Cyber Security Today, April 3, 2024 – New Linux vulnerability is found, and a must-read ransomware case study

A new Linux vulnerability is found and a must-read ransomware case study.

Welcome to Cyber Security Today. It’s Wednesday, April 3rd, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.

Following on the shattering discovery of a backdoor hidden in an open-source Linux compression utility comes news of a new Linux vulnerability. It’s in the util-linux package, and it’s been around since 2013. Briefly, the vulnerability allows a user’s password to be leaked. So far, says the researcher who discovered the hole, Ubuntu 22.04 is affected. Linux administrators should check with their distribution creators to see if their servers are affected.

An organization dedicated to cybersecurity has admitted a misconfigured server led to a data breach. The Open Worldwide Application Security Project, more commonly known as OWASP, says the misconfiguration was in an old Wiki web server. Copied was a decade-old list of resumes of members who joined between 2006 and 2014. They gave their resume as part of their membership application, which included names, email addresses, physical addresses and phone numbers. OWASP no longer collects resumes when members join. The incident was discovered in late February.

You may not have realized, but Google has been collecting browsing activity when you switch into Incognito Mode. Now, to settle a class action lawsuit, it’s going to delete that data. The suit alleged browsing data was collected without the knowledge of users. According to Time, Google says it never associated this data with users who are in Incognito Mode. News that there would be a settlement was announced in December. The details were only released on Monday.

The Rhysida ransomware gang has taken credit for an attack on MarineMax, an American boat retailer with branches in 13 U.S. states. According to Security Week, the gang is auctioning allegedly stolen data.

A small Michigan school board temporarily closed its doors Monday after being hit by a cyber incident. Traverse City Area Public Schools said it disconnected access to the IT network and began a comprehensive investigation.

Finally, the authors behind the DFIR Report have produced a detailed case study of a ransomware attack in 2023 against an unnamed company that should be read. Briefly, it started with an employee clicking on an infected attachment that was hosted on a Microsoft OneNote server. Threat actors are using malicious OneNote attachments to get around email security gateways that would see OneNote as a legitimate source of messages. In this case the malicious document led to the download of a Windows dynamic link library, or DLL, to maintain persistence. Interestingly, after that not much happened for 33 days. Then malware was launched, and the AnyDesk remote access software was installed so the attacker could browse through the network. Unfortunately for the victim organization the employee who inadvertently started the thing was a member of the domain administrators group, which helped the attacker gain access privileges. From there … well, I’ll give away the ending: The attacker exfiltrated data, and only encrypted two of the organization’s servers: The file server and the backup server. There’s a lot more in the story. This article should be read by anyone in IT, or studying for a career in IT, on how a cyber attack is carried out. There’s a link to it — as well as to other stories mentioned in today’s episode — in the text version of this podcast at ITWorldCanada.com.
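Editor’s added example (not part of the podcast transcript and not code from the DFIR Report): the chain described above has three points a detection team can look for in endpoint telemetry. An Office or OneNote process spawning a DLL-hosting binary such as rundll32, a remote-access tool like AnyDesk appearing on a host where it is not approved, and the account involved sitting in a domain-admin group. The script below runs those three rules over a handful of constructed, Sysmon-style process-creation records and a constructed group lookup; the hostnames, account names, file paths, timestamps and the allowlist are all invented for illustration. It also reports the gap between the first and last hit, because a quiet month between initial access and hands-on activity, as in this case, is a reason to widen the timeline search rather than to close the ticket.

```python
"""Triage rules for an OneNote -> DLL -> remote-access-tool intrusion chain.

All events, group memberships and the host allowlist below are constructed
sample data for this example; they are not taken from the DFIR Report."""
from datetime import datetime

# Office apps rarely have a legitimate reason to launch rundll32/regsvr32.
OFFICE_PARENTS = {"onenote.exe", "winword.exe", "excel.exe", "outlook.exe"}
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
REMOTE_TOOLS = {"anydesk.exe"}
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}

# Constructed Sysmon-style process-creation records (event ID 1, simplified).
EVENTS = [
    {"ts": "2023-01-05T09:12:03Z", "host": "WS-1042", "user": "CORP\\jdoe",
     "parent": "ONENOTE.EXE", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.dll,Start"},
    {"ts": "2023-01-05T09:12:09Z", "host": "WS-1042", "user": "CORP\\jdoe",
     "parent": "ONENOTE.EXE", "image": "msedge.exe",
     "cmdline": "msedge.exe https://intranet.example/"},  # benign: a link click
    {"ts": "2023-01-20T11:00:00Z", "host": "WS-2001", "user": "CORP\\asmith",
     "parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},
    {"ts": "2023-02-07T14:30:11Z", "host": "WS-1042", "user": "CORP\\jdoe",
     "parent": "cmd.exe", "image": "AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"},
]

# Constructed directory lookup: group membership per account.
GROUPS = {"CORP\\jdoe": ["Domain Users", "Domain Admins"],
          "CORP\\asmith": ["Domain Users"]}

# Constructed allowlist: hosts where a remote-access tool is expected.
APPROVED_REMOTE_HOSTS = {"HELPDESK-01"}


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def office_spawned_dll_host(ev):
    """Office/OneNote launching rundll32 or regsvr32: the attachment-to-DLL step."""
    return ev["parent"].lower() in OFFICE_PARENTS and ev["image"].lower() in DLL_HOSTS


def unapproved_remote_tool(ev, approved_hosts=APPROVED_REMOTE_HOSTS):
    """Remote-access tool started on a host that is not on the allowlist."""
    return ev["image"].lower() in REMOTE_TOOLS and ev["host"] not in approved_hosts


def is_privileged(user, groups=GROUPS):
    """True if the account belongs to a domain- or local-admin group."""
    return any(g.lower() in PRIVILEGED_GROUPS for g in groups.get(user, []))


def analyze(events=EVENTS, groups=GROUPS, approved_hosts=APPROVED_REMOTE_HOSTS):
    """Run the rules in timestamp order and return one finding per hit.

    A hit involving a privileged account is raised to critical: that is the
    difference between one workstation and the whole domain being at risk."""
    findings = []
    for ev in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        if office_spawned_dll_host(ev):
            rule = "office-spawned-dll-host"
        elif unapproved_remote_tool(ev, approved_hosts):
            rule = "unapproved-remote-access-tool"
        else:
            continue
        findings.append({
            "ts": ev["ts"], "host": ev["host"], "user": ev["user"], "rule": rule,
            "severity": "critical" if is_privileged(ev["user"], groups) else "high",
            "cmdline": ev["cmdline"],
        })
    return findings


def dwell_days(findings):
    """Whole days between the first and last finding on the timeline."""
    if len(findings) < 2:
        return 0
    stamps = [_parse_ts(f["ts"]) for f in findings]
    return (max(stamps) - min(stamps)).days


if __name__ == "__main__":
    hits = analyze()
    for f in hits:
        print(f"{f['ts']} {f['severity']:8} {f['rule']:30} {f['host']} {f['user']}")
    print(f"dwell between first and last hit: {dwell_days(hits)} days")
```

On the sample data the two hits both involve the account in the Domain Admins group, so both are reported as critical, and the 33-day gap between them mirrors the quiet period in the case study. In a real deployment the allowlist and group lookup would come from asset inventory and the directory rather than from literals, and the rundll32 rule would be tuned against the specific Office add-ins an environment legitimately loads.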

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.