13th January, 2023
Schools In the UK Targeted by Hacking Group
14 schools in the UK have been victims of a cyber-attack that has led to highly confidential files being stolen and released online. The hacking group behind these attacks is called ‘Vice Society’ and has been ransoming schools in both the UK and the US. Their usual strategy is to infiltrate a school’s IT systems, lock down the files and demand a ransom; if the ransom is not paid, they leak the documents online. One grammar school in Gloucestershire had children's SEN information, child passport scans, staff pay scales and contract details all stolen and released online. Investigators noted that the information was not especially well hidden, with folders named ‘passports’ and ‘contracts’, which makes the attackers' task much easier.
Royal Mail Cyber Attack Cripples International Deliveries
Earlier in the week, the UK's postal service, Royal Mail, was hit by an unspecified cyber incident affecting items being brought into and sent out of the country, resulting in a build-up of more than half a million packages and letters, although Royal Mail have said they are only suffering slight delays. On Thursday the 12th it was confirmed that Russian hackers had used the LockBit ransomware to encrypt and exfiltrate data on key infrastructure used at 6 sites, including its Heathrow distribution centre. The ransom note was also reported to be printing out repeatedly at a distribution centre in Northern Ireland, stating that if the ransom isn't paid, the data will be leaked on a Tor website. It is currently unknown what the ransom amount is. Royal Mail are currently working with the National Cyber Security Centre, a branch of GCHQ, and the National Crime Agency on the investigation.
New security flaw found in JsonWebToken Public Library
This new security flaw is being tracked as CVE-2022-23529 and could allow attackers remote code execution. A researcher at Palo Alto Networks Unit stated, ‘By exploiting this vulnerability, attackers could achieve remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) request’. JsonWebToken is a popular module used by over 22,000 projects that allows users to decode, verify and generate JSON web tokens. The researchers also stated, ‘With that being said, in order to exploit the vulnerability described in this post and control the secretOrPublicKey value, an attacker will need to exploit a flaw within the secret management process’.
Data Accessed in Ransomware Attack on The Guardian
The UK newspaper and media group The Guardian confirmed this week that it had been subject to a successful phishing attempt that led to a ransomware attack, first detected on 20 December 2022. Chief executive Anna Bateson and editor-in-chief Katharine Viner described the incident as a "highly sophisticated cyber-attack involving unauthorised third-party access to parts of our network". They also confirmed that while their systems were accessed, they have no reason to believe personal data of staff or members was stolen, and there has so far been no evidence of data being leaked online, greatly reducing the likelihood of fraud. The attacker is currently unknown, and The Guardian are continuing to work alongside the police on the investigation.
Microsoft Patches 98 Security Flaws in First Patch Tuesday of 2023
Microsoft’s first Patch Tuesday of the year addresses 98 security flaws, including one that is being actively exploited. 11 of the 98 are rated Critical and 87 are rated Important. The actively exploited vulnerability is tracked as CVE-2023-21674, a privilege escalation bug in Windows Advanced Local Procedure Call (ALPC) that could allow an attacker to obtain SYSTEM privileges. Two privilege escalation vulnerabilities affecting Microsoft Exchange (CVE-2023-21763 and CVE-2023-21764) have also been addressed, both of which could allow code to be run with SYSTEM-level privileges. A patch for BitLocker has also been released, fixing a bug that would allow an attacker with physical access to a device to gain access to encrypted data (CVE-2023-21563).
Microsoft Windows 7, Windows 8.1, and Windows RT Reach End of Support
As of January 10th, 2023, Microsoft has ended support for Windows 7 (extended), 8.1 and 8 RT. This means the company will no longer provide security updates, non-security fixes or free/paid support packages for them. Any organisation continuing to run those operating systems after that date faces increased security risk and may struggle to meet compliance requirements. A comprehensive organisational software inventory and Vulnerability Assessment programme is essential for knowing which software versions are deployed within your organisation and what risks they pose. See our latest blog post here on the importance of combining threat hunting with Vulnerability Assessments to identify weaknesses and determine whether you have already been compromised.