Cyber Security Headlines: HP’s bricked printers, PyPi repository attack, Samsung security flaw

HP rushes to fix bricked printers after faulty firmware update

A bad firmware update has been bricking HP OfficeJet printers around the world since its release earlier this month. Some customers report seeing a blue screen with “83C0000B” errors on the built-in touchscreen, and this has led to complaints and reports from the U.S., the U.K., Germany, the Netherlands, Australia, Poland, New Zealand, and France. The buggy update appears to install automatically on Internet-connected printers, and HP customers are advised to disconnect their devices from the Internet and wait for a firmware update that fixes the bricking issue.

(Bleeping Computer)

PyPI repository under attack: sign-ups and uploads temporarily halted

The Python Package Index (PyPI), the official third-party software repository for the Python programming language, has temporarily disabled sign-up access for new users, as well as the ability to upload new packages, until further notice. “The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave,” the admins wrote in a statement published May 20. No further details about the malware or the threat actors involved were disclosed.

(The Hacker News)

New security flaw exposed in Samsung devices

CISA is now warning of active exploitation of a medium-severity flaw affecting Samsung devices. Tracked as CVE-2023-21492 (CVSS score: 4.4), it impacts select Samsung devices running Android versions 11, 12, and 13. Samsung described the issue as an information disclosure flaw that could be exploited by a privileged attacker to bypass address space layout randomization (ASLR) protections, a security technique designed to thwart memory corruption and code execution flaws by obscuring the location of an executable in a device’s memory. Little else is known about how the flaw may be exploited, but vulnerabilities in Samsung phones have been weaponized by commercial spyware vendors in the past to deploy malicious software.

(The Hacker News)

ASUS routers knocked offline worldwide by bad security update

A server-side security maintenance error that caused a number of router models to lose network connectivity has resulted in an apology from ASUS to its customers. The problem has been the subject of much discussion on social media platforms and forums, with some people puzzled by the simultaneous connectivity issues on multiple ASUS routers and others complaining about the lack of communication from the vendor. ASUS explained that the problem was caused by an error in the configuration of a server settings file.

(Bleeping Computer)

Thanks to this week’s episode sponsor, Sonrai Security

Did you know that 81% of breaches are due to compromised identities? It’s a sobering statistic and one that enterprise organizations cannot afford to ignore. Sonrai Security has made a name for itself by securing enterprise clouds from the inside out, securing every identity, access, and permission in the cloud. Download Sonrai Security’s new CIEM Buyer’s Guide to learn more about fortifying your cloud from the inside out at sonraisecurity.com.

Food distributor Sysco says cyberattack potentially leaked 125,000 Social Security numbers

Sysco, one of the world’s largest food distributors, suffered a cyberattack that gave hackers access to the PII of more than 125,000 current and former employees. The breach stems from an incident that happened in January. Hackers spent nearly three months in the company’s systems before IT teams discovered the intrusion on March 5. Sysco did not confirm whether the incident was a ransomware attack or which group was involved.

(The Record)

Researchers tie FIN7 cybercrime family to Clop ransomware

Researchers from Microsoft’s security team said they have seen the cybercrime cartel FIN7, which has previously used REvil and Maze for its dirty work, deploying Clop ransomware. This occurred in April and represents its first ransomware campaign following a hiatus that started in late 2021. Microsoft said FIN7, which it now calls Sangria Tempest under its new naming convention, was seen deploying several different tools that gave it a beachhead in its victims’ systems before deploying the Clop ransomware.

(The Record)

Last week in ransomware

A busy week in ransomware saw the emergence of the new ransomware operations Cactus, Akira, and RA Group. Another relative newcomer, Abyss, hit the defense company L3Harris. We also learned about MalasLocker, a ransomware operation that has been targeting Zimbra servers since March, with the unusual extortion tactic of demanding that victims donate to an approved charity to receive a decryptor and prevent a data leak. Also last week, a joint FBI and CISA report confirmed that the BianLian ransomware operation has switched to extortion-only attacks after Avast released a decryptor. Other events of note last week: UK outsourcing company Capita has started telling its customers to assume that their data was stolen in last month’s incident. PharMerica disclosed that a Money Message ransomware attack exposed the data of 5.8 million patients. French tech company LACROIX announced that it was hit by a ransomware attack on May 12th. ScanSource finally confirmed that its multi-day outage was due to a ransomware attack. LockBit ransomware claimed an attack on the pharmaceutical network Farmalink, and Dish Network paid a ransom, saying it has confirmed that the attackers deleted all data stolen in February’s attack.

(Bleeping Computer and Cyber Security Headlines)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.