Security Leftovers
-
LWN ☛ Security updates for Friday
Security updates have been issued by Debian (asterisk, chromium, exim4, netatalk, and tomcat9), Fedora (chromium), Gentoo (BlueZ, c-ares, CUPS filters, RDoc, and WebKitGTK+), Oracle (firefox, squid:4, thunderbird, and tigervnc), SUSE (python-aiohttp and python-paramiko), and Ubuntu (linux-intel-iotg).
-
SQLite Security Notice: Urgent Action Needed for Ubuntu 22.04 LTS Users
SQLite, the widely used database management system, has recently come under the scanner for two primary vulnerabilities affecting users of Ubuntu 22.04 LTS. The security notice issued for these flaws highlights the growing concerns over system stability and security, especially in an era where data protection is paramount.
-
Looney Tunables: A Significant Cybersecurity Vulnerability Threatens Linux Systems [Ed: Is this chatbot-generated gibberish? Certainly seems like it, this is very old 'non-news'.]
-
Hacker News ☛ Beware: 3 Malicious PyPI Packages Found Targeting Linux with Crypto Miners [Ed: The issue here is PyPI, not Linux, notably a lack of security audits and people downloading packages from a source that does not do quality assessment]
Three new malicious packages have been discovered in the Python Package Index (PyPI) open-source repository with capabilities to deploy a cryptocurrency miner on affected Linux devices.
-
Medium ☛ How Three New Malicious PyPI Packages Transformed Linux Devices into Cryptocurrency Miners? [Ed: Let's all blame Linux for some people uploading malware and then some other fools downloading that malware and running it]
These packages demonstrate a sophisticated multi-phase attack pattern that culminates in the deployment of a CoinMiner
-
Security Week ☛ Google Patches Six Vulnerabilities With First Chrome Update of 2024
Google has released a Chrome 120 update to resolve six vulnerabilities, including four reported by external researchers.
-
Silicon Angle ☛ Google-owned cybersecurity firm Mandiant targeted in X account takeover
An X Corp. account belonging to Surveillance Giant Google LLC-owned cybersecurity firm Mandiant was hacked on Wednesday and used to promote a cryptocurrency scam.
-
Security Week ☛ Hacked Mandiant X Account Abused for Cryptocurrency Theft
Mandiant’s account on X, formerly Twitter, was hacked and used to lure users to a cryptocurrency phishing site.
-
Security Week ☛ RIPE Account Hacking Leads to Major Internet Outage at Orange Spain
Orange Spain’s internet went down for several hours after its RIPE account was hacked, likely after malware stole the credentials.
-
Pen Test Partners ☛ RAID Technology and the importance of disk encryption in data security
Recently we were engaged by a client experiencing a potential data leak incident.
-
JURIST ☛ Delhi High Court dismisses Parliament security breach petition seeking release from custody
The Delhi High Court dismissed a petition by Neelam Azad on Wednesday seeking her release from detention by Delhi Police. Azad is one of the accused persons in the recent Indian Parliament security breach case.
-
OpenSSF (Linux Foundation) ☛ OpenSSF Election Results for Technical Advisory Council and Representatives to the Governing Board
We are excited to start 2024 by announcing several key election results. OpenSSF Associate Members and General Members and the Community elected their representatives to the Governing Board and we elected a new and expanded Technical Advisory Council (TAC).
-
Security Week ☛ Estes Express Lines Says Personal Data Stolen in Ransomware Attack
Estes Express Lines is informing over 21,000 individuals that their personal information was stolen in a ransomware attack.
-
Security Week ☛ 4.5 Million Individuals Affected by Data Breach at HealthEC
HealthEC says personal information received from business partners was compromised in a July 2023 data breach.
-
Major US Museums Suffer Cyberattack Fallout
Several US arts institutions were rendered unable to display their collections online after a cyberattack struck a tech service provider used by the museums, the New York Times reports. Among those affected by the breach targeting Gallery Systems, which aids cultural institutions in managing internal documents and displaying works digitally, were the Museum of Fine Arts Boston; the Rubin Museum of Art in New York; Frances Lehman Loeb Art Center at Vassar College in Arlington, New York; and the Crystal Bridges Museum of American Art in Bentonville, Arkansas.
Gallery Systems is said to have first become aware of the problem on December 28, when computers running its software became encrypted and no longer operable.
-
Bleeping Computer ☛ Online museum collections down after cyberattack on service provider
-
Data Breaches ☛ Medical Device Cybersecurity: Agencies Need to Update Agreement to Ensure Effective Coordination — GAO
According to the Department of Health and Human Services (HHS), available data on cybersecurity incidents in hospitals do not show that medical device vulnerabilities have been common exploits. Nevertheless, HHS maintains that such devices are a source of cybersecurity concern warranting significant attention and can introduce threats to hospital cybersecurity (see figure).
-
Data Breaches ☛ “Pompompurin” taken into custody after violating conditions of pre-sentencing release on bond
In what will likely come as no surprise to those who know Conor Brian Fitzpatrick aka “Pompompurin,” he allegedly violated the conditions of his pre-sentencing release on bond by using a VPN on the internet without the necessary monitoring required by his release conditions. He was arrested on January 3 and detained until a hearing this morning. At the hearing this morning, he did not oppose the government’s request to detain him until the violation/revocation of bond hearing, which will be held at the same time as his sentencing hearing scheduled for January 19.
-
USDOJ ☛ 19 Individuals Worldwide Charged In Transnational Cybercrime Investigation Of The xDedic Marketplace
United States Attorney Roger B. Handberg announces the culmination of a transnational cybercrime investigation involving the xDedic Marketplace. According to court documents, the xDedic Marketplace was a website on the dark web that illegally sold login credentials (usernames and passwords) to servers located across the world and personally identifiable information—dates of birth and Social Security numbers—of U.S. residents. Once purchased, criminals used these servers to facilitate a wide range of illegal activity that included tax fraud and ransomware attacks. The xDedic administrators practiced exceptional operational security, operating the website across a widely distributed international network, and utilizing cryptocurrency in order to hide the locations of the Marketplace’s underlying servers and the identities of its administrators, sellers, and buyers. In total, xDedic offered more than 700,000 compromised servers for sale, including at least 150,000 in the United States and at least 8,000 in Florida. Marketplace victims spanned the globe and industries, including local, state, and federal government infrastructure, hospitals, 911 and emergency services, call centers, major metropolitan transit authorities, accounting and law firms, pension funds, and universities.
-
Bleeping Computer ☛ Zeppelin ransomware source code sold for $500 on hacking forum
A threat actor announced on a cybercrime forum that they sold the source code and a cracked version of the Zeppelin ransomware builder for just $500.
The post was spotted by threat intelligence company KELA and while the legitimacy of the offer has not been validated, the screenshots from the seller indicate that the package is real.
-
Area city’s cyber attack: Functions restored, $350,000 spent, personal data issue in limbo
The city of Huber Heights remains under a state of emergency as officials work to finalize recovery operations nearly two months after a cyberattack took down multiple government systems and functions.
According to City Manager Rick Dzik, all city services are functional, though “additional infrastructure work” is still underway.
-
Data Breaches ☛ 23andMe Says Breach Victims Are to Blame, Legal Action is Futile
As incident response and public relations go, blaming victims for your breach is generally not an impressive strategy.
-
23andMe Says Breach Victims Are to Blame, Legal Action is Futile
Genetic testing platform 23andMe blames victims of October data breach, a new letter shows.
-
Cyble Inc ☛ Republican Representatives Demand Accountability in Wake of DC Elections Voter Data Breach
The DCBOE is under intense scrutiny regarding the October 2023 DC Election data breach. The two House Republicans, Representatives Bryan Steil (R-Wis.) and Laurel Lee (R-Fla.), have written a resolute letter demanding answers following the DC Election data breach.
Unveiled just last week, the breach, which unfolded in October, exposed the personal information of some 400,000 voters. Steil and Lee, echoing a chorus of ‘deep concern,’ expressed their dismay in a missive that questioned not only the breach but also the tardy realization of its full impact—two weeks post-incident.
-
Data Breaches ☛ A point worth considering
The frequency with which I read folks asserting that ‘education’ and in particular ‘U.S. K-12 schools’ are the most frequent ransomware target is so frustrating. Of course, that’s a nonsense assertion – and not supported by any reasonable read of the data.
-
Bloomberg ☛ Cyber Executive Who Spoke to FBI Due to be Sent to Russia
Russia’s effort to bring its hackers back home is gaining traction.
For years, the US and Russia have sparred over the fate of alleged cybercriminals. There was Yevgeniy Nikulin, a Russian man who broke into LinkedIn, Dropbox and Formspring a decade ago and eventually became the subject of competing extradition requests from the rival countries. (Nikulin was eventually arrested in the Czech Republic, which rebuffed his home country and sent him to the US.)
[…]
Russia’s Prosecutor General’s Office announced on Dec. 21 that Kazakhstan had approved an extradition request for Nikita Kislitsin, an executive for a prominent Russian cybersecurity firm and former editor of Hacker magazine.
-
Data Breaches ☛ Swedish Retail and Grocery Provider Coop Hit by Cactus Ransomware Gang
Coop is one of the largest retail and grocery providers in Sweden, with approximately 800 stores across the country. The stores are co-owned by 3.5 million members in 29 consumer associations. All surplus that is created in the business goes back to the members or is reinvested in the business, which creates a circular cycle.
The Cactus ransomware group claims to have hacked Coop and is threatening to disclose a huge amount of personal information, over 21 thousand directories.