Security Leftovers
-
Security updates for Tuesday [LWN.net]
Security updates have been issued by Debian (libdatetime-timezone-perl and tzdata), Fedora (chromium), Red Hat (emacs and libwebp), Slackware (netatalk), and Ubuntu (php7.0).
-
North Korean APT Gets Around Macro-Blocking With LNK Switch-Up
APT37 is among a growing list of threat actors that have switched to Windows shortcut files after Microsoft blocked macros last year.
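Because a shortcut carries its command line in plain structure, the first check a responder wants on a suspect .lnk is a static one: what does it launch, with which arguments, and is anything hidden or appended. Below is an added example, not code from the article or from any vendor's tooling: a Python parser for the MS-SHLLINK header and StringData that skips the optional IDList, LinkInfo and ExtraData sections by their own size fields, then flags the traits macro-less shortcut lures tend to share (a script host as target, whitespace padding that keeps the arguments out of the Properties dialog, encoded or download-style keywords, and a payload appended after the terminal ExtraData block). The two shortcuts it inspects are built in the script; the overlay bytes and the encoded argument are harmless placeholders.

```python
"""
Static triage of a Windows shortcut (.lnk, MS-SHLLINK format).

Added example, not from the article or from any vendor. The sample
shortcuts below are constructed here for the demo; the overlay and the
-enc payload are harmless stand-ins for what a real lure would carry.
"""
import base64
import struct

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields, in the order the spec serialises them
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil")
ARG_KEYWORDS = ("-enc", "hidden", "bypass", "iex", "downloadstring", "frombase64string")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields plus the size of any data appended after ExtraData."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"flags": flags}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    # ExtraData: blocks prefixed by BlockSize; a size below 4 marks the terminal block
    while off + 4 <= len(data):
        block_size = struct.unpack_from("<I", data, off)[0]
        if block_size < 4:
            off += 4
            break
        off += block_size
    fields["overlay_bytes"] = max(0, len(data) - off)
    return fields


def assess(fields: dict) -> list:
    """Heuristic findings for a parsed shortcut; an empty list means nothing stood out."""
    findings = []
    args = fields.get("arguments", "")
    low = (fields.get("relative_path", "") + " " + args).lower()
    hosts = [h for h in SCRIPT_HOSTS if h in low]
    if hosts:
        findings.append("script host or LOLBin as target: " + ", ".join(hosts))
    pad = len(args) - len(args.lstrip(" \t"))
    if pad >= 64:
        findings.append(f"{pad} chars of leading whitespace in arguments (hides the command line in Properties)")
    keys = [k for k in ARG_KEYWORDS if k in low]
    if keys:
        findings.append("suspicious argument keywords: " + ", ".join(keys))
    if fields["overlay_bytes"]:
        findings.append(f"{fields['overlay_bytes']} bytes appended after ExtraData (embedded payload?)")
    return findings


def build_lnk(relative_path: str, arguments: str, overlay: bytes = b"") -> bytes:
    """Build a minimal Unicode shortcut for the demo: header, two StringData fields,
    a terminal ExtraData block and an optional overlay. Constructed, not a captured sample."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<II", flags, 0x20)                # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
    header += b"\0" * 24                                      # Creation/Access/Write FILETIME
    header += struct.pack("<IIIHHII", 0, 0, 7, 0, 0, 0, 0)    # FileSize, IconIndex, ShowCommand=SW_SHOWMINNOACTIVE, HotKey, reserved
    assert len(header) == HEADER_SIZE

    def sd(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + sd(relative_path) + sd(arguments) + struct.pack("<I", 0) + overlay


# Constructed samples: one ordinary shortcut, one shaped like a macro-less lure
BENIGN_LNK = build_lnk(r"..\..\Windows\System32\notepad.exe", "")
OVERLAY = b"MZ" + b"\x90" * 64    # placeholder standing in for an appended payload
ENCODED = base64.b64encode("Start-Sleep 1".encode("utf-16-le")).decode()  # harmless -enc stand-in
LURE_LNK = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    " " * 300 + "-nop -w hidden -ep bypass -enc " + ENCODED,
    overlay=OVERLAY,
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("lure", LURE_LNK)):
        fields = parse_lnk(blob)
        print(label, fields.get("relative_path"), assess(fields))
```

The parser deliberately never dereferences the target, so it is safe to run on a quarantined attachment; pair it with a size check, since a shortcut of hundreds of kilobytes is itself a strong signal that something is riding along in the overlay.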
-
Ransomware cyberattack continues at Bluefield University
There are new developments on the cybersecurity attack that has crippled internet services at Bluefield University. We’ve learned through “RamAlert” texts sent to students, faculty and staff that the cyber attackers are now directly communicating with everyone on the alert system. They have identified themselves as “AvosLocker” and are demanding payment in return for not leaking students’ private information. The FBI considers AvosLocker to be ransomware. In March 2022, they released an advisory on it. They said AvosLocker has “targeted victims across multiple critical infrastructure sectors in the U.S., including … the financial services, critical manufacturing, and government facilities sectors.”
-
Merck entitled to $1.4B in cyberattack case after court rejects insurers' 'warlike action' claim
Merck may finally be entitled to a hefty insurance payout from the high-profile NotPetya cyberattack—if an appeals court ruling stands.
A New Jersey appellate court on Monday ruled that a group of insurers can’t use war as an argument to deny Merck coverage from the notorious cyberattack that afflicted the company and others back in 2017.
Upholding a prior ruling, the appeals court said in an opinion (PDF) that the “hostile/warlike action” exclusion clause shouldn’t be applied to a cyberattack on a non-military company—even if it originated from a government or sovereign power. In this case, the hack was tied to Russia as part of its aggression against Ukraine, according to U.S. officials.
The Superior Court of New Jersey previously granted Merck a $1.4 billion payout after the pharma company sued its insurers who had denied coverage for the NotPetya attack. On appeal, eight insurers disputed nearly $700 million in coverage, or about 40% of the total Merck had in its property insurance program at the time.
-
288 dark web vendors arrested in major marketplace seizure
In an operation coordinated by Europol and involving nine countries, law enforcement have seized the illegal dark web marketplace “Monopoly Market” and arrested 288 suspects involved in buying or selling drugs on the dark web. More than EUR 50.8 million (USD 53.4 million) in cash and virtual currencies, 850 kg of drugs, and 117 firearms were seized. The seized drugs include over 258 kg of amphetamines, 43 kg of cocaine, 43 kg of MDMA and over 10 kg of LSD and ecstasy pills.
-
Wichita State restoring systems after cyber attack
Over the weekend, Wichita State University took proactive measures and disconnected several University systems to isolate an unauthorized attempt by a third party to access the University’s systems, according to a statement on the school's website.
Most of the University system access has been restored and there has been no indication that any of the University’s secure data or information has been compromised. The University will continue to engage its security protocols in restoring full availability of all networks and systems, prioritizing student needs.
-
PENNCREST School District dealing with ransomware attack
Over the weekend, the PENNCREST School District became aware of a situation, believed to be a ransomware event, which has disrupted certain aspects of our operations. We quickly took steps to implement our Cybersecurity Incident Response Plan. Following our plan, we shut down and disconnected the entire network and technology infrastructure. We are now working diligently with external cybersecurity specialists to conduct a thorough forensic investigation into the nature and scope of the event and to securely restore operations. At this time, we have not identified evidence of any data loss, data access, or data theft as a result of this event.
-
Montana State University update on “cyberattack” doesn’t disclose it’s ransomware
Threat and Risk Intelligence Services pointed out to DataBreaches that the university’s update does not mention that this is a ransomware attack by Royal that has been listed on Royal’s leak site (but without data as yet).
-
The Untold Story of the Boldest Supply-Chain Hack Ever
It was late 2019, and Adair, the president of the security firm Volexity, was investigating a digital security breach at an American think tank. The intrusion was nothing special. Adair figured he and his team would rout the attackers quickly and be done with the case—until they noticed something strange. A second group of hackers was active in the think tank’s network. They were going after email, making copies and sending them to an outside server. These intruders were much more skilled, and they were returning to the network several times a week to siphon correspondence from specific executives, policy wonks, and IT staff.
-
Suffolk, without a cyberattack recovery plan, hires chief to create one - Newsday
Kenneth Brancik will oversee development and enforcement of programs intended to protect the county's data, systems and technology, Suffolk County officials said.
-
Bitmarck shuts down systems, services after cyberattack • The Register
German IT services provider Bitmarck has shut down all of its customer and internal systems, including entire datacenters in some cases, following a cyberattack.
The company, one of the largest service providers for German health insurers, said no customer, patient, or insured individuals' data had been accessed in the security breach — at least not according to "the current state of knowledge," according to an April 30 update posted on its temporary website.
-
T-Mobile discloses second data breach since the start of 2023
T-Mobile disclosed the second data breach of 2023 after discovering that attackers had access to the personal information of hundreds of customers for more than a month, starting late February 2023.
Compared to previous data breaches reported by T-Mobile, the latest of which impacted 37 million people, this incident affected only 836 customers. Still, the amount of exposed information is highly extensive and exposes affected individuals to identity theft and phishing attacks.
-
"Passive" analysis of a phishing attachment, (Mon, May 1st)
When it comes to analysis of malicious code, one often has to weigh the potential benefits of a quick, dynamic analysis, which might cause the code to interact with infrastructure operated by a threat actor...
-
FBI cites risk of Chinese hackers in request for additional cybersecurity funding
The U.S. Federal Bureau of Investigation has requested a funding boost for its cybersecurity and related investigation services while highlighting that Chinese hackers outnumber FBI cyber staff by 50 to one. The request came at a congressional hearing late last week.
-
‘BouldSpy’ Android Malware Used in Iranian Government Surveillance Operations
The Iranian government has been using the BouldSpy Android malware to spy on minorities and traffickers.
-
CISA Asks for Public Opinion on Secure Software Attestation
CISA has opened proposed guidance for secure software development to public review and comment.
-
New ‘Lobshot’ hVNC Malware Used by Russian Cybercriminals
Russian cybercrime group TA505 has been observed using new hVNC malware called Lobshot in recent attacks.