
Cyber Round-up for 26th May

May 25, 2023

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Cyber Attack on Dorchester School Leaves It Held To Ransom

A cyber attack on Thomas Hardye School in Dorchester has left it unable to use email or accept payments. The attack on the school’s IT services saw ransomware take control of systems. The school has reported that it is unable to pay the ransom requested and is working with the National Cyber Security Centre and the police to resolve the issue. The school says it will stay open and that student education will remain unaffected by the attack.

NCSC Issues Public Advisory With Five Eyes Partners About China State-Sponsored Cyber Attacks

The National Cyber Security Centre has joined the US, Australia, Canada, and New Zealand in an advisory to help organisations detect China state-sponsored activity being carried out against critical national infrastructure networks. The advisory highlights recent activity targeting networks across critical infrastructure in the US and how the same techniques could be used against other countries. The actor (Volt Typhoon) has been observed taking advantage of built-in network administration tools on targets’ systems to evade detection after an initial compromise. The advisory reports potential indicators of compromise to help security teams identify malicious activity. “It is vital that operators of critical national infrastructure take action to prevent attackers hiding on their systems, as described in this joint advisory with our international partners. We strongly encourage providers of UK essential services to follow our guidance to help detect this malicious activity and prevent persistent compromise,” stated Paul Chichester, NCSC Director of Operations.

IT Security Analyst Attempted To Steal Ransomware Payment After Cyber Attack

In February 2018 Oxford Biomedica reported that unauthorized access had been gained to part of the organization's computer systems. This was part of a cyber attack that resulted in ransomware being uploaded to its IT systems. The hackers requested a payment of £300,000 in Bitcoin to stop the ransomware attack. Ashley Liles, a cyber security analyst at Oxford Biomedica, investigated the attack alongside colleagues and the police. It was later discovered that he had attempted to steal the ransomware payment meant for the hackers by using an email address almost identical to the hackers' and changing the payment details. A raid on his home led to the seizure of multiple devices and his arrest. Liles continued to deny any involvement, despite evidence contradicting his claims. He has since admitted his involvement and will be sentenced at Reading Crown Court on July 11.

Google Releases GUAC 0.1 Beta, A Framework For Securing Software Supply Chains

The Graph for Understanding Artifact Composition (GUAC) has been released in beta to help organisations secure their software supply chains. The open-source framework is available as an API for developers to integrate their own tools and policy engines. It aggregates software security metadata from multiple sources into a graph that maps relationships between software components, allowing organisations to understand how different pieces of software depend on and affect one another. “Graph for Understanding Artifact Composition gives you organized and actionable insights into your software supply chain security position. GUAC ingests software security metadata, like SBOMs, and maps out the relationship between software so that you can fully understand your software security position,” Google reports. Ultimately, the aim is to help organisations respond to high-profile supply chain attacks, generate a patch plan, and react swiftly to security compromises.
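To make the idea of "ingest an SBOM, map the relationships, derive a patch plan" concrete, here is a small added example written for this round-up. It is not GUAC's code or API: it parses a constructed CycloneDX-style SBOM (component refs plus dependency edges), builds a dependency graph, and answers the question a patch plan needs answered: which deployable artifacts are transitively affected when one library turns out to be vulnerable. The SBOM document and package names are constructed for the example.

```python
"""Added example: ingest an SBOM, map dependencies, derive a patch plan.

Illustrative code written for this round-up, not GUAC's own code or API.
The SBOM document below is constructed and loosely follows CycloneDX's
"components" / "dependencies" shape.
"""
import json
from collections import defaultdict, deque

# Constructed sample SBOM: two deployable apps sharing a library that in turn
# pulls in a compression library.
SAMPLE_SBOM = json.dumps({
    "components": [
        {"bom-ref": "pkg:app/billing@2.3.0", "name": "billing", "version": "2.3.0"},
        {"bom-ref": "pkg:app/portal@1.0.0", "name": "portal", "version": "1.0.0"},
        {"bom-ref": "pkg:lib/httpclient@4.1", "name": "httpclient", "version": "4.1"},
        {"bom-ref": "pkg:lib/compress@1.2", "name": "compress", "version": "1.2"},
        {"bom-ref": "pkg:lib/logfmt@0.9", "name": "logfmt", "version": "0.9"},
    ],
    "dependencies": [
        {"ref": "pkg:app/billing@2.3.0",
         "dependsOn": ["pkg:lib/httpclient@4.1", "pkg:lib/logfmt@0.9"]},
        {"ref": "pkg:app/portal@1.0.0", "dependsOn": ["pkg:lib/httpclient@4.1"]},
        {"ref": "pkg:lib/httpclient@4.1", "dependsOn": ["pkg:lib/compress@1.2"]},
    ],
})


def build_graph(sbom_json):
    """Return (components, depends_on, depended_by) built from an SBOM document.

    Edges that name a component missing from the component list are rejected,
    because a silently dangling edge would hide part of the blast radius.
    """
    doc = json.loads(sbom_json)
    components = {c["bom-ref"]: c for c in doc.get("components", [])}
    depends_on = defaultdict(set)
    depended_by = defaultdict(set)
    for entry in doc.get("dependencies", []):
        for dep in entry.get("dependsOn", []):
            if entry["ref"] not in components or dep not in components:
                raise ValueError(
                    f"dependency edge references unknown component: {entry['ref']} -> {dep}")
            depends_on[entry["ref"]].add(dep)
            depended_by[dep].add(entry["ref"])
    return components, depends_on, depended_by


def affected_by(ref, depended_by):
    """Every component that transitively depends on `ref` (reverse BFS)."""
    seen, queue = set(), deque([ref])
    while queue:
        current = queue.popleft()
        for parent in depended_by.get(current, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def top_level(components, depended_by):
    """Components nothing depends on: the deployable artifacts a patch plan must cover."""
    return {ref for ref in components if not depended_by.get(ref)}


def patch_plan(sbom_json, vulnerable_ref):
    """Top-level artifacts that must be rebuilt if `vulnerable_ref` is vulnerable."""
    components, _, depended_by = build_graph(sbom_json)
    if vulnerable_ref not in components:
        return set()
    impacted = affected_by(vulnerable_ref, depended_by)
    return impacted & top_level(components, depended_by)


if __name__ == "__main__":
    # A flaw in the compression library reaches both apps through httpclient.
    print(sorted(patch_plan(SAMPLE_SBOM, "pkg:lib/compress@1.2")))
```

The reverse lookup (`depended_by`) is the part that matters for response: a vulnerability is reported against a library, but the things you actually ship are the top-level artifacts, so the graph has to be walked upwards from the affected node to produce a rebuild list.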

Vulnerability News

Patch For Max Severity Flaw In GitLab Available

GitLab is a web-based Git repository platform for developer teams that need to manage their code remotely. A severe flaw in GitLab scoring the maximum CVSS of 10.0 and tracked as CVE-2023-2825 has received a patch in the latest update. A security researcher reported the vulnerability through the project's HackerOne bug bounty program; it is understood to arise from a path traversal problem that allows an unauthenticated attacker to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups. This could expose sensitive data such as custom software code, credentials, tokens, and files. "We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible," reads GitLab's security bulletin. All users are advised to update to version 16.0.1 as soon as possible to stay protected from this critical flaw.
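The class of bug behind this advisory, path traversal when serving stored attachments, is worth seeing alongside its standard fix. The following added example is written for this round-up and is not GitLab's code, nor a reproduction of CVE-2023-2825: it shows a file-serving helper that resolves the requested name under a fixed upload directory and refuses anything that escapes it (via `..`, an absolute path, or a symlink). The directory layout and file contents it builds are constructed for the demonstration.

```python
"""Added example: containing file reads to an upload directory.

Illustrative code for this round-up (not GitLab's implementation). It shows the
defensive pattern that defeats path traversal in an attachment endpoint.
"""
import os
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when a requested name would resolve outside the base directory."""


def resolve_under(base_dir, requested):
    """Resolve `requested` beneath `base_dir`, or raise UnsafePath.

    resolve() canonicalises `..` segments and follows symlinks, so the
    containment check below also catches a symlink that points out of the tree.
    """
    base = Path(base_dir).resolve()
    if "\x00" in requested or Path(requested).is_absolute():
        raise UnsafePath(requested)
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise UnsafePath(requested)
    return candidate


def safe_read(base_dir, requested):
    """Read an attachment by user-supplied name, only if it lives under base_dir."""
    path = resolve_under(base_dir, requested)
    if not path.is_file():
        raise FileNotFoundError(requested)
    return path.read_bytes()


def demo():
    """Build a constructed upload tree and exercise safe_read; returns results keyed by request."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp) / "uploads"
        uploads.mkdir()
        (uploads / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        # A file one level above the upload root stands in for "sensitive server data".
        (Path(tmp) / "secret.key").write_bytes(b"constructed secret")
        # A symlink inside uploads pointing outside it.
        os.symlink(Path(tmp) / "secret.key", uploads / "link.key")
        requests = [
            "report.pdf",              # legitimate
            "../secret.key",           # classic traversal
            "sub/../../secret.key",    # traversal through a non-existent segment
            "link.key",                # symlink escape
            "/etc/passwd",             # absolute path
            "missing.pdf",             # inside the tree but absent
        ]
        for req in requests:
            try:
                results[req] = safe_read(uploads, req)
            except UnsafePath:
                results[req] = "rejected"
            except FileNotFoundError:
                results[req] = "missing"
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:28} -> {outcome!r}")
```

The check is done on the canonical path after resolution rather than by string-matching for `..`, which is what makes the symlink and `sub/../..` cases fall out correctly; a blocklist of patterns is the version of this check that usually ships with a bypass.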

Samsung Warns Of Actively Exploited Vulnerability

A flaw tracked as CVE-2023-21492 has been described by Samsung as a kernel pointer exposure issue related to log files. It is reported to allow a privileged local attacker to bypass the Address Space Layout Randomization (ASLR) exploit mitigation technique. Samsung patched the vulnerability in its May 2023 security update and said that certain devices running Android 11, 12, and 13 were affected. The US’s Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalogue, as Google’s Threat Analysis Group says it has likely been exploited by a commercial spyware vendor since 2021.
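A kernel pointer leaking into a log is easy to miss in review because it is just another hex value. The added example below, written for this round-up and unrelated to Samsung's code or to the specifics of CVE-2023-21492, is the kind of check a device or platform team can run over collected logs: it flags values shaped like 64-bit kernel virtual addresses (upper-half addresses, so beginning with `ffff`) while ignoring ordinary identifiers, CRCs and hashed references. The log lines are constructed for the example.

```python
"""Added example: scanning log output for leaked kernel pointers.

Illustrative code for this round-up. On 64-bit Linux and Android kernels, kernel
virtual addresses sit in the upper half of the address space, so a raw pointer
printed into a log looks like 0xffffXXXXXXXXXXXX. Finding such values in logs a
less-privileged process can read is a signal that an ASLR-weakening leak exists.
"""
import re

# Constructed sample log lines (not captured from any real device).
SAMPLE_LOG = """\
[  12.341] binder: release 1234:1234 transaction 77 in, still active
[  12.355] sensor_hub: ctx at ffffff800a1b2c30 registered
[  12.360] usb: new device id 0x1234:0x5678 (vid:pid)
[  12.380] wlan: firmware crc 0xdeadbeef ok
[  12.402] kmsg: hashed ref 000000004c1f9e2a
[  12.415] gpu: mapping 0xffff0000a2b3c4d5 -> 0xffff0000a2b4c000
"""

# 16 hex digits whose top four are all ones: a plausible 64-bit kernel address.
KERNEL_PTR_RE = re.compile(r"\b(?:0x)?(ffff[0-9a-f]{12})\b")


def find_kernel_pointers(log_text):
    """Return (line_number, address) pairs for every kernel-looking address in the log."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for match in KERNEL_PTR_RE.finditer(line.lower()):
            findings.append((lineno, match.group(1)))
    return findings


def leaking_lines(log_text):
    """Distinct line numbers that carry at least one kernel-looking address."""
    return sorted({lineno for lineno, _ in find_kernel_pointers(log_text)})


if __name__ == "__main__":
    for lineno, addr in find_kernel_pointers(SAMPLE_LOG):
        print(f"line {lineno}: possible kernel pointer {addr}")
```

The regex deliberately does not match `0xdeadbeef` (32-bit) or the `00000000...` value, which is the shape of a pointer the kernel has already hashed for printing; the corrective on the kernel side is to print pointers with `%p`/`%pK` under the `kernel.kptr_restrict` sysctl rather than as raw `%lx` values, and to keep such logs off the paths a normal app can read.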

And that’s it for this week’s round-up. Please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #236 – 26th May 2023

Author

Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
