Cybersecurity News & Updates - June, 2024
Inspirisys Solutions Limited (a CAC Holdings Group Company)
Check out the latest updates on high vulnerabilities, data breaches and ransomware attacks.
High Vulnerabilities
Cybersecurity researchers have uncovered a new malware campaign that targets publicly exposed Docker API endpoints with the aim of delivering cryptocurrency miners and other payloads.
Included among the tools deployed is a remote access tool that's capable of downloading and executing more malicious programs, as well as a utility to propagate the malware via SSH, cloud analytics platform Datadog said in a report published last week.
Analysis of the campaign has uncovered tactical overlaps with a previous activity dubbed Spinning YARN, which was observed targeting misconfigured Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services for cryptojacking purposes.
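The exposure this campaign abuses is a dockerd TCP listener that anyone on the network can reach without a client certificate. As an added example (not code from the page or from Datadog's report), the following script audits the two places that listener is normally configured, the "hosts" array in daemon.json and the -H/--host flags of the dockerd command line, and flags any TCP bind on a non-loopback address without --tlsverify. The sample configurations are constructed, and treating a bare "tcp://" as the loopback default is an assumption.

```python
"""Audit dockerd listener configuration for an unauthenticated TCP API.

Added example, not from the original page or from Datadog's report.
Inputs are constructed; a bare "tcp://" is assumed to mean loopback.
"""
import json
import shlex
from ipaddress import ip_address
from urllib.parse import urlsplit


def parse_daemon_json(text):
    """Return (hosts, tlsverify) from a daemon.json document."""
    cfg = json.loads(text) if text else {}
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))


def parse_cmdline(cmdline):
    """Return (hosts, tlsverify) from a dockerd command line (e.g. systemd ExecStart)."""
    argv = shlex.split(cmdline) if cmdline else []
    hosts, tlsverify = [], False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def is_network_reachable(host):
    """True when a listener URL binds a TCP socket on a non-loopback address."""
    if not host.startswith("tcp://"):
        return False                       # unix:// and fd:// are local only
    name = urlsplit(host).hostname or "127.0.0.1"   # assumption: bare tcp:// = loopback
    if name == "localhost":
        return False
    try:
        addr = ip_address(name)
    except ValueError:
        return True                        # a DNS name: assume it resolves off-box
    return not addr.is_loopback            # covers 0.0.0.0, :: and any real address


def audit_dockerd(daemon_json=None, cmdline=None):
    """Return one finding per listener reachable from the network."""
    hosts, tls = [], False
    for parser, src in ((parse_daemon_json, daemon_json), (parse_cmdline, cmdline)):
        h, t = parser(src)
        hosts += h
        tls = tls or t
    findings = []
    for host in hosts:
        if not is_network_reachable(host):
            continue
        if tls:
            issue = "Docker API reachable over TCP; TLS client verification is enabled"
        else:
            issue = ("Docker API reachable over TCP without TLS client verification; "
                     "anyone who can connect can start privileged containers")
        findings.append({"listener": host, "severity": "info" if tls else "high", "issue": issue})
    return findings


if __name__ == "__main__":
    # Constructed sample: the classic exposed daemon
    sample = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
    for f in audit_dockerd(daemon_json=sample):
        print(f["severity"], f["listener"], f["issue"])
```

Run it against /etc/docker/daemon.json and the output of `ps -o args= -C dockerd` on each host; a "high" finding is the configuration this campaign scans for, and the fix is to bind to a Unix socket or to front the TCP listener with --tlsverify and a private CA.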
Asus has rolled out a critical firmware update to patch a severe vulnerability affecting seven of its business router models, urging customers and users to check their firmware status and apply the update accordingly.
The flaw, identified as CVE-2024-3080 with a CVSS v3.1 score of 9.8, is an authentication bypass vulnerability that allows unauthenticated remote attackers to gain control of the device.
Owners of the affected routers, a series of XT8 and RT models, should check for firmware updates now to prevent unauthorised access and to ensure optimal protection.
Details have emerged about a new critical security flaw impacting PHP that could be exploited to achieve remote code execution under certain circumstances.
The vulnerability, tracked as CVE-2024-4577, has been described as a CGI argument injection vulnerability affecting all versions of PHP installed on the Windows operating system.
According to DEVCORE security researchers, the shortcoming makes it possible to bypass protections put in place for another security flaw, CVE-2012-1823.
"While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system," security researcher Orange Tsai said.
"This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack."
Following responsible disclosure on May 7, 2024, a fix for the vulnerability has been made available in PHP versions 8.3.8, 8.2.20, and 8.1.29.
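The mechanics are worth seeing in code. Under the CGI specification (RFC 3875), a QUERY_STRING with no unencoded "=" is handed to the script as command-line arguments, which is how "?-d allow_url_include%3d1" reached php-cgi's option parser in 2012; the fix rejects arguments that begin with "-". On Windows, bytes that have no mapping in the process's ANSI code page are rewritten by Best-Fit conversion before php-cgi sees them, and the reported case is the soft hyphen (0xAD) becoming an ASCII "-". The following added example (not DEVCORE's or the PHP project's code) models the pre-2024 check beside one that normalises the way Windows will before deciding; the single-entry BEST_FIT table is an assumption of the example, and a real filter must be built from Microsoft's published WindowsBestFit tables for the code pages in use.

```python
"""Model the CVE-2012-1823 query-string check and its CVE-2024-4577 bypass.

Added example, not DEVCORE's or the PHP project's code. BEST_FIT holds one
assumed mapping (soft hyphen -> '-'); all query strings below are constructed.
"""
from urllib.parse import unquote_to_bytes

BEST_FIT = {0xAD: ord("-")}   # assumption: the soft-hyphen case reported for CVE-2024-4577


def passed_as_argv(raw_query: str) -> bool:
    """RFC 3875 s4.4: a query with no unencoded '=' becomes the script's argv."""
    return raw_query != "" and "=" not in raw_query


def decode_args(raw_query: str) -> list:
    """Split on '+' and percent-decode each word, as the CGI gateway does."""
    return [unquote_to_bytes(part) for part in raw_query.split("+")]


def best_fit(arg: bytes) -> bytes:
    """Apply the Best-Fit substitutions Windows performs before php-cgi runs."""
    return bytes(BEST_FIT.get(b, b) for b in arg)


def argv_as_seen(raw_query: str, windows: bool = True) -> list:
    """The argv php-cgi actually receives (latin-1 decoded for readability)."""
    args = decode_args(raw_query)
    if windows:
        args = [best_fit(a) for a in args]
    return [a.decode("latin-1") for a in args]


def naive_blocked(raw_query: str) -> bool:
    """The 2012-era check: inspects the bytes before the OS rewrites them."""
    if not passed_as_argv(raw_query):
        return False
    return any(a.startswith(b"-") for a in decode_args(raw_query))


def hardened_blocked(raw_query: str) -> bool:
    """Normalise exactly as the platform will, then look for an option."""
    if not passed_as_argv(raw_query):
        return False
    return any(best_fit(a).startswith(b"-") for a in decode_args(raw_query))


if __name__ == "__main__":
    for q in ("-d+allow_url_include%3d1", "%ADd+allow_url_include%3d1", "id=42"):
        print(f"{q:34} naive={naive_blocked(q)!s:5} hardened={hardened_blocked(q)!s:5} "
              f"argv={argv_as_seen(q)}")
```

The general lesson is the one any input filter faces: compare against the bytes the consumer will see, not the bytes on the wire. Where you cannot patch immediately, the Apache mod_rewrite rule published with the 2012 advisory has the same blind spot, so it must be extended to the encoded soft hyphen (%AD) as well as "-" and "%2d".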
Security researchers at Tenable discovered what they describe as a high-severity vulnerability in Azure Service Tags that could allow attackers to access customers' private data.
Service Tags are groups of IP addresses for a specific Azure service used for firewall filtering and IP-based Access Control Lists (ACLs) when network isolation is needed to safeguard Azure resources. This is achieved by blocking incoming or outgoing Internet traffic and only allowing Azure service traffic.
Tenable's Liv Matan explained that threat actors can use the vulnerability to craft malicious SSRF-like web requests to impersonate trusted Azure services and bypass firewall rules based on Azure Service Tags, which are often used to secure Azure services and sensitive data without authentication checks. "This is a high severity vulnerability that could allow an attacker to access Azure customers' private data," Matan said.
Attackers can exploit the "availability test" feature in the "classic test" or "standard test" functionality, allowing them to access internal services and potentially expose internal APIs hosted on ports 80/443.
This can be achieved by abusing the Application Insights Availability service’s availability tests feature, which grants attackers the ability to add custom headers, modify methods, and customize their HTTP requests as needed.
Matan has shared more technical information in his report on abusing custom headers and Azure Service Tags to access internal APIs that are not normally exposed.
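The underlying design point is that a Service Tag tells you which Azure service a packet came from, not who is driving that service. As an added example (not Tenable's or Microsoft's code), the two authorisers below make the difference concrete: the first trusts network origin alone, so a request relayed through a tagged service with attacker-chosen headers and method is accepted; the second keeps the IP allow-list as a surface reducer but also demands a per-request HMAC over method, path and body that the relaying service cannot produce. SERVICE_TAG_PREFIXES is a constructed placeholder standing in for a tag's published ranges, SHARED_SECRET is a placeholder, and the request is constructed.

```python
"""Why an IP allow-list built from an Azure Service Tag is not authentication.

Added example, not from Tenable's report or Microsoft's code. The prefix,
secret and request below are all constructed placeholders.
"""
import hashlib
import hmac
from ipaddress import ip_address, ip_network

SERVICE_TAG_PREFIXES = [ip_network("203.0.113.0/24")]   # constructed; TEST-NET-3, not a real tag
SHARED_SECRET = b"replace-with-a-per-tenant-secret"     # placeholder


def from_service_tag(src_ip: str) -> bool:
    """Does the source address fall inside the tag's ranges?"""
    return any(ip_address(src_ip) in net for net in SERVICE_TAG_PREFIXES)


def authorize_ip_only(src_ip: str, headers: dict) -> bool:
    """Vulnerable: anything that originates inside the tag range is trusted,
    regardless of who asked the tagged service to send it."""
    return from_service_tag(src_ip)


def sign(method: str, path: str, body: bytes) -> str:
    """HMAC over the parts of the request the caller must commit to."""
    msg = method.encode() + b"\n" + path.encode() + b"\n" + body
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def authorize_hardened(src_ip: str, method: str, path: str, body: bytes, headers: dict) -> bool:
    """Network origin narrows the attack surface; the signature proves the caller."""
    if not from_service_tag(src_ip):
        return False
    presented = headers.get("X-Request-Signature", "")
    return hmac.compare_digest(presented, sign(method, path, body))


if __name__ == "__main__":
    # Constructed: a request relayed through a tagged service with attacker-chosen headers
    forged = {"X-Forwarded-For": "198.51.100.7", "X-Admin": "true"}
    print("ip-only :", authorize_ip_only("203.0.113.10", forged))
    print("hardened:", authorize_hardened("203.0.113.10", "GET", "/internal/api", b"", forged))
```

In production the credential would normally be an Entra ID token or a managed identity rather than a static shared key, and the signed material should include a timestamp or nonce so a captured request cannot be replayed; the point that survives either choice is that the allow-list alone must never be the gate.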
Threat actors are constantly evolving their TTPs and developing new malicious tools to execute their activities.
Recently, Akamai researchers have noted a concerning trend of attackers exploiting known vulnerabilities, such as the years-old ThinkPHP RCE flaws CVE-2018-20062 and CVE-2019-9082.
Initially detected in October 2023 with limited probes, a much larger campaign resurged in April 2024, exploiting these vulnerabilities to install remote shells.
Spatial computing attacks targeting VR headsets are rare. Possibly the first ever hack against Apple’s Vision Pro only became public knowledge in the second week of June 2024. But now a researcher has demonstrated a method of delivering any malware to Meta’s Quest 3 headset.
Researcher Harish Santhanalakshmi Ganesan took claims on Reddit that it’s almost impossible to install malware on Quest 3 VR as a personal challenge to explore emerging threat surfaces – he decided to do so without enabling developer mode.
Simple googling told him Meta was using a restricted version of Android Open Source Project (AOSP). “It means I can install any APKs just like installing apps in your Android phone,” he said.
More googling, this time with YouTube, unearthed a methodology using an app from Meta’s App Lab which gives access to native Android’s file manager. “I used this method to install CovidLock ransomware on my headset,” he explained.
CovidLock is a ransomware that targets Android devices. It masquerades as a COVID-19 tracker app and uses permission creep to gain additional permissions. If it gets enough, it locks users out of the device and displays a ransom note.
Ransomware Attacks
Auction house Christie’s has informed authorities that the data breach caused by a recent ransomware attack impacts the information of roughly 45,000 individuals.
According to information submitted by the company to the Maine Attorney General, the intrusion was discovered on May 9. An investigation showed that the attackers managed to steal some files containing personal information.
Impacted individuals are being notified. The notification letter sample submitted by Christie’s to the Maine AG does not specify what type of data was compromised besides names, driver’s license numbers, and non-driver identification card numbers.
Impacted individuals are being offered identity theft and fraud monitoring services for 12 months, which suggests sensitive personal information was stolen by the hackers.
The RansomHub ransomware group has taken credit for the attack, claiming to have stolen information such as name, birth date, address, and data from identification documents.
The hackers claimed to have stolen information belonging to at least 500,000 Christie’s clients from around the world, but it’s not uncommon for ransomware groups to exaggerate their claims.
More than 1,130 planned operations and 2,190 outpatient appointments have been postponed after a cyber attack hit London hospitals, it has been revealed.
The disruption was caused when hackers targeted pathology services provider Synnovis.
NHS England said two NHS trusts – King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust - were affected the most.
Medical director for NHS London, Dr. Chris Streather said the cyber-attack was "continuing to have a significant impact" on NHS services in south-east London.
Data released by NHS London on Thursday was the second update on the clinical impact of the ransomware cyber-attack on 3 June.
Between 10 June and 16 June, more than 1,294 outpatient appointments and 320 planned operations were postponed across King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust. So far 1,134 planned operations and 2,194 outpatient appointments have been postponed at the two trusts since 3 June.
Additionally, 46 organs were diverted for use by other trusts in the second week after the attack, compared to 18 in the first week.
The notorious TargetCompany ransomware group introduced a new Linux variant targeting VMware ESXi environments.
This evolution in their tactics underscores the increasing sophistication of ransomware attacks and the growing threat to critical virtualized infrastructure.
Discovered in June 2021, the TargetCompany ransomware, tracked by Trend Micro as “Water Gatpanapun” and known on its leak site as “Mallox,” has been actively targeting organizations in Taiwan, India, Thailand, and South Korea.
The group has continuously refined its techniques for bypassing security defenses, including using PowerShell scripts to circumvent the Antimalware Scan Interface (AMSI) and fully undetectable (FUD) obfuscator packers.
A cyberattack on Indonesia's national data centre compromised hundreds of government offices and caused long delays at the capital's main airport, with the hacker demanding an $8 million ransom, officials said Monday.
Long queues formed at immigration gates at Jakarta's Soekarno-Hatta International Airport last week after systems went down in the attack, carried out using software developed by Russian ransomware outfit LockBit, an official from the communications ministry said.
The attack "affected 210 institutions at the national and local levels," senior official Semuel Abrijani Pangerapan told reporters on Monday, adding a dark web hacker had demanded an $8 million ransom.
He added that immigration services were returning to normal on Monday morning and work was being done to restore other affected services.
Authorities are still investigating the ransomware, known as Brain Cipher, which made government data inaccessible due to encryption, he said.
P2PInfect, originally a dormant peer-to-peer malware botnet with unclear motives, has finally come alive to deploy a ransomware module and a cryptominer in attacks on Redis servers.
According to Cado Security, which has been tracking P2PInfect for some time now, there is evidence the malware operates as a "botnet for hire," although conflicting information prevents the researchers from drawing safe conclusions at this time.
Cado reports that starting on May 16, 2024, devices infected with P2PInfect received a command to download and run a ransomware payload (rsagen) from a specified URL, with the command being valid until December 17, 2024.
Multiple threat actors, including cyber espionage groups, are employing an open-source Android remote administration tool called Rafel RAT to meet their operational objectives by masquerading it as Instagram, WhatsApp, and various e-commerce and antivirus apps.
"It provides malicious actors with a powerful toolkit for remote administration and control, enabling a range of malicious activities from data theft to device manipulation," Check Point said in an analysis published last week.
It boasts a wide range of features, such as the ability to wipe SD cards, delete call logs, siphon notifications, and even act as ransomware.
The use of Rafel RAT by DoNot Team (aka APT-C-35, Brainworm, and Origami Elephant) was previously highlighted by the Israeli cybersecurity company in cyber attacks that leveraged a design flaw in Foxit PDF Reader to trick users into downloading malicious payloads.
The campaign, which took place in April 2024, is said to have utilized military-themed PDF lures to deliver the malware.
Check Point said it identified around 120 different malicious campaigns, some targeting high-profile entities, that span various countries like Australia, China, Czechia, France, Germany, India, Indonesia, Italy, New Zealand, Pakistan, Romania, Russia, and the U.S.
South Africa’s National Health Laboratory Service (NHLS) confirmed on Tuesday that it is dealing with a ransomware attack significantly affecting the dissemination of lab results as the country responds to an outbreak of mpox.
A spokesperson for the organization told Recorded Future News that the ransomware attack began Saturday morning and that hackers deleted sections of their system, including backup servers, meaning they will have to rebuild many of the affected parts.
The NHLS runs 265 laboratories across South Africa that provide testing services for public healthcare facilities in the country’s nine provinces. The spokesperson declined to say which ransomware group was behind the incident or whether a ransom will be paid.
CEO Koleka Mlisana said in a statement that officials do not know when systems will be restored. Preliminary results of an investigation have shown that databases holding patient information were not lost or compromised.
An unidentified strain of ransomware was used to target specific parts of the agency’s IT systems, “rendering them inaccessible and blocking communication” from databases to and from users.
“As such, all our systems remain inaccessible both internally and externally including to and from healthcare facilities until the integrity of the environment is secured and repaired,” he said. “All users will be aware that the NHLS networked laboratory system is heavily reliant on these information technology systems that have been disrupted,” Mlisana explained.
The U.S. Federal Bureau of Investigation (FBI) has disclosed that it's in possession of more than 7,000 decryption keys associated with the LockBit ransomware operation to help victims get their data back at no cost.
"We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov," FBI Cyber Division Assistant Director Bryan Vorndran said in a keynote address at the 2024 Boston Conference on Cyber Security (BCCS).
LockBit, which was once a prolific ransomware gang, has been linked to over 2,400 attacks globally, with no less than 1,800 impacting entities in the U.S. Earlier this February, an international law enforcement operation dubbed Cronos, led by the U.K. National Crime Agency (NCA), dismantled its online infrastructure.
Last month, a 31-year-old Russian national named Dmitry Yuryevich Khoroshev was outed by authorities as the group's administrator and developer, a claim LockBitSupp has since denied.
Data Breaches
A debt collection enterprise called Financial Business and Consumer Solutions (FBCS) has been impacted by a massive data breach that affects millions of Americans. FBCS is a debt collection agency that specializes in recovering charged-off consumer and commercial debts, such as car loans, health care bills, utility bills, student loans and credit cards.
The initial tally of those affected was around 1.9 million, which the company raised to 3 million in June 2024. The data breach leaked a treasure trove of consumer data, including full name, Social Security number (SSN), date of birth, and driver’s license number or ID card. The company has informed affected individuals as well as concerned authorities.
Less than 24 hours remain on a threat by the LockBit ransomware group to release 33 terabytes of government data tied to an alleged breach of the Federal Reserve Board. While there has been no confirmation of the breach and the Fed remains mum, the deadline of June 25 looms.
Multiple reports came out June 24 that the notorious LockBit group was negotiating with the Federal Reserve Board over a ransom payment in exchange for not making public 33 terabytes of government data.
Food service giant Jollibee has allegedly suffered a cyberattack and a data breach after experts claim to have found a database filled with sensitive customer data for sale.
Deep Web Konek found a database being sold by a threat actor under the alias “Sp1d3r”. The archive allegedly contains sensitive data on 32 million Jollibee customers, including their full names, postal addresses, phone numbers, and email addresses. Furthermore, Sp1d3r is apparently selling “extensive records” of food delivery orders, sales transactions, and service details.
The company responded to say that it is currently actively investigating the incident and that it deployed response protocols.
AMD is investigating whether it suffered a cyberattack after a threat actor put allegedly stolen data up for sale on a hacking forum, claiming it contains AMD employee information, financial documents, and confidential information.
"We are aware of a cybercriminal organization claiming to be in possession of stolen AMD data," AMD told BleepingComputer in a statement.
"We are working closely with law enforcement officials and a third-party hosting partner to investigate the claim and the significance of the data."
Dell Technologies has announced that the company faced a massive data breach wherein personal details of the users ended up online. This data included customer’s names and physical addresses. Dell recently posted, “Dell Technologies takes the privacy and confidentiality of your information seriously. We are currently investigating an incident involving a Dell portal, which contains a database with limited types of customer information related to purchases from Dell. We believe there is not a significant risk to our customers given the type of information involved.”
The post also revealed the details of the leaked data. In addition to the physical addresses and customer names, “Dell hardware and order information, including service tag, item description, date of order and related warranty information” were also leaked on the internet.
A hacker is advertising customer data allegedly stolen from the Australia-based live events and ticketing company TEG on a well-known hacking forum.
On Thursday, a hacker put up for sale the alleged stolen data from TEG, claiming to have information of 30 million users, including the full name, gender, date of birth, username, hashed passwords and email addresses.
In late May, TEG-owned ticketing company Ticketek disclosed a data breach affecting Australian customers’ data, “which is stored in a cloud-based platform, hosted by a reputable, global third party supplier.”
The company said that “no Ticketek customer account has been compromised,” thanks to the encryption methods used to store their passwords. TEG conceded, however, that “customer names, dates of birth and email addresses may have been impacted” — data that would line up with that advertised on the hacking forum.
The hacker included a sample of the alleged stolen data in their post. TechCrunch confirmed that at least some of the data published on the forum appears legitimate by attempting to sign up for new accounts using the published email addresses. In a number of cases, Ticketek’s website gave an error, suggesting the email addresses are already in use.