Security Leftovers
-
Bleeping Computer ☛ StripedFly malware framework infects 1 million Windows, Linux hosts
The StripedFly malware framework was first discovered after Kaspersky found the platform's shellcode injected in the WININIT.EXE process, a legitimate Windows OS process that handles the initialization of various subsystems.
[...]
For persistence on Windows systems, StripedFly adjusts its behavior based on the level of privileges it runs on and the presence of PowerShell.
Without PowerShell, it generates a hidden file in the %APPDATA% directory. In cases where PowerShell is available, it executes scripts for creating scheduled tasks or modifying Windows Registry keys.
-
LWN ☛ Security updates for Friday
Security updates have been issued by Debian (chromium and firefox-esr), Fedora (firefox, redis, samba, and xen), Oracle (python39:3.9, python39-devel:3.9), Slackware (mozilla and xorg), and SUSE (libnbd, open-vm-tools, python, sox, vorbis-tools, and zchunk).
-
LWN ☛ Removing syscall() from OpenBSD
For a view into the OpenBSD approach to security, see this message from Theo de Raadt, where he describes a plan to remove the syscall() system call (which allows the invocation of any available system call by providing its number) from the kernel. The purpose, of course, is to make it harder for an attacker to invoke an arbitrary system call, even if they are able to run some code on the target system.
-
Data Breaches ☛ Six months after data security incident, Fredericksburg Foot & Ankle Center notifies patients
On October 24, the Fredericksburg Foot & Ankle Center (FFAC) in Virginia began mailing breach notification letters to almost 15,000 patients affected by a cyberattack. The letter’s “What Happened?” section simply stated, “As a result of a recent data security incident, an unauthorized person accessed our computer systems.” It did not mention ransomware or any extortion demand.
Later in the letter, recipients would read that the incident was on April 21. Was the delay due to files being encrypted? They do not explain, but their external counsel informed the Maine Attorney General’s Office that the breach was discovered on September 5. But it wasn’t first discovered on September 5. That’s just when they claim they discovered protected health information was involved. The breach should have been considered “discovered” on or about June 7 when LockBit3.0 added the medical practice to its leak site (if it hadn’t already been discovered by FFAC).
-
Data Breaches ☛ Inadequate security measures: the Guarantor sanctions an ASL. The healthcare facility had suffered a ransomware attack
The Privacy Guarantor has imposed a sanction of 30,000 euros on a Neapolitan local health authority for failing to adequately protect the personal data and health data of 842,000 patients and employees from hacker attacks.
-
Data Breaches ☛ Hackers escalate: leak 200k CCSD students’ data; claim to still have access to CCSD email system
Clark County School District (CCSD) in Nevada informed parents and employees that they became aware of a “cybersecurity incident” on October 5. Three weeks later, the district had not fully recovered from the attack and parents were complaining about the district’s lack of transparency about what was stolen in the breach. Disturbingly, while the district has not disclosed the scope of the breach of student information, the hackers started disclosing it this week – and in the worst way possible – by leaking 200,000 students’ information and numerous other files with personal information. There may be more to come.
Yesterday, Tiffany Lane of News3LV and Julie Wooten of Las Vegas Review-Journal reported that parents were increasingly concerned about the breach after receiving emails purportedly from the hackers with their children’s personal information. One parent described the email they received as, “Warning me that my children’s information was released or hacked into and it had three PDF files. Each one had my children’s picture, all of their contact information, email addresses, student ID numbers, my information, our address.”