Cyber Incident Weekly Report - Week of July 29, 2024

Microsoft Outage Caused by Cyber Attack

WHAT HAPPENED: Microsoft began investigating an ongoing global outage blocking access to some Microsoft 365 and Azure services on Tuesday, July 30. Later in the week, Microsoft confirmed that the outage was caused by a distributed denial-of-service (DDoS) attack. Users reported issues using and accessing the Microsoft 365 admin center, Intune, Entra, Power Platform, Power BI, Azure, Xbox, Bing, and Power Apps. Microsoft is planning to release a Preliminary Post-Incident Review (PIR) within 72 hours and a final review within the next two weeks. There are currently no indicators that this outage was related to the global Microsoft/CrowdStrike outage.

CONCERNING: Microsoft, Outage, distributed denial-of-service (DDoS).

SENSCY'S ANALYSIS: While Microsoft continues to manage and investigate this incident, it comes only two weeks after the global CrowdStrike outage impacted CrowdStrike and Microsoft users. This time, Microsoft 365 and Azure services were targeted by a distributed denial-of-service (DDoS) attack, a cybercrime that involves flooding a server, network, or service with internet traffic to disrupt its normal traffic and make it inaccessible. Threat actors are highly likely to target software platforms like Microsoft because of the potential impact. A DDoS can lead to service disruptions in which legitimate users are unable to access critical services such as Microsoft 365 or Azure, which could mean lengthy service interruptions, damage to the organization's reputation, and potentially a loss in revenue. The operational costs of mitigating these outages can be substantial, including IT staff overtime, incident response costs, and potential hardware upgrades. In rare cases, DDoS attacks can lead to data loss or data corruption if the attacks are prolonged. Depending on the nature of the attack and the jurisdictions affected, there could be legal repercussions for Microsoft. For instance, failure to meet service level agreements (SLAs) or data protection regulations can result in fines and legal actions. Earlier this week, CrowdStrike investors began suing the company after the outage that caused the stock price to drop to 38%. In Microsoft's case, no threat actor has claimed the attack so far. However, last year, a similar incident was caused by a hacktivist group attempting to expose how reliant organizations worldwide are on IT services like Microsoft's. DDoS usually requires fewer resources and less technical skill than other attacks, making it likely that another hacktivist group was responsible for this one.

New Jersey City University Suffers Ransomware Attack

WHAT HAPPENED: In a post on the school's website, New Jersey City University (NJCU) explained it suffered a ransomware incident between June 4 and 10. The incident resulted in a data leak after an unauthorized threat actor gained access to the school's computer network. The ransomware group Rhysida claimed the attack and is demanding 10 Bitcoin, or roughly $700,000, by Aug. 3. The group allegedly exfiltrated miscellaneous data including agreements, passports, and Social Security numbers (SSNs).

CONCERNING: Academic, New Jersey City University, Ransomware, Data Breach

SENSCY'S ANALYSIS: Universities and schools typically see an increased risk of cyber-attacks around key dates like back-to-school, the holidays, or finals. But in some cases, hackers will target schools in the summer to take advantage of potentially reduced IT staffing, and because most schools and universities suspend awareness training and phishing simulations during the down months of the school calendar. For NJCU, the attack led to a ransom demand of 10 Bitcoin. While there are no indicators that the school paid the ransom, SensCy and the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) recommend that ransomware victims never pay the ransom, as it doesn't guarantee that data will be returned or deleted, and it encourages future attacks. But why do hackers request ransom payments in Bitcoin or other cryptocurrencies? Bitcoin transactions are pseudonymous: while each transaction is recorded on the blockchain, the identities of the parties involved are not directly tied to the transaction record; they are tied to a Bitcoin address that is not associated with any personal information. These transactions are therefore incredibly challenging to track, requiring large amounts of resources. Bitcoin transactions are also borderless, making them accessible to anyone globally without cross-border regulation. Finally, all Bitcoin transactions are irreversible once confirmed, making it impossible to cancel or reverse a payment. All these aspects make Bitcoin an attractive choice for threat actors. While law enforcement agencies and cybersecurity experts are developing new methods to track and combat the use of Bitcoin in cybercrime, the inherent characteristics of the cryptocurrency remain significant challenges in this ongoing effort.

ServiceNow Vulnerabilities Exploited by Hackers

WHAT HAPPENED: In May, security specialists AssetNote notified ServiceNow of three critical vulnerabilities. ServiceNow released patches in May and June, but a proof-of-concept exploit was published on July 11. Since then, threat actors have begun exploiting unpatched ServiceNow systems. Many reports indicate that anywhere from 13,000 to 42,000 unpatched instances are at risk of compromise. ServiceNow is a popular IT management provider.

CONCERNING: Vulnerabilities, CVEs, ServiceNow, IT Management, Patch Management.

SENSCY'S ANALYSIS: SensCy has observed an increase in cyber attacks targeting IT services, corporate portals, and help desks, seeking access to the systems that normally let legitimate users reach their company's environment remotely. Threat actors can be found on dark web forums discussing and sharing intelligence on potentially compromised systems. Typically, once a vulnerability is disclosed and a patch is released, hackers will begin scanning the internet, using publicly available external scanning tools, to find unpatched systems. These ServiceNow vulnerabilities, if exploited, could allow threat actors to read files, which could in turn let them move across the entire environment and steal any piece of information. While ServiceNow provided a quick patch, the number of unpatched systems shows how many organizations struggle with patching and third-party management; it is also a clear indicator of how essential timely patching has become to protecting an organization's data, operations, reputation, and compliance.
