LockBit alleges it boarded Boeing, stole ‘sensitive data’

Security In Brief Notorious ransomware gang LockBit has reportedly exfiltrated “a tremendous amount of sensitive data” from aerospace outfit Boeing.

VX underground published a screenshot of Lockbit’s announcement, and threat to expose data if Boeing does not engage with it by November 2nd.

Boeing has told US media it is investigating Lockbit’s claims.

If Lockbit has indeed stolen Boeing data the repercussions could be enormous as the company does plenty of work for military clients, and is even building the new pair of heavily-modified 747-8 planes that will serve as the next Air Force One US presidential transports.

“We are assessing this claim”, Boeing told The Register.

Lockbit has a long history of “success” with its attacks, and is thought to have earned around $90 million in the USA alone since 2020. The group is not shy and often publicises its exploits, and even its product development efforts.

Reports suggest a LockBit affiliate led this raid, using a zero-day exploit. The criminal gang’s track record means its claims can’t be dismissed, but its penchant for publicity means its claims also merit careful consideration.

– Simon Sharwood

What happens in Vegas …

Parents of students in Las Vegas’s Clark County School District (CCSD) are on edge after receiving emails filled with their children’s personal information following a breach at the school system earlier this month. 

Speaking to local outlet News 3 Las Vegas, one parent who received an email titled “CCSD leak” on Wednesday reported a warning that their child’s information had been released online, along with a trio of PDF files containing “my children’s pictures, all of their contact information, email addresses, student ID numbers, my information, our address,” the parent said. “That is so scary.” 

It wasn’t made clear in the report whether the sender demanded a ransom of any kind, but that might not be necessary. As we need not remind readers, PDF files are frequently used to smuggle malware to unsuspecting targets – and what better way to get someone to open a malicious document than threatening their children’s safety?
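A practitioner handling a lure like the one described above will want to triage an unsolicited PDF before anyone opens it. The following is an added example, not code from the original report or from CCSD: a small keyword scanner that flags the PDF names associated with active content (document-open actions, JavaScript, launch actions, embedded files) and also undoes `#xx` name escapes, a common trick for hiding `/JavaScript` from naive scanners. Both sample PDFs are constructed inline; the "lure" one carries only a harmless `app.alert`.

```python
import re
from collections import Counter

# PDF names whose presence usually means "active content". Any of these in an
# unexpected attachment merits a closer look in a sandbox, not a double-click.
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/URI", "/SubmitForm", "/RichMedia")

# PDF allows any byte in a name to be written as #xx, so /J#61vaScript is the
# same name as /JavaScript. Normalize before matching.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so trivially obfuscated names are matched."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf_bytes(data: bytes) -> dict:
    """Return counts of risky names found in a PDF, plus a hint about whether
    compressed object streams could be hiding further dictionaries."""
    text = normalize_names(data)
    counts = Counter()
    for name in RISKY_NAMES:
        # A name ends at whitespace or a delimiter; the lookahead stops /JS
        # from also matching /JSomethingElse and /AA from matching /AAPL.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        hits = len(re.findall(pattern, text))
        if hits:
            counts[name] = hits
    # Object streams (/ObjStm) hold whole dictionaries inside a compressed
    # stream, where a plain keyword scan cannot see them. Treat that as
    # "scan incomplete", not as "clean".
    needs_decompression = b"/ObjStm" in text
    return {
        "hits": dict(counts),
        "needs_decompression": needs_decompression,
        "suspicious": bool(counts),
    }


# Constructed sample: a minimal one-page PDF with no active content.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same document with an /OpenAction that runs script
# as soon as the file is opened, with the action type name escaped as
# /J#61vaScript to dodge a naive grep for /JavaScript.
LURE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("lure", LURE_PDF)):
        print(label, scan_pdf_bytes(doc))
```

The scanner is a first-pass filter only: a PDF that compresses its catalog into an object stream, or that carries its script inside an XFA form stream, will show no hits here, which is why the result reports `needs_decompression` separately from `suspicious`. Anything flagged, and anything arriving with an emotional hook like a child's safety, belongs in a sandboxed viewer before it is opened on a user's machine.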

CCSD reported the breach to parents and staff on October 16, 11 days after it first detected an intrusion in its email environment. CCSD claimed the cyber criminal(s) behind the intrusion “accessed limited personal information related to a subset of students, parents, and employees,” and said it was in the process of notifying everyone affected. 

Technical details of CCSD’s email environment are not known, but the district locked down access to its Google Workspaces after reporting the intrusion, forcing password resets for all staff and students and restricting access to district Gmail and Google Drives from outside its own network. 

According to DataBreaches, extensive data from the district was published on a file sharing site this week, but has since been taken down. Along with personal email and demographic data on 25k district graduates, disciplinary records, health data, internal communications, district financial information and other data was all reportedly part of the leak, some of which DataBreaches was able to verify.

CCSD didn’t respond to questions from The Register, as it’s closed for a long weekend. 

Critical vulnerabilities of the week

Mozilla released patches for Firefox (desktop and iOS v.119 and ESR v.115.4) and Thunderbird this week to address a number of issues, including rendering queues allowing websites to clickjack users and a cross-site scripting vulnerability in reader mode for Firefox on iOS. 

Google also patched a pair of security issues in Chrome, including one rated as “high” without an accompanying CVSS number. CVE-2023-5472 affects Chrome versions prior to 118.0.5993.117 and allows a remote attacker to exploit heap corruption via a crafted HTML page thanks to a use after free vulnerability in Chrome profiles. 

Elsewhere:

  • CVSS 9.8 – Multiple CVEs: Cisco Catalyst SD-WAN Manager contains multiple independent vulnerabilities of varying severity that could allow an attacker to cause denial of service.
  • CVSS 9.8 – Multiple CVEs: Multiple models of Sielco PolyEco 1000, 500 and 300 FM transmitters are vulnerable to a series of issues allowing an attacker to escalate privileges and hijack sessions.
  • CVSS 9.8 – Multiple CVEs: Like the above, session hijacking vulnerabilities were also found in a series of analog FM transmitters and radio link equipment from Sielco. 
  • CVSS 8.2 – Multiple CVEs: Several components of BD’s Alaris infusion pump software are affected by a series of vulnerabilities that could allow an attacker to modify firmware, hijack sessions, steal data, and the like.
  • CVSS 8.1 – CVE-2023-46290: Rockwell Automation’s FactoryTalk Services Platform v.2.74 contains an improper authentication issue caused by “inadequate code logic” that could allow an attacker to gain access to vulnerable systems. 

CISA asks Congress not to cut its budget

The US Cybersecurity and Infrastructure Security Agency is in a good place right now, its executive assistant director for cybersecurity Eric Goldstein told Congress this week, before warning a proposed 25 percent cut to its budget would be “catastrophic.” 

“Right now, we are at the point where we have reasonable confidence and our visibility into risks facing federal agencies,” Goldstein said. “We would not be able to sustain that visibility with that significant of a budget cut, and our adversaries would unequivocally exploit those gaps.”

The 25 percent gutting was submitted as an amendment [PDF] to the Department of Homeland Security budget proposal for 2024, and was ultimately rejected late last month – though the move could be attempted again.

CISA has become a bugbear for right-wing Republicans who’ve accused it of suppressing free speech due to its role in combating election misinformation – which allegedly involved it acting as a “switchboard” for moderation requests to social media platforms. CISA has since been barred from coordinating with social media sites by a court decision, which it has appealed.

Six princes – er, cyber criminals, arrested in Nigeria

The Nigerian Police Force (NPF) has dismantled a “sophisticated cyber crime syndicate” operating a recruiting and mentoring hub out of the nation’s capital of Abuja, complete with six arrests and just as many confessions. 

The accused confessed to varying degrees of involvement in identity theft, hacking and trading of compromised Facebook accounts, romance scams, computer-related forgery and other computer-related fraud punishable under Nigerian cyber crime laws, Nigerian police said in a press release published on X this week. 

Further intelligence reports indicate the group has “deep involvement” in higher-profile cyber crimes like business email compromise and high-yield investment fraud. The investigation is ongoing, NPF said, and the six arrested suspects won’t be charged until the investigation is complete. 

“Efforts to apprehend the fleeing members of this criminal network are underway,” according to NPF, suggesting the gang is bigger than its six imprisoned members – though it wouldn’t say how many people it’s still looking for. ®