Cybersecurity News: Lazarus exploits ManageEngine, Rockwell ThinManager vulnerabilities, Mississippi hospital attack

Lazarus Group exploits ManageEngine to drop new RATs on internet and healthcare organizations

North Korea’s Lazarus Group has been observed exploiting a critical vulnerability in Zoho’s ManageEngine ServiceDesk to attack organizations in the U.S. and the U.K. Its targets have been internet companies as well as healthcare providers. The attacks involve the delivery of QuiteRAT malware, an improved version of MagicRAT, as well as a new remote access trojan that is being called CollectionRAT, which belongs to the EarlyRAT family. Researchers state that these new approaches help Lazarus “leave fewer distinct traces behind and hence makes attribution, tracking, and the development of effective protective measures harder.”

(Bleeping Computer)

Vulnerabilities in Rockwell ThinManager threaten industrial control systems

Researchers at Tenable discovered the flaws, now tracked as CVE-2023-2914, CVE-2023-2915 and CVE-2023-2917, in ThinManager ThinServer, a thin client and RDP server management software used mostly for human-machine interfaces (HMIs) that control and monitor industrial equipment. Exploitation could lead to denial of service, file deletion, and file uploads. Tenable told SecurityWeek that “the only requirement for exploitation is access to the network hosting the vulnerable server…and that successful exploitation can allow complete attacker control of the ThinServer.” The vulnerabilities were reported to Rockwell, which informed customers about patches on August 17.

(Security Week)

Mississippi hospital system suffers cyberattack

Another day, another hospital system suffers an attack. This time it’s Singing River Health System, which runs three major hospitals and dozens of clinics and centers along the Gulf Coast near New Orleans. A spokesperson has declined to comment on whether ransomware is involved, but states that “all systems are currently offline,” and that the organization is using workarounds, including paper and fax, to serve patients.

(The Record)

NIST publishes draft Post-Quantum Cryptography standards

These standards, published yesterday, are the result of a project that started in December 2016, when NIST invited public input into the post-quantum cryptography (PQC) process in anticipation of Q-Day: the date when quantum computers will be able to break existing cryptographic algorithms. The three Federal Information Processing Standards (FIPS), numbered 203, 204, and 205, are now open for industry feedback with a deadline of November 22 of this year. A link to the NIST announcement is available in the show notes to this episode.

(InfoSecurity Magazine and NIST)

Thanks to this week’s episode sponsor, HyperProof

Is your company scaling? Do you need to quickly add more compliance frameworks but don’t know where to start? Hyperproof has you covered. Hyperproof is a risk and compliance management platform that can help you manage compliance at scale. With Hyperproof, you can quickly add new frameworks, crosswalk controls between frameworks, view your risk posture, and manage your risks, all in one place. Visit hyperproof.io to get started today.

KittenSec claims to pwn anything they see

This new hacktivist group claims numerous attacks on government and private sector organizations in NATO countries, with its stated goal of exposing corruption. According to Cyberscoop, the group has attacked and then posted links to data stolen from targets in Romania, Greece, France, Chile, Panama, and Italy. Tom Hegel, a senior threat researcher at SentinelOne, stated, “these groups are now tools in the hands of nation states, concealing their operations behind hacktivist facades,” but also that many “seek public notoriety,” and while they seek to achieve change, “their impact often falls short of their goals.”

(Cyberscoop)

Thousands of unpatched Openfire XMPP servers still exposed

A new report from VulnCheck states that thousands of Openfire XMPP servers remain unpatched against CVE-2023-32315 and are susceptible to a new exploit. The vulnerability, which could permit unauthenticated access to restricted pages, affects all versions of the software released since April 2015, starting with version 3.10.0. Its developer, Ignite Realtime, fixed the issue earlier this May with the release of versions 4.6.8, 4.7.5, and 4.8.0. A Shodan scan performed by VulnCheck revealed more than 6,300 internet-accessible Openfire servers, with half of these running the vulnerable versions.

(The Hacker News)
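For defenders checking their own inventory, the version boundaries in the item above (affected from 3.10.0, fixed in 4.6.8, 4.7.5 and 4.8.0) can be turned into a simple triage check. This is an added example, not code from VulnCheck or Ignite Realtime; the branch-by-branch range logic is inferred from the item and the host list is constructed, so confirm against the vendor advisory before acting on the result.

```python
# Added example: triage Openfire versions against the CVE-2023-32315 fix releases
# named in the item (4.6.8, 4.7.5, 4.8.0). Range logic inferred from the item.
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (3, 10, 0)       # item: affected from 3.10.0 onward
FIXED_IN_BRANCH: Dict[Tuple[int, int], Version] = {
    (4, 6): (4, 6, 8),                      # 4.6.x branch patched at 4.6.8
    (4, 7): (4, 7, 5),                      # 4.7.x branch patched at 4.7.5
}
FIXED_LINE: Version = (4, 8, 0)             # 4.8.0 and later carry the fix


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]'; trailing suffixes such as '-beta' are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version: str) -> bool:
    """True if the release falls inside the affected range stated in the item."""
    v = parse_version(version)
    if v < FIRST_AFFECTED or v >= FIXED_LINE:
        return False                         # pre-3.10.0, or 4.8.0 and later
    fixed = FIXED_IN_BRANCH.get(v[:2])
    if fixed is not None:
        return v < fixed                     # 4.6.x / 4.7.x: fixed only from that release
    return True                              # any other release between 3.10.0 and 4.6.7


def recommended_fix(version: str) -> str:
    """Smallest fixed release on the host's branch; other branches go to 4.8.0."""
    target = FIXED_IN_BRANCH.get(parse_version(version)[:2], FIXED_LINE)
    return "%d.%d.%d" % target


# Constructed sample inventory (hostnames are placeholders, not real systems).
SAMPLE_INVENTORY: Dict[str, str] = {
    "xmpp-01.example.test": "4.6.7",
    "xmpp-02.example.test": "4.7.5",
    "xmpp-03.example.test": "4.8.1",
    "xmpp-04.example.test": "4.2.3",
}


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, running version, fix to apply) for hosts still exposed."""
    return sorted((h, v, recommended_fix(v)) for h, v in inventory.items() if is_vulnerable(v))
```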

Google Chrome to warn when downloaded extensions are declared malware

A new feature currently being tested in the Chrome browser will issue a warning to users who have installed an extension that has since been removed from the Chrome Web Store. This is intended as a kind of reactive warning, since users who downloaded scam extensions may not be aware that the extension has been removed, given that detecting and removing such extensions is a never-ending activity for Google. The feature is intended to ship in Chrome 117, but is available for testing in Chrome 116 by enabling the ‘Extensions Module in Safety Check’ feature.

(Bleeping Computer)

Parmesan producers fight fakes with microtransponders

The famous and ancient cheese officially called Parmigiano Reggiano is loved around the world for its distinctive flavor, and also holds PDO status, which means that, like champagne from France and port wine from Portugal, only the cheese produced in the Italian provinces of Parma and Reggio Emilia can use this name. This has naturally given rise to a flourishing trade in counterfeit parmesan, whose $2Bn/year revenue matches that of the original. PDO producers are now inserting US-made microtransponders the size of a grain of salt into the QR labels found on the rind of the cheese wheels, to act as anchors back to where each individual cheese wheel was made.

(The Guardian)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.