Security Leftovers
-
Security updates for Tuesday
Security updates have been issued by Debian (expat), Oracle (less and nodejs:20), Slackware (libarchive), SUSE (kubernetes1.23, nghttp2, qt6-base, and util-linux), and Ubuntu (python-django).
-
Scoop News Group ☛ Extortion group threatens to sell Change Healthcare data
The data reportedly includes personal information and health details for customers of a variety of companies linked to the payment processor.
-
Rust Blog ☛ The Rust Programming Language Blog: Security advisory for the standard library (CVE-2024-24576) [Ed: Rust is all about security, just like "secure" boot was. They use "security" to blackmail people into compliance and any sceptic or critic is framed as "against security".]
The Rust Security Response WG was notified that the Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on backdoored Windows using the Command API. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping.
-
Thunderbird ☛ Mozilla Thunderbird: Automated Testing: How We Catch Thunderbird Bugs Before You Do
Since the release of Thunderbird 115, a big focus has been on improving the state of our automated testing. Automated testing increases the software quality by minimizing the number of bugs accidentally introduced by changes to the code. For each change made to Thunderbird, our testing machines run a set of tests across Windows, macOS, and GNU/Linux to detect mistakes and unintended consequences. For a single change (or a group of changes that land at the same time), 60 to 80 hours of machine time is used running tests.
Our code is going to be under more pressure than ever before – with a bigger team making more changes, and monthly releases reducing the time code spends on testing channels before being released.
We want to find the bugs before our users do.
-
One month later, pathetic DDoSer keeps trying and failing (1)
March 7 started out fairly normally – until DataBreaches.net was hit with about 11 million requests in less than an hour. Most of them were from Russia, but of course, that didn’t prove anything. But it seemed clear that DataBreaches had ticked someone or some group off. Again.
Ticking off some ransomware groups or individuals is not exactly rare for this site or blogger. Then again, ticking off some victims is not exactly rare, either.
Did AlphV get mad because DataBreaches reported on their exit scam and fake listings? Or did LockBitSupp get mad because DataBreaches reported on their repeated failures to leak data after threatening they would? Or was it some clown this site reported on recently?
-
One year after breach, CCM Health notifies almost 29,000 patients
CCM Health in Minnesota provides health services through public hospitals and healthcare facilities. In a notification letter dated March 12, 2024, they informed patients that protected health information (PHI) may have been accessed and exfiltrated during an attack that occurred between April 3 – April 10, 2023.
They do not reveal when or how they first became aware of an incident, nor do they disclose whether there was ever any contact or demand by any threat actor. What they do claim in a submission to the Maine Attorney General’s Office is that they discovered the breach on February 12, 2024. But that is not when they discovered a breach. It is when they allegedly first discovered PHI was involved.
-
Group Health Cooperative of South Central Wisconsin notifies 533,809 members of ransomware attack
Group Health Cooperative of South Central Wisconsin (GHC-SCW) is a non-profit, member-owned health plan providing services to more than 80,000 members in Wisconsin. This week, they provided reports to HHS and the Maine Attorney General’s Office about a breach they previously disclosed in February.
On January 25, GHC-SCW posted an announcement on its website that they had identified an intrusion in their network by an unknown attacker on January 24. On February 9, they updated their announcement. Now, they provide even more details, including that on January 24, they had promptly isolated and secured their network. As a result, the attacker’s attempt to encrypt their system was unsuccessful.