Keytronics attacked by BlackBasta
The electronics manufacturing company Keytronics announced that last May it fell victim to a ransomware attack conducted by the infamous BlackBasta group. As a result, the activities of Keytronics' American and Mexican sites were suspended for two weeks. BlackBasta has recently launched broad vulnerability exploitation campaigns, using flaws in ScreenConnect (CVE-2024-1708 and CVE-2024-1709), in the Windows Error Reporting service (CVE-2024-26169) and in ESXi hypervisors (CVE-2024-37085).
A popular network monitoring tool under exploitation
A new vulnerability in Progress WhatsUp Gold (CVE-2024-4885), a popular network monitoring tool, is under active exploitation. The exploitation allows threat actors to run arbitrary commands with elevated privileges, although not as an admin.
Mitigate it
Monitor exploitation attempts at the '/NmAPI/RecurringReport' endpoint and restrict access on ports 9642 and 9643 to trusted IP addresses.
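The monitoring advice above can be turned into a small log check. The script below is an added example, not Progress' own tooling or part of the original newsletter: it walks access-log lines in a constructed, simplified layout (client IP, destination port, method, path, status), flags untrusted sources that reach the '/NmAPI/RecurringReport' endpoint or the 9642/9643 ports at all, and records trusted hits on the endpoint for review. The log layout, the trusted 10.0.5.0/24 range and every sample line are assumptions made for the example.

```python
"""Flag requests to the WhatsUp Gold endpoint named in the advisory.

Added example. The access-log layout, the trusted network and the sample
lines are all constructed for illustration; adapt the regex to your server's
real log format before use.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines: client ip, destination port, method, path, status
SAMPLE_LOG = """\
10.0.5.20 9643 GET /NmConsole/ 200
203.0.113.45 9643 POST /NmAPI/RecurringReport 500
10.0.5.21 9642 GET /NmAPI/RecurringReport 200
198.51.100.7 9643 POST /nmapi/recurringreport?x=1 200
203.0.113.45 8443 GET /index.html 200
"""

# Assumed allow list of management ranges (placeholder value for the example)
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]
WATCHED_PORTS = {9642, 9643}        # ports named in the advisory
WATCHED_PATH = "/nmapi/recurringreport"

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<port>\d+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    method: str
    severity: str   # "high", "medium" or "low"
    reason: str


def is_trusted(ip: str) -> bool:
    """True when the client address falls inside an allow-listed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def hits_endpoint(path: str) -> bool:
    """Compare the path without its query string, case-insensitively, so
    casing variations of the same route are not missed."""
    return path.split("?", 1)[0].lower() == WATCHED_PATH


def scan(log_text: str) -> list[Finding]:
    """Return one Finding per line that violates the advisory's two rules."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unparseable line: skip rather than guess
        ip, port, method, path = m["ip"], int(m["port"]), m["method"], m["path"]
        trusted = is_trusted(ip)
        endpoint = hits_endpoint(path)
        if not trusted and endpoint:
            findings.append(Finding(ip, port, method, "high",
                                    "untrusted source reached /NmAPI/RecurringReport"))
        elif not trusted and port in WATCHED_PORTS:
            findings.append(Finding(ip, port, method, "medium",
                                    "untrusted source on a WhatsUp Gold port"))
        elif trusted and endpoint:
            findings.append(Finding(ip, port, method, "low",
                                    "trusted source used /NmAPI/RecurringReport (review)"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ip}:{f.port} {f.method} - {f.reason}")
```

The "low" findings matter too: the advisory's restriction is on source address, so a trusted host calling the endpoint is not an exploitation attempt by itself, but it is exactly the traffic a compromised management workstation would produce and belongs in the review queue.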
Michigan hospitals under attack
The operations of McLaren Healthcare hospitals, a not-for-profit company running 13 hospitals across Michigan, have been disrupted following a ransomware attack conducted by INC Ransom. INC Ransom is an opportunistic data extortion group known for having hacked Xerox and Yamaha Motors through the exploitation of a Citrix Netscaler vulnerability (CVE-2023-3519).
The new ESXi vulnerability affects blood donations
OneBlood, a large not-for-profit blood center serving more than 250 hospitals in the US, has been attacked by a ransomware operation apparently exploiting the new vulnerability in ESXi hypervisors (CVE-2024-37085). The flaw is currently at the center of several campaigns led by various known threat actors.
Mitigate it
Manually deny access to the “ESX Admins” group by changing settings in the ESXi hypervisor; track the Defender for Endpoint alert “Suspicious modifications to ESX Admins group”.
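Where Defender for Endpoint is not deployed, the same signal can be reconstructed from domain controller security events, since the technique hinges on a domain group literally named “ESX Admins” being created, renamed into existence, or gaining members. The script below is an added example, not Microsoft's or Broadcom's code: it runs over constructed Windows Security event records (event 4727 for a security-enabled global group being created, 4728 for a member being added to such a group, 4781 for an account rename) and returns the ones that touch that group name. The field names follow the standard Windows event schema; the sample records themselves are made up.

```python
"""Flag Active Directory events that create, rename or extend an 'ESX Admins' group.

Added example. Event IDs and field names are the standard Windows Security
log ones; the records below are constructed for illustration.
"""
from __future__ import annotations

import json

# Constructed sample records in the shape an exporter would emit for these events
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 4728, "TargetUserName": "Domain Admins",
     "MemberName": "CN=alice,OU=Users,DC=corp,DC=example", "SubjectUserName": "admin1"},
    {"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "bob"},
    {"EventID": 4728, "TargetUserName": "esx admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example", "SubjectUserName": "bob"},
    {"EventID": 4781, "OldTargetUserName": "Helpdesk",
     "NewTargetUserName": "ESX Admins", "SubjectUserName": "carol"},
    {"EventID": 4624, "TargetUserName": "ESX Admins", "SubjectUserName": "-"},
])

GROUP_NAME = "esx admins"

# Which field carries the group name for each interesting event
WATCHED = {
    4727: ("TargetUserName", "security-enabled global group created"),
    4728: ("TargetUserName", "member added to security-enabled global group"),
    4781: ("NewTargetUserName", "account renamed to the watched group name"),
}


def matches_group(name: str | None) -> bool:
    """Case-insensitive, whitespace-trimmed comparison so trivial variations
    of the group name are still caught."""
    return name is not None and name.strip().lower() == GROUP_NAME


def flag_events(ndjson: str) -> list[dict]:
    """Return alert dicts for records whose event id and group field match."""
    alerts: list[dict] = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        spec = WATCHED.get(rec.get("EventID"))
        if spec is None:
            continue   # 4624 and everything else: not a group change, ignore
        field, description = spec
        if matches_group(rec.get(field)):
            alerts.append({
                "event_id": rec["EventID"],
                "description": description,
                "actor": rec.get("SubjectUserName"),
                "member": rec.get("MemberName"),
            })
    return alerts


if __name__ == "__main__":
    for a in flag_events(SAMPLE_EVENTS):
        print(a)
```

On the host side, the "changing settings" in the mitigation refers to the ESXi advanced options that name the auto-granted admin group (Config.HostAgent.plugins.hostsvc.esxAdminsGroup) and control whether that automatic grant happens at all (Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd); the event check above is the domain-side complement, catching the attacker's group creation regardless of how individual hosts are configured.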
Disruption of Indian banks following a Jenkins vulnerability exploitation
RansomEXX has compromised Brontoo, a fintech company providing secure payment solutions to various Indian banks, including the central bank of India. The initial access, possibly gained by the infamous IntelBroker, was achieved through the exploitation of a vulnerability in Jenkins (CVE-2024-23897), a Java-based open-source automation platform with a 44% share of the CI/CD market. The RCE flaw allows attackers to read arbitrary files on the controller file system and subsequently provides access to cryptographic keys. RansomEXX is a ransomware group usually targeting large organizations, especially in the government and healthcare sectors.
Mitigate it
Disable Jenkins’ CLI endpoint and create a post-initialization script so that the endpoint remains disabled after a restart; disable the SSH server plugin that provides access to the Jenkins CLI through SSH.
A new vulnerability in Apache OFBiz
New varieties of Mirai-based botnets are exploiting a directory traversal vulnerability in Apache OFBiz (CVE-2024-32113), a widely used Java-based framework for creating ERP applications. The exploitation is easily executed by inserting a semicolon in a URL request. The flaw, which was patched last May, is apparently related to another Apache OFBiz vulnerability (CVE-2024-38856).
Mitigate it
Apply the Check Point IPS rule “ApacheOFBiz Path Traversal”.
Magniber resurfaces
There seems to be a surge in attacks conducted by Magniber, a ransomware targeting mostly individuals and SMBs worldwide. Among other methods, Magniber is skilled in weaponizing Windows zero-days, such as a 2023 Windows SmartScreen bypass flaw (CVE-2023-24880).
Chinese actors spy on Taiwan
Since 2023, the Chinese state actor APT41 has infiltrated a Taiwanese governmental institute conducting research on advanced computing. While the initial access vector remains unclear, a loader exploiting a 2018 Windows RCE vulnerability (CVE-2018-0824) was used to inject malware. APT41, a group operating for both espionage and financial gain, is known for leveraging old, pre-2019 vulnerabilities.
North Korean actors spy on South Korea
Last April, the North Korean APT45 (aka Andariel) exploited vulnerabilities in a VPN communication protocol to replace update files with remote access malware, with the aim of spying on South Korean construction and machinery companies. In parallel, in January APT43 (aka Kimsuky), another North Korean group, exploited a vulnerability in the file upload mechanism of a South Korean construction company’s website to modify the login process with malicious code. It is unclear if the two are connected.
An old design flaw in Defender SmartScreen exploited
A design vulnerability in Defender SmartScreen and Windows Smart App Control (SAC) has possibly been used by threat actors, as it has been exhibited in malware samples dating back to 2018. SmartScreen is a security feature that detects malicious links when they are clicked and is aimed at protecting users from online threats. SAC, launched with Windows 11, added further protection by blocking malicious or untrusted apps. The vulnerability lies in the handling of LNK files, and its exploitation allows attackers to bypass the security controls using different techniques, such as LNK stomping, signing malware, or reputation hijacking, seeding and tampering.
CrowdStrike's crisis follow-up
CrowdStrike published a root cause analysis of the large-scale incident that resulted in worldwide outages on July 19 and announced several changes to avoid such events in the future. Concretely, CrowdStrike will soon provide customers with more control over update installations. It will also implement stricter testing and validation procedures for Falcon’s configuration system and updates. The company is currently handling several lawsuits from its shareholders and customers, including a widely publicized dispute with Delta Air Lines.
Sources
- https://www.securityweek.com/ransomware-attack-cost-keytronic-over-17-million/
- https://www.bleepingcomputer.com/news/security/critical-progress-whatsup-rce-flaw-now-under-active-exploitation/
- https://www.bleepingcomputer.com/news/security/mclaren-hospitals-disruption-linked-to-inc-ransomware-attack/
- https://www.bleepingcomputer.com/news/security/onebloods-virtual-machines-encrypted-in-ransomware-attack/
- https://www.infosecurity-magazine.com/news/ransomexx-targets-indian-banking/
- https://isc.sans.edu/diary/Increased%20Activity%20Against%20Apache%20OFBiz%20CVE-2024-32113/31132
- https://www.bleepingcomputer.com/news/security/surge-in-magniber-ransomware-attacks-impact-home-users-worldwide/
- https://www.darkreading.com/threat-intelligence/chinas-apt41-targets-taiwan-research-institute-for-cyber-espionage
- https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-vpn-update-flaw-to-install-malware/
- https://www.elastic.co/security-labs/dismantling-smart-app-control
- https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
- https://www.crowdstrike.com/wp-content/uploads/2024/08/Channel-File-291-Incident-Root-Cause-Analysis-08.06.2024.pdf