Security Leftovers
-
Security Week ☛ Mass Exploitation of ‘Citrix Bleed’ Vulnerability Underway
Thousands of Citrix NetScaler ADC and Gateway instances remain unpatched against a critical vulnerability that is being widely exploited, security researchers warn.
The flaw, which had been exploited as a zero-day since August, is tracked as CVE-2023-4966 (CVSS score of 9.4) and is now referred to as ‘Citrix Bleed’. It allows unauthenticated attackers to leak sensitive information from on-prem appliances that are configured as an AAA virtual server or a gateway.
-
Krebs On Security ☛ Russian Reshipping Service ‘SWAT USA Drop’ Exposed
One of the largest cybercrime services for laundering stolen merchandise was hacked recently, exposing its internal operations, finances and organizational structure. Here’s a closer look at the Russia-based SWAT USA Drop Service, which currently employs more than 1,200 people across the United States who are knowingly or unwittingly involved in reshipping expensive consumer goods purchased with stolen credit cards.
-
Data Breaches ☛ HC3: Analyst Note: 8Base Ransomware
While similarities exist between 8Base and other ransomware gangs, the group’s identity, methods, and motivations remain largely unknown. What follows is an overview of the group, possible connections to other threat actors, an analysis of their ransomware attacks, their target industries and victim countries, impacts to the HPH sector, MITRE ATT&CK techniques, indicators of compromise, and recommended defenses and mitigations against the group.
-
Exclusive: Virginia’s Fairfax Schools Expose Thousands of Sensitive Student Records
Virginia’s Fairfax County Public Schools disclosed tens of thousands of sensitive, confidential student records, apparently by accident, to a parent advocate who has been an outspoken critic of its data privacy record.
The documents identify current and former special education students by name and include letter grades, disability status and mental health data. In one particularly sensitive disclosure, a counselor identified over 60 students who’ve struggled with issues like depression, including those who have engaged in self-harm or been hospitalized.
-
Australian Clinical Labs to face court over 2022 data breach
The Office of the Australian Information Commissioner believes Australian Clinical Labs did not adequately protect personal data, leading to an increased risk of “identity theft, extortion and financial crime”.
When Medlab Pathology was hacked in February 2022, 223,000 Australians had their personal information exposed on the darknet, including credit card details and passport information.
However, that breach was not fully reported to the Office of the Australian Information Commissioner until July 2022. Now, the OAIC is taking Medlab’s owner, Australian Clinical Labs, to court over claims that the company did not do enough to protect the information in its care.
-
[Repeat] Data Breaches ☛ It took an HHS complaint, but three years later, some Ventura Orthopedic patients are finally being notified of a ransomware attack
In August 2020, DataBreaches reported that the Maze ransomware gang had added Ventura Orthopedics to their name-and-shame leak site. At the time, Ventura did not respond to inquiries about whether they would confirm or deny the claims. And they did not respond to other inquiries from DataBreaches when the Conti ransomware gang subsequently listed 1,850 Ventura Orthopedics on its leak site.
On August 28, 2020, DataBreaches updated its post to report that this site was contacted by Chris Roberts, who was with HillBilly Hit Squad at the time. Roberts said he was contacting DataBreaches on behalf of Ventura Orthopedics who had asked him to help explain the incident and their then-current status. Roberts stated that he was still conducting forensics and asked if he could get back to DataBreaches shortly. DataBreaches agreed.
-
Data Breaches ☛ Jeffco Public Schools hit by the same threat actors that hit Clark County School District — and via the same way
DataBreaches contacted SingularityMD to ask them some preliminary questions. In response, they noted that they first gained access to Jeffco about six months ago, using exactly the same methods that they reported using for CCSD. Once again, a district’s policy of using students’ date of birth as their password enabled threat actors to gain access to the network with relative ease. In discussing the CCSD attack with DataBreaches, SingularityMD (SM) had stated:
-
The Age AU ☛ ‘Curious’ pharmacist spied on patient records at The Alfred
About 7000 Alfred Health patients are victims of a privacy breach after a pharmacist working at Victoria’s leading trauma hospital accessed personal medical records without authorisation.
Alfred Health wrote to every patient affected in a letter sent on Monday, seen by The Age, which said the pharmacist was dismissed after an investigation, launched in June, found they had used the hospital’s electronic database to view records over four years without a clinical reason to do so.
-
The Defense Post ☛ Boeing Confirms ‘Cyber Incident’ from LockBit Hacking Group
Boeing has confirmed a “cyber incident” in its parts and distributions business days after a ransomware group published threats against the company.
The acknowledgment came after LockBit hackers said on Friday they had tapped “a tremendous amount” of classified data from Boeing that would be leaked online if the company does not transfer payment by November 2.
The statement was reportedly erased from the hacking website Wednesday morning, an update from Reuters said.
-
Bloomberg ☛ NY Financial Regulator Rolls Out Updated Cybersecurity Standards
New York regulators assigned heightened cybersecurity requirements to banks, insurers, and financial services providers based in the state with the release of finalized rule amendments Wednesday.
Covered entities will have to use multifactor authentication, expand cybersecurity governance duties, and conduct consistent threat testing under the regulation updated by the New York Department of Financial Services.
The New York agency is a national leader in cybersecurity regulation, with other state and federal regulators adopting its approach—the Federal Trade Commission notably said its newest breach reporting standards were “based primarily” on rules first established in New York.
-
Bleeping Computer ☛ Okta hit by third-party data breach exposing employee information
Okta is warning nearly 5,000 current and former employees that their personal information was exposed after a third-party vendor was breached.
-
Bloomberg ☛ Wawa Data Breach Settlement’s $3 Million Lawyers Fee Rejected
A federal appeals court has vacated over $3 million in attorneys’ fees awarded as part of a $12.2 million data breach settlement against Wawa Inc.
The fee award issue now is remanded to the district court “to take a closer look at the reasonableness of the attorney’s fees in proportion to class benefit and to scrutinize the presence of side agreements,” said Judge Paul Matey, writing for the US Court of Appeals for the Third Circuit in an opinion released Thursday.
-
The Straits Times ☛ Healthcare institutions’ websites outage did not disrupt critical service but it does shake confidence
It might have come as a shock that the websites for all public sector healthcare institutions were unavailable for more than seven hours on Wednesday.
Given today’s high dependency on the Internet, people here expect online access to public sector information to be always available. So the shock is greater when the disruptions did not affect just one institute, but the entire public healthcare system.
Many people questioned why there wasn’t a back-up system. Checks by cyber security experts of the websites that were down showed they shared similar IP addresses, which suggests that the websites of all three public healthcare clusters were hosted on the same server.
-
Data Breaches ☛ Town of Iowa in Louisiana victim of ransomware attack: ALPHV publishes a portion of the exfiltrated documents
The ransomware group ALPHV (BlackCat) has published a first part of exfiltrated data from the Town of Iowa in the state of Louisiana.
-
Data Breaches ☛ Exclusive: Daixin Team claims responsibility for attacks affecting Canadian hospitals, starts leaking data
Daixin Team is now claiming responsibility for — and leaking data from — an attack that has significantly impacted five Canadian hospitals in Ontario.
TransForm Shared Service Organization provides IT, supply chain, and accounts payable services to Windsor Regional Hospital, Hotel Dieu Grace, Erie Shores Healthcare, Hospice of Windsor-Essex, and the Chatham-Kent Health Alliance. According to media coverage and news releases by TransForm, a ransomware attack disrupted the hospitals’ access to Wi-Fi, email, and patient information systems. Surgeries and appointments have reportedly been canceled or rescheduled in some cases, and patients could not be reached by phone to alert them to the interrupted services. Yesterday, CBC reported that radiation treatment for cancer patients was being transferred from Windsor to other hospitals.
-
Bleeping Computer ☛ Toronto Public Library outages caused by Black Basta ransomware attack
The Toronto Public Library is experiencing ongoing technical outages due to a Black Basta ransomware attack.
The Toronto Public Library (TPL) is Canada’s largest public library system, giving access to 12 million books through 100 branch libraries across the city. The library system has 1,200,000 registered members and operates on a budget that surpasses $200M.
-
Data Breaches ☛ Exclusive: Advarra hacked, threat actors threatening to leak data (1)
Of note, the listing, which included a note written in Hebrew, claims that Advarra called the threat actors “digital terrorists” and that one of the executives told them to “fuck off.” No data was leaked with the posting, but it threatened to leak data if the company did not reach out.