Security Leftovers
-
Security updates for Tuesday
Security updates have been issued by Debian (exim4), Fedora (firecracker, rust-aes-gcm, rust-axum, rust-tokio-tungstenite, rust-tungstenite, and rust-warp), Gentoo (nvidia-drivers), Mageia (chromium-browser-stable, glibc, and libwebp), Red Hat (kernel), SUSE (ghostscript and python3), and Ubuntu (firefox, libtommath, libvpx, and thunderbird).
-
Against advice of board attorney and feds, David Archie reveals how much Hinds County paid hackers after cyberattack
Hinds County Supervisor David Archie revealed how much officials paid hackers after a cyberattack crippled county services for weeks, against the advice of the board’s attorney and federal investigators, with Archie arguing taxpayers have a right to know what’s going on with their tax dollars.
The information came out during Monday’s public meeting of the Hinds County Board of Supervisors.
Four supervisors voted to approve more than $400,000 to a company to help repair the damage done to Hinds County’s computer systems.
-
8 rules for “civilian hackers” during war, and 4 obligations for states to restrain them
As digital technology is changing how militaries conduct war, a worrying trend has emerged in which a growing number of civilians become involved in armed conflicts through digital means. Sitting at some distance from physical hostilities, including outside the countries at war, civilians – from hacktivists to cyber security professionals, ‘white hat’, ‘black hat’ and ‘patriotic’ hackers – are conducting a range of cyber operations against their ‘enemy’. Some have described civilians as ‘first choice cyberwarriors’ because the ‘vast majority of expertise in cyber(defence) lies with the private (or civilian) sector’.
-
Pathology Lab Has Most of Patient’s Data Breach Claims Dismissed
A patient at a pathology laboratory who suffered a data breach can pursue his negligence claim against Molecular Pathology Laboratory Network, Inc., but all of his other claims were dismissed.
Tri Thai said that the company was subject to a “massive and preventable cyberattack” that it discovered on Dec. 17, 2021. He said that the lab’s computer network was inadequately protected and its patients’ health and personal data were taken. He also said that although the lab knew that his information was impacted by the breach on July 6, 2022, he wasn’t informed until Aug. 4, 2022.
-
Flagler School District Loses ‘Significant Amount of Money’ in Apparent Phishing Scheme Involving Vendor
The Flagler County school district was the target of electronic fraud involving what Flagler County Sheriff Rick Staly described as a “pretty significant amount of money,” in a scheme having all the makings of phishing–a common method by fraudsters of impersonating familiar contacts either to induce a swindle or to make the recipient reveal sensitive financial information. […]
FlaglerLive has learned, but has not confirmed, that the sum involved is around $700,000, and that the money was intended as payment to a contractor or a vendor involved in the ongoing expansion at Matanzas High School, a $22.6 million project on which it broke ground in late July. It did not reach its intended recipient, and the scheme may not have been uncovered promptly enough to enable recovery.
-
Rock County Health Department in Wisconsin victim of cyberattack
-
FBI most-wanted Russian hacker reveals why he burned his passport
Russian hacker Mikhail Matveev, also known on the internet as “Wazawaka” and “Boriselcin,” is wanted by the FBI, which is offering a $10 million reward for information that could lead to his arrest, and has been put on a U.S. sanctions list. But, according to Matveev, his life hasn’t changed much since he was outed as an alleged cybercriminal and put on the FBI’s most wanted list.
“We are Russian people, we are not afraid of the American government,” Matveev told TechCrunch in an online interview. “My life has changed for the better after the sanctions, I don’t feel them on me, as well as sanctions are a plus for my security, so sanctions help us.”
-
HC3: Analyst Note: LokiBot Malware [Ed: This is Microsoft TCO, Microsoft Office]
Active since 2015 and among the most prevalent and persistent strains of malware families since 2018, LokiBot has matured over time to target multi-sector industries. Despite its apolitical targeting of critical infrastructure, the malware’s adverse effect on the Healthcare and Public Health (HPH) sector shows its reach. In March 2020, a multi-threat actor spearphishing campaign to spread LokiBot malware with a false World Health Organization trademark image solidified its threat to the HPH sector. In addition to other malware analyses, HC3 reported on this specific cyberattack in a 2020 HC3 Sector Note on LokiBot. The malware has been widely used for years, and because of behavior changes, it takes a lot of effort to monitor. However, there are some best practices for protecting against LokiBot and managing its impact. What follows is an update to the previous HC3 analysis of LokiBot, a timeline of multi-sector targeted applications, detection strategies, sample MITRE ATT&CK techniques, indicators of compromise, and recommended defenses and mitigations against the malware.
-
Aretis Health LLC notifies patients of 50 entities about MOVEit breach
The total number was submitted to HHS on September 29 but does not appear on that site as yet. We know from their submission to Texas that 294,233 Texans were among those affected.
The types of information involved include: patient names, dates of birth, driver’s license or other state identification card numbers, addresses, Social Security numbers, medical record numbers, patient account numbers, health insurance information, diagnosis and treatment information, clinical and prescription information, and/or provider information.
-
ECHN cyberattack compromised Social Security numbers, financial info and patients’ medical records
The cyberattack against the Eastern Connecticut Health Network in August resulted in the theft of employee and patient names and Social Security numbers, as well as patients’ confidential health and financial information, according to an attorney representing Prospect Medical Holdings — ECHN’s parent company.
In a letter to the Connecticut attorney general’s office on Friday, Sarah Goldstein, an attorney representing the California-based Prospect, provided an update on the attack.
-
A local root vulnerability in glibc [Ed: More calm than the "Sensationalist Clickbait"]
Updates from distributors are beginning to appear and should be applied on any systems with untrusted users. The curious can see the fix applied to glibc in this patch series.
-
Vulnerable Arm GPU drivers under active exploitation. Patches may not be available
The most prevalent platform affected by the vulnerability is Google’s line of Pixels, which are one of the only Android models to receive security updates on a timely basis. Google patched Pixels in its September update against the vulnerability, which is tracked as CVE-2023-4211.