Commit 10_02_2023: Are we cyber-aware yet?


Welcome to Commit 10_02_2023! README senior editor Nathaniel Mott here a day into Cybersecurity Awareness Month—which, as I keep warning people, should not be called by its initialism—with the latest infosec news.

Ars Technica: Checking out RCE vulns in Exim

Revealed by the Zero Day Initiative last week, the vulnerabilities of the moment are a sextet of flaws in the open source mail transfer agent Exim, some of which can be exploited to enable remote code execution. Ars Technica reported on Sept. 29 that patches were prepared for three of the vulnerabilities. (There was no word on when the patches would reach Exim users or when the other flaws would be addressed.)

A group of zero-day vulnerabilities in a popular open source project publicly disclosed before patches are available is never a good thing, but in its analysis of the vulns, Watchtowr said that “they boil down to a few admittedly dangerous bugs that require a very specific environment to be accessible.” Most of Exim’s users probably don’t have to worry all that much about being popped via these particular flaws.

TechCrunch: Step aside, MOVEit Transfer, another Progress Software project needs the spotlight

Progress Software—which sounds familiar because it’s the company behind the MOVEit Transfer software that’s been used to steal information from more than 2,000 organizations—disclosed last week several vulnerabilities in its WS_FTP file-transfer software. TechCrunch reported that two of the vulns are critically severe; one of them can be used to “execute remote commands on the underlying operating system.”

Rapid7 said it “has observed multiple instances of WS_FTP exploitation in the wild,” although there were indications that a single threat actor was responsible for all those attempts. (That is unlikely to remain the case as more groups familiarize themselves with the vulnerabilities, develop their own exploits and attempt to use them against organizations that haven’t patched their WS_FTP installations.)

WSHU: How a cyberattack disrupted three Conn. hospitals

Hot on the heels of our report on how cyberattacks targeting healthcare facilities endanger lives, WSHU reported on how an incident disrupted three hospitals in Connecticut earlier this year. “The hospitals were unable to bill Medicaid for payment, forcing the state Department of Social Services to advance them about $7.5 million,” WSHU reported. “A review of the records shows the facilities had to cancel nearly half of their elective procedures and at times over the nearly six-week period couldn’t process X-rays or CT scans that are vital for treating potential stroke or heart attack victims.”

The hospitals still haven’t restored all of their systems, WSHU said, and it’s expected to take several months for them to fully recover from this incident.

AP: The NSA’s starting an AI security center

Saying that folks seem concerned by the rapid popularization of increasingly capable AI-related services would be an understatement. See: The Associated Press reported on Sept. 28 that the NSA “is starting an artificial intelligence security center” that will be incorporated into the Cybersecurity Collaboration Center, “where [the agency] works with private industry and international partners to harden the U.S. defense-industrial base against threats from adversaries led by China and Russia.”

NSA head Gen. Paul Nakasone reportedly said that this AI center will be the agency’s “focal point for leveraging foreign intelligence insights, contributing to the development of best practices guidelines, principles, evaluation, methodology and risk frameworks.” In the meantime, well, I suspect many organizations will ask these AI services themselves how to use them securely.

BC: Amazon didn’t mean to make people think they’d been hacked

Criminals are so fond of gift cards that many banks, retailers and security organizations warn any would-be purchasers of these plastic money holders not to fall for common scams. So when Amazon customers received emails confirming the purchase of Mastercard, Google Play and gift cards on Sept. 30, well, it’s hard to blame them for thinking someone had compromised their accounts.

But fear not—the emails were sent out by mistake. Amazon told BleepingComputer that “an error in our email system” was responsible for the messages; nobody had purchased gift cards with the associated Amazon accounts. I’m sure that will be of some comfort to the people who received these emails… assuming they believe Amazon’s claim that the previous messages were truly sent in error.