Commit 10_03_2023: Ransomware as far as the eye can see

Matthew Ansley / Unsplash

Welcome to Commit 10_03_2023! README senior editor Nathaniel Mott here on my son’s birthday with the latest cybersecurity news, starting with a spree of ransomware attacks.

StateScoop: Ransomware attack delays payments for 4,500 in Pinal County, Arizona

StateScoop reported on Oct. 2 that “the paychecks of more than 4,500 employees across 14 school districts in Pinal County, Arizona, were delayed last week following a ransomware attack.” The incident reportedly interrupted direct deposits into the employees’ bank accounts; the superintendent’s office that oversees the affected districts reportedly printed off paper checks as a result.

This once again highlights the second-order effects of an incident: the attackers hit a payroll system, but the damage landed on the people waiting for their pay. Missing a paycheck, even if only for a day, can be a serious problem for many people. (Especially those who are already underpaid.) And while many students might appreciate the ransomware equivalent of a snow day, those who depend on their schools for access to food, water and other necessities don't have the same privilege.

The Record: A ransomware attack couldn’t force this Virginia school district to close

Continuing with ransomware attacks on schools: The Record reported on Oct. 2 that Fauquier County Public Schools, which “runs 20 elementary, middle and high schools for more than 11,200 students,” has remained open despite a Sept. 12 ransomware attack carried out by the notorious LockBit criminal group.

LockBit reportedly gave Fauquier County Public Schools until Oct. 19 to pay an undisclosed ransom. The group is said to be planning to leak information from the school district if it refuses to pay up, but a district spokesperson told The Record that it doesn’t “believe that any personal student or staff information has been compromised” as a result of the incident. We should find out more as the deadline approaches. 

TechCrunch: Motel One details fallout of—you guessed it—a ransomware attack

Ransomware gangs aren’t just targeting schools. TechCrunch today reported that Motel One, “one of Europe’s largest hotel chains,” confirmed that it was targeted in a ransomware attack. ALPHV claimed responsibility for the attack and said that it made off with “several terabytes of data,” and Motel One confirmed that at least some “address data and the details of 150 credit cards” were compromised.

ALPHV has also been tied to the ransomware attacks on MGM Resorts and Caesars Entertainment—though the attribution of those attacks is muddied, since Scattered Spider, an affiliate reported to have used ALPHV's ransomware, has also been named as the intruder—so it seems the group is particularly interested in the hospitality industry at the moment. Other hotel operators might want to secure their networks with something a little sturdier than a "do not disturb" sign, lest they receive an unexpected and unwelcome wake-up call.

BC: Microsoft responds to libwebp, libvpx vulnerabilities

BleepingComputer today reported that Microsoft has updated its Edge browser, Teams communication platform and Skype chat service to address critical vulnerabilities in the libwebp (used to support the WebP image format) and libvpx (used for the VP8 and VP9 video formats) libraries that could be exploited to achieve remote code execution. 

Expect to see countless updates like this in the coming days, weeks and months. Both libwebp and libvpx are used in everything from web browsers to "native" applications built with Electron, and in that software they are typically compiled in statically rather than loaded from a system library: updating the operating system's copy of libwebp does nothing for an Electron app that carries its own. Every one of those apps has to ship its own rebuild to defend against vulnerabilities that are being actively exploited, and despite community efforts to catalog affected software, many people probably won't even know whether a particular app is at risk.
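One practical way to answer "is this app at risk?" is to triage a software bill of materials rather than guess. The script below is an added example, not code from the newsletter, Microsoft or the library maintainers: it walks a CycloneDX-style SBOM, descending into components nested inside other components (an Electron app bundling its own libwebp and libvpx), and flags every copy older than a minimum fixed version. The SBOM is constructed for the example, and the fixed-version thresholds are assumptions that should be taken from each library's upstream advisory.

```python
"""Flag bundled copies of libwebp / libvpx that predate a fixed version.

Added example, not from the newsletter or any vendor. Walks a CycloneDX-style
SBOM, including components nested inside other components, and reports every
watched library older than the assumed minimum fixed version.
"""
import json
import re

# Assumed minimum fixed versions: treat as inputs, not facts, and take the
# real numbers from the library maintainers' advisories.
FIXED_VERSIONS = {
    "libwebp": "1.3.2",
    "libvpx": "1.13.1",
}

# Constructed SBOM: an Electron-style app bundling both libraries, a patched
# system-level libwebp, a pre-release libvpx and one unparseable version.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "application", "name": "example-chat-app", "version": "4.2.0",
         "components": [
             {"type": "library", "name": "libwebp", "version": "1.3.1"},
             {"type": "library", "name": "libvpx", "version": "1.13.0"},
         ]},
        {"type": "library", "name": "libwebp", "version": "1.3.2"},
        {"type": "library", "name": "libvpx", "version": "v1.13.1-rc1"},
        {"type": "library", "name": "libvpx", "version": "unknown"},
    ],
})

# Optional leading 'v', dotted numbers, optional '-prerelease', optional '+build'.
VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$")


def parse_version(text):
    """Turn '1.3.2', 'v1.13.1' or '1.13.1-rc1' into a sortable key, or None.

    Key is (numbers padded to four places, release flag), so a pre-release of
    X.Y.Z sorts below the final X.Y.Z and '1.3.10' sorts above '1.3.2'.
    """
    match = VERSION_RE.match(text.strip())
    if not match:
        return None
    numbers = tuple(int(part) for part in match.group(1).split("."))
    if len(numbers) > 4:
        return None
    numbers = numbers + (0,) * (4 - len(numbers))
    is_release = 0 if match.group(2) else 1
    return (numbers, is_release)


def walk(components, path=()):
    """Yield (path, component) for every component, recursing into nested ones."""
    for comp in components or []:
        here = path + (comp.get("name", "?"),)
        yield here, comp
        yield from walk(comp.get("components"), here)


def triage(sbom_text, fixed_versions=FIXED_VERSIONS):
    """Return one finding per watched library found anywhere in the SBOM."""
    sbom = json.loads(sbom_text)
    findings = []
    for path, comp in walk(sbom.get("components")):
        name = comp.get("name", "").lower()
        if name not in fixed_versions:
            continue
        found = parse_version(comp.get("version", ""))
        fixed = parse_version(fixed_versions[name])
        if found is None:
            status = "unknown-version"   # cannot prove it fixed: investigate
        elif found < fixed:
            status = "vulnerable"
        else:
            status = "fixed"
        findings.append({
            "where": "/".join(path[:-1]) or "(top level)",
            "name": name,
            "version": comp.get("version", ""),
            "status": status,
        })
    return findings


def main():
    for f in triage(SAMPLE_SBOM):
        print(f"{f['status']:16} {f['name']:8} {f['version']:14} in {f['where']}")


if __name__ == "__main__":
    main()
```

Two design points matter in practice: a version that cannot be parsed is reported as unknown rather than silently treated as fixed, and the walk is recursive, because the copy that bites you is usually the one nested three levels down inside a bundled framework rather than the system package.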

Ars Technica: Arm GPU drivers are being exploited in attacks

Android smartphone owners might want to check for system updates. Arm revealed on Oct. 2 that attackers have been actively exploiting a zero-day vulnerability in the kernel drivers for its Mali line of GPUs, which can be found in a variety of devices, including the Google Pixel line and Samsung's flagship devices. (Check out Arm's advisory for details on the exploited flaw, the other driver issues disclosed alongside it, and the driver versions they affect.)

The problem, as Ars Technica noted, is that Android device manufacturers aren't particularly well-known for supporting their products long-term. A fix for a GPU driver also has to travel from Arm to the chip and device vendors and then through each manufacturer's own update pipeline before it reaches a phone, and every hop adds delay. "Sadly, many vulnerable Android devices receive patches months or even years after becoming available," Ars said, "if at all." People whose phones are susceptible to these vulnerabilities simply have to hope they receive a patch or start shopping for replacements.