Royal Mail cybersecurity still a bit of a mess, infosec bods claim
Also: Most Mainers are MOVEit victims, NY radiology firm fined for not updating kit, and some critical vulnerabilities
Infosec in brief After spending almost a year cleaning up after various security snafus, the UK's Royal Mail had an open redirect flaw on one of its sites, according to infosec types. We're told this vulnerability potentially exposes customers to malware infections and phishing attacks.
Open redirects essentially allow attackers to use a legitimate website or a web application – in this case, a Royal Mail website – to redirect users to a malicious website by manipulating the URL. It occurs when the application doesn't validate user input, so miscreants can manipulate it as they please.
Once they've tricked users into going to a fake website, criminals can steal credentials and financial account information via phishing, or fool visitors into downloading malware.
According to a Cybernews investigating team, one of the British postal service's websites had this type of security flaw, which potentially sets customers up for phishing attacks. The researchers did not say which site had the issue, since it appeared to be still actively exploitable until it went offline some time ago.
"We've repeatedly informed the company about the flaw, and the site in question has been down for months now, indicating that Royal Mail is working to mitigate the issue or has already done so," Cybernews's Jurgita Lapienytė explained. "The company has yet to respond to our requests for comments."
The Register hasn't heard back, either.
Critical vulnerabilities of the week
It's been a bit quiet this week – great for giving overworked security professionals a bit of a break. That said, there are a few new critically risky vulnerabilities to report, and one new known exploit to be wary of – even though it's not critical.
The issue, CVE-2023-29552, is in the Service Location Protocol, which is used by a wide variety of devices to find services on local area networks. A vulnerability in the protocol allows unauthenticated remote attackers to register arbitrary services, which can be used to spoof UDP traffic and conduct a denial-of-service attack.
- CVSS 10.0 – CVE-2023-4804: Johnson Controls' Quantum HD Unity, which allows monitoring of multiple controllers on one display, is exposing debug features to unauthorized users.
- CVSS 9.9 – https://www.veeam.com/kb4508: Data management software vendor Veeam's flagship Veeam ONE product has this nasty, revealed last Monday, which allows an unauthenticated user to gain information about the SQL server connection used to access the tool's configuration database. Remote code execution on the SQL server hosting the Veeam ONE configuration database may follow. Veeam also warned of the 9.8-rated CVE-2023-38548, which means an unprivileged user who has access to the Veeam ONE Web Client the ability to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service. While you're fixing those, why not consider CVE-2023-38549 and CVE-2023-41723, flaws rated at 4.5 and 4.3 respectively. Both allow inappopriate access to various Veeam products.
- CVSS 8.1 – CVE-2023-47610: Several models of Telit Cinterion modules are writing copy to buffers without checking input size, opening the door for an attacker to execute code with specially crafted SMS messages.
Nearly everyone from Maine is a MOVEit victim, state admits
Attention, residents of the US state of Maine: There's a distinct possibility that your data was exposed when the state government's MOVEit instance was compromised earlier this year.
Maine's government has admitted that it, too, was a victim of mass exploitation of vulnerabilities in Progress Software's MOVEit file transfer application, which it said is used by several state agencies. According to Maine's investigation of its MOVEit breach, data belonging to approximately 1.3 million people was compromised.
According to the most recent US census data, Maine's population is around 1.39 million.
The data stolen varies from person to person based on their association with the state government, but includes name, social security number, birthdate, tax information, and medical information. More than half of the data stolen originated with the Maine Department of Health and Human Services, with another 10 to 30 percent stolen from the Maine Department of Education.
Maine's government is asking everyone to contact the state's call center dedicated to the MOVEit breach, which is linked above. Affected individuals are being offered free credit monitoring services.
New York radiology firm pays $450k for failing to protect patient data
A ransomware attack on a radiology group in New York state that affected 92,000 residents has resulted in a $450,000 fine because the company failed to upgrade its systems to prevent known attacks.
According to the New York Attorney General's office, US Radiology Specialists "failed to adopt reasonable data security practices to protect patients' personal information by failing to protect its firewall from a known vulnerability."
"When patients visit a medical facility, they deserve confidence in knowing that their personal information will not be compromised when they are receiving care," said NY AG Letitia James.
The incident that spurred the payout occurred in late 2021, and affected a number of healthcare firms that US Radiology contracted with. The AG's office said that attackers made off with names, birthdates, social security numbers, drivers license information, diagnoses and other personal information. A total of 198,260 had data stolen, including the 92,000 New Yorkers.
"In the face of increasing cyber attacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems," James warned. ®