Cyber Weekly Digest - 2022 Week #40

Updated: Oct 14

Take a look at this week’s Cyber Weekly Digest for a round-up of the biggest cyber security news for the week including the latest mitigation update from Microsoft for the ProxyNotShell zero-days as well as Uber’s former chief security officer being convicted after the 2016 data breach. Keep reading to stay up to date on the latest cyber security news from across the world.

1. Microsoft has updated the mitigation for the ProxyNotShell Exchange zero days.

Microsoft has updated the mitigations for the latest Exchange zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082, referred to as ProxyNotShell. CVE-2022-41040 is a server-side request forgery that enables privilege escalation and works with CVE-2022-41082 to trigger remote code execution on on-premise Exchange server deployments, both are rated critical. The initial recommendations were insufficient as researchers showed that they can be easily bypassed to allow new attacks exploiting the two bugs. The second improvement was still not enough as the mitigation could still allow ProxyNotShell attacks. Microsoft has since released a third update for mitigating ProxyNotShell.

2. Uber’s former CSO has been convicted of federal charges following a data breach in 2016.

Uber's former chief security officer, Joe Sullivan has been convicted of federal charges for illegally covering up the theft of Uber drivers' and customers' personal information in 2016. In 2016 threat actors had broken into Uber’s infrastructure and stole 57 million customer and driver records. A year later, in 2017, court documents showed Sullivan had learned of the theft in November 2016 but tried to cover up that theft by trying to disguise the ransom payment made to the threat actors to recover the data as a bug bounty award.

3. LAUSD School system data leaked by ransomware gang.

The Vice Society Ransomware gang published data and documents Sunday morning that was stolen from the Lost Angeles Unified School District during a cyberattack earlier in September 2022. LAUSD superintendent Alberto M. Carvalho confirmed the release of stolen data in a statement posted to Twitter, along with a hotline for concerned parents to ask questions about the data leak. The public release of data comes after the school system announced Friday that they would no