SANS NewsBites

Toyota Allowed a Decade of Cloud Configuration Vulnerabilities to Go Unnoticed; Attackers Breach Records of 5.8 Million PharMerica Customers; Assess Use of Discord on Employee PCs

May 16, 2023  |  Volume XXV - Issue #39

Top of the News


2023-05-12

Toyota Discloses Decade-long Data Leak

Toyota Motor Corporation has disclosed that a misconfigured cloud environment exposed customer vehicle location data for nearly a decade. The misconfiguration allowed access to the database without a password. The incident affects both Toyota and Lexus owners who enrolled in Toyota’s cloud service platform.

Editor's Note

A ten-year Time to Detect really skews your metrics in the wrong direction. The data exposed is not very useful for cyberattacks but does point out two weak points that are often not addressed: (1) supply chain security and (2) misconfiguration of cloud services.

John Pescatore

Very few details on this one that we have seen discussed. This could range from an S3 Bucket (or an alternative cloud version of S3) to a Virtual Machine (or Instance) exposed to the Internet with no firewall rules. It’s hard to tell. What is relevant is the statement that they lacked the visibility and detection to notice the gap. They also may not have been penetration testing their cloud environment, so these items may never have been noticed. Very few details, but they are still very relevant as we see more and more of these types of disclosures by the day. The good news is that tools can help detect and find these in your cloud environments. Hopefully, you have this level of telemetry. If you don’t, look into it. If you do, who is looking at those screens?

Moses Frost

This impacted both Toyota and Lexus customers. The lack of a password on the database hints at taking a shortcut to make things work. At some point after the data were moved to the cloud in 2012, the database was marked public rather than private. While painful, it's important to review access control settings on a periodic basis to avoid surprises, as well as going back to revisit workarounds to ensure they didn't add undue risk.

Lee Neely

Misconfiguration is the number one vulnerability of cloud tenants. The Center for Internet Security produces several hardened images that are available in the cloud service provider’s marketplace. These secure images are built from many CIS benchmarks. This data leak was entirely preventable.

Curtis Dukes

2023-05-15

PharMerica Discloses Data Breach

A cyberattack that occurred in March 2023 compromised personal information belonging to 5.8 million PharMerica patients. A forensic investigation revealed that intruders exfiltrated data, including names, Social Security numbers, health insurance and prescription information. PharMerica provides long-term care pharmacy services.


2023-05-15

Discord User Data Compromised in Third-Party Breach

A cybersecurity incident at a third-party support provider has compromised personal information belonging to users of the Discord VoIP and instant messaging platform. The compromised data include email addresses, content of customer service messages, and attachments.

The Rest of the Week's News


2023-05-15

US Department of Transportation Data Breach

The US Department of Transportation (DoT) suffered a security breach that exposed personal information belonging to 237,000 current and former employees. The breach affected a system that processes reimbursements for employee commuting costs. DoT informed Congress of the breach on Friday, May 12.

Editor's Note

Given the GAO story below, this is not unexpected, albeit disappointing. The affected system, TRANServe, reimburses staff across the federal government for certain transportation costs, and the breached data includes email, work phone and address, home address as well as SmartTrip and/or TRANServe card numbers. DoT has frozen access to the TRANServe system, and is working to remediate deficiencies. Unless DoT addresses the issues in their cybersecurity programs there is no guarantee there won't be additional incidents discovered. If you're a TRANServe user, make sure that you've got credit monitoring.

Lee Neely

It would be helpful for DoT to share details of the breach, such as security tools employed, as well as patch and configuration status. These security details can help organizations create more effective security best practice guidance.

Curtis Dukes

2023-05-15

GAO Report: Department of Transportation Defined Roles and Responsibilities, but Additional Oversight Needed

On Monday, May 15, the US Government Accountability Office (GAO) published a report that “examines the extent to which DoT has defined cybersecurity roles and responsibilities for department and component agency senior officials and managers; provides cybersecurity support to components, and provides oversight of component cybersecurity activities and managers.” The GAO found that the Department of Transportation (DoT) needs to improve the way it implements cybersecurity policies, to include cybersecurity expectations in senior managers’ performance plans, and to involve DoT’s CIO in evaluating component CIO performance.


2023-05-12

Staten Island Hospital Suffers Ransomware Attack

A hospital in Staten Island, New York, is operating on network downtime procedures following a ransomware attack. Richmond University Medical Center (RUMC) is still offering patient services and emergency care.


2023-05-15

Philadelphia Inquirer Cyberattack Disrupts Printing Operations

A cyberattack affecting systems at the Philadelphia Inquirer prevented the newspaper from printing its Sunday, May 14 edition. On Saturday, May 13, Inquirer staff discovered that the paper’s content management system was not working and that there was unusual activity on several of the paper’s computer systems. Print operations have since been restored, but employees are not able to use offices until Wednesday at the soonest.


2023-05-15

CISA Adds Seven Vulnerabilities to KEV Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on Friday, May 12. The vulnerabilities include a remote code execution flaw in Apache Tomcat; an information disclosure vulnerability in the Jenkins user interface; an unspecified vulnerability in Oracle Java SE and JRockit; an unspecified vulnerability in multiple Ruckus Wireless products that could lead to remote code execution or cross-site request forgery attacks; an incorrect authorization vulnerability in Red Hat Polkit; and two vulnerabilities in the Linux kernel: a race condition vulnerability and an improper input validation issue. US Federal Civilian Executive Branch (FCEB) agencies have until June 2, 2023 to remediate the vulnerabilities.


2023-05-12

CISA and FBI: Patch PaperCut Vulnerability Now

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have published a joint advisory warning that threat actors are exploiting a vulnerability in PaperCut NG and MF to target organizations within the education sector. A patch for the flaw was released in March 2023. The advisory urges organizations to apply the fixes.


2023-05-12

Rockwell Automation Product Vulnerabilities

Rockwell Automation has published six advisories describing vulnerabilities in several products, including certain Kinetix 5000 industrial control routers, PanelView 800 graphics terminals, Arena event simulation and automation software, and its ThinManager software management platform. Fixes are available for the vulnerabilities.


2023-05-11

Spain’s National Police Arrest 40 Linked to Phishing Campaign

La Policía Nacional (the National Police of Spain) have arrested 40 people in connection with a cybercrime campaign involving phishing, identity theft, bank fraud, and money laundering. The operation is believed to have netted more than €700,000 ($764,000) from its victims.

Internet Storm Center Tech Corner

The .zip gTLD: Risks and Opportunities

https://isc.sans.edu/forums/diary/The+zip+gTLD+Risks+and+Opportunities/29838/

Ongoing Facebook Phishing Campaign Without a Sender and (Almost) Without Links

https://isc.sans.edu/diary/Ongoing+Facebook+phishing+campaign+without+a+sender+and+almost+without+links/29848

Intel Microcode Updates Do Not Patch Vulnerability

https://www.theregister.com/2023/05/15/intel_mystery_microcode/

Intel Mystery Microcode Patch

https://www.phoronix.com/news/Intel-12-May-2023-Microcode

Fake Trezor Hardware Crypto Wallet

https://www.kaspersky.com/blog/fake-trezor-hardware-crypto-wallet/48155/

Brave Forgetful Browsing

https://brave.com/privacy-updates/25-forgetful-browsing/

TP-Link Archer AX-21 Command Injection CVE-2023-1389 Exploited

https://www.fortiguard.com/threat-signal-report/5157/tp-link-archer-ax-21-command-injection-vulnerability-cve-2023-1389-exploited-in-the-wild

Netgear Updates

https://kb.netgear.com/000065619/Security-Advisory-for-Multiple-Vulnerabilities-on-the-RAX30-PSV-2022-0348

https://claroty.com/team82/research/chaining-five-vulnerabilities-to-exploit-netgear-nighthawk-rax30-routers-at-pwn2own-toronto-2022

Synology Updates

https://www.synology.com/en-global/security/advisory/Synology_SA_23_04