Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Three individuals have been arrested for their involvement in running a Phishing-as-a-Service platform called ‘16Shop’. The arrests were made by Interpol as part of an operation that also took the 16Shop platform down. Phishing kits sold through the service were used to compromise more than 70,000 users before the takedown this week, with attacks impersonating services such as Apple, PayPal and American Express. One of the three, a 21-year-old Indonesian national, was identified as the site’s primary administrator. This is yet another example of a more proactive stance on cybercrime, and it is great to see active efforts to seek out and shut down these operations rather than only reacting to the phishing campaigns they enable.
The Colorado Department of Higher Education (CDHE) reported on Friday that it was the victim of a ransomware attack over an 8-day period in mid-June. The attack was detected on the 19th of June, and the subsequent investigation found that the attackers had copied data from CDHE systems. “CDHE took steps to secure the network and has been working with third-party specialists to conduct a thorough investigation into this incident,” the department stated, adding that it had “worked to restore systems and return to normal operations.” The data copied in the attack included names, Social Security numbers, student identification numbers, and “other educational records” ranging from bank statements and bills used as proof of address to copies of government IDs, complaints, and police reports. The affected individuals include anyone that:
• Attended a Colorado public high school between 2004-2020
• Attended a public institution of higher education in Colorado between 2007-2020
• Obtained a Colorado K-12 public school educator license between 2010-2014
• Participated in the Dependent Tuition Assistance Program from 2009-2013
• Participated in the Colorado Department of Education’s Adult Education Initiatives programs between 2013-2017
• Obtained a GED between 2007-2011
The CDHE has not clarified how many individuals were affected by the breach, or whether a ransom was paid.
Hospitality Staffing Solutions (HSS), a US hospitality staffing provider serving more than 1,000 properties, has disclosed a data breach. A letter distributed by HSS stated that malicious actors gained access to files containing personal information: “Our review identified files that included your name and one or more of the following: Social Security number, driver’s license number, and/or financial account number.” According to the Maine Attorney General, the breach exposed the data of 104,660 individuals. HSS stated that it will provide victims with free identity protection services for one year, an increasingly common response from organisations that have suffered breaches affecting individuals. Unfortunately, data that has already been stolen is likely to end up on hacking forums, sold to cybercriminals for fraud, identity theft, phishing, fraudulent account opening and similar activity, with little chance of it ever being taken down.
A series of zero-day vulnerabilities dubbed ‘BitForge’ have been found to affect threshold-signature (multi-party computation) protocols used by popular cryptocurrency wallet providers. The affected protocols, GG-18, GG-20 and Lindell 17, are used by providers such as Coinbase, ZenGo, Binance and others. If exploited, an attacker could extract the private key and drain funds straight from a wallet, without any interaction from the owner beyond normal signing activity.
The Fireblocks Cryptography Research Team discovered these vulnerabilities back in May 2023; however, they were not publicly disclosed until this week. A recent statement confirmed that both Coinbase and ZenGo patched the flaws before the public disclosure date; despite this, many wallet providers are still reported to be vulnerable, including Binance. If you rely on a wallet built on one of these protocols, check with the provider that their implementation has been updated.
Details on the nature of these vulnerabilities can be found here, if you are interested.
On July 18th Citrix published a patch for a critical (CVSS 9.8) zero-day vulnerability tracked as CVE-2023-3519. The vulnerability allows unauthenticated remote code execution (RCE) on Citrix NetScaler ADC (application delivery controller) and NetScaler Gateway appliances; Citrix notes that an appliance is exposed when it is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server. Since the patch was released, security researchers have published details of how the flaw is exploited, and attackers have increasingly used it to install web shells on exposed appliances as a foothold into corporate networks, with dozens of compromises already recorded. "It's a complex case, given that Citrix is used in a lot of prominent organizations," says Piotr Kijewski, the CEO at Shadowserver. "We saw quite a few big names that were still vulnerable even a few days ago, including hospitals — these kinds of important institutions. So the potential consequences could be big if somebody attacks these organizations with ransomware a month from now." More compromises are expected in the coming weeks, as around 7,000 exposed devices were still awaiting a patch. Anyone running these devices is advised to patch immediately. Bear in mind that patching closes the hole but does not remove a web shell that was dropped before the patch was applied, so appliances that were exposed before July 18th should also be checked for signs of compromise.
This flaw is being tracked as CVE-2023-3519, and details can be found here.
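The post-patch check described above, as an added example that is not Ironshare’s or Citrix’s code: a small triage script in the style of the hunting commands CISA published for CVE-2023-3519. It lists files written under the NetScaler web, VPN and temp paths after an assumed first-exposure date and flags PHP files that contain web-shell primitives. The directory list, the cut-off date, the grep patterns and the script name are all assumptions to be tuned for your own deployment; run it from a shell on the appliance.

```shell
#!/bin/sh
# Added triage example for CVE-2023-3519 (not Citrix's or Ironshare's code).
# Two checks: files modified after an assumed first-exposure date, and PHP
# files containing primitives that almost never belong in the NetScaler GUI
# tree. Paths, cut-off date and patterns are assumptions; tune to your site.

CUTOFF="${CUTOFF:-2023-07-01}"   # assumed first-exposure date; set your own

# Directories reported as drop locations for post-exploitation web shells
# (assumed from public reporting; add any path your deployment serves).
NS_DIRS="/netscaler/ns_gui /var/vpn /var/netscaler/logon /var/tmp"

# PHP calls that are a strong web-shell signal in this tree (assumed list).
SHELL_RE='eval\(|base64_decode\(|system\(|shell_exec\(|passthru\(|popen\(|proc_open\('

# recent_files DIR: print files under DIR modified after $CUTOFF.
# Returns 1 if any were found, 0 if none (or if DIR does not exist).
recent_files() {
    dir="$1"
    [ -d "$dir" ] || return 0
    found=$(find "$dir" -type f -newermt "$CUTOFF" 2>/dev/null) || true
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# webshell_candidates DIR: print PHP files under DIR matching $SHELL_RE.
# Returns 1 if any were found, 0 otherwise.
webshell_candidates() {
    dir="$1"
    [ -d "$dir" ] || return 0
    hits=$(find "$dir" -type f -name '*.php' \
               -exec grep -lE "$SHELL_RE" {} + 2>/dev/null) || true
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# scan_dirs DIR...: run both checks over each directory and summarise.
# Returns 1 if anything suspicious turned up, 0 if everything looked clean.
scan_dirs() {
    status=0
    for d in "$@"; do
        echo "== $d: files modified after $CUTOFF"
        recent_files "$d" || status=1
        echo "== $d: PHP files containing web-shell primitives"
        webshell_candidates "$d" || status=1
    done
    if [ "$status" -eq 0 ]; then
        echo "Nothing suspicious found; still patch, and review ns.log and httpaccess.log."
    else
        echo "Suspicious files found: treat the appliance as compromised and preserve it for forensics."
    fi
    return "$status"
}

# Usage on the appliance: sh netscaler_hunt.sh --run   (script name is assumed)
if [ "${1:-}" = "--run" ]; then
    scan_dirs $NS_DIRS   # unquoted on purpose: split the space-separated list
fi
```

A hit from either check is a reason to isolate the appliance and take a forensic image before rebuilding, not a reason to delete the file; an empty result only means these two heuristics found nothing, so the appliance logs and any reverse-proxy logs in front of it should still be reviewed for the exposure window.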
Patch Tuesday is here again with a whole host of patches for August. This month sees a reduction in patched vulnerabilities, with 76 fixed, a significant decrease from the 130 reported last month. A total of 6 critical, 68 important and 2 moderate vulnerabilities were patched, of which 5 were publicly disclosed and 6 were seen exploited in the wild.
See here for our round-up of this month’s batch of Microsoft security updates!
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #246 – 11th August 2023
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Ironshare is a provider of Information and Cyber Security services.