This Week in Cyber 25th October 2024
Analyst Insight
This week in cyber we have seen multiple new vulnerabilities disclosed and actively exploited. The Irish Data Protection Commission (DPC) has imposed additional substantial fines on social media companies, continuing the trend seen earlier this month. Meanwhile, Microsoft researchers reported a sharp rise in ransomware attacks targeting healthcare providers. Additionally, threat researchers observed a resurgence in the Bumblebee loader campaign, signaling renewed activity in this malware strain.
Critical FortiManager Vulnerability Actively Exploited in Attacks
Fortinet has disclosed details of a critical vulnerability affecting its FortiManager product, which is known to be actively exploited in attacks. The advisory, published on Wednesday and tracked as CVE-2024-47575 with a CVSS score of 9.8 (Critical), states:
“A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.”
The advisory gives detailed guidance on which versions of FortiManager are affected and how to patch the vulnerability. If your organisation runs FortiManager, we strongly recommend following the advice within the advisory.
CISA Discloses Microsoft SharePoint Vulnerability Actively Exploited in Attacks
A vulnerability affecting Microsoft SharePoint, tracked as CVE-2024-38094 with a CVSS score of 7.2 (High), was added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue this week. Although it was disclosed in July 2024, its late addition to the KEV shows how persistently threat actors exploit vulnerabilities in outdated software, months after a patch is available.
“An unauthenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of the SharePoint Server,” Microsoft states in the vulnerability disclosure.
As always, vulnerability management is pivotal in protecting your environments. Keeping up to date with the latest patches and vendor recommendations will improve your organisation’s security posture.
Increased Trend of Ransomware Attacks on Healthcare Providers
A recent Microsoft Security Insider report outlines the increasing trend of healthcare providers being targeted by ransomware gangs. The report focuses mostly on the US healthcare sector but describes a disturbing trend for the global healthcare sector as a whole.
“Healthcare organisations prioritise patient care above all else, and if they must pay millions of dollars to avoid disruptions, they are often willing to do so,” the article states. Threat actors take advantage of the life-threatening nature of healthcare outages, which increases the chance of a successful payout. In a survey of 402 healthcare organisations, 53% paid the ransom, with payments averaging $4.4 million.
LinkedIn Fined €310 Million by Irish Data Protection Commission for GDPR Violations
Over the last month the Irish Data Protection Commission (DPC) has been cracking down on social media companies whose data practices fall foul of the General Data Protection Regulation (GDPR).
The DPC’s press release describes a €310 million fine over multiple infringements of GDPR articles. The DPC specifically raised concerns about the processing of personal data for behavioural analysis and targeted advertising; its decision concerns the “lawfulness, fairness and fairness of this processing.”
Last year, in a similar decision, the DPC imposed a €345 million fine on the popular social media app TikTok for GDPR violations in its handling of personal data relating to child users.
Bumblebee Loader Returns Despite Efforts of Operation Endgame
In late May this year, Europol conducted the largest ever operation against dropper service ecosystems. The takedown included the seizure of 2000 domains and 100 servers, searches at 16 locations and the arrest of 4 individuals. The action sought to disrupt the infamous droppers IcedID, SystemBC, Pikabot, Smokeloader and Bumblebee. Since the takedown, many of these droppers have gone silent, either ceasing activity or moving to different avenues.
However, threat researchers at Netskope have warned that the Bumblebee loader has resurfaced in a new wave of attacks. The infection chain starts with a ZIP file containing an LNK file; executing the LNK file starts a chain of processes that downloads and executes the Bumblebee payload.
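As an added example (not part of this digest or of Netskope’s research), the following Python script shows a simple triage check for the first stage of that chain: it inspects a ZIP archive and flags any member that is a Windows shell link, either by its .lnk extension or by the fixed MS-SHLLINK header, so a renamed .lnk is still caught. The sample archive and the padded link header inside it are constructed inline for the demonstration.

```python
import io
import zipfile

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the fixed LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK), serialised little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def is_shell_link(data: bytes) -> bool:
    """True if the bytes start with the Windows Shell Link header."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def find_lnk_in_zip(zip_bytes: bytes) -> list[dict]:
    """Return one finding per ZIP member that is a .lnk by extension or by content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            by_ext = info.filename.lower().endswith(".lnk")
            by_magic = is_shell_link(head)
            if by_ext or by_magic:
                findings.append(
                    {"name": info.filename, "by_ext": by_ext, "by_magic": by_magic}
                )
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a benign text file, a .lnk, and a .lnk disguised as a PDF."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56  # header only, padded; not a working link
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
        zf.writestr("invoice.lnk", fake_lnk)
        zf.writestr("report.pdf", fake_lnk)  # extension disguised, header gives it away
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_lnk_in_zip(build_sample_zip()):
        print(finding)
```

In a mail gateway or sandbox pipeline the same check would run over each attachment before delivery, with a hit routed to quarantine rather than to the user.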
The resurgence of a Bumblebee campaign is likely to attract renewed attention from the authorities following their previous crackdown.