
Threat Source newsletter (March 30, 2023) — It’s impossible to tell if your home security camera or doorbell is truly safe

March 30, 2023, 6:00 p.m.
Jonathan Munshaw
blog.talosintelligence.com

Tags: home security camera, doorbell safety, privacy concerns, ransomware attack, online security, IoT cybersecurity, tech companies, vulnerability research, Amazon Ring, law enforcement access

Welcome to this week's edition of the Threat Source newsletter.

Everyone loves a good video of someone slipping on their icy steps in the winter, captured thanks to their home security camera or smart doorbell. But what about when that camera is just kind of chilling out and not catching the moment your dog takes off after that squirrel?

The world of security cameras and recording devices attached to one's home is becoming increasingly murky by the day. Law enforcement officials are finding ways to compel the companies that manufacture and manage these devices to turn over homeowners' footage, even if the homeowner doesn't consent to it.

And Amazon Ring, the biggest player in this space now, may or may not be the target of a ransomware attack.

So, while consumers might be purchasing these devices to ensure their physical security, whether these products are good for their online security remains a major question mark.

As Talos' own Joe Marshall wrote in a guest column at Dark Reading this week, "IoT vendors continue to fail us on implementing solid cybersecurity controls." This even goes for some of the largest tech companies in the world who would conceivably have the most money to invest in securing and testing these devices before they hit the market.

There are tons of budget options on the market that, unless you are an expert vulnerability researcher, are impossible to fully vet. I just went to Amazon's website this week and searched for "smart doorbell." Three of the best-selling items on the first page of results use nearly the exact same thumbnail art to advertise the product. Yet when you go to their product pages, each one is listed as being manufactured or sold by a different company.


If you're merely reading the reviews of these products to figure out what's right for you, or searching the internet for someone else's review, they may mention if the resolution quality is up to snuff or if the app works well, but I doubt the reviewer has the time to physically tear apart the device looking for vulnerabilities or combing through the API for security holes. And if we can't even trust the companies making these devices to differentiate their products based on appearance, there is no way to know how they may be prepared to respond to a data breach or what their stance is on sharing footage with law enforcement.

The same goes for security cameras. On Amazon's search page for "home security camera," the top five non-sponsored results are all made by different companies (Ring being one of them) and, based on the features they offer, it's nearly impossible to differentiate them outside of a difference in form factor. Very few of us looking to buy these pieces of equipment are qualified to say whether these products are even secure, and those among us who are qualified are probably smart enough not to buy these products in the first place.

I certainly wouldn't stop anyone from buying a home security camera if they truly feel it improves their families' safety. But I think that, no matter what brand we buy, everyone just needs to assume now that they're taking a risk with their privacy and online security as a trade-off for catching possible package burglars.

The one big thing

Emotet is back from the dead once again. Since returning, Emotet has leveraged several distinct infection chains, indicating that its operators are modifying their approach based on how successful they perceive each chain to be at infecting new systems. The initial emails delivered to victims are consistent with what has been observed from Emotet over the past several years.

Why do I care?

Emotet is arguably the most infamous botnet on the threat landscape, so it's notable any time it spins back up. This network is known to go through quiet periods and then pop back up, so this isn't particularly surprising, but it is noteworthy because Emotet's creators are switching up their tactics: they are moving to new types of lure documents both to evade detection and to get around the recent changes Microsoft made to macros to try to stop attackers from using malicious Office attachments.

So now what?

Because Emotet has been around for so long now, Cisco Secure and Talos have an exhaustive list of ways to stay protected from Emotet spam. But as a good general reminder, always make sure you triple-check the "From" field in an email to make sure it's actually from who you think it's from. And never open an attachment or click on a link in an email unless you're sure it's the correct destination.

Top security headlines of the week

Defenders and detractors of TikTok both seem unmoved after the popular social media app's CEO testified in front of a U.S. Congressional panel last week. Lawmakers who are in favor of a blanket ban on the app in the U.S. over data and privacy concerns were unimpressed with the answers the company's lead provided, while others mocked lawmakers for the types of questions they asked and instead advocated for broader data privacy laws. Republicans in Congress still plan to take up legislation to ban TikTok, with House Speaker Kevin McCarthy tweeting that, "It's very concerning that the CEO of TikTok can't be honest and admit what we already know to be true – China has access to TikTok user data." (Buzzfeed, The Hill, The New Yorker)

A bug in the popular ChatGPT AI tool exposed other users' message history and may have also leaked sensitive information like the payment information and emails of premium users. OpenAI, the company behind ChatGPT, took the tool offline last Tuesday for emergency maintenance after they became aware of the issue. The company confirmed the information was exposed during a nine-hour window on March 20, but it could have been exposed prior to that. The data leak exposes concerns that many users have around using tools like ChatGPT to share sensitive or potentially confidential information. (SecurityWeek, Engadget)

A data breach at Latitude Financial affects millions of people in New Zealand and Australia, potentially dating back to 2005. The personal lending company said attackers stole around 7.9 million driver's license numbers and 53,000 passport numbers. Names, addresses, phone numbers and dates of birth are also among the data stolen. When Latitude first announced the attack on March 16, it estimated that 300,000 customers had been affected, but the number has grown as the investigation continued, though the company stopped the breach prior to the disclosure. The breach has called into question why financial companies retain records for so long after a customer has applied for financing and how that data is stored. (The Guardian, Yahoo Finance)

Can't get enough Talos?

Upcoming events where you can find Talos

RSA (April 24 - 27)

San Francisco, CA

Cisco Live U.S. (June 4 - 8)

Las Vegas, NV

Most prevalent malware files from Talos telemetry over the past week
