Security Leftovers
-
Cilium 1.14 expands networking beyond Kubernetes, offers higher speeds
Cilium, an open-source networking, security and observability project, has released version 1.14 with an array of connectivity, security and observability updates. The Cilium 1.14 update also introduces new mesh capabilities, high-speed networking and security enhancements.
“Cilium is quickly growing beyond Kubernetes and beyond container networking,” Thomas Graf, founder of Cilium and CTO of Isovalent, told SDxCentral. “It is becoming an overall cloud-native connectivity platform meeting enterprise-grade standards.”
-
Unraveling the New WordPress Vulnerabilities: Safeguarding Your Digital Fortress
Thank you to Ruth Webb for contributing this article. WordPress stands tall as one of the most popular content management systems (CMS), empowering millions of websites worldwide in the ever-evolving digital landscape. Its flexibility and user-friendliness have made it a top choice for bloggers, businesses, and individuals. However, with great popularity comes great responsibility, and WordPress, like any other platform, is not immune to security vulnerabilities.
-
Cyber Security Headlines Week in Review: Stolen Microsoft key, government Maximus breach, Clop on clearweb
The private encryption key used by Chinese hackers to break into the email accounts of high-level U.S. government officials disclosed last week also gave them access to a vast array of other Microsoft products, according to new research from cloud security firm Wiz. In a blog post published Friday, Shir Tamari, head of research at Wiz, said further investigation has revealed the compromised key would have given the hacking group, which Microsoft calls Storm-0558, access to far more than Outlook, spanning many other Microsoft services that use the same authentication process, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers’ applications that support the login with Microsoft functionality, and multi-tenant applications in certain conditions, Tamari wrote. Microsoft revoked the affected key, but Wiz warned that a sophisticated APT could have used the access and time to build in backdoors or other forms of persistence into victim systems and accounts. Further, any applications that rely on local certificate stores or cached keys may still be using the corrupted key and would be vulnerable to continued exploitation. A link to the Wiz blog is included in the shownotes to this episode.
-
MAR-10454006-r2.v1 SEASPY Backdoor
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
[...]
CISA obtained two SEASPY malware samples. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG).
-
MHMR Authority of Brazos Valley provides notice of ransomware attack last November
On December 22, 2022 DataBreaches added MHMR Authority of Brazos Valley to our non-public breach worksheet. Based on information at that time from Hive threat actors, it appeared that the non-profit Texas mental health and substance abuse treatment provider’s files had been locked on November 5. Their listing on Hive’s leak site was a sure sign that the provider had not paid Hive’s ransom demands.
But it wasn’t until July 28 of 2023 that MHMR Authority of Brazos Valley issued any press release. Based on their statement, on May 30, they learned that personal and protected health information of some employees and current and former patients may have been involved. They do not explain why it took them so many months to determine that. If Hive had been true to form, they would have emailed MHMR Authority of Brazos Valley at least several times and told them in the emails what kinds of data they had acquired. In a number of ransom emails DataBreaches had seen that were sent to other Hive victims, Hive would also indicate how many files or GB of data they had acquired. Was such info sent to this victim, and if so, did it help them determine what had been accessed or not?
-
Cyberattacks And Compromise of Attorney Client Confidences
In an underappreciated ruling, District of Columbia Judge Amit Mehta ruled that the multinational law firm Covington & Burling must comply with an SEC subpoena requiring the firm to give up the names of clients, publicly-traded corporations, in order for the SEC to investigate whether there was any trading on non-public information. This didn’t arise because of suspicious trades or other red flags on the corporate side of the ledger, but because hackers working for China launched a successful cyber attack on Microsoft which ultimately gave them access to the firm’s internal records.
-
School Accreditation Organization Data Breach Exposed Sensitive Information on Students, Parents, and Teachers Online
When contacted by DataBreaches, Fowler indicated that he did not know for how long the database had been publicly accessible and he spotted no logging records in the exposed database. Nor does he know whether they have notified affected individuals, although it is now more than two months since they secured the database.
-
Attacked by Black Basta, BankCard USA paid ransom.
Marco A. De Felice of SuspectFile (aka @amvinfe) reports that BankCard USA (BUSA) recently paid the Black Basta ransomware group a $50,000 ransom. But if BUSA hoped to keep the breach and payment out of the public eye, they should sit down before they read SuspectFile’s reporting, because it is going to make them sad.
BankCard USA provides end-to-end electronic payment products and services to more than 100,000 American companies. As described by SuspectFile, for about a month, the merchant services provider and Black Basta went back and forth in their negotiations, with BUSA’s negotiator demanding a series of guarantees from Black Basta and offering the ransomware group payment of less than 10% of what was being demanded to delete what the threat actors claimed was 200 GB of files they had exfiltrated.
-
The Chattanooga Heart Institute to notify 170,450 about March “data security incident”
In May, DataBreaches dutifully noted The Chattanooga Heart Institute (CHI) on our non-public worksheets. At the time, all we knew was that Karakurt threat actors had claimed to have attacked them and to have exfiltrated 158 GB of data.
-
Arizona man who extorted Georgia Tech sentenced to prison
Ronald Bell has been sentenced to two years and nine months in prison for extorting Georgia Tech. Bell recruited a security guard to falsely claim that the guard had witnessed an assault by the university’s basketball coach, in exchange for part of the extortion payout Bell expected to receive from the university.
“Ronald Bell tried to extort Georgia Tech and ruin the reputation of its basketball coach,” said U.S. Attorney Ryan K. Buchanan. “As federal prosecutors, we have a responsibility to the citizens of this district to pursue accountability and justice for crimes of sexual violence. But in this case Bell attempted to exploit the mission of our office, and law enforcement partners, to combat sexual assault through a brazen effort to enrich himself at the expense of Georgia Tech and a member of its staff. Bell has now been held accountable for his crime.”
“Bell sought to severely damage the reputation of the institution and their coach solely for his own financial gain,” said Keri Farley, Special Agent in Charge of FBI Atlanta. “This sentence proves that the FBI will not tolerate false allegations and will do everything in our power to seek the truth and hold individuals who commit these types of crimes accountable for their selfish actions.”
-
Preventing Web Application Access Control Abuse
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. National Security Agency (NSA) are releasing this joint Cybersecurity Advisory to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities. IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users. These requests succeed where there is a failure to perform adequate authentication and authorization checks.
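The advisory's definition of IDOR boils down to a handler that authenticates the session but never checks that the caller is allowed to touch the object whose identifier arrived in the request. The following Python is an added illustration, not code from the advisory or from any of the agencies named above: it uses a constructed in-memory invoice store (the `Invoice` record, the user names and the ids are all made up) and places a vulnerable read handler beside hardened read and delete handlers that enforce ownership on every object access.

```python
"""Insecure direct object reference (IDOR) beside its fix.

Constructed example: an in-memory invoice store stands in for a database and
plain functions stand in for web or API handlers, so it runs offline.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Invoice:
    invoice_id: int
    owner: str      # account that is allowed to see or change this record
    amount: float
    notes: str = ""


class Forbidden(Exception):
    """Caller is not authenticated."""


class NotFound(Exception):
    """Object does not exist, or must appear not to exist for this caller."""


def sample_store() -> Dict[int, Invoice]:
    """Constructed sample data: two users, each owning one invoice."""
    return {
        1001: Invoice(1001, "alice", 120.00, "alice's invoice"),
        1002: Invoice(1002, "bob", 75.50, "bob's invoice"),
    }


def get_invoice_vulnerable(store: Dict[int, Invoice],
                           current_user: Optional[str],
                           invoice_id: int) -> Invoice:
    """IDOR: the session is authenticated, but ownership is never checked,
    so any logged-in user can read any invoice by changing the id."""
    if current_user is None:
        raise Forbidden("login required")
    if invoice_id not in store:
        raise NotFound(invoice_id)
    return store[invoice_id]


def _load_owned(store: Dict[int, Invoice],
                current_user: Optional[str],
                invoice_id: int) -> Invoice:
    """Shared authorization step: authenticate, then require ownership."""
    if current_user is None:
        raise Forbidden("login required")
    inv = store.get(invoice_id)
    # "Missing" and "not yours" get the same error so the response does not
    # reveal which ids exist to a caller who is guessing them.
    if inv is None or inv.owner != current_user:
        raise NotFound(invoice_id)
    return inv


def get_invoice_secure(store: Dict[int, Invoice],
                       current_user: Optional[str],
                       invoice_id: int) -> Invoice:
    """Read only after the ownership check passes."""
    return _load_owned(store, current_user, invoice_id)


def delete_invoice_secure(store: Dict[int, Invoice],
                          current_user: Optional[str],
                          invoice_id: int) -> bool:
    """Destructive operations need the same check as reads, not a weaker one."""
    inv = _load_owned(store, current_user, invoice_id)
    del store[inv.invoice_id]
    return True


if __name__ == "__main__":
    store = sample_store()
    # Vulnerable handler: alice reads bob's invoice just by supplying its id.
    print(get_invoice_vulnerable(store, "alice", 1002))
    # Hardened handler: the same request is refused.
    try:
        get_invoice_secure(store, "alice", 1002)
    except NotFound as exc:
        print("alice denied invoice", exc)
    print(get_invoice_secure(store, "bob", 1002))
```

The design point is that the check lives in one helper that every handler (read, update, delete) goes through, so a new endpoint cannot skip it by accident; returning "not found" for both missing and foreign objects is a common hardening choice and is an assumption of this example, not something the advisory prescribes.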
-
Hobbs has questions about data breach that exposed ESA student info
A data breach exposed the personal information of thousands of Arizona students enrolled in the state’s school voucher program, according to Gov. Katie Hobbs, but the state’s top education official says it’s not a problem.
Earlier this month, ClassWallet, the online financial administration platform that handles payments for Arizona’s Empowerment Scholarship Account program, suffered a data breach that jeopardized the names and disability categories of thousands of Arizona students. The incident triggered an investigation by the Arizona Department of Homeland Security, according to a letter sent from Hobbs, a Democrat, to Superintendent of Public Instruction Tom Horne, a Republican, on Friday.
-
New Smartphone Vulnerability That Could Expose User Location to Hackers Found by Researchers
A recent discovery by a PhD student of Northeastern University has revealed a potential vulnerability in text messaging that could expose smartphone users’ location to hackers.
Evangelos Bitsikas, a PhD student in cybersecurity at Northeastern, and his research group employed a sophisticated machine-learning program to analyze data from the traditional SMS system, which has been used since the early 1990s, and identified this concerning flaw.
Bitsikas explained that the vulnerability lies in the automated delivery notification feature of SMS. When a text message is sent, the recipient’s phone automatically responds with a delivery notification.