Security Leftovers
-
Pen Test Partners ☛ OSINT. What can you find from a domain or company name
We carry out lots of attack surface assessments, parts of which involve investigating information that has been unintentionally disclosed.
-
Security Week ☛ New Relic Says Hackers Accessed Internal Environment Using Stolen Credentials
New Relic said hackers gained access to an environment using social engineering and stolen credentials for an employee account.
-
Security Week ☛ ICS at Multiple US Water Facilities Targeted by Hackers Affiliated With Iranian Government [Ed: The issue here is Windows]
Security agencies say the Cyber Av3ngers group targeting ICS at multiple water facilities is affiliated with the Iranian government.
-
LWN ☛ Security updates for Tuesday
Security updates have been issued by Debian (roundcube), Fedora (java-latest-openjdk), Mageia (libqb), SUSE (python-Django1), and Ubuntu (request-tracker4).
-
23andMe data breach: Hackers accessed data of 6.9 million users
23andMe, a company that does genetic testing and traces ancestry through shared DNA, confirmed to FOX TV Stations on Monday that hackers accessed personal data of about 0.1% of customers, which amounts to roughly 14,000 people who have used 23andMe.
Hackers were able to breach those accounts because the customers had used the same username and password on 23andMe as they had on other websites that had been previously compromised.
Because the “threat actor” was able to access the personal data of those 14,000 customers, the hackers were also able to access information of about 5.5 million DNA Relatives profile files, as well as 1.4 million Family Tree profiles, a company spokesperson told FOX.
-
Firstpost ☛ Britain dismisses report claiming Sellafield nuclear site hacking, says no malware exists on our system
Hours after The Guardian report claimed that UK’s most hazardous nuclear site Sellafield has been hacked into by cyber groups closely linked to Russia and China, Britain on Monday said that it has no records or evidence to suggest that networks were compromised.
“Our monitoring systems are robust and we have a high degree of confidence that no such malware exists on our system,” Reuters quoted the government as saying.
“This was confirmed to the Guardian well in advance of publication, along with rebuttals to a number of other inaccuracies in their reporting,” the government added.
-
Bleeping Computer ☛ Russian hackers exploiting Outlook bug to hijack Exchange accounts [Ed: The Russia straw man; the issue isn't Russians, the issue is lots of holes in Microsoft products, which it isn't even patching (even when fully informed about that months prior)]
Microsoft’s Threat Intelligence team issued a warning earlier today about the Russian state-sponsored actor APT28 (aka “Fancybear” or “Strontium”) actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information.
The targeted entities include government, energy, transportation, and other key organizations in the United States, Europe, and the Middle East.
The tech giant also highlighted the exploitation of other vulnerabilities with publicly available exploits in the same attacks, including CVE-2023-38831 in WinRAR and CVE-2021-40444 in Windows MSHTML.
CVE-2023-23397 is a critical elevation of privilege (EoP) vulnerability in Outlook on Windows, which Microsoft fixed as a zero-day on the March 2023 Patch Tuesday.
-
Data Breaches ☛ East River Medical Imaging notifies 605,809 patients of breach
The documents involved in this incident contained information that varied by individual. For any patient, it might have included name, contact information, health insurance information, exam and/or procedure information, referring physician, imaging results, and/or Social Security number.
For employees, the information included names, contact information, financial account information, Social Security number, and/or driver’s license number.
-
Data Breaches ☛ Seeking clarification on Maine’s data breach notification statute
If you can’t get an interpretation of a state breach notification statute from the state’s attorney general, where can you get it?