Security Leftovers
-
Security updates for Wednesday
Security updates have been issued by Debian (e2guardian), Fedora (libeconf), Red Hat (dmidecode, kernel, kernel-rt, keylime, kpatch-patch, libcap, librsvg2, linux-firmware, and qemu-kvm), Slackware (mozilla), SUSE (chromium and shadow), and Ubuntu (cups, dotnet6, dotnet7, file, flac, and ruby-redcloth).
-
Free Download Manager site redirected Linux users to malware for years [Ed: With Windows, the supply chain is always compromised, even by design and by intention]
A reported Free Download Manager supply chain attack redirected Linux users to a malicious Debian package repository that installed information-stealing malware.
The malware used in this campaign establishes a reverse shell to a C2 server and installs a Bash stealer that collects user data and account credentials.
-
Free Download Manager backdoored – a possible supply chain attack on Linux machines
Over the last few years, Linux machines have become a more and more prominent target for all sorts of threat actors. According to our telemetry, 260,000 unique Linux samples appeared in the first half of 2023. As we will demonstrate in this article, campaigns targeting Linux can operate for years without being noticed by the cybersecurity community.
-
Kaspersky reveals three-year long suspected supply chain attack targeting Linux
Kaspersky unveiled a malicious campaign in which an installer of the Free Download Manager software had been employed to disseminate a Linux backdoor for a minimum of three years. Researchers discovered that victims were infected when they downloaded the software from the official website, indicating that this is a possible supply chain attack. Variants of the malware used in this campaign were first identified in 2013. Victims are based in various countries, including Brazil, China, Saudi Arabia, and Russia.
-
Password-stealing Linux malware served for 3 years and no one noticed
Ars Technica reports on a credential-stealing Trojan horse that would infect only some of those who installed the "Free Download Manager". The article is based on a Kaspersky report that details the malicious payload offered up at that site from 2020 to 2022.
-
Password-stealing Linux malware served for 3 years and no one noticed
The site, freedownloadmanager[.]org, offered a benign version of a Linux offering known as the Free Download Manager. Starting in 2020, the same domain at times redirected users to the domain deb.fdmpkg[.]org, which served a malicious version of the app. The version available on the malicious domain contained a script that downloaded two executable files to the /var/tmp/crond and /var/tmp/bs file paths. The script then used the cron job scheduler to cause the file at /var/tmp/crond to launch every 10 minutes. With that, devices that had installed the booby-trapped version of Free Download Manager were permanently backdoored.
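As an added defender-side example (not code from the Ars Technica or Kaspersky reports quoted here), the following Python scanner flags crontab entries matching the persistence described above: jobs referencing the reported /var/tmp/crond and /var/tmp/bs paths, or any /var/tmp job scheduled every 10 minutes. The crontab content is constructed for the demonstration.

```python
"""Scan crontab text for persistence resembling the Free Download Manager backdoor."""
import re

# Dropper paths named in the reports quoted above.
SUSPICIOUS_PATHS = ("/var/tmp/crond", "/var/tmp/bs")

# Constructed sample (not captured data): one benign job, one entry modelled on
# the reported every-10-minutes launcher, and one @reboot reference to /var/tmp/bs.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/backup.sh
*/10 * * * * /var/tmp/crond
@reboot /var/tmp/bs >/dev/null 2>&1
"""

def parse_cron_line(line):
    """Return (schedule, command) for a job line; None for blanks, comments and
    VAR=value assignments. Handles 5-field schedules and @reboot-style shortcuts."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or re.match(r"^\w+=", stripped):
        return None
    if stripped.startswith("@"):
        parts = stripped.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else "")
    parts = stripped.split(None, 5)
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]

def runs_every_10_minutes(schedule):
    """True only for '*/10 * * * *' (minute step of 10, all other fields wildcards)."""
    fields = schedule.split()
    return len(fields) == 5 and fields[0] == "*/10" and all(f == "*" for f in fields[1:])

def scan_crontab(text, system_crontab=False):
    """Return (line_no, schedule, command, reasons) for suspicious jobs.
    For /etc/crontab-style files the field after the schedule is the user and is dropped."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        if system_crontab:
            command = command.split(None, 1)[1] if " " in command else ""
        reasons = [p for p in SUSPICIOUS_PATHS if p in command]
        if runs_every_10_minutes(schedule) and "/var/tmp/" in command:
            reasons.append("every-10-min job under /var/tmp")
        if reasons:
            findings.append((n, schedule, command, reasons))
    return findings

if __name__ == "__main__":
    for line_no, schedule, command, reasons in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {line_no}: [{schedule}] {command} -> {', '.join(reasons)}")
```

Run it against `crontab -l` output or the files under /etc/cron.d by passing their text to `scan_crontab` (with `system_crontab=True` for the system-format files).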
-
MITRE ATT&CK in 2023: Focus on Mobile, Linux and ICS
Cyberattacks are a constant fact of life today. The increasing volume and sophistication of cybercrime means that managed security services providers (MSSPs) should strongly consider taking advantage of resources such as MITRE’s Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) framework.
-
Microsoft Teams down: Ongoing outage behind message failures, delays
-
A GCC -fstack-protector vulnerability on arm64
The GCC stack-protector feature detects stack-based buffer overruns by putting a canary value on the stack and noticing if that value is changed. It turns out, though, that dynamically allocated local variables (such as variable-length arrays and space obtained with alloca()) are placed beyond the canary, so overflows of those variables will not be detected. As a result, arm64 binaries built with vulnerable versions of GCC are not as protected as they should be and need to be rebuilt.
-
Texas Medical Liability Trust updates its data breach notification; now provides notification on behalf of almost 60,000 individuals
In March, Texas Medical Liability Trust on behalf of itself and its affiliates, Texas Medical Insurance Company, Physicians Insurance Company, and Lone Star Alliance, Inc., a Risk Retention Group (collectively “TMLT”) filed a breach notification with the Maine Attorney General’s Office. That submission indicated that 625 individuals had been affected by a breach that occurred between October 2, 2022 and October 13, 2022.
-
Facebook Messenger phishing wave targets 100K business accounts per week
Hackers use a massive network of fake and compromised Facebook accounts to send out millions of Messenger phishing messages to target Facebook business accounts with password-stealing malware.
The attackers trick the targets into downloading a RAR/ZIP archive containing a downloader for an evasive Python-based stealer that grabs cookies and passwords stored in the victim’s browser.
-
Rachel Anderton
A former family intervention officer at St Helens Borough Council has been sentenced for unlawfully accessing social services records.
Rachel Anderton was prosecuted for viewing records on the council’s case management system between 17 January 2019 and 17 October 2019 without having a business need to do so.
An internal council audit found the defendant unlawfully looked at the records of 145 people whilst employed in the social services department. Anderton resigned from the council before disciplinary proceedings commenced.
-
Conti member indicted for role in 2021 Scripps Health ransomware attack
On September 7, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), in coordination with the United Kingdom, sanctioned 11 individuals who are alleged to be part of the Russia-based Trickbot cybercrime group. At the same time, the U.S. Department of Justice (DOJ) unsealed indictments against nine individuals in connection with the Trickbot malware and Conti ransomware schemes, including seven of the 11 individuals designated that day.
-
Cyberattack causes multiple court systems to shut down some public safety computer servers
A cyberattack caused St. Louis County to shut down some computer systems used to look up court cases, issue charges and process people in custody at the jail, County Executive Sam Page said Tuesday.
Police officers, jail officials, the county counselor, municipal court officials and the prosecuting attorney’s office all use the Regional Justice Information System, or REJIS. The county was alerted to the problem Monday afternoon, said Doug Moore, a spokesman for Page.
-
Come Clean About Data Breaches And Get Lower Fines, Says UK's ICO
British businesses could face lower fines if they proactively report data breaches, thanks to an agreement between the UK’s data protection regulator and cybersecurity agency.
The Information Commissioner’s Office (ICO) and National Cyber Security Centre (NCSC) say they plan to encourage engagement with the NCSC in the event of a breach, and allow meaningful engagement with the NCSC to lead to reduced regulatory penalties.
"We already work closely with the NCSC to offer the right tools, advice and support to businesses and organisations on how to improve their cyber security and stay secure," says information commissioner John Edwards.
-
County Experiences Security Breach With Jail Employee Email
A cyber event last month may have affected the security of some information maintained by Butler County.
County officials say they found out August 8th that an email account related to the County jail was sending unauthorized spam emails.
-
MGM Resorts incident: social engineering strikes again?
All the ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation.
-
Chambersburg Area School District answers some questions about ransomware attack, won’t say if they paid hackers
Did CASD pay ransom?
On the advice of our counsel, in order to protect the integrity of the various ongoing investigations, we are not answering this question at this time. We assure you that, CASD is working closely with counsel and law enforcement and taking appropriate action in response to this event.