CISA and the FBI warned that the notorious BlackBasta ransomware group has compromised more than 500 large organizations worldwide since its establishment in April 2022. BlackBasta, once known for gaining initial access through spearphishing, has now partly pivoted to exploiting vulnerabilities, such as the ConnectWise ScreenConnect flaw (CVE-2024-1709). The group is also apparently behind the recent attack on Ascension, a leading healthcare provider operating 140 hospitals across 20 states, which led to various system outages and disruption of medical operations.

After infiltrating an isolated Zscaler test server last week, IntelBroker sold documents stolen from a Europol information-sharing portal and leaked data exfiltrated almost a year ago from the US Army Aviation and Missile Command. The information was put up for sale on BreachForums, the dark-web hacking forum in which IntelBroker has become a prominent member. A few days later, in a second law enforcement operation against the group, the FBI seized the forum's web page and arrested one of its admins.

DragonForce claimed responsibility for the December 2023 attack on the Ohio Lottery, which exposed the data of 540,000 people. DragonForce is a relatively new, sophisticated double-extortion group that has been observed using a leaked LockBit ransomware builder.

Unidentified threat actors have leveraged a vulnerability in a remote access server to gain initial access to the education network of the city of Helsinki, compromising 80,000 students' records. Although a relevant patch was available, it had not been applied prior to the attack. In recent years, Finland has become a main target of state-sponsored Russian hacking activity.


A Windows DWM Core Library vulnerability (CVE-2024-30051) is being exploited in the wild by threat actors using the QakBot initial access trojan. The flaw, which allows attackers who already have local access on a network to escalate privileges, can be chained with an RCE vulnerability to achieve full takeover of a targeted system and enable lateral movement.

Mitigate it: activate Tenable plugins 197004, 197006, 197009, 1970011, 197014-16

After ten years of silence, the Spanish-speaking APT group known as "The Mask" (or "Careto") has resurfaced and carried out two attacks against targets in Latin America and Africa. In both attacks, the APT apparently used a zero-day in a security product deployed by its targets as part of the attack chain.

Apple released a second patch for an exploited vulnerability in the RTKit real-time operating system (CVE-2024-23296), which lets attackers who already have kernel read and write capability bypass kernel memory protections. The vulnerability was patched last March for the newest versions of iPhones, iPads and Macs, but since exploitation has continued to be observed after the patch release, the company is now also issuing a fix for older versions.
