Security Leftovers
-
Security updates for Tuesday [LWN.net]
Security updates have been issued by Debian (epiphany-browser, python-ipaddress, and sqlparse), Fedora (python-django3 and qemu), Red Hat (apr-util, autotrace, bind, bind9.16, container-tools:4.0, container-tools:rhel8, ctags, curl, device-mapper-multipath, dhcp, edk2, emacs, freeradius:3.0, freerdp, frr, gcc-toolset-12-binutils, git, git-lfs, go-toolset:rhel8, grafana, grafana-pcp, gssntlmssp, Image Builder, kernel, kernel-rt, libarchive, libreswan, libtar, libtiff, mingw-expat, mysql:8.0, net-snmp, pcs, php:7.4, poppler, postgresql-jdbc, python-mako, python27:2.7, python38:3.8 and python38-devel:3.8, python39:3.9 and python39-devel:3.9, samba, sysstat, tigervnc, unbound, virt:rhel and virt-devel:rhel, wayland, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (dmidecode, postgresql13, prometheus-sap_host_exporter, python-cryptography, rekor, and thunderbird), and Ubuntu (firefox, matrix-synapse, and mysql-8.0).
-
Ongoing Facebook phishing campaign without a sender and (almost) without links (Mon, May 15th)
At the Internet Storm Center, we often receive examples of current malspam and phishing e-mails from our readers. Most of them are fairly uninteresting, but some turn out to be notable for one reason or another. This was the case with several messages that Charlie, one of our readers, has submitted to us since the beginning of 2023.
-
Man Pleads Guilty to Conspiracy to Sell Stolen Financial Information on Dark Web
According to court documents, Michael D. Mihalo, aka Dale Michael Mihalo Jr., 40, of Naperville, was the founder of a darknet “carding” site called Skynet Market, which was used to sell stolen financial information on the internet. Operating under the moniker ggmccloud1, Mihalo and his co-conspirators were also prominent vendors on additional darknet markets, including AlphaBay Market, Wall Street Market, and Hansa Market. Each market required users to conduct transactions in digital currencies, including Bitcoin. Through these markets, Mihalo and his co-conspirators sold the stolen financial information, primarily the credit and debit card numbers and associated information, of tens of thousands of U.S. victims between Feb. 22, 2016, and Oct. 1, 2019.
-
Patients concerned after local allergy clinic closes its doors because of alleged data breach
A local asthma and allergy clinic has closed its doors because of an alleged security data breach.
Patients are now concerned that their medical records may have been compromised.
Several patients have told KOCO that they are in need of asthma medication from the Oklahoma Institute of Allergy Asthma and Immunology but have been turned away because of a sign on the door that claims a security data breach at the clinic happened nearly two weeks ago.
“I went one day to get an allergy shot, and all of a sudden, like the door was locked, and there was a sign on the door,” said patient Kristen McMurray.
-
New York audit: School districts unprepared for cyber attacks
Student data, including names, birth dates and addresses, are not always kept secure by school districts or the state Education Department, the state Comptroller’s Office found in an audit issued Tuesday.
The Education Department “has not taken the fundamental steps or improved the technical controls needed to secure its own critical systems,” the auditors said.
Auditors also went to four school districts and scanned their systems for vulnerabilities. What they found was so concerning that the districts took immediate action, they said.
-
HHS Office for Civil Rights Settles HIPAA Investigation with Arkansas Business Associate MedEvolve Following Unlawful Disclosure of Protected Health Information on an Unsecured Server for $350,000
As background: this case began with Justin Shafer finding an unsecured FTP server owned by MedEvolve. He reported it to DataBreaches. This site first reported on the leak in 2018. This site also reported when MedEvolve issued a statement months later, and again two years later when HHS got them to notify patients.
-
Justice Department Announces Five Cases as Part of Recently Launched Disruptive Technology Strike Force
The Disruptive Technology Strike Force is co-led by the Departments of Justice and Commerce to counter efforts by hostile nation-states to illicitly acquire sensitive U.S. technology to advance their authoritarian regimes and facilitate human rights abuses. The Strike Force’s work has led to the unsealing of charges against multiple defendants in five cases accused of crimes including export violations, smuggling and theft of trade secrets.
-
New 'MichaelKors' Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems [Ed: No, it targets proprietary software of VMware, not Linux]
A new ransomware-as-a-service (RaaS) operation called MichaelKors has become the latest file-encrypting malware to target Linux and VMware ESXi systems as of April 2023.
-
Windows TCO
-
#StopRansomware: BianLian Ransomware Group
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) are releasing this joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations as of March 2023.
-
Russian National Charged with Ransomware Attacks Against Critical Infrastructure
The Justice Department today unsealed two indictments charging a Russian national and resident with using three different ransomware variants to attack numerous victims throughout the United States, including law enforcement agencies in Washington, D.C. and New Jersey, as well as victims in healthcare and other sectors nationwide.
-
Insured companies more likely to be ransomware victims, sometimes more than once
Companies with cyber insurance are more likely to get hit by ransomware, more likely to be attacked multiple times, and more likely to pay ransoms, according to a recent survey of IT decision makers.
-
Ransomware Charges Unsealed Against Russian National
An indictment was unsealed today in the District of Columbia charging a Russian national with participating in a global ransomware campaign which deployed ransomware variants against victims in the District of Columbia, the United States, and around the world. Mikhail Pavlovich Matveev, alleged to use the online monikers Wazawaka, m1x, Broriscelcin, and Uhodiransomwar, 30, of Kaliningrad, Russia, is charged with intentional damage to a protected computer and threats relating to a protected computer.
-
Franklin County Public Schools hit by ransomware attack
Franklin County Public Schools were closed Monday following a ransomware attack that is still impacting the school division.
-
Introducing CS2BR pt. I – How we enabled Brute Ratel Badgers to run Cobalt Strike BOFs
If you know all about CS, BRC4 and BOFs you might want to skip this introduction and get right into the problem statement. You can also jump right to the solution.
Introduction: When we conduct Red Team assessments at NVISO, we employ a wide variety of proprietary and open source tools.
-