The Ntirety Weekly Threat Intelligence Report: October 07, 2024

Welcome to Ntirety's Threat Intelligence Summary, where our elite Security and Threat Response Team delivers critical insights and expert analysis. Each report highlights the most pressing cyber threats and vulnerabilities currently active, to educate and raise awareness among our partners, customers, and the broader community. Committed to securing mission-critical data, Ntirety's managed security services proactively monitor and combat these threats to ensure the safety of our customers.


Industry Breaches:

  • University Medical Center: One of the largest hospitals in West Texas has been forced to divert ambulances after a ransomware attack shut down many of its systems last Thursday. The University Medical Center Health System in Lubbock confirmed on Friday that IT outages are being caused by a ransomware incident.
  • Community Clinic of Maui: The clinic, also known as Mālama, said the hackers had access to personal data between May 4 and May 7, stealing information including Social Security numbers, passport numbers, financial account numbers with CVV numbers and expiration dates as well as troves of data on medical treatments.
  • Rackspace: Cloud hosting provider Rackspace suffered a data breach exposing "limited" customer monitoring data after threat actors exploited a zero-day vulnerability in a third-party tool used by the ScienceLogic SL1 platform.
  • Wayne County, Michigan: Wayne County, Michigan is dealing with a cyberattack that has shut down all government websites and limited the operations of several offices. Home to Detroit, the county is the largest in the state with more than 1.75 million residents.
  • Highline Public Schools: On Thursday, K-12 school district Highline Public Schools confirmed that a ransomware attack forced it to shut down all schools in early September. Highline Public Schools has over 2,000 staff members and offers programs ranging from early childhood education to college preparation. It serves over 17,500 students across 34 schools in the Burien, Des Moines, Normandy Park, SeaTac, and White Center communities in Washington State.

Threats to Watch:

  • WatchGuard: Cybersecurity firm RedTeam Pentesting GmbH has disclosed two critical vulnerabilities, CVE-2024-6592 and CVE-2024-6593, in WatchGuard’s Authentication Gateway (also known as Single Sign-On Agent) and Single Sign-On Client software, potentially impacting thousands of organizations.
  • TI WooCommerce Wishlist: A critical security vulnerability has been discovered in the widely-used WordPress plugin, TI WooCommerce Wishlist, potentially exposing over 100,000 websites to malicious attacks. The flaw, tracked as CVE-2024-43917 with a CVSS score of 9.3, allows unauthenticated users to execute arbitrary SQL queries, potentially granting them full control over affected websites.
  • Zimbra: The bug, identified as CVE-2024-45519, is present in the Zimbra postjournal service component for email journaling and archiving. It allows an unauthenticated remote attacker to execute arbitrary commands on a vulnerable system and take control of it.
  • FIN6: A long-active threat group known for targeting multinational financial organizations has been impersonating job seekers in order to target talent recruiters. The method is a spear-phishing campaign spreading the "more_eggs" backdoor, which is capable of executing secondary malware payloads.
  • PHP: The PHP project has recently released a security advisory, addressing several vulnerabilities affecting various versions of PHP. These vulnerabilities range from potential log tampering to arbitrary file inclusion and data integrity violations. It is strongly recommended that all PHP users update their systems to the latest patched versions immediately.
  • Stonefly: The North Korean-based Stonefly group, also known by aliases such as APT45 and Silent Chollima, has been observed continuing its financially motivated cyber-attacks against US organizations despite a recent indictment by the US Department of Justice (DoJ).
  • Prince: Proofpoint researchers identified a campaign impersonating the British postal carrier Royal Mail delivering Prince ransomware. Prince is a ransomware variant freely available on GitHub with a “disclaimer” that it is only designed for educational purposes.
  • perfctl: A multipurpose and mysterious malware dropper has been terrorizing Linux servers worldwide for years, infecting untold thousands of victims with cryptomining and proxyjacking malware. A fresh analysis has exposed its secrets — and a vast treasure trove of tens of thousands of exploit paths for compromising its targets.
  • CosmicSting: The CosmicSting vulnerability (CVE-2024-34102) is a critical severity information disclosure flaw; when chained with CVE-2024-2961, a security issue in glibc's iconv function, an attacker can achieve remote code execution on the target server.
  • APT45: Three different organizations in the U.S. were targeted in August 2024 by a North Korean state-sponsored threat actor called Andariel as part of a likely financially motivated attack.


Concerned about the security of your network, systems, applications, or data? Given the ever-growing list of cyber threats, your concerns are justified.

For over 25 years, Ntirety has been at the forefront of helping organizations anticipate and stay protected from both known and emerging cyber threats. Contact us to discover how our proactive managed security services can strengthen your organization's security posture and provide peace of mind.
