Blog entry by Les Bell

by Les Bell - Tuesday, 11 July 2023, 10:09 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories
Largest NHS Trust Hit By Ransomware

The largest of the UK's National Health Service's trusts, Barts Health NHS Trust, which runs five London hospitals serving over 2.5 million patients, has been hit by a ransomware attack, according to TechCrunch. The Trust is the latest victim to appear on the dark web leak site of ALPHV, also known as BlackCat, with a claimed 70 TB of sensitive data stolen, including employee identification documents such as passports and driver licences, as well as internal emails labeled "confidential".

ALPHV has given the Trust three days to contact them in order to prevent publication of data, "most of it citizens [sic] confidential documents".

This is the second breach of NHS data in recent weeks - the first being the compromise of a dataset containing information on 1.1 million patients across 200 hospitals, which was being used at the University of Manchester for research purposes.

Page, Carly, UK battles hacking wave as ransomware gang claims ‘biggest ever’ NHS breach, TechCrunch, 10 July 2023. Available online at https://techcrunch.com/2023/07/10/uk-hacks-public-sector-nhs-ransomware/.

Exploit Code Available for VMware Aria Operations RCE Vuln

A critical vulnerability in the VMware Aria Operations for Logs analysis tool just became a lot more critical, with the company revealing that exploit code has been published, making exploitation much more likely. The vulnerability - CVE-2023-20864 - is a deserialization vulnerability which could allow an unauthenticated actor with network access to execute arbitrary code with root privileges, meriting a CVSS score of 9.8 (Critical).

VMware released a fix for this vulnerability back in April, so customers who have not yet applied the patch should do so urgently. The vulnerability is not present in Aria Operations for Logs version 8.12.

Uncredited, VMware Aria Operations for Logs (Operations for Logs) update addresses multiple vulnerabilities. (CVE-2023-20864, CVE-2023-20865), security advisory, updated 10 July 2023. Available online at https://www.vmware.com/security/advisories/VMSA-2023-0007.html.

New Infostealer Targets Macs

Yesterday we reported on how Iranian APT, Charming Kitten, quickly put together an infection chain in order to get a backdoor installed on the Macintosh of a specific cyber-espionage target. Now comes a report from Israeli security firm Guardz of a new infostealer which also targets macOS devices.

The stealer, which they have dubbed 'ShadowVault', is being offered in the XSS dark web forum for a fee of $US500 per month. It offers extensive capabilities, including extraction of passwords, cookies, credit cards, wallets and extensions from Chromium-based and Firefox browsers, keychain database extraction, exfiltration of files, decryption of crypto wallets from all browsers, and more. For an additional fee, it can be signed with an Apple development key.

There's a moral here: while Windows systems remain the largest target for infostealers, cybercriminals and cyber-espionage groups are showing increasing interest in Macs, and Apple's customers cannot afford to be complacent about their security.

Goldman, Lauri, Guardz Uncovers A New Threat Targeting macOS – ‘ShadowVault’, blog post, 10 July 2023. Available online at https://guardz.com/blog/guardz-uncovers-a-new-threat-targeting-macos-shadowvault/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
