Cyber Weekly Digest - 2023 Week #1
In our first Cyber Weekly Digest of the year, we take a look at the biggest cyber security stories from the first week of 2023, including a ransomware attack on a children's healthcare provider and how owners of some of the most popular car manufacturers could be at risk. Keep reading to stay up to date on the latest cyber security news.
1. LockBit gang apologizes and gives SickKids hospital free decryptor after ransomware attack.
The LockBit ransomware gang has released a free ransomware decryptor for the Hospital for Sick Children (SickKids), claiming one of its affiliates violated the gang's rules by attacking the healthcare organisation. SickKids is a teaching and research hospital in Toronto that focuses on providing healthcare to sick children. Last month, SickKids suffered a ransomware attack that impacted internal and corporate systems, hospital phone lines, and its website. Only a few of the hospital’s internal systems were encrypted; however, this still caused delays in receiving lab and imaging results and resulted in longer patient wait times. Since then, SickKids has announced that it had restored 50% of its priority systems, including those causing diagnostic or treatment delays. The LockBit ransomware gang “formally” apologised, handed over the decryptor for free, and confirmed that one of its affiliates was responsible for the attack. However, LockBit ransomware has been reported many times before in attacks targeting healthcare organisations, contradicting the “Terms of Service” of LockBit’s Ransomware-as-a-Service programme.
2. Over 60,000 Microsoft Exchange servers vulnerable to ProxyNotShell attacks.
There are reportedly over 60,000 Microsoft Exchange servers exposed online that have yet to be patched against CVE-2022-41082, a remote code execution (RCE) vulnerability and one of the two security flaws targeted by ProxyNotShell exploits. According to a recent tweet from security researchers, almost 70,000 Microsoft Exchange servers were found to be vulnerable to ProxyNotShell attacks, based on the server version information exposed in the x_owa_version header. Fortunately, the number of vulnerable Exchange servers has dropped from ~85,000 to ~61,000 since mid-December. The two security bugs, tracked as CVE-2022-41082 and CVE-2022-41040, are collectively known as ProxyNotShell and affect Exchange Server 2013, 2016, and 2019. Separately, FIN7, a financially motivated cybercrime gang, has developed a custom auto-attack platform known as Checkmarks, designed to breach Exchange servers. The platform has already been used to infiltrate 8,147 companies, primarily located in the US, after scanning over 1.8 million targets.
3. Toyota, Mercedes, BMW API flaws exposed owners’ personal info.
API security vulnerabilities in almost twenty car manufacturers and services could have allowed attackers to perform malicious activity, ranging from unlocking, starting, and tracking cars to exposing customers’ personal information. The security flaws impacted well-known brands, including BMW, Rolls Royce, Mercedes-Benz, Ferrari, Porsche, Jaguar, Land Rover, Ford, KIA, and Toyota. The vulnerabilities also affected vehicle technology brands Spireon and Reviver and the streaming service SiriusXM. The discovery of these API flaws comes from a team of researchers who previously disclosed a multitude of car manufacturer vulnerabilities in November 2022. All impacted vendors have since fixed the issues described in the report, so they are no longer exploitable. The most severe API flaws could give adversaries access to user accounts, let them lock and unlock cars, track cars via GPS, and even report cars as stolen, which automatically notifies the authorities. It is extremely important to set up 2FA and limit the amount of personal data you add to your car manufacturer’s account, so that adversaries cannot steal your information.
4. Rackspace confirms Play ransomware was behind recent cyberattack, taking down services.
Cloud computing provider Rackspace, based in Texas, has confirmed that the Play ransomware operation was behind a recent cyberattack that took down the company’s hosted Microsoft Exchange environments. This follows a report last month which detailed a new exploit used by the ransomware group to compromise Microsoft Exchange servers and gain access to victims’ networks. The exploit, dubbed OWASSRF, allowed the attackers to bypass the ProxyNotShell URL rewrite mitigations provided by Microsoft, likely by targeting a critical flaw (CVE-2022-41080) that allows remote privilege escalation on Exchange servers. Since the report, Rackspace officials have revealed in local media interviews that the OWASSRF exploit was found on its network and that Play ransomware was behind last month’s attack. Unlike most ransomware operations, Play gang affiliates use email as a negotiation channel and do not provide victims with a link to a Tor negotiation page in the ransom notes dropped on encrypted systems. However, they do steal data from victims’ networks before deploying ransomware payloads and threaten to leak it online if the ransom is not paid.
5. Slack’s private GitHub code repositories stolen over holidays.
Over the Christmas holidays, Slack suffered a security incident affecting some of its private GitHub code repositories. The hugely popular messaging app is used by an estimated 18 million users at workplaces and digital communities around the world. Slack published a security incident notice on New Year’s Eve. The incident involved threat actors gaining access to Slack’s externally hosted GitHub repositories via a “limited” number of stolen Slack employee tokens. While some of Slack’s private code repositories were breached, Slack’s primary codebase and customer data remain unaffected. Slack has since invalidated the stolen employee tokens and says it is investigating the “potential impact” to customers. Strangely, the security notice Slack published has some unusual attributes. It does not appear on the “international news” blog alongside other articles (at the time of writing). It also carries an HTML directive used to exclude a webpage from search engine results, making the page harder to discover. For now, though, there is no action that customers need to take.
©2025 Cyber Vigilance