CISA releases repository security framework
The recent wave of software supply chain attacks shows that hardening the open-source ecosystem remains a tough nut to crack. That’s why it’s big news that CISA partnered with the Open Source Security Foundation’s Securing Software Repositories Working Group to release a framework. The Principles for Package Repository Security lays out four security maturity levels for package repositories across the categories of authentication, authorization, general capabilities, and command-line tooling. These range from level 0, with very little maturity, to level 3, which requires measures such as MFA for all maintainers. The framework’s authors say every package repository should be working toward at least level 1 right now.
(The Hacker News)
Ransomware takes down Romanian healthcare management system
The Romanian Ministry of Health disclosed that a ransomware attack took its Hipocrate Information System (HIS) offline, with many of its databases encrypted. The system manages medical activity and patient data. Twenty-one hospitals were directly affected by the attack, and 79 others went offline as a precaution. The facilities stayed operational by falling back to paper records. The Romanian National Cyber Security Directorate said the attackers used a Phobos ransomware variant called Backmydata.
Ivanti flaw used to deploy backdoor
Stop me if you’ve heard this one before: there’s an Ivanti zero-day under active exploitation. Last week we covered the new zero-day affecting Ivanti Connect Secure, Policy Secure, and ZTA gateways. Now Orange Cyberdefense confirms attackers have begun exploiting it, having found a group using the server-side request forgery flaw to install a new backdoor called DSLog. The backdoor appeared earlier this month on appliances that had Ivanti’s interim mitigation applied but had not yet been patched. Attackers use DSLog to execute commands as root.
Russia reportedly using Starlink on the front lines
Ukraine’s GUR military intelligence unit announced on its Telegram channel that intercepted radio communications show Russia using SpaceX’s Starlink satellite internet in active combat areas. The GUR had seen intermittent use of Starlink before, but said it is now “starting to take on a systemic nature.” SpaceX CEO Elon Musk denied selling Starlink terminals directly to Russia, although some Russian volunteer groups online have claimed to buy terminals for troop use. SpaceX previously supplied terminals to Ukraine for military use but geofenced usage in contested areas. The Russian government says Starlink isn’t certified in the country and should not be used.
Hive snitches get 10 million wishes
The US is no stranger to putting a bounty on a threat actor’s head. Now the US Department of State has updated its Transnational Organized Crime Rewards Program to offer up to $10 million for information on the leaders of the Hive ransomware group. It is also targeting lower-level members, offering up to $5 million for information leading to the arrest of anyone who participated in Hive’s activity outside of its leadership. This comes after an international law enforcement effort took down Hive’s operations early last year, including distributing decryption keys to victims.
Azure accounts targeted in new campaign
Researchers at Proofpoint released an advisory stating that threat actors have been targeting operational and executive roles in Microsoft Azure environments with spearphishing attacks since November 2023. The emails carry shared-document lures that redirect users to a credential phishing site, and the attackers then use the stolen credentials to sign in to Microsoft 365 apps. Once an account is compromised, the attackers manipulate its MFA settings, commit fraud, and steal data. Proofpoint estimates the campaign has targeted dozens of Azure environments, resulting in hundreds of compromised accounts.
(Infosecurity Magazine, Proofpoint)
Researchers exploit ransomware encryption flaw
A group of researchers from the Korea Internet & Security Agency, or KISA, disclosed a flaw in the encryption scheme used by the Rhysida ransomware group. Rhysida launched operations in mid-2023, targeting healthcare organizations and using intermittent encryption. The researchers found that the ransomware’s random number generator was seeded with a 32-bit value derived from the system’s current time. That leaves only about four billion possible seeds, and far fewer once the infection time is narrowed down, which allowed the researchers to regenerate the encryption key and decrypt data. KISA released an automated decryption tool for Windows as well as full technical documentation.
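To show why a clock-seeded 32-bit seed is fatal, here is an added, self-contained example that is not KISA’s tool or Rhysida’s code. It uses a constructed toy cipher (a SHA-256 keystream XORed over the file) that stands in for the real scheme; the only property it shares with the reported flaw is that the entire key is determined by a 32-bit seed taken from the clock. The sample file, the infection timestamp and the known plaintext prefix are all constructed for the demonstration. Recovery searches the seeds around an estimated infection time and confirms a candidate by checking that the decrypted prefix matches a known file header.

```python
import hashlib
import struct

# Constructed sample "victim file": a PDF-like header followed by filler.
SAMPLE_PLAINTEXT = b"%PDF-1.7\n" + b"constructed sample document body " * 4
# Constructed infection time (a 32-bit Unix timestamp) used as the weak seed.
INFECTION_TIME = 1707753600
# Known plaintext: PDF files start with this header, so it can be used as a check.
KNOWN_PREFIX = b"%PDF-1.7\n"


def key_from_seed(seed: int) -> bytes:
    """Derive a 32-byte key from a 32-bit seed.

    Stand-in for a PRNG seeded with the clock: any seed in range(2**32)
    maps deterministically to exactly one key, so the key space is the
    seed space, not 2**256.
    """
    return hashlib.sha256(struct.pack("<I", seed & 0xFFFFFFFF)).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """XOR data against the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def encrypt_like_toy_ransomware(plaintext: bytes, seed: int) -> bytes:
    """What the (toy) ransomware does: seed from the clock, derive key, encrypt."""
    return xor_crypt(plaintext, key_from_seed(seed))


def recover_seed(ciphertext: bytes, known_prefix: bytes,
                 approx_time: int, window: int):
    """Brute-force the seed in [approx_time - window, approx_time + window].

    approx_time would come from file modification times or ransom note
    timestamps on a real system; window is how uncertain that estimate is.
    Even the full 2**32 space is within reach of a few CPU-hours, but a
    narrowed window makes recovery instantaneous.
    """
    head = ciphertext[:len(known_prefix)]
    for seed in range(approx_time - window, approx_time + window + 1):
        key = key_from_seed(seed)
        # Only the first len(known_prefix) bytes of keystream are needed to test.
        if xor_crypt(head, key) == known_prefix:
            return seed
    return None


def decrypt_with_seed(ciphertext: bytes, seed: int) -> bytes:
    """Once the seed is known, the key and the full plaintext follow."""
    return xor_crypt(ciphertext, key_from_seed(seed))


def demo():
    """Encrypt the sample, then recover it knowing only a rough infection time."""
    ciphertext = encrypt_like_toy_ransomware(SAMPLE_PLAINTEXT, INFECTION_TIME)
    # Analyst's estimate is off by 30 minutes, with an hour of uncertainty each way.
    seed = recover_seed(ciphertext, KNOWN_PREFIX, INFECTION_TIME + 1800, 3600)
    recovered = decrypt_with_seed(ciphertext, seed) if seed is not None else None
    return seed, recovered


if __name__ == "__main__":
    found_seed, plaintext = demo()
    print("recovered seed:", found_seed)
    print("plaintext matches:", plaintext == SAMPLE_PLAINTEXT)
```

The search is cheap because each candidate costs two hash computations, and the known file header rejects wrong seeds immediately. A correctly built ransomware would draw its key from an OS CSPRNG rather than from anything an analyst can estimate, which is exactly the mistake the KISA researchers exploited.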
Sudo comes to Windows 11
Last week we covered that an Insider build of Windows Server showed an option to enable sudo, the familiar Unix command for running a command with elevated privileges. Now Microsoft has confirmed that an early preview of the feature is coming to Windows 11. Microsoft Product Manager Jordi Adoumie called it an “ergonomic and familiar solution” for elevating privileges. The latest Windows 11 Insider build offers the option to enable sudo under developer settings. Microsoft also plans to open source its sudo work on GitHub.
(The Hacker News)