Security Leftovers

posted by Roy Schestowitz on Feb 11, 2023,
updated Feb 11, 2023

• OAuth ‘masterclass’ crowned top web hacking technique of 2022

  Single sign-on and request smuggling to the fore in another stellar year for web security research

• Radio silence from DMS vendor quartet over XSS zero-days

  No response or patch yet forthcoming from providers of vulnerable document management systems

• US and UK impose sanctions on operators of infamous TrickBot botnet [Ed: Microsoft Windows TCO]

  The U.S. and the U.K. have sanctioned seven Russian nationals for their alleged involvement in running the infamous TrickBot botnet. TrickBot dates back to 2016 and has a network of more than 1 million machines. Initially used to target banking credentials with malware of the same name, TrickBot evolved several times over the years.

• CISA Adds Three Known Exploited Vulnerabilities to Catalog [Ed: It says "Intel Ethernet Diagnostics Driver for Windows Denial-of-Service Vulnerability"]

  CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view the newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column, which will sort by descending dates.

• Microsoft says Intel driver bug crashes apps on Windows PCs

• After Hack, Reddit Urges You to Enable 2FA - CNET

  No user data was exposed, Reddit says, but the company encourages people to strengthen security by implementing two-factor authentication.

• City of Oakland Targeted by Ransomware Attack, Core Services Not Affected

  The City of Oakland has learned that it was recently subject to a ransomware attack that began on Wednesday night. The Information Technology Department is coordinating with law enforcement and actively investigating the scope and severity of the issue. Our core functions are intact. 911, financial data, and fire and emergency resources are not impacted.

• Penang government data leaked online

  The latest notable incident in December saw a Facebook user claim that personal information of nearly 13 million Malaysians had been leaked from Maybank, Astro and the Election Commission’s websites.

• Clop ransomware claims it breached 130 orgs using GoAnywhere zero-day

  The security flaw, now tracked as CVE-2023-0669, enables attackers to gain remote code execution on unpatched GoAnywhere MFT instances with their administrative console exposed to Internet access.

• Employee personal data exposed in NJ school district cyber breach

  A New Jersey public school district’s data breach in December exposed personal data of employees — but those affected were not notified until the end of January.

  The breach occurred in the Bridgewater-Raritan Regional School District between Dec. 10 and 12 and exposed the names and Social Security numbers of district employees and others who are in the district’s insurance plan, according to a media release obtained by MyCentralJersey.com.

• Hack attack forces Modesto Police off computers, back onto radio, report says.

  Modesto Police officers are temporarily ditching computers for radios, pen, and paper while patrolling the city.

• Minneapolis Public Schools was nearly conned out of $500K

  At the height of the pandemic, one of Minnesota’s largest school districts fell victim to cyber fraud and nearly lost half a million dollars in the process. The previously unreported crime targeted Minneapolis Public Schools in April 2020, when schools and administration offices were vacant due to COVID-19.

• Dallas Central Appraisal District paid $170,000 to ransomware attackers

  Dallas County Chief Appraiser Ken Nolan told reporters that it was likely that the attack managed to infiltrate the organisation after an employee was tricked by a phishing email.

• The Center for Autism and Related Disorders notifies patients after vendor’s error caused HIPAA breach

  The Center for Autism and Related Disorders (“CARD”) has locations throughout the U.S. On January 24, it experienced a reportable breach when “as part of a recent update to its patient billing systems, the third-party vendor responsible for generating patient invoices incorrectly made a computer error which resulted in certain caregivers receiving an invoice for services for an unrelated patient.”