Cyber Dispatch #3: Streamlined Cybersecurity Insights, May 2024
News from May 1st to May 28th, 2024.
The month of May is behind us, and plenty of cybersecurity news is worth mentioning. If you missed it, check out the latest monthly edition of Cyber Dispatch. Highlights include IntelBroker's claimed break-in at Europol and the FBI's subsequent takedown of BreachForums. In other news, Windows has launched an AI feature that raises serious privacy concerns…
The rundown:
VMware ESXi - Vulnerabilities actively exploited by ransomware groups;
IntelBroker/Europol - Allegedly leaked sensitive data from the European law enforcement agency;
BreachForums/FBI - FBI swiftly took control of a notorious dark web forum;
Dell - Data of 49 million customers leaked;
LockBit - Leak site back online, now in police hands, leader's identity revealed;
UK Ministry of Defence - 270,000 sensitive records leaked from the UK Ministry of Defence;
Tinyproxy - Critical vulnerability endangering tens of thousands of devices;
REvil - One of the leaders of the group responsible for the 2021 Kaseya attack convicted;
Incognito Market - Founder of one of the largest dark web drug markets arrested;
Apache Flink - Three-year-old vulnerability patched due to increased exploitation;
Google Chrome - Third 0day in seven days, totaling four patched 0day vulnerabilities in May;
Welcome to the third monthly overview of cybersecurity events that shaped the month of May, 2024.
[Ransomware]
VMware ESXi vulnerabilities actively exploited in ransomware campaigns
Cybersecurity company Sygnia investigated a series of ransomware attacks and identified a common modus operandi: exploitation of weaknesses in the VMware ESXi hypervisor. The weaknesses stem from inherent configuration flaws and other vulnerabilities in the ESXi software, and the groups exploiting them include LockBit, HelloKitty, BlackMatter, Akira and BlackCat, among others. Users are advised to enhance monitoring, implement adequate event logging, and regularly update backups.
[Ransomware]
LockBit site back online, now in police hands
The previously shut down LockBit leak site, used to publicize the ransomware group's operations, has been brought back online, albeit in a completely different role. The police seized the site in February and have now reactivated it to publish data obtained during the investigation. The identity of the group's alleged leader, Russian national Dmitry Horoshev, has been disclosed. The site had previously been thoroughly infiltrated by British cybercrime investigators.
[Data Breach]
IntelBroker disclosed sensitive Europol data
IntelBroker, a hacker who recently claimed to have gained access to Zscaler systems and offered that access for sale on the dark web, made headlines again, this time for allegedly stealing data from Europol. IntelBroker claims to have "hacked" into Europol's systems and accessed highly confidential information classified as "For Official Use Only." Europol, however, denies that sensitive data leaked, asserting that the hacker accessed the Europol Platform for Experts (EPE), which, despite its name, holds no information critical to its police operations or capable of jeopardizing them.
[Legal]
In response to the data breach, the FBI seized BreachForums
If the beginning of the week was marked by the theft of Europol's data, the swift action of the FBI and the US Department of Justice marked its end. The FBI announced that it had taken control of BreachForums, one of the most popular platforms for distributing and reselling leaked and stolen data. The seizure notice was posted on the BreachForums website and its Telegram channel.
[Data Breach]
Dell - 49 million customer records leaked in the latest cyber attack
Dell, the American computer and computer equipment manufacturer and vendor, has issued a statement that data belonging to 49 million of its customers has leaked online. The compromised data includes warranty details, customer names, computer serial numbers, locations, and other order-related information. The hacker(s) behind the attack informed Dell of their feat, but only after putting the data up for sale. Despite this, Dell has not yet addressed the vulnerability that led to the leak, stating that it "does not negotiate with criminals."
[Data Breach]
WebTPA data breach impacts over 2.4 million individuals
WebTPA, an American company specializing in health plan administration, reported a data breach affecting nearly 2.5 million individuals. WebTPA's clients include some of the largest American insurance companies, and the current data compromise has affected companies such as Hartford, Transamerica, and Gerber Life Insurance.
[Data Breach]
Cencora discloses data breach affecting 11 major pharmaceutical companies worldwide
Cencora, a platform for pharmaceutical logistics and distribution, revealed information about a cyberattack that occurred in February, resulting in a data breach affecting 11 of the world's largest pharmaceutical companies. Among the first three affected partner companies are corporations like Novartis and Bayer. Although the stolen data has not yet been published on the internet, Cencora determined through its investigation that it includes personal data, medical diagnoses, treatment histories, and prescriptions of an unspecified number of users of these 11 pharmaceutical companies.
[Data Breach]
Over 270,000 sensitive records leaked from the UK Ministry of Defence
The British Ministry of Defence has confirmed a cyber attack resulting in the leakage of sensitive data on active duty personnel, reservists, and retirees. The leak was limited to an external system managed by a partner firm that handles employee payroll. Although the central MoD system was not compromised, the leak affected up to 270,000 records, including names, surnames, payment details, and banking information. Hackers associated with Chinese intelligence services are believed to be behind the attack.
[Privacy]
Microsoft Recall feature records complete computer history, including screenshots
Microsoft has introduced a new AI feature called Recall, which will be integrated into the new Windows 11 operating system. Recall's role is to record all computer activities, processes and operations, together with periodically captured screenshots, giving users a complete, searchable history of what happened on the system. Recall is designed to work locally, encrypt its data, and operate in conjunction with the MS Copilot system. However, such a feature also opens the door to potential abuse and privacy violations by operating system distributors.
[Legal]
One of the leaders of the REvil ransomware group convicted
Ukrainian citizen Jaroslav Vasinski, known as Rabotnik, has been sentenced to 13 years in prison and fined $16 million for conducting over 2,500 ransomware attacks. Vasinski was a key member of the REvil group, which extorted over $700 million in cryptocurrencies through ransomware attacks. Additionally, REvil is responsible for the 2021 Kaseya supply chain attack. Vasinski was apprehended in Poland and extradited to the US, where he will serve his sentence.
[Legal]
Founder of Incognito Market arrested in the US
Twenty-three-year-old Taiwanese citizen Rui-Shiang Lin has been arrested in the US on charges of running Incognito Market, a dark web e-commerce platform specializing in drug trafficking. Incognito Market generated over $100 million in profits from drug trading and ceased operations in March of this year when Lin launched a campaign to extort money from all dealers on the platform, threatening to report them to the police.
[Update]
Tens of thousands of Tinyproxy servers exposed to critical vulnerability
Over 50% of the 90,310 Tinyproxy hosts exposed on the internet are affected by a critical vulnerability rated 9.8 on the CVSS scale. Cisco Talos was the first to report the flaw, but the Tinyproxy maintainers say the company communicated its discovery poorly, and the security update is still in progress. The flaw is a memory corruption bug that can lead to remote code execution. Users are advised to remove their Tinyproxy servers from the public internet and await a patch.
[Update]
Apache Flink addresses a high-risk security vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified active exploitation of a vulnerability in Apache Flink, documented as CVE-2020-17519 and dating back to 2020. The vulnerability allows attackers to read local files via the JobManager REST interface. It can be exploited remotely and affects Apache Flink versions 1.11.0 through 1.11.2. If you are using Apache Flink, update to version 1.11.3 or 1.12.0.
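Two things a defender can do right away with the information above are to check whether a deployment falls in the affected version range and to look through web-server access logs for path-traversal attempts aimed at the JobManager REST interface. The following is an added example written for this newsletter, not code from the Apache Flink project or CISA. It assumes the REST interface is served under the /jobmanager/ path prefix and is logged by a reverse proxy in a common-log-style format; the log lines are constructed for the example. The traversal detector is general: it decodes repeated percent-encoding before looking for ".." segments, so it catches the same pattern against any path, not only the Flink one.

```python
"""Added example: Flink version check and access-log traversal scan.
Not part of the newsletter or of the Apache Flink project."""
import re
from urllib.parse import unquote

# Assumption: the JobManager REST interface is reachable under this prefix.
JOBMANAGER_PREFIX = "/jobmanager/"

# Common-log-style line: client, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic). Lines 2 and 5 carry encoded
# traversal sequences against the assumed JobManager path; line 4 carries a
# plain traversal against an unrelated path and gets a 404.
SAMPLE_LOG = """\
10.0.0.5 - - [25/May/2024:10:01:02 +0000] "GET /jobmanager/config HTTP/1.1" 200 512
10.0.0.7 - - [25/May/2024:10:01:05 +0000] "GET /jobmanager/logs/..%252f..%252fsome-local-file HTTP/1.1" 200 1893
10.0.0.9 - - [25/May/2024:10:02:10 +0000] "GET /jobs/overview HTTP/1.1" 200 2048
10.0.0.8 - - [25/May/2024:10:02:11 +0000] "GET /static/../../some-file HTTP/1.1" 404 0
10.0.0.7 - - [25/May/2024:10:02:15 +0000] "GET /jobmanager/logs/%2e%2e/%2e%2e/some-local-file HTTP/1.1" 200 1893
"""


def flink_version_affected(version: str) -> bool:
    """True for the range the advisory names: 1.11.0 through 1.11.2."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (1, 11, 0) <= (major, minor, patch) <= (1, 11, 2)


def fully_decode(path: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %252f -> %2f -> /) until the
    string stops changing, so double-encoded '..' segments are not missed."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path: str) -> bool:
    """Report whether any path segment, after decoding, is '..'."""
    clean = fully_decode(path.split("?", 1)[0]).replace("\\", "/")
    return any(segment == ".." for segment in clean.split("/"))


def scan_access_log(text: str) -> list:
    """Return one finding per request whose path contains a traversal
    segment, noting whether it targeted the assumed JobManager prefix."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not has_traversal(m["path"]):
            continue
        findings.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "path": m["path"],
            "decoded": fully_decode(m["path"]),
            "status": int(m["status"]),
            "targets_jobmanager": m["path"].startswith(JOBMANAGER_PREFIX),
        })
    return findings


if __name__ == "__main__":
    for v in ("1.11.2", "1.11.3", "1.12.0"):
        print(f"Flink {v}: {'AFFECTED' if flink_version_affected(v) else 'ok'}")
    for f in scan_access_log(SAMPLE_LOG):
        tag = "JOBMANAGER" if f["targets_jobmanager"] else "other"
        print(f"{f['ip']} {f['status']} [{tag}] {f['decoded']}")
```

A finding with a 200 status against the JobManager prefix is the one to triage first: the server answered, so the request may have returned file contents. The 404 against an unrelated path is still worth recording as reconnaissance.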
[Update]
Google discovered and fixed four 0day vulnerabilities in May
Google addressed four Chrome zero-days in May 2024, bringing the total to eight zero-day vulnerabilities patched since the beginning of the year. Experts warn of a range of exploitation by attackers and emphasize the need for prompt updates and continuous user education on cybersecurity. Chrome's open-source foundation adds complexity to vulnerability management.
Resources
The Hacker News: Ransomware Attacks Exploit VMware ESXi Vulnerabilities in Alarming Pattern
CSO Online: IntelBroker steals classified data from the Europol website
Bleeping Computer: FBI seize BreachForums hacking forum used to leak stolen data
The Record: LockBit's seized darknet site resurrected by police, teasing new revelations
CloudSEKNews: UK Ministry of Defence Confirms Cyber Attack, 270,000 Personnel Records Exposed
The Hacker News: Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution
The Hacker News: Ukrainian REvil Hacker Sentenced to 13 Years and Ordered to Pay $16 Million
The Record: Dark web narcotics market’s alleged leader arrested and charged in New York
The Hacker News: CISA Warns of Actively Exploited Apache Flink Security Vulnerability
Bleeping Computer: Google fixes third actively exploited Chrome zero-day in a week