Archive for the ‘Uncategorized’ Category

Truckers’ Medical Records Leaked

Medical records belonging to truck drivers and rail workers may have been exposed following an alleged cyber-attack on an occupational healthcare provider in Virginia.

Data apparently belonging to employees of the United Parcel Service (UPS) and Norfolk Southern Railroad was published online to a leak site by the gang behind Conti ransomware. The cyber-criminals claimed to have obtained the data during a December cyber-attack on Taylor Made Diagnostics (TMD).

The HIPAA Journal reported that the leaked data includes full names, Social Security numbers, details of medical examinations, drug and alcohol testing reports, and scans of driver’s licenses.

With locations in Chesapeake and Newport News, TMD is an operator of occupational health clinics used by transportation companies and government agencies. The company provides services including drug testing, CPR training, fit-for-duty evaluations, vaccinations, and respirator fit testing.

According to its website, TMD clients include the US military, the US Secret Service, the Naval Special Warfare Development Group, BAE Systems, Old Dominion University, the Social Security Administration, and the Virginia Department of Military Affairs.

While TMD has not verified the alleged attack, FreightWaves reported that among the more than 3,000 TMD files leaked on January 8 were multiple health records for employees at both UPS and Norfolk Southern, dated as recently as December 2020.

In addition, the trucking news source spotted records belonging to employees of US government agencies, defense contractors, and multiple smaller trucking companies.

Norfolk Southern Railroad, which employs nearly 25,000 people in 22 states, said that it was investigating the veracity of the cyber-criminals’ claims.

“The security of our employees’ data is a priority for Norfolk Southern and a requirement for our vendors,” Norfolk Southern spokesperson Jeff DeGraff wrote in an email to FreightWaves.

“Norfolk Southern is looking into the issue but has no further comment at this time.”

UPS, which employs 362,000 people in the US and an additional 82,000 internationally, said it was also looking into the possible data breach.

According to the US Department of Health and Human Services, in December alone, 37 US healthcare providers reported hacking or unspecified information technology incidents that compromised nearly 1.5 million patients.

Source: Infosecurity

France Arrests 14 Over Online Child Sexual Abuse

Fourteen people have been arrested in France as part of a nationwide sweep to combat the sexual exploitation of children online.

The arrests were made by the French Gendarmerie (Gendarmerie nationale) with the support of Europol as part of an operation code-named Horus. All suspects were taken into custody between November 16 and November 20, 2020.

In a statement released yesterday, Europol said: “The alleged suspects used social media networks to approach minors aged between 12 and 13 and lured them into sharing intimate images and videos.”

It is not believed that there were any links between the 14 arrested suspects, three of whom have already been convicted and sentenced.

Operation Horus, which is still ongoing, has so far contributed to the identification of eight potential victims who are minors and resulted in the seizure of 1,058 illicit images.

Over 50 cyber-investigators were brought in to work on the operation to track the online activities of a large volume of users. The investigators’ efforts were coordinated by the French Gendarmerie’s cybercrime center, C3N.

Support provided by Europol included operational analysis and real-time database cross-checks to enable the identification of potential suspects and victims.

Europol said that the investigation was made more complex by the suspects’ frequent swapping of their online pseudonyms.

Statistics published by Europol in June showed that the exchanging of child sexual abuse material (CSAM) had increased sharply during the COVID-19 pandemic.

“With both children and sexual offenders confined at home, law enforcement authorities have seen in the past few months the amount of child sexual exploitation material shared online increasing globally,” said Europol.

“Sex offenders have increased their criminal activities in social media, via peer-to-peer networks and on the darkweb. Attempts to access websites featuring child sexual abuse material, calls to helplines and activities in dark net and surface web chats sharing child abuse material have all increased during the confinement period.”

Europol reported that the amount of webcam footage depicting CSAM had increased considerably in forums accessed by offenders.

“This includes videos depicting forced or coerced children, videos produced by children for peers or for social media attention or others which were captured without their knowledge.”

Source: Infosecurity

Cloud Jacking: The Bold New World of Enterprise Cybersecurity

Increased reliance on cloud computing puts more weight on robust authentication systems to protect data against hijackers.
Source: DarkReading

7 Steps to Secure a WordPress Site

Many companies operate under the assumption that their WordPress sites are secure — and that couldn’t be anything further from the truth.
Source: DarkReading

Exploit Allows Root Access to SAP

A team of enterprise resource planning security experts in Massachusetts has identified a publicly available, functional exploit affecting SAP.

The exploit was discovered by Onapsis Research Labs on the code-hosting platform GitHub, where it had been published by Russian researcher Dmitry Chastuhin on January 14. Researchers said the exploit can be used against SAP SolMan, the administrative system present in every SAP environment, whose role is similar to that of Active Directory in Windows.

The fully functional exploit abuses CVE-2020-6207, listed in the United States’ National Vulnerability Database: a Missing Authentication Check in SAP Solution Manager (User Experience Monitoring) version 7.2, which does not perform any authentication for a service. The vulnerability results in the complete compromise of all SMDAgents connected to the Solution Manager.

A successful attack exploiting this vulnerability could impact an organization’s cybersecurity and regulatory compliance by placing its mission-critical data, SAP applications, and business processes at risk.

“While exploits are released regularly online, this hasn’t been the case for SAP vulnerabilities, for which publicly available exploits have been limited,” wrote Onapsis researchers.

“The release of a public exploit significantly increases the chance of an attack attempt since it also expands potential attackers not only to SAP-experts or professionals, but also to script-kiddies or less-experienced attackers that can now leverage public tools instead of creating their own.”

Because it was created to centralize the management of all SAP and non-SAP systems, SolMan has trusted connections with multiple systems. An attacker who gained access to SolMan could potentially compromise any business system connected to it.

“Unfortunately, since it doesn’t hold any business information, SAP SolMan is often overlooked in terms of security; in some companies, it does not follow the same patching policy as other systems,” noted researchers.

An attacker with control of SAP SolMan could shut down systems, access sensitive data, delete data, cause IT control deficiencies, and assign superuser privileges to any new or existing user.

“It is not possible to list everything that can potentially be done in the systems if exploited, since having admin privileged control in the systems or running OS commands basically make it limitless for an attacker,” wrote researchers.

Source: Infosecurity

CVE-2020-8569

Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when:

– The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass.
– The snapshot-controller crashes, is automatically restarted by Kubernetes, and processes the same VolumeSnapshot custom resource after the restart, entering an endless crashloop.

Only the volume snapshot feature is affected by this vulnerability. When exploited, users can’t take snapshots of their volumes or delete the snapshots. All other Kubernetes functionality is not affected.
Source: NIST

CVE-2020-8570

Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
Source: NIST
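The defect in the CVE-2020-8570 entry above is a missing containment check when an archive received from a pod is unpacked. As an added example, not the Kubernetes Java client's own code, the Python below shows the guard such a copy routine needs: every member name and link target is resolved against the destination before anything is written, and a constructed archive carrying a `../` entry is rejected. The destination directory name and sample archives are assumptions.

```python
import io
import os
import tarfile

def within(base: str, path: str) -> bool:
    """True only if `path` resolves inside `base`, defeating ../ and absolute names."""
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(path)]) == base

def escaping_members(tar: tarfile.TarFile, dest: str) -> list:
    """Names of members whose file, or whose link target, would land outside `dest`."""
    bad = []
    for m in tar.getmembers():
        target = os.path.join(dest, m.name)
        if os.path.isabs(m.name) or not within(dest, target):
            bad.append(m.name)
        elif m.issym() or m.islnk():
            # links are created inside dest but may point outside it; hard link names are archive-relative
            anchor = dest if m.islnk() else os.path.dirname(target)
            if os.path.isabs(m.linkname) or not within(dest, os.path.join(anchor, m.linkname)):
                bad.append(m.name)
    return bad

def audit_archive(archive: bytes, dest: str) -> list:
    """Inspect a tar stream (as a pod-side tar would return it) without writing anything."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        return escaping_members(tar, dest)

def safe_extract(archive: bytes, dest: str) -> int:
    """Extract only when every member stays under `dest`; returns the member count."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        bad = escaping_members(tar, dest)
        if bad:
            raise ValueError(f"refusing archive: members escape {dest!r}: {bad}")
        tar.extractall(dest)  # every name and link target was verified above
        return len(tar.getmembers())

def build_archive(entries: dict) -> bytes:
    """Constructed sample: builds the kind of tar stream a pod-to-local copy receives."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed inputs: a benign copy and one carrying a traversal entry
BENIGN = build_archive({"logs/app.log": b"ok\n", "logs/sub/x.txt": b"x\n"})
MALICIOUS = build_archive({"logs/app.log": b"ok\n", "../../../../tmp/owned": b"pwn\n"})
```

`audit_archive` lets a reviewer list the offending entries of a suspect archive without touching the filesystem; `safe_extract` refuses the whole archive rather than skipping bad members, since a partial extraction is rarely what the caller wants.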

CVE-2020-8567

Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
Source: NIST

CVE-2020-8568

Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets.
Source: NIST

CVE-2020-8554

Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
Source: NIST
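Added example, not part of the NIST entry or of Kubernetes itself: a Python audit over a Service list (the shape of `kubectl get svc -A -o json`, here a constructed sample) that flags the two fields CVE-2020-8554 abuses, `spec.externalIPs` on any Service and `status.loadBalancer.ingress[].ip` on a LoadBalancer, unless they fall inside allowlisted CIDRs the cluster operator is assumed to maintain. The same comparison is what an admission webhook would apply to reject such an object at creation time.

```python
import ipaddress

# Constructed sample in the shape of `kubectl get svc -A -o json`; not taken from a real cluster.
SAMPLE_SERVICES = {"items": [
    {"metadata": {"namespace": "default", "name": "web"},
     "spec": {"type": "ClusterIP", "clusterIP": "10.96.10.1"}},
    {"metadata": {"namespace": "default", "name": "rogue"},
     "spec": {"type": "ClusterIP", "clusterIP": "10.96.10.2", "externalIPs": ["203.0.113.10"]}},
    {"metadata": {"namespace": "prod", "name": "api"},
     "spec": {"type": "LoadBalancer", "clusterIP": "10.96.20.1"},
     "status": {"loadBalancer": {"ingress": [{"ip": "198.51.100.7"}]}}},
    {"metadata": {"namespace": "prod", "name": "shop"},
     "spec": {"type": "LoadBalancer", "clusterIP": "10.96.20.2"},
     "status": {"loadBalancer": {"ingress": [{"ip": "192.0.2.5"}]}}},
]}

def permitted(ip: str, allowed: list) -> bool:
    """True if `ip` lies inside any allowed CIDR (a bare address counts as a /32)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable value is never trusted
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowed)

def audit_services(service_list: dict, allowed_external_ips: list, lb_ranges: list) -> list:
    """Return (namespace/name, field, ip) for every external address the allowlists do not cover.

    spec.externalIPs is checked on every Service type, because any user who may create a
    Service can set it; status.loadBalancer.ingress[].ip is compared with the ranges the
    cloud load balancer is known to hand out, so a patched status stands out.
    """
    findings = []
    for svc in service_list.get("items", []):
        meta = svc.get("metadata", {})
        name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        for ip in svc.get("spec", {}).get("externalIPs") or []:
            if not permitted(ip, allowed_external_ips):
                findings.append((name, "spec.externalIPs", ip))
        ingress = (svc.get("status") or {}).get("loadBalancer", {}).get("ingress") or []
        for entry in ingress:
            ip = entry.get("ip")
            if ip and not permitted(ip, lb_ranges):
                findings.append((name, "status.loadBalancer.ingress[].ip", ip))
    return findings

if __name__ == "__main__":
    # assumption: no externalIPs are sanctioned and the LB hands out 198.51.100.0/24
    for finding in audit_services(SAMPLE_SERVICES, [], ["198.51.100.0/24"]):
        print("suspicious external IP on %s: %s=%s" % finding)
```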