INC Ransom has exfiltrated 800K patients’ information from OnePoint Patient Care, an Arizona-based pharmacy network serving 40,000 people a day. INC Ransom is an opportunistic data extortion group known for having hacked Xerox and Yamaha Motors through the exploitation of a Citrix NetScaler vulnerability (CVE-2023-3519).
The North Korean state actor Lazarus (aka APT38) launched a fake game website that exploited a Google Chrome vulnerability (CVE-2024-5274) to deploy malware stealing cryptocurrency. The flaw was used to gain read and write access within the Chrome process. Lazarus then exploited another flaw in Chrome to escape V8’s sandbox. Both issues were fixed by Google last March. Lazarus allegedly stole over 1 billion dollars in cryptocurrencies during 2023.
[mitigate]Enable “Safe Browsing” in Chrome’s settings[/mitigate]
DarkRaaS claimed to have exfiltrated strategic documents from a network storage device of a prominent oil and gas company. It also announced the hack of a Windows server belonging to the Argentinian government, and sells access to email addresses, FTP accounts and domains from Israel and other Middle Eastern countries. DarkRaaS is an affiliate of Dark Side, a cybercrime group which performed high-profile attacks in 2022 and has been quiet since then. Among other methods, it got initial access through the exploitation of ESXi vulnerabilities (CVE-2019-5544, CVE-2020-3992).
[mitigate]Limit network access to port 427[/mitigate]
Cisco patched a vulnerability in its Remote Access VPN (CVE-2024-20481), which has been observed exploited in the wild. The flaw allows attackers to send large numbers of authentication requests to a device, resulting in denial of service. The attacks exploiting this vulnerability were apparently linked to last April’s large-scale campaigns that compromised various VPN and SSH services, including vendors such as Check Point, Fortinet, SonicWall or MikroTik.
[mitigate]Configure VPN gateways to limit the rate of authentication requests[/mitigate]
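The mitigation above is a rate limit on authentication attempts per source; the same rule can be run over gateway logs to find the flood before the device degrades. The following is an added example, not code from the digest or from any vendor: a sliding-window detector over constructed VPN authentication log lines. The log layout, field names (`user=`, `src=`), the threshold of 5 attempts per 60 seconds, and the sample IPs are all assumptions; the lines are assumed to be in time order.

```python
"""Sliding-window detector for authentication floods against a VPN gateway.

Added example (not from the original digest). It scans constructed VPN auth
log lines and flags any source IP that exceeds a threshold of authentication
attempts inside a time window, i.e. the condition a gateway rate limit should
enforce. Log format, field names and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed log line layout (constructed for this example):
# <ISO timestamp> auth <accept|reject> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>accept|reject) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: 203.0.113.7 hammers the gateway with many usernames
# in a few seconds, 198.51.100.5 is a normal user with one typo, and
# 203.0.113.9 retries slowly enough to stay under the window threshold.
SAMPLE_LOG = """\
2024-10-28T09:00:00 auth reject user=alice src=203.0.113.7
2024-10-28T09:00:02 auth reject user=bob src=203.0.113.7
2024-10-28T09:00:03 auth accept user=carol src=198.51.100.5
2024-10-28T09:00:04 auth reject user=carol src=203.0.113.7
2024-10-28T09:00:06 auth reject user=dave src=203.0.113.7
2024-10-28T09:00:08 auth reject user=erin src=203.0.113.7
2024-10-28T09:00:10 auth reject user=frank src=203.0.113.7
2024-10-28T09:00:12 auth reject user=grace src=203.0.113.7
2024-10-28T09:00:30 auth reject user=carol src=198.51.100.5
2024-10-28T09:00:45 auth accept user=carol src=198.51.100.5
2024-10-28T09:01:00 auth reject user=heidi src=203.0.113.9
2024-10-28T09:01:30 auth reject user=heidi src=203.0.113.9
2024-10-28T09:02:00 auth reject user=heidi src=203.0.113.9
2024-10-28T09:02:30 auth reject user=heidi src=203.0.113.9
2024-10-28T09:03:00 auth reject user=heidi src=203.0.113.9
2024-10-28T09:03:30 auth reject user=heidi src=203.0.113.9
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def find_flooding_sources(lines, max_attempts=5, window=timedelta(seconds=60)):
    """Return {src_ip: timestamp at which the source first exceeded the limit}.

    Every attempt counts, accepted or rejected: the denial-of-service
    condition is the volume of authentication requests, not their outcome.
    """
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line; a real pipeline would count these too
        q = recent[ev["src"]]
        q.append(ev["ts"])
        # Drop attempts that have aged out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_attempts and ev["src"] not in flagged:
            flagged[ev["src"]] = ev["ts"]
    return flagged


if __name__ == "__main__":
    for src, when in find_flooding_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src} exceeded the authentication rate limit at {when.isoformat()}")
```

Counting accepted attempts alongside rejected ones matters here: the Cisco advisory item is about resource exhaustion, so a source that spreads requests over many valid accounts still needs to be throttled. On a real gateway the equivalent control is the vendor's own per-source rate limit; this script is for checking exported logs after the fact.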
RansomHub published information stolen from a company operating 19 airports in Mexico. The attack forced the airports to turn to backup systems. RansomHub is one of the leading ransomware groups worldwide, recently responsible for various high-profile attacks using diverse vulnerabilities in Citrix, Confluence, F5, Fortinet and Windows.
A new ransomware named PSAUX has widely exploited two RCE zero-days (CVE-2024-51567 and CVE-2024-51568) in Internet-exposed CyberPanel instances. The flaws, disclosed last week, lie in three distinct issues: defective authentication, command injection on unprotected pages and security bypass. CyberPanel is a web hosting control panel with an interface for managing websites, email accounts, files, and databases. Almost 22,000 instances were exposed online, half of them in the US. PSAUX, a group that emerged last June, is focused on targeting vulnerabilities in web servers.
The Cucamonga Valley Water District has been attacked by the Fog ransomware and its billing service systems have been disrupted. Fog, possibly connected to Akira, is a ransomware group that has recently exploited vulnerabilities in Veeam Backup (CVE-2024-40711) and in SonicWall VPNs (CVE-2024-40766). In a possibly related event, American Water has stopped sending billing notifications following an unattributed cyberattack. American Water is the largest regulated water and wastewater utility company in the US, serving more than 14 million customers.
A Windows vulnerability that is being exploited allows attackers to steal NTLM authentication hashes from users. The flaw is similar to a Windows Themes spoofing issue (CVE-2024-38030) patched last July. It impacts all Windows versions from 7 to 11.
Concerns were raised around the publication of a PoC automating the exploitation of an SQLi vulnerability in Mura CMS (CVE-2024-32640). Mura is a popular open-source content management platform for marketing teams and web developers.