By the CyberWire staff
At a glance.
- NHS asks for blood donors following ransomware attack.
- Stolen credentials used to breach at least 165 Snowflake customers.
- Whistleblower claims that Microsoft prioritized profit over security.
- Microsoft postpones Windows Recall release.
- Chinese cyberespionage campaign infected 20,000 FortiGate systems.
- Ascension ransomware attack caused by employee error.
- New York Times source code leaked.
- Sticky Werewolf targets Russia's aviation sector.
- Cosmic Leopard targets Indian entities.
- Black Basta ransomware gang may have exploited Windows zero-day.
- UK and Canada to investigate 23andMe data breach.
NHS asks for blood donors following ransomware attack.
The UK's National Health Service (NHS) today issued an urgent call for O-type blood donations following last week's ransomware attack on pathology lab provider Synnovis, the Record reports. The impacted London hospitals are using up more of their O-type blood stocks because they "cannot currently match patients’ blood at the same frequency as usual."
Stephen Powis, medical director for NHS England, stated, "To help London staff support and treat more patients, they need access to O Negative and O Positive blood, so if one of these is your blood type, please come forward to one of the 13,000 appointments currently available in NHS Blood Donor Centres."
London hospitals are also asking for medical student volunteers to work long shifts hand-delivering blood tests to and from the affected pathology labs, according to Shaun Lintern at the Sunday Times.
Stolen credentials used to breach at least 165 Snowflake customers.
QuoteWizard, a subsidiary of financial services firm LendingTree, has confirmed that it sustained a data breach after threat actors compromised the company's Snowflake cloud storage account. A LendingTree spokesperson told the Record, "As of this time, it does not appear that consumer financial account information was impacted, nor information of the parent entity, Lending Tree. Given that this is an ongoing investigation we are not able to comment further."
Snowflake warned last week that customers using single-factor authentication were being targeted by a threat actor using stolen credentials. Mandiant, which Snowflake hired to investigate the campaign, stated in a blog post yesterday that the financially motivated threat actor UNC5537 "is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims." Mandiant has identified at least 165 victims of the campaign.
The company added, "Mandiant's investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake's enterprise environment. Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials." These credentials were stolen via "infostealer malware campaigns that infected non-Snowflake owned systems."
Whistleblower claims that Microsoft prioritized profit over security.
ProPublica has published a report outlining claims by former Microsoft employee Andrew Harris that Microsoft prioritized profit over security, leaving the US government open to the 2020 SolarWinds attack. Harris says he uncovered a severe flaw in Microsoft's Active Directory Federation Services (AD FS) that allowed attackers to forge Security Assertion Markup Language (SAML) tokens. The Russian state-sponsored threat actor behind the SolarWinds hack exploited the flaw discovered by Harris to breach several US Federal agencies, including the National Nuclear Security Administration and the National Institutes of Health.
Harris says he urged Microsoft for years to apply a temporary fix by disabling single-sign-on (SSO), but the company declined in order to pursue a long-term alternative. ProPublica states that at the time, "The federal government was preparing to make a massive investment in cloud computing, and Microsoft wanted the business. Acknowledging this security flaw could jeopardize the company’s chances, Harris recalled one product leader telling him. The financial consequences were enormous. Not only could Microsoft lose a multibillion-dollar deal, but it could also lose the race to dominate the market for cloud computing."
Note: While Microsoft is an N2K CyberWire partner and sponsor, we cover them the same way we do any other company.
Microsoft postpones Windows Recall release.
Microsoft is delaying the release of its Windows Recall feature following widespread criticism regarding the security and privacy implications of the tool, the Verge reports. Microsoft stated, "Recall will now shift from a preview experience broadly available for Copilot+ PCs on June 18, 2024, to a preview available first in the Windows Insider Program (WIP) in the coming weeks....We are adjusting the release model for Recall to leverage the expertise of the Windows Insider community to ensure the experience meets our high standards for quality and security. This decision is rooted in our commitment to providing a trusted, secure, and robust experience for all customers and to seek additional feedback prior to making the feature available to all Copilot+ PC users."
Chinese cyberespionage campaign infected 20,000 FortiGate systems.
The Dutch Military Intelligence and Security Service (MIVD) has offered more details on a Chinese cyberespionage campaign disclosed earlier this year, BleepingComputer reports. The threat actor exploited a critical FortiOS/FortiProxy remote code execution vulnerability (CVE-2022-42475) to compromise at least 20,000 FortiGate network security appliances in 2022 and 2023. The MIVD stated, "During [the] so-called 'zero-day' period, the actor infected 14,000 devices alone. Targets include dozens of (Western) governments, international organizations, and a large number of companies within the defense industry." The threat actor continued exploiting the vulnerability to target unpatched systems after Fortinet released a fix in December 2022, and maintained persistence on systems that were infected before the patch was applied.
The MIVD added, "It is not known how many victims actually have malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data."
Ascension ransomware attack caused by employee error.
US healthcare system Ascension has disclosed that the ransomware attack the company sustained last month was caused by an employee who accidentally downloaded a malicious file. The company added, "At this point, we now have evidence that indicates that the attackers were able to take files from a small number of file servers used by our associates primarily for daily and routine tasks. These servers represent seven of the approximately 25,000 servers across our network. Though we are still investigating, we believe some of those files may contain Protected Health Information (PHI) and Personally Identifiable Information (PII) for certain individuals, although the specific data may differ from individual to individual."
New York Times source code leaked.
The New York Times has disclosed that its internal source code was stolen from GitHub and posted to the 4chan message board in January, BleepingComputer reports. BleepingComputer notes that the leaked folder names "indicate that a wide variety of information was stolen, including IT documentation, infrastructure tools, and source code, allegedly including the viral Wordle game."
The Times said in a statement, "The underlying event related to yesterday’s posting occurred in January 2024 when a credential to a cloud-based third-party code platform was inadvertently made available. The issue was quickly identified and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity."
The Times also told BleepingComputer that some personal and work-related information belonging to freelance visual contributors was compromised in the breach.
Sticky Werewolf targets Russia's aviation sector.
Morphisec says a threat actor tracked as "Sticky Werewolf" is conducting a cyberespionage campaign against Russia's aviation industry. Sticky Werewolf's home country is unclear, but the researchers believe the group has "geopolitical and/or hacktivist ties."
Morphisec states, "The phishing email, purportedly sent by the First Deputy General Director and Executive Director of AO OKB Kristall, targets individuals in the aerospace and defense sector. The email invites recipients to a video conference on future cooperation, providing a password-protected archive that contains a malicious payload, and aims to deceive recipients into opening the harmful attachment under the lure of a legitimate business invitation."
Cosmic Leopard targets Indian entities.
Cisco Talos describes a cyberespionage campaign dubbed "Operation Celestial Force" that's using the GravityRAT Android malware to target "Indian entities and individuals likely belonging to defense, government, and related technology spaces." Talos attributes the operation to a Pakistani nexus of threat actors tracked as "Cosmic Leopard."
Talos states, "Operation Celestial Force has been active since at least 2018 and continues to operate today — increasingly utilizing an expanding and evolving malware suite — indicating that the operation has likely seen a high degree of success targeting users in the Indian subcontinent. Cosmic Leopard initially began the operation with the creation and deployment of the Windows based GravityRAT malware family distributed via malicious documents (maldocs). Cosmic Leopard then created Android-based versions of GravityRAT to widen their net of infections to begin targeting mobile devices around 2019. During the same year, Cosmic Leopard also expanded their arsenal to use the HeavyLift malware family as a malware loader. HeavyLift is primarily wrapped in malicious installers sent to targets tricked into running the malware via social engineering techniques."
Black Basta ransomware gang may have exploited Windows zero-day.
Researchers at Symantec have found that Cardinal, a cybercriminal group that operates the Black Basta ransomware, appears to have exploited a Windows privilege escalation vulnerability (CVE-2024-26169) before it was patched. The researchers note, "The vulnerability was patched on March 12, 2024, and, at the time, Microsoft said there was no evidence of its exploitation in the wild. However, analysis of an exploit tool deployed in recent attacks revealed evidence that it could have been compiled prior to patching, meaning at least one group may have been exploiting the vulnerability as a zero-day."
UK and Canada to investigate 23andMe data breach.
Data privacy watchdogs in the UK and Canada will investigate a data breach sustained by genetic testing company 23andMe in October 2023, the BBC reports. Canada's Privacy Commissioner Philippe Dufresne stated that the joint investigation will examine:
- "the scope of information that was exposed by the breach and potential harms to affected individuals;
- "whether 23andMe had adequate safeguards to protect the highly sensitive information within its control; and
- "whether the company provided adequate notification about the breach to the two regulators and affected individuals as required under Canadian and UK privacy and data protection laws."
23andMe disclosed in December that hackers compromised 14,000 customer accounts via password spraying, which gave them access to data belonging to 5.5 million people who had opted into 23andMe's DNA Relatives feature.
Globe Life investigates web portal breach.
US insurance giant Globe Life is investigating a breach of one of its web portals, BleepingComputer reports. The company said in an SEC filing that the breach "likely resulted in unauthorized access to certain consumer and policyholder information." The company added, "Immediately upon notification of these circumstances, the Company removed external access to the portal. At this time, the Company believes the issue is specific to this portal, and all other systems remain operational. The Company’s operations will not be significantly impacted by the removal of external web access to the portal in question."
Patch news.
Arm has issued an advisory warning of an actively exploited vulnerability (CVE-2024-4610) affecting Bifrost and Valhall GPU kernel drivers, BleepingComputer reports. The use-after-free vulnerability affects drivers from version r34p0 to version r40p0, and was fixed on June 7th with version r41p0. The flaw can allow "a local non-privileged user to make improper GPU memory processing operations to gain access to already freed memory."
A proof-of-concept exploit has been released for a critical authentication bypass flaw (CVE-2024-29849) affecting Veeam Backup Enterprise Manager, SecurityAffairs reports. The vulnerability, which was patched last month, "allows unauthenticated users to log in as any user to enterprise manager web interface." Users are urged to update to version 12.1.2.172 as soon as possible.
JetBrains has fixed a security issue (CVE-2024-37051) affecting the JetBrains GitHub plugin on the IntelliJ Platform that could expose GitHub access tokens. JetBrains stated, "On the 29th of May 2024 we received an external security report with details of a possible vulnerability that would affect pull requests within the IDE. In particular, malicious content as part of a pull request to a GitHub project which would be handled by IntelliJ-based IDEs, would expose access tokens to a third-party host."