In today’s edition:
MalDoc in PDF technique, Skype Security Flaw, Juniper SRX Firewalls, LockBit, Phishing Attack, Spain, Rust Libraries, Mom’s Meals, Prospect Medical Hospitals, Rhysida Ransomware, NoEscape Ransomware, Fiocruz, Akira Ransomware, Edmonds School District, ‘Text Pests’, Teen Cybercrime, Microsoft Exchange, Gmail, 2FA, Cl0p Ransomware, MOVEit.
An attack technique known as “MalDoc in PDF” was identified by Japan’s JPCERT; it embeds a malicious Word file within a PDF to evade detection. A file created with MalDoc in PDF opens in Word while still carrying PDF magic numbers and PDF file structure. The embedded Word file uses macros to trigger malicious behaviour when opened in Word, ultimately posing a significant threat to cybersecurity. Countermeasures such as the OLEVBA analysis tool and custom detection rules are suggested to mitigate the risk associated with this novel attack vector.
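As an added example (not code from JPCERT or from this newsletter), the following Python triage check flags a file that passes as a PDF yet also carries Word MHT and macro markers, which is the combination the technique relies on; the marker strings and the sample files are constructed assumptions, not indicators taken from the page.

```python
"""Heuristic triage for the "MalDoc in PDF" polyglot described by JPCERT.

Such a file starts with a PDF header and structure, yet Word opens it
because a Word-generated MHT (MIME HTML) document carrying a macro is
appended after the PDF. A scanner that stops at "this is a PDF" misses the
Office content, so this check looks for both sets of markers in one file.
"""

PDF_MAGIC = b"%PDF-"
# Markers typical of a Word-generated MHT body (heuristic list, an assumption)
MHT_MARKERS = (b"MIME-Version:", b"multipart/related",
               b"mso-application", b"Word.Document")
# Markers of an embedded VBA project in Word MHT/OLE files (assumption)
MACRO_MARKERS = (b"editdata.mso", b"vbaProject")


def present(data, markers):
    """Return the subset of markers found anywhere in data."""
    return [m.decode() for m in markers if m in data]


def triage_maldoc_in_pdf(data):
    """Return findings for one file; 'suspicious' is True only when the
    file passes as a PDF and also contains Word MHT and macro markers."""
    # The PDF header must appear within the first 1024 bytes (PDF spec).
    is_pdf = data.find(PDF_MAGIC, 0, 1024) != -1
    mht_hits = present(data, MHT_MARKERS)
    macro_hits = present(data, MACRO_MARKERS)
    # MalDoc in PDF appends the Word document after the last %%EOF marker.
    last_eof = data.rfind(b"%%EOF")
    first_mht = min((data.find(m) for m in MHT_MARKERS if m in data), default=-1)
    appended = is_pdf and last_eof != -1 and first_mht > last_eof
    suspicious = is_pdf and len(mht_hits) >= 2 and bool(macro_hits)
    return {"is_pdf": is_pdf, "mht_markers": mht_hits,
            "macro_markers": macro_hits, "appended_after_eof": appended,
            "suspicious": suspicious}


# Constructed samples: a minimal clean PDF and the same PDF with a Word MHT
# body (containing the macro carrier part) appended after %%EOF.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
WORD_MHT = (b"MIME-Version: 1.0\r\n"
            b"Content-Type: multipart/related; boundary=\"----=_Part_01\"\r\n"
            b"------=_Part_01\r\nContent-Type: text/html\r\n\r\n"
            b"<html xmlns:o=\"urn:schemas-microsoft-com:office:office\">"
            b"<meta name=ProgId content=Word.Document></html>\r\n"
            b"------=_Part_01\r\nContent-Location: file:///C:/editdata.mso\r\n")
POLYGLOT = CLEAN_PDF + WORD_MHT

if __name__ == "__main__":
    for name, blob in (("clean.pdf", CLEAN_PDF), ("polyglot.pdf", POLYGLOT)):
        print(name, triage_maldoc_in_pdf(blob))
```

A positive result is a triage signal only; the flagged file should then go to OLEVBA or similar macro analysis as the article recommends.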
A significant vulnerability in the Skype app has been discovered, enabling hackers to extract a user’s IP address without any interaction required from the target. This flaw could potentially unveil a user’s approximate physical location, posing a serious threat to various individuals including activists, journalists, and cybercrime targets. Despite initial dismissal from Microsoft, the company has now committed to addressing the issue following concerns raised by security researchers and media outreach.
A critical security concern arises as a proof-of-concept exploit code has been made public, targeting vulnerabilities in Juniper SRX firewalls. The discovered flaws, when combined, enable unauthenticated attackers to achieve remote code execution within Juniper’s JunOS on devices lacking patches. The vulnerabilities emerged in the PHP-based J-Web interface, which administrators utilize to manage and configure Juniper network devices. While Juniper released patches for these medium-severity bugs, the security experts who developed the exploit anticipate that unpatched Juniper devices might become targets for widescale attacks. It is vital for administrators to swiftly implement patches or take mitigation steps to avert potential threats to the integrity and security of their systems.
The National Police of Spain has issued a warning about an ongoing ransomware campaign known as ‘LockBit Locker,’ targeting architecture companies in the country through well-crafted phishing emails. The police note the campaign’s high level of sophistication, as victims remain unaware until their systems are encrypted. The attackers, posing as a new photography store, engage in convincing communications with the targeted firms, ultimately delivering an archive with malicious contents that leads to the execution of the ‘LockBit Locker’ ransomware. The attackers’ tactics highlight the growing trend of ransomware gangs adopting more sophisticated and personalized approaches for initial compromise.
A stark reminder of the persistent threat to developers through software supply chain attacks has emerged with the detection of malicious packages on the Rust programming language’s crate registry. Authored by a user under the moniker “amaperf,” these packages, uploaded between August 14 and 16, 2023, bore names such as postgress, if-cfg, xrvrv, serd, oncecell, lazystatic, and envlogger. Although removed, these packages harbored functionality designed to capture the operating system details, be it Windows, Linux, macOS, or Unknown, subsequently transmitting this data to a hard-coded Telegram channel using the messaging platform’s API.
Mom’s Meals, operating under the name PurFoods, has revealed a significant data breach in which personal information belonging to 1.2 million customers and employees was stolen in a ransomware attack. The company, known for its medical meal delivery services, caters to self-paying customers and those eligible for government assistance programs. The breach was discovered after suspicious activity was detected on the network in February 2023, leading to a comprehensive investigation that revealed the cyberattack occurred between January and February of the same year. The breached data includes highly sensitive information such as birthdates, financial details, health records, and Social Security Numbers for over 1% of the affected individuals.
The Rhysida ransomware group has claimed responsibility for infiltrating Prospect Medical Holdings, affecting multiple hospitals across states including California, Texas, Connecticut, Rhode Island, and Pennsylvania. The cyberattack disrupted critical services, forcing emergency room closures and ambulance diversions. The group boasts of stolen sensitive data, including social security numbers, corporate documents, and patient records, and is demanding a 50 Bitcoin ransom, posing a grave threat to Prospect Medical’s security and reputation.
A data breach at the Dutch land registry Kadaster has led to the exposure of every homeowner’s address in the Netherlands. The breach, which came to light after an investigation, has raised significant privacy concerns. Although the Kadaster’s search facility was initially intended for use by real estate professionals, it has inadvertently become accessible to unauthorized users, including criminals and hackers. This lapse in security has prompted calls for immediate action from privacy watchdog AP to close the loophole and protect individuals from potential threats.
The renowned Oswaldo Cruz Foundation, also known as Fiocruz, has fallen victim to a devastating data breach caused by the NoEscape ransomware group. The breach has led to the encryption of Fiocruz’s primary servers, exposing a massive 500GB of sensitive organizational data. This breach has far-reaching implications, as Fiocruz plays a crucial role in advancing immunobiology research and addressing pressing health challenges. The breach, initially disputed by Fiocruz’s management, has put critical documents, backups, databases, and even sensitive human resources data at risk, posing serious threats to both data privacy and public health security.
The Edmonds School District faces a distressing data breach caused by the Akira ransomware group. This notorious group, recognized for its advanced cyber attacks on small to midsize businesses, has now expanded its reach to target educational institutions. The district, encompassing multiple communities, has encountered a complex web of compromised data, potentially putting students, staff, and parents at risk. As the Edmonds School District grapples with this breach, the implications for cybersecurity in educational institutions become even more pronounced.
A U.S. government advisory board has raised concerns about the growing involvement of teenagers in underground cybercrime activities. The Department of Homeland Security’s Cyber Safety Review Board has recommended that Congress consider funding programs to prevent juvenile cybercrime, aiming to divert young individuals away from illegal hacking and online offenses. This initiative comes in response to incidents involving groups like Lapsus$, a teenage hacking collective responsible for targeting major companies. Experts highlight the need for education and awareness to counter this trend, as many young people lack understanding of the legal boundaries in the digital realm.
The UK Information Commissioner’s Office has called for individuals affected by “text pests” – those using personal information for unwelcome romantic or sexual advances – to share their experiences and contribute to the regulator’s efforts in combating this illegal behavior. A survey commissioned by the ICO showed that 29% of 18-34-year-olds reported unwanted contact following sharing their personal details with a business. While younger people are more likely to believe such behavior to be legal, the majority of the public and the ICO find it morally wrong. The ICO aims to raise awareness among customer-facing businesses about their responsibility to protect customer data and prevent misuse.
Microsoft has announced its decision to activate Windows Extended Protection as the default setting on servers running Exchange Server 2019. This change is scheduled to take effect in the coming fall after the installation of the 2023 H2 Cumulative Update. Extended Protection is designed to reinforce Windows Server authentication functionality, offering stronger defense against authentication relay and “man in the middle” attacks. While Exchange Server 2019 remains in Mainstream Support and is the sole version receiving Cumulative Updates, administrators will have the option to opt out of the Extended Protection feature during deployment using the command-line CU installer.
Gmail is introducing changes that will require users to go through a two-factor authentication (2FA) challenge before accessing certain sensitive settings. Currently, Gmail only asks for user credentials during the initial login, which can leave accounts vulnerable for extended periods. The protected settings include filters, account forwarding, and IMAP access, and any attempt to modify these options will trigger a “Verify it’s you” 2FA prompt. This measure aims to thwart attackers who may compromise accounts and misuse settings like filters to hide suspicious activities or exfiltrate sensitive information.
A startling revelation emerges as the Cl0p ransomware gang launches an extensive campaign against the MOVEit Transfer platform, leaving a trail of destruction impacting over 1,000 organizations and an estimated 60 million individuals. The orchestrated attack, driven by a zero-day vulnerability, underscores the vulnerability of modern digital systems and the challenges they pose to cybersecurity. The fallout touches critical sectors such as finance, professional services, and education, ringing alarm bells across industries. The incident emphasizes the need for robust defenses and highlights the looming financial toll for organizations and their insurers in the wake of such breaches.
Copyright © 2023 CyberMaterial. All Rights Reserved.