
SYNLAB Italia Acknowledges Potential Data Compromise Following Cyber Incident

23 April 2024 at 04:06

SYNLAB Italia cyber-incident

SYNLAB Italia, a provider of medical diagnostic services, has temporarily halted its healthcare services across Italy after experiencing a cyber incident. The healthcare diagnostics entity stated that the SYNLAB Italia cyber-incident occurred during the early hours of 18 April and that it had become aware of the incident at 07:00 CET (Central European Time). Following the SYNLAB Italia cyber-incident, the IT department took action to block the entire company infrastructure from accessing the affected network while shutting down all machines in accordance with the company’s security guidelines. SYNLAB Italia is part of SYNLAB Group, which was founded by a loose association of German physicians. The group claims a presence in over 30 countries, with a staff of over 28,000 employees, and claims to conduct approximately 600 million tests every year.

Firm Halts Operations After SYNLAB Italia Cyber-incident

[Image: SYNLAB Italia Cyber-Incident. Source: Shutterstock]

After becoming aware of the SYNLAB Italia cyber-incident, the healthcare facilitator established a task force consisting of internal and external professionals, who took action to mitigate the potential impact stemming from the attack while focusing on restoring critical services as early as possible. SYNLAB then moved to secure biological samples that had already been collected and subsequently restored patient services such as specialist outpatient visits and physiotherapy. Upon visiting SYNLAB Italia’s site, visitors are prompted with links to either a patient service page or a customer service updates page. The patient page provides details about regional availability, outpatient services and regional center emergency numbers while informing patients about the services that remain suspended. The Customer and Business services page provides visitors with details about the cyberattack and alternative emergency numbers. SYNLAB stated that its task force is investigating every aspect of its IT infrastructure as well as its backup systems to restore its systems as soon as possible. The company stated that it had filed a complaint with the Postal Police and has followed the procedure for issuing a preliminary notification to the Guarantor Authority for the Protection of Personal Data. SYNLAB has apologized to its patients for the incident and stated that it had made dedicated telephone and social channels available for managing patient requests and information in the interim, as some of its services and its official email system remained down. The company stated that it would keep patients, customers and the public informed through its official website and social media channels, and that it is working on limiting customer inconvenience and providing the necessary support.

Medical Data at Risk in SYNLAB Italia Cyber-incident

[Image: SYNLAB Italia cyber-incident. Source: Shutterstock]

The healthcare provider stated that although the investigation is ongoing and the full extent of compromised data hasn't been confirmed, it acknowledged the potential exposure of sensitive medical data. Moreover, SYNLAB Italia affirmed its adherence to GDPR regulations when addressing concerns regarding potential data exposure. It pledged to restore systems as quickly as possible while implementing the necessary measures aimed at the secure resumption of services on an urgent basis. The company confirmed that it had issued emails communicating the incident to some of its patients through an external provider not impacted by the attack. The Cyber Express has reached out to SYNLAB Italia for further details regarding the attack, but no response has been received yet. No threat actor group or individual has been observed claiming responsibility for the attack so far.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Alleged Cyberattack on Bureau van Dijk: US Consumer Data Compromised

22 April 2024 at 08:28

Akira ransomware group

Threat actor USDoD (previously known as NetSec, ScarFace_TheOne, and Scarfac33), previously known for attacks against U.S. infrastructure and Airbus, has claimed Bureau van Dijk as its latest victim. The threat actor also claimed that the alleged attack on Bureau van Dijk would likely be his last and seemed to bid farewell to the BreachForums community. Bureau van Dijk is a leading business intelligence firm owned by Moody's Analytics. The firm offers various consumer and private company intelligence-related products with a primary focus on sales, marketing, and customer support. The firm is known to maintain country-specific databases, and the threat actor was likely referring to the US variant of the consumer database. Together, the two shared files contain about 11.7 million lines of sensitive data, as mentioned in the post description on BreachForums.

USDoD Threat Actor Targets Bureau van Dijk in Farewell Post

In a surprising gesture, USDoD bid farewell to the BreachForums community, federal agencies and ‘friends around the globe’, describing his post as a way of saying goodbye. The threat actor stated that he did not expect anything further from the community, while expressing gratitude to all the people he had contacted over the years on the forums. The threat actor reiterated that he was an individual working alone in his activities, framing his decision to step away as a move to focus on personal life and family. The post description describes the first stolen database as containing around 8.9 GB of data delivered in CSV format. The file included fields such as Last Name, First Name, Email Addresses, Priority Telephone Number, and Priority Email Address. The Cyber Express has reached out to Bureau van Dijk to verify the authenticity of the hacker's claims. However, at the time of writing, no official statement has been received, leaving the claims of the Bureau van Dijk cyberattack unverified.

US Consumer Database Included Within Threat Actor's Post

The second database included within the threat actor's post was purportedly a US consumer database stolen from the same agency and seemed to include data such as First Name, Last Name, Business Email, Mobile Phone, Direct Number, Job Title, Personal Address and Company Address. The second database was also in .csv format and was stated to include about 2.8 million lines of data records. Both databases were freely available for public download through links shared in the post. The attacker previously targeted the defense contractor Thales in a data breach on March 1, 2024, involving 24 GB of data. Prior to that incident, the threat actor was responsible for the Airbus data breach on September 12, 2023. Earlier, in August 2021, while operating under the NetSec moniker, the threat actor revealed that they had obtained administrator access to several websites belonging to the U.S. Army. This attack was part of a wider individual campaign under the '#RaidAgainstTheUS' hashtag involving large-scale attacks on the U.S. Department of Defense (DoD), U.S. Army websites, and U.S. defense manufacturers.

Victorian Councils Hit by OracleCMS Breach: Multiple Australian Cities Report Data Exposure

22 April 2024 at 04:09

Victorian Cities Data Breach OracleCMS

Several Victorian councils confirmed that their data had been exposed to the public after their third-party call center operator, OracleCMS, had been breached. The compromised data from the customer services vendor may extend beyond the Victorian cities data breach. OracleCMS (not to be confused with Oracle Corporation) is an Australia-based localized provider of customer care solutions and call center services. According to the OracleCMS official disclosure, the breached information may include 'corporate information, contract details, invoices, and triage process workflows'. Last week, the LockBit ransomware group listed OracleCMS as a victim on its official leak site.

Authorities Issue Data Breach Notices on Official Sites After Victorian Cities Data Breach

[Image: Victorian Cities Data Breach OracleCMS. Source: Shutterstock]

Local government entities are among those affected by the OracleCMS breach, with many of them conducting investigations into the incident over the weekend. Some affected entities instructed the OracleCMS provider not to collect any further information during the interim and requested direct transfer of urgent calls, including after-hours calls, to their staff until further notice. The affected cities that are known to have issued official data breach notices include Knox City, City of Port Phillip, Manningham Council, Whitehorse City Council and the City of Monash. Earlier, LockBit had published some sample data such as bills associated with OracleCMS, giving the company until April 16th to negotiate with the group, with no ransom amount being publicly mentioned. The group then published more than 60 gigabytes of leaked data contained within a single compressed archive. A “Clients” directory from the leaked data included more than 50 different folders of organizations ranging from local city councils to senior citizen care services. The Australian publication Cyber Daily stated that more than a dozen local councils were on the list, including the Campbelltown Council, Tweed Shire Council and Dandenong City Council, among various other government entities. Other clients included within the leak include several different law firms, a real estate giant, and the Queensland branch of the Philadelphia Church of God.

OracleCMS Issues Several Safety Recommendations After Victorian Cities Data Breach

[Image: Victorian Cities Data Breach OracleCMS. Source: Shutterstock]

OracleCMS confirmed that a cyber security incident had occurred in which an unauthorised party gained access to a portion of its data and published the leaked data online. After discovering the incident, OracleCMS engaged cyber security experts to aid in securing its systems and in conducting an official investigation. The site states that basic contact information could be extracted from contracts and invoices appearing in the breach, but advised that the data presented 'a low risk of misuse'. The organization stated that it had contacted clients it had identified as being impacted and would work with them to issue further notification and support to affected parties and individuals. OracleCMS apologized for the incident and affirmed its commitment to keeping stakeholders updated during the ongoing incident response and investigation. The site issued several recommendations to affected parties to stay safe from the fallout of the data breach.

US Atlantic Fisheries Commission Goes Offline: Ransomware Attack or Routine Maintenance?

19 April 2024 at 08:44

8base hack, U.S. Atlantic States Marine Fisheries Commission

The ransomware gang 8Base might have been responsible for an attack on the Atlantic States Marine Fisheries Commission (ASMFC) in the United States that caused it to go down temporarily. This development has raised concerns, given the ASMFC's pivotal role in overseeing fisheries along the Atlantic seaboard, after the U.S. Atlantic States Marine Fisheries Commission's email system was temporarily down. Established 80 years ago, the fishery organization states on its site that its mission is 'to promote the better utilization of the fisheries, marine, shell and anadromous, of the Atlantic seaboard by the development of a joint program for the promotion and protection of such fisheries, and by the prevention of physical waste of the fisheries from any cause.' The 8Base ransomware group claimed the organization as a victim on its leak site and claimed to have stolen several pieces of critical data. However, the authenticity of these claims is still in question, given that the commission has not shared any update regarding a cyberattack or intrusion.

Atlantic States Marine Fisheries Commission: Officials were Given a Four-Day Deadline

[Image: Source: Shutterstock]

On April 15th, the 8Base ransomware group asserted on its official leak site that it had obtained information such as personal data, invoices, receipts, accounting documents and certificates. The group gave the organization a deadline of four days to pay the ransom, warning that if the ransom was not paid by April 19th, they would release the data. Of particular concern is the extent of the alleged data breach, due to the nature of the data stored on the ASMFC's website, which includes confidential information on fishery management, nearshore fish species, habitat conservation efforts and law enforcement initiatives. For a while, the commission's official website displayed a notice instructing users to use a different address and phone number temporarily while its official services remained down. While its email services seem to have been restored, as the notice is no longer displayed, it is uncertain whether the disruption was due to the alleged attack, a routine maintenance effort, or otherwise.

[Image: U.S. Atlantic States Marine Fisheries Commission Hacked. Source: Archived copy of the official site (asmfc.org) displaying the earlier notice.]

The Cyber Express reached out to the ASMFC for further details and confirmation regarding the ransomware gang's claims, but had not received a response at the time of working on this report.

8Base Ransomware Group Shares Similarity with Other Groups

The ransomware group that claimed this cyberattack has been a notorious threat actor on the dark web, sharing similarities with other threat actors of equal prowess. In 2023, researchers from VMware reported that they had discovered significant similarities between the operations of 8Base and RansomHouse. These included a 99% similarity match in ransom notes between the groups, and other similarities in the verbiage of the two groups' leak sites on the welcome page, terms of service page and FAQ page. Other similarities were also noted between 8Base and the Phobos threat actor group, raising questions about the relationships between these groups and the degree of collaboration or independence. Beyond what seems like a possible cyberattack in the case of the Atlantic States Marine Fisheries Commission (ASMFC), the water industry saw many cyberattacks in 2023. In September 2023, another joint U.S.-Canada water body, the International Joint Commission, was hacked by NoEscape. The group had stolen and encrypted similar confidential data including contracts, legal documents, personal details of employees and members, and financial and insurance information. These incidents highlight the need for robust measures within organizations responsible for managing vital resources and essential sectors.

Void Interactive Data Breach: Developer of Popular SWAT Team Game Suffers Source Code Leak

18 April 2024 at 06:11

Void Interactive breach

Void Interactive, the Ireland-based indie game developer behind Ready or Not, fell victim to a massive data breach, with over 4TB of data stolen consisting of over 2.1 million files in total. Ready or Not is a tactical first-person shooter set in a contemporary setting and involving SWAT team operations. While reports circulated about the data breach, no particular threat actor was named; the incident occurred in March 2024. Void Interactive confirmed the data breach to Insider Gaming while stating that “no user or staff-related information has been leaked, and our development assets and proprietary code remain intact.” In response to the breach, Void Interactive appears to be conducting an ongoing investigation to understand the full extent of the intrusion.

Void Interactive Data Breach Linked to TeamCity Cloud Vulnerabilities

The data was stated to include the entire Ready or Not PC source code. It also includes data from performance benchmark tests and development builds for console versions of Ready or Not, for the Xbox One, Xbox Series X|S, and PlayStation 5 platforms. Purported images of the PS4 build of the game running on a PlayStation 4 test kit were also revealed in the leak, as reported by Insider Gaming. In another report, from Kotaku, a representative from Void Interactive stated that the hack was a result of “critical vulnerabilities” present in TeamCity’s cloud service component for build management. The game developer added that the hackers obtained access to certain source code and screenshots involving an upcoming project. The Void Interactive spokesperson further claimed that no user-related data had been breached, as they 'do not capture any personal user information in the first place'. The developer again confirmed that some source code and directory information had been stolen as part of the attack. However, development assets and proprietary code were not part of the breach. Void Interactive described the attack as being 'limited to the TeamCity services interface.' The Cyber Express has reached out to Void Interactive requesting information about the ongoing investigation.

[Image: Void Interactive data breach. Source: d0nutleaks leak site claim]

[Image: Void Interactive data breach. Source: /u/DrinkMoreCodeMore's claim on the /r/ReadyOrNotGame subreddit]

While Kotaku and Insider Gaming seem to refrain from directly naming the hacker group responsible, it is worth noting that around the same time the incident was stated to have occurred, a Reddit user by the username "DrinkMoreCodeMore" claimed to have noticed the d0nutleaks ransomware group listing Void Interactive as a victim on its data leak site.

Data Breaches, Source-Code Leaks, and Hacks Plague Gaming Industry

[Image: Void Interactive data breach, data breaches, game data breaches. Source: Shutterstock]

The gaming industry has been rife with data breach and hacking incidents affecting both prominent studios and smaller development teams. Last month, in March, the Apex Legends North American Finals were postponed after two professional players were hacked to give them 'aimbots' and 'wallhacks' mid-tournament. In December 2023, prominent game developers Insomniac Games and Rockstar Games suffered massive data breach attacks. The Rhysida ransomware gang leaked 1.67 TB (1.3 million files) of data from Insomniac Games, while another group leaked two files, a 4 GB file and a 200 GB file, from Rockstar Games. The smaller file mostly contained code, while the bigger one contained 3D models and assets. The leaked data included data on at least 1,158 Rockstar employees. The recent series of data breaches serves as a stark reminder that as developers continue to innovate and push boundaries in gaming, protecting intellectual property and sensitive data must remain a top priority in order to provide a secure environment for creators and players alike.

RansomHouse Allegedly Strikes Lopesan Hotels: 650GB Data Breach Unfolds

18 April 2024 at 00:32

RansomHouse group, lopesan data breach

The RansomHouse group allegedly added Lopesan Hotels to the list of victims on its extortion site, claiming to have obtained 650GB of data regarding the hotel's revenue ($382.4M) and details about 408 employees. The group claims to have encrypted the data on March 22, 2024, while stating that the company is not interested in the confidential data being leaked on the internet. The Lopesan Hotel Group is a family-owned group that began its activities in 1972 as a group that took on public construction projects. The hotel chain later scaled to become a multinational company, operating from its headquarters in Gran Canaria.

RansomHouse Group Shares Details on the Lopesan Hotels Cyberattack

The Cyber Express has reached out to the hotel group to learn more about the Lopesan Hotels cyberattack. However, at the time of writing, no official statement or response has been received, leaving the claims for this intrusion unverified for now. Along with the claims of the cyberattack, the group added that the hotel chain is failing to resolve the situation, stating, "Dear Lopesan Hotel Group, We are sure that you are not interested in your confidential data to be leaked or sold to a third party. We highly advise you to start resolving that situation." Moreover, RansomHouse shared a link to the downloadable data that doesn't require any password, making the data available to all users of the data leak site.

RansomHouse Group is Known to Target High-Value Targets

The ransomware gang that claimed this attack began as a ransomware-as-a-service operation that emerged in late 2021 with active attacks against the networks of large enterprises and high-value targets. RansomHouse initially targeted Italy, but later began targeting countries such as the United States and Spain. The group primarily tends to target the industrial and technology sectors and set up a victim extortion page in May 2022. In the words of RansomHouse representatives, the group claims not to encrypt data and to be 'extortion only,' casting itself as a ‘force for good’ that intends to ‘shine a light’ on companies with poor security practices. The group has been observed accepting only Bitcoin payments. The group's operations tend to be smaller and more sophisticated than those of some of the bigger contemporary ransomware groups. They are known to recruit members on prominent underground marketplaces and utilize a Tor-based chat room for ransom negotiations. Since the group tends to conduct extortion-only attacks, their techniques tend to be stealthier and quicker, as no encryption process occurs and typical ransomware detection triggers are avoided.

RansomHouse Group Was Responsible for Massive Data Breaches

The RansomHouse group recently developed a new tool dubbed 'MrAgent' that targets VMware ESXi hypervisors, which typically house valuable data. The group targeted several large organizations over the last year. Their campaigns include attacks such as the theft of 450 GB of data from the semiconductor giant AMD, an attack disrupting the healthcare services of the Hospital Clínic de Barcelona in Spain, and an attack on Shoprite, Africa's largest supermarket chain. The sophistication of the RansomHouse group's campaigns and the scale of their attacks demand heightened vigilance and proactive defense strategies to safeguard against similar breaches, despite their claims to be a positive force. As for the Lopesan Hotels cyberattack, this is an ongoing story. The Cyber Express will be monitoring the situation and will update this post once there is more information on this alleged attack or any official confirmation from Lopesan Hotels.

FTC Fines Cerebral $7 Million for Sharing Millions of Patients’ Data

17 April 2024 at 04:38

Cerebral Consumer Data

The Federal Trade Commission (FTC) has proposed a $7 million fine against Cerebral Inc for what it sees as a mishandling of consumer data. Cerebral allegedly not only mishandled the data but actively shared it with third parties for advertising purposes. The complaint alleges that Cerebral Inc consumer data consisting of sensitive information on nearly 3.2 million individuals had been shared with various third-party agencies, such as Google, Meta (Facebook) and TikTok, among other advertising giants. This sharing of consumer data reportedly occurred through Cerebral's platforms by utilizing tracking tools on its website or apps, such as tracking pixels.

Cerebral, Inc. agreed to comply with a settlement with the FTC, which includes restrictions on the company's use or disclosure of sensitive consumer data. In its statement, the FTC reaffirmed its fight against the poor handling of consumers’ sensitive health data by some health companies.

FTC Cites Poor Handling and Malpractices Behind Cerebral Inc Consumer Data Collection

[Image: Cerebral Inc Consumer Data. Source: Shutterstock]

The data being mishandled reportedly included not only typical contact and payment information but also detailed medical histories, prescriptions, health insurance details, and even sensitive personal beliefs and orientations. The publication cites various examples of Cerebral's poor practices, including a failure to restrict former employees from accessing confidential medical records, promotional postcards that disclosed patient health details, and reliance on insecure access methods for its patient portal, which allowed users to access the confidential health information of other patients. Furthermore, the lawsuit accused Cerebral Inc. of violating the 'Restore Online Shoppers’ Confidence Act' (ROSCA) by making it difficult for consumers to cancel subscriptions. The complaint outlined a convoluted cancellation process that involved staff contacting consumers to dissuade them from canceling, keeping subscriptions active until staff "confirmed" cancellation requests, and even removing a simplified cancellation button after observing an increase in cancellations.

Mental Health Firm Issued Data Breach Notice Last Month

[Image: Cerebral Data Breach. Source: cerebral.com]

Cerebral Inc. disclosed in a breach notice published on its website that company data had been shared through invisible pixel trackers from Google, Meta (Facebook), TikTok, and other third parties on its online services since 2019, without adequate patient permission. The breach had been reported on the U.S. Department of Health and Human Services breach portal, listing the personal details of 3,179,835 people as exposed as part of this breach. The data breach was stated to include details such as full name, phone number, email address, date of birth, IP address, Cerebral client ID number, and demographic information. However, the firm stated that the shared information did not include Social Security numbers, credit card information, or bank account information. The firm indicated that it had 'enhanced' its information security practices and technology vetting processes to mitigate the sharing of such information in the future. The firm claimed that it was one of several companies across industries such as health systems, traditional brick-and-mortar providers, and other telehealth companies that had resorted to the use of pixel and other common tracking technologies. Cerebral stated that it would provide free credit monitoring to help affected users. The data breach incident as well as the FTC's proposed fine highlight the importance of safeguarding consumer data and ensuring transparent and accessible cancellation processes, particularly in sensitive industries such as mental health care.

BreachForums Down, But Not Out: Hackers Claim Attack, Admins Remain Unfazed

16 April 2024 at 09:14

BreachForums take down

The clearnet domain of the notorious BreachForums data leak and hacking forum has been taken down by rival threat actors. The threat actor group R00TK1T, along with the pro-Russian gang Cyber Army of Russia, announced a breach of user data following the BreachForums take down. R00TK1T was previously responsible for an attack campaign targeting the Malaysian government and various private entities, including one of Malaysia’s leading telecommunications operators. The hackers responsible for the attack on BreachForums also claimed that they would leak a list of the forum's users, IP addresses and emails. Despite the attack, the TOR version of the site remains operational.

Groups Claim More Surprises for Hacker Community and Active Users

[Image: Breach Forums Take Down. Source: R00TK1TOFF Telegram channel]

R00TK1TOFF claimed on Telegram that the site 'has currently crashed due to the extent of our attack, which was executed with extreme precision and efficiency.' The DDoS campaign against the site had been conducted as a joint operation of both groups. However, the BreachForums TOR address remains active and is known to implement DDoS protection. Cybersecurity firm Hackmanac claimed in a note on X (Twitter) that:
R00TK1T is known for making grand claims about significant data breaches, which more often than not turn out to be merely a collection of publicly available data. Given the group's reputation, the threat to publish the IP and email addresses is likely to be a mere republishing of user details that were leaked last year by more credible threat actors.

Baphomet Issues Statement Regarding BreachForums Take Down

Baphomet, the administrator of BreachForums, made a statement about the incident on Telegram: 'The domain is currently suspended. We're working on it. We apologize for any inconvenience.' He further advised its users to access the forums through via the TOR site until the issue was sorted. In a later post via Telegram, Baphomet joked that the action must have been the work of the Five Eyes network along with various other large nations 'working together to silence our forums.' He then downplayed the takedown of the .cx domain, recommending users to switch to a temporary new domain (breachforums.st). [caption id="attachment_63041" align="aligncenter" width="785"]BreachForums take down Source: Baphomet Official  Telegram channel[/caption] He stated that the .st domain would temporarily function as their main site while the admins work on 'protection over the next week that'll make these one-time suspensions less effective' while emphasizing on the availability of the TOR domain at all times. He then claimed that nothing had been 'seized, hacked, or even reasonably attacked.' Noting that while their site might experience DDoS attacks and downtime, they would always come back. He advised users to be patient while thanking the community for being patient with such incidents. R00TK1T, later responded in its own channel that Baphomet was denying the attacks and that together with the Cyber Army of Russia would 'unleash a torrent of chaos that will leave you (Baphomet) reeling. BreachForums has faced a series of troubles in recent times, including the arrest of its former owner Conor Brian Fitzpatrick (pompompurin), followed by an official seizure of the site by the Federal Bureau of Investigation(FBI) in cooperation with several U.S. agencies. The FBI stated in an affidavit that during the time of seizure, it had access to the BreachForums database. 
A forum administrator operating under the screen name "Baphomet" took ownership of the website and its operations after the arrest of Fitzpatrick. The site was temporarily shut down because Baphomet suspected that the forum was still compromised. However, Baphomet later reopened the forum to the public with the aid of the black-hat hacking group ShinyHunters. ShinyHunters was previously responsible for several large-scale data breaches, obtaining about 200 million records of stolen data from various companies.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Lighttpd Bug Continues to Expose Vulnerabilities in End-of-Life Intel and Lenovo Hardware Firmware

16 April 2024 at 05:53

A vulnerability has been discovered in the open-source Lighttpd web server component embedded in devices from several prominent manufacturers. Lighttpd is recognized as a 'secure, fast, standards compliant, and flexible web server optimized for high-performance environments.' These features make it a popular choice for incorporation into various projects and tools, and it was previously used to power sites such as YouTube and Wikipedia. The vulnerability, which has existed in Lighttpd for at least six years, affects over 2,000 devices deployed by vendors such as American Megatrends International (AMI), Intel, Lenovo, and Supermicro. Researchers caution that any hardware incorporating certain generations of baseboard management controllers (BMCs) made by Duluth, Georgia-based AMI or Taiwan-based ATEN is also affected. BMCs are built into servers to allow cloud centers as well as their clients to manage servers remotely. They enable administrative actions such as OS management, installation of applications, and control over other aspects of a server even while it is powered off. Over the years, BMCs from multiple manufacturers have incorporated vulnerable versions of lighttpd.

Lighttpd Bug Had Been Identified but Not Disclosed as Vulnerability

The vulnerability had been discovered and patched in version 1.4.51 of the software, described in the change logs as fixing 'various use-after-free scenarios' and marked as 'security fixes'. The MITRE corporation describes this category of bug as one that 'can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw'. Researchers from Binarly, who discovered the flaw's presence on devices sold by Lenovo and Intel, noted that the update did not describe the issue as a 'vulnerability' or include a CVE identifier. This omission, they claim, might have affected 'proper handling of these fixes down both the firmware and software supply chains'. While the bug is of moderate severity on its own, it could be chained with other vulnerabilities to read the memory of a lighttpd web server process, exfiltrate sensitive data, and potentially bypass memory-protection techniques such as ASLR (address space layout randomization). ASLR is implemented in software to make buffer-overflow and out-of-bounds memory attacks harder to exploit reliably.

Vendors Plan Not to Release Lighttpd Bug Fix As They No Longer Support Hardware

The vulnerability is present in any hardware that uses lighttpd versions 1.4.35, 1.4.45, and 1.4.51. Both Intel and Lenovo have reportedly stated that they have no plans to release fixes, as they no longer support the hardware in which these flaws may persist. Supermicro, however, has stated that it will support versions of its hardware still relying on lighttpd.
A Lenovo spokesman reportedly stated to ArsTechnica that 'Lenovo is aware of the AMI MegaRAC concern identified by Binarly. We are working with our supplier to identify any potential impacts to Lenovo products. ThinkSystem servers with XClarity Controller (XCC) and System x servers with Integrated Management Module v2 (IMM2) do not use MegaRAC and are not affected.'
It is worth stating explicitly, however, that the severity of the lighttpd bug is only moderate and that it is of no value to an attacker without a working exploit for a much more severe vulnerability. In general, BMCs should be enabled only when needed and locked down carefully, as they allow extraordinary control over entire fleets of servers via simple HTTP requests sent over the Internet. Chip giant Intel previously issued an advisory in 2018 warning customers about over 13 security bugs discovered during internal evaluation in its version of the baseboard management controller (BMC) firmware for Intel Server products. The reported flaws included one critical flaw that could be exploited to leak sensitive data or allow attackers to escalate privileges.
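As an added example (not code from the article, Binarly, or any vendor), the following inventory triage helper classifies lighttpd versions reported by BMC web interfaces against the versions named above, so an operator can see which controllers still need to be isolated or retired. It assumes the Server header values have already been collected from each BMC and that the BMC reports its version in lighttpd's default lighttpd/x.y.z form; the hostnames and header values are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Versions the article lists as present in affected BMC firmware.
LISTED_AFFECTED = {(1, 4, 35), (1, 4, 45), (1, 4, 51)}
# Release in which the use-after-free fixes landed, per the changelog the article cites.
FIX_RELEASE = (1, 4, 51)

_VERSION_RE = re.compile(r"lighttpd/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_lighttpd_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a Server header value, or None if it is not lighttpd."""
    m = _VERSION_RE.search(server_header)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(server_header: str) -> str:
    """Return 'not-lighttpd', 'affected', 'pre-fix', or 'ok' for one Server header value."""
    version = parse_lighttpd_version(server_header)
    if version is None:
        return "not-lighttpd"
    if version in LISTED_AFFECTED:
        return "affected"          # a version the article names explicitly
    if version < FIX_RELEASE:
        return "pre-fix"           # predates the release that carried the fixes
    return "ok"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each BMC label to its classification."""
    return {host: classify(header) for host, header in inventory.items()}


# Constructed sample inventory (hostnames and header values are made up for illustration).
SAMPLE_INVENTORY = {
    "bmc-rack1-01": "lighttpd/1.4.35",
    "bmc-rack1-02": "lighttpd/1.4.45",
    "bmc-rack2-01": "lighttpd/1.4.59",
    "bmc-rack2-02": "lighttpd/1.4.40",
    "bmc-rack3-01": "Apache/2.4.57",
}

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

A BMC that hides or rewrites its Server header will show up as 'not-lighttpd' and needs to be checked by firmware version instead.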