Cyber Security Headlines: Sigstore opens free service, Medibank hacked, 20-year old SQLite bug

Sigstore opens free software signing service

At SigstoreCon in Detroit, the open source project announced general availability of a free software signing service for any open source project, with a stated 99.5% uptime target and pager support. Sigstore already sees heavy use in the open source community, signing releases for both the Kubernetes and Python projects, and npm plans to integrate Sigstore signing for its packages as well. If you're not familiar, Sigstore is funded under the Open Source Security Foundation, with support from Google, GitHub, Chainguard and Red Hat.

(TechCrunch)

Australian health insurer hacked

Australia's biggest health insurer, Medibank, revealed that a cyber attack compromised data on virtually all of its customers, just under four million people, or about 1 in 6 Australians. Medibank disclosed that the attacker accessed personal data for all of those customers along with a large volume of medical claims data. The company reiterated that its systems had not been encrypted by ransomware. CEO David Koczkar apologized for the breach, saying it was "designed to cause maximum harm to the most vulnerable members of our community." This comes in the wake of the breach at the telco Optus, which impacted over 10 million Australians.

(Reuters)

Researcher details 20-year old SQLite bug

Trail of Bits researcher Andreas Kellas published details on a high-severity vulnerability in SQLite, the popular database library, introduced by a code change in October 2000. The bug, an integer overflow in how the library handles very large string arguments, can cause a denial of service or, in some configurations, arbitrary code execution when a program passes the library string inputs of roughly 1 GB or more. Systems of that era were 32-bit and could not hold inputs that large, so the bug was unreachable, which likely explains why it went unnoticed for so long. SQLite ships by default in most popular operating systems and web browsers. The flaw was patched in version 3.39.2, released in July.
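The bug class behind this item, a string length that fits in a 64-bit size_t but is stored in a 32-bit int, is easier to see in code. What follows is an illustration added for this page, not SQLite's own code, and it generalizes the item to the class of bug rather than reproducing SQLite's internals: the function names, the MAX_STR_LEN limit and the SQL-style quoting routine are assumptions chosen for the example, and the truncation results assume the usual gcc/clang behaviour for out-of-range conversion to int.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The bug class: a length measured as size_t on a 64-bit host but stored in
 * an int. Anything above INT_MAX does not fit. Out-of-range conversion to int
 * is implementation-defined; gcc and clang reduce modulo 2^32, so 2 GiB becomes
 * INT_MIN (negative) and 4 GiB becomes 0. A 32-bit process could never hold a
 * string that large, which is why this stays dormant on 32-bit systems. */
int int_length_unchecked(size_t n)
{
    int len = (int)n;   /* silently truncated on a 64-bit host */
    return len;
}

/* Hardened: bound the length before ever converting it. MAX_STR_LEN is a
 * hypothetical limit chosen for this example, well below INT_MAX.
 * Returns -1 when the input is out of policy. */
#define MAX_STR_LEN ((size_t)1000000000)

int int_length_checked(size_t n)
{
    if (n > MAX_STR_LEN) return -1;
    return (int)n;
}

/* Bytes needed to SQL-quote n input bytes: every byte may be doubled, plus two
 * quote characters and a NUL. Computed entirely in size_t with an explicit
 * overflow guard. Returns 0 if the arithmetic would wrap. */
size_t quoted_size(size_t n)
{
    if (n > (SIZE_MAX - 3) / 2) return 0;
    return n * 2 + 3;
}

/* Write the n bytes at s into out as a single-quoted SQL literal with embedded
 * quotes doubled. Returns the number of bytes written (excluding the NUL), or
 * -1 if n is out of policy, the size arithmetic would wrap, or out is too small. */
long sql_quote(const char *s, size_t n, char *out, size_t cap)
{
    if (int_length_checked(n) < 0) return -1;   /* reject before touching s */
    size_t need = quoted_size(n);
    if (need == 0 || need > cap) return -1;
    size_t j = 0;
    out[j++] = '\'';
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'') out[j++] = '\'';
        out[j++] = s[i];
    }
    out[j++] = '\'';
    out[j] = '\0';
    return (long)j;
}

/* Small self-checks on constructed inputs (not data from the write-up). */
int self_check(void)
{
    char buf[32];
    long w = sql_quote("O'Brien", 7, buf, sizeof buf);
    return w == 10 && strcmp(buf, "'O''Brien'") == 0;
}

int too_small_buffer_rejected(void)
{
    char buf[8];
    return sql_quote("abc", 3, buf, 5) == -1;   /* needs 9 bytes, only 5 given */
}

int huge_input_rejected(void)
{
    char buf[8];
    return sql_quote(NULL, (size_t)1 << 31, buf, sizeof buf) == -1;
}

int main(void)
{
    size_t two_gib = (size_t)1 << 31;   /* a length a 64-bit process can hold */
    printf("unchecked int length for 2 GiB: %d\n", int_length_unchecked(two_gib));
    printf("checked   int length for 2 GiB: %d\n", int_length_checked(two_gib));
    printf("quote ok: %d, small buffer rejected: %d, huge input rejected: %d\n",
           self_check(), too_small_buffer_rejected(), huge_input_rejected());
    return 0;
}
```

The unchecked path is the one to look for in a review: any place a size_t length lands in an int, or where a size is computed from an int length, is reachable by an attacker who controls a large input, and the fix is to reject over-long input before the conversion rather than after the arithmetic.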

(Hacker News)

Phishing attacks surge in 2022

According to a new report from SlashNext, phishing attacks detected so far in 2022 are up 61% to over 255 million. If the rate of attacks tracks with past years, that would put the 2022 total just under 300 million, triple the number detected in 2020. The vast majority of detected attacks, 76%, were credential-harvesting attempts, and most were zero-hour attacks not matched by existing signatures. More troublingly, these phishing threats increasingly originate from accounts on trusted services like Microsoft, AWS or Google: 32% of phishing threats in 2022 came from a trusted service, up 80% on the year.

(VentureBeat)

Thanks to today’s episode sponsor, Votiro

UFOs are everywhere. They're in your applications, cloud storage, endpoints, and emails.

That’s right – UFOs – Unidentified File Objects – are hiding in files across your organization. UFOs can contain malware that exfiltrates data or deploys ransomware. And 70% of UFOs can’t be detected by traditional scanning solutions like Anti-Virus and Sandboxing. That’s where Votiro comes in. Votiro prevents UFOs before they hitch a ride in on files – without detection, and without slowing down business.

Do you believe? Learn more at Votiro.com/UFOs

Industrial ransomware attacks rise in North America

According to a new analysis by Dragos, 36% of all industrial ransomware cases in Q3 hit North American organizations, up from 25% in Q2. Overall the rate of attacks remained virtually flat, with 128 incidents in the quarter, up 2.4%. The manufacturing sector remains the most popular target for industrial ransomware, representing 68% of attacks in Q3; within that group, metal production and food and beverage were the most commonly hit. LockBit operated 35% of all these attacks. Other groups targeted more specific industries, with the Ragnar Locker group focusing on the energy sector.

(Dark Reading)

Microsoft fixes driver blocklist sync

Microsoft maintains the Windows kernel vulnerable driver blocklist to stop threat actors from loading legitimately signed but exploitable drivers onto Windows machines, a technique attackers use to escalate privileges in the kernel. Last month, security analyst Will Dormann discovered that Windows 10 and Windows Server machines were not syncing the current blocklist and were instead still using a list from December 2019. Microsoft confirmed that it resolved the issue in the October 2022 preview update, and that Windows 10 and 11 devices will now receive the same blocklist.

(Bleeping Computer)

Meta breaches antitrust order in Turkey

The Turkish competition authority ruled that Meta's practice of combining data collected across its platforms Facebook, Instagram, and WhatsApp harmed competition, arguing that such aggregation creates barriers to entry in the online display ad market. It fined the company 346.72 million lira, about $18.6 million USD. While a trivial sum for Meta and below fines it has received in other markets, the ruling does challenge Meta's core microtargeting ad model. More significantly, the Turkish case largely mirrors an ongoing concern of German regulators: the German FCO and Meta continue to wrangle over a data separation order that dates back to February 2019.

(TechCrunch)

Vice Society targets education with ransomware

Microsoft's Threat Intelligence Team reported observing the group since June 2021, targeting the education, government, and retail sectors over that period. It differs from other groups by focusing "on getting into the victim system to deploy ransomware binaries sold on Dark web forums." Vice Society has also changed payloads over time, moving from BlackCat to Zeppelin, and now uses a custom variant. A financially motivated ransomware actor, it focuses on organizations with weaker security controls and a high likelihood of payout, making education a prime target. Microsoft says the group shows active ties in the cybercriminal economy, and appears to be testing payload efficacy for the best post-extortion payouts.

(Hacker News)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.