Cybersecurity News: Legal Aid breached, patients at risk from cyberattacks, 23andMe buyer

In today’s cybersecurity news…

UK’s Legal Aid Agency breached

On April 23rd, the UK’s Legal Aid Agency, a part of the Ministry of Justice, discovered that threat actors had breached its systems. It immediately coordinated with the National Crime Agency “to bolster the security of our systems,” according to CEO Jane Harbottle. On Friday, May 16th, it was discovered that the attack was more extensive than originally understood, with threat actors accessing a “significant” amount of data on applicants for legal aid, including criminal records, addresses, national ID numbers, and financial data. Citing a need for “radical action” to safeguard users, the Agency took its service offline while it recovers. The Ministry of Justice has contingency plans in place for legal support. No word on who orchestrated the attack or how they gained access.

(Reuters)

NHS patients are at risk from cyberattacks

Recorded Future News acquired data from Britain’s National Health Service under a Freedom of Information Act request showing that two cyberattacks last year caused what was categorized as potential clinical harm to over 50 patients, stemming from a lack of available medical care. This category falls below the two most critical categories, excess fatalities and excess casualties. While the data doesn’t name the specific attack, it could likely have stemmed from the attack on the pathology services provider Synnovis, which resulted in delayed and cancelled medical appointments.

(The Record)

23andMe has a buyer

When the DNA-testing company 23andMe declared bankruptcy, there were obvious privacy concerns raised about the implications for its genetic data. Now Regeneron Pharmaceuticals has agreed to buy the company out of bankruptcy for $256 million, with the acquisition expected to close in Q3. 23andMe services will continue uninterrupted, and Regeneron will need to tell a court-appointed ombudsman how it plans to use the genetic data, as well as detail security and privacy controls. Regeneron said it will maintain 23andMe’s existing privacy policies after the acquisition.

(WSJ)

Bipartisan bill for federal cyber workforce training

Representatives Pat Fallon and Marcy Kaptur introduced the Federal Cyber Workforce Training Act in the House. This bill calls on the National Cyber Director to plan for the creation of a centralized training center for federal cyber workforce development. This center would focus on setting cybersecurity standards for new Federal employees at the start of onboarding, specifically for entry-level workers with role-specific training developed in cooperation with relevant federal agencies. The bill also proposes the idea of specialized training for federal HR officials to better recruit personnel for the federal cyber workforce.

(Cyberscoop)

Ransomware operators turning to Skitnet

Researchers at PRODAFT report that the malware Skitnet, also known as Bossnet, is becoming increasingly popular in the post-exploitation toolkit of ransomware actors. Skitnet first appeared for sale on underground forums in April 2024, but was most recently seen used by Black Basta last month. Skitnet offers a lightweight package with fully automated installation. The initial executable is written in Rust; it decrypts and runs a payload compiled in Nim, which ultimately establishes a reverse shell connection to a C2 server, communicating over DNS. It uses PowerShell-based commands to obtain persistence at startup and deploys the legitimate tools AnyDesk and rutserv for remote access.

(The Hacker News)

Arla Foods confirms cyberattack

The Danish food coop giant confirmed it suffered a cyberattack that disrupted production at its dairy site in Upahl, Germany. It expects this will lead to product delays or order cancellations in the near future. It hopes to restore production at the facility by the end of the week. Arla was mum when asked if this was a ransomware attack. Arla’s products are used in brands across 140 countries, including Starbucks, Castello, Puck, and Lurpak. No threat actor has taken credit for the disruption yet. 

(Bleeping Computer)

Threat actors find a way to make printer software worse 

On a tip from tech writer Cameron Coward, an analysis by the security firm GData found that software downloads from the printer company Procolored contained malware. Coward notified Procolored, only to be told these were likely false positives. GData found that the company hosted software on mega.nz and had 39 software downloads infected with a crypto stealer and the wormable backdoor XRed. This could log keystrokes, download payloads, and copy cryptocurrency wallet information when installed. Despite the initial denial, Procolored eventually removed software downloads, telling GData that it initially transferred its software to the host through a flash drive, which might have been where the malware was introduced. 

(Security Week)

Pwn2Own aftermath

We already discussed some of the vulnerabilities discovered at Pwn2Own Berlin last week. Now that the event is over, we know security researchers pocketed $1,078,750 in bounties, exploiting 29 zero-days. The STAR Labs SG team took home the most money with $320,000. Vendors have 90 days from Pwn2Own to patch vulnerabilities before Trend Micro’s Zero Day Initiative publishes technical details. Over the weekend, Mozilla wasted no time patching two critical out-of-bounds read/write issues in JavaScript in Firefox.

(Bleeping Computer)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.