GitLab has issued an urgent security update to address a severe vulnerability found in both its Community Edition (CE) and Enterprise Edition (EE) versions. This critical flaw, identified as CVE-2024-0402, carries a high-risk CVSS score of 9.9, indicating its potential to allow authenticated users to overwrite files arbitrarily on the GitLab server during workspace creation.
The vulnerability affects all GitLab CE/EE versions starting from 16.0 up to the versions before 16.5.8, 16.6.6, 16.7.4, and 16.8.1. GitLab's security team discovered that while creating a workspace, an authenticated user could exploit this flaw to write files to any location on the server, posing a significant security risk. In response, GitLab has swiftly backported patches to versions 16.5.8, 16.6.6, 16.7.4, and 16.8.1 as of January 25, 2024.
In addition to this critical issue, GitLab has also addressed four medium-severity vulnerabilities in its latest security update. These vulnerabilities could lead to various security concerns, including a regular expression denial-of-service (ReDoS), HTML injection, and the unintended disclosure of a user's public email address through the tags RSS feed.
This announcement comes shortly after GitLab resolved two critical vulnerabilities two weeks prior, one of which allowed for account takeovers without any user interaction required, emphasizing the continuous threat landscape that DevSecOps platforms face.
The primary risk associated with CVE-2024-0402 is unauthorized file writing, which could lead to server compromise, data leakage, or further exploitation depending on the files written and their locations. The severity of this risk is underscored by its high CVSS score, indicating that the vulnerability is easy to exploit and can have a widespread impact.
It is strongly recommended for all GitLab CE and EE users to update their installations to the latest patched versions immediately. These updates are crucial to protect against potential exploitation and secure GitLab servers from unauthorized access and manipulation. GitLab.com and GitLab Dedicated environments have already been updated to the latest versions, ensuring their security against this vulnerability.
LockBit ransomware group has taken responsibility for a recent cyberattack on Saint Anthony Hospital, a children's hospital in Chicago, marking a concerning shift in the gang's operational tactics. This move deviates from LockBit's previously stated policy of exempting nonprofit organizations from its targets, illustrating a distressing escalation in the ransomware landscape.
The attack on the hospital has been met with a stark refusal from LockBit to reverse the damage, a departure from their prior actions where they mitigated the effects of an attack on Toronto's SickKids hospital. The ransom demand set by the attackers is $800,000, a sum that poses an improbable financial burden for a nonprofit healthcare institution like Saint Anthony Hospital. The deadline for this ransom was set for 01:41 UTC on February 2, with an option to extend the deadline by 24 hours for a payment of $1,000.
Saint Anthony Hospital confirmed the cyberattack, stating that an unauthorized entity had copied files containing patient information, although it assured that no medical or financial records were compromised. The hospital's investigation, which concluded that patient data was at risk, led to immediate measures to secure its network and maintain uninterrupted patient care.
Despite the hospital's swift response to safeguard its systems and patients, the incident underscores the heightened threats hospitals face from cybercriminals. Saint Anthony Hospital has emphasized its commitment to cybersecurity and patient privacy, reporting the incident to the FBI and cooperating with their investigation, as well as notifying appropriate regulatory bodies.
LockBit's attack and its refusal to backtrack highlight a concerning trend of ransomware groups targeting vulnerable sectors without regard for the ethical implications. This incident is particularly alarming as it suggests a potential shift in LockBit's strategy, allowing its affiliates more freedom to target any organization, including those in sensitive sectors like healthcare.
The hospital has pledged to notify potentially impacted individuals and is offering a year of free credit monitoring to all patients as a precautionary measure against identity theft or financial fraud.
This incident serves as a stark reminder of the persistent cybersecurity threats facing healthcare institutions and the need for continuous vigilance and improvement in cybersecurity measures to protect sensitive patient information.
To protect against future ransomware attacks, healthcare organisations should:
Regularly update and patch systems to close security vulnerabilities.
Implement comprehensive backup and recovery procedures for critical data.
Conduct regular security training for staff to recognise and respond to phishing attempts and other cyber threats.
Employ multi-layered security measures, including firewalls, antivirus software, and intrusion detection systems.
AnyDesk, a leading provider of remote desktop software, announced Friday that it experienced a cybersecurity breach affecting its production systems. The Germany-based company clarified that the incident was not a ransomware attack but did not specify the nature of the compromise. Following a security audit that led to the discovery of the breach, AnyDesk took immediate action by notifying relevant authorities and implementing critical security measures.
As part of its response, AnyDesk revoked all security-related certificates and replaced or remediated affected systems. The company is in the process of revoking its previous code signing certificate for its binaries and introducing a new one. In a precautionary move to safeguard user accounts, AnyDesk has reset all passwords for its web portal, my.anydesk.com, and is urging its users to change their passwords, especially if the same credentials are used across multiple online services.
AnyDesk also recommends that users download the latest version of its software, which includes a new code signing certificate, to ensure the highest level of security. While the company has not provided specific details regarding the timing or method of the breach, it has reassured that there is no evidence suggesting any end-user systems have been compromised.
The breach was first hinted at when Günter Born of BornCity reported that AnyDesk had undergone maintenance starting January 29, with the issue being resolved on February 1. This followed an earlier notice from the company on January 24 about "intermittent timeouts" and "service degradation" affecting its Customer Portal.
Serving over 170,000 customers globally, including notable names like Amedes, AutoForm Engineering, LG Electronics, Samsung Electronics, Spidercam, and Thales, AnyDesk's security breach raises concerns about the potential implications for its vast user base. This incident comes amid growing cybersecurity threats, as demonstrated by a similar breach disclosed by Cloudflare, which involved unauthorised access by a suspected nation-state attacker.
The recent cybersecurity breach at AnyDesk underscores the importance of rigorous security practices for companies providing critical remote access solutions. AnyDesk's prompt actions, including system remediations, certificate revocations, and mandatory password resets, are crucial steps in mitigating potential risks arising from the breach.
For users of AnyDesk and similar remote desktop services, this incident serves as a reminder of the need for continuous vigilance and adherence to best security practices, including:
Regularly updating software to the latest versions to benefit from enhanced security measures.
Using unique passwords for different online services to prevent widespread access from a single compromised password.
Monitoring accounts for any unusual activity and adopting multi-factor authentication where possible to add an extra layer of security.
The breach at AnyDesk highlights the persistent threat landscape facing remote desktop software providers and their users, emphasising the need for proactive security measures to protect against unauthorised access and potential data compromises.