Originally reported by Security Affairs
TL;DR
Qualys disclosed nine critical AppArmor vulnerabilities allowing unprivileged users to gain root access on Linux systems. Meanwhile, Payload ransomware claimed responsibility for breaching Royal Bahrain Hospital and stealing 110 GB of sensitive data.
Nine critical privilege escalation vulnerabilities in AppArmor affecting Linux systems since 2017, combined with active ransomware targeting critical healthcare infrastructure.
Qualys researchers disclosed nine vulnerabilities in the Linux kernel's AppArmor security module, collectively designated as "CrackArmor." The flaws have persisted since 2017 and allow unprivileged users to bypass AppArmor protections, escalate privileges to root level, and compromise container isolation mechanisms.
AppArmor serves as a mandatory access control framework designed to restrict program capabilities and prevent unauthorized system access. The discovery of these long-standing vulnerabilities represents a significant security gap in Linux distributions relying on AppArmor for system hardening.
The vulnerabilities particularly impact containerized environments where AppArmor provides critical isolation boundaries between containers and the host system. Successful exploitation could enable attackers to break out of container sandboxes and gain full system control.
The Payload ransomware group claimed responsibility for breaching Royal Bahrain Hospital (RBH), a prominent healthcare facility in Bahrain. The threat actors allegedly exfiltrated 110 GB of sensitive data before adding the hospital to their Tor-based data leak site.
The ransomware operators published proof-of-breach materials on their leak site, following the established double-extortion model where threat actors both encrypt systems and threaten to release stolen data. Healthcare organizations remain high-value targets for ransomware groups due to their critical operational requirements and sensitive patient data.
This incident highlights the continued targeting of healthcare infrastructure by ransomware operators, particularly in regions where cybersecurity resources may be limited.
Security Affairs released their 88th malware newsletter roundup, featuring several notable research developments. Key highlights include analysis of Coruna, described as a nation-state iOS exploit kit, demonstrating advanced persistent threat capabilities targeting mobile platforms.
Additional research covered BoryptGrab stealer campaigns targeting Windows users through deceptive GitHub pages, and ClipXDaemon, an autonomous clipboard hijacker delivered via Bincrypter-based loaders. The newsletter also highlighted A0Backdoor research, indicating continued evolution in backdoor malware capabilities.
These research findings underscore the diverse threat landscape spanning mobile platforms, desktop systems, and advanced persistent threat toolkits.