Threat Report – Palo Alto Patch – April 2024

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
Customers should continue to monitor this security advisory for the latest updates and product guidance.
Palo Alto Networks has released fixes for a zero-day vulnerability affecting its GlobalProtect VPN product that is being targeted following its disclosure last week. Hotfixes for the vulnerability – labelled CVE-2024-3400 – were published on Sunday.

Source – https://www.smarttech247.com/news/threat-report-palo-alto-patch-april-2024/

OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

Security researchers have uncovered a “credible” takeover attempt targeting the OpenJS Foundation in a manner that evokes similarities to the recently uncovered incident aimed at the open-source XZ Utils project.
“The OpenJS Foundation Cross Project Council was alerted to a concerning set of emails containing comparable content but originating from various names and GitHub-associated email addresses,” stated a joint alert by the OpenJS Foundation and the Open Source Security Foundation (OpenSSF).
The email author(s) also called on OpenJS to designate them as a new maintainer of the project despite having little prior involvement. Two other popular JavaScript projects not hosted by OpenJS are also said to have been at the receiving end of similar activity.
That said, none of the people who contacted OpenJS were granted privileged access to the OpenJS-hosted project.

Source – https://thehackernews.com/2024/04/openjs-foundation-targeted-in-potential.html

Chipmaker Nexperia confirms breach after ransomware gang leaks data

Dutch chipmaker Nexperia confirmed late last week that hackers breached its network in March 2024 after a ransomware gang leaked samples of allegedly stolen data.#
Nexperia is a subsidiary of Chinese company Wingtech Technology that operates semiconductor fabrication plants in Germany and the UK, producing 100 billion units, including transistors, diodes, MOSFETs, and logic devices. The Nijmegen-based company employs 15,000 specialists and has an annual revenue of over $2.1 billion.

In a press statement on Friday, the company disclosed a data breach that forced it to shut down IT systems and launch an investigation to determine the scope of impact.
“The statement indicates that Nexperia has been informed of unauthorized access by a third party to specific Nexperia IT servers in March 2024.”

Source – https://www.bleepingcomputer.com/news/security/chipmaker-nexperia-confirms-breach-after-ransomware-gang-leaks-data/

Roku cyberattack impacts 576,000 accounts

Roku said it uncovered the second incident while monitoring account activity following the first breach earlier this year, when unauthorized actors accessed the accounts of about 15,000 users.
In both cases, threat actors are believed to have used a method known as “credential stuffing” to steal login information, i.e. usernames and passwords.
Credential stuffing is a type of automated cyberattack where fraudsters use stolen usernames and passwords from one platform and attempt to log in to accounts on other platforms.
“Roku stated in a declaration that there is no evidence suggesting that the account credentials utilized in these attacks originated from Roku or that Roku’s systems were compromised in either instance.”

Source – https://cybernews.com/news/roku-cyberattack-impacts-576000-accounts/

Ransomware gang starts leaking alleged stolen Change Healthcare data

The RansomHub extortion gang has begun leaking what they claim is corporate and patient data stolen from United Health subsidiary Change Healthcare in what has been a long and convoluted extortion process for the company.
In February, Change Healthcare suffered a cyberattack that caused massive disruption to the US healthcare system, preventing pharmacies and doctors from billing or sending claims to insurance companies.
The attack was ultimately linked to the BlackCat/ALPHV ransomware operation, who later said they stole 6 TB of data during the attack.
After facing increased pressure from law enforcement, the BlackCat gang shut down their operation. This occurred amid claims they were pulling an exit scam by stealing a $22 million Change Healthcare ransom payment from the affiliate who conducted the attack.

Source – https://www.bleepingcomputer.com/news/security/ransomware-gang-starts-leaking-alleged-stolen-change-healthcare-data/

Daixin ransomware gang claims attack on Omni Hotels

The Daixin Team ransomware gang claimed a recent cyberattack on Omni Hotels & Resorts and is now threatening to publish customers’ sensitive information if a ransom is not paid.
The hotel chain was added to Daixin Team’s dark web leak site over the weekend, two weeks after a massive outage brought down the company’s IT systems and impacted reservation, hotel room door lock, and point-of-sale (POS) systems.
On April 2nd, Omni Hotels confirmed that a cyberattack was the root cause behind the nationwide IT outage at its locations.
“Omni Hotels & Resorts has been actively addressing a cyberattack on its systems since Friday, March 29. Upon discovering the issue, Omni promptly initiated measures to shut down its systems to safeguard and control its data,” the hotel chain informed BleepingComputer.

Source – https://www.bleepingcomputer.com/news/security/daixin-ransomware-gang-claims-attack-on-omni-hotels/

Hackers Exploit Fortinet Flaw, Deploy ScreenConnect, Metasploit in New Campaign

Cybersecurity researchers have discovered a new campaign that’s exploiting a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads.
The activity entails the exploitation of CVE-2023-48788 (CVSS score: 9.3), a critical SQL injection flaw that could permit an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.
Cybersecurity firm Forescout is tracking the campaign under the codename Connect:fun owing to the use of ScreenConnect and Powerfun for post-exploitation.
The intrusion targeted an unnamed media company that had its vulnerable FortiClient EMS device exposed to the internet shortly after the release of a proof-of-concept (PoC) exploit for the flaw on March 21, 2024.

Source – https://thehackernews.com/2024/04/hackers-exploit-fortinet-flaw-deploy.html

Cherry Health hit by ransomware attack

In a data breach notification letter dated April 16th, 2024, Cherry Health states that it experienced “a recent data security incident” involving patients’ personal data.
According to data that the healthcare provider submitted to the Maine Attorney General, Cherry Health suffered from a ransomware attack. Ransomware gangs operate by infiltrating the victim’s networks, siphoning and encrypting data, and later demanding a ransom payment to return the stolen data.
Attackers target healthcare providers precisely for this type of information, as individual healthcare data can be sold for hundreds of dollars on dark web forums.
Other personally identifiable information (PII) may be used to commit fraud, from identity theft and phishing attacks to opening new credit accounts, making unauthorized purchases, or obtaining loans under false pretenses.

Source – https://cybernews.com/news/cherry-health-ransomware-attack/

FIN7 targets American automaker’s IT staff in phishing attacks

The financially motivated threat actor FIN7 targeted a large U.S. car maker with spear-phishing emails for employees in the IT department to infect systems with the Anunak backdoor.
According to researchers at BlackBerry, the attack happened late last year and relied on living-off-the-land binaries, scripts, and libraries (LoLBas). The threat actor focused on targets with high level privileges, luring them with links to a malicious URL impersonating the legitimate Advanced IP Scanner tool.
BlackBerry attributed the attacks to FIN7 with a high level of confidence based on the use of unique PowerShell scripts using the adversary’s signature ‘PowerTrash’ obfuscated shellcode invoker, first seen in a 2022 campaign.

Source – https://www.bleepingcomputer.com/news/security/fin7-targets-american-automakers-it-staff-in-phishing-attacks/

OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

Security researchers have uncovered a “credible” takeover attempt targeting the OpenJS Foundation in a manner that evokes similarities to the recently uncovered incident aimed at the open-source XZ Utils project.
The email author(s) also called on OpenJS to designate them as a new maintainer of the project despite having little prior involvement. Two other popular JavaScript projects not hosted by OpenJS are also said to have been at the receiving end of similar activity.
That said, none of the people who contacted OpenJS were granted privileged access to the OpenJS-hosted project.

Source – https://thehackernews.com/2024/04/openjs-foundation-targeted-in-potential.html

Smarttech247