-bug-to-breach-company-networks/) | The Register (https://www.theregister.com/2025/01/14/miscreants_mass_exploited_fortinet_firewalls/)
Microsoft's first Patch Tuesday of 2025 patches 161 bugs (https://krebsonsecurity.com/2025/01/microsoft-happy-2025-heres-161-security-updates/)
Krebs on Security: Speaking of bugs, get your fill of flaws in this month's Patch Tuesday. Krebs has your run-down of the 161 updates from Microsoft, including three privilege escalation zero-days in Hyper-V, but little is known about the bugs under attack in the wild just yet. The monthly bug patch includes six kernel address leak fixes, all submitted by @yarden_shafir (https://x.com/yarden_shafir/status/1879340852654551053). That's incredible work! And thanks as always to Krebs for pulling these reports together!
More: CrowdStrike (https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-january-2025/) | Cyberscoop (https://cyberscoop.com/microsoft-patch-tuesday-january-2025/) | @screaminggoat (https://infosec.exchange/@screaminggoat/113826625290043358)
~ ~
- THE STUFF YOU MIGHT'VE MISSED
------------------------------------------------------------
Texas sues Allstate for violating privacy rights of 45 million Americans (https://therecord.media/texas-sues-allstate-data-privacy-cars)
The Record: Texas' attorney general is suing Allstate and its subsidiary Arity for allegedly collecting, using and selling cellphone location data and customers' movements of more than 45 million Americans without their knowledge, per a presser (https://www.texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-sues-allstate-and-arity-unlawfully-collecting-using-and-selling-over-45). (Ars Technica (https://arstechnica.com/gadgets/2025/01/allstate-sued-for-allegedly-tracking-drivers-behavior-through-third-party-apps/) has some good yarn, too.) Allstate and other insurers would "use that consumer's data to justify increasing their car insurance premium." Yuck, gross. Damn, if only they'd do something about this kind of invasive data collection and not say, oh I don't know, not focus on some nebulous threat from TikTok?
At least 8 Americans wrongly arrested after AI face matches (https://www.washingtonpost.com/business/interactive/2025/police-artificial-intelligence-facial-recognition/)
Washington Post ($): Get yourself a pot of coffee and riled up for this weekend long-read. This infuriating story (the piece itself is very well done) looks at deficiencies in policing standards across the U.S. resulting in overconfidence by police that AI and facial recognition was working — when it absolutely wasn't. The effect that these arrests had on their lives can't be understated.
How Barcelona became an unlikely hub for spyware makers (https://techcrunch.com/2025/01/13/how-barcelona-became-an-unlikely-hub-for-spyware-startups/)
TechCrunch: Sun, seafood, beautiful beaches... and spyware? That's Barcelona, Europe's newest spyware hub, according to multiple people involved in the spyware and exploit making business, who spoke with @lorenzofb (https://bsky.app/profile/lorenzofb.bsky.social/post/3lfpkfzkucc2r). The piece follows a would-be hire at a shadowy, secretive spyware maker starting out in Barcelona. Sure, Barcelona sounds fun and the city clearly has incentives to move there, but it's actually easier for spyware makers to export their products to Europe from Europe than it is from Israel, where many of these companies started out. At least for one person, moving to Spain was because of "expulsion" over emigration. This story got an important shoutout by Citizen Lab's @jsrailton (https://bsky.app/profile/jsrailton.bsky.social) at the U.N. Security Council, which saw governments this week call for regulations (https://techcrunch.com/2025/01/15/governments-call-for-spyware-regulations-in-un-security-council-meeting/) on the use of spyware.
Millions of 'failed' accounts vulnerable due to Google's OAuth Flaw (https://trufflesecurity.com/blog/millions-at-risk-due-to-google-s-oauth-flaw)
Truffle Security: OAuth, the login feature that lets you sign in with an online account (think the "sign in with Google" login option) can have its benefits, but you're putting your account access in the hands of someone else; in this case, Google. If you lose access to your account (or Google bans you), you're stuffed. This same issue happens with expired or lost domains, such as when a startup collapses; you can re-access any account that's connected to the newly revived domain (like Zoom, HR systems, and more). Truffle Security has a good post on what happens if you buy these expired domains and what access you can get to defunct Google accounts. The research was presented at ShmooCon; you can watch the talk from the blog.
Russian FSB campaign aims to exploit WhatsApp accounts (https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/)
Microsoft: Hackers believed to be associated with Russia's FSB are behind a new campaign targeting access to WhatsApp users. Microsoft's new research shows (https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/) the hackers are using fake QR codes to gain access to WhatsApp accounts — which, let's not forget, are widely used across governments (and in the U.K. (https://www.politico.eu/article/the-british-governments-disappearing-whatsapps/)). The Guardian (https://www.theguardian.com/technology/2025/jan/17/russian-hackers-star-blizzard-whatsapp-accounts-ministers-officials) has a good tl;dr.
~ ~
THANKS FOR READING!
this week in security is my free weekly cybersecurity newsletter supported entirely by donations from readers like you. As a working journalist (https://techcrunch.com/author/zack-whittaker/), I don't run ads or accept sponsors for this newsletter. Donations help reduce the costs of sending this newsletter while keeping it free, weekly, and without tracking.
To support this newsletter, check out my Ko-fi (https://ko-fi.com/thisweekinsecurity) to drop a one-time donation, or sign up from $10/monthly to get cool swag (https://ko-fi.com/thisweekinsecurity/tiers) shipped worldwide.
~ ~
- OTHER NEWSY NUGGETS
------------------------------------------------------------
Clop claims hacked Cleo customers: The Clop ransomware gang's latest mass-hack campaign targeting customers of Cleo Software seemed to return little, if anything, on the ransom front and appears to have been a bust. Clop named dozens of companies that it claimed to have hacked in recent weeks by way of exploiting a zero-day in the Cleo software used by its customers, but many of the companies said they had no evidence they were hacked (https://techcrunch.com/2025/01/16/clop-ransomware-gang-names-dozens-of-victims-hit-by-cleo-mass-hack-but-several-firms-dispute-breaches/) (which of course doesn't mean they weren't), and several said they weren't even Cleo customers! (via TechCrunch (https://techcrunch.com/2025/01/16/clop-ransomware-gang-names-dozens-of-victims-hit-by-cleo-mass-hack-but-several-firms-dispute-breaches/))
Gov't websites awash with scams and porn: Reports this week show both U.S. federal (https://theintercept.com/2025/01/14/government-websites-porn-spam-hack/) and Indian government websites (https://techcrunch.com/2025/01/07/indian-government-websites-are-still-redirecting-users-to-scam-sites/) are full of spam, scams, and sometimes porn, for reasons that aren't completely clear, but somehow, somewhere, hackers are breaking in and dropping pages and redirects to their own sites, which are getting cached in Google and other search engines. It's not a new issue by any means... and yet, nevertheless, it persists. (via The Intercept ($) (https://theintercept.com/2025/01/14/government-websites-porn-spam-hack/), @dell (https://bsky.app/profile/dell.bsky.social/post/3lfqntcqbis2v))
British ban busts bad bods' business: The U.K. government says it's going to — probably, maybe, someday — ban itself and other public sector organizations, including schools and local councils, from paying any hacker ransoms following a cyberattack. The U.K.'s security minister says it's only a proposal for now (details within (https://www.gov.uk/government/news/world-leading-proposals-to-protect-businesses-from-cybercrime)), but it comes after a series of major hacks at NHS trusts across the U.K. over the past year, including the Synnovis lab hack, a post-mortem of which, Bloomberg ($) (https://www.bloomberg.com/news/articles/2025-01-14/nhs-ransomware-hack-caused-patient-harm-in-uk-data-shows) reports, shows it caused real-world harm to patients. (via U.K. government (https://www.gov.uk/government/news/world-leading-proposals-to-protect-businesses-from-cybercrime), Home Office (https://www.gov.uk/government/consultations/ransomware-proposals-to-increase-incident-reporting-and-reduce-payments-to-criminals))
Otelier breach exposes millions of hotel goers: Well, this ain't good: Otelier, a hotel management platform, was hit by a data breach after threat actors broke into the company's AWS S3 cloud storage and stole millions of guests' information and reservations from well-known hotel chains like Marriott, Hilton, and Hyatt. Otelier confirmed it was hacked, and apparently it was due to stolen credentials (through info-stealing malware, no less — a common theme!). It's unclear if MFA was used, but either way, that's an eye-wateringly big breach for such a simple, basic security issue. (via Bleeping Computer (https://www.bleepingcomputer.com/news/security/otelier-data-breach-exposes-info-hotel-reservations-of-millions/))
CISA to get new leadership: Politico reports that with leadership at CISA (and the rest of the Biden administration's political appointments) leaving on January 20 ahead of the Trump admin's inauguration, the CISA top job may end up going to former Dept. of Energy and NSC staffer Sean Plankey. I guess we'll find out in, checks notes, a day or two or whenever. (via Politico (https://www.politico.com/live-updates/2025/01/15/congress/sean-plankey-likely-to-lead-u-s-cyber-agency-00198382) )
TikTok and others disappear after U.S. ban: We can't not talk about the TikTok ban that went into effect overnight. I have a lot of opinions on this, but suffice to say, it's clearly a First Amendment issue (https://constitution.congress.gov/constitution/amendment-1/) to ban an app (i.e. Congress created a law that prohibits free expression), and that the national security concerns aren't that much different from the U.S. tech giants that exploit their users the same way, just at home where that data, and algorithms that handle that data, can also be used against them. If TikTok is a national security threat, so is Meta, so is X, and so are data brokers that collect all of this data and share it with others. And please, don't try to use a shady VPN to get around the ban; not least, you can't, but also it's just very, very bad for your security to hand your network traffic to an entity you cannot trust any more than your ISP. (via BBC News (https://www.bbc.com/news/articles/cz6p1g54q85o), Associated Press (https://apnews.com/article/tiktok-ban-trump-biden-china-bdc79b7ce741a81761f67ea56d410103), Wired ($) (https://www.wired.com/story/how-to-get-around-the-us-tiktok-ban/))
~ ~
- THE HAPPY CORNER
------------------------------------------------------------
There's no time to wait. Happy corner, commence!
Next time you hear that a large enterprise or corporate giant was hit by a "sophisticated attacker," remember that it was probably just a fat cat (https://x.com/vxunderground/status/1878184456340615458) and not the mountain lion you might be picturing.
Moving on. Not even Harry Potter can escape the corporate phishing test (https://hachyderm.io/@forrestbrazeal/113829121978374399) .
Now, in obscure science news (https://www.bbc.com/news/videos/cly9vl9jjkvo) . Imagine you're a piece of interstellar rock, hurtling through space at absolutely ridiculous speeds. You're whizzing past asteroids, stars, and through the dust of the occasional comet trail. Then, out of nowhere, you see this bright, blue, beautiful planet in the distance... and as you get nearer, you see that it's this round, gorgeous oasis in space, and you can't wait to get even closer. As you approach, you feel like you're speeding up, as you dodge your way through a cluster of orbiting satellites... you're getting hotter and hotter, but closer and closer... and you're nearly there and...
...whoops? Well, by catching this footage on a doorbell camera (https://www.bbc.com/news/videos/cly9vl9jjkvo), it's a historic first since these sorts of events don't happen very often, scientists say (https://www.livescience.com/space/doorbell-camera-captures-1st-ever-video-of-the-sound-and-sight-of-a-meteorite-crash-landing).
And before we go: bonus cybercat (https://infosec.exchange/@hal_pomeranz/113851892936658346) , because why not?
If you have good news you want to share, get in touch at: this@weekinsecurity.com (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) .
~ ~
- CYBER CATS & FRIENDS
------------------------------------------------------------
Meet Shane, this week's cyber cat. If you think companies take your security and privacy seriously, you'd be right to be suspicious. Shane, on the other hand, really does want you to take your security and privacy seriously. You're a great advocate, Shane! (ba-dum tssk.) Thanks so much to Rob S. for sending in!
Shane is a very handsome, green-eyed tabby cat who's looking directly into the camera with a serious (but cute!) expression on his face.
Keep sending in your cyber cats! (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.) (or a non-feline friend). Drop me an email at any time with their name and a photo, and they'll be featured in an upcoming newsletter!
~ ~
- SUGGESTION BOX
------------------------------------------------------------
Thanks for reading this edition! I'll be back as usual with the roundup next Sunday. I'm sure it'll be a busy one. For all those who are leaving the federal government on Monday, especially those who worked in cyber, thank you for your service.
As always, if you have any feedback you want to share my way, please drop me an email (mailto:this@weekinsecurity.com) — or anything else for the newsletter. Cyber cat or friend? Send 'em along!
All my best,
@zackwhittaker (http://mastodon.social/@zackwhittaker)
============================================================
You are receiving this email because you opted in.
this week in security doesn't track email opens or clicks.
($) indicates sites with paywalls or logins. Please support journalism!