Cyber Security Headlines: Royal ransoms Dallas, new PaperCut exploit, CISA’s Mirai warning

City of Dallas hit by Royal ransomware attack impacting IT services

The ninth largest city in the United States, with a population of approximately 2.6 million people, saw some of its IT systems shut down to prevent the attack’s spread. Local media reported that the City’s police communications and IT systems were shut down Monday morning due to a suspected ransomware attack, leading to 911 dispatchers having to write down received reports for officers rather than submit them via the computer-assisted dispatch system. The Dallas County Police Department’s website was also offline for part of the day due to the security incident but has since been restored. The City’s court system canceled all jury trials and jury duty from May 2nd into yesterday. According to numerous sources, network printers on the City of Dallas’ network began printing out ransom notes that taunted the City over its choice of cybersecurity procedures. A photo of the ransom note made it appear that the Royal ransomware operation conducted the attack.

(Bleeping Computer)

Researchers uncover new exploit for PaperCut vulnerability that can bypass detection

Tracked as CVE-2023-27350 (CVSS score: 9.8), the issue affects PaperCut MF and NG installations and could be exploited by an unauthenticated attacker to execute arbitrary code with SYSTEM privileges. VulnCheck has published a proof-of-concept exploit that sidesteps existing detection signatures by going through the print management software’s “User/Group Sync” feature, which makes it possible to synchronize user and group information from Active Directory, LDAP, or a custom source.

(The Hacker News)

Mirai botnet loves exploiting unpatched TP-Link routers, CISA warns

CISA is adding three more flaws to its list of known-exploited vulnerabilities, including one involving TP-Link routers that is being targeted by the operators of the notorious Mirai botnet. Trend Micro’s Zero Day Initiative (ZDI) threat-hunting group stated in a report released last week that operators of the Mirai botnet were beginning to exploit the flaw primarily by attacking devices in Eastern Europe, though the campaign soon expanded beyond that region. Mirai malware rolls up infected Linux-based IoT devices into a botnet that can then be remotely controlled to perform large-scale network attacks, including DDoS assaults. The other two flaws placed on the CISA list this week involve versions of Oracle’s WebLogic Server software and the Apache Foundation’s Log4j Java logging library.

(The Register)

Drone goggles maker claims firmware sabotaged to ‘brick’ devices

Orqa, a maker of First Person View (FPV) drone racing goggles, claims that a contractor introduced code into its devices’ firmware that acted as a time bomb designed to brick them. On Saturday, Orqa started receiving reports from customers surprised to see their FPV.One V1 goggles enter bootloader mode and become unusable. The company said it found the ransomware time bomb, which had been secretly planted a few years ago by a “greedy former contractor,” with the intention of extracting an exorbitant ransom from the company.

(Bleeping Computer)

Thanks to this week’s episode sponsor, Trend Micro

Cybersecurity is not just about protection, it’s about foresight, agility, and resilience. Navigating a new era of cyber risk demands evolved strategies, new frameworks, and integrated tools to equip security teams to anticipate and defend against even the most advanced attacks. Trend Micro, the global leader in cybersecurity, is bringing the cyber risk conversation to more than 120 cities around the world in their latest “Risk to Resilience World Tour” — the largest cybersecurity roadshow of its kind. Find the closest city to you and register today to take a leap towards a more resilient future. Head to

Cisco warns of critical vulnerability in EoL phone adapters

Cisco this week raised the alarm on a critical remote code execution vulnerability impacting SPA112 2-Port phone adapters, which have reached end-of-life (EoL) status. Tracked as CVE-2023-20126 (CVSS score of 9.8), the flaw impacts the web-based management interface of the phone adapters and can be exploited without authentication. As Cisco explains in its advisory, the vulnerability exists because of “a missing authentication process within the firmware upgrade function.” Given that the SPA112 2-Port phone adapters are no longer supported (they reached EoL on June 1, 2020), Cisco does not plan to release firmware updates to address the vulnerability.

(Security Week)

Hacked university warns of campus text alerts sent by ransomware group

Bluefield University, a private Baptist school in Bluefield, Virginia serving about 1,000 students, issued a warning about texts being sent through the school’s mass alert system after a ransomware group messaged the entire campus about an ongoing cyberattack. On Tuesday, the Avoslocker group used the school’s RamAlert system to send threatening messages out to all of Bluefield University’s students and employees, announcing that they had exfiltrated 1.2 TB of files consisting of admissions data. The school published its own message on Tuesday, acknowledging that the RamAlert system had been taken over by the hackers and warning students not to click on any links provided by the hackers.

(The Record)

9 out of 10 companies detected software supply chain security risks

Global research conducted by Dimensional Research and commissioned by ReversingLabs revealed that nearly 90% of technology professionals detected significant risks in their software supply chain in the last year. More than 70% said that current application security solutions aren’t providing the necessary protections. More than 300 global executives and technology and security professionals at all seniority levels, each directly responsible for software at enterprise companies, were surveyed for the study. Among the findings was the sentiment that a lack of proper tools may be exacerbating software supply chain risk.

(Security Magazine)

Website promising jobs at the U.S. Postal Service leaks customer data

A sprawling online company based in Georgia that has made tens of millions of dollars purporting to sell access to jobs at the United States Postal Service has exposed its internal IT operations and database of nearly 900,000 customers. The leaked records indicate the network’s chief technology officer in Pakistan has been hacked for the past year, and that the entire operation was created by the principals of a Tennessee-based telemarketing firm that has promoted USPS employment websites since 2016. Further investigation revealed a long-running international operation that has been emailing and text messaging people for years to sign up at a slew of websites that all promise they can help visitors secure employment at the USPS. Sites like FederalJobsCenter[.]com also show up prominently in Google search results for USPS employment, and steer applicants toward making credit card “registration deposits” to ensure that one’s application for employment is reviewed. These sites also sell training, supposedly to help ace an interview with USPS human resources.

(Krebs on Security)