Secret CISO #12: Florida Sheriff's office ransomware attack jail networks.
Welcome to the twelfth episode of The Secret CISO newsletter, where we bring you the latest news and insights from the world of cybersecurity. In this edition, we have gathered a range of valuable resources, including updates on data breaches, common vulnerabilities and exposures (CVEs), research studies, informative podcasts, and exciting job postings.
Our team of experienced CISOs has carefully curated this content with a focus on delivering relevant and actionable insights for fellow CISOs. Whether you are a seasoned cybersecurity professional or just starting in the field, our newsletter is designed to keep you informed and up-to-date with the latest developments in the industry. We hope you find this edition informative and valuable, and we encourage you to share it with your colleagues and peers.
Let's dive in!
1. Data Breaches
Canadian finance giant TMX's breach impacts 4.8 million people; LockBit ransomware disrupts Florida County Sheriff's Office; Dutch software provider Nebu's breach affects major clients; Ithaca College students' bank accounts hacked after ticketing software breach; and Israel's Technion University suffers a DarkBit ransomware attack.
Canadian Finance Giant TMX Suffers Massive Breach
TMX, a Canadian finance giant, discloses a data breach impacting 4.8 million people, with hackers breaching its systems in December 2022 but remaining undetected until February 2023.
Florida County Sheriff's Office Rocked by LockBit Ransomware Attack
Washington County Sheriff's Office experiences a ransomware attack, resulting in the disruption of its app, finance system, and jail networks between February and March 2023.
Read more: https://www.scmagazine.com/brief/ransomware/lockbit-exposes-florida-county-sheriffs-office-data
Dutch Customer Survey Software Provider Nebu Hit by Data Breach
Nebu, a customer survey software provider, suffers a data breach affecting major clients such as Nederlandse Spoorwegen, VodafoneZiggo, ArboNed, Heineken, International Film Festival Rotterdam, and more.
Students' Bank Accounts Hacked After Ticketing Software Breach
Ithaca College students' credit and debit card information is compromised and funds stolen due to a ticketing software breach following a concert at Cornell University.
Read more: https://theithacan.org/news/students-bank-accounts-hacked-because-of-ticketing-software-breach
DarkBit Ransomware Attack Affects Israel’s Technion University
Technion University in Israel is hit by a ransomware attack, with the cybercriminal group DarkBit demanding 80 bitcoins as ransom and putting the university's data for sale.
2. Top CVE
IntelliJ IDEA's unsandboxed Chromium (CVE-2022-48432); Nextcloud's permission escalation (CVE-2023-25817); Cal.com's account takeover (CVE-2023-1647); Apache InLong's deserialization vulnerability (CVE-2023-27296); and Infoline Project Management System's SSRF issue (CVE-2023-1725).
- IntelliJ IDEA Sandboxing Issue - CVE-2022-48432The bundled version of Chromium in JetBrains IntelliJ IDEA before 2023.1 wasn't sandboxed, potentially exposing users to security risks. Update to the latest version to mitigate the issue. Read more: https://www.jetbrains.com/privacy-security/issues-fixed/
- Nextcloud Permission Escalation - CVE-2023-25817Nextcloud server versions 24.0.0 to 24.0.9 have a vulnerability that allows users to escalate their permissions and delete files they shouldn't be able to. Update to version 24.0.9 to resolve the issue. Read more: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8v5c-f752-fgpv
- Cal.com Account Takeover - CVE-2023-1647Improper Access Control in the GitHub repository calcom/cal.com prior to 2.7 allows attackers to take over victim accounts by using their email addresses. Update to the latest version to avoid account takeover risks. Read more: https://huntr.dev/bounties/d6de3d6e-9551-47d1-b28c-7e965c1b82b6/
- Apache InLong Deserialization Vulnerability - CVE-2023-27296Apache InLong versions 1.1.0 to 1.5.0 have a Deserialization of Untrusted Data vulnerability, allowing authenticated users to exploit the issue. Update to the latest version or cherry-pick the provided solution to fix it. Read more: https://github.com/apache/inlong/pull/7422
- Infoline Project Management System SSRF - CVE-2023-1725Server-Side Request Forgery (SSRF) vulnerability in Infoline Project Management System versions before 4.09.31.125 allows attackers to exploit the vulnerability. Update to a newer version to prevent SSRF attacks. Read more: https://www.usom.gov.tr/bildirim/tr-23-0187
3. Security Research
The 3CX VOIP client supply chain attack, "Smooth Operator," affected millions of users, while Socksprox uses AI and Kubernetes to optimize bug bounty hunting; a new patch improves CLOUD 3700 F reader compatibility with NFC libraries, a critical SNMP exploit in LibreNMS allows remote code execution, and Google's TAG discovers commercial spyware vendors exploiting 0-days and n-days on popular platforms.
The 3CX Supply Chain Debacle: Unraveling the 'Smooth Operator' Attack
The recent 3CX Voice Over Internet Protocol (VOIP) desktop client supply chain attack, dubbed "Smooth Operator," affected over 600,000 companies and 12 million users. North Korean-linked threat actor Labyrinth Chollima is the prime suspect. The attackers distributed a trojanized update, compromising both Windows and MacOS versions of the software, which then dropped an info-stealing payload. Despite early reports from users, 3CX's initial response was inadequate, dismissing the issue and instructing users to create security exceptions.
Research: https://opalsec.substack.com/p/the-defenders-guide-to-the-3cx-supply
Socksprox: Unleashing Bug Bounty Potential with AI and Kubernetes
Socksprox is a solution to common bug bounty hunting challenges, using a Kubernetes cluster with multiple Dante Socks Proxy nodes to bypass rate-limiting, avoid bans, and manage IP addresses. Developed with the help of ChatGPT, an AI language model, Socksprox demonstrates the potential of AI models to accelerate learning and development in technology. The scalable and cost-effective solution has great potential for enhancing bug bounty hunting and optimizing the experience for developers.
Research: https://blog.ceriksen.com/2023/04/01/leveraging-llms-for-solving-bounty-hunting-pain-points/
Reading SAK and ATQA values using the PC/SC driver with libnfc
The patch improves the compatibility of the CLOUD 3700 F reader with the NFC library by implementing additional functions and updating the code. This change enhances communication and allows the reader to better support various NFC card types.
Patch: https://paste.debian.net/1275841/
Beware the Trap: SNMP Exploit Leads to Remote Code Execution on LibreNMS
A critical security vulnerability has been discovered in LibreNMS, a popular open-source network monitoring solution. An unauthenticated attacker could exploit this vulnerability by sending a single SNMP trap, allowing them to execute arbitrary code remotely. The issue affects LibreNMS versions 22.10.0 and earlier, with a patch available in version 22.11.0. The article provides an in-depth explanation of SNMP, the vulnerability, and its impact, as well as key learnings and recommendations for securing SNMP configurations and using safer template engines.
Research: https://www.sonarsource.com/blog/it-s-a-snmp-trap-gaining-code-execution-on-librenms/
Commercial Spyware Vendors Exploit 0-days and n-days on Popular Platforms
Google's Threat Analysis Group (TAG) has discovered two campaigns using 0-day exploits against Android, iOS, and Chrome. These campaigns show that commercial spyware vendors have increased their capabilities and are enabling dangerous hacking tools to be utilized by governments. Both campaigns were limited and highly targeted, highlighting the importance of timely patching and keeping devices updated.
4. CISO Podcasts
Discover insights on a range of cybersecurity topics, including IRS tax scams, the 3CX supply chain attack, post-pandemic cyber threats, bug bounty programs, and the future of authentication, by tuning in to these five informative podcast episodes.
- The Virtual CISO Moment: A discussion on IRS tax scams, phishing emails, 3CX supply chain attack, and more. Listen: https://podcasts.apple.com/us/podcast/infosec-wrap-up-march-31-2023/id1608185823?i=1000606764452
- Cyber Week in Review: Highlights on the 3CX supply-chain attack, AI pause request, and WiFi protocol flaw. Listen: https://podcasts.apple.com/us/podcast/week-in-review-supply-chain-attack-on-3cx-ai-pause/id1527478719?i=1000606814917
- The Pandemic's Lasting Effects on Cybersecurity: Examining how organizations are coping with emerging cyber threats post Covid-19. Listen: https://soundcloud.com/user-305373143/the-pandemics-lasting-effects-on-cybersecurity-how-much-has-changed-ciso-talks
- How to Find a Good BBP: Tips on determining the quality of a bug bounty program, Acropalypse, and ZDI's Pwn2Own competition. Listen: https://rss.com/podcasts/ctbbpodcast/886550/
- Implementing Secure and Fast Authentication Processes: An insight into current and future authentication trends and low-code/no-code passwordless authentication solutions. Listen: https://www.dchatte.com/podcast/
5. CISO Jobs
Explore diverse CISO opportunities at West Virginia University, Crisis Prevention Institute, and Canonical, with remote options and various focuses on information security, policy standards, and Linux in Morgantown, Milwaukee, and Madison respectively.
Remote Chief Information Security Officer - ITS Information Security
West Virginia University is seeking a CISO with exceptional collaboration, communication, and leadership skills to join their team remotely.
Chief Information Security Officer (CISO)
The Crisis Prevention Institute is hiring a CISO with experience in global Information Security Management and policy standards creation in Milwaukee, WI.
Chief Information Security Officer - Canonical
Canonical is seeking a global cybersecurity leader with a passion for Linux and open source to help secure its corporate operations in Madison, WI.
Final Words
Thank you for reading Secret CISO #12!
If you enjoyed reading this, please consider sharing and recommending it to your colleagues. We hope you enjoyed our new format with 5 picks instead of 3 as it was before and a new CVE section we added recently.
As always, we are glad to share with you our digital token of appreciation, today it is a cyber parrot:
Thank you again for your time and interest in our weekly newsletter!
Always with you in all the cyber challenges, Secret CISO Team.