Security News and Fear, Uncertainty, Doubt (FUD) About "Linux"
-
LWN ☛ Security updates for Friday
"Security updates have been issued by Debian (chromium, man-db, and openjdk-17), Fedora (chromium, indent, jupyterlab, kernel, and python-notebook), Gentoo (glibc), Oracle (firefox, thunderbird, and tigervnc), Red Hat (rpm), SUSE (cpio, gdb, gstreamer, openconnect, slurm, slurm_18_08, slurm_20_02, slurm_20_11, slurm_22_05, slurm_23_02, squid, webkit2gtk3, and xerces-c), and Ubuntu (imagemagick and xorg-server, xwayland)."
-
IT News AU ☛ Containers inherit breakout bugs in Linux tools
A number of container environments are vulnerable to container escape, due to bugs in two Linux-based container tools, runc and BuildKit.
Runc is a command line interface (CLI) tool for spawning and running containers on Linux, and is in use in several environments, including Docker, AWS, Kubernetes and more.
An advisory, posted to the OSS-Sec mailing list, states that CVE-2024-21626 is a high-severity “internal file descriptor leak” that has “several exploit methods which allow for full container breakouts”.
-
ANY.RUN Sandbox Now Lets SOC & DFIR Teams Analyze Sophisticated Linux Malware
The ANY.RUN sandbox has now been updated with support for Linux, further enhancing its ability to provide an isolated and secure environment for malware analysis and threat hunting.
This newly added feature will enable security analysts to investigate and simulate malicious activities in Linux-based systems, allowing for more comprehensive and effective threat detection and response.
[...]
Malware Sandboxing Leader ANY.RUN is a cloud malware sandbox that handles the heavy lifting of phishing and malware analysis for SOC and DFIR teams and also helps 300,000 professionals use the platform to investigate incidents and streamline threat analysis.
-
IT Pro ☛ GNU C Library vulnerabilities could impact Linux systems, security company says
Security company Qualys has warned of “significant” vulnerabilities it has discovered in the GNU C Library, a key building block of applications in Linux environments.
The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as their kernel. Qualys explained that the GNU C Library – known as glibc – is an essential component of virtually every Linux-based system, serving as the core interface between applications and the Linux kernel.
-
FritzFrog Botnet Attacking Linux Servers to Steal SSH Credentials [Ed: Bad site. This was patched more than 2 years ago!]
The FritzFrog botnet, originally identified in 2020, is an advanced peer-to-peer botnet built in Golang that can operate on both AMD and ARM-based devices. With constant updates, the malware has developed over time, adding and enhancing features.
-
Federal Trade Commission ☛ FTC Order Will Require Blackbaud to Delete Unnecessary Data, Boost Safeguards to Settle Charges its Lax Security Practices Led to Data Breach
FTC says company’s poor security allowed hacker to steal sensitive data of millions of consumers, go undetected for months
-
BISD phone system now back online with new vendor following ransomware attack
The Beaumont ISD phone system is now back online with a new vendor following a nationwide ransomware attack on January 23 that impacted the district’s entire phone system, according to information Jackie Simien, BISD’s Director of Community and Media Relations, provided to KFDM/Fox4 News.
The district has since changed phone vendors.
The district says there’s absolutely no indication any district data was compromised, and the attack was not on any district-owned devices.
-
Bleeping Computer ☛ Cloudflare hacked using auth tokens stolen in Okta attack
Cloudflare disclosed today that its internal Atlassian server was breached by a suspected ‘nation state attacker’ who accessed its Confluence wiki, Jira bug database, and Bitbucket source code management system.
The threat actor first gained access to Cloudflare’s self-hosted Atlassian server on November 14 and then accessed the company’s Confluence and Jira systems following a reconnaissance stage.
“They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system (which uses Atlassian Bitbucket), and tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil,” said Cloudflare CEO Matthew Prince, CTO John Graham-Cumming, and CISO Grant Bourzikas.
-
European Commission ☛ EU and United States enhance cooperation on cybersecurity
During his visit to Washington D.C., Thierry Breton, Commissioner for Internal Market issued a joint statement with Alejandro N. Mayorkas, United States Secretary of Homeland Security, recalling the importance of cooperation between like-minded partners to address a constantly changing cyber threat landscape.
-
Yahoo News ☛ Groton schools’ internet outage from ‘cyber-attack’ under investigation
Groton Public Schools experienced a district-wide internet outage on Thursday that is under investigation.
“Groton Public Schools was a victim of a cyber-attack on our main servers,” Clint Kennedy, the school district’s director of technology wrote in a message to the school community. “With the help of our technology advisors, we have identified where the attack came from and have ninety percent of our systems operational. We will continue to work through our disaster recovery process in conjunction with the local Police to investigate the situation. We will keep you informed as we learn more.”
-
Data Breaches ☛ Was BrightStar Care attacked by two different groups — or was there only one breach?
On January 24, DataBreaches was contacted by a spokesperson for AlphV (“BlackCat”) to see if this site would be interested in reporting on a breach involving BrightStar Care (“BrightStar”). BrightStar had been added to their dark web leak site that day but without any proof of claim. The spokesperson was offering to show DataBreaches data that was described as containing a lot of patient information. Given that BrightStar offers a range of services for different needs, and has locations in most (but not all) states, any breach might involve patient data. Before viewing any data, though, DataBreaches asked AlphV some questions, and learned that the attack was in early January, but it did not involve any encryption of files. AlphV’s spokesperson stated that they exfiltrated 24 GB of data from all of BrightStar Care’s four brands, obtaining “lots of confidential sensitive patient data.” They would later revise the claim about obtaining a lot of patient data.
-
Bleeping Computer ☛ Lurie Children’s Hospital took systems offline after cyberattack [Ed: Windows kills children]
Lurie Children’s Hospital in Chicago was forced to take IT systems offline after a cyberattack, disrupting normal operations and delaying medical care in some instances.
Lurie Children’s is a Chicago-based pediatric acute care hospital with 360 beds, 1,665 physicians covering 70 sub-specialties, and 4,000 medical staff and employees. It is one of the most important pediatric hospitals in the country, providing care for over 200,000 children annually.