Cyber Security Headlines – November 5, 2021

Expired certificate breaks Windows 11 snipping tool, emoji panel, and more

The ghost of an expired certificate has been haunting Windows 11 users with the result being various built-in Windows programs not working properly or not at all for some users. This applies to at least Windows 11 version 21H2. The cert, which is part of the official shipped code, ran out at the end of October leading to failures in the snipping tool, the touch keyboard, voice typing, the emoji panel, and the Getting Started and Tips app. A patch is available to restore some of these issues, but not the snipping tool.

(The Register)

Iranian hacking group leaks patient and LGBTQ info

The Iranian Black Shadow hacking group has released highly sensitive personal information on hundreds of thousands of Israeli medical patients and members of an LGBTQ site, as a follow-up to their ransomware attack of Israeli hosted CyberServe, which has reportedly refused to pay a $1m ransom. Tuesday saw the release of medical records of 290,000 patients at Israel’s Machon Mor institute – including patients’ detailed medical treatments and results, and the group also published the full database from LGBTQ dating service Atraf, including members’ names, locations, and in some cases, their HIV status. Although it’s unclear how the hosting firm was compromised, Israel’s National Cyber Directorate reportedly warned it “several times” that its IT systems were vulnerable. Atraf members in particular will be fearing reprisals from ultra-conservative groups and online extortionists.

(InfoSecurity Magazine)

Popular ‘coa’ npm library hijacked to steal user passwords

The library for the command-line options parser for Node.js projects, which receives about 9 million weekly downloads on npm, and is used by almost 5 million open source repositories on GitHub, was hijacked yesterday with malicious code injected into it, ephemerally impacting React pipelines around the world. This incident follows last month’s hack of another popular npm library “ua-parser-js” that is used by Facebook, Microsoft, Amazon, reddit, and other big tech firms. Due to the widespread impact of this supply-chain attack, it is strongly advised that all users of the “coa” library check their projects for malicious software. This includes checking for the existence of either compile.js, compile.bat, sdd.dll and deleting the files if they are found.

(Bleeping Computer)

State Department offers $10 million reward for help in identifying DarkSide ringleaders

This announcement was made yesterday and also offers $5 million for information that leads to the arrest or conviction of any affiliates of the group. DarkSide was identified as behind the Colonial Pipeline incident in May of this year. BlackMatter, a group behind recent attacks on the agriculture industry, appears to be shutting down as we reported yesterday, but they are believed to be one such affiliate.

(Cyberscoop)

Thanks to our episode sponsor, Trend Micro

Reimage your Cloud! That’s the theme for CLOUDSEC 2021, a 3-day global event that will be held virtually starting on November 16th. Learn the latest trends in cloud and cybersecurity with global keynotes and session tracks tailored to your role’s unique challenges. Test your skills and win prizes in the 24-hr CLOUDSEC Challenge, a hands-on immersive experience that has something for everyone – from novice application coders to experienced security practitioners! Join for FREE on November 16th, for free. Sign up at cloudsec.com

Critical Linux kernel bug allows remote takeover

A critical heap-overflow security vulnerability in the Transparent Inter Process Communication (TIPC) module of the Linux kernel could allow local exploitation and remote code execution, leading to full system compromise. According to SentinelOne’s SentinelLabs, the bug in question (CVE-2021-43267) specifically resides in a message type that allows nodes to send cryptographic keys to each other. When received, the keys can be used to decrypt further communications from the sending node. The bug affects Linux kernel versions between 5.10 and 5.15, and affected Linux users should apply the just-released patch.

(ThreatPost)

Cybercriminals sell access to international shipping, logistics giants

On Tuesday, Intel 471 published an analysis of current black market trends online, revealing instances of initial access brokers (IABs) offering access to international shipping and logistics companies across the ground, air, and sea. The researchers stated, “While already in a volatile and precarious position — especially as we head into winter — “a cybersecurity crisis at one of these logistics and shipping companies could have a calamitous impact on the global consumer economy.” Although the logistics industry is constantly targeted, big names like Conti and Five Hands are appearing in the IAB research along with many newcomers.

(ZDNet)

Alphabet has launched an artificial intelligence company to discover new drugs

The company will use artificial intelligence methods for drug discovery, said a statement from Google’s parent company on Thursday. It will build off of the work done by DeepMind, another Alphabet subsidiary that has done groundbreaking work using AI to predict the structure of proteins. The new company called Isomorphic Laboratories will leverage that success to build tools that can help identify new pharmaceuticals. Isomorphic will try to build models that can predict how drugs will interact with the body, Hassabis told Stat News. It could leverage DeepMind’s work on protein structure to figure out how multiple proteins might interact with each other. The company may not develop its own drugs but instead sell its models.

(The Verge)

“PlugWalkJoe” indicted for $784K SIM swap cryptocurrency theft

According to the unsealed indictment from the U.S. Department of Justice, Joseph James O’Connor – also known as “PlugWalkJoe” – conspired with others to steal the cryptocurrency from a Manhattan-based cryptocurrency company by hijacking control of three phone numbers belonging to executives of the targeted firm by way of a SIM swap. O’Connor was arrested earlier this year in relation to July 2020’s huge hack of celebrity Twitter accounts, a scheme that attempted to trick followers of the likes of Joe Biden, Kanye West, and Elon Musk into falling for a cryptocurrency scam. O’Connor is currently awaiting extradition from Spain, where he was apprehended earlier this year.

(Tripwire)