Security Leftovers
-
Qakbot Hackers Continue to Push Malware After Takedown Attempt
Qakbot cybercriminals continue to push malware, which shows they are still operational after the recent takedown attempt.
-
Prolific malware and botnet operator Qakbot still operating despite FBI takedown
A little over a month since a multinational task force headed by the U.S. Federal Bureau of Investigation and Dutch police claimed to have taken down prolific malware and botnet operator Qakbot, the threat actors behind Qakbot are back, but in a surprising twist, it appears they never went away to begin with.
-
Cisco Plugs Gaping Hole in Emergency Responder Software
Cisco warns that unauthenticated, remote attackers can log into devices using the root account, which has default, static credentials that cannot be changed or deleted.
-
CISA, NSA Publish Guidance on IAM Challenges for Developers, Vendors
New US government guidance details the challenges that application developers and vendors face in identity and access management (IAM).
-
NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
-
Red Cross Publishes Rules of Engagement for Hacktivists During War
ICRC is telling hacktivists involved in conflict during war to avoid targeting civilian objectives and hospitals, or making threats of violence.
-
High-Severity Glibc Bug Impacts Major Linux Platforms | Decipher [Ed: This headline, for a change, is correct. High-Severity? Not so much... in relative terms not at all.]
Researchers are urging security teams to prioritize the patching of a buffer overflow flaw in GNU C Library (glibc) that is what they call “a pressing concern” for numerous Linux distributions.
Glibc, which is the C library implementation in the GNU system, defines system calls and other basic functionalities and exists in most systems running the Linux kernel. This flaw is severe due to both its impact and the extensive use of glibc across Linux distributions. If exploited, the flaw could allow local attackers to gain full root access on popular Linux platforms, and researchers with Qualys said they have identified the flaw on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13.
In a coordinated effort on Wednesday, multiple platforms released patches for the flaw, including Debian, Ubuntu and Red Hat. Qualys said it has held on publishing proof-of-concept (PoC) exploit code on the flaw, but several other security researchers have released their own exploit code.
-
Exploits released for Linux flaw giving root on major distros [Ed: The patches have been out for days already]
Proof-of-concept exploits have already surfaced online for a high-severity flaw in GNU C Library's dynamic loader, allowing local attackers to gain root privileges on major Linux distributions.
-
Cyber Security Headlines: Red Cross hacktivist rules, Looney Tunables hit Linux, CISA violates First Amendment
The International Committee of the Red Cross published a set of rules regarding hacktivist activities in times of armed conflict in the European Journal of International Law. The rules note the rise in cyber-attacks by civilians during war that impact non-military targets, including hospitals. They call for no direct cyber-attacks against civilian objects and for not using malware that spreads indiscriminately or automatically. They also call for no cyber-attacks on humanitarian facilities such as hospitals. The rules come as cyber-attacks by both pro-Russian groups and the IT Army of Ukraine have escalated as part of the ongoing war in Ukraine.
-
Nodle Joins Forces with Adobe and Linux Foundation to Spearhead Blockchain-Based Content Validation
In a strategic move aimed at revolutionizing content validation, Nodle, a prominent player in the decentralized infrastructure sector, has forged partnerships with industry titans Adobe and the Linux Foundation. This collaboration seeks to harness the potential of blockchain technology to ensure the authenticity and integrity of real-world content captured on various devices.
-
Vali Cyber: Linux Cybersecurity Solutions Provider Company Closes $15 Million
Vali Cyber – a next-generation provider of Linux cybersecurity solutions – recently announced the successful completion of its seed funding round, raising $15 million. The round was co-led by Grotech Ventures and the 412 Venture Fund (412VF), with strong support from Riverfront Ventures, Florida Funders, and additional strategic investors. The investment highlights the critical need to effectively address the specific security requirements of devices running the Linux operating system.
-
23andMe Cyberbreach Exposes DNA Data, Potential Family Ties
23andMe, the popular DNA testing company, has launched an investigation after client information was listed for sale on a cybercrime forum this week.
On Oct. 1, a post was published on the forum with a link to a sample of allegedly "20 million pieces of data" from the genetic testing company, claiming that it was "the most valuable data you'll ever see." The first leak included 1 million lines of data, but on Oct. 4, the threat actor began offering bulk data profiles ranging from $1 to $10 per account in batches of 100, 1,000, 10,000, and 100,000 profiles.
The information leaked in the breach includes names, usernames, profile photos, gender, birthdays, geographical location, and genetic ancestry results.
-
D.C. Board of Elections voter registration data up for sale on dark web (1)
The listing links to a sample consisting of one registered voter’s data. That listing included a number of fields including, but not limited to, VoterID, registration date, voter’s last name, middle name, and first name, partial SSN, driver’s license number, telephone number, date of birth, postal address, political party affiliation, email address, and polling place. DataBreaches was able to confirm that it accurately matched the DCBOE’s database for that voter by using the board of election’s verification process.
-
PCSD network hacked; FBI investigating
The Parkers Chapel School District has been hacked, and federal law enforcement agencies, in partnership with the State of Arkansas, are currently investigating the matter.
John Gross, PCSD superintendent, said the district learned about the hack last Thursday, Sept. 29.
-
INC Ransomware claims to have hit Federal Labor Relations Authority
INC declined to reveal when they first gained access to FLRA or how they first gained access. They confirmed that the August 26 date in the file tree was the date exfiltration of data began and informed DataBreaches that they acquired 29 GB of files — all of the files listed in the filetree that they had provided DataBreaches.
-
Ransomware gang QakBot resurfaces after feds’ botnet takedown | SC Media
Evidence suggests the notorious Qakbot malware gang continued staging cyberattacks in August, even as authorities seized its infrastructure and dismantled the formidable botnet it had built up over several years.
Before the FBI-led operation that took down the botnet, QakBot (also known as “QBot,” “QuackBot” and “Pinkslipbot”) was the most common malware loader seen by ReliaQuest, accounting for 30% of all loaders its researchers observed in the first seven months of this year.
-
Record Numbers of Ransomware Victims Named on Leak Sites [Ed: 95% of the time it is a Windows issue, according to surveys]
The number of victims named on ransomware leak sites reached “unprecedented levels” in the four months from March to June 2023, according to Secureworks’ 2023 State of the Threat report.
-
Data of 900 Hongkongers exposed after hackers breach WhatsApp accounts of social services and schools
Hackers hit five social services and schools, compromising details, including names and mobile phone numbers of users, parents and pupils.
-
Charleston-based tech company settles data breach for nearly $50M
A South Carolina software company has agreed to a multi-million dollar settlement for a 2020 ransomware event that exposed the personal information of millions of consumers in the United States.
South Carolina Attorney General Alan Wilson announced that Blackbaud would pay $49.5 million to states settling allegations that the company violated state consumer protection laws, breach notification laws and HIPAA by not implementing reasonable data security.
Blackbaud’s software connects nonprofit organizations with donors and manages data about their constituents. That data includes contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information.
-
Security updates for Thursday
Security updates have been issued by Debian (chromium, libx11, and libxpm), Fedora (ckeditor, drupal7, glibc, golang-github-cncf-xds, golang-github-envoyproxy-control-plane, golang-github-hashicorp-msgpack, golang-github-minio-highwayhash, golang-github-nats-io, golang-github-nats-io-jwt-2, golang-github-nats-io-nkeys, golang-github-nats-io-streaming-server, golang-github-protobuf, golang-google-protobuf, nats-server, and pgadmin4), Red Hat (firefox and thunderbird), SUSE (chromium, exim, ghostscript, kernel, poppler, python-gevent, and python-reportlab), and Ubuntu (binutils, exim4, jqueryui, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle, linux-raspi, linux-starfive, linux-kvm, linux-oem-6.1, nodejs, and python-django).
-
Security updates for Friday
Security updates have been issued by Debian (grub2, libvpx, libx11, libxpm, and qemu), Fedora (firefox, matrix-synapse, tacacs, thunderbird, and xrdp), Oracle (glibc), Red Hat (bind, bind9.16, firefox, frr, ghostscript, glibc, ImageMagick, libeconf, python3.11, python3.9, and thunderbird), Scientific Linux (ImageMagick), SUSE (kernel, libX11, and tomcat), and Ubuntu (linux-hwe-5.15, linux-oracle-5.15).
-
The end of the Red Hat security-announcements list
Red Hat has announced that its longstanding "rhsa-announce" mailing list will be shut down on October 10. That is the list that receives security advisories for Red Hat Enterprise Linux and a whole slew of related products. Anybody who was counting on that list for Red Hat security advisories will need to find an alternative; a few options are listed in the announcement.