InfoSec News 20230102
Top News
-
Ransomware gang apologizes, gives SickKids hospital free decryptor
"The LockBit ransomware gang has released a free decryptor for the Hospital for Sick Children (SickKids), saying one of its members violated rules by attacking the healthcare organization.
SickKids is a teaching and research hospital in Toronto that focuses on providing healthcare to sick children.
On December 18th, the hospital suffered a ransomware attack that impacted internal and corporate systems, hospital phone lines, and the website.
While the attack only encrypted a few systems, SickKids stated that the incident caused delays in receiving lab and imaging results and resulted in longer patient wait times.
On December 29th, SickKids announced that it had restored 50% of its priority systems, including those causing diagnostic or treatment delays."
TLP1 : Green
-
WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws
"WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems.
"If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts," Russian security vendor Doctor Web said in a report published last week. "As a result, when users click on any area of an attacked page, they are redirected to other sites."
The attacks involve weaponizing a list of known security vulnerabilities in 19 different plugins and themes that are likely installed on a WordPress site, using it to deploy an implant that can target a specific website to further expand the network."
TLP1 : Green
Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism
-
Ukraine closes fraudulent call center that ripped off thousands
"Imposters operating out of a Ukrainian call center defrauded thousands of victims while pretending to be IT security employees at their banks. The scheme has now been closed down.
The fraudsters contacted the victims, told them their bank accounts had been accessed by attackers, and requested financial information. They said it was necessary to prevent fraud – instead, the victims’ bank accounts were emptied.
The scheme has now been uncovered by Ukraine’s Cyber Police Department, the Main Investigative Department of the National Police, the Prosecutor General's Office, and law enforcement officers in Kazakhstan.
The investigators found that 37 operators working out of a call center established by three Dnipro residents called people living in Kazakhstan while pretending to be IT security employees at their banks."
TLP1 : Green
-
Google to Pay $29.5 Million to Settle Lawsuits Over User Location Tracking
"Google has agreed to pay a total of $29.5 million to settle two different lawsuits brought by Indiana and Washington, D.C., over its "deceptive" location tracking practices.
The search and advertising giant is required to pay $9.5 million to D.C. and $20 million to Indiana after the states sued the company for charges that the company tracked users' locations without their express consent.
The settlement adds to the $391.5 million Google agreed to pay to 40 states over similar allegations last month. The company is still facing two more location-tracking lawsuits in Texas and Washington."
TLP1 : Green
Breaches: Data Breaches and Hacks
-
Personal health information of 42M Americans leaked between 2016 and 2021
"Medical records of 42 million Americans have been sold on the dark web since 2016; this information comes from cyberattacks on healthcare providers.
Researchers from JAMA Network analyzed trends in ransomware attacks on US hospitals, clinics, and health care delivery organizations between 2016 and 2021.
Common operational disruptions included canceled appointments/surgeries, electronic system downtime, and ambulance diversion. The researchers calculated the operational disruption duration and other data related to the attacks.
From 2016 to 2021, the annual number of ransomware attacks rose from 43 to 91.
“In this cohort study of 374 ransomware attacks, the annual number of ransomware attacks on health care delivery organizations more than doubled from 2016 to 2021, exposing the personal health information of nearly 42 million patients,” reads the report published by JAMA Network. “During the study period, ransomware attacks exposed larger quantities of personal health information and grew more likely to affect large organizations with multiple facilities.”"
TLP1 : Green
-
Data Breach at Louisiana Healthcare Provider Impacts 270,000 Patients
"Southwest Louisiana healthcare provider Lake Charles Memorial Health System (LCMHS) is informing roughly 270,000 patients that their personal and medical information was compromised in a data breach.
A regional community healthcare system consisting of several facilities, LCMHS identified the cyberattack on October 25 and started informing the impacted patients of the incident on December 23.
In a notification on its website, LCMHS says that ‘an unauthorized third party’ gained access to its network between October 20 and October 21.
The attackers accessed and likely exfiltrated certain files containing patient data, the healthcare provider says."
TLP1 : Green
-
Ransomware gang cloned victim’s website to leak stolen data
"The ALPHV ransomware operators have gotten creative with their extortion tactic and, in at least one case, created a replica of the victim's site to publish stolen data on it.
It appears that ALPHV, also known as BlackCat ransomware, is known for testing new extortion tactics as a way to pressure and shame their victims into paying.
While these tactics may not be successful, they introduce an ever-increasing threat landscape that victims need to navigate."
TLP1 : Green
Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits
-
NETGEAR fixes a severe bug in its routers. Patch it asap!
"Netgear fixed a bug affecting multiple WiFi router models, including Wireless AC Nighthawk, Wireless AX Nighthawk (WiFi 6), and Wireless AC router models.
The vendor only said that the flaw is a pre-authentication buffer overflow vulnerability and urged customers to update the firmware of their devices as soon as possible. An attacker can exploit this vulnerability without requiring permissions or user interaction.
Threat actors often exploit this kind of issue to trigger a DoS condition or to execute arbitrary code on vulnerable devices."
TLP1 : Green
-
Researcher Uncovers Potential Wiretapping Bugs in Google Home Smart Speakers
"A security researcher was awarded a bug bounty of $107,500 for identifying security issues in Google Home smart speakers that could be exploited to install backdoors and turn them into wiretapping devices.
The flaws "allowed an attacker within wireless proximity to install a 'backdoor' account on the device, enabling them to send commands to it remotely over the internet, access its microphone feed, and make arbitrary HTTP requests within the victim's LAN," the researcher, who goes by the name Matt Kunze, disclosed in a technical write-up published this week.
In making such malicious requests, not only could the Wi-Fi password be exposed, but the adversary could also gain direct access to other devices connected to the same network. Following responsible disclosure on January 8, 2021, the issues were remediated by Google in April 2021."
TLP1 : Green
-
CISA Says Two Old JasperReports Vulnerabilities Exploited in Attacks
"The US Cybersecurity and Infrastructure Security Agency (CISA) has added two JasperReports flaws to its Known Exploited Vulnerabilities Catalog.
Tibco’s JasperReports Library is advertised as the world’s most popular open source reporting engine. The JasperReports Server software is designed to enable non-technical users to create reports, dashboards, and visualizations.
CISA has learned that two JasperReports vulnerabilities discovered in 2018 have been exploited in attacks.
One of them is CVE-2018-18809, a critical directory traversal issue in JasperReports Library that can allow webserver users to access data on the host system, which can include credentials for accessing other systems. The flaw was addressed in March 2019.
CVE-2018-18809 has been found to affect the products of major vendors that use the JasperReports Library, including IBM products."
TLP1 : Green
Incident Response: Infrastructure, Training, SIEM and Incident Handling
-
Learn Python from scratch with this huge certified bootcamp
"If you head into the New Year on a high, learning a new skill is highly recommended. Python programming is useful in a range of different settings, and you can learn the language from scratch with The Premium Python Certification Bootcamp Bundle.
This 41-hour course collection is worth $2,585, but you can get it today for only $29.99 in a special event at BleepingComputer Deals."
TLP1 : Green
Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography
-
PyTorch discloses malicious dependency chain compromise over holidays
"PyTorch has identified a malicious dependency with the same name as the framework's 'torchtriton' library. This has led to a successful compromise via the dependency confusion attack vector.
PyTorch admins are warning users who installed PyTorch-nightly over the holidays to uninstall the framework and the counterfeit 'torchtriton' dependency.
From computer vision to natural language processing, the open source machine learning framework PyTorch has gained prominence in both commercial and academic realms."
TLP1 : Green
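The dependency-confusion vector named above is one that hash-pinned requirements defeat: if a same-named package is served from a different index, its artifact hash will not match the lockfile and installation is refused. The following is an added example, not PyTorch's or pip's own code; it mirrors pip's documented `--hash=sha256:<hex>` requirement syntax, and the package name's version, the index URLs and the artifact bytes are constructed stand-ins.

```python
"""Hash-pinned requirements check against dependency confusion.

Added example (not PyTorch's or pip's code). Assumes pip's documented
hash-checking syntax: a `name==version` line followed by one or more
`--hash=sha256:<hex>` options. All sample data below is constructed.
"""
import hashlib
import re

# Constructed stand-ins for two downloaded artifacts: the genuine one a
# maintainer hashed when building the lockfile, and a same-named package
# served by a different index (the dependency-confusion case).
GENUINE_WHEEL = b"constructed genuine torchtriton wheel bytes"
COUNTERFEIT_WHEEL = b"constructed counterfeit torchtriton wheel bytes"

REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([^\s\\]+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lockfile(pinned: dict) -> str:
    """pinned: {name: (version, artifact_bytes)} -> requirements text with hashes."""
    lines = []
    for name, (version, data) in sorted(pinned.items()):
        lines.append(f"{name}=={version} \\")
        lines.append(f"    --hash=sha256:{sha256_hex(data)}")
    return "\n".join(lines) + "\n"


def parse_lockfile(text: str) -> dict:
    """Return {normalized_name: (version, {sha256 hex digests})}."""
    # Join backslash continuations so each requirement is one logical line.
    logical = text.replace("\\\n", " ").splitlines()
    pins = {}
    for line in logical:
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue  # blank, comment, or a global option such as --index-url
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        name = m.group(1).lower().replace("_", "-")
        pins[name] = (m.group(2), set(HASH_RE.findall(line)))
    return pins


def option_lines(text: str) -> list:
    """Lines carrying pip options (index URLs, hashes) rather than requirements."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("--")]


def verify_artifact(lockfile: str, name: str, data: bytes) -> bool:
    """True only if `name` is pinned with a hash and `data` matches one of them."""
    pins = parse_lockfile(lockfile)
    entry = pins.get(name.lower().replace("_", "-"))
    if entry is None:
        return False  # not pinned at all: refuse to install
    _version, hashes = entry
    if not hashes:
        return False  # pinned by version only: no integrity guarantee
    return sha256_hex(data) in hashes


def audit_index_config(lockfile: str) -> list:
    """Findings about settings that let a same-named public package win resolution."""
    findings = []
    for opt in option_lines(lockfile):
        if opt.startswith("--extra-index-url"):
            findings.append("extra index configured: same-named public package can win resolution")
    for name, (_version, hashes) in parse_lockfile(lockfile).items():
        if not hashes:
            findings.append(f"{name}: no --hash, artifact origin cannot be verified")
    return findings


# Weak configuration: a public extra index plus a version-only pin (constructed).
WEAK_LOCKFILE = """\
--index-url https://private.example.invalid/simple
--extra-index-url https://public.example.invalid/simple
torchtriton==1.0.0
"""

# Corrected configuration: a single index and a hash pin derived from the genuine artifact.
GOOD_LOCKFILE = "--index-url https://private.example.invalid/simple\n" + build_lockfile(
    {"torchtriton": ("1.0.0", GENUINE_WHEEL)}
)

if __name__ == "__main__":
    print("weak config findings:", audit_index_config(WEAK_LOCKFILE))
    print("genuine accepted:", verify_artifact(GOOD_LOCKFILE, "torchtriton", GENUINE_WHEEL))
    print("counterfeit accepted:", verify_artifact(GOOD_LOCKFILE, "torchtriton", COUNTERFEIT_WHEEL))
```

The check mirrors the behaviour pip enforces in hash-checking mode: once any requirement carries a hash, every requirement must, and an artifact whose digest is absent from the lockfile is rejected regardless of which index served it.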
-
Phylum detects a series of suspicious publications on NPM…again
"On the morning of December 20th, Phylum’s automated risk detection platform alerted us to a series of suspicious publications on NPM. They are all published by the user yandex.pizda who claims in the description of each package to be "hackerone.com/homosec Bug Bounty Security Reseaarch [sic] White Hat"."
TLP1 : Green
-
The Pig Butchers
"What do a woman in Indiana, a woman in California, a woman in Australia, and a man in Kentucky all have in common? They've all fallen victim to the same cryptocurrency scammer and had their driver's licenses and/or money stolen. Stick around as I dive into the specifics of how one person I had the chance to speak to was victimized by this scam, at the end of the post.
The scam I'm about to dive into is often referred to as a variant of a "Pig Butchering" scam, named for the concept of fattening up a pig before sending it off for slaughter. In this case, however, the scammers aren't fattening a pig, they're fattening their pockets. These scams take a few different forms; however, I have seen this exact implementation so often that I believe it's becoming increasingly prevalent and decided to dive into it."
TLP1 : Green
-
RKE: How To Hack A Car
"I've always found cybersecurity to be more interesting when implications reflect in the "real world", and this is the reason hacking physical devices is fun to me. Well, it turns out that the more controversial the hack, the funnier it is to carry out! For this reason I got into remote-controlled device hacking, and in particular into car remote hacking. A while ago I got all the hardware needed to attempt attacking these devices, so I could finally attempt some attacks.
In this article I want to share the theory of how these devices work, what their weaknesses are and how they can be exploited, both in theory and in practice."
TLP1 : Green
1 Traffic Light Protocol (TLP) [1] for information sharing:
- Red: Not for disclosure, restricted to participants only.
- Amber: Limited disclosure, restricted to participants' organizations.
- Green: Limited disclosure, restricted to the community.