CyberSecurity updates
Updated: 2024-11-10 13:30:23 Pacific


nvd.nist.gov
CyberPanel Critical Vulnerabilities Exploited in Widespread Ransomware Attacks - 6d

Multiple high-severity vulnerabilities have been discovered in CyberPanel, an open-source web hosting control panel. These vulnerabilities have been actively exploited by ransomware groups, posing a significant risk to servers running CyberPanel. Two critical vulnerabilities, CVE-2024-51567 and CVE-2024-51568, allow attackers to bypass authentication and execute arbitrary commands on affected servers. This enables attackers to gain complete control over compromised systems, including the ability to install ransomware, steal sensitive data, and disrupt operations. It is imperative for organizations using CyberPanel to prioritize the installation of security patches released by the vendor to address these vulnerabilities. Failure to do so could result in severe consequences, including data loss, financial damage, and reputational harm. Organizations should also implement strong password policies, enable multi-factor authentication, and regularly monitor their systems for suspicious activity. These vulnerabilities highlight the importance of maintaining a proactive security posture and prioritizing vulnerability management. It is crucial for organizations to stay informed about vulnerabilities affecting their systems and promptly implement necessary security updates and mitigations.

bleepingcomputer.com
Akira Ransomware: Hypervisor Encryption and Recovery - 6d

Akira ransomware has targeted a victim by encrypting the virtual disks (.vmdk files) of an ESXi hypervisor. This attack demonstrates the growing threat of ransomware targeting critical infrastructure elements. To recover the victim’s data, the incident response team used a patched version of vmfs-tools to mount the ESXi datastore, which was partially encrypted. This approach highlights the need for organizations to have comprehensive security measures in place, including regular backups and the ability to recover from attacks targeting critical systems.

Jeffrey Burt @ Security Boulevard
UnitedHealth Group Hires New CISO Amidst Major Data Breach - 9d

UnitedHealth Group, a major healthcare provider, has appointed a new Chief Information Security Officer (CISO) after experiencing a significant ransomware attack that compromised the data of over 100 million individuals. This appointment comes in response to intense scrutiny from lawmakers regarding the previous CISO’s lack of cybersecurity expertise. The new CISO brings extensive experience in cybersecurity, signifying a commitment from UnitedHealth Group to bolster its security posture and prevent future incidents. The appointment reflects the increasing focus on cybersecurity in the healthcare industry, particularly after major breaches and data leaks. This move is expected to enhance UnitedHealth Group’s ability to address security challenges, protect sensitive patient information, and maintain public trust.

securityonline.info
Raccoon Infostealer: Ukrainian Hacker Pleads Guilty for Operating Malware - 30d

A Ukrainian national, Mark Sokolovsky, has pleaded guilty in a U.S. court for operating the Raccoon Infostealer. This malware was used to steal sensitive data from millions of computers globally. The U.S. Justice Department originally charged Sokolovsky with computer fraud in October 2020 for his alleged role in the malware’s distribution. The Raccoon Infostealer was known for its sophisticated capabilities in stealing credentials, financial information, and other sensitive data. The guilty plea signifies a major step forward in the prosecution of cybercriminals involved in the development and distribution of malicious software.

MalBot @ Malware Analysis, News and Indicators
Change Healthcare Data Breach Impacts Over 100 Million Americans - 15d

Change Healthcare, a major healthcare claims processor in the US, has experienced a significant data breach affecting over 100 million individuals. The attack, which was attributed to ransomware, compromised a vast amount of personal and health information, including names, Social Security numbers, and medical records.

cyble.com
Critical Vulnerabilities in Ivanti Products Actively Exploited - 24d

Multiple critical vulnerabilities have been identified in Ivanti Cloud Services Appliance (CSA), a key component for secure device management and communication. These vulnerabilities, CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381, are actively exploited by threat actors. CVE-2024-9379 allows remote, authenticated attackers with administrator privileges to execute SQL injection attacks. CVE-2024-9380 enables attackers to achieve remote code execution through OS command injection. CVE-2024-9381 provides a path traversal vulnerability, enabling attackers to bypass restrictions. The vulnerabilities are chained with CVE-2024-8963, highlighting the severity of the situation. CISA has issued an urgent advisory, urging security teams to patch the flaws immediately.

do son @ Cybersecurity News
New Rust-Based Embargo Ransomware Targets US Companies with Advanced Attack Techniques - 16d

Embargo is a new, sophisticated ransomware group that has been targeting US companies. First observed in May 2024, Embargo ransomware attacks have escalated rapidly. The group uses a toolkit that includes a loader named MDeployer and an EDR killer called MS4Killer, both written in Rust. These tools help the ransomware evade detection and compromise systems effectively. Embargo’s advanced techniques and Rust-based tooling make it a serious threat to organizations.

do son @ Cybersecurity News
Akira Ransomware Continuously Evolving and Targeting Vulnerable Systems - 19d

Akira ransomware, a prominent threat actor, is continuously evolving its tactics and targeting vulnerable systems, particularly network appliances. Their latest ransomware encryptor targets both Windows and Linux hosts. Akira affiliates have been exploiting vulnerabilities in SonicWall SonicOS, Cisco ASA/FTD, and FortiClientEMS for initial access, followed by credential harvesting, privilege escalation, and lateral movement. The group’s recent shift back to encryption methods, coupled with data theft extortion, emphasizes their focus on stability and efficiency in affiliate operations.

MalBot @ Malware Analysis, News and Indicators
Ransomware Gangs Using LockBit's Reputation for Intimidation - 16d

Ransomware gangs are increasingly using the notoriety of established variants, such as LockBit, to intimidate victims. They leverage the fear associated with LockBit’s capabilities to pressure victims into paying ransoms. These gangs often embed hard-coded AWS credentials in their ransomware, allowing them to exfiltrate data using Amazon S3’s Transfer Acceleration feature. This tactic highlights the importance of implementing robust data protection measures, such as strong access controls and secure credential management, to prevent data exfiltration and mitigate ransomware threats.

ReliaQuest Threat Research Team @ Blog
Black Basta Ransomware: Evolving Social Engineering Tactics - 15d

The Black Basta ransomware group is employing increasingly sophisticated social engineering techniques to compromise organizations. The attackers now leverage Microsoft Teams chat messages to deceive targeted users and distribute malicious QR codes to gain initial access to their systems. Black Basta’s tactic involves overwhelming users with email spam, then reaching out through Teams, posing as legitimate help desk personnel to respond to support tickets generated by the initial spam campaign. This social engineering scheme aims to establish trust with users and convince them to download and install remote monitoring and management (RMM) tools, providing attackers with a foothold to deploy ransomware. Organizations should be aware of this evolving tactic and implement strong security awareness training to help employees identify and avoid these social engineering traps.

Steven Campbell, Akshay Suthar, and Stefan Hostetler @ Arctic Wolf
Fog and Akira Ransomware Attacks Linked to SonicWall SSL VPN - 16d

Arctic Wolf Labs has observed an increase in Fog and Akira ransomware attacks, with at least 30 intrusions across various industries since early August. These attacks often leverage SonicWall SSL VPN in the early stages of the attack chain, highlighting the importance of securing VPN access points. The malicious VPN logins originate from IP addresses associated with VPS hosting, providing defenders with a viable mechanism for early detection and response.

tomersp@checkpoint.com @ Check Point Research
Ransomware Attacks Target Healthcare and Manufacturing Sectors - 19d

In Q3 2024, cyberattacks surged globally, with an average of 1,876 attacks per organization. The Education/Research sector was the most targeted, while Africa faced the highest attack rates regionally. Ransomware incidents remained persistent, with North America experiencing 57% of the attacks. The Manufacturing and Healthcare sectors were particularly impacted by ransomware.

do son @ Malware Archives
Beast Ransomware Targets Windows, Linux, and VMware ESXi - 20d

Beast Ransomware is a Ransomware-as-a-Service (RaaS) platform that has been actively targeting organizations since 2022. The ransomware targets Windows, Linux, and VMware ESXi systems, allowing attackers to encrypt files and demand payment for their decryption. Beast is known for its sophistication and ability to evade detection, making it a significant threat to organizations of all sizes. The ransomware operators use a variety of techniques to gain access to target systems, including phishing campaigns, exploiting vulnerabilities, and using stolen credentials. Organizations should take steps to protect themselves from Beast Ransomware by implementing strong security measures, keeping their software up to date, and training employees on how to identify and avoid phishing attacks.

djohnson @ Cybercrime Archives
North Korean Fake IT Worker Scheme Targets Global Organizations with Sophisticated Identity Fraud - 22d

A sophisticated identity fraud scheme is being employed by North Korean threat actors to infiltrate global organizations and gain access to sensitive information. The attackers create fraudulent profiles, often using stolen identities, to apply for IT positions within target companies. Once hired, these malicious actors steal company trade secrets and potentially extort the companies for ransom. The scheme highlights the growing threat of sophisticated social engineering tactics used by nation-state actors and the need for robust background checks and security measures to prevent such infiltration.

do son @ Malware Archives
Crypt Ghouls Group: Russian Businesses and Government Agencies Targeted by LockBit and Babuk Ransomware - 22d

The Crypt Ghouls group is suspected to be behind a series of ransomware attacks on Russian businesses and government agencies. The group is known to use a variety of tools and tactics, including VPNs, Mimikatz, XenAllPasswordPro, and PsExec. They have also been observed using a CobInt backdoor loader that allows them to gain a foothold on victims’ systems. The group is known to use a variety of ransomware strains, including LockBit 3.0 and Babuk.

do son @ Malware Archives
Cicada3301 Ransomware Affiliate Program Infiltrated by Security Researchers - 23d

The Cicada3301 ransomware group has been infiltrated by security researchers who gained access to its affiliate panel and discovered details about its ransomware versions. The researchers were able to analyze the group’s infrastructure and operations, potentially leading to the disruption of its activities. Cicada3301 ransomware is known for targeting critical sectors, including healthcare, finance, and government.


This site is an experimental news aggregator using feeds I personally follow. You can reach me at Bluesky if you have feedback or comments.