Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Latitude Refuses to Pay Ransom
Back in mid-March, then in late March, we reported on the data breach affecting customers of consumer lender Latitude Financial (ASX:LFS). Today Latitude confirmed that it has received a ransom demand and, in line with advice from both government and cybercrime experts, will not pay a ransom. Said Latitude Financial CEO, Bob Belan:
"Latitude will not pay a ransom to criminals. Based on the evidence and advice, there is simply no guarantee that doing so would result in any customer data being destroyed and it would only encourage further extortion attempts on Australian and New Zealand businesses in the future.
"Our priority remains on contacting every customer whose personal information was compromised and to support them through this process.
"In parallel, our teams have been focused on safely restoring our IT systems, bringing staffing levels back to full capacity, enhancing security protections and returning to normal operations.
"I apologise personally and sincerely for the distress that this cyber-attack has caused and I hope that in time we are able to earn back the confidence of our customers."
The company believes that there has been no suspicious activity in their systems since Thursday, 16 March, and is now restoring its business operations.
Gardy, Mark, Cybercrime update, ASX announcement, 11 April 2023. Available online at https://www.asx.com.au/asx/statistics/displayAnnouncement.do?display=pdf&idsId=02652931.
Tasmanian Department of Education Fileshare Hacked; 16,000 Documents Leaked
A Russian ransomware gang has allegedly obtained over 16,000 documents from the Tasmanian Department for Education, Children and Young People via the third-party file transfer service GoAnywhere, and has released them on the dark web. The documents primarily related to current and historical financial information and may include:
- names
- addresses
- school name
- DECYP reference number (used for DECYP internal account purposes)
- child name
- homeroom
- year group
- business names
- bank account (if the Department paid the affected individual)
- learner's date of birth (TasTAFE only)
The Tasmanian Government has established a helpline number for affected individuals on 1800 567 567.
Uncredited, Hackers release personal data from Tasmanian Government data breach, Pulse Hobart, 7 April 2023. Available online at https://pulsehobart.com.au/news/hackers-release-personal-data-from-tasmanian-government-data-breach/.
DECYP, Cyber Investigation Update, web page, 11 April 2023. Available online at https://www.decyp.tas.gov.au/cyber-investigation-update/.
CISA Adds Five Known Exploited Vulnerabilities; Veritas Backup Exec Used for Ransomware
The US Cybersecurity & Infrastructure Security Agency has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog:
- CVE-2021-27876 Veritas Backup Exec Agent File Access Vulnerability
- CVE-2021-27877 Veritas Backup Exec Agent Improper Authentication Vulnerability
- CVE-2021-27878 Veritas Backup Exec Agent Command Execution Vulnerability
- CVE-2019-1388 Microsoft Windows Certificate Dialog Privilege Escalation Vulnerability
- CVE-2023-26083 Arm Mali GPU Kernel Driver Information Disclosure Vulnerability
The most significant of these is CVE-2021-27877, which NIST's National Vulnerability Database rates as having a CVSS 3.1 score of 9.8 (critical). Mandiant reports that this vulnerability has been used by the ALPHV/BlackCat ransomware gang to gain initial access to one of their victims' networks. However, Veritas released patches for these vulnerabilities back in March 2021 - over two years ago - so there really is no excuse, etc., etc.
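Additions to the KEV catalog are only useful if somebody actually joins them against what is running in your environment. The following script is an added example, written for this briefing and not taken from CISA or from any vendor: it parses a KEV feed, indexes entries by vendor and product, and reports every inventory item that has a catalog entry, together with how far past CISA's remediation due date it is. The field names (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, requiredAction) follow the public KEV JSON feed; the records, due dates and host inventory below are constructed for the demonstration using the five CVEs named above and are not real data.

```python
"""Match a software inventory against a CISA KEV (Known Exploited Vulnerabilities) feed.

Added example for this briefing. The real feed is JSON served by CISA; the sample
below is constructed offline with the same field names. Due dates and hosts are
assumptions made for the demo, not values from the catalog.
"""
import json
from datetime import date

# Constructed sample of the KEV feed (assumption: mirrors the public feed's schema).
KEV_SAMPLE_TEXT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2021-27876", "vendorProject": "Veritas", "product": "Backup Exec Agent",
         "vulnerabilityName": "Veritas Backup Exec Agent File Access Vulnerability",
         "dateAdded": "2023-04-07", "dueDate": "2023-04-28",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-27877", "vendorProject": "Veritas", "product": "Backup Exec Agent",
         "vulnerabilityName": "Veritas Backup Exec Agent Improper Authentication Vulnerability",
         "dateAdded": "2023-04-07", "dueDate": "2023-04-28",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-27878", "vendorProject": "Veritas", "product": "Backup Exec Agent",
         "vulnerabilityName": "Veritas Backup Exec Agent Command Execution Vulnerability",
         "dateAdded": "2023-04-07", "dueDate": "2023-04-28",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2019-1388", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Certificate Dialog Privilege Escalation Vulnerability",
         "dateAdded": "2023-04-07", "dueDate": "2023-04-28",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-26083", "vendorProject": "Arm", "product": "Mali GPU Kernel Driver",
         "vulnerabilityName": "Arm Mali GPU Kernel Driver Information Disclosure Vulnerability",
         "dateAdded": "2023-04-07", "dueDate": "2023-04-28",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed asset inventory (assumption: hosts and products are hypothetical).
INVENTORY = [
    {"host": "bkup01", "vendor": "Veritas", "product": "Backup Exec Agent"},
    {"host": "ws-017", "vendor": "Microsoft", "product": "Windows"},
    {"host": "web01", "vendor": "Apache", "product": "HTTP Server"},
]


def index_kev(feed_text):
    """Parse KEV JSON text and index its entries by case-folded (vendor, product)."""
    feed = json.loads(feed_text)
    index = {}
    for entry in feed["vulnerabilities"]:
        key = (entry["vendorProject"].casefold(), entry["product"].casefold())
        index.setdefault(key, []).append(entry)
    return index


def match_inventory(inventory, kev_index, today):
    """Return one finding per (asset, KEV entry) pair, most overdue first.

    KEV carries no affected-version data, so a match means 'this product has a
    known-exploited CVE', not 'this host is unpatched'; confirm the installed
    version against the vendor advisory before closing a finding.
    """
    findings = []
    for asset in inventory:
        key = (asset["vendor"].casefold(), asset["product"].casefold())
        for entry in kev_index.get(key, []):
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "name": entry["vulnerabilityName"],
                "dueDate": entry["dueDate"],
                "days_overdue": max(0, (today - due).days),
            })
    findings.sort(key=lambda f: (-f["days_overdue"], f["host"], f["cveID"]))
    return findings


if __name__ == "__main__":
    for f in match_inventory(INVENTORY, index_kev(KEV_SAMPLE_TEXT), date(2023, 5, 1)):
        print(f"{f['host']:8} {f['cveID']:16} due {f['dueDate']} "
              f"({f['days_overdue']} days overdue)  {f['name']}")
```

The match key is deliberately coarse (vendor and product only) because that is all the catalog gives you; the version check still has to come from the vendor advisory or an NVD/CPE lookup. In practice you would fetch the live feed over HTTPS, take the inventory from your CMDB or EDR export, and feed the findings into your ticketing system keyed on host plus CVE so that the due date drives the SLA.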
CISA, CISA Adds Five Known Exploited Vulnerabilities to Catalog, alert, 7 April 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/04/07/cisa-adds-five-known-exploited-vulnerabilities-catalog.
Apple Device 0days Likely Used For Spyware Implants
Last week, Apple rushed out patches for macOS Ventura, iOS version 16 and iPadOS version 16 in response to the disclosure of two zero-day exploits. The first related to a remote code execution vulnerability in the WebKit HTML engine, while the second was a code execution vulnerability in the OS kernel, which would allow privilege escalation.
The vulnerabilities were jointly reported to Apple by the Amnesty International Security Lab and the Google Threat Analysis Group, which suggests that the exploits were first discovered by privacy and human rights activists, then analysed by Google's researchers. If so, then they were probably being used to implant spyware on behalf of government agencies somewhere.
In fact, all supported versions of iOS, iPadOS and macOS contained these vulnerabilities, and Apple has now extended the patches to the older releases as well. Users should check for and install these updates as soon as possible.
Ducklin, Paul, Apple zero-day spyware patches extended to cover older Macs, iPhones and iPads, blog post, 10 April 2023. Available online at https://nakedsecurity.sophos.com/2023/04/10/apple-zero-day-spyware-patches-extended-to-cover-older-macs-iphones-and-ipads/.
Western Digital My Cloud Pain Continues; Company Issues Workaround
The pain of last week's breach at storage drive manufacturer Western Digital continues for its customers. When the company took its My Cloud service offline, customers lost access to their files even though the devices sat on their own local networks, because even local access required a connection to the cloud service. In fact, the problem applied not just to My Cloud, but also My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi, and SanDisk Ixpand Wireless Charger, as well as their related apps.
However, the company has now released a workaround which will enable access to local devices on the LAN via network mapped drives, for up to 5 concurrent local users. The procedure is slightly involved, but most SME and home users should be able to follow it, with the aid of embedded videos to walk them through.
Western Digital Support, Instructions to Enable Local Network Access on a My Cloud Home, My Cloud Home Duo and SanDisk ibi, web page, 10 April 2023. Available online at https://support-en.wd.com/app/answers/detailweb/a_id/50626.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.