Changelog: A bleak start to the new year

Mehran Biabani / Unsplash

Welcome to Changelog for 1/4/2024, published by Synack! README senior editor Nathaniel Mott here with the first installment of the year.

The payload

Most people think webcam hacking is the province of technically gifted perverts looking to invade someone else’s privacy. That’s often true—and, when considered alongside concerns that global surveillance agencies will remotely snoop on people using similar methods, is responsible for a cottage industry of webcam covers—but compromising these cameras can also have more widespread effects than violating individual privacy.

The Security Service of Ukraine said on Jan. 2 that it “identified the addresses and dismantled the webcams that broadcast the operation of air defence systems and locations of Kyiv’s critical infrastructure” immediately after Russian forces used them to inform strikes on the country’s embattled capital. Both webcams were owned and operated by civilians before they were taken over by Russia-backed hackers.

The SSU said it “has blocked the operation of about 10,000 IP cameras that the enemy could have used to adjust missile attacks on Ukraine” since Russia invaded in February 2022. Now it’s “calling on the owners of street webcams to stop online broadcasts from their devices, and on citizens to report any streams from such cameras to the SSU’s official chatbot,” which is available via Telegram.

But how many people will hear (let alone heed) this plea? Of those, how many will be able to secure their devices? And will it even matter if they do? Webcams aren’t particularly well-known for their security; it wouldn’t be implausible to assume Russia could find vulnerabilities to exploit in these devices even if their owners can help the SSU remove the threat of webcam-informed strikes on Ukrainian soil.

We’ll have to hope Ukraine has collected enough webcam covers from cybersecurity conferences over the years.

The week, compiled

Reuters today reported that “Russian hackers were inside Ukrainian telecoms giant Kyivstar's system from at least May last year in a cyberattack that should serve as a ‘big warning’ to the West.” The hack—which “knocked out services provided by Ukraine's biggest telecoms operator for some 24 million users for days”—was a carefully planned attack that wreaked havoc on Kyivstar’s infrastructure.

So that’s one end of the “major telecoms outage” spectrum. On the other end we can find Orange Spain. The outages that company suffered this week weren’t the result of a sophisticated attack conducted by nation-state threat actors. Instead, according to the Hudson Rock security firm and researcher Kevin Beaumont, those outages resulted from Orange Spain’s absolutely unconscionable security practices.

Sahand Babali / Unsplash

Hudson Rock said that infostealer malware was used to gain access to credentials used by Orange Spain to manage its account with RIPE, which The Register said is “the regional database that contains all IP addresses and their owners in Europe, the Middle East, and Central Asia.” The attacker used this account to disrupt Orange Spain’s operations and disrupt “around half of its network’s traffic.”

Using infostealer malware to cause that many problems for Spain’s second-most popular internet service provider would be bad enough… but it turns out the attacker probably wouldn’t have needed the malware anyway. The password used to secure the RIPE account was reportedly—and somewhat unfathomably in 2024—just “ripeadmin.” And, of course, the account wasn’t secured with multi-factor authentication.

We’re all doomed.

And now for some other stories from around the web:

404 Media: Amazon Web Services has officially pulled the plug on the free version of the Wickr encrypted messaging app it acquired in June 2021. 404 Media noted that the app was particularly popular among people in the drug trade, so it seems AWS decided to stop dealing with that headache so it could focus on supporting the paid version of the service, which is used by government agencies and contractors alike.

CyberScoop: The FBI is “increasing the number of agents deployed to American embassies abroad to focus on cyber-related crime,” CyberScoop reported on Jan. 3, as “part of the bureau’s latest effort to improve the way it combats international cybercrime.” The bureau is planning to add six new positions, which “brings the total number of cyber-focused FBI agents deployed to U.S. embassies to 22.”

Thurrott: Valve has dropped support for Windows 7 and 8.1 from its nigh-ubiquitous Steam video game marketplace in a bid to improve the security of its client software. The company plans to drop support for old releases of macOS, too, with Thurrott reporting that it’s because the embedded version of the Chrome browser used by Steam’s client will no longer work on those versions of Apple’s desktop operating system.

A message from Synack

How companies approach security testing is in need of a makeover. Traditional pentesting satisfied compliance requirements, but that doesn’t stop critical vulnerabilities from affecting the business. With a strategic testing approach, companies can discover the vulnerabilities that matter most, manage remediation more quickly and see security posture improvement in real time with essential analytics. Learn how to start your journey to strategic testing.

Flash memory

Jan. 3 marked an important milestone for cybercriminals around the world. Satoshi Nakamoto “minted” the first block of Bitcoin on Jan. 3, 2009 ahead of the cryptocurrency’s official debut less than a week later. That means it’s been 15 years since “crypto” started to refer to “cryptocurrency” instead of “cryptography.”

Bitcoin has since been joined by countless other cryptocurrencies—Monero, Ethereum, Dogecoin, etc. But it’s still the most valuable, with CoinMarketCap putting the exchange rate for a single BTC at nearly $44,000 at time of writing, and remains the most accessible to people curious about this crypto thing.

Criminals originally latched onto Bitcoin for use on dark web marketplaces, but the cryptocurrency’s popularity has also made it the payment method of choice for ransomware operators who don’t feel like explaining how their victims can acquire the more-private-but-less-known Monero. Thanks, Satoshi!

Local files

The Record: Massachusetts-based Transformative Healthcare said last week that the “names, addresses, Social Security numbers, medical information” and other personal information of some 912,000 people was compromised between Feb. 17 and April 22 of last year. The company said it would offer two years of identity protection services to people whose information was breached as part of this campaign.

ABC: A ransomware attack on the court system in Victoria, Australia might also have led to the compromise of “the court system's audio-visual archive,” ABC reported, which means “recordings of hearings including witness testimony from highly sensitive cases may have been accessed or stolen.” The courts are reportedly contacting people who appeared in these recordings to inform them of the breach.

BleepingComputer: The Justice Department announced on Jan. 2 the arrest of a Nigerian man who allegedly embezzled $7.5 million from a U.S. charity using a combination of business email compromise (wherein he masqueraded as another charity requesting funds) and infostealer malware (used to collect the credentials that allowed him to approve the transactions) between June and August 2020.

Off-script

It’s been a while since I’ve agreed with someone as fervently as I agreed with The Verge’s Elizabeth Lopatto in her piece, “A New Year’s resolution for tech companies: knock it off with the CAPTCHAs,” which makes clear just how ridiculous companies’ efforts to make us prove our humanity have become.

Nik / Unsplash

CAPTCHAs themselves are irritating for all of the reasons Lopatto cites in her piece. But it’s even more annoying when companies decide they don’t like the cut of your jib—by which I mean there’s something about the device you’re using and the way you’re using it that raises their suspicions—and thus force CAPTCHA after CAPTCHA after CAPTCHA even if you solve all of them without any errors.

I’ve mostly encountered this problem when I visit sites with Firefox on a system running Linux, but sometimes they’re annoyed when I browse via Safari on my iPhone, too. So far as I can tell, there’s no way to escape this CAPTCHA loop once you’re in it. Find all the buses; select all the stop lights. Nothing will be enough to prove you’re a person who just wants to be able to browse the web.