Security Leftovers
-
LWN ☛ Security updates for Thursday
Security updates have been issued by Debian (cacti and chromium), Fedora (CuraEngine, podman, and rubygem-rmagick), Mageia (gnome-shell, openssl, and zlib), SUSE (salt), and Ubuntu (xrdp).
-
Help Net Security ☛ MOVEit hackers leverage new zero-day bug to breach organizations (CVE-2023-47246) [Ed: Windows TCO]
A critical zero-day vulnerability (CVE-2023-47246) in the SysAid IT support and management software solution is being exploited by Lace Tempest, a ransomware affiliate known for deploying Cl0p ransomware.
-
Data Breaches ☛ Paging regulators to Aisle 4 to look at Pacific Union College’s data security and breach disclosure
On November 8, Pacific Union College in California notified the Maine Attorney General’s Office of a breach in March 2023 that impacted 56,041 people. Their notification, submitted by external counsel at McDonald Hopkins, indicates that the breach occurred between March 5 and March 19, 2023 and was discovered on October 9, 2023.
-
USDOJ ☛ Leader of $70M Cryptocurrency and Binary Options Fraud Schemes Extradited to the U.S.
A Serbian man has been extradited to the United States, where he faces charges in two separate federal indictments in the Northern District of Texas and Eastern District of New York for his alleged participation in coordinated cryptocurrency and binary options schemes.
On Feb. 3, pursuant to a request for provisional arrest followed by a request for extradition, Georgian authorities arrested Kristijan Krstic, 48, in Batumi, Georgia. The U.S. Marshals Service (USMS) completed the removal of Krstic on Oct. 30 from Georgia to the Northern District of Texas.
-
Windows TCO
-
Silicon Angle ☛ Mandiant: Russian hackers caused a power outage in Ukraine with 2022 cyberattack
The cyberattack began around June 2022, when Sandworm gained access to the utility’s network by breaching an internet-facing server. A month later, the hackers used the compromised machine to install a malicious networking program. That program established a connection to a command and control server, a system used by hackers to remotely carry out malicious actions.
-
Mandiant ☛ Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology
Sandworm deployed CADDYWIPER in this operation via two Group Policy Objects (GPO) from a Domain Controller using TANKTRAP. TANKTRAP is a utility written in PowerShell that utilizes Windows group policy to spread and launch a wiper. We have observed TANKTRAP being used with other disruptive tools including NEARMISS, SDELETE, PARTYTICKET, and CADDYWIPER. These group policies contained instructions to copy a file from a server to the local hard drive and to schedule a task to run the copied file at a particular time.
-
Wired ☛ Sandworm Hackers Caused Another Blackout in Ukraine—During a Missile Strike
This speed is a sign that the group's newer "living off the land" tactics may not just be stealthier than the carefully built custom malware used in the past, but nimbler too. "Especially during a time of war, you need to be agile and adjust based on your target," says Brubaker. "This gives them a much better ability to do that than having to prep for years ahead."
-
Silicon Angle ☛ Ransomware attack on China’s largest bank disrupts US Treasury markets
First reported by the Financial Times, the news that ICBC had been targeted in a ransomware attack came from the Securities Industry and Financial Markets Association on Wednesday. The attack prevented ICBC from settling Treasury trades on behalf of other market participants, with some equity trades also affected.
-
TechCrunch ☛ SysAid warns customers to patch after ransomware gang caught exploiting new zero-day flaw
Software maker SysAid is warning customers that hackers linked to a notorious ransomware gang are exploiting a newly discovered vulnerability in its widely used IT service automation software.
SysAid chief technology officer Sasha Shapirov confirmed in a blog post Wednesday that attackers are exploiting a zero-day flaw affecting its on-premises software. A vulnerability is considered a zero-day when the vendor — in this case SysAid — has zero time to fix the bug before it is exploited by attackers.
-
The Record ☛ Ransomware gang behind MOVEit attacks are targeting new zero-day, Microsoft says
SysAid published an advisory about the vulnerability — tracked as CVE-2023-47246. The company said it was informed of the issue on November 2 and hired security company Profero to investigate the problem. They have been reaching out to customers about the issue and urged everyone to update their systems to the latest version.
The company provided detailed information about how the hackers are exploiting the vulnerability and what actions they take after gaining entry into a system.
-
The Register UK ☛ Russia's Sandworm – not just missile strikes – to blame for Ukrainian power blackouts
Mandiant says it can't determine Sandworm's initial means of intrusion. But somehow the crew – which Western government agencies and private-sector security researchers have previously linked to Russia's GRU military intelligence unit – successfully gained access to the operational technology (OT) environment of the power station via a hypervisor hosting a supervisory control and data acquisition (SCADA) management instance for the plant's substations.
-
[Old] The Register UK ☛ The Windows malware on Ukraine CERT's radar
If the victim downloaded and ran the fake antivirus update, they would see a screen that told them to install a Windows Update package. Rather than upgrade the operating system, though, the code would fetch and run additional binaries from Discord. These would eventually run Cobalt Strike Beacon on the PC.
-
Tom's Hardware ☛ Latest Windows 2022 Server Update Causes BSODs on AMD EPYC With VBS Enabled
From this information, it's likely that Microsoft's October 2023 update conflicts with the virtualization and Windows Defender firmware protection mechanism on systems running EPYC processors. Sadly, this isn't surprising to see. Stability issues surrounding Windows' virtualization features have been problematic ever since Microsoft first released Virtualization Based Security with Windows 10 (and its Windows Server counterpart).
-