Security News

submitted 2 years ago by IllNess to c/securitynews

I guess we just can't have nice things.

The dumb part was relying on ads. There are privacy-focused crypto tokens out there.


Pohl only found that out by accident, while working with a client's network. "When I got into the device in question, I thought: 'Hey, there's a username and password in here,'" he recalls.

At least the credentials weren't stored in clear text. But Pohl decompiled the Java class he guessed might have been responsible for the decryption, easily discovering an AES static key stored in the source code.

After a little bit of reverse engineering using CyberChef, "all of a sudden, out popped a clear text password. And I took that username and password that I got from the Dell Compellent software, went to the vCenter login, and I literally logged in and took over their entire environment."

It wasn't merely that Pohl possessed the same vCenter admin access as the Dell software, with the ability to observe, steal, or manipulate all of the data contained within. As he emphasized in a press release: "This key is the same for EVERY customer! If a criminal leverages this vulnerability, they could use it against any of Dell's customers."


If you’d been quietly chasing down cryptographic bugs in a proprietary police radio system since 2021, but you’d had to wait until the second half of 2023 to go public with your research, how would you deal with the reveal?

You’d probably do what researchers at boutique Dutch cybersecurity consultancy Midnight Blue did: line up a world tour of conference appearances in the US, Germany and Denmark (Black Hat, Usenix, DEF CON, CCC and ISC), and turn your findings into a BWAIN.

The word BWAIN, if you haven’t seen it before, is our very own jocular acronym that’s short for Bug With An Impressive Name, typically with its own logo, PR-friendly website and custom domain name.

(One notorious BWAIN, named after a legendary musical instrument, Orpheus's Lyre, even had a theme tune, albeit played on a ukulele.)

Introducing TETRA:BURST

This research is dubbed TETRA:BURST, with the letter "A" stylised to look like a shattered radio transmission mast. […]


Posted just in case you are paywalled.

Summary

At a glance.

  • Victims sue US healthcare network for breach of patient data.
  • Multiple banks impacted in MOVEit data breaches.
  • A closer look at Cl0p.

A closer look at Cl0p.

The Cl0p ransomware group has been making recent headlines for its role in the mass-hack of a recently discovered vulnerability in the widely-used MOVEit file transfer application. As victims continue to disclose data breaches tied to the bug and Cl0p adds names to its hack list, ZeroFox offers a detailed analysis of the threat group’s activities. Analysts found that Cl0p typically engages in very low levels of activity for a period of several months, then carries out a series of high tempo attacks for several weeks.

As with the MOVEit hacks, Cl0p’s attacks often coincide with the discovery of critical vulnerabilities, allowing the cybercriminals to target multiple high-profile victims simultaneously. Rather than encrypting the infiltrated software, the group’s typical modus operandi is to exfiltrate data and then issue ransom demands. The researchers could find no pattern in the timing of Cl0p’s attacks, likely because they correlate with the unpredictable detection of zero-day vulnerabilities. That said, in the case of the MOVEit attacks, reports suggest group members identified the bug as early as March 2023 and delayed exploitation until the US’s celebration of Memorial Day, when security teams would likely be less vigilant.

Multiple banks impacted in MOVEit data breaches.

Speaking of the MOVEit attacks, several additional victims have surfaced in recent days. CPO Magazine reports that German multinational investment bank Deutsche Bank shared customer data with a third-party vendor impacted in the MOVEit hacks. A Deutsche Bank spokesperson stated, “We have been notified of a security incident at one of our external service providers, which operates our account switching service in Germany.” Although the bank has chosen not to disclose the identity of the vendor, sources say it’s Majorel Germany, which provides account switching services for several German banks and has confirmed it suffered a MOVEit attack. A Majorel spokesperson explained, “The attack took place before the software’s vulnerability became public and only affected a single system running MOVEit software in Germany.” The compromised Deutsche Bank data include customer names and International Banking Account Numbers for individual German customers, and although the stolen info could not give the attackers access to the customers’ accounts, it could be used to carry out unauthorized direct debits. German banks ING Bank, Postbank, and Comdirect have also disclosed they experienced customer data leaks linked to the MOVEit hack.

Stateside, JDSupra reports that PlainsCapital Bank has also confirmed that one of its vendors was impacted by the MOVEit vulnerability. The Texas-based financial services institution posted a notice on its website explaining that an unauthorized party gained access to sensitive customer data including Social Security numbers and bank account numbers. The unidentified third-party vendor, who uses MOVEit for file transfer activities, disclosed the breach to PlainsCapital on June 27th, and the bank began notifying all compromised individuals on July 14.

Victims sue US healthcare network for breach of patient data.

HCA Healthcare, a medical facilities operator based in the US state of Tennessee, has been hit with at least five lawsuits connected to a massive data breach disclosed earlier this month. HCA explained that the attacker exfiltrated data from an external storage location, and then posted the stolen info online. Becker's Hospital Review reports that the incident impacted up to 11 million patients across nineteen states, and complaints have been filed by victims in Tennessee, California, Florida and Texas. Attorney Tricia Herzfeld, who is representing a patient from Nashville, Tennessee, says the purpose of her complaint is to "be able to take on a big corporation like HCA and say, 'No, we're not going to take this, and you do have obligations to safeguard our information, and we're going to band together, all 11 million of us in this class, to make sure you know that.'" After learning of the lawsuits, HCA stated, "Our commitment to our patients is unwavering and is not affected by any class-action lawsuits or other legal proceedings. We will respond to any lawsuits or proceedings, in the appropriate forums and ordinary course."

Selected Reading

HCA now faces at least 5 lawsuits in huge data breach (Becker's Hospital Review) At least five patients in four states are taking legal action against HCA Healthcare after a massive data breach.

MOVEit Data Breach Leaks Deutsche Bank, ING, Postbank, and Comdirect’s Customer Data (CPO Magazine) Deutsche Bank AG has confirmed leaking customer data via a third-party service provider impacted by a MOVEit data breach.

PlainsCapital Bank Announces Data Breach Involving Vendor’s Use of MOVEit (JD Supra) On July 14, 2023, PlainsCapital Bank filed a “Notice of Data Event” with the Attorney General of Montana after discovering that one of the bank’s vendors experienced a data breach related to the vendor’s use of the file-transfer program MOVEit.

FIA World Endurance Championship driver passports leaked (Security Affairs) Le Mans Endurance Management, operating the FIA World Endurance Championship’s website, exposed the data of hundreds of drivers by leaking their IDs and drivers’ licenses, the Cybernews research team has discovered. On June 16th, our researchers came across two misconfigured, meaning publicly exposed, Google Cloud Storage buckets. Both combined, they contained over 1.1 million files. […]

BlackCat and Clop gangs both claim cyber attack on Estée Lauder (ComputerWeekly.com) Cosmetics conglomerate Estée Lauder is experiencing operational disruption in the wake of a cyber attack that seems to involve two different cyber crime gangs.

BlackCat, Clop claim ransomware attack on cosmetics maker Estee Lauder (Record) U.S. cosmetics manufacturer Estee Lauder has suffered a cyberattack, the company confirmed on Tuesday.

Estee Lauder Hit by Cyber Attack, With Some Business Operations Disrupted (Insurance Journal) Cosmetics maker Estee Lauder on Tuesday said a hacker had obtained some data from its systems, with the cyber incident causing, and expected to further


I created some plots from the data I collected for my research on correlating CVEs to Clean Code requirements.

Disclaimer: My n=19 is really low. The data is very probably not significant. It's part of a seminar; it just doesn't have the scope for a bigger data collection. I hope to do that for my master's thesis.

The first plot isn't really that surprising and just "confirms" the intuition that more contributors catch more bugs.

The second is quite interesting. I may have a bias in there and just picked a lot of inactive projects for the projects without requirements (although projects like npm are in there), but it's still quite surprising for me that there is that big of a difference.

submitted 2 years ago by N7x to c/securitynews

RIP


There are Rapid Security Responses for the latest versions of macOS Ventura 13.4.1, iOS 16.5.1 and iPadOS 16.5.1.

For the older supported versions macOS Big Sur and macOS Monterey, there’s an old-style system update that just patches Safari, which will show up as Safari 16.5.2 after the update.

So far, however [2023-07-10T23:00:00Z], there are no updates for any other Apple platforms, even though it's possible that iOS 15, still officially supported on older iPhones and iPads, is affected too, along with Apple Watches and TVs.
