Security Leftovers

posted by Roy Schestowitz on Sep 02, 2023

• Mitigations for Important Vim Code Execution, DoS Vulns Released

  Several denial of service (DoS) and code execution vulnerabilities have been discovered in the Vim enhanced vi editor.

• Potential Weaponizing of Honeypot Logs [Guest Diary], (Thu, Aug 31st)

  [This is a Guest Diary by James Turner, an ISC intern as part of the SANS.edu BACS program]

• The low, low cost of (committing) cybercrime, (Thu, Aug 31st)

• Security updates for Friday

  Security updates have been issued by Debian (chromium, firefox-esr, and gst-plugins-ugly1.0), Fedora (firefox, libeconf, libwebsockets, mosquitto, and rust-rustls-webpki), SUSE (amazon-ssm-agent, open-vm-tools, and terraform-provider-helm), and Ubuntu (linux-azure, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp-5.15, linux-gcp-5.4, linux-oracle-5.4, linux-gkeop, linux-gkeop-5.15, linux-intel-iotg, linux-kvm, linux-oracle, and python-git).

• Za: Enforcement Notice Issued To Dis-Chem For Violating POPIA

  On the 31st of August 2023, the Information Regulator took action by issuing an Enforcement Notice against Dis-Chem, due to their non-compliance with several provisions of the Protection of Personal Information Act (POPIA).

  In the timeline of events, it was revealed that during the months of April and May in 2022, a brute force attack was launched against Grapevine, a third-party service provider engaged by Dis-Chem. A brute force attack involves repeated attempts to guess a password until the correct combination is discovered. It wasn’t until the 1st of May 2022 that Dis-Chem became aware of this security breach when certain employees received SMS notifications.

• NPS tells media, families it will strive to communicate better

  In August's board meeting, Norman Public Schools announced it would improve its relationship with media outlets and parents.

  "We are always wanting to make sure we have ongoing transparent easily-accessible communication, not only internally, but externally as well," said Holly Nevels, the associate superintendent and chief human resource officer, at the meeting.

  "We want our internal staff, teachers, and students to feel informed, and we certainly want our community to feel informed and connect to our schools," she added.

  The district has adjusted language in its 2022-2027 Strategic Plan to bolster its commitment to open communication, said Chelsey Kraft, the director of communications, public relations, and public information officer for the district, in an interview with The Transcript.

• Norman Public Schools tells media, families it will strive to communicate better

  Well, it seems one school district has seen the light and will try to be more transparent and timely in the event of security incidents. Norman Public Schools in Oklahoma experienced a ransomware attack in November 2022. At the time, DataBreaches was revealing more details about the breach by the Hive ransomware gang and the leaked data than the district had revealed and noted the district had not responded to this site’s inquiries.

• Education Sector Heavily Targeted as the School Year Begins

  As the 2023 school year begins, threat actors are poised to launch various types of cyberattacks ranging from direct deposit scams to ransomware. The education sector is often targeted during holiday breaks. Threat actors take advantage of this pastime when staff is away or just prior to busy seasons, such as the beginning of the school year, long weekends, or before the end of a marking period when final grades are due. Within the last few weeks, publicly announced ransomware attacks sharply increased and included Cleveland City Schools in Tennessee, the Prince George’s County Public Schools – one of the largest US school districts with approximately 130,000 students in the Washington D.C. area – and the University of Michigan, just three weeks after the MOVEit data theft attack impacted Michigan State University.

• At some point, SNAtch Team stopped being the Snatch ransomware gang. Were journalists the last to know?

  In December 2019, Sophos published an analysis of Snatch ransomware. In June 2020, DFIR Report provided a case study, and in July 2020, LIFARS wrote an article about Snatch ransomware having been detected in attacks in June.

  Since then, the Snatch leak site has continued to add victims and the media (including DataBreaches) has continued to report on their attacks, but somehow, none of us reporting on Snatch seemed to know that there had been a seismic shift in their operations. On some date unknown to DataBreaches, the gang that took its name as fans of the movie “Snatch” was no longer a ransomware gang. To say that DataBreaches was surprised to realize that we might have been misreporting them as a ransomware gang would be an understatement.

• United States v Alexander Pakhtusov

  Alexander Pakhtusov was a seller on both Slilpp and Paysell (now called Blackpass) using the moniker “Mrtikov.” His overall involvement spanned from at least April 2016 through September 2019 and included listing for sale over 17 million economically valuable accounts of individuals held at various companies and banks. He actually sold over 14,000 sets of login credentials. The people who purchased those login credentials used those credentials to steal money from victim accounts.