Red Hat Security Advisory 2024-6536-03 - Red Hat AMQ Streams 2.5.2 is now available from the Red Hat Customer Portal. Issues addressed include bypass, denial of service, information leakage, and memory leak vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6536.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat AMQ Streams 2.5.2 release and security update  
Advisory ID:        RHSA-2024:6536-03  
Product:            Streams for Apache Kafka  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6536  
Issue date:         2024-09-10  
Revision:           03  
CVE Names:            
====================================================================

Summary: 

Red Hat AMQ Streams 2.5.2 is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. 

This release of Red Hat AMQ Streams 2.5.2 serves as a replacement for Red Hat AMQ Streams 2.5.1, and includes security and bug fixes, and enhancements.

Security Fix(es):  
* Scala: sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, `IO.unzip` allows writing of arbitrary file. This would have potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in `pullRemoteCache` task and `Resolvers.remote`; however many projects use `IO.unzip(...)` directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.(CVE-2023-46122)

* ZooKeeper: Information disclosure in persistent watcher handling. Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.  
(CVE-2024-23944)

* ZooKeeper: Authorization Bypass in Apache ZooKeeper [amq-st-2](CVE-2023-44981)

* Snappy: flaw was found in SnappyInputStream in snappy-java. This issue occurs when decompressing data with a too-large chunk size due to a missing upper bound check on chunk length. An unrecoverable fatal error can occur, resulting in a Denial of Service (DoS) (CVE-2023-43642)

* Kafka: snappy-java: Unchecked chunk length leads to DoS [amq-st-2](CVE-2023-34455), (CVE-2024-27309), (CVE-2024-31141)

* Strimzi Operators: vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)

* Strimzi Bridge: flaw was found in SnappyInputStream in snappy-java (CVE-2023-43642)

* Strimzi Bridge: netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)

* Strimzi Bridge: vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)

* Strimzi Bridge: netty-codec-http2: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (CVE-2023-44487)

 * Strimzi Bridge: Bump snappy-java to fix (CVE-2023-43642)

* Strimzi OAuth: In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component. (CVE-2023-52428)

* Cruise Control: flaw was found in SnappyInputStream in snappy-java (CVE-2023-43642)

* Cruise Control: jose4j- denial of service via specially crafted JWE (CVE-2023-51775)

 * Cruise Control: Bump snappy-java to fix (CVE-2023-43642)

* Cruise Control: cruise-control reported a high-sev json vulnerability (CVE-2023-5072)

* Cruise Control: Nimbus JOSE+JWT before 9.37.2 (CVE-2023-52428)

* Strimzi Kafka Kubernetes Config Provider: Bump snappy-java to fix (CVE-2023-43642)

Solution:

CVEs:

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://issues.redhat.com/browse/ENTMQST-5366  
https://issues.redhat.com/browse/ENTMQST-5882  
https://issues.redhat.com/browse/ENTMQST-5885  
https://issues.redhat.com/browse/ENTMQST-5886  
https://issues.redhat.com/browse/ENTMQST-6235

Red Hat Security Advisory 2024-6536-03

The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have CSRF check in its coming_soon_send_mail AJAX action, allowing attackers to make logged in admin to send arbitrary emails to all subscribed users via a CSRF attack

Timestamp:

01/18/2022 04:16:28 PM (5 weeks ago)

wpdevart

Message:

new version  

Location:

coming-soon-page/trunk

Files:

  

*   coming\_soon.php (1 diff)
*   includes/admin\_menu.php (5 diffs)
*   readme.txt (2 diffs)

**Legend:**

Unmodified

Added

Removed

*   **coming-soon-page/trunk/coming\_soon.php**
    
    r2655973
    
    r2659455
    
     
    
    6
    
    6
    
     \* Author URI: https://wpdevart.com
    
    7
    
    7
    
     \* Description: Coming soon and Maintenance mode plugin is awesome tool to show your users that you are working on your website to make it better. Our coming soon plugin is the best way to create better coming soon page. 
    
    8
    
     
    
     \* Version: 3.6.7
    
     
    
    8
    
     \* Version: 3.6.8
    
    9
    
    9
    
     \* Author: wpdevart
    
    10
    
    10
    
     \* License: GPLv3 http://www.gnu.org/licenses/gpl-3.0.html
    
*   **coming-soon-page/trunk/includes/admin\_menu.php**
    
    r2655973
    
    r2659455
    
     
    
    1862
    
    1862
    
            if ($mailing\_lists == NULL)
    
    1863
    
    1863
    
                $mailing\_lists = array();
    
    1864
    
     
    
            if (isset($\_GET\['id'\]) && isset($\_GET\['task'\]) && $\_GET\['task'\] == 'remove\_user') {
    
     
    
    1864
    
            if (isset($\_GET\['id'\]) && isset($\_GET\['task'\]) && $\_GET\['task'\] == 'remove\_user' && wp\_verify\_nonce($\_POST\['wpda\_coming\_soon\_mail\_nonce'\], 'wpda\_coming\_soon\_mail\_nonce')) {
    
    1865
    
    1865
    
                $get\_id = intval($\_GET\['id'\]);
    
    1866
    
    1866
    
                unset($mailing\_lists\[$get\_id\]);
    
    …
    
    …
    
     
    
    1868
    
    1868
    
            }
    
    1869
    
    1869
    
        ?>
    
    1870
    
     
    
    1871
    
    1870
    
            <div class="wpdevart\_plugins\_header div-for-clear">
    
    1872
    
    1871
    
                <div class="wpdevart\_plugins\_get\_pro div-for-clear">
    
    …
    
    …
    
     
    
    1892
    
    1891
    
                <br /><br />
    
    1893
    
    1892
    
                <span class="error\_massage mailing\_list"></span>
    
     
    
    1893
    
                <?php wp\_nonce\_field('wpda\_coming\_soon\_mail\_nonce', 'wpda\_coming\_soon\_mail\_nonce'); ?>
    
    1894
    
    1894
    
            </form>
    
    1895
    
    1895
    
            <h2>The list of the subscribed users</h2> <?php $this->generete\_subscriber\_table\_lists($mailing\_lists); ?><h2>The list of the Subscribed users emails</h2><p><span style="color:#7052fb;font-weight:bold;">You can copy the emails list from the below and send emails using Gmail or other email services.</span></p><textarea readonly style="min-height:200px;width:95%">
    
    …
    
    …
    
     
    
    1911
    
    1911
    
                                massage\_from\_name: jQuery('#massage\_from\_name').val(),
    
    1912
    
    1912
    
                                massage\_description: jQuery('#massage\_description').val(),
    
    1913
    
     
    
                                massage\_title: jQuery('#massage\_title').val()
    
     
    
    1913
    
                                massage\_title: jQuery('#massage\_title').val(),
    
     
    
    1914
    
                                wpda\_coming\_soon\_mail\_nonce:jQuery('#wpda\_coming\_soon\_mail\_nonce').val()
    
    1914
    
    1915
    
                            },
    
    1915
    
    1916
    
                        }).done(function(date) {
    
    …
    
    …
    
     
    
    1969
    
    1970
    
                die();
    
    1970
    
    1971
    
            }
    
     
    
    1972
    
            if(wp\_verify\_nonce($\_POST\['wpda\_coming\_soon\_mail\_nonce'\], 'wpda\_coming\_soon\_mail\_nonce') === false){
    
     
    
    1973
    
                echo esc\_html($this->text\_parametrs\['authorize\_problem'\]);
    
     
    
    1974
    
                die();
    
     
    
    1975
    
            }
    
     
    
    1976
    
    1971
    
    1977
    
            $mailing\_lists = json\_decode(stripslashes(get\_option('users\_mailer', '')), true);
    
    1972
    
    1978
    
            if ($mailing\_lists == NULL)
    
*   **coming-soon-page/trunk/readme.txt**
    
    r2655973
    
    r2659455
    
     
    
    5
    
    5
    
    Requires at least: 3.4.0
    
    6
    
    6
    
    Tested up to: 5.8.3
    
    7
    
     
    
    Stable tag: 3.6.7
    
     
    
    7
    
    Stable tag: 3.6.8
    
    8
    
    8
    
    License: GPLv3
    
    9
    
    9
    
    License URI: http://www.gnu.org/licenses/gpl-3.0.html
    
    …
    
    …
    
     
    
    781
    
    781
    
    \*  Bug fixed.
    
    782
    
    782
    
     
    
    783
    
    \= 3.6.8 ==
    
     
    
    784
    
     
    
    785
    
    \*  Bug fixed!
    
     
    
    786
    
    783
    
    787
    
    \==Step by step guide==
    
    784
    
    788
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2022-0199: Changeset 2659455 – WordPress Plugin Repository

LuaTeX before 1.17.0 enables the socket library by default.

To find the state of this project's repository at the time of any of these versions, check out the tags.

CVE-2023-32668: source/texk/web2c/luatexdir/ChangeLog · b266ef076c96b382cd23a4c93204e247bb98626a · TeXLive / luatex · GitLab

PRESS RELEASE

CHICAGO, July 16, 2024 /PRNewswire/ -- Research from MxD (Manufacturing x Digital), the digital manufacturing institute and the National Center for Cybersecurity in Manufacturing supported by the Department of Defense, has revealed an urgent need for the U.S. manufacturing sector to strengthen its cybersecurity posture.

The report, titled Behind the Firewall, establishes the sector's cybersecurity preparedness and finds that manufacturers are overestimating their capabilities.  

Securing U.S. manufacturing has emerged as an economic and national security priority as the manufacturing sector remains the most targeted sector worldwide for cyber-attacks. Faced with unique challenges in securing business operations against geopolitical threats, the report shares insights and strategies for manufacturers to enhance their cyber resilience.

The survey found:

*   76% of manufacturers are confident their organization can prevent cyber risks and respond to cyber-attacks
    
*   Only 34% of manufacturers have comprehensive system security plans (SSPs) in place - a fundamental cybersecurity requirement and often required for compliance
    
*   Just 43% of all manufacturers have a dedicated cybersecurity leader, such as a Chief Information Security Officer (CISO) or Director of Cybersecurity
    
    *   The disparity is stark when compared by size: 88% of large manufacturers (500+ employees) have such leaders, compared to 35% of small- and medium-sized manufacturers (fewer than 500 employees)
        
    
*   Encouragingly, 82% of manufacturers are planning to raise cybersecurity spending in the upcoming budget cycle
    

"The supply chains which support U.S. manufacturing are only as strong as their weakest link. We must strengthen at every level to ensure a resilient domestic manufacturing capability, including within the defense industrial base," said MxD CEO Berardino Baratta. "We see a sense of overconfidence in our research results, which is concerning given that everyone is at risk, from the largest multinational to small- and medium-sized manufacturers who often lack the proper resources to protect themselves from cyber-attacks."

"Manufacturing sector cyber-attacks are no longer rare, one-off events," said MxD Director of Cybersecurity Michael Tanji. "The rise in incidents shows repeated and concerted efforts to steal IP or other company data, resulting in production shutdowns, logistical delays, and more. Our manufacturing sector must stay ahead of these growing threats – and we can only do that by updating and upgrading cyber capabilities across the industry."

This survey identifies key areas where manufacturers can benefit from additional resources to strengthen their cybersecurity infrastructure. Research results were segmented by vertical sector and manufacturer size, which allows for a deeper understanding of needs and insights at all levels of the manufacturing sector. In turn, this enables MxD to develop tools, like cyber playbooks and training guides, which more effectively address sector needs. 

This report launches as MxD reaches its 10-year anniversary and underscores the imperative for strengthening U.S. manufacturing competitiveness and resiliency. As a public-private partnership, MxD convenes and collaborates with manufacturers to prepare and protect domestic supply chains against cybersecurity threats.

About MxD  
MxD (Manufacturing x Digital) advances economic prosperity and national security by strengthening U.S. manufacturing competitiveness through technology innovation, workforce development, and cybersecurity preparedness. In partnership with the Department of Defense, we convene an ecosystem to solve critical manufacturing challenges by accelerating digital adoption, empowering a skilled workforce, and modernizing supply chains. MxD is also the National Center for Cybersecurity in Manufacturing as designated by DoD. Visit mxdusa.org to learn more.

You May Also Like

MxD Research Reveals Major Disconnect Between Perceived and Actual Cybersecurity Capabilities in US Manufacturing

A South Africa-based threat actor known as Automated Libra has been observed employing CAPTCHA bypass techniques to create GitHub accounts in a programmatic fashion as part of a freejacking campaign dubbed PURPLEURCHIN.
The group "primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their crypto mining operations," Palo Alto Networks Unit 42

A South Africa-based threat actor known as Automated Libra has been observed employing CAPTCHA bypass techniques to create GitHub accounts in a programmatic fashion as part of a freejacking campaign dubbed PURPLEURCHIN.

The group "primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their crypto mining operations," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said.

PURPLEURCHIN first came to light in October 2022 when Sysdig disclosed that the adversary created as many as 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts to scale its operation.

Now according to Unit 42, the cloud threat actor group created three to five GitHub accounts every minute at the height of its activity in November 2022, totally setting up over 130,000 bogus accounts across Heroku, Togglebox, and GitHub.

More than 22,000 GitHub accounts are estimated to have been created between September and November 2022, three in September, 1,652 in October, and 20,725 in November. A total of 100,723 unique Heroku accounts have also been identified.

The cybersecurity company also termed the abuse of cloud resources as a "play and run" tactic designed to avoid paying the platform vendor's bill by making use of falsified or stolen credit cards to create premium accounts.

Its analysis of 250GB of data puts the earliest sign of the crypto campaign at least nearly 3.5 years ago in August 2019, identifying the use of more than 40 wallets and seven different cryptocurrencies.

The core idea that undergirds PURPLEURCHIN is the exploitation of computational resources allocated to free and premium accounts on cloud services in order to reap monetary profits on a massive scale before losing access for non-payment of dues.

Besides automating the account creation process by leveraging legitimate tools like xdotool and ImageMagick, the threat actor has also been found to take advantage of weakness within the CAPTCHA check on GitHub to further its illicit objectives.

This is accomplished by using ImageMagick's convert command to transform the CAPTCHA images to their RGB complements, followed by using the identify command to extract the skewness of the red channel and selecting the smallest value.

Once the account creation is successful, Automated Libra proceeds to create a GitHub repository and deploys workflows that make it possible to launch external Bash scripts and containers for initiating the crypto mining functions.

The findings illustrate how the freejacking campaign can be weaponized to maximize returns by increasing the number of accounts that can be created per minute on these platforms.

"It is important to note that Automated Libra designs their infrastructure to make the most use out of CD/CI tools," the researchers concluded.

"This is getting easier to achieve over time, as the traditional VSPs are diversifying their service portfolios to include cloud-related services. The availability of these cloud-related services makes it easier for threat actors, because they don't have to maintain infrastructure to deploy their applications."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Using CAPTCHA Bypass Tactics in Freejacking Campaign on GitHub

The Iranian threat actor known as Agrius is leveraging a new ransomware strain called Moneybird in its attacks targeting Israeli organizations.
Agrius, also known as Pink Sandstorm (formerly Americium), has a track record of staging destructive data-wiping attacks aimed at Israel under the guise of ransomware infections.
Microsoft has attributed the threat actor to Iran's Ministry of

Ransomware / Endpoint Security

The Iranian threat actor known as **Agrius** is leveraging a new ransomware strain called **Moneybird** in its attacks targeting Israeli organizations.

Agrius, also known as Pink Sandstorm (formerly Americium), has a track record of staging destructive data-wiping attacks aimed at Israel under the guise of ransomware infections.

Microsoft has attributed the threat actor to Iran's Ministry of Intelligence and Security (MOIS), which also operates MuddyWater. It's known to be active since at least December 2020.

In December 2022, the hacking crew was attributed to a set of attempted disruptive intrusions that were directed against diamond industries in South Africa, Israel, and Hong Kong.

These attacks involved the use of a .NET-based wiper-turned-ransomware called Apostle and its successor known as Fantasy. Unlike Apostle, Moneybird is programmed in C++.

"The use of a new ransomware, written in C++, is noteworthy, as it demonstrates the group's expanding capabilities and ongoing effort in developing new tools," Check Point researchers Marc Salinas Fernandez and Jiri Vinopal said.

The infection sequence begins with the exploitation of vulnerabilities within internet-exposed web servers, leading to the deployment of a web shell referred to as ASPXSpy.

In the subsequent steps, the web shell is used as a conduit to deliver publicly-known tools in order to perform reconnaissance of the victim environment, move laterally, harvest credentials, and exfiltrate data.

Also executed on the compromised host is the Moneybird ransomware, which is engineered to encrypt sensitive files in the "F:\\User Shares" folder and drop a ransom note urging the company to contact them within 24 hours or risk getting their stolen information leaked.

"The use of a new ransomware demonstrates the actor's additional efforts to enhance capabilities, as well as hardening attribution and detection efforts," the researchers said. "Despite these new 'covers,' the group continues to follow its usual behavior and utilize similar tools and techniques as before."

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

Agrius is far from the only Iranian state-sponsored group to engage in cyber operations targeting Israel. A report from Microsoft last month uncovered MuddyWater's collaboration with another cluster dubbed Storm-1084 (aka DEV-1084) to deploy the DarkBit ransomware.

The findings also come as ClearSky disclosed that no fewer than eight websites associated with shipping, logistics, and financial services companies in Israel were compromised as part of a watering hole attack orchestrated by the Iran-linked Tortoiseshell group.

In a related development, Proofpoint revealed that regional managed service providers (MSPs) within Israel have been targeted by MuddyWater as part of a phishing campaign designed to initiate supply chain attacks against their downstream customers.

The enterprise security firm further highlighted escalating threats to small and medium-sized businesses (SMBs) from sophisticated threat groups, which have been observed leveraging compromised SMB infrastructure for phishing campaigns and financial theft.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Agrius Hackers Targeting Israeli Organizations with Moneybird Ransomware

The recent wave of cyber attacks targeting Albanian organizations involved the use of a wiper called No-Justice.
The findings come from cybersecurity company ClearSky, which said the Windows-based malware "crashes the operating system in a way that it cannot be rebooted."
The intrusions have been attributed to an Iranian "psychological operation group" called Homeland

The recent wave of cyber attacks targeting Albanian organizations involved the use of a wiper called **No-Justice**.

The findings come from cybersecurity company ClearSky, which said the Windows-based malware "crashes the operating system in a way that it cannot be rebooted."

The intrusions have been attributed to an Iranian "psychological operation group" called Homeland Justice, which has been operating since July 2022, specifically orchestrating destructive attacks against Albania.

On December 24, 2023, the adversary resurfaced after a hiatus, stating it's "back to destroy supporters of terrorists," describing its latest campaign as #DestroyDurresMilitaryCamp. The Albanian city of Durrës currently hosts the dissident group People's Mojahedin Organization of Iran (MEK).

Targets of the attack included ONE Albania, Eagle Mobile Albania, Air Albania, and the Albanian parliament.

Two of the primary tools deployed during the campaign include an executable wiper and a PowerShell script that's designed to propagate the former to other machines in the target network after enabling Windows Remote Management (WinRM).

The No-Justice wiper (NACL.exe) is a 220.34 KB binary that requires administrator privileges to erase the data on the computer.

This is accomplished by removing the boot signature from the Master Boot Record (MBR), which refers to the first sector of any hard disk that identifies where the operating system is located in the disk so that it can be loaded into a computer's RAM.

Also delivered over the course of the attack are legitimate tools like Plink (aka PuTTY Link), RevSocks, and the Windows 2000 resource kit to facilitate reconnaissance, lateral movement, and persistent remote access.

The development comes as pro-Iranian threat actors such as Cyber Av3ngers, Cyber Toufan, Haghjoyan, and YareGomnam Team have increasingly set their sights on Israel and the U.S. amid continuing geopolitical tensions in the Middle East.

"Groups such as Cyber Av3ngers and Cyber Toufan appear to be adopting a narrative of retaliation in their cyber attacks," Check Point disclosed last month.

"By opportunistically targeting U.S. entities using Israeli technology, these hacktivist proxies try to achieve a dual retaliation strategy – claiming to target both Israel and the U.S. in a single, orchestrated cyber assault."

Cyber Toufan, in particular, has been linked to a deluge of hack-and-leak operations targeting over 100 organizations, wiping infected hosts and releasing stolen data on their Telegram channel.

"They've caused so much damage that many of the orgs – almost a third, in fact, haven't been able to recover," security researcher Kevin Beaumont said. "Some of these are still fully offline over a month later, and the wiped victims are a mix of private companies and Israeli state government entities."

Last month, the Israel National Cyber Directorate (INCD) said it's currently tracking roughly 15 hacker groups associated with Iran, Hamas, and Hezbollah that are maliciously operating in Israeli cyberspace since the onset of the Israel-Hamas war in October 2023.

The agency further noted that the techniques and tactics employed share similarities with those used in the Ukraine-Russia war, leveraging psychological warfare and wiper malware to destroy information.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Pro-Iranian Hacker Group Targeting Albania with No-Justice Wiper Malware

By Deeba Ahmed
From Background Checks to Bedroom Layouts: Data Leak Strips Bare School Security System.
This is a post from HackRead.com Read the original post: Texas School Safety Software Data Leak Endangers Student Safety

The data leak occurred due to a misconfigured database at Raptor Technologies, a Texas-based school safety software provider.

A data leak involving Raptor Technologies, a Texas-based school safety software provider, exposed millions of sensitive records about students, parents, and staff.

The leak, discovered by cybersecurity researcher Jeremiah Fowler, exposed personal information, incident response plans, infrastructure challenges, and documents about at-risk students, raising concerns about student privacy and school safety. The leak exposed around 4,024,001 records, exposing students to numerous security risks.

“I reviewed a limited sample of documents and log records that contained what appeared to be sensitive information related to students, teachers, parents, and school safety plans or procedures,” said Fowler.

I immediately sent a responsible disclosure notice and received confirmation that indeed the data belonged to Raptor Technologies,” Fowler wrote in the blog post published by VPNMentor on January 11th, 2024.

Part of the exposed records were school incident response plans, classroom layouts, infrastructure challenges, background check system details, and at-risk student documents, including their “personal and medical conditions, any mental health or legal problems they might be having, and the threats they pose to the school.”

In addition, it contained court-ordered protection orders, divorce decrees, and monthly drills. It also included scanned PDF files and images of legal documents. In summary, Fawler managed to analyse a treasure trove of records including the following:

1.  Testing documents: 1,326 files
2.  Testing logs: 332,409 / 23 GB
3.  Staging documents: 7,900 files
4.  Staging logs: 1,002,394 / 25 GB
5.  Production documents: 81,511 files
6.  Production logs: 2,598,461 blobs / 779 GB

Raptor Technologies secured the database and restricted public access. The duration of the exposure and potentially malicious access remains unknown, as only an internal forensic audit could identify potential threats.

It is worth noting that Raptor Technologies provides a visitor management system for schools to track and screen visitors, volunteers, and contractors, ensuring they are not on sex offender registries or watchlists. The software is used by over 60,000 schools worldwide, including 5,300 U.S. districts. The exposure could potentially impact nearly 40% of American schools.

The unprotected database exposed sensitive data such as school maps, camera locations, security vulnerabilities, meeting points, and emergency response plans. These could have real-world consequences if accessed by cybercriminals. Court records contained restraining orders, criminal offences, divorce agreements, and personal information, increasing the risk of identity theft or financial crimes. 

Moreover, health records revealed student health forms, compromising privacy and confidentiality. Incident reports and safety drill summary reports contained students’ names and detailed at-risk behaviour, which can threaten their well-being later in life. School maps identified classroom locations, room numbers, evacuation routes, and camera locations, posing additional privacy risks.

Fowler recommends proactive cybersecurity measures for schools and data management companies, including restricting access, conducting regular assessments, and encrypting sensitive information.

****_RELATED ARTICLES_****

1.  **900 U.S. Schools Hit by MOVEit Hack, Exposing Student Data**
2.  **Schools Are the Most Targeted Industry by Ransomware Gangs**
3.  **Conti ransomware gang demanded $40m from US school district**
4.  **Data Leak Exposes 1.5B Real Estate Records, Including Kylie Jenner**
5.  **38 million records exposed in Microsoft Power apps misconfiguration**

Texas School Safety Software Data Leak Endangers Student Safety

By Waqas
Another day, another alleged data breach putting hundred of thousands of unsuspecting users at risk.
This is a post from HackRead.com Read the original post: Israeli LGBTQ App Atraf Faces Data Leak, 700,000 Users Affected

Atraf, a popular Israeli LGBTQ dating app, has suffered a major data breach exposing personal information of over half a million users – Leaked data includes clear text password and payment card data – Atraf users are advised to change their passwords immediately!

In November 2021, **Hackread.com reported** a ransom failure leading to the data leak of some Israeli LGBTQ dating app Atraf users. The group responsible for the attack, Black Shadow, originated from Iran. They demanded a ransom of $1 million after acquiring the app’s data by compromising an Israeli hosting service named CyberServe.

Now, a user on **Breach Forums**, apparently of Russian origin, claims to have leaked the Atraf database, containing the personal data of over 1.5 million users. However, Hackread.com has analyzed the 2.63 GB worth of data, which appears legitimate. After removing duplicates, the total number of leaked accounts decreases to over half a million, precisely 669,672.

It’s worth noting that the Atraf database was leaked twice in 2023 on the same forum. However, neither of these leaks contained clear text passwords or sensitive personal information like the latest one.

What the Breach Forums user posted on the forum (Credit: Hackread.com)

It’s important to note that the data breach remains alleged until official confirmation from the company. Meanwhile, our analysis reveals a treasure trove of personal and sensitive information, primarily from Israeli users. This information includes:

*   Full names
*   Nicknames
*   County
*   City
*   Age
*   Height
*   Religion
*   Address
*   Phone numbers
*   IP addresses
*   Data of birth
*   Interests and hobbies
*   Sex and Gender
*   Sexual orientation
*   Email addresses
*   Plain text passwords for some
*   Location coordinates
*   Type of smartphone and operating system
*   Conversations in direct messages (DMs)
*   Family details including if they have children or not
*   Payment card data excluding card numbers but including CVV codes, expiry dates, and card types (Master/Visa).
*   _And much more…_

Hackread.com can confirm that the leaked records date back to 2021, with no recent records. The timeline aligns with the claims made by Black Shadow in November 2021, suggesting that the data might be legitimate.

Screenshot from the leaked data (Credit: Hackread.com)

Nevertheless, this data breach poses a significant threat to the privacy and physical security of affected users. It can result in online harassment and the hacking of email accounts, as the breach includes clear text passwords.

If you are an Atraf user, you must immediately change the passwords for both your email and Atraf account. Additionally, exercise caution with emails purportedly from Atraf and double-check before clicking any links, as they could be attempts by cybercriminals to compromise your data further or infect your device with malware.

Hackread.com has notified Atraf about the breach, seeking their official response. If you have any concerns about your data, you can also contact Hackread.com at \[email protected\].

1.  Anonymous Sudan’s DDoS Attacks at Israeli BAZAN Group
2.  Hackers Target Israeli Rocket Alert App Users with Spyware
3.  Israeli El Al Sys Hackers Hit Flights in Mid-Air Hijack Attempt
4.  Hackers Defaces Israeli-Made Equipment at US Water Agency
5.  Iran’s MuddyWater Group Hit Israelis with Fake Memo Phishing
6.  Hamas Hackers Hit Israelis with New BiBi-Linux Wiper Malware

Israeli LGBTQ App Atraf Faces Data Leak, 700,000 Users Affected

Daily operations at some 15,000 automotive dealers remain impacted as CDK works to restore its dealer management system, following what appears to be a ransomware attack last week.

Source: Jonathan Weiss via Shutterstock

The nationwide impact of a cyberattack on CDK Global last week has focused attention on the need for organizations to have robust contingency plans when they rely heavily on SaaS providers for critical business functions.

The attack disrupted operations at some 15,000 automotive dealers around the country, forcing many to go back to using paper forms and manual processes for their daily operations. In forms filed with the Securities and Exchange Commission (SEC), some companies affected by the attack said CDK had informed them about requiring several days — but likely not weeks — to restore its systems. Companies that notified the SEC about being impacted by the CDK breach included Penske, Group I Automotive, and Lithia Motors.

**Ransomware Attack?**

CDK, which provides a suite of cloud software and services for the automotive retail industry, has not yet publicly disclosed the nature of the attack that crippled its systems. But some media outlets have attributed the attack to an East European ransomware group called BlackSuit. They have described the threat actor as demanding millions of dollars in ransom from CDK to unlock the company's systems.

CDK did not respond immediately to a Dark Reading request seeking an update on the status of the company's systems restoration efforts and whether it had been able to attribute the attack to the BlackSuit ransomware group.

Attacks like these underscore the critical need for organizations to extend their cybersecurity protections to their entire network of vendors and partners, says Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance. "For organizations in sectors heavily reliant on a limited number of software vendors or SaaS providers, mitigating exposure and containing disruptions via the software supply chain requires a multifaceted approach," he says. "Firstly, diversifying vendor relationships where possible can distribute risk and reduce dependency on single providers."

**Contingency Planning for SaaS Apps**

Organizations that use SaaS services should implement formal risk management frameworks that include stringent security assessments and contractual obligations for cybersecurity standards, Steinhauer says. Collaborative initiatives within industry sectors to share threat intelligence and best practices can also help strengthen collective defenses against evolving cyber threats, he notes.

Mark Ostrowski, head of engineering at Check Point Software, says the broader takeaway from attacks like this is for organizations to assume their infrastructure is a target wherever the resources — applications, servers, and users — might reside.

It's a good idea to determine the service providers and vendors that are most crucial to your business and identify what their measures are for protecting against an attack, and for mitigating and responding to one, if needed.

Ostrowski advises that organizations keep on top of what's going on in the immediate aftermath of a disruptive cyberattack. For instance, following the attack on CDK, threat actors have been calling customers, apparently with information related to the breach, in what would seem to be phishing attempts.

**The Rush to Repair**

There are lessons in CDK's apparent recovery struggles as well. Soon after the company began recovery efforts last week, it experienced a second attack, right in the midst of its recovery efforts. CDK has not disclosed much about the second attack beyond saying it forced the company to shut down most systems and take them offline.

Pieter Arntz, malware analyst at Malwarebytes, perceives that as an indication of CDK attempting to restore its systems too quickly.

"Many companies will set systems back to a restore from an earlier date, but attackers can afford to linger on a system for long periods of time," Arntz said in an emailed comment. "Restoring systems from, say, a week ago is often not far enough."

The CDK attack also highlights the continued — and growing — exposure that organizations in all sectors face via the software supply chain. According to a study by Data Theorem, 91% of organizations have experienced some kind of security incident tied to their software suppliers and service providers over the past 12 months.

Attacks targeting major players like CDK reveal significant vulnerabilities in critical infrastructure sectors and key industries that rely heavily on software supply chains, Steinhauer says.

"These incidents expose the potential for widespread disruption and economic impact when essential services and operations are compromised," he notes. "They highlight the need for stringent regulatory oversight, enhanced cybersecurity standards, and proactive defense measures to safeguard against targeted attacks on software supply chain leaders."

Strengthening cybersecurity resilience through continuous assessment, response readiness, and collaborative risk management efforts are also critical to mitigating the growing threat landscape posed by sophisticated cyber adversaries, he says.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us