Friday 9th August 2024
Aidan Dickenson
Good morning everyone, a very happy Friday to you all, and thank you for joining me for the latest installment of Cyber Daily. Today we take a deep dive into a critical security flaw in Progress Software's WhatsUp Gold, the latest on a ransomware attack on Bayhealth Hospital, and how cybercriminals are leveraging legitimate cloud services in their latest campaigns.
Critical Vulnerability in WhatsUp Gold Exploited
A major security flaw in Progress Software's WhatsUp Gold is being actively exploited. Users need to update to the latest version without delay.
The vulnerability, CVE-2024-4885, carries a critical CVSS score of 9.8. It affects versions released before 2023.1.3 and allows unauthenticated remote code execution through the WhatsUp.ExportUtilities.Export.GetFileWithoutZip method, with the attacker's code running under the privileges of the iisapppool\nmconsole account.
Security researcher Sina Kheirkhah of the Summoning Team discovered the flaw, which fails to properly validate user-supplied paths. A proof-of-concept (PoC) exploit has been published, and since August 1, 2024, the Shadowserver Foundation has reported exploitation attempts from multiple IP addresses.
Version 2023.1.3 also patches two other critical vulnerabilities: CVE-2024-4883 and CVE-2024-4884, both allowing remote code execution. A high-severity privilege escalation issue (CVE-2024-5009) is also addressed, preventing local attackers from elevating their privileges via the SetAdminPassword method.
Given Progress Software's history of vulnerabilities being exploited in the wild, it's crucial to apply these updates immediately and to restrict network access to the WhatsUp Gold console to trusted IP addresses.
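To make the bug class concrete, here is an added, illustrative example (not WhatsUp Gold's code) of the pattern described above: an export handler that turns a user-supplied name into a filesystem path without confining it to the export directory, beside a hardened version that rejects anything resolving outside that directory. The export root, file names and helper names are constructed for the demo.

```python
"""Path-containment check for a file-export handler.

Added, illustrative example: this is not WhatsUp Gold's code. It shows
a handler that builds a filesystem path from a caller-controlled name
without confining it to the export directory, next to a hardened
version that refuses anything resolving outside that directory. The
export root and file names are constructed for the demo.
"""
import os
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath


def unsafe_export_path(export_root: str, user_path: str) -> str:
    # Vulnerable pattern: os.path.join trusts the caller-controlled
    # fragment, so "../x" walks out of export_root and an absolute
    # second argument replaces export_root entirely.
    return os.path.join(export_root, user_path)


def safe_export_path(export_root: str, user_path: str) -> str:
    """Return an absolute path inside export_root, or raise ValueError."""
    root = Path(export_root).resolve()
    # IIS applications accept both separators; normalise before checking
    # so "..\\..\\x" cannot slip past a forward-slash-only check.
    normalised = user_path.replace("\\", "/")
    # Reject absolute paths, drive letters (including drive-relative
    # "C:file") and UNC prefixes under both OS conventions, regardless
    # of the OS this check happens to run on.
    win = PureWindowsPath(user_path)
    if win.drive or win.root or PurePosixPath(normalised).is_absolute():
        raise ValueError(f"absolute or drive path rejected: {user_path!r}")
    # Resolve '..' components and symlinks first, then check containment.
    candidate = (root / normalised).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"path escapes export root: {user_path!r}") from None
    return str(candidate)


def rejected(export_root: str, user_path: str) -> bool:
    """True if the hardened handler refuses user_path."""
    try:
        safe_export_path(export_root, user_path)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Build a throwaway tree and exercise both handlers; returns outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "exports"
        root.mkdir()
        (root / "report.csv").write_text("report data")
        (Path(tmp) / "secret.txt").write_text("outside the export root")

        out = {}
        # The vulnerable join happily reads the file outside the root.
        out["unsafe_escapes"] = (
            Path(unsafe_export_path(str(root), "../secret.txt")).read_text()
            == "outside the export root"
        )
        # Legitimate names, including '..' that stays inside, still work.
        out["safe_allows_inside"] = (
            Path(safe_export_path(str(root), "report.csv")).read_text() == "report data"
            and safe_export_path(str(root), "sub/../report.csv")
            == str(root.resolve() / "report.csv")
        )
        # Traversal, absolute, drive and UNC forms are all refused.
        out["safe_blocks"] = all(
            rejected(str(root), p)
            for p in ("../secret.txt", "..\\..\\secret.txt", "/etc/passwd",
                      "C:\\Windows\\win.ini", "C:secret.txt",
                      "\\\\server\\share\\x")
        )
        return out


if __name__ == "__main__":
    print(demo())
```

The containment test is done after `resolve()`, so a symlink inside the export directory pointing outside it is also caught, which a purely lexical `".." in path` check would miss.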
Rhysida Ransomware Group Hits Bayhealth Hospital
Bayhealth Hospital in Delaware has reportedly fallen victim to the Rhysida Ransomware group, which is demanding 25 BTC for the alleged stolen data. The ransomware gang claims to have breached the hospital's systems, listing it on their Tor leak site and providing screenshots of passports and ID cards as proof.
Bayhealth operates a technologically advanced not-for-profit healthcare system with nearly 4,000 employees and over 650 medical professionals. It serves central and southern Delaware through its Kent and Sussex campuses and a 24-hour emergency center in Smyrna, offering comprehensive inpatient and outpatient services.
Rhysida, active since May 2023, has targeted multiple sectors, including healthcare. This breach is part of a series of attacks on hospitals, including Abdali Hospital in Jordan and King Edward VII’s Hospital in London. The ransomware group has listed at least 62 companies as victims on its Tor site.
Cyberattacks on healthcare facilities have severe implications, as seen with recent incidents at Lurie Children’s Hospital in Chicago and Cogdell Memorial Hospital in Texas. Despite some ransomware gangs imposing restrictions on targeting hospitals, these attacks continue, underscoring the critical need for robust cybersecurity measures.
Cybercriminals Exploiting Legitimate Cloud Services
At the Black Hat infosec conference, Symantec's threat hunters revealed that state-sponsored spies and criminals are increasingly using legitimate cloud services to attack their victims. Over recent months, Symantec has identified three such operations and discovered new malware tools under development.
Criminals use cloud services for many of the same reasons legitimate organisations do, such as low cost and ease of use, with the added benefit that their traffic blends in. Marc Elias of Symantec highlighted that nation-state groups exploit free accounts on Google Drive or Microsoft services to maintain infrastructure at no cost; because the resulting traffic is encrypted and goes to legitimate domains, defenders struggle to tell it apart from normal activity.
Symantec has observed several campaigns abusing cloud tools. The Grager backdoor campaign was particularly stealthy, involving typosquatting and malicious domains mimicking legitimate software such as 7-Zip. The attackers also used Whipweave, a tunnelling tool based on the Chinese VPN Free Connect project, to further obfuscate malicious traffic.
Elias noted a significant increase in nation-state APT groups leveraging cloud services over the past two years, expecting this trend to continue due to its benefits for attackers.
For defenders, Symantec has published indicators of compromise and MITRE tactics, techniques, and procedures to help identify and mitigate these threats.
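One defensive check a practitioner can run locally against the typosquatting tactic mentioned for the Grager campaign is a lookalike-domain scan over DNS query logs. The following is an added example, not Symantec's detection logic and not the campaign's real indicators: it scores each queried domain against a short, constructed allow-list of legitimate software sites using Levenshtein distance on the name part after folding a few digit-for-letter substitutions. The allow-list, log lines and function names are all assumptions made for the demo.

```python
"""Lookalike-domain detection over DNS query logs.

Added example, not Symantec's detection logic and not the campaign's
real domains: each queried domain is scored against a short list of
legitimate software sites using Levenshtein distance on the name part,
after folding a few digit-for-letter substitutions, so "7-zlp.org",
"7-zip.download" and "micros0ft.com" are flagged while the genuine
sites are not. The allow-list and log lines are constructed.
"""
LEGIT = ("7-zip.org", "github.com", "microsoft.com")

# Digit-for-letter swaps commonly used in lookalike names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s"})

# Constructed DNS log: timestamp, client, verb, query name, record type.
DNS_LOG = """\
2024-08-05T09:12:01Z host-17 query 7-zip.org A
2024-08-05T09:12:44Z host-17 query 7-zlp.org A
2024-08-05T09:13:10Z host-22 query 7-zip.download A
2024-08-05T09:14:02Z host-09 query www.github.com A
2024-08-05T09:15:37Z host-09 query githib.com A
2024-08-05T09:15:58Z host-22 query micros0ft.com A
2024-08-05T09:16:00Z host-31 query example.net A
"""


def registrable(domain: str) -> str:
    """Naive registrable domain: the last two labels, lowercased."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance using a single-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, legit=LEGIT):
    """Return the legitimate domain that `domain` imitates, or None."""
    cand = registrable(domain)
    if "." not in cand or cand in legit:
        return None  # bare hostnames and the genuine sites pass
    cand_name = cand.rsplit(".", 1)[0].translate(CONFUSABLES)
    best, best_dist = None, None
    for site in legit:
        name = site.rsplit(".", 1)[0]
        # Short names tolerate one edit, longer names two; a distance of
        # zero here means the same name under a different TLD.
        limit = 1 if len(name) <= 5 else 2
        dist = levenshtein(cand_name, name)
        if dist <= limit and (best_dist is None or dist < best_dist):
            best, best_dist = site, dist
    return best


def scan_log(log: str = DNS_LOG) -> list:
    """Return (client, queried domain, imitated site) for each lookalike."""
    hits = []
    for line in log.splitlines():
        _ts, client, _verb, qname, _qtype = line.split()
        target = lookalike_of(qname)
        if target:
            hits.append((client, qname, target))
    return hits


if __name__ == "__main__":
    for client, qname, target in scan_log():
        print(f"{client}: {qname} looks like {target}")
```

This catches misspellings, digit substitutions and a genuine name under the wrong TLD, but not a brand buried in a subdomain of an unrelated registrable domain, nor IDN homoglyphs; treat it as a triage filter to run alongside the indicators of compromise Symantec published rather than a replacement for them.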
Break Into Tech with 0 experience | Founder @ Rich in Tech | Keynote Speaker | Advisor | Father x1 | GIG
7 months ago: Love the consistency my man! Let's go