Cyber Dispatch #2: Events That Marked April 2024
Streamlined cybersecurity insight with news from April 1st to April 24th, 2024.
Welcome to the April edition of the Cyber Dispatch newsletter on information security! April witnessed a significant discovery: a nearly catastrophic campaign aimed at infecting the xz compression/decompression tool for Linux operating systems with malware. This open-source program, utilized by millions worldwide, narrowly escaped compromise. Uncovered by a Microsoft security researcher, the campaign spanned two years and relied on social engineering tactics. Had the plan succeeded, it would have given attackers a foothold for sophisticated malicious software, granting backdoor access to all Linux systems utilizing xz.
Despite this alarming revelation, April had more in store for the cybersecurity community, underscoring the ongoing challenges and threats faced in safeguarding digital environments.
The Rundown of April cybersecurity events
1. Linux - XZ Utils backdoor discovered
2. Frontier - US telco hit by a data breach
3. Hospital Simone Veil - French hospital under ransomware siege
4. Akira - ransomware group amassed $42 million since last year
5. LockBit - ransomware group hits the D.C. Department of Insurance, Securities and Banking
6. MITRE - warnings about Ivanti VPN 0-day vulnerabilities exploited
7. CrushFTP - announced a 0-day, update available
8. Palo Alto - 22,500 firewall devices exposed to a critical vulnerability
9. Hoya Corporation - Healthcare company hit by ransomware
10. French municipalities - five French municipalities under ransomware attack
11. Roku - over 500,000 user accounts compromised
12. IxMetro Powerhost / VMware ESXi - new type of ransomware attack
13. City of Hope - compromised data of cancer patients
14. SurveyLama - 4.4 million users compromised
15. D-Link NAS - 92,000 outdated devices vulnerable to critical flaw
16. PandaBuy - leaked data of 1.3 million users
17. Palo Alto Network - exploited critical 0-day vulnerability
18. Crema/Nirvana Finance - software engineer convicted of cryptocurrency theft
19. Google / EU - Google agrees to delete incognito logs
The Newsletter
[Ransomware]
One of France's key medical facilities, Hospital Simone Veil, hit by bad actors
The Hospital Simone Veil in Cannes faced a cyberattack that disrupted its operations and forced it to revert to manual processes. As a crucial medical institution in France, it serves thousands annually; it hasn't disclosed any ransom demands from the attackers.
Read more: Bleeping Computer: 840-bed hospital in France postpones procedures after cyberattack
[Ransomware]
Akira ransomware group amassed $42 million since last year
The FBI and European law enforcement agencies issued a warning about the Akira ransomware gang, which has targeted 250+ organizations globally, affecting businesses and critical infrastructure. Collaborating agencies published an advisory on Thursday, revealing the group's earnings of $42 million since March 2023.
Read more: The Record: Akira ransomware gang made $42 million from 250 attacks since March 2023: FBI
[Ransomware]
LockBit hits a US government institution
LockBit ransomware gang stole data from a third-party provider linked to a Washington, D.C., government agency. On April 13, they claimed to have breached the D.C. Department of Insurance, Securities and Banking, aiming to pressure for ransom payment by leaking 1GB of data.
Read more: The Record: DC city agency says LockBit claims tied to third-party attack
[Ransomware]
Hoya Corporation halts operations due to ransomware attack
Hoya, a Japanese giant in ophthalmic equipment manufacturing, reported a ransomware attack that halted operations at 160 of its branches worldwide. The Hunters International group claimed responsibility and demanded a $10 million ransom in cryptocurrencies. The attack crippled production, orders, and IT operations.
Read more: The Record: Japanese optics company Hoya says cyber incident affected production
[Ransomware]
New ransomware targets VMware ESXi servers
Chilean hosting provider IxMetro Powerhost reported a ransomware attack by the unknown SEXi group, encrypting VMware ESXi servers and their backups. The company, operating across North and South America, faces a ransom demand of $140 million in cryptocurrency equivalents.
Read more: Bleeping Computer: Hosting firm's VMware ESXi servers hit by new SEXi ransomware
[Ransomware]
Five municipalities in France hit by ransomware attacks
An incident described by French media as a "large-scale cyber attack" resembling ransomware struck five municipalities in the Loire Valley. It's yet unknown whether citizen data was compromised. The attackers remain unidentified, and only telephone lines and email servers were affected. A similar attack occurred in Brittany in January, but any connection between the two incidents is undisclosed.
Read more: The Register: French issue alerte rouge after local governments knocked offline by cyber attack
[Data Breach]
Frontier hit by a cyberattack, potentially millions of customers affected
American telecom Frontier Communications is recovering from a cyberattack where a cybercrime group breached IT systems, accessing unspecified personally identifiable information (PII). After discovering the incident, the company was forced to partially shut down some systems to prevent the threat actors from laterally moving through the network, which also led to some operational disruptions.
Read more: Bleeping Computer: Frontier Communications shuts down systems after cyberattack
[Data Breach]
Roku reports hundreds of thousands of compromised user accounts in latest breach
Streaming platform Roku disclosed a data leak affecting 576,000 user accounts. Initially reported in March with 15,000 affected accounts, the scope expanded after investigation. Attackers used data leaked from other platforms to take over valid Roku accounts through password reset mechanisms and two-factor authentication.
Read more: Bleeping Computer: Roku warns 576,000 accounts hacked in new credential stuffing attacks
[Data Breach]
City of Hope cancer clinic experiences massive data breach
A cyber attack on City of Hope cancer clinic compromised data of 827,000 patients. Initial investigation results suggest data theft between September and October of the previous year. Stolen data includes personal patient information and medical records.
Read more: Bleeping Computer: US cancer center data breach exposes info of 827,000 patients
[Data Breach]
Data of 4.4 million SurveyLama users compromised
SurveyLama, a survey platform, suffered a data breach compromising 4.4 million users. The Have I Been Pwned service recorded the incident, noting it involved primarily personal information, including email addresses and passwords.
Read more: Bleeping Computer: SurveyLama data breach exposes info of 4.4 million users
[Data Breach]
PandaBuy user data leaked
Data of over 1.3 million users of the Chinese shopping platform PandaBuy leaked due to critical vulnerabilities in the PandaBuy API. Sangierro and IntelBoker claimed responsibility and released user data, including names, contacts, and other information.
Read more: Bleeping Computer: Shopping platform PandaBuy data leak impacts 1.3 million users
[Update]
New 0-day vulnerability exploited in Palo Alto firewall solution
Cybersecurity researchers detected exploitation of a 0-day vulnerability in Palo Alto Networks firewall solutions, designated CVE-2024-3400. The vulnerability enables remote code execution, which attackers used to plant backdoor access. Palo Alto released a patch; for more information, visit Palo Alto's website. The suspected attackers have ties to certain state entities, possibly members of an unnamed security service.
Read more: Bleeping Computer: 22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks
[Update]
Critical Linux backdoor vulnerability discovered
The Linux user community uncovered malicious code in the latest version of the open-source compression tool xz, giving it a backdoor. Designated CVE-2024-3094, it affects versions 5.6.0 and 5.6.1. Before the security patch was released, it carried a risk score of 10 on the CVSS scale. The patch is available for Kali Linux and Debian.
Read more: Kali[.]org: All about the xz-utils backdoor
[Update]
Obsolete D-Link NAS devices vulnerable to critical flaw
The discovered flaw, classified as CVE-2024-3273, affects Network-Attached Storage (NAS) devices deemed obsolete but still in use. Over 92,000 such devices are vulnerable, and D-Link recommends replacing them to avoid exploitation. At risk are models DNS-320L, DNS-325, DNS-327L, and DNS-340L.
Read more: Bleeping Computer: Over 92,000 exposed D-Link NAS devices have a backdoor account
[Update]
XZ Utils strikes again, this time in Rust
Test files containing the XZ Utils backdoor were discovered in the Rust crate liblzma-sys. The affected version, 0.3.2, distributed on Crates.io, contained these files. Following disclosure, version 0.3.3 removed the files and the previous version was withdrawn.
Read more: The Hacker News: Popular Rust Crate liblzma-sys Compromised with XZ Utils Backdoor Files
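The two XZ-related items above (the xz 5.6.0/5.6.1 backdoor and the liblzma-sys 0.3.2 crate) both come down to the same defender's task: find out whether the affected versions are present. The following POSIX shell functions are an added example, not code from the newsletter or from the xz or liblzma-sys projects; they classify an xz version string against the two versions the page names, extract the version from an `xz --version` banner, and scan Cargo.lock text for the liblzma-sys 0.3.2 release. The banner and Cargo.lock samples are constructed for offline use.

```shell
#!/bin/sh
# Added example: version checks for CVE-2024-3094 (xz 5.6.0 and 5.6.1, as the
# newsletter states) and for the liblzma-sys 0.3.2 crate. Not project code.

# xz_is_affected VERSION -> prints "affected" (exit 0) or "not-affected" (exit 1).
xz_is_affected() {
    case "$1" in
        5.6.0|5.6.1) echo "affected"; return 0 ;;
        *)           echo "not-affected"; return 1 ;;
    esac
}

# xz_version_from_banner BANNER -> the version number on the first line of
# `xz --version` output, whose first line reads like "xz (XZ Utils) 5.6.1".
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9.]*\).*/\1/p'
}

# cargo_lock_has_bad_liblzma LOCKTEXT -> exit 0 if a [[package]] entry for
# liblzma-sys at version 0.3.2 is present, exit 1 otherwise.
cargo_lock_has_bad_liblzma() {
    printf '%s\n' "$1" | awk '
        /^\[\[package\]\]/              { inpkg = 0 }
        /^name = "liblzma-sys"/         { inpkg = 1; next }
        inpkg && /^version = /          { if ($0 ~ /"0\.3\.2"/) found = 1; inpkg = 0 }
        END                             { exit found ? 0 : 1 }'
}

# Constructed sample inputs (not real captured files).
SAMPLE_BANNER='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

SAMPLE_LOCK_BAD='[[package]]
name = "liblzma-sys"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"'

SAMPLE_LOCK_GOOD='[[package]]
name = "liblzma-sys"
version = "0.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"'

# Stand-alone run: report on the local xz binary if one is installed.
if command -v xz >/dev/null 2>&1; then
    v=$(xz_version_from_banner "$(xz --version 2>/dev/null)")
    echo "local xz ${v:-unknown}: $(xz_is_affected "$v")"
fi
```

To check a real project, feed `"$(cat Cargo.lock)"` to `cargo_lock_has_bad_liblzma`; the awk pass resets on every `[[package]]` header so a `version` line from a neighbouring crate is never attributed to liblzma-sys.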
[Update]
CrushFTP announces a 0-day, update now
CrushFTP issued a private memo today alerting customers to an actively exploited zero-day vulnerability, advising immediate patching. The flaw allows attackers to escape the virtual file system, accessing system files. Using a DMZ can mitigate risks. Upgrading to version 11 is urged for v9 users.
Read more: Bleeping Computer: CrushFTP warns users to patch exploited zero-day “immediately”
[Update]
Palo Alto warns of 22,500 firewall devices exposed to a critical vulnerability
Approximately 22,500 Palo Alto GlobalProtect firewall devices are exposed to CVE-2024-3400, a critical command injection flaw exploited since March 26, 2024. Palo Alto Networks disclosed the flaw on April 12, urging immediate mitigations until patches were released between April 14 and 18. Threat actors, including state-backed group 'UTA0218,' exploited the vulnerability to deploy a custom backdoor named 'Upstyle.'
Read more: Bleeping Computer: 22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks
[Update]
MITRE breached via exploit of Ivanti VPN 0-day vulnerabilities
State-backed hackers exploited two zero-day vulnerabilities in Ivanti VPN to breach MITRE Corporation's systems in January 2024. The intrusion was detected on MITRE's NERVE network; MITRE notified affected parties, engaged authorities, and is restoring operations. Fortunately, the breach did not impact core enterprise or partner systems.
Read more: Bleeping Computer: MITRE says state hackers breached its network via Ivanti zero-days
[Legal]
Former Amazon employee sentenced to three years in prison
Software engineer Shakib Ahmed received a three-year prison sentence for abusing and manipulating "smart contracts," resulting in the theft of $12 million in cryptocurrencies via the Crema Finance and Nirvana Finance platforms. Ahmed admitted guilt in late 2023, leading to the three-year sentence, and became the first person convicted of a cyber attack on "smart contracts."
Read more: Cybersecurity News: Ex-Amazon Manager Who Stole $10 Million Sentenced to 16 Years
[Legal]
Google agrees to delete billions of "incognito" logs under threat of lawsuits
While Apple and Meta are still under scrutiny for compliance with the new European Digital Markets Act, Google decided to align with new legal regulations in the European Union. To avoid privacy violations, it agreed to delete billions of searches recorded in "incognito" mode and to block third-party cookies for five years.
Read more: The Guardian: Google to destroy billions of private browsing records to settle lawsuit