This Month in Cybersecurity - June Edition

VMware Gives Warning of Two Critical Flaws

VMware, managed by Broadcom, has identified two critical security flaws in its vCenter Server software, which is crucial for managing virtual machines and hosts in its Cloud Foundation and vSphere suites. These flaws, CVE-2024-37079 and CVE-2024-37080, have been rated 9.8 out of 10 in severity.

The vulnerabilities involve how a specific protocol (DCE/RPC) is implemented, potentially allowing a malicious attacker to execute remote code on the vCenter Server through specially crafted network packets. Although Broadcom has not detected any exploitation of these vulnerabilities in the wild, patches for affected versions have been released.

Additionally, a third flaw, CVE-2024-37081, has been identified, which could allow a local user to elevate their privileges on the server. This issue has been rated as important (7.8 score) and also has patches available.


Data Breach at Los Angeles County Public Health Agency Affects 200,000

The County of Los Angeles’ Department of Public Health has reported a data breach affecting 200,000 individuals, stemming from a phishing attack on February 19-20, 2024, targeting 53 employees' login credentials. Attackers accessed personal details like names, birth dates, Social Security numbers, medical records, and financial information using compromised credentials.

Although it's unclear if the data was misused, the agency is notifying affected individuals and offering one year of free credit monitoring. This incident follows similar breaches in other county health agencies earlier this year, affecting thousands more individuals.


Blackbaud on the Hook for Millions More in Settlement

Blackbaud, a software company specializing in apps for education and nonprofits, has agreed to pay $6.75 million to settle with California's attorney general over a 2020 data breach. This comes months after they were able to initially avoid fines from the FTC.

The settlement criticizes Blackbaud for poor cybersecurity practices and lack of transparency regarding the breach's impact, which affected millions worldwide. The company initially downplayed the breach, only revealing its full extent months later.

This fine concludes the final state-level investigation following earlier settlements with other states and regulatory bodies totaling $49.5 million. Blackbaud is also required to improve its data security measures as part of the settlement terms.


Defensible Strategies

Learn from those who have been attacked

CISA Warns of Being Impersonated by Scammers

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a rise in impersonation scams where fraudsters pretend to be CISA employees to deceive people into giving away money or personal information. These scams often involve fake communications that appear genuine, such as emails or phone calls, and employ urgent requests or threats to manipulate victims into immediate action.

CISA emphasizes that its staff will never ask for payments via wire transfer, cryptocurrency, or gift cards, nor will they demand secrecy. If targeted, individuals are advised to hang up, verify the contact details independently, and report the incident to CISA or law enforcement to prevent further harm.

If you would like to learn more about phishing attempts or social engineering, and get your team trained on how to avoid incidents like these, please reach out to us today!


Exploiting Mistyped URLs

Web users often click hyperlinks without verifying them, assuming they're correct. However, some links may contain errors that can be exploited by malicious actors to mimic legitimate websites and trick users into disclosing personal information through phishing. This practice, known as typosquatting, involves registering misspelled domain names to capitalize on user mistakes when typing URLs.

Research reveals that many active web links lead to unregistered "phantom domains," with over 572,000 dot-com domains currently unclaimed. By registering a sample of these domains, researchers found significant traffic potential, indicating a widespread issue that could be exploited by attackers at a minimal cost.
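The pattern above, a registered domain a few keystrokes away from one you own, is something a defender can scan for in outbound links and mail. The following is an added example, not code from the research described above: it flags hostnames whose registrable domain is within a small edit distance of a protected domain, and separately flags hosts that embed a protected domain as a leading label (example.com.evil.test). The protected domains and sample links are constructed for illustration.

```python
"""Lookalike-domain detection by edit distance (added example, constructed data)."""
from urllib.parse import urlsplit

# Constructed: domains an organisation owns and wants to watch for lookalikes of.
PROTECTED = ("example.com", "cyberdefense.example")


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Simplified: the last two labels. Production code should consult a
    public-suffix list so hosts under suffixes like co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_lookalikes(urls, protected=PROTECTED, max_distance=2):
    """Return (url, protected_domain, distance) for suspicious hosts.

    distance > 0: registrable domain is a typo-distance away from a protected one.
    distance == 0: a protected domain appears embedded in a host we do not own.
    """
    findings = []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        dom = registrable_domain(host)
        if dom in protected:
            continue  # the real site or a legitimate subdomain of it
        for p in protected:
            if p in host:
                findings.append((url, p, 0))
                continue
            d = levenshtein(dom, p)
            if 0 < d <= max_distance:
                findings.append((url, p, d))
    return findings


SAMPLE_LINKS = [  # constructed inputs
    "https://www.example.com/login",
    "https://exampel.com/login",
    "https://examp1e.com/reset",
    "https://example.com.evil.test/",
    "https://unrelated.test/page",
]

if __name__ == "__main__":
    for url, target, dist in find_lookalikes(SAMPLE_LINKS):
        print(f"{url} resembles {target} (distance {dist})")
```

An edit distance of 1 or 2 also catches benign neighbours (examples.com next to example.com), so treat findings as candidates for review rather than automatic blocks, and tune max_distance to the length of the domains you protect.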

This Month in Cybersecurity - May Edition

Over 500 Organizations Hit By Ransomware

Identified in April of 2022, the organization known as Black Basta has hit more than 500 organizations globally, according to warnings put out by multiple United States government departments, including CISA and the FBI. The group operates under a Ransomware-as-a-Service (RaaS) business model and works with affiliates to conduct cyberattacks and deploy malware against victim organizations while taking a percentage of the ransom payment in exchange.

The threat agents rely on phishing and the exploitation of known vulnerabilities, especially those that have only recently been publicly disclosed. This allows Black Basta to compromise a victim’s network and then move laterally, getting deeper and deeper into the victim’s environment.

Of the 16 critical infrastructure sectors, 12 of them have been affected by these attacks, especially healthcare, which proves to be an attractive target due to their size, technological dependence, access to personal health information, and other facets. The authoring organizations of the reports urge all critical infrastructure organizations to apply the recommended mitigations to avoid ransomware attacks.


Gift Card Systems Being Targeted, Warns FBI

The FBI has raised concerns for US retailers regarding a cybercriminal group, STORM-0539 (also known as Atlas Lion), targeting employees through sophisticated phishing attacks to generate fraudulent gift cards. These attacks aim to infiltrate employee accounts and IT systems, allowing the criminals to move laterally within networks and steal sensitive data, including passwords and SSH keys.

The rise in gift card scams, resulting in $217 million in consumer losses in 2023 alone, highlights the urgency of the issue. Atlas Lion not only steals gift card details but also seeks employee and network data for potential sale or future attacks. The group's persistent tactics, including defeating multi-factor authentication, have prompted warnings from both the FBI and Microsoft, indicating the need for heightened cybersecurity measures and potential legislative action to safeguard consumers.


49 Million Customers’ Data Leaked in Dell API Hack

Dell recently notified customers about a data breach, revealing that personal data, including warranty information and order details, was stolen. The breach was attributed to a threat agent named Menelik, who accessed a portal meant for partners, resellers, and retailers by creating multiple fake accounts without verification.

Exploiting a lack of rate limiting, Menelik claimed to have harvested data from 49 million customer records over three weeks, including details on various Dell products. Although Menelik alerted Dell about the security flaw, they had already accessed the data before the company addressed the issue, underscoring the vulnerabilities associated with easy-to-access APIs and the urgent need for stricter security measures.

This incident underscores a broader trend of threat actors exploiting APIs to scrape sensitive data, with notable breaches involving Facebook, Twitter, and Trello in recent years. These breaches highlight the importance of guard rails that limit how many times an action can be performed, alongside security controls that safeguard user data.
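The guard rail the Dell incident lacked is concrete enough to show in code. The following is an added example, not Dell's code: a token-bucket rate limiter keyed by the calling partner account, paired with a detector that trips when one account looks up too many distinct identifiers in a window, which catches a slow scrape that stays under the rate limit. The endpoint shape, account names and records are constructed for illustration.

```python
"""Per-account rate limiting and enumeration detection for a lookup API
(added example with constructed data, not the vendor's code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class _Bucket:
    tokens: float
    last: float


class RateLimiter:
    """Token bucket per account: `capacity` burst, `refill_per_sec` sustained rate."""

    def __init__(self, capacity: int = 20, refill_per_sec: float = 0.5):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self._buckets: dict[str, _Bucket] = {}

    def allow(self, account_id: str, now: float) -> bool:
        b = self._buckets.get(account_id)
        if b is None:
            b = _Bucket(tokens=float(self.capacity), last=now)
            self._buckets[account_id] = b
        # Refill in proportion to elapsed time, never above capacity.
        b.tokens = min(self.capacity, b.tokens + (now - b.last) * self.refill_per_sec)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


class EnumerationDetector:
    """Flags an account that queries more than `max_distinct` identifiers per window."""

    def __init__(self, max_distinct: int = 50, window_sec: float = 3600.0):
        self.max_distinct = max_distinct
        self.window_sec = window_sec
        self._seen: dict[str, dict[str, float]] = defaultdict(dict)

    def observe(self, account_id: str, identifier: str, now: float) -> bool:
        seen = self._seen[account_id]
        seen[identifier] = now
        for ident, ts in list(seen.items()):  # expire identifiers outside the window
            if now - ts > self.window_sec:
                del seen[ident]
        return len(seen) > self.max_distinct


# Constructed sample data: service tag -> order record.
RECORDS = {f"TAG{n:05d}": {"product": "Laptop", "ship_date": "2024-01-01"} for n in range(200)}


def lookup_order(limiter, detector, account_id, service_tag, now):
    """Handle one lookup; returns an HTTP-style status and optional payload."""
    if not limiter.allow(account_id, now):
        return {"status": 429, "error": "rate limit exceeded"}
    if detector.observe(account_id, service_tag, now):
        return {"status": 403, "error": "enumeration pattern detected; account flagged"}
    rec = RECORDS.get(service_tag)
    if rec is None:
        return {"status": 404}
    return {"status": 200, "record": rec}


def simulate_scrape(n_requests: int, per_request_sec: float = 0.0):
    """Replay sequential lookups of distinct tags from one account; count outcomes by status."""
    limiter = RateLimiter(capacity=20, refill_per_sec=0.5)
    detector = EnumerationDetector(max_distinct=50)
    counts = defaultdict(int)
    for i in range(n_requests):
        resp = lookup_order(limiter, detector, "partner-0001", f"TAG{i:05d}", now=i * per_request_sec)
        counts[resp["status"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(simulate_scrape(100))                        # burst: 20 served, 80 rate limited
    print(simulate_scrape(100, per_request_sec=2.0))   # slow scrape: limiter passes, detector trips
```

The two controls are complementary: the bucket stops a burst, while the distinct-identifier count catches a patient scraper that paces requests at exactly the refill rate. The window and thresholds here are arbitrary and should be set from what a legitimate partner actually does.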


Defensible Strategies

Learn from those who have been attacked

Post Millennial Hack Affected 26 Million People

The online data breach notification service Have I Been Pwned recently added information for over 26 million individuals affected by a hack targeting The Post Millennial, a Canadian news website. The hack, which also affected its American counterpart, resulted in the defacement of both sites' front pages with fake messages purportedly from The Post Millennial's editor.

The exposed data, encompassing names, email addresses, passwords, and even physical addresses and phone numbers, raises concerns about potential misuse by threat actors. While the exact source of the leaked data remains uncertain, Have I Been Pwned decided to include it in its breach notification service to alert potentially impacted individuals.

Despite the breach, neither The Post Millennial nor its parent company, Human Events Media Group, has issued a public statement regarding the incident, emphasizing the importance of users taking proactive measures such as password resets and heightened vigilance against suspicious communications.


New Attack on VPNs

Researchers have devised a new attack that can be used against nearly all virtual private network (VPN) applications. The attack forces them to send and receive all traffic outside of the encrypted tunnel that is designed to protect it from snooping or tampering.

The attack, which the researchers have named TunnelVision, undermines the whole purpose of VPNs, which is to cloak the user’s IP address by placing all incoming and outgoing Internet traffic inside an encrypted tunnel. The researchers believe there is no way to circumvent the attack when a user is connected to a hostile network, and that the only VPNs they noted as unaffected were those running on Linux or Android.

The researchers have warned that this attack they have discovered may have been possible since 2002, and that it may have already been used in the wild.

This Month in Cybersecurity - April Edition

Ransomware Attack Costs Change Healthcare Nearly $1B

United Healthcare, the parent company of Change Healthcare, has released financial information about the recent ransomware attack that disrupted cash flow and the ability to provide care at hospitals and pharmacies across the United States. The company published its quarterly earnings results, in which it disclosed that repairs are likely to exceed $1 billion over time, including the $22 million ransom payment that was made.

The attack, attributed to an ALPHV/BlackCat-associated criminal group, saw Change Healthcare’s data held for ransom until an initial payment was made to the group. Once the company started to recover from the initial attack, a second group was able to come in and steal around 4TB of data containing personally identifiable information, setting recovery efforts back and driving up the costs of recovery.


Hotfixes for Palo Alto Zero-Day Bug in Firewall OS

Palo Alto Networks recently released an update that addresses a critical security flaw, tracked as CVE-2024-3400, in its PAN-OS platform. The vulnerability affects firewalls running versions 10.2, 11.09, and 11.1 of the OS and was found after independent researchers at Volexity noticed suspicious activity on a customer’s firewall.

Palo Alto has noted that limited attacks have been made using this vulnerability, which allows threat agents to gain unauthorized access to a system and execute harmful commands. While the hotfix has been pushed to all affected versions of the OS, Palo Alto has said that disabling device telemetry can temporarily mitigate the risk, but cannot guarantee the long-term efficacy of the practice.

Both the researchers and Palo Alto stress the importance of updating to the new, patched versions of the OS. Issues like these are a clear example of why regular maintenance of all systems, and keeping them current with the latest security patches, is imperative day to day.


Microsoft Fights Spam by Limiting Bulk Emails

Microsoft has announced measures to combat spam by implementing a daily limit of 2,000 external recipients for bulk emails sent via Exchange Online, starting in January 2025. Prior to this initiative, Microsoft did not limit the number of outgoing emails, but it now aims to prevent abuse of resources and ensure fair usage.

The new External Recipient Rate (ERR) limit will be a subset of the existing Recipient Rate limit of 10,000 recipients per day. This change will roll out in two phases, affecting newly created tenants first and then existing ones by the end of 2025.

Customers needing to exceed the ERR limit can consider using Azure Communication Services for Email, which is tailored for high-volume business-to-consumer communication. This is similar to a practice recently implemented by Google, which requires user accounts to set up SPF, DKIM, and DMARC email authentication for their domains.


Defensible Strategies

Learn from those who have been attacked

CISA Issues Warning About Breach at Sisense

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is investigating a breach at business intelligence company Sisense that may have exposed user data. The breach itself appears to stem from a compromise of Sisense’s self-managed GitLab deployment.

Whatever method the threat agents used to gain access to the company’s GitLab code repository, once inside they were able to make their way into Sisense’s Amazon S3 cloud storage. This allowed data like access tokens, email account passwords, and even SSL certificates to be accessed.

CISA has raised the concern that Sisense may not have been doing enough to protect the sensitive data, but also notes that the cleanup of the breach is largely not something Sisense can handle itself, as the data in question can only be changed by the end users of the online dashboard.


X.com Hands Gift to Phishers As it Pivots From Twitter.com

The company formerly known as Twitter has started to automatically modify links mentioning “twitter.com” to read as “x.com”, which led to dozens of new domain registrations seeking to exploit this and create convincing phishing links. Domains like “goodrtwitter.com” were registered but displayed as “goodrx.com” due to the new modification.

Most of these newly registered domains were created defensively to prevent abuse, but some were not properly limited and allowed threat agents to divert traffic away from legitimate sites. Twitter/X has since corrected the error, but the incident sparked concern and amusement from social media users and security analysts alike.
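The root cause described above is a substring replacement applied to displayed link text. The following is an added example, not X/Twitter's code: it places the naive replace (which turns goodrtwitter.com into goodrx.com) next to a rewrite that parses each URL and only changes the host when it is exactly twitter.com or a subdomain of it, so unrelated hosts that happen to contain the string are left alone. The sample text is constructed.

```python
"""Host-exact link rewriting versus naive substring replacement (added example)."""
import re
from urllib.parse import urlsplit, urlunsplit

OLD_HOST = "twitter.com"
NEW_HOST = "x.com"
_URL_RE = re.compile(r"https?://[^\s<>\"']+")


def naive_rewrite(text: str) -> str:
    """The bug class from the story: rewrite every occurrence of the substring,
    wherever it appears, so goodrtwitter.com becomes goodrx.com."""
    return text.replace(OLD_HOST, NEW_HOST)


def _is_old_host(host: str) -> bool:
    # Exact host or a label-boundary subdomain; "twitter.com.evil.test" does not match.
    return host == OLD_HOST or host.endswith("." + OLD_HOST)


def safe_rewrite_url(url: str) -> str:
    """Rewrite only when the parsed hostname is twitter.com or one of its subdomains."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not _is_old_host(host):
        return url
    new_host = NEW_HOST if host == OLD_HOST else host[: -len(OLD_HOST)] + NEW_HOST
    # Rebuild netloc so any userinfo and port survive; only the host changes.
    userinfo = parts.netloc.rsplit("@", 1)[0] + "@" if "@" in parts.netloc else ""
    port = f":{parts.port}" if parts.port else ""
    return urlunsplit(parts._replace(netloc=userinfo + new_host + port))


def safe_rewrite_text(text: str) -> str:
    """Rewrite each URL found in free text individually, leaving other text untouched."""
    return _URL_RE.sub(lambda m: safe_rewrite_url(m.group(0)), text)


SAMPLE_TEXT = "Coupons at https://goodrtwitter.com/deals and updates at https://twitter.com/cisagov"  # constructed

if __name__ == "__main__":
    print("naive:", naive_rewrite(SAMPLE_TEXT))
    print("safe: ", safe_rewrite_text(SAMPLE_TEXT))
```

The key design point is that the decision is made on the parsed hostname, compared at a label boundary, rather than on the raw string; whichever string is shown to the user should be derived from the same parsed value as the link target so the two cannot disagree.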

This Month in Cybersecurity - March Edition

WordPress Website Admins Urged to Delete Plugin

Admins who use the Malware Scanner and Web Application Firewall plugins from miniOrange on their WordPress sites are being told to remove the plugins after a critical security flaw was discovered. The flaw, tracked as CVE-2024-2172, has been rated 9.8 out of 10 for severity and affects Malware Scanner versions up to 4.7.2 and Web Application Firewall versions up to 2.1.1.

The vulnerability allows for threat agents to gain administrative access to the website through either of the two plugins, using the flaw to update user passwords and escalate their privileges to that of an administrator. Once the agent has gained access to an account and raised the privileges to that of an admin, they can upload malicious files, modify content, and potentially redirect users to harmful sites or inject spam.

Despite the plugins being permanently closed, WordPress still urges admins to remove them and notes that there are still over 10,000 active installations of the Malware Scanner and 300 of the Web Application Firewall.


Schools in Scranton, Pennsylvania Undergo Ransomware Attack

Schools in Scranton, Pennsylvania, faced a ransomware attack this week, causing IT outages and disruptions to computer systems and services. The Scranton School District is actively investigating the security breach with third-party forensic specialists to determine the source of the incident, assess its impact on systems, and restore full functionality as swiftly as possible. The district ordered staff to refrain from using electronic devices and to uninstall school-related apps from mobile devices, while acknowledging potential limitations in accessing certain files and slower system functions due to increased security measures.

The attack led to delays in classes and prompted the district to implement alternative teaching methods, such as using pencil and paper instead of Chromebooks for student tasks. While the Scranton School District has not disclosed specific details about the ransomware attack, including the identity of the ransomware family or whether there was a data breach, efforts are underway to resolve the issue promptly and securely. Cooperation from staff and the community is emphasized as the district works to mitigate the impact of the attack and return to normal operations.


New Zero-Trust Guidance Released by the NSA

The National Security Agency (NSA) has issued best-practice recommendations for federal agencies regarding cybersecurity, focusing in particular on the Network and Environment pillar of its zero-trust framework. Although the new Cybersecurity Information Sheet (CIS) is aimed at government-related agencies and industries, expert chief information security officer (CISO) Steve Winterfeld advises that the wider business world can benefit from zero-trust guidance.

The takeaways from the NSA guidance:

  1. Learn All Seven Pillars of Zero Trust

  2. Expect Attackers to Breach Your Perimeter

  3. Map Data Flows to Start

  4. Move to Macrosegmentation

  5. Mature to Software-Defined Networking

  6. Realize Progress Will Be Iterative

Experts agree that unauthorized access incidents are inevitable, the difference being whether organizations are able to catch those incidents before they become breaches. While most networks have evolved over time, rearchitecting them to fit within the new guidance will take time.


Defensible Strategies

Learn from those who have been attacked

Scareware Scam Perpetrators Sued by FTC

Two firms involved in a scareware scam have been fined $26 million by the US Federal Trade Commission (FTC) for their role in leading consumers to believe that their computers were infected with malware. The tech support scam, operated by Restoro Cyprus Limited and Reimage Cyprus Limited, was claimed to have generated tens of millions of dollars by using false and unsubstantiated claims about malware-infected computers.

The scam involved fake Microsoft Windows pop-ups claiming computers were infected with viruses, urging users to scan their computers to avoid damage. Despite the actual health of the computers, scans that “found” performance or security issues convinced users to purchase repair software, costing between $27 and $58, with false promises of urgent fixes. Investigations confirmed victims' claims, revealing that telemarketers also persuaded users to pay for additional remote access services.

The FTC plans to use the fine to compensate scammed consumers and to seek a permanent injunction against the companies if the court approves the proposed settlement.


70 Million+ Records Stolen From AT&T

Researchers have found and confirmed that data leaked on Breached claiming to be from AT&T is legitimate. The data in question is over 70 million records that were obtained from an unnamed AT&T department in 2021 by a threat agent group that goes by the moniker ShinyHunters.

AT&T has denied any data breach, and researchers have not been able to confirm that the information included in the database is specifically related to AT&T users, but the claim has been verified in all other aspects. AT&T has claimed that, after an internal investigation, the data does not appear to have come from its systems, but it did not rule out that the breach could have happened via a third party. The information included in the leak is:

  • Name

  • Phone number

  • Physical address

  • Email address

  • Social security number

  • Date of birth

Incidents like these reinforce why it is important to audit your third party risk management practices/plans. If you need any help with this, please feel free to reach out to Cyber Defense!