Security Leftovers
-
Monti Ransomware Returns with New Linux Variant and Enhanced Evasion Tactics
The Linux variant is also designed to tamper with the motd (aka message of the day) file to display the ransom note, employ AES-256-CTR encryption instead of Salsa20, and solely rely on the file size for its encryption process.
-
Security updates for Wednesday
Security updates have been issued by Debian (datatables.js and openssl), Fedora (ghostscript, java-11-openjdk, java-latest-openjdk, microcode_ctl, and xen), Red Hat (redhat-ds:11), SUSE (java-1_8_0-openj9, kernel, krb5, pcre2, and perl-HTTP-Tiny), and Ubuntu (gstreamer1.0, mysql-8.0, tiff, and webkit2gtk).
-
Cleveland City Schools face ransomware attack
Cleveland City Schools faced a ransomware attack this week, but it only affected a small number of devices.
The school system said they became aware of the issue on Tuesday, August 15. An issue they say is affecting many other school districts as well. […]
Sensitive information is secure offsite, and officials do not believe any of this data has been compromised.
-
Ransomware Diaries: Volume 3 – LockBit’s Secrets
In this volume of the Ransomware Diaries, I will share interesting, previously unknown details of the LockBit ransomware operation that LockBit has tried very hard to cover up. Until now, you have been lied to about LockBit’s true capability. Today, I will show you the actual current state of its criminal program and demonstrate with evidence-backed analysis that LockBit has several critical operational problems, which have gone unnoticed.
This time, besides using fake personas, I have spoken directly with the gang and many of its affiliate partners. I also reached out to victims. I learned what happens behind the scenes during the ransom negotiations and the relationships LockBit has with its affiliate partners and competing rival gangs. LockBit has secrets it does not want either party to know. Now, I look forward to sharing them with you!
Before I begin, I need to share a significant event that took place as I finalized this report. In August 2023, LockBit’s leadership vanished and was unreachable to fellow gang members, including its affiliate partners, for the first two weeks of August. During that time, several of LockBit’s close associates shared concerns that the gang’s leadership was on the run or dead. Then, on August 13, LockBit reappeared on private channels as if it never happened. Still, during the time LockBit was gone, LockBit’s data leak site and infrastructure were up, but no one was actively managing it.
The question is: why? Fortunately, I have some answers.
-
Hackers threaten publishing sensitive medical data on politicians, Haredi leaders
The hacker group that has claimed responsibility for the breach at the Mayanei HaYeshua Medical Center in central Israel earlier this month has issued an ultimatum to the facility, threatening to reveal sensitive medical files that include the prime minister, MKs, senior rabbis, and other known figures in the Haredi world if its demands are not met.
According to Israel Hayom sources, the hackers demand tens of millions of shekels. The group claims that it has obtained access to hundreds of thousands of digital files due to the breach, including psychiatric evaluations and various checkups that could reveal private medical conditions among Haredi wheelers and dealers. The concern is that this would become a ‘Haredi WikiLeaks’ that could jolt the community.
-
Hospital Mergers Double the Risk of a Data Breach, Study Shows
The healthcare sector is a prime target for data breaches. According to a summary by the HIPAA Journal, 32% of all data breaches between 2015 and 2022 were in the healthcare sector, “almost double the number recorded in the financial and manufacturing sectors.” Industry analysts cite to many reasons for this, including the sensitivity of health data and its value on the black market compared to other forms of data. Evidently, another driver of data breaches for healthcare entities is M&A activity.
-
LinkedIn accounts hacked in widespread hijacking campaign
LinkedIn is being targeted in a wave of account hacks resulting in many accounts being locked out for security reasons or ultimately hijacked by attackers.
As reported today by Cyberint, many LinkedIn users have been complaining about the account takeovers or lockouts and an inability to resolve the problems through LinkedIn support.
“Some have even been pressured into paying a ransom to regain control or faced with the permanent deletion of their accounts,” reports Cyberint’s researcher Coral Tayar.