Cyber Dispatch #1: Streamlined Cybersecurity Insights
These are the events that shaped the cybersecurity frontline in the days leading up to 2024, as well as the first weeks of the new year. (29.12.2023 – 12.1.2024)
[Ransomware]
Tigo, Black Hunt
On January 4, Tigo, Paraguay's leading mobile phone company that serves half of the country’s 6.7 million people, suffered a security incident impacting infrastructure and specific services for corporate customers. The country’s military attributed the attack to the Black Hunt ransomware group, claiming that it impacted more than 300 companies downstream. Tigo tried to downplay the effect of the attack initially, but is now collaborating with affected organizations and assures that internet, phone, and wallet services beyond the corporate segment remain unaffected.
[Ransomware]
Bosch, Nozomi
Researchers at Nozomi Networks identified vulnerabilities in Bosch's pneumatic torque wrench, a tool commonly used on automotive production lines. The flaws have not been observed exploited in the wild, but they would let threat actors tamper with tightening programs, altering torque levels and undermining operational performance and safety measures. Because such tampering could cause severe production stoppages and financial losses, the researchers consider the devices an attractive ransomware target. Bosch acknowledged the issues and stated that a patch will be released by the end of the month.
[Ransomware]
Katholische Hospitalvereinigung Ostwestfalen (KHO), Lockbit
Although hospitals are considered off-limits under the unofficial cybercriminals' code of conduct, associates of the Lockbit ransomware group have decided to break that rule. Three hospitals managed by Katholische Hospitalvereinigung Ostwestfalen (KHO) in Germany have suffered a ransomware attack by the Lockbit group. The attack caused technical difficulties that led to the suspension of intensive care unit operations. Management assures that patients' lives are not endangered.
[Ransomware]
Capital Health, Lockbit
Capital Health, a prominent healthcare organization managing numerous clinics in the U.S., recently disclosed a cybersecurity incident that occurred at the end of November 2023. While Capital Health has not officially confirmed it, the Lockbit group claimed responsibility, stating that they had stolen over 10 million files but had chosen not to encrypt the hospital network so as not to endanger patients' lives. The statement reflects the growing threat that ransomware attacks pose to healthcare institutions, and to high-risk patients in particular.
[Data Breach]
Court Services Victoria (CSV), Qilin
Court Services Victoria (CSV), which administers the courts of the Australian state of Victoria, has fallen victim to a ransomware attack by the Qilin group, leading to the leak of sensitive recordings of court hearings. The attack was discovered on December 21, 2023; it disrupted operations and gave the attackers access to the audio-visual archive containing hearing recordings. The recordings contain both public and confidential information, so depending on the case they may expose sensitive details of court proceedings. Scheduled court proceedings will not be postponed.
[Data Breach]
HealthEC
HealthEC, a company providing IT services to numerous clinics in the United States, has announced a data breach affecting approximately 4.5 million individuals. The incident dates back to July of last year, and the leaked sensitive information includes names, addresses, dates of birth, social security numbers, taxpayer identification numbers, medical data, health insurance information, and billing and claims information. The perpetrator of the attack has not yet been identified.
[Crypto]
Orbit Chain
On New Year's Eve, the Orbit Chain blockchain and DApp management platform fell victim to a cyberattack, resulting in a direct loss of $86 million in various cryptocurrencies. The attackers remain unknown, but the sophistication of the operation suggests the involvement of North Korean hackers who specialize in large-scale cryptocurrency theft. Orbit Chain has cautioned users about fake profiles on the X social network promising refunds and advised them to await further official statements.
[Crypto]
SEC
The Securities and Exchange Commission's (SEC) X (formerly Twitter) account was compromised and used to post a fraudulent tweet falsely claiming approval of Bitcoin exchange-traded funds. The SEC confirmed the breach after the misleading tweet was posted last week. It is another high-profile account takeover on the platform, following the compromise of Mandiant's account earlier this month.
[Infrastructure]
Sandworm, Kyivstar
In December, Russian hackers known as the Sandworm group conducted a cyberattack on Kyivstar, Ukraine's largest telecom service provider. The attack temporarily caused an internet outage for over 25 million users and wiped the data from 10,000 computers and thousands of servers on Kyivstar's network. Sandworm, closely linked to Russian military intelligence, gained global recognition in 2015 when it caused a power outage in Ukraine.
[Update]
Apache OFBiz
Experts from Shadowserver have detected attempts to exploit a critical 0-day vulnerability in Apache OFBiz, the open-source Enterprise Resource Planning (ERP) system that also serves as the foundation for Atlassian Jira. The vulnerability can be exploited to bypass authentication and achieve server-side request forgery (SSRF), giving attackers access to sensitive information and the ability to execute arbitrary code (ACE). It affects Apache OFBiz versions 18.12.11 and earlier. If you are running any vulnerable version, update to the latest release.
[Update]
Apache RocketMQ
Experts warn of a rising number of attackers attempting to exploit vulnerabilities discovered in Apache RocketMQ last year, even after a security patch was released that proved only partially effective. Under specific conditions, the flaw can lead to remote code execution (RCE) and affects the NameServer, Broker, and Controller services. Updating NameServer to version 5.1.2 / 4.9.7 or newer is recommended to avoid attacks.
[Update]
Ivanti Endpoint Protection Manager (EPM)
Ivanti, a cybersecurity solutions company, has warned of a newly discovered critical flaw in its Endpoint Protection Manager (EPM) software. The flaw is a SQL injection that lets unauthenticated attackers execute arbitrary queries and gain control over devices running the EPM agent. Updating urgently, or implementing the other risk reduction measures outlined on the Ivanti website, is advised.
[0-Day Vulnerability]
Ivanti VPN
Chinese nation-state actors are actively exploiting two critical zero-day vulnerabilities in Ivanti VPN services that allow unauthenticated remote code execution. Discovered by Volexity in December, the vulnerabilities (CVE-2023-46805 and CVE-2024-21887) were chained together for complete system compromise, enabling attackers to achieve RCE, steal configuration data, modify files, and set up reverse tunnels from the Ivanti Connect Secure VPN appliance. Ivanti announced that a patch is coming in the following days.
[Legal]
23andMe
The popular ancestry discovery service 23andMe experienced a cyberattack in November of last year, compromising the data of 6.9 million users. The case has recently reappeared in the media because of a class-action lawsuit against the company. Leveraging the lack of clear guidelines in the California Privacy Rights Act, 23andMe denies responsibility for data protection and shifts the blame to users who did not regularly change their passwords or follow the security recommendations on its website. The case is another indicator of how underdeveloped the framework for user data protection remains globally.
[Legal]
DoJ, xDedic Marketplace
The U.S. Department of Justice has indicted 19 individuals worldwide in connection with the now-defunct xDedic Marketplace, a Dark Web site for selling stolen data. Three defendants received 6.5 years in prison, eight received sentences ranging from one to five years, and one individual received five years of probation. Until its shutdown in January 2019, xDedic enabled cybercriminals to trade stolen access credentials and personal information, affecting over 700,000 hacked computers worldwide, with estimated damages exceeding $68 million.
Resources:
Bleeping Computer: Orbit Chain loses $86 million in the last fintech hack of 2023
Recorded Future: SEC's X account compromised, used to spread false bitcoin announcement