The hack exposed the data of 31 million users as the embattled Wayback Machine maker scrambles to stay online and contain the fallout of digital—and legal—attacks.

An illicit JavaScript pop-up on the Internet Archive proclaimed on Wednesday afternoon that the site had suffered a major data breach. Hours later, the organization confirmed the incident.

Longtime security researcher Troy Hunt, who runs the data-breach-notification website Have I Been Pwned (HIBP) also confirmed that the breach is legitimate. He said it occurred in September and that the stolen trove contains 31 million unique email addresses along with usernames, bcrypt password hashes, and other system data. Bleeping Computer, which first reported the breach, also confirmed the validity of the data.

The Internet Archive did not return multiple requests for comment from WIRED.

“Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach?” the attackers wrote in Wednesday's Internet Archive pop-up message. “It just happened. See 31 million of you on HIBP!”

In addition to the breach and site defacement, the Internet Archive has been grappling with a wave of distributed denial-of-service attacks that have intermittently brought down its services.

Internet Archive founder Brewster Kahle provided a public update on Wednesday evening in a post on the social network X. “What we know: DDOS attack—fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords. What we’ve done: Disabled the JS library, scrubbing systems, upgrading security. Will share more as we know it.” “Scrubbing systems” refer to services that offer DDoS attack protection by filtering malicious junk traffic so it can't deluge and disrupt a website.

The Internet Archive has faced aggressive DDoS attacks numerous times in the past, including in late May. As Kahle wrote on Wednesday: “Yesterday's DDoS attack on @internetarchive repeated today. We are working to bring http://archive.org back online.” The hacktivist group known as BlackMeta claimed responsibility for this week's DDoS attacks and said it plans to carry out more against the Internet Archive. Still, the perpetrator of the data breach is not yet known.

The Internet Archive has faced battles on many fronts in recent months. In addition to repeated DDoS attacks, the organization is also facing mounting legal challenges. It recently lost an appeal in _Hachette v. Internet Archive_, a lawsuit brought by book publishers, which argued that its digital lending library violated copyright law. Now it’s facing an existential threat in the form of another copyright lawsuit, this one from music labels, which may result in damages upwards of $621 million if the court rules against the archive.

HIBP's Hunt says that he first received the stolen Internet Archive data on September 30, reviewed it on October 5, and warned the organization about it on October 6. He says the group confirmed the breach to him the next day and that he planned to load the data into HIBP and notify its subscribers about the breach on Wednesday. “They get defaced and DDoS'd, right as the data is loading into HIBP,” Hunt wrote. “The timing on the last point seems to be entirely coincidental.”

Hunt added, too, that while he encouraged the group to publicly disclose the data breach itself before the HIBP notifications went out, the extenuating circumstances may explain the delay.

“Obviously I would have liked to see that disclosure much earlier, but understanding how under attack they are, I think everyone should cut them some slack,” Hunt wrote. “They're a nonprofit doing great work and providing a service that so many of us rely heavily on.”

Internet Archive Breach Exposes 31 Million Users

Talos also discovered three vulnerabilities in Veertu’s Anka Build, a suite of software designed to test macOS or iOS applications in CI/CD environments.

Wednesday, October 9, 2024 12:00

Cisco Talos’ Vulnerability Research team recently disclosed six new security vulnerabilities across a range of software, including one in a popular PDF reader that could lead to arbitrary code execution. 

Foxit PDF Reader, one of the most popular alternatives to Adobe Acrobat, contains a memory corruption vulnerability that could allow an adversary to execute code on the targeted machine. 

Talos also discovered three vulnerabilities in Veertu’s Anka Build, a suite of software designed to test macOS or iOS applications in CI/CD environments.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

**Use-after-free vulnerability in Foxit PDF Reader**

_Discovered by KPC._

A use-after-free vulnerability in Foxit PDF Reader could lead to memory corruption and eventually arbitrary code execution on the targeted machine.

TALOS-2024-1967 (CVE-2024-28888) can be triggered if an adversary tricks a user into opening a specially crafted PDF that contains malicious JavaScript. Exploitation could also occur if the targeted user visits an attacker-controlled website with the Foxit PDF Reader browser extension enabled.

**Multiple vulnerabilities in GNOME project library could lead to code execution**

Two vulnerabilities in the G Structured File Library (libgsf) could lead to arbitrary code execution. 

This GNOME project supports an abstraction layer around different structure file formats such as .tar and .zip. 

TALOS-2024-2068 (CVE-2024-36474) is an integer overflow vulnerability that could allow an out-of-bounds index to be used when reading and writing to an array. This could lead to arbitrary code execution if an adversary exploited it appropriately. 

TALOS-2024-2069 (CVE-2024-42415) works similarly, but in this case, it arises when the software processes the sector allocation table.

An adversary could exploit both these vulnerabilities by tricking the targeted user into opening a malicious, specially crafted file. 

**Three vulnerabilities in Veertu Anka Build**

_Discovered by KPC._

Veertu’s Anka Build software contains three vulnerabilities, two of which are directory traversal issues. 

Anka Build is a suite of software designed to test macOS and iOS applications in CI/CD environments. The suite is a centralized dashboard for managing nodes, VM instances, templates, tags and logs. 

This software contains two directory traversal vulnerabilities — TALOS-2024-2059 (CVE-2024-41163) and TALOS-2024-2061 (CVE-2024-41922) — that could lead to the disclosure of arbitrary files. An adversary could exploit these vulnerabilities by sending the target a specially crafted HTTP request. 

Another vulnerability, TALOS-2024-2060 (CVE-2024-39755), is a privilege escalation issue that could allow a low-privileged user to force the software to update, potentially raising their access to that of a root user.

Vulnerability in popular PDF reader could lead to arbitrary code execution; Multiple issues in GNOME project

Threat actors with ties to North Korea have been observed targeting job seekers in the tech industry to deliver updated versions of known malware families tracked as BeaverTail and InvisibleFerret.
The activity cluster, tracked as CL-STA-0240, is part of a campaign dubbed Contagious Interview that Palo Alto Networks Unit 42 first disclosed in November 2023.
"The threat actor behind CL-STA-0240

Phishing Attack / Malware

Threat actors with ties to North Korea have been observed targeting job seekers in the tech industry to deliver updated versions of known malware families tracked as BeaverTail and InvisibleFerret.

The activity cluster, tracked as CL-STA-0240, is part of a campaign dubbed **Contagious Interview** that Palo Alto Networks Unit 42 first disclosed in November 2023.

"The threat actor behind CL-STA-0240 contacts software developers through job search platforms by posing as a prospective employer," Unit 42 said in a new report.

"The attackers invite the victim to participate in an online interview, where the threat actor attempts to convince the victim to download and install malware."

The first stage of infection involves the BeaverTail downloader and information stealer that's designed for targeting both Windows and Apple macOS platforms. The malware acts as a conduit for the Python-based InvisibleFerret backdoor.

There is evidence to suggest that the activity remains active despite public disclosure, indicating that the threat actors behind the operation are continuing to taste success by enticing developers into executing malicious code under the pretext of a coding assignment.

Security researcher Patrick Wardle and cybersecurity company Group-IB, in two recent analyses, detailed an attack chain that leveraged fake Windows and maCOS video conferencing applications impersonating MiroTalk and FreeConference.com to infiltrate developer systems with BeaverTail and InvisibleFerret.

What makes it noteworthy is that the bogus application is developed using Qt, which supports cross-compilation for both Windows and macOS. The Qt-based version of BeaverTail is capable of stealing browser passwords and harvesting data from several cryptocurrency wallets.

BeaverTail, besides exfiltrating the data to an adversary-controlled server, is equipped to download and execute the InvisibleFerret backdoor, which includes two components of its own -

*   A main payload that enables fingerprinting of the infected host, remote control, keylogging, data exfiltration, and downloading of AnyDesk
*   A browser stealer that collects browser credentials and credit card information

"North Korean threat actors are known to conduct financial crimes for funds to support the DPRK regime," Unit 42 said. "This campaign may be financially motivated, since the BeaverTail malware has the capability of stealing 13 different cryptocurrency wallets."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

N. Korean Hackers Use Fake Interviews to Infect Developers with Cross-Platform Malware

Microsoft today released security updates to fix at least 117 security holes in Windows computers and other software, including two vulnerabilities that are already seeing active attacks. Also, Adobe plugged 52 security holes across a range of products, and Apple has addressed a bug in its new macOS 15 "Sequoia" update that broke many cybersecurity tools.

**Microsoft** today released security updates to fix at least 117 security holes in **Windows** computers and other software, including two vulnerabilities that are already seeing active attacks. Also, **Adobe** plugged 52 security holes across a range of products, and **Apple** has addressed a bug in its new **macOS 15** “**Sequoia**” update that broke many cybersecurity tools.

One of the zero-day flaws — CVE-2024-43573 — stems from a security weakness in **MSHTML**, the proprietary engine of Microsoft’s **Internet Explorer** web browser. If that sounds familiar it’s because this is the fourth MSHTML vulnerability found to be exploited in the wild so far in 2024.

**Nikolas Cemerikic**, a cybersecurity engineer at **Immersive Labs**, said the vulnerability allows an attacker to trick users into viewing malicious web content, which could appear legitimate thanks to the way Windows handles certain web elements.

“Once a user is deceived into interacting with this content (typically through phishing attacks), the attacker can potentially gain unauthorized access to sensitive information or manipulate web-based services,” he said.

Cemerikic noted that while Internet Explorer is being retired on many platforms, its underlying MSHTML technology remains active and vulnerable.

“This creates a risk for employees using these older systems as part of their everyday work, especially if they are accessing sensitive data or performing financial transactions online,” he said.

Probably the more serious zero-day this month is CVE-2024-43572, a code execution bug in the Microsoft Management Console, a component of Windows that gives system administrators a way to configure and monitor the system.

**Satnam Narang**, senior staff research engineer at **Tenable**, observed that the patch for CVE-2024-43572 arrived a few months after researchers at **Elastic Security Labs** disclosed an attack technique called GrimResource that leveraged an old cross-site scripting (XSS) vulnerability combined with a specially crafted Microsoft Saved Console (MSC) file to gain code execution privileges.

“Although Microsoft patched a different MMC vulnerability in September (CVE-2024-38259) that was neither exploited in the wild nor publicly disclosed,” Narang said. “Since the discovery of CVE-2024-43572, Microsoft now prevents untrusted MSC files from being opened on a system.”

Microsoft also patched **Office,** **Azure**, **.NET**, **OpenSSH for Windows**; **Power BI**; **Windows Hyper-V**; **Windows Mobile Broadband**, and **Visual Studio**. As usual, the **SANS Internet Storm Center** has a list of all Microsoft patches released today, indexed by severity and exploitability.

Late last month, Apple rolled out macOS 15, an operating system update called Sequoia that broke the functionality of security tools made by a number of vendors, including CrowdStrike, SentinelOne and Microsoft. On Oct. 7, Apple pushed an update to Sequoia users that addresses these compatibility issues.

Finally, Adobe has released security updates to plug a total of 52 vulnerabilities in a range of software, including **Adobe Substance 3D Painter**, **Commerce**, **Dimension**, **Animate**, **Lightroom**, **InCopy**, **InDesign**, **Substance 3D Stager**, and **Adobe FrameMaker**.

Please consider backing up important data before applying any updates. Zero-days aside, there’s generally little harm in waiting a few days to apply any pending patches, because not infrequently a security update introduces stability or compatibility issues. **AskWoody.com** usually has the skinny on any problematic patches.

And as always, if you run into any glitches after installing patches, leave a note in the comments; chances are someone else is stuck with the same issue and may have even found a solution.

Patch Tuesday, October 2024 Edition

Threat actors are actively exploiting two of the vulnerabilities, while three others are publicly known and ripe for attack.

Source: fadfebrian via Shutterstock

Microsoft's October security update addressed a substantial 117 vulnerabilities, including two actively exploited flaws and three publicly disclosed but as yet unexploited bugs.

The update is the third largest so far this year in terms of disclosed CVEs, after April's 147 CVEs and July's set of 139 flaws.

A plurality of the bugs (46) enables remote code execution (RCE), and 28 others give threat actors a way to elevate privileges. The remaining vulnerabilities include those that enable spoofing, denial of service, and other malicious outcomes. As always, the CVEs affected a wide range of Microsoft technologies, including the Windows operating system, Microsoft's Hyper-V virtualization technology, Windows Kerberos, Azure, Power BI, and .NET components.

**Actively Exploited Bugs**

The two vulnerabilities in the October update that attackers are actively exploiting are also the ones that merit immediate attention.

One of them is CVE-2024-43573, a spoofing vulnerability in MSHTML, or the Trident legacy browsing engine for Internet Explorer that Microsoft includes in modern versions to maintain backward compatibility. The bug is similar to CVE-2024-38112 and CVE-2024-43461 that Microsoft disclosed in MSHTML in July and September, respectively, which the Void Banshee group has been actively exploiting. Another unusual aspect of the bug: Microsoft has not credited anyone for reporting or discovering it.

Organizations should not allow Microsoft's moderate severity assessment for CVE-2024-43573 to lull them into thinking the bug does not merit immediate attention, researchers at Trend Micro's Zero Day Initiative wrote in a blog post. "There's no word from Microsoft on whether it's \[Void Banshee\], but considering there is no acknowledgment here, it makes me think the original patch was insufficient," the ZDI post noted. "Either way, don't ignore this based on the severity rating. Test and deploy this update quickly."

The other zero-day that attackers are currently exploiting is CVE-2024-43572, an RCE flaw in Microsoft Management Console (MMC). Microsoft said its patch prevents "untrusted Microsoft Saved Console (MSC) files from being opened to protect customers against the risks associated with this vulnerability."

Earlier this year, researchers at Elastic Security reported observing threat actors using specially crafted MMC files, dubbed GrimResource for initial access and defense evasion purposes. However, it is not immediately clear if the attackers were exploiting CVE-2024-43572 in that campaign or some other bug. Microsoft didn't address the point in this most recent patch update.

**Publicly Known but Unexploited — for the Moment**

The three other zero-day bugs that Microsoft disclosed as part of its October security update — but which attackers have not exploited yet — are CVE-2024-6197, a remote code execution vulnerability in the open source cURLl command line tool; CVE-2024-20659, a moderate severity security bypass vulnerability in Windows Hyper-V; and CVE-2024-43583, a WinLogon elevation of privilege vulnerability.

Mike Walters, president and co-founder of Action 1, said organizations should prioritize patching CVE-2024-6197. Though Microsoft has assessed the vulnerability as something that attackers are less likely to exploit, Walters expects to see proof-of-concept code for the flaw become available soon. "This vulnerability is particularly concerning, because it impacts the fundamental architecture of memory management in cURL, a tool integral to data transfers across various network protocols," Walters wrote in a blog post. "The affected systems include those using cURL or libcurl, the underlying library that powers numerous applications on diverse platforms."

Meanwhile, organizations using third-party input method editors (IMEs) that allow users to type in different languages are at particular risk from CVE-2024-43583, which is the WinLogon elevation of privilege flaw, Walters added. "This vulnerability is particularly pertinent in diverse settings where multilingual support is crucial, such as in global enterprises or educational institutions," he said. Attackers could exploit the vulnerability as part of a broader attack chain to compromise affected environments he said.

**Other Critical Bugs that Need Attention Now**

Microsoft assessed just three of the 117 vulnerabilities it disclosed this week as being critical. All three are RCEs. They are CVE-2024-43468 in Microsoft Configuration Manager, CVE-2024-43582 in the Remote Desktop Protocol (RDP) server, and CVE-2024-43488 in Visual Studio Code extension for Arduino Remote.

CVE-2024-43468 highlights some memory safety concerns with Microsoft Configuration Manager, Cody Dietz, a researcher with Automox, wrote in a blog post. "Successful exploitation of this vulnerability can allow for lateral movement throughout a network and offers the potential to deploy malicious configurations to other systems." In addition to immediately patching the vulnerability, organizations should consider using an alternate service account to mitigate risk, Dietz said.

Automox also highlighted CVE-2024-43533, a high-severity bug in RDP. The bug is present in the RDP client and enables attackers to execute arbitrary code on a client machine. "Unlike typical RDP vulnerabilities targeting servers, this one flips the script, offering a unique attack vector against clients," Tom Bowyer, director of IT security at Automox, wrote in the company's blog post.

"This vulnerability opens the door for back-hacks," Boyer added, "where attackers set up rogue RDP servers to exploit scanning activities from entities like nation-states or security companies."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

5 Zero-Days in Microsoft's October Update to Patch Immediately

The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.

Tuesday, October 8, 2024 15:04

The largest Microsoft Patch Tuesday since July includes two vulnerabilities that have been exploited in the wild and three other critical issues across the company’s range of hardware and software offerings.  

October’s monthly security update from Microsoft includes fixes for 117 CVEs, the most in a month since July’s updates covered 142 vulnerabilities.   

The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.  

CVE-2024-43572 is a remote code execution vulnerability in the Microsoft Management Console that could allow an attacker to execute arbitrary code on the targeted machine. Microsoft’s security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect users against adversaries trying to exploit this vulnerability.  

The security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect customers against the risks associated with this vulnerability. 

The other vulnerability that was exploited in the wild in this week’s security update is CVE-2024-43573, a platform spoofing vulnerability in Windows MSHTML. Platform spoofing vulnerabilities usually allow an adversary to gain unauthorized access to an environment by disguising themselves as a trusted source.  

CVE-2024-43583, an elevation of privilege vulnerability in Winlogon, has also been publicly disclosed, according to Microsoft, but has not yet been exploited in the wild. This vulnerability could allow an attacker to obtain SYSTEM-level privilege. In addition to applying the patch, Microsoft also recommends users enable a Microsoft first-party Input Method Editor (IME) on their devices to prevent adversaries from being able to exploit third-party IMEs during the sign-in process. 

October’s Patch Tuesday also includes three critical vulnerabilities that could all lead to remote code execution. 

CVE-2024-43468 is the most serious of this bunch, with a CVSS severity score of 9.8 out of 10. An attacker could exploit this vulnerability in Microsoft Configuration Manager to execute commands on the targeted server or underlying database. 

Another remote code execution vulnerability, CVE-2024-43488, exists in the Visual Studio Code extension for Arduino, an open-source platform for building and managing single-board microcontrollers and microcontroller kits. A missing authentication protocol could allow an adversary to execute remote code over the network.  

Microsoft stated that the company has already mitigated this vulnerability and users do not need to take any additional steps. This extension has also been deprecated and can no longer be downloaded from the internet. 

Lastly, CVE-2024-43582 exists in the Windows Remote Desktop Protocol server and could allow an attacker to execute code on the server side with the same permissions as the RPC service. An adversary could exploit this vulnerability by sending malformed packets to an RPC host. However, exploitation also requires that the adversary win a race condition first.  

Cisco Talos would also like to highlight several vulnerabilities that are only rated as “important,” but Microsoft lists as “more likely” to be exploited: 

*   CVE-2024-43502: Elevation of privilege vulnerability in Windows Kernel 
*   CVE-2024-43509 and CVE-2024-43556: Elevation of privilege vulnerabilities in Windows Graphics Component     
*   CVE-2024-43560: Elevation of privilege vulnerability in Windows Storage Port 
*   CVE-2024-43581 and CVE-2024-43615: Remote code execution vulnerability in Microsoft OpenSSH for Windows  
*   CVE-2024-43609: Spoofing vulnerability in Microsoft Office 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64083 - 64086, 64089, 64090, 64111 and 64112. There are also Snort 3 rules 301034 - 301036 and 301041.

Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities

As healthcare organizations struggle against operational issues, two-thirds of the industry suffered ransomware attacks in the past year, and an increasing number are caving to extortion and paying up.

Source: Yuri A/PeopleImages via ShutterStock

The healthcare sector continues to grow, but without the proper focus on cybersecurity, the prognosis for the industry's resilience against ransomware and other attacks has only worsened.

Against a backdrop of non-IT disruptions — such as private equity failures, shortages of medicines, and the cutting of services — two-thirds (66%) of healthcare organizations also suffered ransomware attacks in the past year, up from 60% in the prior year, according to a report from cybersecurity firm Sophos. Major attacks on hospitals and medical-service providers have led to disruptions of services, significant financial outlay, and the exposure of sensitive patient data. In some cases, they also affected patient outcomes.

There are also new threats emerging all the time. The Trinity ransomware, for instance, first seen last May, poses a "significant threat" to the healthcare and public health sector, according to an alert this week from the US Department of Health and Human Services.  

Overall, more than 14 million US citizens — and an unknown number worldwide — have been affected by healthcare breaches in 2024, according to another data set from security firm SonicWall.

Healthcare suffers such a cyber malaise that Senate Finance Committee chair Ron Wyden (D-Ore.), and Sen. Mark Warner (D-Va.) last week announced legislation to attempt to patch up the system. The bill would require jail time for healthcare CEOs that lie to the government about their cybersecurity postures, offer federal resources to rural and underserved hospitals for cyber improvements, and introduce accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data. The bill would also remove the existing cap on fines for data mishandling under the Health Insurance Portability and Accountability Act (HIPAA).

"Mega-corporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result," Wyden said in a statement announcing the bill. "The healthcare industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy."

**Healthcare Cyber-Profiles Are Ripe for Infection**

Healthcare organizations have three attributes that ensure ransomware gangs will continue to focus on the industry: Their operations are critical to society, their technology is often old and rife with vulnerabilities, and individual organizations are willing to pay ransoms, says Doug McKee, executive director of threat research of SonicWall.

"There's a lot of money in healthcare, \[and\] healthcare is not only notorious for having a lot of money, but they've been painted as an industry that's willing to pay the ransom," he says. "If we're going to keep paying the ransom, the attackers are going to keep ramping up in that industry. The math is that simple."

The cybersecurity problems plaguing the industry are not just affecting the business of healthcare. They're also having real impacts on patients and national health efforts. Attackers used stolen credentials, for example, to compromise UnitedHealth subsidiary Change Healthcare and infect its systems with ransomware in February, leading to stalled payments for doctors, pharmacies, and hospitals — and eventually a $22 million ransom paid to the criminals. In the United Kingdom, an attack on medical-services provider Synnovis in June led to delays in matching patient blood types and other pathology services. The same month, an attack on South Africa's National Health Laboratory Service (NHLS) disrupted the service provided by the government-run testing laboratories, while the nation found itself in the midst of an mpox outbreak.

"I can either pay the ransom, get back up and running, or I can try to rebuild it myself and pray that we get everything back set up running in a week — not an option," says Errol Weiss, chief information security officer (CISO) of the Healthcare Information Sharing and Analysis Center (Health-ISAC). "So now, we've got a sector who is more prevalent to pay, and I think the bad guys — cybercriminals, nation-states that are doing this — figured that out pretty quickly. I think it's getting worse, and I think that they've also figured out the weak spots in the sector."

**A Pound of Cure Typically Fails**

The weakest spot for healthcare entities is arguably the inter-reliance of hospitals and pharmacies on their third-party providers. When Change Healthcare suffered its weekslong outage, the incident demonstrated that efforts to shore up cyber resilience has to extend all the way to any third-party suppliers on which healthcare providers rely.

"Change Healthcare definitely rocked the sector and made us \[realize\] that it's a single point of failure for so many services," Weiss says. "We had thousands of patients across the US that couldn't get prescriptions filled because of that outage, and then ... we had hospitals that couldn't file claims."

Similarly, the attacks on Synnovis and NHLS slowed diagnostic services.

While their operational requirements — prioritizing human life, which means keeping open the access to needed data — pose challenging issues, healthcare organizations must gain oversight over their (often legacy) technology and the large variety of medical devices and equipment, which might not be kept totally up to date. Seven out of every eight breaches were caused by exploitable vulnerabilities, compromised credentials, and malicious emails — so focusing on those three areas could pay significant dividends for cybercriminals, says Christopher Budd, director of threat research for Sophos X-Ops.

"Healthcare — along with energy, oil/gas, and utilities — is challenged by higher levels of legacy technology, and infrastructure controls more than most other sectors, which likely makes it harder to secure devices, limit lateral movement, and prevent attacks from spreading," he says.

**Time for an Ounce of Prevention**

Yet, perhaps most telling is the industry's problems with backups.

In 95% of attacks targeting healthcare organizations, the attacker tried to compromise the backups. Unfortunately, they succeeded in 66%, putting healthcare organizations' defensive shortcomings behind that of only the energy, oil/gas, and utilities sector (79%) and the education sector (71%), according to Sophos' report.

While healthcare organizations continue to use backups to recover, many also pay ransoms. Source: Sophos

The loss of backups results in much worse — and more expensive — outcomes, the report stated. The value of the initial ransom demand more than tripled, to $4.4 million, compared with $1.3 million for organizations with backups, and the organizations were far more likely to pay the ransom, with 63% of organizations with a failed backup paying the ransom, compared with 27% of organizations with complete backups.

In its threat brief, SonicWall recommended the typical trio of cybersecurity best practices: patch management, strong access controls, and continuous monitoring. However, out of those three, monitoring is the most important capability for organizations to establish first, says SonicWall's McKee. Companies with good visibility can detect cybersecurity issues early and remediate them before they are attacked, he says.

While the outlook is currently messy, progress is being made, he added.

"I think that we've gotten better," McKee says. "Over the last five years, I've seen a huge improvement in healthcare, as far as being able to turn around cybersecurity best practices ... but \[technology\] has to get through all the regulatory requirements ... and that's simply going to take time ... probably years, for healthcare to get to a point that we're able to reduce some of the effectiveness of these attacks."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Healthcare's Grim Cyber Prognosis Requires Security Booster

Morphisec Threat Labs uncovers sophisticated Lua malware targeting student gamers and educational institutions. Learn how these attacks work…

Morphisec Threat Labs uncovers sophisticated Lua malware targeting student gamers and educational institutions. Learn how these attacks work and how to stay protected.

The cybersecurity researchers at Morphisec Threat Labs have uncovered and thwarted multiple variants of Lua malware specifically targeting the educational sector. These attacks exploit the popularity of **Lua-based gaming engine supplements**, which are widely used by student gamers. Even more concerning, the malware campaigns were observed targeting unsuspecting users globally including across North America, South America, Europe, Asia, and Australia.

The malware strain was first reported in March 2024 (do not confuse Lua malware with the infamous **Luabot DDoS malware** identified in 2016). Over the past months, the delivery methods of Lua malware have changed to become simpler, possibly to evade detection mechanisms. Instead of using compiled Lua bytecode, which can easily raise suspicion, the malware is now frequently delivered through obfuscated Lua scripts.

****Malicious ZIP Files****

The malware is typically distributed in the form of an installer or a ZIP archive and often disguised as game cheats or other gaming-related tools, making it particularly lucrative to students who are searching for ways to enhance their gaming experience.

According to Morphisec Threat Labs’ detailed technical **blog post** shared with Hackread.com ahead of publishing on Tuesday, when a user downloads the infected file, typically from platforms like GitHub, they receive a ZIP archive containing four key components: Lua51.dll: A runtime interpreter for Lua, Compiler.exe: A lightweight loader, Obfuscated Lua Script: The malicious code and Launcher.bat: A batch file that executes the Lua script.

Upon execution, the batch file runs the Compiler.exe, which loads the Lua51.dll and interprets the obfuscated Lua script. This script then establishes communication with a Command and Control (C2) server, sending detailed information about the infected machine. The C2 server responds with tasks, which can be categorized into two types: Lua Loader Tasks: Actions such as maintaining persistence or hiding processes. Task Payloads: Instructions to download and configure new payloads.

Attack flow (Via Morphisec Threat Labs)

****Lua Malware and SEO Poisoning****

The delivery techniques used in these attacks include **SEO poisoning**, where search engine results are manipulated to lead users to malicious websites. For instance, advertisements for popular cheating script engines like Solara and Electron, often associated with Roblox, have been found to direct users to GitHub repositories hosting various Lua malware variants. These repositories frequently use github.com/user-attachments push requests to distribute the malware.

****Additional InfoStealer Like Redline****

The infection chain does not end with Lua malware infection. The malware ultimately leads to the deployment of infostealers, notably Redline Infostealers. For your information, infostealers like **Redline, Vidar and Formbook** are gaining prominence as the harvested credentials are sold on the dark web **especially ChatGPT credentials**, opening the door to more attacks in the future.

SEO poisoning in action (Via Morphisec Threat Labs)

****Watch Out Students and Gamers****

Gamers, educational institutions, and students should be cautious of Lua and other malware threats by avoiding downloads from untrustworthy sources. Keeping security software up to date and informing users about the **cybersecurity risks of downloading game cheats** and unverified content can help reduce the chances of these attacks.

1.  **Fake League of Legends Download Ads Drop Lumma Stealer**
2.  **Global malspam targets hotels, spreading Redline, Vidar stealers**
3.  **Fake Windows site dropped Redline malware as Windows 11 upgrade**
4.  **Fake CAPTCHA Verification Pages Spreading Lumma Stealer Malware**
5.  **Ransomware Hidden as a Game: Kransom’s Attack Via DLL Side-Loading**

Lua Malware Targeting Student Gamers via Fake Game Cheats

This week on the Lock and Code podcast, we speak with Zach Hinkle and Pieter Arntz about the Facebook funeral livestream scam.

_This week on the Lock and Code podcast…_

Online scammers were seen this August stooping to a new low—abusing local funerals to steal from bereaved family and friends.

Cybercrime has never been a job of morals (calling it a “job” is already lending it too much credit), but, for many years, scams wavered between clever and brusque. Take the “Nigerian prince” email scam which has plagued victims for close to two decades. In it, would-be victims would receive a mysterious, unwanted message from alleged royalty, and, in exchange for a little help in moving funds across international borders, would be handsomely rewarded.

The scam was preposterous but effective—in fact, in 2019, CNBC reported that this very same “Nigerian prince” scam campaign resulted in $700,000 in losses for victims in the United States.

Since then, scams have evolved dramatically.

Cybercriminals today willl send deceptive emails claiming to come from Netflix, or Google, or Uber, tricking victims into “resetting” their passwords. Cybercriminals will leverage global crises, like the COVID-19 pandemic, and send fraudulent requests for donations to nonprofits and hospital funds. And, time and again, cybercriminals will find a way to play on our emotions—be they fear, or urgency, or even affection—to lure us into unsafe places online.

This summer, Malwarebytes social media manager Zach Hinkle encountered one such scam, and it happened while attending a funeral for a friend. In a campaign that Malwarebytes Labs is calling the “Facebook funeral live stream scam,” attendees at real funerals are being tricked into potentially signing up for a “live stream” service of the funerals they just attended.

Today on the Lock and Code podcast with host David Ruiz, we speak with Hinkle and Malwarebytes security researcher Pieter Arntz about the Facebook funeral live stream scam, what potential victims have to watch out for, and how cybercriminals are targeting actual, grieving family members with such foul deceit. Hinkle also describes what he felt in the moment of trying to not only take the scam down, but to protect his friends from falling for it.

> “You’re grieving… and you go through a service and you’re feeling all these emotions, and then the emotion you feel is anger because someone is trying to take advantage of friends and loved ones, of somebody who has just died. That’s so appalling”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Exposing the Facebook funeral livestream scam (Lock and Code S05E21) 

Apple Security Advisory 10-03-2024-1 - iOS 18.0.1 and iPadOS 18.0.1 addresses an audio capturing issue and a logic issue related to passwords being read aloud.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-03-2024-1 iOS 18.0.1 and iPadOS 18.0.1

iOS 18.0.1 and iPadOS 18.0.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121373.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

Media Session  
Available for: iPhone 16 (all models)  
Impact: Audio messages in Messages may be able to capture a few seconds  
of audio before the microphone indicator is activated  
Description: This issue was addressed with improved checks.  
CVE-2024-44207: Michael Jimenez and an anonymous researcher

Passwords  
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch  
3rd generation and later, iPad Pro 11-inch 1st generation and later,  
iPad Air 3rd generation and later, iPad 7th generation and later, and  
iPad mini 5th generation and later  
Impact: A user's saved passwords may be read aloud by VoiceOver  
Description: A logic issue was addressed with improved validation.  
CVE-2024-44204: Bistrit Dahal

This update is available through iTunes and Software Update on your  
iOS device, and will not appear in your computer's Software Update  
application, or in the Apple Downloads site. Make sure you have an  
Internet connection and have installed the latest version of iTunes  
from https://www.apple.com/itunes/

iTunes and Software Update on the device will automatically check  
Apple's update server on its weekly schedule. When an update is  
detected, it is downloaded and the option to be installed is  
presented to the user when the iOS device is docked. We recommend  
applying the update immediately if possible. Selecting  
Don't Install will present the option the next time you connect  
your iOS device.

The automatic update process may take up to a week depending on  
the day that iTunes or the device checks for updates. You may  
manually obtain the update via the Check for Updates button  
within iTunes, or the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings  
* Select General  
* Select About. The version after applying this update will be  
"iOS 18.0.1 and iPadOS 18.0.1".

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmb/LLMACgkQX+5d1TXa  
Ivp/oBAAtCfF765M4s/Iwi15gaFUFbOe5Droq7gCJEvtwSsfYFESbM5eCiGZjn4y  
Na+d9SrlgymDhIz5j6ZDZdSHKjCLhlkYc+JxpjgUM7rPxJtpn1QBGdDcjUfhpesV  
sPxIaQk3lok4uLdBt9tbDT1a+pI67vKa2hm3FmZHsj5MZLSUJaR3d5rq2MWo3RjD  
dfVsDhdCvnhk0vSA7ro8/EXVX1W6Jq8UQRGMjXcZgTiSWIx4TLdx6cNGD53dPuzl  
ffP6M4XHi247tolr8gs0+EBBlnwUVF1DGgx5MZGuxO++MNLo0SF25HTZN6bmuEQy  
zcQjuOHUzEazRzs9lO6IqAoY+YFQKW/UN3+Fj0RNKl2OXloRf2DTgl1C53V+uVyB  
MdtJtYCJ1YxwKnhzGsmjclk5oqUrtEKL4Yeri1TxbfXBgoFflNLNRgRrwqkIoPKy  
XURcpZ7/yD62Y4uMDIXFWV6FlEPZ/lPnM9Yh7Nh3ocJwJFlsHItuhJrwgyjLkfCZ  
Lnerb7en4FbxEfewnjbdCh06P58e5c3XVVSVGNwIyIxeoTO7lT7E7V9tcaSi1L9s  
QYN5+zcssTumEdbns6mwivpES16Z+4LuQZfgcfynreLZA6B7LHgqXEmSDcujF8SC  
P4hiBFqyccXGrvTR47fGf8+6JPnErrFKOBEcfEu7NUYW8smtxM0=  
=n+NZ  
-----END PGP SIGNATURE-----

Tag

#mac