By the CyberWire staff
At a glance.
- Fortinet discloses critical vulnerability exploited since June.
- Change Healthcare breach affected 100 million people.
- Ransomware attackers may be abusing SonicWall SSL VPN vulnerability.
- AWS seizes phishing domains used by Russia's APT29.
- Internet Archive sustains another breach.
- Officials investigate how TSMC chips ended up in Huawei products.
- ESET partner breached to send wiper malware to Israeli organizations.
- NotLockBit ransomware targets macOS.
- The Bumblebee malware loader resurfaces.
- Embargo ransomware gang deploys new toolkit.
- Popular mobile apps contain hardcoded credentials.
Fortinet discloses critical vulnerability exploited since June.
Fortinet has publicly disclosed a critical vulnerability affecting FortiManager API that can "allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests." The vulnerability (CVE-2024-47575) has been assigned a CVSS score of 9.8 out of 10. The company began privately notifying customers about the flaw on October 13th, BleepingComputer notes.
Fortinet said in a statement, "After identifying this vulnerability (CVE-2024-47575), Fortinet promptly communicated critical information and resources to customers. This is in line with our processes and best practices for responsible disclosure to enable customers to strengthen their security posture prior to an advisory being publicly released to a broader audience, including threat actors. We also have published a corresponding public advisory (FG-IR-24-423) reiterating mitigation guidance, including a workaround and patch updates. We urge customers to follow the guidance provided to implement the workarounds and fixes and to continue tracking our advisory page for updates. We continue to coordinate with the appropriate international government agencies and industry threat organizations as part of our ongoing response."
Mandiant published a report on the vulnerability, stating that a threat actor has been exploiting the flaw as a zero-day since at least June 27th, 2024. Mandiant tracks the threat actor as "UNC5820," but hasn't yet attributed it to any known group. Mandiant explained, "UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager. This data contains detailed configuration information of the managed appliances as well as the users and their FortiOS256-hashed passwords. This data could be used by UNC5820 to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment."
Change Healthcare breach affected 100 million people.
UnitedHealth has disclosed that approximately 100 million people were affected by the breach of its Change Healthcare platform earlier this year, BleepingComputer reports. The company's CEO Andrew Witty told Congress in May that "maybe a third" of Americans' health information was breached, but this is the first time the company has issued an official number. TechCrunch notes that this marks "the largest-ever US healthcare data breach."
The ALPHV/BlackCat ransomware-as-a-service operation attacked UnitedHealth Group's Change Healthcare payment processing platform in February 2024, causing widespread disruptions across the US healthcare sector. During the incident, the attackers exfiltrated a great deal of personal, financial, and medical information belonging to patients. UnitedHealth paid a $22 million ransom to restore its systems and prevent the group from leaking the data. The BlackCat crew pulled an exit scam and disappeared with the money, causing the affiliate that carried out the attack to form its own group and demand a second ransom.
Are You Confident in the Security of Your Remote and Hybrid Employees?
A remote or hybrid workforce expands your company's surface area of attack beyond corporate firewall boundaries. Employees’ personal computers introduce shadow IT, and home networks with default settings are easy targets, compounded by public Wi-Fi vulnerabilities. You need to develop a strategy to stay secure while remote employees work across untrusted networks. To learn how you can secure your company's workforce, get a free copy of the latest ThreatLocker® whitepaper on how to secure remote workforces.
Ransomware attackers may be abusing SonicWall SSL VPN vulnerability.
Arctic Wolf has published a report on an increase in ransomware attacks abusing SonicWall SSL VPN accounts. The company has observed "at least 30 Akira and Fog intrusions across a variety of industries since early August, each involving SonicWall SSL VPN early in the cyber kill chain."
The researchers note that all of the affected VPNs were vulnerable to CVE-2024-40766, an access control vulnerability that SonicWall says may be under active exploitation. SonicWall issued a patch for the flaw in August. Arctic Wolf notes, "While we do not have definitive evidence of this vulnerability being exploited in the intrusions we investigated, all SonicWall devices involved were running firmware versions affected by it. Although credential-based attacks can’t be ruled out in some intrusions, the trend of increased threat activity against SonicWall devices highlights the necessity of maintaining firmware updates and implementing external log monitoring."
AWS seizes phishing domains used by Russia's APT29.
Amazon Web Services (AWS) announced that it had identified and seized phishing domains being used by Russia's APT29 to impersonate AWS. APT29 (also known as "Cozy Bear") is attributed to Russia’s Foreign Intelligence Service (SVR). CJ Moses, Amazon's Chief Information Security Officer and VP of Security Engineering, said in a statement, "Some of the domain names they used tried to trick the targets into believing the domains were AWS domains (they were not), but Amazon wasn’t the target, nor was the group after AWS customer credentials. Rather, APT29 sought its targets’ Windows credentials through Microsoft Remote Desktop."
Moses added, "In this instance, their targets were associated with government agencies, enterprises, and militaries, and the phishing campaign was apparently aimed at stealing credentials from Russian adversaries. APT29 sent the Ukrainian language phishing emails to significantly more targets than their typical, narrowly targeted approach."
Master Identity Orchestration with the ultimate Dummies guide.
“This book nailed it. It breaks down Identity Orchestration in a way that’s easy to follow, but sharp enough for anyone serious about IAM strategy.” Identity Orchestration for Dummies is the only book that tackles how to eliminate identity silos and simplify IAM for modern security. Whether you’re aiming for Zero Trust or modernizing apps, this book is your step-by-step guide. Download your free copy now.
Internet Archive sustains another breach.
The Internet Archive has sustained a breach affecting its Zendesk email support platform, BleepingComputer reports. The hacker told BleepingComputer they obtained a Zendesk token that granted them access to more than 800,000 support tickets sent to the Internet Archive team since 2018, including requests for site removals from the Wayback Machine. BleepingComputer notes that some people uploaded personal information to request removal from the Archive, and the hacker can now access this data.
The Internet Archive sustained a major breach earlier this month, with a hacker stealing information belonging to 33 million users. BleepingComputer says the hacker wasn't politically or financially motivated, but was solely interested in gaining "cyber street cred."
Officials investigate how TSMC chips ended up in Huawei products.
Taiwan Semiconductor Manufacturing Company (TSMC) discovered this month that Huawei obtained chips meant for a specific TSMC client, potentially violating US sanctions, Bloomberg reports. It's unclear if the client was complicit in sending the chips to Huawei, but TSMC has cut ties with them while it investigates the incident.
A US Commerce Department spokesperson told Bloomberg that the agency’s Bureau of Industry and Security is "aware of reporting alleging potential violations of US export controls." Officials are now investigating whether third-party distributors played a role in bypassing export restrictions. A TSMC spokesperson told CNBC, "TSMC is a law-abiding company and we are committed to complying with all applicable rules and regulations, including applicable export controls. We proactively communicate with the U.S. Commerce Department regarding the matter in the report. We are not aware of TSMC being the subject of any investigation at this time."
Save 30% on N2K Cyber & IT practice tests
In celebration of Cybersecurity Awareness Month, N2K is offering a 30% discount on all N2K practice tests with promo code "SECURE30". Choose from our vast exam prep library that includes top vendors like AWS, CompTIA, ISC2, Microsoft, and more. Get access to simulated exams, custom quizzes, e-flashcards, and more. Whether you're gearing up for a certification exam or looking to enhance your skills, now is the perfect time to invest in your cybersecurity journey. Visit n2k.com/certify to find your cert and save 30% with promo code “SECURE30” today.
ESET partner breached to send wiper malware to Israeli organizations.
ESET has confirmed that its Israeli distributor, Comsecure, was breached by a threat actor who used the access to send phishing emails to Israeli organizations, the Register reports. The phishing messages informed users that a state-sponsored threat actor was targeting them, and encouraged them to install an ESET product designed to counter advanced threats. The download link would install wiper malware disguised as ransomware. Security researcher Kevin Beaumont says the emails appear to be targeting cybersecurity personnel at Israeli companies.
ESET said its own systems were not compromised, and the "limited malicious email campaign was blocked within ten minutes." The company says it's "working closely with its partner to further investigate."
NotLockBit ransomware targets macOS.
SentinelOne has published a report on "NotLockBit," a strain of ransomware written in Go that's designed to target macOS systems. The researchers note, "Until now, ransomware threats for Mac computers had been at best ‘proof of concept’ and at worst entirely incapable of succeeding at their apparent aim. Interestingly, despite one of the more credible previous attempts being from LockBit itself, this latest discovery appears to be an entirely different threat actor appropriating the name of a more notorious one." The malware is "distributed as an x86_64 binary, meaning it will only run on Intel Macs or Apple silicon Macs with the Rosetta emulation software installed."
Trend Micro released a technical report on the ransomware last week, noting that the malware developers are likely impersonating LockBit for name recognition.
The Bumblebee malware loader resurfaces.
Netskope warns that the Bumblebee malware loader has resurfaced with a new infection chain following a law enforcement disruption in May 2024. The malware is being distributed via phishing emails with malicious ZIP files: "The ZIP file contains an LNK file named 'Report-41952.lnk' that, once executed, starts a chain of events to download and execute the final Bumblebee payload in memory, avoiding the need to write the DLL on disk, as observed in previous campaigns." The researchers add, "The usage of LNK files is very common in Bumblebee campaigns, either to download the next stage payloads or to directly execute files. In this case, the file is used as a downloader and is responsible for downloading and executing the next stage of the infection chain."
Embargo ransomware gang deploys new toolkit.
ESET has published a report on a new toolkit being deployed by the Embargo ransomware group. The Rust-based toolkit consists of a loader named "MDeployer" and an endpoint detection killer called "MS4Killer." The researchers note, "MS4Killer is particularly noteworthy as it is custom compiled for each victim’s environment, targeting only selected security solutions."
ESET adds, "In July 2024, we observed ransomware incidents targeting US companies, where the threat actor utilized its new tooling. The versions of MDeployer and MS4Killer observed in each intrusion differ slightly, suggesting that the tools are actively developed. Interestingly, we spotted two different versions of MDeployer in a single intrusion, probably tweaked after a first, failed attempt."
Popular mobile apps contain hardcoded credentials.
Researchers at Symantec warn that several popular apps in the Google Play Store and Apple's App Store contain hardcoded and unencrypted cloud service credentials within their codebases. The affected apps include photo collage maker Pic Stitch, cookie ordering app Crumbl, survey provider Eureka, and others. The issues are due to poor coding security practices. Symantec notes, "anyone with access to the app's binary or source code could potentially extract these credentials and misuse them to manipulate or exfiltrate data, leading to severe security breaches."
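As an added illustration (not Symantec's tooling or code from the apps named above), the kind of pre-release check that catches this class of defect: a scan over app source that flags string literals likely to be hardcoded cloud credentials, combining a credential-like variable-name heuristic, Shannon entropy, and one fixed-prefix key format (the AWS access key ID "AKIA" prefix, chosen here as an example; the report quoted above does not name the provider). The sample source and every key value in it are constructed for this example.

```python
"""Pre-release scan for hardcoded cloud credentials in app source (added example)."""
import math
import re
from typing import List, Tuple

# Identifier names that usually hold credentials (heuristic, an assumption).
CRED_NAME = re.compile(r"(key|secret|token|passw(or)?d|credential)", re.I)
# An identifier assigned a quoted string literal (Python/Swift/Kotlin-style).
ASSIGNMENT = re.compile(
    r'^\s*(?:(?:val|var|let|const)\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*["\']([^"\']+)["\']')
# Fixed-prefix format: AWS access key IDs are "AKIA" followed by 16 characters.
# Catches keys whose entropy is too low for the heuristic below.
KNOWN_FORMATS = {"aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}

MIN_LEN = 16
MIN_ENTROPY = 3.5  # bits per character; generated secrets are near-random

# Constructed sample: none of these values are real credentials.
SAMPLE_SOURCE = "\n".join([
    'api_base = "https://api.example.invalid/v1"',
    'CLOUD_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"',
    'cloud_secret = "9fK2mQ7xZp1LwR8vT3nB6yH4cJ0dS5aE2gU7iO1k"',
    'cloud_secret_placeholder = "CHANGE_ME_CHANGE_ME_CHANGE_ME"',  # low entropy: not flagged
    'retry_count = 3',
])


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character-frequency distribution."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, reason, identifier_or_match) for each suspected credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for label, pat in KNOWN_FORMATS.items():
            for m in pat.finditer(line):
                findings.append((no, f"known format: {label}", m.group(0)))
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if (CRED_NAME.search(name) and len(value) >= MIN_LEN
                and shannon_entropy(value) >= MIN_ENTROPY):
            findings.append((no, "credential-named variable with high-entropy literal", name))
    return findings


if __name__ == "__main__":
    for line_no, reason, what in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {reason}: {what}")
```

Run it in CI against the source tree before the build step that produces the shipped binary; anything it flags should come from a secrets manager or be fetched at runtime instead.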
Crime and punishment.
Italian police have arrested an Australian man wanted by the US FBI for allegedly stealing US$31 million via tech support scams, the Sydney Morning Herald reports. Italian police stated, "The charges relate to a scam, dating back some time, that affected a large number of people, especially the elderly and the particularly frail." The man was arrested at an airport in Milan, and will be extradited to the US to face charges of computer fraud, damaging computer security, and money laundering.
Courts and torts.
The US Securities and Exchange Commission (SEC) has fined four tech companies for making misleading claims that downplayed damages related to the 2019 SolarWinds breach, TechCrunch reports. The SEC has fined Check Point $995,000, Mimecast $990,000, Unisys $4 million, and Avaya $1 million. The fines are relatively small for companies of their size. The Commission stated, "The SEC’s orders find that each company violated certain applicable provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and related rules thereunder. Without admitting or denying the SEC’s findings, each company agreed to cease and desist from future violations of the charged provisions and to pay the penalties described above. Each company cooperated during the investigation, including by voluntarily providing analyses or presentations that helped expedite the staff’s investigation and by voluntarily taking steps to enhance its cybersecurity controls."
Michigan-based Great Expressions Dental Centers, a dental chain with 250 locations across nine states, has agreed to pay $2.7 million to settle a class-action lawsuit over a 2023 data breach, BankInfoSecurity reports. The breach affected more than 1.9 million patients and employees.