Welcome to Security Sunday – Week 40, our weekly IT security summary (2 October – 8 October 2023).
We’re collecting notable incident and vulnerability reports from the past week.
MGM Resorts claims ransomware attack cost it $110 million
MGM Resorts recently faced a devastating ransomware attack, which we informed you about in a previous Security Sunday episode. The company said the costs caused by the crippling of operations primarily at their Las Vegas facilities exceeded $110 million, including $10 million in one-time consulting fees, technology consulting services, legal fees and other third-party consultant expenses.
The company confirmed breaches at some of its operations but said the breaches did not result in the theft of bank account numbers or customer payment card details.
However, MGM Resorts said the hackers stole personal information (including name, contact details (phone number, email address and postal address), gender, date of birth and driver’s license number). “For a limited number of customers, criminals also obtained social security and passport numbers,” the company added.
“The types of information affected varied from person to person. At this time, we do not believe that criminals have obtained customer passwords, bank account numbers or payment card information. In addition, the company does not believe that criminals gained access to The Cosmopolitan of Las Vegas’ systems or data,” MGM Resorts added.
Active exploitation of a critical Zero-Day bug in Atlassian Confluence
This week a zero-day vulnerability was discovered in the popular Atlassian Confluence software tool. The vulnerability, identified as CVE-2023-22515, is a critical access control flaw affecting Confluence Data Center and Server versions.
Atlassian said the vulnerability was exploited to create unauthorized administrator accounts in Confluence and then access Confluence instances. The affected versions are 8.0.0 to 8.5.1 and Atlassian has recommended upgrading to one of the patched versions which are 8.3.3, 8.4.3, 8.5.2 (Long Term Support release) or later.
A recommendation has also been published for customers who cannot upgrade their instances immediately to limit external network access until the upgrade is possible.
Updating to a patched version addresses the vulnerability but does not undo a compromise that has already happened, so administrators should also check for the following indicators of compromise:
- Unexpected confluence-administrator group members
- Unexpected newly created user accounts
- Accesses to /setup/*.action
- The presence of /setup/setupadministrator.action in the exception message in the atlassian-confluence-security.log file in the Confluence home directory
At the time of writing Security Sunday, no CVSSv3 score had been assigned to the vulnerability. Atlassian assigned it an internal score of 10.0 CRITICAL.
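The four indicators above are easy to check by hand on one instance but tedious across a fleet, so here is an added example (not Atlassian's own tooling) that automates them: it scans access-log lines for requests to /setup/*.action, greps the security log for the setup-administrator action, diffs the confluence-administrator group against an approved baseline, and lists accounts created inside a suspected exploitation window. The log line formats, user names and dates below are constructed for the demo; adapt the regexes to your real log layout.

```python
"""Hunt for the CVE-2023-22515 indicators of compromise listed above.

Added example, not Atlassian's own tooling. The access-log and
atlassian-confluence-security.log line formats below are constructed.
"""
import re
from datetime import datetime

SETUP_ACTION_RE = re.compile(r"^/setup/[^?\s]*\.action$")
SETUP_ADMIN_PATH = "/setup/setupadministrator.action"
# Constructed combined-log-style line: ip ident user [ts] "METHOD path proto" status bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)

# Constructed sample data.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [03/Oct/2023:10:12:01 +0000] "GET /login.action HTTP/1.1" 200 5120',
    '203.0.113.7 - - [03/Oct/2023:10:15:50 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0',
    '10.0.0.9 - - [03/Oct/2023:10:16:02 +0000] "GET /dashboard.action HTTP/1.1" 200 7800',
    "garbage line that does not parse",
]
SAMPLE_SECURITY_LOG = [
    "2023-10-03 10:15:50,112 WARN [http-nio-8090-exec-3] [confluence.security] "
    "Unauthorised attempt to access /setup/setupadministrator.action",
    "2023-10-03 10:20:00,000 INFO [http-nio-8090-exec-1] [confluence.security] login ok",
]
BASELINE_ADMINS = {"admin", "svc-confluence"}               # approved membership
CURRENT_ADMINS = {"admin", "svc-confluence", "support-tmp"}  # as read from the UI/API
ACCOUNTS = {  # username -> creation time, as exported from the user directory
    "admin": datetime(2021, 1, 4),
    "support-tmp": datetime(2023, 10, 3, 10, 16),
}
EXPLOIT_WINDOW_START = datetime(2023, 10, 1)  # constructed start of the suspect window


def setup_action_requests(lines):
    """Return (ip, path) for every request to /setup/*.action; unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if SETUP_ACTION_RE.match(path):
            hits.append((m["ip"], path))
    return hits


def security_log_hits(lines):
    """Lines of atlassian-confluence-security.log that mention the setup-administrator action."""
    return [line for line in lines if SETUP_ADMIN_PATH in line]


def unexpected_admins(current, baseline):
    """Members of confluence-administrator that are not in the approved baseline."""
    return set(current) - set(baseline)


def accounts_created_since(accounts, since):
    """Usernames created on or after `since`, sorted for stable reporting."""
    return sorted(user for user, created in accounts.items() if created >= since)


if __name__ == "__main__":
    print("setup actions:", setup_action_requests(SAMPLE_ACCESS_LOG))
    print("security log:", security_log_hits(SAMPLE_SECURITY_LOG))
    print("unexpected admins:", unexpected_admins(CURRENT_ADMINS, BASELINE_ADMINS))
    print("new accounts:", accounts_created_since(ACCOUNTS, EXPLOIT_WINDOW_START))
```

Any non-empty result from the first three checks deserves an incident ticket rather than a cleanup: an unexpected administrator means the upgrade alone is not enough and the instance should be treated as compromised.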
Exploit for CVE-2023-4911 vulnerability compromises many Linux systems
An exploit for the CVE-2023-4911 vulnerability was recently released. This vulnerability, referred to as ‘Looney Tunables’, has been identified in the GNU C library, specifically in the dynamic loader ld.so, and if successfully exploited allows local privilege escalation, which may allow attackers to gain root privileges.
The vulnerability is caused by a buffer overflow error that occurs when processing the GLIBC_TUNABLES environment variable during process initialization.
Administrators must act immediately because this security flaw, which allows full root access to systems running the latest versions of widely used Linux platforms, including Fedora, Ubuntu and Debian, poses a significant threat.
While administrators of Alpine Linux, a distribution that is not affected by this vulnerability, do not have to worry about patching their systems, administrators of other affected systems must prioritize patching to ensure the security of their systems.
“Our successful exploit, which led to full root privileges being obtained on major distributions such as Fedora, Ubuntu and Debian, highlights the severity and prevalence of this vulnerability,” Saeed Abbasi, product manager of Qualys’ threat research department, said Tuesday.
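Because the flaw is triggered through the GLIBC_TUNABLES environment variable, one practical hunt while patches roll out is to look for that variable in process environments at all, since production processes almost never set it. The following added example (not Qualys' or glibc's code) parses /proc/<pid>/environ blobs, flags any process carrying GLIBC_TUNABLES, and validates the value against the documented syntax of colon-separated name=value pairs. The environ blobs, PIDs and the 512-byte length threshold are constructed for the demo; the scan assumes a Linux /proc layout.

```python
"""Audit process environments for GLIBC_TUNABLES (CVE-2023-4911 hunting aid).

Added example, not glibc's or Qualys' code. Assumes a Linux /proc layout;
sample environ blobs below are constructed.
"""
import re
from pathlib import Path

# Documented GLIBC_TUNABLES syntax: colon-separated name=value pairs such as
# "glibc.malloc.tcache_count=0:glibc.rtld.nns=2". Anything else is flagged.
ENTRY_RE = re.compile(r"^glibc\.[A-Za-z0-9_.]+=[A-Za-z0-9_.\-]*$")
MAX_LEN = 512  # constructed threshold; legitimate settings are far shorter


def parse_environ(blob: bytes) -> dict:
    """Turn the NUL-separated /proc/<pid>/environ blob into a dict."""
    env = {}
    for item in blob.split(b"\x00"):
        if not item:
            continue
        key, sep, value = item.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def check_tunables(value: str) -> list:
    """Return findings for one GLIBC_TUNABLES value; an empty list means well-formed."""
    findings = []
    if len(value) > MAX_LEN:
        findings.append(f"value is {len(value)} bytes long")
    for entry in value.split(":"):
        if not ENTRY_RE.match(entry):
            findings.append(f"malformed entry: {entry[:40]!r}")
    return findings


def audit_process(pid, blob: bytes) -> list:
    """Findings for a single process; presence of the variable alone is reported."""
    env = parse_environ(blob)
    if "GLIBC_TUNABLES" not in env:
        return []
    findings = [f"pid {pid}: GLIBC_TUNABLES is set"]
    findings += [f"pid {pid}: {f}" for f in check_tunables(env["GLIBC_TUNABLES"])]
    return findings


def scan_proc(proc_root="/proc") -> list:
    """Walk /proc and audit every readable process environment."""
    findings = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            blob = (entry / "environ").read_bytes()
        except OSError:
            continue  # other users' processes are unreadable without root
        findings += audit_process(entry.name, blob)
    return findings


# Constructed sample blobs: a clean process, a legitimate tuning, and a malformed value.
SAMPLE_ENVIRONS = {
    101: b"PATH=/usr/bin\x00HOME=/home/alice\x00",
    202: b"GLIBC_TUNABLES=glibc.malloc.tcache_count=0\x00PATH=/usr/bin\x00",
    303: b"GLIBC_TUNABLES=glibc.malloc.tcache_count\x00PAD=" + b"A" * 600 + b"\x00",
}

if __name__ == "__main__":
    for pid, blob in SAMPLE_ENVIRONS.items():
        for finding in audit_process(pid, blob):
            print(finding)
    # On a real host, run as root for full coverage:
    # for finding in scan_proc(): print(finding)
```

Run it as root (or via a privileged agent) so that every process's environ is readable; a hit on a long-running service is worth correlating with the binary's setuid bit and the user who launched it.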
Sony reveals data leak that affected thousands of people
This week, Sony Interactive Entertainment (“Sony”) confirmed a serious data leak that affected thousands of people, mostly in the United States. The incident affected current and former employees of the company.
This data leak was the result of the exploitation of a zero-day vulnerability in the MOVEit Transfer platform, specifically CVE-2023-34362, a critical vulnerability allowing remote code execution. The attacker was the Clop ransomware group, which exploits this vulnerability on a large scale, leading to the compromise of many organizations around the world.
According to available information, sensitive information concerning approximately 6,800 individuals was compromised. Sony detected the unauthorised downloads on 2 June 2023, just days after the attack itself, which took place on 28 May 2023. Sony subsequently launched an investigation with the help of external cybersecurity experts.
Cloudflare Versus Cloudflare: The Irony in Protecting Against DDoS Attacks
Recently, an interesting and ironic security issue was discovered regarding Cloudflare, a platform known for its ability to protect against DDoS attacks. Stefan Proksch, an Austrian security engineer, revealed that it is possible to bypass Cloudflare’s DDoS protection using tools provided by Cloudflare itself.
The root of the problem lies in logical flaws in how Cloudflare manages trust between its own customers. These flaws allow an attacker to craft a specific attack path that bypasses Cloudflare’s firewall and DDoS prevention mechanisms, which are typically used to protect websites from cyberattacks.
The attacker first sets up a custom domain with Cloudflare and points its DNS A record at the victim’s IP address (the origin server). The attacker then disables all protection features for that custom domain in their own Cloudflare account and can route attacks through the Cloudflare infrastructure using the shared Cloudflare certificate that the victim’s origin trusts, effectively bypassing the victim’s protection settings.
According to Proksch, the security problem can be solved by using custom certificates, but this requires customers to create and maintain their own certificates for origin pull, which may be less convenient than using a Cloudflare certificate.
NSA and CISA reveal the 10 most common misconfigurations that compromise security
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have revealed the top ten cybersecurity misconfigurations their Red and Blue teams have uncovered in large organizations’ networks.
“These teams assessed the security posture of multiple networks within the Department of Defense (DoD), the Federal Civilian Executive Branch (FCEB), state, local, tribal, and territorial governments (SLTT), and the private sector,” the NSA said.
The ten most common network misconfigurations uncovered by the NSA and CISA Red and Blue team assessments and the CISA Hunt and Incident Response team include:
- Default software configuration
- Incorrect separation of user/administrator permissions
- Insufficient monitoring of the internal network
- Insufficient network segmentation
- Poor update management
- Bypassing system access controls
- Weak or poorly configured multi-factor authentication (MFA) methods
- Insufficient access control lists (ACLs) for network shares and services
- Unrestricted code execution
- Insufficient password complexity
Cyber attacks
- Madagascar’s government services apparently purchased and used Predator spyware to conduct political domestic surveillance ahead of November’s presidential election.
- Chinese hackers target East Asian semiconductor firms with Cobalt Strike
- Ransomware attackers exploit critical vulnerability in TeamCity
- Nearly 100,000 industrial control systems exposed to the Internet
- Royal Family website disabled by DDoS attack
- Turnkey rootkit facilitates supply chain attacks
- Microsoft warns of cyber attacks that attempt to penetrate the cloud via SQL Server instances
- EvilProxy uses an open indeed.com redirect to phish Microsoft 365
Vulnerabilities
- There is an exploit for a critical WS_FTP vulnerability
- Apple releases patches for more Zero-Day bugs
- Four Zero-Day vulnerabilities in Qualcomm chips put billions of users at risk
- Vulnerable Arm GPU drivers are being actively exploited. Patches may not be available
- Microsoft Edge and Teams get zero-day vulnerability fixes in open source libraries