Security Leftovers and Windows TCO
-
Scoop News Group ☛ Russian hackers offered phony drone training to exploit WinRAR vulnerability
Despite an August patch, Russian and Chinese state-backed hackers are using a vulnerability in the popular software to carry out espionage.
-
New York Times ☛ Allied Spy Chiefs Warn of Chinese Espionage Targeting Tech Firms
F.B.I. officials say more than half of Chinese spying efforts aimed at stealing technology occurs in Silicon Valley.
-
Bruce Schneier ☛ Analysis of Intellexa’s Predator Spyware
Amnesty International has published a comprehensive analysis of the Predator government spyware products.
These technologies used to be the exclusive purview of organizations like the NSA. Now they’re available to every country on the planet—democratic, nondemocratic, authoritarian, whatever—for a price. This is the legacy of not securing the Internet when we could have.
-
Krebs On Security ☛ The Fake Browser Update Scam Gets a Makeover
One of the oldest malware tricks in the book -- hacked websites claiming visitors need to update their Web browser before they can view any content -- has roared back to life in the past few months. New research shows the attackers behind one such scheme have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement: By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain.
-
SANS ☛ Hiding in Hex, (Wed, Oct 18th)
There are a variety of attacks seen from DShield honeypots [1]. Most of the time these commands are human readable, but every now and again they are obfuscated using base64 or hex encoding. A quick look for commands containing the "/x" delimiter gives a lot of results encoded in hexadecimal.
-
Silicon Angle ☛ GitGuardian debuts new way to manage software encryption keys and secrets
Managing various encryption keys and other secrets has always been painful for enterprise security managers. A new service from GitGuardian called Has My Secret Leaked attempts to bring some clarity in a market that is typically overlooked by many corporate application developers. Ignorance brings peril, as can be most recently seen with Microsoft’s Storm-0558 breach [...]
-
LWN ☛ Security updates for Wednesday
Security updates have been issued by Debian (slurm-wlm), Fedora (icecat and python-configobj), Oracle (dotnet6.0, kernel-container, nginx, nginx:1.20, nginx:1.22, and python3.9), Red Hat (bind9.16, curl, dotnet6.0, kernel-rt, kpatch-patch, nghttp2, nodejs, python-reportlab, and virt:rhel), Slackware (util), SUSE (buildah, conmon, erlang, glibc, kernel, nghttp2, opensc, python-urllib3, samba, slurm, and suse-module-tools), and Ubuntu (frr, linux-azure, and pmix).
-
LWN ☛ Remote execution in the GNOME tracker
While the vulnerability itself is pretty run-of-the-mill, the recently disclosed GNOME vulnerability has a number of interesting facets. The problem lies in a library that reads files in a fairly obscure format, but it turns out that files in that format are routinely—automatically—processed by GNOME if they are downloaded to the local system. That turns a vulnerability in a largely unknown library into a one-click remote-code-execution flaw for the GNOME desktop.
-
LWN ☛ GCC features to help harden the kernel
Hardening the Linux kernel is an endless task, with work required on multiple fronts. Sometimes, that work is not done in the kernel itself; other tools, including compilers, can have a significant role to play. At the 2023 GNU Tools Cauldron, Qing Zhao covered some of the work that has been done in the GCC compiler to help with the hardening of the kernel — along with work that still needs to be done.
The Kernel self-protection project is the home for much of the kernel-hardening work, she began. Hardening can be done in a number of ways, starting with the fixing of known security bugs, which may be found by static checkers, fuzzers, or code inspection. Fixing bugs is a never-ending task, though; it is far better, when possible, to eliminate whole classes of bugs entirely. Thus, much of the work in the kernel has focused on getting rid of problems like stack and heap overflows, integer overflows, format-string injection, pointer leaks, use of uninitialized variables, use-after-free bugs, and more. Effort is also going into blocking methods of exploitation, including the ability to overwrite kernel text or function pointers.
-
Rock County refusing to pay bad actors who launched ransomware attack
Rock County officials are refusing to pay the $1.9 million hackers are seeking to unlock files that were encrypted during a recent ransomware attack.
[…] Smith says fortunately all critical systems are back online, while some less important systems are still being worked on.
-
Data Breaches ☛ Personal Touch Holding settles NY Attorney General’s lawsuit stemming from 2021 ransomware incident: will pay $350k, improve security
This is another example of a state attorney general litigating under both HIPAA and state law. HHS’s own closing comments from its own investigation did not suggest any penalty or that it had really imposed any specific requirements on the firm: [...]
-
Zimbabwe ☛ Of the man who hacked Liquid customers’ accounts and stole their data, allegedly
I remember a time when people could use Econet data for free. I may or may not have partaken. Some claim they can still use NetOne data for free today. The hacks that allowed/(allow?) for that involve tricking Econet/NetOne systems into believing one has an active bundle.
-
Security Week ☛ Former Navy IT Manager Sentenced to Prison for Hacking, Selling PII
Former Navy IT manager Marquis Hooper was sentenced to prison for stealing PII and selling it on the dark web.
-
Data Breaches ☛ UPDATE: D.C. Board of Elections data breach contained fewer than 4,000 D.C. voters’ data
On October 6, DataBreaches reported a breach allegedly containing more than 600,000 lines of data on registered voters in D.C., where, according to the threat actors who listed it, each line represented one voter’s records.
Although there may have been 600k lines of data as previously reported, the D.C. Board of Elections released a statement on October 16 stating that so far, their preliminary forensic investigation in conjunction with the Multi-State Information Sharing and Analysis Center (MS-ISAC) indicates that there were fewer than 4,000 registered voters from D.C. The data records are from August 9, 2019 to January 25, 2022 and contain information from voters who participated in DCBOE’s canvass process, which is conducted every odd-numbered year to ensure the voter roll is up-to-date.
-
Data Breaches ☛ Inmediata settles multi-state litigation for $1.14 million; will improve data security and breach notification practices
In January 2019, HHS OCR alerted Inmediata that protected health information (PHI) maintained by Inmediata was available online and had been indexed by search engines.
In April 2019, Inmediata first issued a press release about the incident. The dozens of comments on DataBreaches responding to their press release included reports that people were getting notification letters with other people’s names on them, suggesting that Inmediata really did a poor job of breach notification and may have had a HIPAA privacy breach in the process of notifying people of the data security breach. The information potentially involved in the original incident may have included patients’ names, addresses, dates of birth, gender, and medical claim information.
-
CISA ☛ Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. Threat actors exploited CVE-2023-22515 as a zero-day to obtain access to victim systems and continue active exploitation post-patch. Atlassian has rated this vulnerability as critical; CISA, FBI, and MS-ISAC expect widespread, continued exploitation due to ease of exploitation.
-
Bleeping Computer ☛ KwikTrip all but says IT outage was caused by a cyberattack
Kwik Trip has released another statement on an ongoing outage, all but confirming it suffered a cyberattack that has led to IT system disruptions.
Kwik Trip is a US chain of over 800 convenience stores and gas stations in Michigan, Minnesota, and Wisconsin, also operating under the name Kwik Star in Illinois, Iowa, and South Dakota. The company employs over 35,000 people.
-
Henry Schein Inc. discloses cyberattack
Henry Schein Inc., Long Island’s largest publicly traded company, said that a “cybersecurity incident” it discovered Saturday affected some of its manufacturing and distribution businesses.
“Henry Schein promptly took precautionary action, including taking certain systems offline and other steps intended to contain the incident, which has led to temporary disruption of some of Henry Schein’s business operations. The company is working to resolve the situation as soon as possible,” the Melville-based company, a distributor of dental and medical products and services to healthcare providers, said in a statement Sunday.
-
Security Week ☛ Lost and Stolen Devices: A Gateway to Data Breaches and Leaks
By implementing strong security practices, organizations can significantly reduce the risks associated with lost and stolen computers and safeguard their sensitive information.
-
Oklahoma City University data breach lawsuit dismissed
-
Security Week ☛ D-Link Says Hacker Exaggerated Data Breach Claims
Hacker claims to have breached D-Link’s network in Taiwan and is offering to sell stolen data, but the company says the claims are exaggerated.
-
The Strategist ☛ The impact of artificial intelligence on cyber offence and defence
To make cyberspace more defensible—a goal championed by Columbia University and called for in the 2023 US National Cybersecurity Strategy—innovations must not just strengthen defences, but give a sustained advantage to defenders relative to attackers.
-
The Strategist ☛ Shields beyond the horizon: landing Australia’s 2023 cybersecurity strategy
Australia’s new cybersecurity strategy is all but released.
-
Bleeping Computer ☛ D-Link confirms data breach after employee phishing attack
Taiwanese networking equipment manufacturer D-Link confirmed a data breach linked to information stolen from its network and put up for sale on BreachForums earlier this month.
The attacker claims to have stolen source code for D-Link’s D-View network management software, along with millions of entries containing personal information of customers and employees, including details on the company’s CEO.
[…]
While it confirmed the breach, D-Link specified that the intruder accessed a product registration system within what it described as a “test lab environment,” operating on an outdated D-View 6 system that reached the end of life in 2015.
-
Security Week ☛ Oracle Patches 185 Vulnerabilities With October 2023 CPU
Oracle on Tuesday released 387 new security patches that address 185 vulnerabilities in its code and third-party components.
-
Security Week ☛ Tens of Thousands of Cisco Devices Hacked via Zero-Day Vulnerability
Tens of thousands of Cisco devices have reportedly been hacked via the exploitation of the zero-day vulnerability CVE-2023-20198.
-
Security Week ☛ Recent NetScaler Vulnerability Exploited as Zero-Day Since August
Mandiant says the recently patched Citrix NetScaler vulnerability CVE-2023-4966 had been exploited as zero-day since August.
-
Windows TCO