Plus: The FBI's baffling inaction on a ransomware group, a massive breach of Danish electric utilities, and more.

If you’re looking for a long read to while away your weekend, we’ve got you covered. First up, WIRED senior reporter Andy Greenberg reveals the wild story behind the three teenage hackers who created the Mirai botnet code that ultimately took down a huge swath of the internet in 2016. WIRED contributor Garrett Graff pulls from his new book on UFOs to lay out the proof that the 1947 “discovery” of aliens in Roswell, New Mexico, never really happened. And finally, we take a deep dive into the communities that are solving cold cases using face recognition and other AI.

That’s not all. Each week, we round up the security and privacy stories we didn’t report in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

For years, mercenary hacker companies like NSO Group and Hacking Team have repeatedly been the subject of scandal for selling their digital intrusion and cyberespionage services to clients worldwide. Far less well-known is an Indian startup called Appin that, from its offices in New Delhi, enabled customers worldwide to hack whistleblowers, activists, corporate competitors, lawyers, and celebrities on a giant scale.

In a sprawling investigation, Reuters reporters spoke to dozens of former Appin staff and hundreds of its hacking victims. It also obtained thousands of its internal documents—including 17 pitch documents advertising its “cyber spying” and “cyber warfare” offerings—as well as case files from law enforcement investigations into Appin launched from the US to Switzerland. The resulting story reveals in new depth how a small Indian company “hacked the world,” as Reuters writes, brazenly selling its hacking abilities to the highest bidder through an online portal called My Commando. Its victims, as well as those of copycat hacking companies founded by its alumni, have included Russian oligarch Boris Berezovsky, Malaysian politician Mohamed Azmin Ali, targets of a Dominican digital tabloid, and a member of a Native American tribe who tried to claim profits from a Long Island, New York, casino development on his reservation.

The ransomware group known as Scattered Spider has distinguished itself this year as one of the most ruthless in the digital extortion industry, most recently inflicting roughly $100 million in damage to MGM Casinos. A damning new Reuters report—their cyber team has had a busy week— suggests that at least some members of that cybercriminal group are based in the West, within reach of US law enforcement. Yet they haven't been arrested. Executives of cybersecurity companies who have tracked Scattered Spider say the FBI, where many cybersecurity-focused agents have been poached by the private sector, may lack the personnel needed to investigate. They also point to a reluctance on the part of victims to immediately cooperate in investigations, sometimes depriving law enforcement of valuable evidence.

Denmark's critical infrastructure Computer Emergency Response Team, known as SektorCERT, warned in a report on Sunday that hackers had breached the networks of 22 Danish power utilities by exploiting a bug in their firewall appliances. The report, first revealed by Danish journalist Henrik Moltke, described the campaign as the biggest of its kind to ever target the Danish power grid. Some clues in the hackers' infrastructure suggest that the group behind the intrusions was the notorious Sandworm, aka Unit 74455 of Russia's GRU military intelligence agency, which has been responsible for the only three confirmed blackouts triggered by hackers in history, all in Ukraine. But in this case, the hackers were discovered and evicted from the target networks before they could cause any disruption to the utilities' customers.

Last month, WIRED covered the efforts of a whitehat hacker startup called Unciphered to unlock valuable cryptocurrency wallets whose owners have forgotten their passwords—including one stash of $250 million in bitcoin stuck on an encrypted USB drive. Now, the same company has revealed that it found a flaw in a random number generator widely used in cryptocurrency wallets created prior to 2016 that leaves many of those wallets prone to theft, potentially adding up to $1 billion in vulnerable money. Unciphered found the flaw while attempting to unlock $600,000 worth of crypto locked in a client's wallet. They failed to crack it but in the process discovered a flaw in a piece of open-source code called BitcoinJS that left a wide swath of other wallets potentially open to be hacked. The coder who built that flaw into BitcoinJS? None other than Stefan Thomas, the owner of that same $250 million in bitcoin locked on a thumb drive.

The Startup That Transformed the Hack-for-Hire Industry

Beyond the blinding speeds and sharp turns on new terrain, the teams at this weekend’s big F1 race are preparing for another kind of danger.

Every Formula 1 race weekend is essentially a pop-up event in a different city around the world, bringing 10 teams, their cars, and their entire mobile infrastructure to Australia, Singapore, Monaco, and beyond. This weekend's Las Vegas Grand Prix is especially unscripted, though, because the event is Formula 1's debut in Sin City. Cold weather and a rogue drain cover on the track have already injected some chaos into the spectacle. But as they prepared for the event, cybersecurity specialists from McLaren Racing, the city of Las Vegas, and the security firm Darktrace told WIRED that they aren't deterred—their whole job is to expect the unexpected.

Major live sporting events are a prime target for hackers because they are prominent, highly visible, and draw international attention. Russia's notorious attempt to target the 2018 Winter Olympics in South Korea, for example, included both disruptive attacks and hacks for information gathering. All sports now incorporate advanced elements of digital analysis and quantified performance, but Formula 1 is a particularly data-heavy sport. Race cars are essentially giant sensor arrays that are hurtling around at more than 200 miles per hour, generating massive amounts of information. The quicker teams can crunch the numbers from the track, the sooner they can determine which strategies and modifications to employ in real time or in preparation for the final race of the weekend. But a denial of service attack on any of a team’s engineering systems, one that disrupts their real-time communications, or theft of intellectual property could be disastrous for an F1 team.

“We’re a very public sport,” says Ed Green, McLaren's head of commercial technology. “Our people are known and where we’re racing is known and what we do is known. And while there are lots of unknown things about our operation, lots of what we do is public so people can find out information and start to target us. So what we’re trying to do is make sure that security is part of the team and an additive part of what we do.”

Green describes McLaren's setup at each race as “an extension of the office for the weekend.” The infrastructure is a sort of mobile data center where, for example, the pit crew on the ground is working as a remote part of the garage back at headquarters. This means that a crucial component of the entire operation is reducing latency in the digital connection between the track and home base—a geographic and network distance that varies significantly from weekend to weekend as the season plays out around the world. Green says that during the Brazil race in Sao Paulo at the beginning of November, McLaren was connected to its HQ in England with just a 223-millisecond delay.

“We pull down 1.5 terabytes of data a weekend and run 50 million simulations over the course of a weekend. And I would break down the importance of cybersecurity in a few different buckets,” McLaren CEO Zak Brown says. “We have the design IP of our race car, and that is highly confidential trade secrets that we're moving around a lot. We're dealing with third parties and racing around the world. And then we have all the data that is going on at the race track, where we're literally making split-second decisions.”

Darktrace, which provides digital defense services for McLaren and has also worked with the city of Las Vegas on its cybersecurity for years, says that phishing, business email compromise, and other scams are the types of attacks its real-time, artificial-intelligence-based threat monitoring system detects and blocks most often related to Formula 1, both day to day and on race weekends.

“One of the things that I've learned from being a partner with McLaren is the car changes continuously, every race there are things that are changing, new elements being introduced based on the track conditions,” says Nicole Eagan, Darktrace's chief strategy and AI officer. “It's a continuous updating and changing of IP that's much more dynamic than in other industries that we protect.”

All of this change and quick communication both within an organization and with third parties creates potential opportunities for scammers. But McLaren's Brown also notes that Formula 1 teams need to be wary of their position on the global stage.

“It's one thing to lock down Fort Knox—we’re moving 24 times around the world into different countries, from China to Saudi Arabia to Las Vegas,” he says. “Each one has its own challenges. With the growth of the sport, how much technology we use and where we're racing, people will attempt to use our sport sometimes in a political nature. There are bad actors that can potentially come at us from every angle and for every reason, some of which aren't personal. So therefore cybersecurity is right at the top of the list when we go through our IT needs.”

While Darktrace chief information security officer Mike Beck agrees that geopolitics and hacktivism can pose a threat to a sport with as much global reach as F1, he adds that competitive racing's simple and straightforward goal is an advantage for defenders.

“The mission is so clear, get that car around the track as fast as possible and make sure no one steals your IP and you don’t get locked out,” he says. “When you get that sort of clarity on a mission you can articulate risk really, really well.”

While preparing for the Formula 1 race weekend has been a logistical challenge in many ways, Michael Sherwood, Las Vegas' chief innovation and technology officer, says that the city is well positioned to handle the cybersecurity component because it deals with so many high-profile events throughout the year. Las Vegas has also invested in smart city infrastructure and already defends a massive array of deployed sensors and other networked devices.

Recent cyberattacks that targeted some of Las Vegas' entertainment giants, including Caesar's and MGM Resorts, have put the city on even higher alert, Sherwood says. But he adds that whether he's working on digital defenses for the Grand Prix, New Year's Eve, or just a regular night of epic Vegas partying, “there’s no resting. This is the world we live in—you’re on guard all the time, preparing and prepping.”

Inside the Race to Secure the F1 Las Vegas Grand Prix

OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Saved Search Creation.

**Cross-site Scripting in OpenCRX**

Moderate severity GitHub Reviewed Published Nov 18, 2023 to the GitHub Advisory Database • Updated Nov 20, 2023

GHSA-5phw-6g3r-55xx: Cross-site Scripting in OpenCRX

OpenCRX version 5.2.0 is vulnerable to HTML injection via the Category Creation Name Field.

GHSA-hhcf-79pm-r8r9: Cross-site Scripting in OpenCRX

OpenCRX version 5.2.0 is vulnerable to HTML injection via the Product Configuration Name Field.

GHSA-96q4-7fwr-gmxh: Cross-site Scripting in OpenCRX

OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Name Field.

GHSA-chj5-8wxj-rxg8: Cross-site Scripting in OpenCRX

OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Milestone Name Field.

GHSA-qjmx-q5m4-xqf5: Cross-site Scripting in OpenCRX

OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Group Name Field.

GHSA-3g79-j8hq-r4xv: Cross-site Scripting in OpenCRX

OpenCRX version 5.2.0 is vulnerable to HTML injection via the Activity Search Criteria-Activity Number.

GHSA-mfp5-vh58-3j3r: Cross-site Scripting in OpenCRX

OpenCRX version 5.2.0 is vulnerable to HTML injection via Product Name Field.

Tag

#git