In today’s cybersecurity news…
Seattle Airport issues travelers’ advisory for Labor Day travel
The cyberattack that hit Seattle-Tacoma International Airport last week has forced the airport to warn passengers to pack extra patience as they travel today. Baggage systems and information screens are either down or are partially operational, and airport personnel are using handwritten boarding passes and dry erase boards for flight information. The airport said Frontier, Spirit, Sun Country, JetBlue and international airlines are specifically affected.
SQL injection able to bypass airport TSA security checks
Two security researchers have identified a vulnerability in a security system that, according to BleepingComputer, “allowed unauthorized individuals to potentially bypass airport security screenings and gain access to aircraft cockpits.” The researchers, Ian Carroll and Sam Curry, found the vulnerability within a third-party web-based service called FlyCASS, which stands for Cockpit Access Security System (CASS). Some airlines use it to manage their Known Crewmember (KCM) program, which itself is a TSA initiative that “allows pilots and flight attendants to skip security screening, and also allows authorized pilots to use jump seats in cockpits when traveling.” The researchers saw that the FlyCASS login system was susceptible to SQL injection, which allowed them to log in as an administrator for a participating airline and manipulate employee data within the system.
North Korea uses FudModule Rootkit in Chrome zero-day exploit
The high-severity flaw in Google Chrome and other Chromium web browsers, which we reported on in late August as having been patched by Google, has been exploited as a zero-day by a North Korean operation affiliated with the Lazarus Group. The group has been using it to deliver the FudModule rootkit, which is used to “establish admin-to-kernel access to Windows-based systems to allow read/write primitive functions and perform direct kernel object manipulation.”
Voldemort malware implants itself on Google Sheets
A new report from Proofpoint describes a new malware that is being distributed by email appearing to be from tax agencies in the U.S., Europe, and Asia, mostly to organizations in the insurance, aerospace, transportation, and education sectors. Once the phishing process is successfully followed, Voldemort uses Google Sheets as a command and control server, “pinging it to get new commands to execute on the infected device and as a repository for stolen data.” According to BleepingComputer, this technique reduces the likelihood of network communication being flagged by security tools. As Google Sheets is commonly used in the enterprise, it also makes blocking the service impractical.
Toronto school board confirms students’ info stolen in June attack
Following up on a story we covered in June, the Toronto District School Board, Canada’s largest school board and the fourth largest school board in North America, confirmed last week that student information was accessed in a ransomware attack discovered in June. At the time, Board officials stated the attack was on a technology testing environment separate from the board’s official networks. An update now says that an unstated number of students from the 2023/2024 school year did have information in that test environment, including name, school attended, student number and date of birth. The LockBit ransomware gang has claimed credit for the attack. Their leak site post is giving the TDSB 13 days to pay an undisclosed ransom.
GitHub comments push malware masked as fixes
The Lumma Stealer information-stealing malware is being distributed via comments posted on GitHub, disguised as solutions to users’ project questions. The solution, which according to one researcher was sent out 29,000 times over a three-day period, tells people to “download a password-protected archive from a specific website and run the executable within it.” The password is supplied in the message. The downloaded malware aims to steal “cookies, credentials, passwords, credit cards, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium browsers,” as well as cryptocurrency wallets, private keys, and text files.
CISA co-hosts election security tabletop exercise
For the seventh year in a row, CISA, along with the National Association of Secretaries of State and the National Association of State Election Directors, has hosted a tabletop security exercise to improve election security. Named Tabletop the Vote, its purpose is to “unite private sector partners as well as federal, state and local officials to enhance election security efforts. Participants in the exercise shared best practices for incident planning, preparation, identification, response and recovery for both cyber and physical incidents.”
RansomHub continues to gain strength
According to a joint security advisory from CISA, the FBI, the United States Department of Health and Human Services, and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the RansomHub ransomware gang has claimed at least 210 victims since starting up in February, and is emerging as a successor to LockBit and ALPHV/BlackCat. As a suspected rebrand of the Knight ransomware gang, it has become the partner of choice for sophisticated groups such as Scattered Spider, and its affiliates do not discriminate, being willing to victimize any organization, including critical infrastructure and emergency services. CISA’s advisory is intended to inform security specialists about the group’s TTPs.






