In this issue:

Apache OFBiz ERP - zero-day hits OFBiz Enterprise Resource Planning system;
The Grand Palais Réunion des musées nationaux - a ransomware attack hits Paris amidst the Olympics;
McLaren Health Care, INC Ransom - ransomware attack on a major healthcare provider;
Hunters International - a ransomware group targets IT workers with a new Trojan;  
Cryptonator, US DoJ, German law enforcement - Crypto wallet seized by authorities; 
Google, Android - zero-day exploited in the wild, update ASAP; 
INTERPOL, I-GRIP - Authorities recover $40+ million from a BEC
National Public Data - 2.9 billion personal records exposed as a result of data scraping;
CrowdStrike, Windows - Crowdstrike discloses the official reason for the update fiasco;

Subscribe now

Vulnerability of the Week - Apache OFBiz ERP 0-day ( CVE-2024-38856)

A critical zero-day vulnerability, CVE-2024-38856, has been discovered in the Apache OFBiz ERP system, allowing pre-authentication remote code execution. With a CVSS score of 9.8, this flaw affects versions prior to 18.12.15. SonicWall reported that the vulnerability stems from a flaw in the authentication mechanism, enabling unauthenticated users to access restricted functionalities. This issue also bypasses the patch for CVE-2024-36104, resolved in version 18.12.14. The flaw resides in the override view functionality, exposing critical endpoints to unauthenticated threat actors through specially crafted requests.

[Ransomware]
The Grand Palais Réunion des musées nationaux 

The Grand Palais Réunion des musées nationaux in France suffered a ransomware attack on August 3, 2024, causing operational disruptions. The institute is currently hosting the fencing and Taekwondo competitions, as part of the Olympic Games. Systems were shut down to prevent the spread, affecting bookstores and boutiques. The museums under its management continue to operate normally. No group has yet claimed the attack. 

[Ransomware]
McLaren Health Care, INC Ransom

On Tuesday (August, 6th), McLaren Health Care hospitals' IT and phone systems were disrupted by an INC Ransom ransomware attack. The non-profit health system, with $6.5 billion in annual revenue, is investigating the breach and advises patients to bring detailed medical information to appointments due to potential data access issues. INC Ransom is a ransomware-as-a-service (RaaS) operation that surfaced in July 2023 and has since targeted organizations in both the public and private sectors.

[Ransomware]
Hunters International ransomware

The Hunters International ransomware group targets IT workers with SharpRhino, a new C# remote access trojan. The Trojan malware achieves initial infection, elevates privileges, executes PowerShell commands, and deploys ransomware. Reportedly, it uses typosquatting sites to impersonate legitimate networking tools for initial infection.

[Cryptocurrencies]
Cryptonator, US DoJ, German law enforcement

U.S. and German authorities seized Cryptonator's domain, used by ransomware gangs and darknet markets, and indicted its operator Roman Boss for money laundering and operating an unlicensed money service. Cryptonator lacked anti-money laundering controls, enabling illicit activities.

[Update]
Google, Android

Google has patched CVE-2024-36971, a high-severity Linux kernel vulnerability in Android devices. The bug, under limited, targeted exploitation, allows remote code execution. Google's August update also addressed 46 other flaws, with most rated high severity, highlighting the increasing threat of zero-day exploits by both espionage and financially motivated hackers.

[Legal]
INTERPOL, I-GRIP

INTERPOL's stop-payment mechanism, I-GRIP, recovered over $40 million stolen in a BEC attack on an unnamed commodity firm based in Singapore. This marks the largest recovery of funds from a BEC scam to date, demonstrating the effectiveness of the Global Rapid Intervention of Payments (I-GRIP) system.

[Legal]
National Public Data (Jerico Pictures)

A class action lawsuit against National Public Data (Jerico Pictures) alleges a data breach exposed 2.9 billion personal records on the dark web. The breach involved sensitive data collected through ‘scraping’ and has led to accusations of negligence. Plaintiffs seek compensation and improved data protection measures.

[Legal]
CrowdStrike, Windows

CrowdStrike's root cause analysis revealed a content validation issue in the Falcon Sensor update, causing a global Windows crash. The problem stemmed from a mismatch in input parameters during the introduction of a new IPC Template Type, undetected in testing due to wildcard matching criteria.

Resources

• The Hacker News: New Zero-Day Flaw in Apache OFBiz ERP Allows Remote Code Execution

• Bleeping Computer: France's Grand Palais discloses cyberattack during Olympic games

• Bleeping Computer: McLaren hospitals disruption linked to INC ransomware attack

• Bleeping Computer: Ransomware gang targets IT workers with new SharpRhino malware

• Bleeping Computer: Cryptonator seized for laundering ransom payments, stolen crypto

• The Record: Google says Android zero-day was exploited in the wild

• Bleeping Computer: INTERPOL recovers over $40 million stolen in a BEC attack

• Tech Radar: One of the biggest data breaches ever leaks details on billions of users — here's what we know so far

• The Hacker News: CrowdStrike Reveals Root Cause of Global System Outages

In this issue:

Acronis - an RCE vulnerability actively exploited, update now;

Dark Angels - biggest ransom ever paid in a ransomware case;

OneBlood - ransomware attack on a blood transfusion clinic;

HealthEquity - 4.3 million records breached from HealthEquity; 

Google Workspace - a flaw enabled hackers circumvent email verification;   

ServiceNow - cloud software breached with the help of two vulnerabilities; 

Delta Air Lines / CrowdStrike - An airline has launched a lawsuit against Crowdstrike after the recent update fiasco; 

Meta / Texas Attorney General - Meta to pay $1.4 billion due to privacy violation;

Subscribe now

Vulnerability of the Week - Acronis RCE (CVE-2023-45249)

Cybersecurity company Acronis has issued a warning about a critical security flaw in its Cyber Infrastructure (ACI) product that has been exploited in the wild. The vulnerability, tracked as CVE-2023-45249 (CVSS score: 9.8), allows remote code execution due to the use of default passwords. 

It impacts ACI builds:

• 5.0.1-61

• 5.1.1-71

• 5.2.1-69

• 5.3.1-53

• 5.4.4-132 

The flaw has been patched in versions: 

• 5.4 update 4.2

• 5.2 update 1.3

• 5.3 update 1.3

• 5.0 update 1.4

• 5.1 update 1.2 

Acronis discovered the issue when investigating a customer's report of performance degradation, finding crypto-mining software installed.

[Ransomware]

Dark Angels

An undisclosed Fortune 50 company paid a record-breaking $75 million ransom to the Dark Angels ransomware gang, as reported by Zscaler ThreatLabz and confirmed by Chainalysis. The largest known ransom payment was previously $40 million, paid by CNA after an Evil Corp ransomware attack.

[Ransomware]

OneBlood

A ransomware attack has severely impacted OneBlood, a major U.S. blood donation center. Operating at reduced capacity, OneBlood has implemented manual processes and asked over 250 hospitals to activate critical blood shortage protocols. They are collaborating with cybersecurity experts and officials to resolve the crisis.

[Data Breach]

HealthEquity

HealthEquity reported a data breach affecting 4.3 million people. A compromised vendor’s user accounts allowed unauthorized access to a data repository, exposing names, contact information, Social Security numbers, health plan details, diagnoses, prescription information, and payment card details (excluding card numbers).

[Data Breach]

Google Workspace

A Google Workspace authentication flaw allowed hackers to bypass email verification, impersonate companies, and access third-party services using "Sign in with Google." The vulnerability, discovered by KrebsOnSecurity, was exploited in the wild and affected thousands of accounts before Google fixed it.

[DDoS]

Microsoft

Microsoft confirmed a nine-hour outage on Tuesday was caused by a DDoS attack. The outage disrupted Microsoft 365, Azure services, and other applications. An error in DDoS defense implementation worsened the impact. A preliminary post-incident review will be released within 72 hours.

[Vulnerability]

ServiceNow

Hackers are exploiting two vulnerabilities in ServiceNow’s cloud software to steal sensitive data. Despite patches released in May and June, public disclosure led to increased attacks. The Cybersecurity and Infrastructure Security Agency warns federal agencies to patch the bugs by August 19 due to their critical severity.

[Legal]

Delta Air Lines / CrowdStrike

Delta Air Lines hired attorney David Boies to seek damages from CrowdStrike and Microsoft after a July 19 software update caused an outage, leading to widespread flight cancellations. The incident cost Delta $350-$500 million and caused CrowdStrike's shares to drop 5%. 

[Legal]

Meta / Texas Attorney General

Meta has agreed to a $1.4 billion settlement with Texas over unauthorized use of biometric data. Texas Attorney General Ken Paxton noted this is the largest state-secured settlement. Previously, Meta settled for $650 million in Illinois. Meta aims to invest further in Texas despite the settlement. 

Resources

• The Hacker News Critical Flaw in Acronis Cyber Infrastructure Exploited in the Wild

• Bleeping Computer: Dark Angels ransomware receives record-breaking $75 million ransom

• The Record: Ransomware attack on major US blood center prompts hundreds of hospitals to implement shortage protocols

• HealthCare Dive: HealthEquity data breach could affect 4.3M

• Tech Radar: Hackers bypass Google Workspace authentication to expose thousands of accounts

• Bleeping Computer: Microsoft says massive Azure outage was caused by DDoS attack  

• The Record: Critical ServiceNow vulnerabilities being targeted by hackers, cyber agency warns

• NBC: Delta hires David Boies to seek damages from CrowdStrike, Microsoft after outage

• AP: Meta agrees to $1.4B settlement with Texas in privacy lawsuit over facial recognition

In this issue:

Crowdstrike - a failed update crashes Windows, invites hackers; 
Play / VMware ESXi - ESXi vulnerability exploited by a vicious ransomware;
Telegram / Android - a raging malware campaign endangers Telegram users; 
Land Registry of Greece - hackers 400 cyberattacks and exfiltrate 1.2 GB of data; 
KnowBe4, North Korea - security company accidentally hires a N. Korean spy; Hamster Kombat - popular play-to-earn game targeted by a spyware campaign;
Verizon / TracFone Wireless - $16m settlement over three data breaches;
Lockbit - two Russian nationals plead guilty for taking part in Lockbit operations; 

Subscribe now

Vulnerability of the Week - Crowdstrike failed update

Although not a vulnerability in the classical sense, the CrowdStrike incident on July 19, 2024, caused major disruptions due to a faulty update affecting Windows workstations. Cybercriminals exploited the chaos, distributing Remcos RAT via a fake "crowdstrike-hotfix.zip" file targeting Latin American users. 

As for the initial incident, CrowdStrike has deployed a fix for its Falcon Sensor product. Impacted users should delete the file "C-00000291*.sys" from the CrowdStrike directory in Safe Mode and restart. The outage also impacted Google Cloud Compute Engine, crashing Windows VMs using csagent.sys. Airlines, banks, retail chains, hospitals, and telecom firms were affected, leading to a 15% drop in CrowdStrike shares in U.S. premarket trading.

[Ransomware]
Play / VMware ESXi

Play ransomware now targets VMware ESXi virtual machines with a new Linux locker. Trend Micro reports this variant checks for ESXi environments before executing and evades detection on Linux systems. This move indicates a broader attack strategy, exploiting the shift of enterprises to ESXi for critical data storage and hosting.

[Vulnerability]
Telegram

A Telegram for Android zero-day vulnerability dubbed 'EvilVideo' allowed attackers to send malicious APKs disguised as video files. Discovered by ESET researchers and disclosed in June 2024, it was patched in version 10.14.5 on July 11, 2024. Threat actors exploited the flaw for at least five weeks

[Data Breach]
Land Registry of Greece

Greece's Land Registry experienced a limited data breach following 400 cyberattacks over a week. Hackers stole 1.2 GB of non-sensitive administrative data but failed to access or exfiltrate key databases. Emergency measures include password resets and mandatory two-factor authentication. Operations remain unaffected and ongoing attacks are unknown.

[Malware]
KnowBe4, North Korea

KnowBe4 accidentally hired a North Korean threat actor as a software engineer. Despite thorough pre-hiring checks, the individual used a stolen identity and AI-enhanced photo. Upon receiving his workstation, he attempted to load malware. The company detected and contained the threat without any data breach or loss

[Cryptocurrency]
Hamster Kombat

Cybercriminals are exploiting the popularity of the Hamster Kombat game, which has over 250 million players, by distributing fake Android and Windows apps that install spyware and information-stealing malware. Launched in March 2024, the game involves earning fictional currency and has significant growth due to a new crypto token. 

[Legal]
Verizon TracFone Wireless

Verizon Communications will pay $16 million to settle FCC charges over three data breaches at its subsidiary, TracFone Wireless. The breaches, from 2021 to 2023, involved unauthorized access to customer data due to security vulnerabilities. The settlement mandates improved data security measures by TracFone.

[Legal]
Lockbit

Two Russian nationals, Ruslan Magomedovich Astamirov and Mikhail Vasiliev, have pleaded guilty in the U.S. for their roles in the LockBit ransomware scheme. Astamirov, arrested in May 2023, and Vasiliev, extradited from Canada, face significant prison sentences. LockBit has attacked over 2,500 entities globally, demanding substantial ransoms.

Resources

• The Hacker News: Faulty CrowdStrike Update Crashes Windows Systems, Impacting Businesses Worldwide

• Bleeping Computer: Telegram zero-day allowed sending malicious Android APKs as videos

• Bleeping Computer: Greece’s Land Registry agency breached in wave of 400 cyberattacks

• Bleeping Computer: New Play ransomware Linux version targets VMware ESXi VMs

• Dark Readings: Security Firm Accidentally Hires North Korean Hacker, Did Not KnowBe4

• The Hacker News: Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware

• Bleeping Computer: Hamster Kombat’s 250 million players targeted in malware attacks

• Bleeping Computer: Verizon to pay $16 million in TracFone data breach settlement

• The Hacker News: Two Russian Nationals Plead Guilty in LockBit Ransomware Attacks

In this issue:

Exim - 1,567,109 servers exposed to a critical flaw;
AT&T - 109 million accounts breached in Snowflake April attack;
Ticket Heist - fake Paris 2024 Olympics tickets flood the market;
Kaspersky - cybersecurity giant shuts down operations in US;
Tether - stablecoin freezes $29m in Cambodia due to scams;
PHP - new critical RCE flaw discovered, update now;
regreSSHion - new flaw discovered related to the dreaded SSH bug;

Subscribe now

Vulnerability of the Week - Exim bug (CVE-2024-39929)

Censys reports that over 1.5 million Exim mail servers are vulnerable to CVE-2024-39929, a flaw allowing bypass of security filters by incorrectly parsing multiline RFC2231 header filenames. This could let attackers deliver malicious executables. As of July 10, 2024, 1,567,109 exposed Exim servers remain unpatched, mostly in the U.S., Russia, and Canada. The NSA revealed in May 2020 that Russian hackers Sandworm exploited the Exim CVE-2019-10149 flaw since August 2019. In October, Exim developers patched three zero-days, including CVE-2023-42115, exposing millions of servers to pre-auth RCE attacks.

[Data Breach]

AT&T

Metadata from nearly all call logs and texts made by AT&T customers over six months in 2022 was stolen in April via a breach of the Snowflake platform. The breach affected about 109 million accounts and involved hackers accessing and exfiltrating files containing aggregated metadata.

[Fraud]
Ticket Heist

A large-scale fraud campaign, dubbed "Ticket Heist", targets Russian-speaking users with over 700 domains selling fake tickets for the Paris 2024 Olympics. The operation exploits major sports and music events, registering about 20 new domains monthly since 2022.

[Legal]

Kaspersky

Kaspersky Lab will shut down its U.S. operations on July 20, affecting fewer than 50 employees. This follows U.S. sanctions against Kaspersky executives and its inclusion on the Entity List due to national security risks, making their operations non-viable.

[Cryptocurrency]
Tether

Tether stablecoin froze over 29 million USDT linked to a Cambodian online marketplace used for “pig butchering scams”, a type of cryptocurrency pyramid scheme. Researchers from Elliptic revealed Huione Guarantee's role in Southeast Asian cybercrime, with $11 billion in transactions over three years, primarily in USDT.

[Update]
PHP

Threat actors are exploiting the PHP flaw CVE-2024-4577 (CVSS score: 9.8) to deploy remote access trojans, cryptocurrency miners, and DDoS botnets. The vulnerability, publicly disclosed in June 2024, allows remote command execution on Windows systems using Chinese and Japanese locales by misinterpreting Unicode to ASCII conversions. Update PHP to the latest patched versions to mitigate the risk of exploitation.

[Update]
Linux - regreSSHion

The regreSSHion bug, discovered by Qualys, potentially impacts millions of OpenSSH servers. However, a new flaw related to regreSSHion, CVE-2024-6409, found by an independent researcher, Alexander Peslyak, also allows remote code execution but has a lower immediate impact. Linux distributions are releasing patches, while Windows and macOS are likely unaffected.

Resources

• Bleeping Computer: Critical Exim bug bypasses security filters on 1.5 million mail servers

• The Record: Hackers stole ‘nearly all’ call logs over six months from AT&T

• Bleeping Computer: Kaspersky is shutting down its business in the United States

• Bleeping Computer: Ticket Heist fraud gang uses 700 domains to sell fake Olympics tickets

• The Record: Tether freezes $29 million of cryptocurrency connected to Cambodian marketplace accused of fueling scams

• The Hacker News: PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks

• Security Week: Microsoft Says Windows Not Impacted by regreSSHion as Second OpenSSH Bug Is Found

In this issue:

Ghostscript - RCE affecting Ghostscript document conversion toolkit;
Eldorado RaaS - new player on the ransomware scene targets 16 victims worldwide;
Ticketmaster/Sp1derHunters - hacker group prints out additional 39k tickets;
Neiman Marcus - 31m customers affected, and not 64k as first reported;
PhilHealth/Medusa Ransomware - 42m leaked sets of data: lawmakers demand immediate explanation;
Polyfill.io/Hertzer CSP - a supply chain attack via cloud affects Mercedes, Warner Bros, Hulu…
Operation MORPHEUS - a crackdown on servers using Cobalt Strike for malicious purposes;

Subscribe now

Vulnerability of the Week - Ghostscript RCE (CVE-2024-29510) - Update Now

A remote code execution vulnerability in the Ghostscript document conversion toolkit (CVE-2024-29510) is being actively exploited. This flaw affects Ghostscript 10.03.0 and earlier, allowing attackers to bypass the -dSAFER sandbox and perform high-risk operations like command execution and file I/O. Ghostscript is widely used in Linux systems and various document conversion software. Security researchers recommend updating to the latest version to mitigate the risk. Attackers are already exploiting this vulnerability by using EPS files disguised as JPGs to gain shell access to vulnerable systems.

For more update information go here.

In other news

[Ransomware]
Eldorado RaaS

Eldorado is an emerging ransomware-as-a-service (RaaS) operation targeting Windows and Linux systems with variants for different platforms. It uses Golang, Chacha20 for file encryption, and RSA-OAEP for key encryption. Its data leak site lists 16 victims as of June 2024, including companies in the U.S., Italy, and Croatia.

[Data Breach]
Ticketmaster - Sp1derHunters

In an extortion campaign against Ticketmaster, hackers leaked 39,000 print-at-home tickets for 150 events, including Pearl Jam and Foo Fighters. The group 'Sp1derHunters' sells data stolen from Snowflake accounts. Initially, the hackers demanded $500,000, later raising it to $2 million after leaking 166,000 Taylor Swift ticket barcodes. Ticketmaster claims the data is useless due to their SafeTix technology, which refreshes barcodes frequently.

[Data Breach]
Neiman Marcus 

A May 2024 data breach at Neiman Marcus exposed over 31 million customer email addresses, despite the company reporting only 64,472 affected people. The breach included names, contact information, birth dates, gift card info, transaction data, partial credit card numbers, Social Security numbers, and employee IDs.

[Data Breach]
PhilHealth - Medusa Ransomware

PhilHealth is under scrutiny for not informing over 42 million individuals of a data breach from a ransomware attack last fall. Lawmakers demand a status report and notification plan be issued this week. The Medusa ransomware attack in September 2023 compromised data, affecting the health information of millions.

[Supply Chain Attack]
Polyfill.io - Hertzer CSP

​​The Polyfill.io supply chain attack is more extensive than initially believed, impacting over 380,000 hosts, with around 237,700 located in Hetzner’s cloud network. Prominent companies like WarnerBros, Hulu, Mercedes-Benz, and Pearson have been affected, embedding malicious scripts in their HTTP responses as of July 2, 2024.

[Legal]
Operation MORPHEUS

Operation MORPHEUS, a coordinated law enforcement effort, dismantled nearly 600 servers linked to cybercriminals using Cobalt Strike. The crackdown targeted unlicensed versions of this pen-testing tool from June 24-28, 2024. The operation involved global authorities and was led by the UK NCA, rendering 590 of 690 flagged IP addresses inaccessible.

Resources

• Bleeping Computer: RCE bug in widely used Ghostscript library now exploited in attacks

• The Hacker News: New Ransomware-as-a-Service 'Eldorado' Targets Windows and Linux Systems

• Bleeping Computer: Hackers leak 39,000 print-at-home Ticketmaster tickets for 154 events

• Bleeping Computer: Neiman Marcus data breach: 31 million email addresses found exposed

• The Record: Philippine lawmakers grill health agency executive over breach affecting 42 million people

• The Hacker News: ​​Polyfill[.]io Attack Impacts Over 380,000 Hosts, Including Major Companies

• The Hacker News: Global Police Operation Shuts Down 600 Cybercrime Servers Linked to Cobalt Strike

In this issue:

RegreSSHion - new OpenSSH RCE vulnerability threatening hundreds of thousands of servers.
Prudential / ALPHV - Financial confirms more 2.5 M records leaked.
TeamViewer / Cozy Bear - Russian APT29 hacks the major software company.
Indonesian National Data Center / Brain Cipher - new Lockbit 3.0-based ransomware wreaks havoc in Indonesia.
Cisco / Velvet Ant - a 0-day vulnerability, discovered and patched by Cisco, exploited by a Chinese hacking group.
Ollama - the AI platform discovered and patched a critical vulnerability.
Operation First Light - international law enforcement arrests nearly 4,000 people accused of various accounts of cybercrime.

Subscribe now

Vulnerability of the Week - CVE-2024-6387 (RegreSSHion)

A new OpenSSH unauthenticated remote code execution (RCE) vulnerability, "regreSSHion," grants root privileges on glibc-based Linux systems. Discovered by Qualys in May 2024, CVE-2024-6387 is due to a signal handler race condition in sshd, allowing unauthenticated remote attackers to execute arbitrary code as root. If a client does not authenticate within LoginGraceTime, sshd's SIGALRM handler is called and executes non-async-signal-safe functions. Around 7.3 million SSH servers are exposed to the threat.

Exploiting this flaw could lead to full system takeover, malware installation, and data manipulation. Despite its severity, regreSSHion is hard to exploit and requires multiple attempts.

Check if you’re vulnerable to RegreSSHion on my website https://regresshion.sh/.

In other news

[Data Breach]
Prudential - ALPHV

Prudential Financial disclosed that over 2.5 million individuals were affected by a February data breach, up from an initial estimate of 36,000. The ALPHV/Blackcat ransomware gang claimed responsibility for the attack, which compromised sensitive personal information.

[Data Breach]
TeamViewer - Cozy Bear

TeamViewer confirmed a breach by Russian hacking group APT29 (Cozy Bear) in its corporate IT environment. The incident, traced to compromised employee credentials, exposed employee directory data and encrypted passwords, but did not compromise customer data or the product environment, which are segregated.

[Ransomware]
Indonesian National Data Center - Brain Cipher

Brain Cipher, a new ransomware operation, has targeted organizations globally, notably attacking Indonesia's temporary National Data Center on June 20th. This attack encrypted government servers and disrupted critical services. Brain Cipher, created partly from the leaked LockBit 3.0 builder, demanded $8 million in Monero cryptocurrency for decryption and data non-disclosure.

[Update]
Cisco - Velvet Ant

Cisco patched an NX-OS zero-day (CVE-2024-20399) exploited in April by the Chinese state-sponsored group Velvet Ant. The flaw allowed local attackers with admin privileges to execute root commands on switches. Cisco advises regular credential changes for network-admin and vdc-admin users.

[Update]
Ollama

Cybersecurity researchers have detailed a critical RCE vulnerability (CVE-2024-37032) in the Ollama AI platform, codenamed Probllama. The flaw, due to insufficient input validation, allows remote code execution via path traversal. Patched in version 0.1.34, the issue was disclosed on May 5, 2024.

[Legal]
Operation First Light

International law enforcement dismantled online scam networks in 61 countries, arresting over 3,900 suspects and seizing $257 million. Operation First Light targeted phishing, investment fraud, fake online shopping sites, romance scams, and impersonation scams, identifying 14,600 additional suspects and freezing 6,745 bank accounts.

Resources

• Bleeping Computer: New regreSSHion OpenSSH RCE bug gives root on Linux servers

• The Record: TeamViewer says Russia’s ‘Cozy Bear’ hackers attacked corporate IT system

• Bleeping Computer: Meet Brain Cipher — The new ransomware behind Indonesia's data center attack

• Bleeping Computer: Prudential Financial now says 2.5 million impacted by data breach

• Bleeping Computer: Cisco warns of NX-OS zero-day exploited to deploy custom malware

• The Hacker News: Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool

• The Record: Nearly 4,000 arrested in global police crackdown on online scam networks

  Thanks for reading Cyber Dispatch! Subscribe for free to receive new posts and support my work.

The month of May is behind us, and many exciting cybersecurity news are worth mentioning. If you missed them, check out the latest monthly edition of Cyber Dispatch. Highlights definitely include IntelBroker’s stunt of breaking into Europol, the subsequent revenge act of FBI shutting down BreachForums. In other news, Windows has launched an AI feature that triggers some dubious privacy concerns…

The rundown:

VMware ESXi - Vulnerabilities actively exploited by ransomware groups;
IntelBroker/Europol - Allegedly leaked sensitive data from the European law enforcement agency;
BreachForums/FBI - FBI swiftly took control of a notorious dark web forum;
Dell - Data of 49 million customers leaked;
Lockbit - Website back online, now in police hands, leader's identity revealed;
UK Ministry of Defence - 270,000 sensitive data leaked from UK Ministry of Defence;
Tinyproxy - Critical vulnerability endangering tens of thousands of devices;
REvil - One of the leaders of the group responsible for the Kaseya attack 2021 convicted;
Incognito Market - Founder of one of the largest dark web drug markets arrested;
Apache Flink - Three-year-old vulnerability patched due to increased exploitation;
Google Chrome - Third 0day in seven days, totaling four patched 0day vulnerabilities in May;

Welcome to the third monthly overview of cybersecurity events that shaped the month of May, 2024.

[Ransomware]
VMWare ESXi vulnerabilities actively exploited in ransomware campaigns

Cybersecurity company Sygnia conducted an investigation and identified the modus operandi of a series of ransomware attacks exploiting vulnerabilities in VMware ESXi virtual machine solutions. The vulnerabilities stem from inherent configuration flaws and other weaknesses in VMware ESXi software, and some of the groups exploiting these vulnerabilities include LockBit, HelloKitty, BlackMatter, Akira, BlackCat, among others. Users are advised to enhance monitoring, implement adequate event logging, and regularly update backups.

[Ransomware]
Lockbit site back online, now in police hands

The previously shut down Lockbit forum, used for communicating ransomware group operations, has been restored to function, albeit in a completely different role. The police seized the site in February and have now released it along with data obtained during the investigation. The identity of the group's alleged leader, Russian national Dmitry Horoshev, has been disclosed. The dark website was previously thoroughly infiltrated by the British cyber crime department.

[Data Breach]
IntelBroker disclosed sensitive Europol data

IntelBroker, a hacker who recently claimed access to Zscaler systems and sold them on the dark web, made headlines again, this time for allegedly stealing data from Europol. IntelBroker claims to have "hacked" into Europol's systems and accessed highly confidential information classified as "For Official Use Only." However, Europol denies the leakage of sensitive data, asserting that the hacker accessed the Europol Platform for Experts (EPE), which, despite its name, does not contain information crucial or jeopardizing their police operations.

[Legal]
In response to the data breach, the FBI seized BreachForums

If the beginning of the week was marked by the theft of Europol's data, then the swift action of the FBI and the US Department of Justice marked its end. As stated, the FBI managed to take control of BreachForums, one of the most popular platforms for distributing and reselling leaked and stolen data. This information was posted on the BreachForums website and Telegram channel.

[Data Breach]
Dell - 49 million data leaked in the latest cyber attack

The American computer and computer equipment manufacturing and sales company, Dell, has issued a statement that 49 million of their users' data have leaked online. Compromised data includes warranty details, customer names, computer serial numbers, locations, and other order-related information. The hacker(s) behind this attack informed Dell about their feat, but only after putting the data up for sale. Despite this, Dell has not yet addressed the vulnerability that led to the leak, citing that they "do not negotiate with criminals."

[Data Breach]
WebTPA data breach impacts over 2.4 million individuals

WebTPA, an American company specializing in health plan administration, reported a data breach affecting nearly 2.5 million individuals. WebTPA's clients include some of the largest American insurance companies, and the current data compromise has affected companies such as Hartford, Transamerica, and Gerber Life Insurance.

[Data Breach]
Cencora discloses data breach affecting 11 major pharmaceutical companies worldwide

Cencora, a platform for pharmaceutical logistics and distribution, revealed information about a cyberattack that occurred in February, resulting in a data breach affecting 11 of the world's largest pharmaceutical companies. Among the first three affected partner companies are corporations like Novartis and Bayer. Although the stolen data has not yet been published on the internet, Cencora determined through its investigation that it includes personal data, medical diagnoses, treatment histories, and prescriptions of an unspecified number of users of these 11 pharmaceutical companies.

[Data Breach]
Over 270,000 sensitive data leaked from the UK Ministry of Defence

The British Ministry of Defence has confirmed a cyber attack resulting in the leakage of sensitive data of active duty personnel, reservists, and retirees. The leak was limited to an external system managed by a partner firm handling employee payroll. Although the central MoD system was not compromised, the leak affected up to 270,000 details, including payment, names, surnames, and banking information. It is believed that hackers associated with Chinese intelligence services are behind the attack.

[Privacy]
Microsoft Recall feature records complete computer history, including screen screenshots

Microsoft has introduced a new AI feature called Recall, which will be integrated into the new Windows 11 operating system. Recall's role is to record all computer activities, processes, operations, as well as random screen screenshots, enabling users to deeply record the complete history of the operating system. Recall is designed to work locally, encrypt data, and operate in conjunction with the MS Copilot system. However, such a feature also implies potential abuses and privacy violations by operating system distributors.

[Legal]
One of the leaders of the REvil ransomware group convicted

Ukrainian citizen Jaroslav Vasinski, known as Rabotnik, has been sentenced to 13 years in prison and fined $16 million for conducting over 2,500 ransomware attacks. Vasinski was a key member of the REvil group, which extorted over $700 million in cryptocurrencies through ransomware attacks. Additionally, REvil is responsible for the 2021 Kaseya supply chain attack. Vasinski was apprehended in Poland and extradited to the US, where he will serve his sentence.

[Legal]
Founder of Incognito Market arrested in the US

Twenty-three-year-old Taiwanese citizen Rui-Shiang Lin has been arrested in the US on charges of running Incognito Market, a dark web e-commerce platform specializing in drug trafficking. Incognito Market generated over $100 million in profits from drug trading and ceased operations in March of this year when Lin launched a campaign to extort money from all dealers on the platform, threatening to report them to the police.

[Update]
Dozens of thousands of Tinyproxy servers exposed to critical vulnerability

Over 50% of the 90,310 Tinyproxy server hosts are exposed to a critical vulnerability rated at 9.8 on the CVSS scale. Cisco Talos was the first to alert about this flaw, but Tinyproxy claims that the company poorly communicated its discovery, and the security update is still in progress. It concerns a memory corruption bug that subsequently enables remote code execution for attackers. Users are advised to remove their Tinyproxy servers from the public internet and await a patch.

[Update]
Apache Flink addresses a high-risk security vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified active exploitation of a vulnerability in Apache Flink, documented under CVE-2020-17519 dating back to 2020. This vulnerability allows attackers to read local files via the JobManager REST interface. The exploit can be remotely exploited and affects Apache Flink versions from 1.11.0 to 1.11.2. If you are using Apache Flink, update to versions 1.11.3 and 1.12.0.

[Update]
Google discovered and fixed four 0day vulnerabilities in May

Google addressed four Chrome zero-days in May 2024. A total of 8 zero-day vulnerabilities were detected by Google since the beginning of the year. Experts warn of various exploitations by attackers, emphasizing the need for prompt updates and continuous user education on cybersecurity. Google's open-source nature adds complexity to vulnerability management.

Resources

• The Hacker News: Ransomware Attacks Exploit VMware ESXi Vulnerabilities in Alarming Pattern

• CSO Online: IntelBroker steals classified data from the Europol website

• Bleeping Computer: FBI seize BreachForums hacking forum used to leak stolen data

• Malwarebytes: Dell notifies customers about data breach

• The Record: LockBit's seized darknet site resurrected by police, teasing new revelations

• CloudSEKNews: UK Ministry of Defence Confirms Cyber Attack, 270,000 Personnel Records Exposed

• The Hacker News: Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution

• The Hacker News: Ukrainian REvil Hacker Sentenced to 13 Years and Ordered to Pay $16 Million

• The Record: Dark web narcotics market’s alleged leader arrested and charged in New York

• The Hacker News: CISA Warns of Actively Exploited Apache Flink Security Vulnerability

• Bleeping Computer: Google fixes third actively exploited Chrome zero-day in a week

Welcome to the April edition of the Cyber Dispatch newsletter on information security! April witnessed a significant discovery: a nearly catastrophic campaign aimed at infecting the xz compression/decompression tool for Linux operating systems with malware. This open-source program, utilized by millions worldwide, narrowly escaped compromise. Uncovered by a Microsoft security researcher, the campaign spanned two years and relied on social engineering tactics. If the plan went through, however, it would allow attackers to develop sophisticated malicious software, granting backdoor access to all Linux systems utilizing xz.

Despite this alarming revelation, April had more in store for the cybersecurity community, underscoring the ongoing challenges and threats faced in safeguarding digital environments.

The Rundown of April cybersecurity events

Translated parts:

1. Linux - XZ Utils backdoor discovered

2. Frontier - US telco hit by a data breach

3. Hospital Simone Veil - French hospital under ransomware siege

4. Akira - ransomware group amassed $42 million since last year

5. LockBit - ransomware group hits the D.C. Department of Insurance, Securities and Banking

6. MITRE - warnings about Ivanti VPN 0-day vulnerabilities exploited

7. CrushFTP - announced a 0-day, update available

8. Palo Alto - 22,500 firewall devices exposed to a critical vulnerability

9. Hoya Corporation - Healthcare company hit by ransomware

10. French municipalities - five French municipalities under ransomware attack

11. Roku - over 500,000 user accounts compromised

12. IxMetro Powerhost / VMware ESXi - new type of ransomware attack

13. City of Hope - compromised data of cancer patients

14. SurveyLama - 4.4 million users compromised

15. D-Link NAS - 92,000 outdated devices vulnerable to critical flaw

16. PandaBuy - leaked data of 1.3 million users

17. Palo Alto Network - exploited critical 0-day vulnerability

18. Crema/Nirvana Finance - software engineer convicted of cryptocurrency theft

19. Google / EU - Google agrees to delete incognito logs

The Newsletter

[Ransomware]

One of key medical facilities in France, Hospital Simone Veil hit by bad actors

The Hospital Simone Veil in Cannes faced a cyberattack, disrupting its operations and reverting to manual processes. As a crucial medical institution in France, it serves thousands annually but hasn't disclosed ransom demands from attackers. 

Read more: Bleeping Computer: 840-bed hospital in France postpones procedures after cyberattack

[Ransomware]
Akira ransomware group amassed $42 million since last year

The FBI and European law enforcement agencies issued a warning about the Akira ransomware gang, which has targeted 250+ organizations globally, affecting businesses and critical infrastructure. Collaborating agencies published an advisory on Thursday, revealing the group's earnings of $42 million since March 2023.

Read more: The Record: Akira ransomware gang made $42 million from 250 attacks since March 2023: FBI

[Ransomware]
LockBit hits a US government institution

LockBit ransomware gang stole data from a third-party provider linked to a Washington, D.C., government agency. On April 13, they claimed to have breached the D.C. Department of Insurance, Securities and Banking, aiming to pressure for ransom payment by leaking 1GB of data.

Read more: The Record: DC city agency says LockBit claims tied to third-party attack

[Ransomware]

Hoya Corporation halts operations due to ransomware attack

Japanese giant in ophthalmic equipment manufacturing, Hoya, reported a ransomware attack that halted operations at 160 of their branches worldwide. The responsibility was claimed by the Hunters International group, demanding a $10 million ransom in cryptocurrencies. The attack crippled production, orders, and IT operations.

Read more: The Record: Japanese optics company Hoya says cyber incident affected production

[Ransomware]

New ransomware targets VMware ESXi servers

Chilean hosting provider IxMetro Powerhost reported a ransomware attack by the unknown SEXi group, encrypting VMware ESXi servers and their backups. The company, operating across North and South America, faces a ransom demand of $140 million in cryptocurrency equivalents.

Read more: Bleeping Computer: Hosting firm's VMware ESXi servers hit by new SEXi ransomware

[Ransomware]

Five municipalities in France hit by ransomware attacks

Described by French media as a "large-scale cyber attack," resembling a ransomware attack, it struck five municipalities in the Loire Valley. It's yet unknown if citizen data was compromised. The attackers remain unidentified, with only telephone lines and email servers affected. A similar attack occurred in Brittany in January, but any connection between the two incidents is undisclosed.

Read more: The Register: French issue alerte rouge after local governments knocked offline by cyber attack

[Data Breach]

Frontier hit by a cyberattack, potentialy millions of customers affected

American telecom Frontier Communications is recovering from a cyberattack where a cybercrime group breached IT systems, accessing unspecified personally identifiable information (PII). After discovering the incident, the company was forced to partially shut down some systems to prevent the threat actors from laterally moving through the network, which also led to some operational disruptions.

Read more: Bleeping Computer: Frontier Communications shuts down systems after cyberattack

[Data Breach]

Roku reports hundreds of thousands of compromised user accounts in latest breach

Streaming platform Roku disclosed a data leak affecting 576,000 user accounts. Initially reported in March with 15,000 affected accounts, the scope expanded after investigation. Attackers utilized data from various platforms to compromise valid Roku accounts through password reset mechanisms and two-factor authentication.

Read more: Bleeping Computer: Roku warns 576,000 accounts hacked in new credential stuffing attacks

[Data Breach]

City of Hope cancer clinic experiences massive data breach

A cyber attack on City of Hope cancer clinic compromised data of 827,000 patients. Initial investigation results suggest data theft between September and October of the previous year. Stolen data includes personal patient information and medical records.

Read more: Bleeping Computer: US cancer center data breach exposes info of 827,000 patients

[Data Breach]

Data of 4.4 million SurveyLama users compromised

Survey Lama, a survey conducting platform, suffered a data breach compromising 4.4 million users. Have I Been Pwned service recorded the incident, noting it involved primarily personal information, including email addresses and passwords.

Read more: Bleeping Computer: SurveyLama data breach exposes info of 4.4 million users

[Data Breach]

PandaBuy user data leaked

Data of over 1.3 million users of the Chinese shopping platform leaked due to critical vulnerabilities in the Panda Buy API. Sangierro and IntelBoker claimed responsibility and released user data, including names, contacts, and other information.

Read more: Bleeping Computer: Shopping platform PandaBuy data leak impacts 1.3 million users

[Update]

New 0-day vulnerability exploited in Palo Alto firewall solution

Cybersecurity researchers detected exploitation of a 0-day vulnerability in Palo Alto Network firewall solutions, designated CVE-2024-3400. The vulnerability creates a backdoor access, enabling remote code execution. Palo Alto released a patch; for more information, visit Palo Alto's website. Suspected attackers have ties to certain state entities, possibly members of an unnamed security service.

Read more: Bleeping Computer: 22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks

[Update]

Critical Linux backdoor vulnerability discovered

The Linux user community uncovered a malicious package in the latest version of the open-source compression tool, xz, making it vulnerable to a backdoor attack. Designated CVE-2024-3094, it affects versions from 5.6.0 to 5.6.1. Before the security patch release, it carried a risk score of 10 on the CVSS scale. The patch is available for Kali Linux and Debian.

Read more: Kali[.]org: All about the xz-utils backdoor

[Update]

Obsolete D-Link NAS devices vulnerable to critical flaw

The discovered flaw, classified as CVE-2024-3273, affects Network-Attached Storage (NAS) devices deemed obsolete but still in use. Over 92,000 such devices are vulnerable, and D-Link recommends replacing them to avoid exploitation. At risk are models DNS-320L, DNS-325, DNS-327L, and DNS-340L.

Read more: Bleeping Computer: Over 92,000 exposed D-Link NAS devices have a backdoor account

[Update]

XZ Utils strikes again, this time in Rust

Test files containing the XZ Utils backdoor were discovered in the Rust crate liblzma-sys. The affected version, 0.3.2, distributed on Crates.io, contained these files. Following disclosure, version 0.3.3 removed the files, with the previous version withdrawn. 

Read more: The Hacker News: Popular Rust Crate liblzma-sys Compromised with XZ Utils Backdoor Files

[Update]
CrushFTP announces a 0-day, update now

CrushFTP issued a private memo today alerting customers to an actively exploited zero-day vulnerability, advising immediate patching. The flaw allows attackers to escape the virtual file system, accessing system files. Using a DMZ can mitigate risks. Upgrading to version 11 is urged for v9 users. 

Read more: Bleeping Computer: CrushFTP warns users to patch exploited zero-day “immediately”

[Update]

Palo Alto warns of 22,500 firewal devices exposed to a critical vulnerability

Approximately 22,500 Palo Alto GlobalProtect firewall devices are exposed to CVE-2024-3400, a critical command injection flaw exploited since March 26, 2024. Palo Alto Networks disclosed the flaw on April 12, urging immediate mitigations until patches were released between April 14 and 18. Threat actors, including state-backed group 'UTA0218,' exploited the vulnerability to deploy a custom backdoor named 'Upstyle.' 

Read more: Bleeping Computer: 22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks

[Update]

MITRE breached via exploit of Ivanti VPN 0-day vulnerabilities

State-backed hackers exploited two zero-day vulnerabilities in Ivanti VPN to breach MITRE Corporation's systems in January 2024. Detected on the NERVE network, MITRE notified affected parties, engaged authorities, and is restoring operations. Fortunately, the breach did not impact core enterprise or partner systems.

Read more: ​​Bleeping Computer: MITRE says state hackers breached its network via Ivanti zero-days

[Legal]

Former Amazon employee sentenced to three years in prison

Software engineer, Shakib Ahmed, received a three-year prison sentence for abusing and manipulating "smart contracts," resulting in the theft of $12 million in cryptocurrencies via Crema Finance and Nirvana Finance platforms. Ahmed admitted guilt in late 2023, leading to the three-year prison sentence, becoming the first person convicted for a cyber attack on "smart contracts."

Read more: Cybersecurity News: Ex-Amazon Manager Whole Stole $10 Million Sentenced to 16 Years

[Legal]

Google agrees to delete billions of "incognito" logs under threat of lawsuits

While Apple and Meta are still under scrutiny for compliance with the new European Digital Markets Act, Google decided to align with new legal regulations in the European Union. To avoid privacy violations, they agreed to delete billions of recorded searches in the "incognito" mode, as well as block third-party cookies for five years

Read more: The Guardian: Google to destroy billions of private browsing records to settle lawsuit

Southeast Europe is known for many things, but until a few years ago, cybercrime was still not one of them. In this blog, I will examine monthly activities of international cybercrime activity that affect the region, and try to create a chronicle of increasing attacks that bear the mark of renowned malicious actors. 

This article specifically explores the cybersecurity incidents that occurred in February in Albania and Romania. Additionally, it offers a glance into a ransomware attack on Slovenia's critical infrastructure which occurred in late 2023. 

As we navigate the aftermath of these events, the aim is to illuminate the context surrounding mounting incidents in the region, which often remain obscured in the fog of sporadic news coverage. 

Without further ado, I bring you three separate cybersecurity news stories in the region that caught my attention in the past month. 

Over 100 Hospitals in Romania Knocked Out by Ransomware

In a distressing turn of events, more than 100 Romanian hospitals find themselves ensnared in the clutches of a ransomware threat, with Phobos group claiming the attack — a Russian-speaking entity renowned for exploiting vulnerabilities in the Remote Desktop Protocol for unauthorized access.

The bull's eye of the attack was the Hypocrite Information System, an integral IT management solution utilized by various healthcare institutions for managing patient data and other critical services. In response to the attack, medical personnel across the nation have resorted to the age-old practice of pen-and-paper, striving to maintain essential hospital functions.

The Romanian National Cyber Security Directorate (DNSC), in collaboration with cybersecurity experts from third-party entities, is actively engaged in investigating and containing the ongoing assault. However, as this battle unfolds, Romanian patients find themselves caught in the crossfire, their well-being hanging in the balance.

The cybercriminals behind this assault have set a hefty ransom of 3.5 Bitcoin, equivalent to over $164,500, in exchange for decrypting the vital files they've maliciously locked away.

While ransomware incidents targeting the healthcare sector are unfortunately not novel, it appears that the FBI's December 2023 crackdown on the ALPHV/BlackCat Dark Web infrastructure acted as a catalyst. 

The aftermath has seen a surge in hospital-targeted attacks, not only in the US and Germany but now reaching Romania. The resilience of local authorities in handling such a crisis is yet to be fully gauged as the country experiences the full scope of a ransomware offensive. 

Albanian Cybersecurity Under Siege: Iran-Backed Group Strikes Institutions

In the enduring shadow of Iran's geopolitical maneuvers, Albanian institutions face the looming and persistent threat of the country’s cyber warfare capacities. Air traffic control systems, Telco operators and government institutions have all fallen victim to the Teheran-backed Homeland Justice group in the past two years.  

Most recently, on February 1, Homeland Justice executed a Wiper cyberattack on INSTAT, deleting crucial national data. The INSTAT cyber attack aimed to erase data and compromised as many as 40 computers, raising concerns about the integrity of sensitive information. A similar attack targeted the Albanian parliament at the end of 2023, though the official statement claimed there was no permanent data loss. 

Homeland Justice’s motivation comes from Albania sheltering a shadowy Iranian opposition group, called the Mujahedeen-e-Khalq (MEK) and its 3,000 members. The MEK has been in Albania since 2013 and is a thorn in the side of official Teheran, which has turned to cyber pressure in hopes of arranging extradition of the group. 

The group itself is reportedly unpopular in Albania – even more so – after the recent string of attacks. Yet Albanians are bound by the 2013 agreement brokered by the USA, which stipulates that MEK can remain in the country, under the condition of refraining from political activities and abiding by the nation's laws.

Stuck in limbo, the country braces itself, as Homeland Justice announces new attacks are inbound via its Telegram channel.  

Rhysida Ransomware, Used in the Slovenian Power Plants Attack, Gets Decrypted: Is it a Little Too Late? 

In November 2023, the notorious Rhysida ransomware targeted Slovenia's electrical infrastructure, specifically at the key holding company responsible for 60% of the nation's power production. Despite the potential for catastrophic consequences, the attack did not directly impact power production, although it did leave a lingering shadow that extended into 2024.

The aftermath raises questions about HSE Holding, the Slovenian power plant company, and how it dealt with the ransomware attack. Whether they paid the ransom, independently restored their data, or are still awaiting the recovery of parts of their infrastructure remains unclear.

If the last option is the case, and they are still affected, then a recent breakthrough might just be an answer to all their prayers. 

Cybersecurity experts from Kookmin University and the Korea Internet & Security Agency (KISA) successfully cracked Rhysida's complex code. Exploiting an "implementation vulnerability" within the ransomware, they have provided a strong foothold against this digital threat in the form of free-to-use decryption software. 

Whether or not this will be the silver bullet for Rhysida remains to be seen, as the group faces possibilities of mutation and resurgence or integration into emerging cartels like Lockbit and ALPHV/BlackCat.

Why is Southeast Europe Becoming a Hotbed of Cybercriminal Activity? 

While the process of digitalization in the region has seen great growth, cybersecurity lags as a marginal effort in the overall digital culture. In short, progress occurs only after a cyber attack already happened. 

Yet, relying solely on this reactive approach falls short of achieving robust security for organizations. Legal frameworks, both nationally and internationally, along with collaborative efforts, are still in their infancy. In turn, this offers additional maneuvering space for attackers.

Simultaneously, geopolitical motivations cast a shadow over the Balkans, enticing nation-state hackers to breach the digital defenses of vulnerable institutions for political pressure as seen between Iran and Albania.

In essence, the region is poised to remain a breeding ground for high-profile cybercrime attacks unless comprehensive strategies and substantial investments fortify the cybersecurity landscape. Achieving this feat will undoubtedly encounter numerous setbacks and will demand years of concerted effort, but it is what needs to be done if the region plans to counter the surging cyber risk demonstrated in the attacks listed above. 

Did you like this article? Subscribe to Cyber Dispatch and follow me for more insights on the exciting cyber landscape of Southeast Europe. 

Resources

• Albanian Post: ‘Homeland Justice’, is it a whole network of Iranian hackers with real threats to the Government?

• Anadolu Agency: Albania blames Iranian-backed group for cyberattack on its statistical institute

• Associated Press: Police raid Iranian opposition camp in Albania, seize computers

• The Register: Korean eggheads crack Rhysida ransomware and release free decryptor tool

• Dark Readings: Slovenian Electrical Utility HSE Suffers Ransomware Attack

Tigo, Black Hunt

On January 4, Tigo, Paraguay's leading mobile phone company that serves half of the country’s 6.7 million people, suffered a security incident impacting infrastructure and specific services for corporate customers. The country’s military attributed the attack to the Black Hunt ransomware group, claiming that it impacted more than 300 companies downstream. Tigo tried to downplay the effect of the attack initially, but is now collaborating with affected organizations and assures that internet, phone, and wallet services beyond the corporate segment remain unaffected. 

[Ransomware]

Bosch, Nozomi

Researchers at Nozomi Networks identified vulnerabilities in Bosch's pneumatic torque wrench, commonly used in automotive production lines. The flaws, not yet exploited, pose ransomware risks. Threat actors could compromise tightening programs, affecting torque levels, operational performance, and safety measures making ransomware attacks very likely, as they can potentially cause severe production stoppages and financial losses. Bosch acknowledged the issues, stating a patch will be released by the end of the month. 

[Ransomware]

Katholische Hospitalvereinigung Ostwestfalen (KHO), Lockbit

Although in the unofficial cybercriminals' code of conduct, hospitals are considered off-limits, associates of the Lockbit ransomware group have decided to break that rule. Three hospitals under the management of Katholische Hospitalvereinigung Ostwestfalen (KHO) in Germany have suffered a ransomware attack from the Lockbit group. The attack caused technical difficulties, leading to the suspension of the intensive care units' operations. The management ensures that patients' lives are not endangered.

[Ransomware]

Capital Health, Lockbit

Capital Health, a prominent healthcare organization managing numerous clinics in the U.S., recently revealed a cybersecurity crisis at the end of November 2023. While not officially confirmed by Capital Health, the Lockbit group claimed responsibility, stating they had stolen over 10 million files. However, they chose not to encrypt the hospital network to avoid endangering patient lives. This statement reflects the growing threat of ransomware attacks on healthcare institutions, particularly jeopardizing high-risk patients.

[Data Breach]

Court Services Victoria (CSV), Qilin

The Australian state of Victoria's court has fallen victim to a ransomware attack by the Qilin group, leading to the leakage of sensitive recordings of court hearings. The attack was discovered on December 21, 2023, and the incident allowed hackers to disrupt operations and gain access to the audio-visual archive containing sensitive hearing recordings. The mentioned recordings contain public and confidential information, so depending on the case, they may expose sensitive information regarding court cases. However, the announced court proceedings will not be postponed.

[Data Breach]

HealthEC

HealthEC, a company providing IT services to numerous clinics in the United States, has announced a data breach affecting approximately 4.5 million individuals. The incident is dated back to July of last year, and the leaked sensitive information includes names, addresses, dates of birth, social security numbers, taxpayer identification numbers, medical data, health insurance information, as well as billing and claims information. The perpetrator of the attack has not yet been identified.

[Crypto]

Orbit Chain 

On New Year's Eve, the Orbit Chain blockchain and DApps management platform fell victim to a cyberattack, resulting in a direct loss of $86 million in various cryptocurrencies. The attackers remain unknown, but the sophistication suggests an involvement of North Korean hackers specialized in large-scale cryptocurrency theft. Orbit Chain has cautioned users about fake profiles on the X social network promising refunds and advised them to await further official statements.

[Crypto]
SEC

The Securities and Exchange Commission's (SEC) Twitter account was compromised, with a fraudulent tweet falsely claiming approval for Bitcoin exchange-traded funds. The SEC confirmed the breach after the misleading tweet was posted last week, marking another high-profile account takeover on the social media platform, along with Mandiant earlier this month. 

[Infrastructure]

Sandworm, Kyivstar

Russian hackers, known as the Sandworm group, conducted a cyber attack on Kyivstar, Ukraine's largest telecom service provider, in December. The attack temporarily caused an internet outage for over 25 million users and wiped the data from 10,000 computers and thousands of servers on Kyivstar's network. Sandworm, closely linked to Russian military intelligence units, gained global recognition in 2015 when they caused a power outage in Ukraine.

[Update]

Apache OFBiz

Experts from Shadowserver have detected attempts to exploit a critical 0-day vulnerability in the Apache OFBiz open-source Enterprise Resource Planning (ERP) system, which is also the foundation for Atlassian Jira. The identified vulnerability can be exploited to bypass authentication and achieve server-side request forgery (SSRF), allowing attackers access to sensitive information and arbitrary code execution (ACE). The vulnerability affects Apache OFBiz versions 18.12.11 and earlier. If you are using any vulnerable versions, update to the latest version.

[Update]

Apache RocketMQ

Experts warn of a rising number of potential attackers exploiting vulnerabilities discovered in Apache RocketMQ last year, even after the company released a security patch that proved only partially effective. In a specific context, the flaw could lead to remote code execution (RCE) and affect NameServer, Broker, and Controller services. Updating NameServer to version 5.1.2/4.9.7 or newer is recommended to avoid attacks.

[Update]

Ivanti Endpoint Protection Manager (EPM)

Ivanti, a cybersecurity solutions company, alerts about a newly discovered critical flaw in its endpoint protection software (Endpoint Protection Manager). The flaw allows SQL injection, allowing potential attackers to execute arbitrary queries without authentication and gain control over devices with the EPM agent. Urgent updating or implementing other risk reduction measures outlined on the Ivanti website is advised.

[0-Day Vulnerability]

Ivant VPN 

Chinese nation-state actors are actively exploiting two critical zero-day vulnerabilities in Ivanti VPN services, allowing unauthenticated remote code execution. Discovered by Volexity in December, the vulnerabilities (CVE-2023-46805 and CVE-2024-21887) were chained together for complete system compromise, enabling attackers to run RCE, steal configuration data, modify files, and conduct reverse tunneling from the Ivanti Connect Secure VPN appliance. Ivanti announced an upcoming patch in the following days.

[Legal]

23andMe

The popular ancestry discovery app 23andMe experienced a cyber attack in November of last year, compromising the data of 6.9 million users. Recently, due to a collective lawsuit against the company, the case has reappeared in the media. However, leveraging the lack of clear guidelines in the California Privacy Rights Act, 23andMe denies responsibility for data protection, shifting blame to users who did not regularly change passwords and follow security recommendations on the website. The case is another indicator of the underdeveloped framework for user data protection globally.

[Legal]

DoJ, xDedic Marketplace

The U.S. Department of Justice has indicted 19 individuals worldwide concerning the now-defunct xDedic Marketplace, a Dark Web site for selling stolen data. Three defendants received 6.5 years in prison, eight received sentences ranging from one to five years, and one individual received five years of probation. xDedic, until its shutdown in January 2019, facilitated cybercriminals in trading stolen access credentials and personal information, affecting over 700,000 hacked computers worldwide, with estimated damages exceeding $68 million.

Resources: 

• The Recorded Future: Paraguay military warns of ‘significant impact’ of ransomware after attack on internet provider

• The Recorded Future: Vulnerabilities found in high-power Bosch wrenches popular with carmakers

• KnowBe4: Lockbit 3.0 Ransomware Disrupts Emergency Care at Multiple German Hospitals

• The Cyber Express: Capital Health Hit by Cyberattack: Traces of LockBit Foul Play Emerge

• Bleeping Computer: Victoria court recordings exposed in reported ransomware attack

• Security Week: 4.5 Million Individuals Affected by Data Breach at HealthEC

• Bleeping Computer: Orbit Chain loses $86 million in the last fintech hack of 2023

• Recorded Future: SEC's X account compromised, used to spread false bitcoin announcement

• Bleeping Computer: Russian hackers wiped thousands of systems in KyivStar attack

• Security Week: Critical Apache OFBiz Vulnerability in Attacker Crosshairs

• Bleeping Computer: Hackers target Apache RocketMQ servers vulnerable to RCE attacks

• Ars Technica: Ivanti warns of critical vulnerability in its popular line of endpoint protection software

• CSO Online: Chinese hackers exploit Ivanti VPN zero days for RCE attacks

• Ars Technica: 23andMe told victims of data breach that suing is futile, letter shows

• Hacker News: DoJ Charges 19 Worldwide in $68 Million xDedic Dark Web Marketplace Fraud