Cybersecurity News: Royal ransoms Dallas, new PaperCut exploit, CISA’s Mirai warning

City of Dallas hit by Royal ransomware attack impacting IT services

The ninth largest city in the United States, with a population of approximately 2.6 million people, saw some of its IT systems shut down to prevent the attack’s spread. Local media reported that the City’s police communications and IT systems were shut down Monday morning due to a suspected ransomware attack, leading to 911 dispatchers having to write down received reports for officers rather than submit them via the computer-assisted dispatch system. The Dallas County Police Department’s website was also offline for part of the day due to the security incident but has since been restored. The City’s court system canceled all jury trials and jury duty from May 2nd into yesterday. According to numerous sources, network printers on the City of Dallas’ network began printing out ransom notes that taunted the City over its choice of cybersecurity procedures. A photo of the ransom note made it appear that the Royal ransomware operation conducted the attack.

(Bleeping Computer)

Researchers uncover new exploit for PaperCut vulnerability that can bypass detection

Tracked as CVE-2023-27350 (CVSS score: 9.8), this flaw affects PaperCut MF and NG installations and can be exploited by unauthenticated attackers to gain SYSTEM privileges. VulnCheck has published a proof-of-concept exploit that sidesteps existing detection signatures by abusing the print management software’s “User/Group Sync” feature, which makes it possible to synchronize user and group information from Active Directory, LDAP, or a custom source.

(The Hacker News)

Mirai botnet exploits unpatched TP-Link routers, CISA warns

CISA is adding three more flaws to its list of known-exploited vulnerabilities. One of these involves TP-Link routers that are being targeted by the Mirai botnet. Trend Micro’s threat-hunting group Zero Day Initiative (ZDI) stated in a report released last week that operators of the Mirai botnet were beginning to exploit the flaw, primarily by first attacking devices in Eastern Europe and then expanding outward. Mirai malware conscripts infected Linux-based IoT devices into a botnet that is remotely controlled to perform large-scale network attacks, including DDoS assaults. The other two flaws placed on the CISA list this week involve versions of Oracle’s WebLogic Server software and the Apache Foundation’s Log4j Java logging library.

(The Register)

Drone goggles maker claims firmware sabotaged to ‘brick’ devices

The claim is being made by Orqa, a company that designs and manufactures First Person View (FPV) drone racing goggles. Their statement says that “a contractor introduced code into its devices’ firmware that acted as a time bomb designed to brick them.” Orqa recently started receiving reports from customers stating that their FPV.One V1 goggles had entered bootloader mode and had become unusable. The company said they found the ransomware time bomb, which had been secretly planted a few years ago by a “greedy former contractor,” with the intention of extracting an exorbitant ransom from the company.

(Bleeping Computer)

Thanks to this week’s episode sponsor, Trend Micro

Cybersecurity is not just about protection, it’s about foresight, agility, and resilience. Navigating a new era of cyber risk demands evolved strategies, new frameworks, and integrated tools to equip security teams to anticipate and defend against even the most advanced attacks. Trend Micro, the global leader in cybersecurity, is bringing the cyber risk conversation to more than 120 cities around the world in their latest “Risk to Resilience World Tour” — the largest cybersecurity roadshow of its kind. Find the closest city to you and register today to take a leap towards a more resilient future. Head to TrendMicro.com/cisoseries.

Cisco warns of vulnerability in EoL phone adapters

Cisco is warning consumers about a critical remote code execution vulnerability impacting SPA112 2-Port phone adapters that have reached end-of-life (EoL) status. Tracked as CVE-2023-20126 (CVSS score of 9.8), this flaw affects the web-based management interface of the phone adapters. It can be exploited without authentication. As Cisco explains in its advisory, the vulnerability exists because of “a missing authentication process within the firmware upgrade function.” Given that the SPA112 2-Port phone adapters are no longer supported (they reached EoL on June 1, 2020), Cisco does not plan to release firmware updates to address the vulnerability.

(Security Week)

Hacked university warns of campus text alerts sent by ransomware group

Bluefield University is a private Baptist school in Bluefield, Virginia that serves about 1,000 students. It recently sent out a warning about texts being sent through the school’s mass alert system after a ransomware group messaged the entire campus about an ongoing cyberattack. On Tuesday, the Avoslocker group used the school’s RamAlert system to send threatening messages to all of Bluefield University’s students and employees, announcing that they had exfiltrated 1.2 TB of files consisting of admissions data. The school published its own message on Tuesday, acknowledging that the RamAlert system had been taken over by the hackers and warning students not to click on any links provided by the hackers.

(The Record)

9 out of 10 companies have detected software supply chain security risks

Dimensional Research has revealed that nearly 90% of technology professionals detected significant risks in their software supply chain in the last year. More than 70% said that current application security solutions aren’t providing the necessary protections. More than 300 global executives, technology and security professionals at all seniority levels directly responsible for software at enterprise companies were surveyed for the study. Among the findings was the sentiment that a lack of proper tools may be exacerbating software supply chain risk.

(Security Magazine)

Website promising jobs at the U.S. Postal Service leaks customer data

In a recent post, Brian Krebs describes how an online company based in Georgia has made millions of dollars purporting to sell access to jobs at the United States Postal Service and has now exposed its internal IT operations and database of nearly 900,000 customers. He writes, “the leaked records indicate the network’s chief technology officer in Pakistan has been hacked for the past year, and that the entire operation was created by the principals of a Tennessee-based telemarketing firm that has promoted USPS employment websites since 2016.” His article shows that this long-running international operation had been emailing and text messaging people for years to sign up at websites promising to help visitors get jobs at the USPS. These sites also sell training, supposedly to help ace an interview with USPS human resources.

(Krebs on Security)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.