Russian military satellite comms provider offline after hack
ALSO: Ransomware hit on Mancunian Uni spills NHS patient deets, USPTO leaks inventor info, and this week's crit vulns
Infosec in brief A Russian satellite communication provider has been knocked offline by hackers, and more than one party – including hackers who say they're associated with mutinous mercenary outfit Wagner Group – has claimed responsibility.
Multiple news sources have reported that Dozor-Teleport – which counts among its customers Russian energy companies and the country's military – was knocked offline on early Thursday morning, Moscow time. It appeared to still be down as of late Friday night in the Russian capital.
Amtel Svyaz, Dozor's parent company and itself a satellite service provider, also experienced outages not long before Dozor was hit.
According to Russian technology news website ComNews (machine translated), Dozor general director Alexander Anosov has acknowledged the breach and said the provider believes it was compromised via one of its cloud providers.
"Restoration work is underway now, most of it was restored yesterday, the rest is being restored as equipment becomes available," Anosov said.
Whether the hack was caused by Wagner mutineers or members of an unnamed hacktivist group is unclear. Regardless of the actor behind it, hackers claim they sent malicious software to Dozor satellite terminals to knock them offline – which makes sense given the "up to two weeks" that ComNews said experts predict it will take to restore service.
The situation is clearly reminiscent of the Viasat satellite broadband outage that occurred on February 24 last year – the day Russia illegally invaded Ukraine. Viasat terminals were knocked offline across Europe, including inside Ukraine, by attackers who managed to break into a poorly-configured VPN that they used to pivot into a trusted management segment of Viasat's network.
From there, the Viasat hackers sent a signal to Viasat subscribers' modems to overwrite their flash memory. That resulted in a situation similar to the one unfolding inside Russia today.
Regardless of whether Wagner is behind the virtual hit, it makes for an interesting next step in Putin's power struggle. Either unknown hackers are using Wagner's name to sow discord within Russia's borders by taking its military satellite comms offline, or Wagner isn't done getting revenge.
Critical vulnerabilities: Quiet week edition
There may have been plenty of vulnerabilities disclosed this week – anyone who gets CISA's email blasts will tell you that – but surprisingly few were critical, fortunately.
Only one newly reported, actively exploited vulnerability was critical – though with a CVSS score of 9.8 it's very critical indeed.
The vulnerability, reported as CVE-2023-25717, affects the Ruckus Wireless admin portal through version 10.4 and allows remote code execution via an unauthenticated HTTP GET request. Patches are available, so Ruckus users ought to stop reading and get installing. Now. Go.
As for newly discovered vulnerabilities, there are a few of those, too:
- CVSS 9.8 – CVE-2023-31222: Medtronic's Paceart Optima software used to manage cardiac device data contains a deserialization vulnerability that can be exploited via its messaging service.
- CVSS 9.1 – Multiple CVEs: Mitsubishi Electric's FA engineering software used in several products contains vulnerabilities that could be used by attackers to gain access to CPU modules and OPC UA server modules, execute programs and view files.
- CVSS 8.6 – Multiple CVEs: Multiple models of Rockwell Automation's CompactLogix 5370 are vulnerable to uncontrolled resource consumption and stack-based buffer overflow exploits that could render them unusable.
- CVSS 8.6 – CVE-2023-32274: Solar power provider Enphase's installer toolkit for Android – version 3.27.0, at least – contains hard-coded credentials that can be abused by an attacker.
Ransomware operators find oasis of NHS data in Manchester Uni systems
A ransomware attack on University of Manchester systems has exposed the details of more than one million NHS patients, the University admitted this week.
"We confirmed on 23 June that our systems have been accessed and student and alumni data has been copied," a University spokesperson told The Register. "Our in-house data experts and external support are working around-the-clock to resolve this incident and respond to its impacts."
Compromised in the attack was a database of NHS data gathered by the University for research purposes. According to officials, data in the stolen set includes NHS numbers, the first three digits of patient postcodes, and records of major trauma and terror attack treatments from across the country. While the database contains records for 1.1 million patients, it's not clear if all those records were compromised, and UoM said it's not sure if names were stolen as well.
As a result of the breach, UoM closed the dataset and has warned NHS leaders that some of the data could be made public. NHS patients are advised to keep an eye out, as they may not even realize their names were in the database – records in the list go back to 2012, and patient consent wasn't sought for inclusion.
The NHS has declined to comment.
Three years' worth of US patent applicant info exposed online
The US Patent and Trademark Office (USPTO) has admitted publicly this week to a years-long data exposure that may have allowed bad actors to harvest home addresses belonging to American inventors.
Individuals who file patent applications in the United States are required to include their home address as a way to combat fraud, but a poorly configured API had apparently been exposing supposedly private domicile data to anyone who knew where to look in the Office's Trademark Status and Document Review system. To make matters worse, the API has been misconfigured since early 2020.
The USPTO said it discovered the issue in February of this year, and closed the hole in late March. Some 61,000 applicants may have had their data exposed, but the USPTO said it has no reason to believe anyone has misused the data – yet.
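The USPTO exposure is a textbook case of an API serving a whole record to whoever asks for it, private fields included. The following is an added, hypothetical example (not USPTO code, and not a description of the actual Trademark Status and Document Review system) showing the weak pattern beside a hardened handler that applies field-level authorisation, plus a small audit routine of the kind a defender would run to confirm that anonymous callers never receive a private field. All record data, role names and field names are constructed for the example.

```python
"""Field-level authorisation for an API that serves applicant records.

Added example, not from any real system: a record carries public fields and
a private home address. The weak handler serialises everything for any
caller; the hardened handler returns the address only to the record owner
or to staff, and drops it otherwise. find_leaks() audits a handler by
querying every record as an anonymous caller.
"""
from dataclasses import dataclass, asdict
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Applicant:
    applicant_id: str
    name: str            # public
    home_address: str    # private: must only reach the owner or staff


@dataclass(frozen=True)
class Caller:
    subject: Optional[str]   # authenticated subject id, or None if anonymous
    roles: frozenset         # e.g. frozenset({"staff"}); constructed role name


PRIVATE_FIELDS = frozenset({"home_address"})

# Constructed sample data for the example.
RECORDS: Dict[str, Applicant] = {
    "A-1": Applicant("A-1", "Ada Example", "1 Example Street, Springfield"),
    "A-2": Applicant("A-2", "Bob Sample", "2 Sample Road, Shelbyville"),
}

ANONYMOUS = Caller(subject=None, roles=frozenset())


def get_record_weak(applicant_id: str, caller: Caller) -> Optional[dict]:
    """Weak pattern: the caller is ignored and the whole record is returned."""
    rec = RECORDS.get(applicant_id)
    return asdict(rec) if rec else None


def can_see_private(rec: Applicant, caller: Caller) -> bool:
    """Owner of the record, or anyone holding the staff role."""
    return caller.subject == rec.applicant_id or "staff" in caller.roles


def get_record_hardened(applicant_id: str, caller: Caller) -> Optional[dict]:
    """Hardened pattern: private fields are stripped unless authorised.

    The decision is made per field on the server side, so a client cannot
    request the private data by adding a parameter or guessing a URL.
    """
    rec = RECORDS.get(applicant_id)
    if rec is None:
        return None
    data = asdict(rec)
    if not can_see_private(rec, caller):
        for field in PRIVATE_FIELDS:
            data.pop(field, None)
    return data


def find_leaks(handler: Callable[[str, Caller], Optional[dict]]) -> List[str]:
    """Audit: query every record anonymously and report ids that leak a
    private field. An empty list means the handler passes."""
    leaking = []
    for applicant_id in sorted(RECORDS):
        response = handler(applicant_id, ANONYMOUS) or {}
        if PRIVATE_FIELDS & set(response):
            leaking.append(applicant_id)
    return leaking


if __name__ == "__main__":
    print("weak handler leaks:", find_leaks(get_record_weak))
    print("hardened handler leaks:", find_leaks(get_record_hardened))
```

The audit in find_leaks is the check worth keeping around: run it against the real handler in a test suite so a later change that reintroduces full-record serialisation fails before it ships, rather than three years later.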
Several law firms that work on intellectual property law said notices were quietly sent to affected parties in mid-June, warning that the stolen information could be used in phishing scams or attempts to infringe on trademarks. ®