Security Leftovers (UPDATED)
-
Invisible data exfiltration: New security issue found in Google Workspace [Ed: No, the moment you outsource to Google Workspace it is already a data breach as regimes can access, tamper with, and destroy anything; this issue is about yet more parties having such capabilities. True security means control. It means no regimes can exercise control over you, no matter if they're "good regimes" or "bad regimes" (that can change over time), plus they too can have breaches, so there's a chain of compromise.]
A previously unknown security issue in Google LLC's Workspace could allow an attacker to exfiltrate data from Google Drive without being traced. Detailed Tuesday by researchers at Mitiga Security Inc., the vulnerability is the result of a forensic deficiency that allows a user to exfiltrate data without generating any record of the activity.
-
Adobe Inviting Researchers to Private Bug Bounty Program [Ed: Adobe: we don't want to hire people to identify our bug doors; will y'all volunteer?]
Adobe is inviting security researchers to join its private bug bounty program on the HackerOne platform.
-
Critical Remotely Exploitable Django Vuln Fixed | LinuxSecurity.com
It was discovered that Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1 incorrectly handled uploading multiple files using one form field (CVE-2023-31047). With a low attack complexity, no privileges required to exploit, and a high confidentiality, integrity and availability impact, this vulnerability has been rated as “Critical” by the National Vulnerability Database (NVD).
-
Critical Vulnerabilities Found in Faronics Education Software
Faronics patches critical-severity remote code execution (RCE) vulnerabilities in the Insight education software.
-
Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information [Ed: "The clown" is a security breach; it's proprietary software, remotely controlled]
Salesforce ghost sites — domains that are no longer maintained but still accessible — can expose personal information and business data.
-
Russia Blames US Intelligence for iOS Zero-Click Attacks [Ed: It should blame itself for buying Apple despite all that is known about Apple and the NSA et al]
Kaspersky said its corporate network has been targeted with a zero-click iOS exploit, just as Russia's FSB said iPhones have been targeted by US intelligence.
-
Russian FSB Accuses U.S. of Hacking Thousands of iPhones in Russia
The announcement is related to a blog post written by researchers from Kaspersky who said someone had targeted them with iPhone malware.
-
Russian Security Service Claims Thousands Of Diplomats' iPhones Hacked; Moscow-Based Kaspersky Also Hit
Russia's Federal Security Service (FSB) claims thousands of iPhones belonging to the country's diplomats have suffered a massive hacking attack.
-
Russia says US hacked thousands of Apple phones in spy plot
Russia’s Federal Security Service (FSB) said on Thursday it had uncovered an American espionage operation that compromised thousands of iPhones using sophisticated surveillance software.
Moscow-based Kaspersky Lab said dozens of its employees’ devices were compromised in the operation.
The FSB, the main successor to the Soviet-era KGB, said in a statement that several thousand Apple Inc devices had been infected, including those of domestic Russian subscribers as well as foreign diplomats based in Russia and the former Soviet Union.
“The FSB has uncovered an intelligence action of the American special services using Apple mobile devices,” the FSB said in a statement.
-
Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
Critical authentication bypass and high-severity command injection vulnerabilities have been patched in Moxa’s MXsecurity product.
-
Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
Google is offering a bug bounty reward of up to $180,000 for a full chain exploit leading to a sandbox escape in the Chrome browser.
-
Toyota Discloses New Data Breach Involving Vehicle, Customer Information [Ed: The problem here is that people tolerate and buy cars that collect data they must not and need not have]
Toyota says improper cloud configurations exposed vehicle and customer information in Japan and overseas for years.
-
Security updates for Friday [LWN.net]
Security updates have been issued by Debian (cups and netatalk), SUSE (cups, ImageMagick, installation-images, libvirt, openvswitch, and qemu), and Ubuntu (avahi, cups, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, linux, linux-aws, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-aws-5.4, linux-bluefield, linux-intel-iotg, and linux-intel-iotg-5.15).
-
Major data breach at UL Hospitals Group exposes patient info - Gript
UL Hospitals Group, responsible for managing six hospitals in the midwest region, announced a significant data breach resulting in the inadvertent sharing of personal and medical information belonging to over 1,000 patients with an unknown third party.
The breach occurred in January when a staff member mistakenly sent the data to an unidentified recipient.
The affected patients received gastroenterology services at University Hospital Limerick, Ennis Hospital, and Nenagh Hospital between 2018 and January 2023. The breach involved an email attachment containing “patient names, dates of birth, medical chart numbers, and limited medical information,” according to ULHG in a statement. However, no personal contact details like phone numbers or email addresses were compromised.
-
Orbiter Finance Discord Server Hacked
The Discord server of Orbiter Finance, a decentralized cross-rollup layer-2 bridge, was compromised by bad actors, who have shared a link to a fraudulent airdrop program. This incident marks the latest targeting of Orbiter Finance.
-
Middlesex Co. Public Schools confirms ransomware attack
The superintendent for Middlesex County Public Schools confirmed Thursday that the school division was the subject of a recent ransomware attack.
“We can confirm that Middlesex County Public Schools recently suffered a ransomware attack,” said Superintendent Dr. Tracy Seitz in a statement to 10 On Your Side. “We took immediate action to begin an internal investigation, creating an incident response team led by our talented IT professionals along with some of the country’s leading experts in cybersecurity. Fortunately, the impact on our daily operations has been minimal.”
The cybersecurity organization BetterCyber said earlier Thursday that the Akira ransomware group claimed to have hacked the Middlesex County Public Schools website, allegedly stealing 543 GB of its data.
-
Update on GLBA Safeguards Rule in Higher Education
On February 9, 2023, the Department of Education Office of Federal Student Aid (“FSA”) issued an electronic notice regarding the Federal Trade Commission’s Final Rule amending the Standards for Safeguarding Customer Information (“Safeguards Rule”) under the Gramm-Leach-Bliley Act (“GLBA”). The amendments to the Safeguards Rule, which go into effect on June 9, 2023, include updated data security requirements for financial institutions, including all Title IV institutions of higher education and servicers.
UPDATE
Similar to the above:
-
Middlesex Co. Public Schools confirms ransomware attack
The superintendent for Middlesex County Public Schools confirmed Thursday that the school division was the subject of a recent ransomware attack.