Security Leftovers
-
Security updates for Thursday [LWN.net]
Security updates have been issued by Debian (firefox-esr and pcre2), Oracle (nss), Red Hat (kpatch-patch and nss), SUSE (java-11-openjdk, kernel, and python310), and Ubuntu (emacs24, ffmpeg, firefox, imagemagick, libphp-phpmailer, librecad, and openjpeg2).
-
Security updates for Wednesday [LWN.net]
Security updates have been issued by Debian (node-sqlite3 and qemu), Fedora (libmemcached-awesome, manifest-tool, sudo, and vim), Red Hat (gnutls, kernel, kernel-rt, lua, and openssl), Slackware (mozilla), SUSE (amanda, firefox, go1.19, go1.20, jakarta-commons-fileupload, java-1_8_0-openjdk, nodejs18, peazip, perl-Net-Server, python, python-cryptography, python-Django, python3, rubygem-rack, and xorg-x11-server), and Ubuntu (ipython, linux-ibm, linux-ibm-5.4, and linux-kvm).
-
Latitude Financial hacked as 300,000 customer identification documents stolen
Financial lender Latitude Finance has warned customers of a major cyberattack in which more than 300,000 customer identification documents were stolen.
A spokesperson for the company said unusual activity was detected on its systems over the last few days, and it appeared the company’s records had been hacked.
They said hackers stole employee login details to access personal customer information held by two other service providers before the company was able to isolate the incident.
-
Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server [Ed: US regime paying a steep price for "choosing" Microsoft]
From November 2022 through early January 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and authoring organizations identified the presence of indicators of compromise (IOCs) at a federal civilian executive branch (FCEB) agency. Analysts determined that multiple cyber threat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX, located in the agency’s Microsoft Internet Information Services (IIS) web server. Successful exploitation of this vulnerability allows for remote code execution. According to Progress Software, Telerik UI for ASP.NET AJAX builds before R1 2020 (2020.1.114) are vulnerable to this exploit.[1]
-
New threat group hacked EU healthcare agency and embassies, researchers say
A new hacking group is targeting European countries and organizations in an espionage campaign that began in June 2022, according to new research.
Cisco’s Talos cybersecurity team calls the new group “YoroTrooper” and said it has already successfully compromised accounts connected to a “critical” European Union healthcare agency and the World Intellectual Property Organization (WIPO). The researchers also found that it attacked several embassies.
“Our assessment is that the operators of this threat actor are Russian language speakers, but not necessarily living in Russia or Russian nationals since their victimology consists mostly of countries in the CIS [Commonwealth of Independent States],” which includes countries like Azerbaijan, Kyrgyzstan and Turkmenistan, the researchers said.
-
Justice Department Investigation Leads to Takedown of Darknet Cryptocurrency Mixer ChipMixer
The Justice Department announced today a coordinated international takedown of ChipMixer, a darknet cryptocurrency “mixing” service responsible for laundering more than $3 billion worth of cryptocurrency between 2017 and the present in furtherance of, among other activities, ransomware, darknet markets, fraud, cryptocurrency heists and other hacking schemes. The operation involved U.S. federal law enforcement’s court-authorized seizure of two domains that directed users to the ChipMixer service and one GitHub account, as well as the German Federal Criminal Police’s (the Bundeskriminalamt) seizure of the ChipMixer back-end servers and more than $46 million in cryptocurrency.
-
Independent Living Systems updates its breach disclosure; notifying more than 4.2 million patients
In September 2022, Independent Living Systems LLC (ILS), a business associate in Florida, notified HHS and regulators of a network incident that affected 501 patients. They also provided public notice, but were unable to identify and notify all individuals who had been affected. The “501” was simply a marker to indicate “more than 500.” The HHS entry hasn’t been updated since then, and HHS hasn’t yet closed its investigation. But thanks to ILS’s notification to the Maine Attorney General’s Office, we now know that the breach affected a total of 4,226,508 people. HHS may update its entry in the near future with the number reported to them.
This week, ILS issued a press release about the incident on behalf of its covered entity subsidiaries Florida Community Care LLC and HPMP of Florida Inc. d/b/a Florida Complete Care. ILS also issued the notification as a direct provider of services and on behalf of certain data owner clients and covered entity health plans.
-
Plaintiff Wins Case Against [Cr]ackers After Serving Court Papers via NFT
A federal judge in Florida has ruled in favor of a plaintiff who sued anonymous hackers and issued formal notice of the legal action via NFT, according to recent court filings.
The ruling, a default judgment from Judge Beth Bloom of the United States District Court Southern District of Florida, declares that the unidentified hackers are on the hook for the $971,291 worth of USDT (Tether) that they stole from plaintiff Rangan Bandyopadhyay’s Coinbase wallet in December 2021.
-
AllCare Plus Pharmacy notifies 5,971 patients of phishing incident last year
According to their notification, on June 21, 2022, AllCare discovered that some employees had received phishing emails. Their investigation revealed that some of the employees’ accounts had been compromised, and the attacker accessed certain accounts containing patient information. The types of information in those email accounts included name, address, date of birth, Social Security number, other types of identity information, financial information, and health information such as health insurance, prescription and treatment information.
-
Beaver Medical Group notifying patients whose information was accessed in phishing incident
Beaver Medical Group (BMG) in California is part of Optum Health. On January 24, BMG discovered unusual activity in an employee’s workstation. Their investigation revealed that an unauthorized actor had launched a targeted phishing attack that gave them access to the employee’s email account.
-
N.L. says Hive ransomware group was behind 2021 cyberattack on health systems [Ed: Microsoft Windows TCO]
The Newfoundland and Labrador government says the Hive ransomware group was behind a cyberattack that paralyzed the province's health-care system a year and a half ago.
But top government officials still won't say whether they paid a ransom.
"We can't disclose anything about a request for a ransom, for security purposes," Justice Minister John Hogan told reporters Tuesday afternoon.
-
NorthStar Emergency Medical Services notifies 82,450 patients of September hacking incident
According to a notification letter and press release by NorthStar, on September 16, 2022, NorthStar detected abnormal activity in their network. Investigation subsequently revealed that an unauthorized actor had accessed files containing protected health information. The types of information in the files included names, Social Security numbers, dates of birth, patient ID numbers, treatment information, Medicare/Medicaid numbers, and/or health insurance information.
-
Lawsuit: Cop pulled over driver for TikTok livestream—and shared driver’s ID
A Dallas County Sheriff's Department deputy, Francisco Castillo, was briefly suspended after livestreaming a traffic stop, allegedly just to gain TikTok clout, in 2021. Now, the Texas motorist that he pulled over, Torry Osby, is suing, saying that the deputy exposed Osby to risks of identity theft and break-ins at his home by flashing Osby's driver's license and sharing his personal information to more than 100 followers tuned into Castillo's livestream.
Osby’s lawyer, James P. Roberts, told Ars that it’s unlikely that their client was the only victim of Castillo’s alleged privacy-invading social media abuse. The complaint documents a seeming pattern of Castillo sharing videos while on duty that seemed to get more engagement than his other videos, making it appear likely to Osby's lawyers that Castillo was increasingly motivated to create videos of his police activity in hopes of boosting his likes and followers.
-
Romanian entities issued monetary penalties for infosecurity and data protection failures
Regulators in Romania have issued monetary penalties to six Romanian entities for insufficient technical and organizational measures to ensure information security. Two other entities were issued fines for other GDPR violations.
-
Current Turmoil and Future Risks in Resolving Data Breach Class Actions
Data incident lawsuits, especially class actions, have the potential to create significant business disruption, loss of marketplace credibility, civil liability or regulatory exposure. Consequently, companies that experience a data incident often want the issues resolved quickly and at minimal cost. In terms of litigation, an early settlement of civil lawsuits in a class action resolution to sweep up all potential claims may be a good strategy. Class action settlements can be structured in a variety of ways, with any number of different terms, to effectuate the desired result.
-
BianLian Ransomware Pivots From Encryption to Pure Data-Theft Extortion
The BianLian ransomware group is ramping up its operations and maturing as a business, moving more swiftly than ever to compromise systems. It's also moving away from encryption to pure data-theft extortion tactics, in cyberattacks that have so far bagged at least 116 victims, researchers have found.
BianLian, first discovered last July, hasn't deviated much from its initial tactic: deploying a custom Go-based backdoor once it infiltrates a network. The functionality of the malware essentially remains the same except for a few tweaks, researchers from Redacted said in a blog post published today.
However, the swiftness with which the group's command-and-control server (C2) deploys the backdoor has increased, and the group notably has moved away from ransoming encrypted files to focusing more on pure data-leak extortion as a means to extract payments from victims, the researchers said.