Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Google’s latest patch rollout for Android is a notable one, with fixes for multiple security flaws including an actively exploited zero-day. This zero-day, tracked as CVE-2023-35674, has been classified as a high-severity privilege escalation flaw that exists in the Android Framework.
In addition to this flaw, there are three other privilege escalation flaws that were present in the Android Framework; all of these were patched as part of this batch of updates and, if exploited, “could lead to local escalation of privilege with no additional execution privileges needed.”
Full details for this month’s batch of updates can be found in the Android Security Bulletin for September.
In August, the Electoral Commission announced that the data of 40 million voters had been exposed to “hostile actors”, who were able to gain access to their email systems and databases. This news comes shortly after the commission was given an automatic fail on their Cyber Essentials audit.
Cyber Essentials is a cybersecurity certification that requires your organisation to pass a basic test. While this is a voluntary audit, it is an effective way of showing your customers that you are following the “minimum best practice” in cybersecurity. Receiving an automatic fail in this audit shows that the Electoral Commission is severely lacking in security, and it is no surprise that they have now suffered a data breach.
Some of the reasons for the automatic fail were:
- 200 Staff Laptops Running Obsolete and Insecure Software
- Corporate Mobile Phones Were Old Unsupported iPhones That No Longer Receive Security Updates
It is unclear if these vulnerable devices were the cause of this attack, but the news of their failed audit almost certainly paints a target on their back for other cybercriminals.
While the majority of the stolen data was already public, a large portion of it belonged to individuals who had opted out of the public list.
Back in November 2022, the LastPass password manager service suffered a breach in which the encrypted and plaintext passwords of more than 25 million vaults were leaked. Since this occurred, there have been concerns over the encrypted passwords being cracked; experts fear that this is now starting to happen almost one year on from the attack. It is believed that criminals are using offline attacks to perform uninterrupted brute force attacks on these master passwords, which means it is only a matter of time before they are revealed.
Though it has been 10 months since the attack, it is likely that users are still using the same password; we urge all LastPass users to update their vault’s master password and enable multi-factor authentication. This is best practice for protecting against account compromises, especially in the event of your password potentially being exposed.
Just Kids Dental alerted authorities due to a security breach on August 8th. This security breach affected a total number of 129,623 potential victims. The targeted data of this breach included names, email addresses, phone numbers, dates of birth, social security numbers, medical records, and health insurance; JKD also stated that “no patient banking or credit card account information was obtained.” Fortunately, no future misuse of the data is expected, but healthcare providers have told the victims and their guardians to remain vigilant against identity theft and fraud.
A company that provides high-security fencing for military bases has been attacked by the well-known LockBit ransomware gang, who stole 10 GB of data from the firm. On August 5-6, hackers were seen exploiting a Windows 7 PC to gain access to the company servers and steal data, which has now been published on the dark web. It is believed that no classified documents were stored on the system, and the stolen data is not considered high risk.
Staff and students at the University of Michigan were warned on Tuesday that they must reset their passwords after a recent security breach. If passwords are not changed by September 12th, UMICH will begin restricting access to accounts. This was communicated to all staff and students in an email sent out by the CISO and CIO; the email stated:
"If you do not change your password, you will not be able to use your UMICH password, including services that use the U-M Weblogin and U-M managed devices. Alumni, retirees and other groups can change their passwords now. Additional information for these groups will be coming soon."
And that’s it for this week’s round-up. Please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #250 – 8th September 2023
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Ironshare is a provider of Information and Cyber Security services.