Hunters International is gaining traction
Hunters International took credit for two large ransomware attacks performed recently: a breach into the London branch of the Chinese large bank ICBC, resulting in the exfiltration of 5.2 million files and which access has been possibly gained through an API vulnerability; and an attack against AutoCanada, compromising employee information. Hunters International is a cybercrime RaaS led by Russian hackers that inherited parts of the now-defunct Hive’s malware code. The group recently gained traction with 134 victims in 29 countries for 2024. It mostly reaches initial access through phishing and RDP vulnerabilities.
Flax Typhoon, 260K devices and 66 vulnerabilities
Last June, The FBI and the NSA dismantled issued a massive 260K devices botnet worldwide built by Flax Typhoon (aka UNC5007, Red Juliet, Ethereal Panda) – a knownChinese state actor which focusedon Taiwanese targets. until now. For initial access, the group exploited no less than 66 vulnerabilities, including Log4j and flaws in ServiceNow (CVE-2024-5217), ApacheMQ (CVE-2023-46604), Ivanti Sentry and Endpoint manager (CVE-2023-38035, CVE-2023-35081) and Citrix Netscaler (CVE-2023-3519).
When patching MOVEit is not enough
The Centers for Medicare & Medicaid Services (CMS) federal agency announced that the information of 3 million patients has been compromised in a MOVEit attack which took place more than one year ago. The initial breach took place in a Wisconsin-based health insurance corporation, which fixed the MOVEit vulnerability in June 2023, but recently found out that the data has been exfiltrated before it could apply the patch.
Three Ivanti vulnerabilities exploited in the wild
A new vulnerability in Ivanti Cloud Services Appliance (CVE-2024-8963) is exploited in the wild, apparently chained with another OS command injection flaw (CVE-2024-8190) disclosed only last week. When exploited together, the new vulnerability allows to bypass the admin authentication, required when one uses CVE-2024-8190 to run arbitrary code. In parallel, a critical authentication bypass vulnerability (CVE-2024-7593) in another Ivanti product, Virtual Traffic Manager, has also been observed in the wild.
Mitigate it
In Ivanti CSA, ensure dual-homed CSA configurations with eth0 as an internal network.
Old Oracle flaws exploited
Two old vulnerabilities in Oracle’s Fusion Middleware platform and WebLogic (CVE-2022-21445, CVE-2020-14644) have been included in CISA’s KEV list, possibly due to past exploitations. Chained together, the two allow to run command on applications relying on the ADF Faces component – impacting diverse Oracle products (Business Intelligence, ApplicationTesting Suite, WebCenter Portal, Identity Management and others).
Mitigate it
Disable the T3 and IIOP protocols.
UN1860 - an Iranian initial access provider
It has been revealed that UNC1860, an Iranian state actor mostly targeting government and telecommunication organizations in the Middle East, serves also as an initial access provider. UN1860 gains persistent access to high-priority networks through the deployment of passive backdoors later to be transferred to other Iranian actors. It reaches access by exploiting known vulnerabilities in internet-facing servers, such as an old Microsoft SharePoint flaw (CVE-2019-0604).
Mitigate it
Apply FortiGuard IPS rule “MS.SharePoint.CVE-2019-0604.Remote.Code.Execution”
Vice Society in a campaign against healthcare
Vanilla Tempest (aka Vice Society) is now using the INC ransom malware to perform attacks against the healthcare sector in the US. The group, known for attacking sensitive targets such as schools and clinics, is usually using various strains of malware such as BlackCat or Rhysida. While it gains initial access through stolen credentials, it generally elevates privileges by exploiting the PrintNightmare vulnerabilities(CVE-2021-1675, CVE-2021-34527).
Mitigate it
Download “CVE-2021-1675 | CVE-2021-34527 - PrintNightmare playbook” from Cortex XSOAR MarketPlace and apply the recommendations; Apply Trend Micro IPS rules 1011016 and 1011018.
Vulnerabilities exploited against health organizations
A new report shows a rise in attacks against the healthcare sector in 2024, as over 14 million people have been impacted by data breaches this year in the US. Specifically, ransomware groups have targeted known vulnerabilities against the health sector, 60% of them in Microsoft Exchange such as ProxyShell and Proxylogon. Other exploited flaws include vulnerabilities in PaperCut servers (CVE-2023-27350), in Microsoft WPAD protocol (CVE-2016-0099) and CitrixBleed (CVE-2023-4966).
Apple updates is breaking EDR connectivity
Apple’s latest MacOS update, MacOS 15 Sequoia, is apparently breaking network connectivity to various endpoint security products, including ones from Crowdstrike, Microsoft, ESET and SentinelOne. Issues were also observed for VPN and RDP connections. According to security researchers, the problem lies with strict MacOS firewall rules integrated in its recent version. In the meantime, Microsoft had advised its customers to avoid upgrading to MacOS 15 Sequoia.
Mitigate it
Mitigate it
Mitigate it
Sources
- https://www.bleepingcomputer.com/news/security/autocanada-says-ransomware-attack-may-impact-employee-data/, https://dailysecurityreview.com/security-spotlight/hunters-international-ransomware-claims-breach-of-icbc-london-threatens-data-leak/
- https://www.ic3.gov/Media/News/2024/240918.pdf
- https://www.bleepingcomputer.com/news/healthcare/us-govt-agency-cms-says-data-breach-impacted-31-million-people/
- https://www.securityweek.com/ivanti-warns-of-second-csa-vulnerability-exploited-in-attacks/,https://thehackernews.com/2024/09/cisa-flags-critical-ivanti-vtm.html
- https://www.securityweek.com/cisa-oracle-vulnerabilities-from-miracle-exploit-targeted-in-attacks/
- https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks
- https://x.com/MsftSecIntel/status/1836456417315656076
- https://www.infosecurity-magazine.com/news/patients-us-healthcare-data/
- https://www.securityweek.com/cybersecurity-products-conking-out-after-macos-sequoia-update/