Air India hack covers ten years and three other airlines

The hack that is currently being attributed to Air India was apparently directed at Atlanta-based SITA Passenger Service System, a company that served Air India, airline representatives said in a statement Friday. The breach, which happened in February, gave attackers access to 10 years’ worth of data including names and passport and credit card information not just from Air India, but also from Singapore Airlines, New Zealand Air, and Lufthansa, potentially affecting 4.5 million passengers. Air India disclosed the scale of the breach nearly three months after it was first informed by the IT provider.

(Security Week)

Wormable Windows IIS vulnerability also affects WinRM on Windows 10 and server systems

Following up on last week's story about the Windows http.sys vulnerability CVE-2021-31166: the flaw is not only a threat to the built-in IIS web server. Security researcher Jim DeVries has reported that it also affects Windows 10 and Windows Server systems running the Windows Remote Management (WinRM) service, an implementation of a firewall-friendly protocol that lets hardware and operating systems from different vendors interoperate. The WinRM service is enabled by default on Windows Server versions 2004 and 20H2, so the issue may pose a serious risk to corporate environments.

(Security Affairs)

Insurance giant CNA pays $40m to ransomware crooks

In March the business revealed it had been hit by an extensive Phoenix Locker infection, a strain of malware developed by Evil Corp. It paid $40m to decrypt its scrambled files. Representatives for the company said, “CNA followed all laws, regulations, and published guidance, including [US Treasury’s Office of Foreign Assets Control] OFAC’s 2020 ransomware guidance in its handling of this matter. Due diligence efforts concluded that the threat actor responsible for the attack is a group called Phoenix. Phoenix is not on any prohibited party list and is not a sanctioned entity.”

(The Register)

Google Chrome crashed worldwide on Windows 10 PCs

On Thursday, some users began reporting that Google Chrome extensions and tabs had suddenly begun crashing while using the browser. In some cases, users reported that Chrome was displaying a gray screen and could not open the Settings or Extensions pages of the browser in regular and Incognito browsing modes. Mitigation steps fixed the problems for some users, while having no effect for others. It is not clear what caused the crashes, but it is common for Google to push out configuration changes or new features to Google Chrome users in limited tests. One of these tests or configuration changes may have been the cause.

(Bleeping Computer)

Thanks to our episode sponsor, Sumo Logic

It’s time to rethink your security for digital transformation success. Register for Sumo Logic’s Modern SOC Summit June 8-9 to debate, discuss and share best practices for modernizing security operations for the rapidly evolving threat landscape. Reserve your spot for this virtual event at sumologic.com and click on the link at the top of the screen.

FBI analyst charged with stealing counterterrorism and cyberthreat info

The U.S. Department of Justice (DoJ) has charged Kendra Kingsbury, 48, with two counts of having unauthorized possession of documents relating to the national defense, according to an unsealed indictment that was made public on Friday. Kingsbury worked as an intelligence analyst in the FBI’s Kansas City Division for more than 12 years, until her suspension in 2017. Some of these documents involve specifics about open investigations, human sources, and intelligence gaps pertaining to hostile foreign intelligence services and terrorist outfits, and the technical capabilities the FBI possesses to neutralize counterterrorism targets.

(The Hacker News)

DarkSide getting taken to ‘Hackers’ Court’ for not paying affiliates

A shadow court system for hackers shows how professional ransomware gangs have become. DarkSide is suspected of being responsible for the Colonial Pipeline attack. Cybercriminals who have worked as affiliates with the group, and who are now having a tough time getting paid for their work, have taken DarkSide to Hackers' Court. John Hammond, a senior security researcher with Huntress, told Threatpost, “cybercrime groups have to be selective and handpick members of their cohorts – they take their work seriously, and obviously it can be a lucrative gig.” To this end, their reputations set the bar of behavior, and aggrieved parties can now put these reputations – and the potential for future collaboration – on trial in front of a jury.

(ThreatPost)

WordPress statistics bug allows attackers to lift data easily

WP Statistics, a plugin installed on more than 600,000 WordPress websites, has an SQL-injection security vulnerability that could let site visitors make off with all kinds of sensitive information from web databases, including emails, credit-card data, passwords and more without having to be logged in. Wordfence researchers found the high-severity bug (tracked as CVE-2021-24340, rating 7.5 out of 10 on the CVSS scale) in the “Pages” function, which lets administrators see which pages have received the most traffic. It returns this data using SQL queries to a back-end database – but unauthenticated attackers can hijack the function to perform their own queries, in order to purloin sensitive information.
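The bug class described above, as an added illustration that is not WP Statistics' own code: a page-traffic lookup built by concatenating a request parameter into the query, beside the same lookup with the input validated and bound as a parameter. The table names and rows are constructed for the example, and Python with SQLite stands in for the plugin's PHP and MySQL.

```python
import sqlite3


def build_db():
    """Constructed sample data: a page-visit table and a users table (not the plugin's schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE page_visits (page_id INTEGER, uri TEXT, visits INTEGER);
        INSERT INTO page_visits VALUES (1, '/home', 120), (2, '/about', 45), (3, '/contact', 7);
        CREATE TABLE users (user_login TEXT, user_email TEXT);
        INSERT INTO users VALUES ('admin', 'admin@example.test');
    """)
    return con


def top_pages_vulnerable(con, page_id):
    """The unsafe pattern: the untrusted value becomes part of the SQL text itself."""
    sql = "SELECT uri, visits FROM page_visits WHERE page_id = " + str(page_id)
    # Anything the caller supplies is now executed as SQL, so the WHERE clause
    # (and, from there, the whole statement) is under the caller's control.
    return con.execute(sql).fetchall()


def top_pages_safe(con, page_id):
    """The hardened pattern: validate the type, then bind the value as a parameter."""
    page_id = int(page_id)  # raises ValueError for anything that is not an integer id
    # The driver sends the value separately from the statement; it is never parsed as SQL.
    return con.execute(
        "SELECT uri, visits FROM page_visits WHERE page_id = ?", (page_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(top_pages_vulnerable(db, 2))            # one row, as intended
    print(top_pages_vulnerable(db, "2 OR 1=1"))   # every row: the filter was overridden
    print(top_pages_safe(db, "2"))                # one row
    try:
        top_pages_safe(db, "2 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

In WordPress code the equivalent of the binding step is `$wpdb->prepare()`, which is what turns a query built from request data into one the database treats as fixed.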

(ThreatPost)

Salesforce crash blamed on sole employee using emergency patch

The cause of the global crash that affected Salesforce servers back on May 11 has now been pinned on a lone engineer who had been tasked with making a DNS configuration change to connect a new Salesforce Hyperforce environment in Australia. Rather than use a staggered rollout, the engineer decided to shortcut the normal procedures by using an Emergency Break-Fix (EBF) process. However, the script used contained a bug that required a restart of the DNS servers, and those same DNS servers were needed to carry out the rollbacks and restarts, creating a circular dependency. Salesforce eventually got everything back online and has promised new safeguards for future changes. And the engineer in question? “We have taken action with that particular employee,” a representative said.

(The Register)