LabCorp ransomed, 18k routers rooted, a new EXIF menace, and more
Plus a new worry for enterprises over DNS flaws
Here are a few more bits of news.
Any large-scale data breach is bad news, but one that results in the loss of the health information of a quarter of the population is downright disastrous.
Such was the case in Singapore, where an estimated 1.5 million people (about 25 per cent of the population) had their records lifted from the health and information ministries' database.
Any Singaporeans worried this will get swept under the rug can rest easy(ish): Prime Minister Lee Hsien Loong was among those whose data got lifted in the heist. In fact, the nation's Cyber Security Agency believes that Lee himself was the original target of the attack.
Authorities have yet to find any of the pilfered information online, so it's not clear whether this was the work of a nation-state sponsored operation or just an effort by cybercriminals to harvest valuable records.
Dear Uncle Sam, please come to your census
The US Census is coming up in just two years, and given the importance of the data for things like congressional seats and public assistance, getting the population data right is critical.
That's why a group of former government security experts is pressing the Census Bureau to assess and report just how it plans to secure the census and prevent outside groups from manipulating the data. They've issued an open letter [PDF] requesting a security report.
"Our country’s elected representatives and, indeed, the American people deserve to understand the technical protocols and systems being utilized by the Census Bureau to ensure that the electronic collection and storage of information about millions of Americans will be handled as securely as possible," the letter reads.
"This is especially important in an age in which new types and sources of cybersecurity threats seem to emerge almost weekly."
The group says it has already asked the Census Bureau for this information, but has so far been ignored. Hence the decision to issue an open letter.
Malware writers are now sullying the good name of Google (stop laughing) by using its services to host image files with code stashed inside them.
Researchers with Sucuri explained how attackers have been uploading image files to sites such as Google+ and Blogger with a payload tucked into the EXIF metadata, specifically the UserComment field. The image itself does nothing when viewed; the trick is that a loader script already planted on a compromised website fetches the picture from Google's servers, pulls the code out of the EXIF field and executes it, so the payload lives on a server that stays up and is unlikely to be blocked.
"In previous cases, hackers used EXIF data within images to hide malicious code inside files that are rarely scanned for malware," Sucuri explains.
"In this specific case, we see that the main goal is to host malicious scripts on a reliable and trusted server so that they are always available for downloading from any compromised sites."
DNS rebinding reloads for enterprise attacks
Last month we were alerted to the return of DNS rebinding attacks on consumer devices. Now we're hearing that enterprise hardware could be just as exposed to a flaw that has been known about for more than a decade. The trick is to get a victim's browser to load a page from an attacker-controlled domain, then switch that domain's DNS answer to an internal address such as a printer's; the browser treats the internal device as the same origin as the attacker's page, so the attacker's JavaScript can drive the device's web interface from inside the network.
Researchers with security outfit Armis say that as many as half a billion pieces of kit in use by just about every enterprise could also be remotely hijacked and added to botnets via the same DNS rebinding techniques.
Armis argues that printers and VoIP handsets are just as exposed as your Roku or home router, and if admins don't keep a close eye on all their hardware, those unattended devices could become cogs in a massive new botnet.
"Armis has found that the issue impacts hundreds of millions of IoT and other unmanaged devices used inside almost every enterprise," notes Armis VP of research Ben Seri.
"From smart TVs to printers, digital assistants to IP phones and more, the exposure leaves organizations vulnerable to compromise, data exfiltration, and to devices getting hijacked for another Mirai-like attack."
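Two cheap defences fall out of the mechanism described above: the resolver can refuse to hand a private address back for a name outside the organisation's own zones (the idea behind dnsmasq's --stop-dns-rebind), and the device's web interface can refuse any request whose Host header is not one of its own names, since after a rebind the browser still sends the attacker's domain as the Host. Here is an added Python illustration of both checks, written for this story rather than taken from Armis; the internal zone corp.example, the printer's names and the two-step attacker answer sequence are constructed sample data.

```python
import ipaddress

# Ranges an outside name should never resolve to. Constructed list for the
# example; extend it with any prefixes reachable only from inside your network.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Assumed internal DNS zone; names under it may legitimately carry private answers.
INTERNAL_ZONES = ("corp.example",)


def answer_is_rebinding(qname, addresses, internal_zones=INTERNAL_ZONES):
    """Resolver-side filter: an external name resolving to a private,
    loopback or link-local address is a rebinding attempt; drop the answer."""
    name = qname.rstrip(".").lower()
    if any(name == z or name.endswith("." + z) for z in internal_zones):
        return False
    for a in addresses:
        addr = ipaddress.ip_address(a)
        if any(addr in net for net in BLOCKED_NETS):
            return True
    return False


def filter_answers(answers):
    """Keep only the (qname, [addresses]) pairs that pass the rebinding check."""
    return [(q, a) for q, a in answers if not answer_is_rebinding(q, a)]


def host_header_ok(host_header, own_names):
    """Device-side check for an embedded web UI: refuse (400/403) any request
    whose Host is not a hostname or address this device answers to."""
    h = host_header.strip().lower()
    if h.startswith("["):                    # IPv6 literal, e.g. [fe80::1]:80
        h = h[1:h.index("]")]
    else:
        h = h.split(":", 1)[0]               # drop :port
    return h in {n.lower() for n in own_names}


# Constructed sample: the attacker's authoritative server answers the same name
# twice, first with its own web host, then (after the short TTL) with the printer.
ATTACK_ANSWERS = [
    ("rebind.attacker.example", ["203.0.113.10"]),
    ("rebind.attacker.example", ["192.168.1.20"]),
]
# Constructed sample: what the printer's web server considers its own identity.
PRINTER_NAMES = {"printer-3f.corp.example", "192.168.1.20"}

if __name__ == "__main__":
    print(filter_answers(ATTACK_ANSWERS))                                # second answer dropped
    print(host_header_ok("rebind.attacker.example", PRINTER_NAMES))      # False
    print(host_header_ok("printer-3f.corp.example:8080", PRINTER_NAMES))  # True
```

The Host check is the one that matters for device vendors: it needs no cooperation from the network and it is exactly what a browser cannot fake on the attacker's behalf. The resolver filter is the one an admin can deploy today across a fleet of printers and phones that will never get a firmware fix.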
18,000 routers pwned in a day
We knew it was easier than ever to build a botnet, but who knew it was this easy?
Researcher Ankit Anubhav discovered and tracked down the creator of an 18,000-strong botnet made up entirely of vulnerable Huawei routers. As it turns out, the person behind it assembled the whole thing in under 24 hours using a single exploit, for a flaw (CVE-2017-17215) that has been public for more than half a year.
The motives are not clear as the attacker only said he is doing this "to make the biggest baddest botnet in town". Probably DDoS.— Ankit Anubhav (@ankit_anubhav) July 18, 2018
CVE-2017-17215 related article https://t.co/5xiWKFynTY
It's painfully hilarious how attackers can construct big bot armies with known vulns. (3/3)
Let this be yet another reminder: make sure you regularly patch everything on your network. Firmware updates for routers or printers are an easy thing to forget, but if those boxes get compromised things can get ugly very quickly.
LabCorp says 'it was ransomware what knocked over our network'
Earlier this week we shared the story of how a mystery attack had briefly taken down much of LabCorp's medical testing network.
At the time, there was no official word on what had caused the diagnostics service to go dark, and there were fears that the company might have lost some of the millions of medical records it keeps from its lab test facilities around the country.
As it turns out, the culprit was in fact a ransomware infection. El Reg received an update from LabCorp that contained the following clarification:
"The activity was subsequently determined to be a new variant of ransomware," the statement reads.
"LabCorp promptly took certain systems offline as part of its comprehensive response to contain and remove the ransomware from its system."
The good news, according to LabCorp, is that no data was taken, so your medical records are safe. The company says it is working with authorities to investigate the incident.
Get VLC 3.0.3 ...Like right now
You will want to make sure your copy of VLC is up to date, after a high-severity security flaw was turned into a module for the popular Metasploit exploit framework.
Researcher Davy Douhine broke the news on Twitter:
Update VLC ! Incoming #metasploit exploit targeting a UAF in VideoLAN VLC media player <= 2.2.8 ! CVE-2018-11529 discovered and exploited by Eugene Ng and module coded by Winston Ho. I guess sharing this on Torrent will pop a few shells ;) https://t.co/CiKuiAtK0q pic.twitter.com/p61iqjFdJF— Davy Douhine (@ddouhine) July 19, 2018
CVE-2018-11529 is a use-after-free bug in VLC 2.2.8 and earlier that can be exploited for remote code execution when a victim opens a booby-trapped media file. It was discovered by Eugene Ng.
While a working Metasploit module ups the danger, there's a simple and very practical solution for this one: update your copy of VLC to version 3.0.3 and you'll have the bug all patched up.
File under: Good luck with that
The family of Silk Road boss Ross Ulbricht is still at it. The darknet drug market supremo was jailed for life without parole back in 2015, and while it's highly unlikely that the American judiciary and prosecution would backtrack on that decision, Ross's mother isn't giving up the fight to have her son released from lockup in this lifetime.
A Change.org petition seeks a clemency grant for Ulbricht.
"Ross is condemned to die in prison, not for dealing drugs himself but for a website where others did. This is far harsher than the punishment for many murderers, pedophiles, rapists and other violent people," writes his mother.
"Ross’s investigation, trial and sentencing were rife with abuse. This includes corrupt federal investigators (now in prison) who were hidden from the jury, as well as prosecutorial misconduct, constitutional violations and reliance on unproven allegations at sentencing. Ross did not get a fair trial and his sentence was draconian."
Right now, the petition has more than 18,000 signatures. Unfortunately, it has no legal force, and it's unlikely that either US Attorney General Jeff Sessions or President Donald Trump will be moved to soften their "tough on crime" stance for Ulbricht. ®