The CyberWire Daily Podcast 6.4.24
Ep 2081 | 6.4.24

Ransomware hit causes pathology paralysis.

Transcript

Ransomware disrupts London hospitals. Researchers discover serious vulnerabilities in Progress' Telerik Report Server and Atlassian Confluence Data Center and Server. Over three million people are affected by a breach at a debt collection agency. A report finds rural hospitals vulnerable to ransomware. An Australian mining firm finds some of its data on the Dark Web. Google patches 37 Android vulnerabilities. Russian threat actors target the Summer Olympics in Paris. On our Industry Voices segment, we are joined by Sandy Bird, CTO at Sonrai. Sandy discusses the risks of unused identity infrastructure. The Amazon rainforest goes online.


Today is June 4th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Ransomware disrupts London hospitals. 

A ransomware attack on third-party provider Synnovis has caused significant disruptions to pathology services at several London hospitals. This includes Guy's and St Thomas' NHS Foundation Trust, Royal Brompton and Harefield hospitals, and King's College Hospital NHS Foundation Trust, with primary care across south east London also affected.

The attack, which was detected on Monday, has resulted in the cancellation of operations and a critical incident emergency status being declared. This is due to the inability of healthcare professionals to access pathology services, including blood tests for transfusions. The disruption is having a significant impact on patient care, with urgent blood components only being transfused when critically indicated.

The attack highlights the ongoing threat of ransomware attacks on the healthcare sector, which can have serious consequences for patients. In the UK alone, there have been 215 reported ransomware incidents in the health sector since January 2019. The authorities are concerned about the lack of reporting of such incidents and the impact on patients.

The disruption is also expected to put additional pressure on other hospitals, potentially leading to further critical incidents being declared. Patients whose appointments have been canceled or redirected to other providers at short notice are likely to be particularly affected by the incident.

Researchers discover serious vulnerabilities in Progress' Telerik Report Server and Atlassian Confluence Data Center and Server.

Researchers have discovered a vulnerability chain that allows for remote code execution (RCE) on Progress' Telerik Report Server. The chain involves an insecure deserialization flaw (CVE-2024-1800) and an authentication bypass issue (CVE-2024-4358). An attacker can exploit these flaws to create a malicious report, allowing them to execute arbitrary code on the server. The vulnerabilities have been assigned high CVSS scores of 9.9 and 9.8 respectively. A proof-of-concept script has been published, and it is strongly recommended that users patch these flaws as soon as possible. The latest version of Report Server (2024 Q2) addresses both issues.

Meanwhile, a critical remote code execution (RCE) vulnerability has been discovered in Atlassian Confluence Data Center and Server. The flaw allows authenticated attackers to exploit account privileges and execute arbitrary code with no user interaction required. The vulnerability is due to insufficient input validation in the "Add a new language" function of the "Configure Code Macro" section. To exploit this flaw, an attacker must have access to the vulnerable network, have the privilege to add new macro languages, and upload a forged JavaScript file. Atlassian recommends upgrading to the latest version to fix the vulnerability.

Over three million people are affected by a breach at a debt collection agency. 

Financial Business and Consumer Solutions (FBCS) is a nationally licensed debt collection agency that collects commercial and consumer debts on behalf of creditors. They've filed a data breach notification affecting over 3.2 million individuals. The exposed data includes full names, Social Security numbers, birth dates, account information, driver's license or state ID numbers, and medical claims information. In some cases, the compromised data also includes health insurance information. The company has sent breach notifications to those affected, offering 12 months of free credit monitoring.

A report finds rural hospitals vulnerable to ransomware.

A new report from CSC 2.0, an offshoot of the Cyberspace Solarium Commission, warns that rural hospitals are particularly vulnerable to ransomware attacks due to their limited resources and outdated technology. The report finds that federal funding is crucial to addressing this issue, as it will allow for major cybersecurity investments. The threat is no longer theoretical, with recent attacks on large healthcare providers, including Ascension and Change Healthcare, disrupting patient care and medical procedures. The report recommends increasing funding for the Department of Health and Human Services, updating cybersecurity objectives, and encouraging health care providers to invest in basic cybersecurity measures such as employee training and managed IT services.

An Australian mining firm finds some of its data on the Dark Web. 

Australian rare earths firm Northern Minerals reported that some of its data was released onto the "dark web" after detecting a cybersecurity breach months ago. The stolen information includes corporate and financial data, personnel details, and shareholder info. The company detected the breach in March 2024 but only recently learned that the stolen data is now available on the dark web. Northern Minerals has informed Australian authorities of the theft. This comes just a day after Australia's government ordered China-affiliated investors to sell their shares in the firm due to concerns over national interest.

Google patches 37 Android vulnerabilities. 

Google has released its June 2024 Android security update, which patches 37 vulnerabilities, including multiple high-severity elevation of privilege bugs. The update resolves 19 issues in the Framework and System components, with seven flaws leading to local escalation of privilege. Additionally, 18 more vulnerabilities were addressed in Kernel, Imagination Technologies, and Arm components, with three critical Qualcomm-specific flaws. The update is recommended for all devices running Android to ensure security and prevent potential exploits.

Russian threat actors target the Summer Olympics in Paris. 

The Microsoft Threat Analysis Center (MTAC) has detected malicious disinformation campaigns by Russian-backed threat actors targeting the upcoming Summer Olympics in Paris. The goal is to denigrate the International Olympic Committee's reputation and create fear of violence breaking out during the games. MTAC has tracked two main influence actors, Storm-1679 and Storm-1099, which have been using artificial intelligence-generated content to spread false information. Tactics include releasing a fake film, producing fake videos and press releases, and spreading fear of crime or violence through social media bots. One release even included an audio deepfake of the voice of actor Tom Cruise, falsely expressing his support. The campaigns are expected to intensify in the weeks leading up to the Olympics, with MTAC warning that Russian actors may try to exploit security concerns and create illusions of protests or real-world provocations.


Coming up on our Industry Voices segment, I am joined by Sandy Bird, CTO at Sonrai. Sandy discusses the risks of unused identity infrastructure.

We'll be right back.

Welcome back. You can learn more about Sonrai's work by reviewing their Quantifying Cloud Access Risk: Overprivileged Identities and Zombie Identities report. There's a link in the show notes.
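The interview above is about unused, or "zombie," identities. The following is an added example, not code from Sonrai or from the podcast, showing the kind of check a cloud security engineer would run to surface them: it parses an AWS IAM credential report and flags users whose enabled credentials have not been used within an idle window, were never used, or who have no enabled credentials at all but still exist as principals. The sample report rows, the account ID, the user names, the 90-day idle window and the AS_OF date (the episode date) are all constructed assumptions; the column names and the "N/A" / "no_information" / "not_supported" markers follow the real credential report format, of which only a subset of columns is reproduced here.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an AWS IAM credential report. Only a subset
# of the real report's columns is included; timestamps use its ISO-8601 format.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::111122223333:user/alice,2022-03-01T09:00:00+00:00,true,2024-06-01T14:22:10+00:00,true,2024-05-30T08:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-07-15T10:00:00+00:00,true,2023-09-02T11:05:00+00:00,true,2023-11-20T16:40:00+00:00,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-12-01T00:00:00+00:00,false,not_supported,true,no_information,false,N/A
contractor,arn:aws:iam::111122223333:user/contractor,2020-01-10T08:30:00+00:00,false,not_supported,false,N/A,false,N/A
"""

# Assumed "now" for the demonstration: the date of this episode.
AS_OF = datetime(2024, 6, 4, tzinfo=timezone.utc)

# Markers the credential report uses instead of a timestamp.
NEVER = {"N/A", "no_information", "not_supported", ""}


def parse_ts(value):
    """Return an aware datetime, or None for the report's never/unknown markers."""
    if value in NEVER:
        return None
    return datetime.fromisoformat(value)


def last_activity(row):
    """Most recent use across one identity's enabled credentials.

    Returns (has_enabled_credential, latest_use_or_None). Disabled credentials
    are ignored because they cannot be used, so they do not count as activity.
    """
    uses = []
    enabled = False
    if row["password_enabled"] == "true":
        enabled = True
        uses.append(parse_ts(row["password_last_used"]))
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] == "true":
            enabled = True
            uses.append(parse_ts(row[f"access_key_{n}_last_used_date"]))
    used = [u for u in uses if u is not None]
    return enabled, (max(used) if used else None)


def find_zombies(report_csv, now=None, max_idle_days=90):
    """Map user name -> reason for every identity that looks unused.

    - no enabled credentials: the principal still exists (and may still carry
      policies or group memberships) but nothing can sign in as it.
    - credentials never used: enabled but never exercised, and the user is
      older than the idle window, so it is not simply brand new.
    - idle since <date>: last use is older than the idle window.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_idle_days)
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        enabled, latest = last_activity(row)
        created = parse_ts(row["user_creation_time"])
        if not enabled:
            findings[row["user"]] = "no enabled credentials"
        elif latest is None:
            if created is None or created < cutoff:
                findings[row["user"]] = "credentials never used"
        elif latest < cutoff:
            findings[row["user"]] = f"idle since {latest.date()}"
    return findings


if __name__ == "__main__":
    for user, reason in sorted(find_zombies(SAMPLE_REPORT, AS_OF).items()):
        print(f"{user}: {reason}")
```

Against a real account you would feed in the output of `aws iam generate-credential-report` followed by `aws iam get-credential-report`, and the findings are a review queue rather than a delete list: a never-used deploy user may be newly provisioned, and a credential-less user may still be a member of groups that grant access the moment someone adds a key.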


The Amazon rainforest goes online. 

And finally, there’s an old Hollywood trope about the isolated village or jungle tribe that suddenly finds itself exposed to modern technology, and typically either hilarity or tragedy ensues. Heck, Star Trek has the Prime Directive to deal with this very thing. Well, thanks to Starlink satellite internet, a modern version of this is playing out. 

Allyson Reneau is a Brazilian anthropologist and researcher who has dedicated her career to studying and working with Indigenous communities in the Amazon rainforest. She's also the intrepid benefactor who's traveled to the heart of the Amazonian jungle to document what happens when the small Marubo tribe in Brazil suddenly finds themselves with access to the internet. Reneau provided the tribe with twenty Starlink systems to kickstart their journey into the digital domain.

Enoque Marubo, the tribe's leader (or "boss" as he calls himself), is excited about the prospect of getting online. He's already got his Amazon Prime account ready to go and is planning on binge-watching the entire series of "The Great British Baking Show". Meanwhile, Alfredo Marubo, Enoque's rival (or "arch-nemesis" as he puts it), is less optimistic about the arrival of the internet. He's worried that it'll corrupt the tribe with its "evil ways" and turn them all into gamers.

Interviews with other villagers echo common themes from around the world and from all walks of life. The internet is making these kids lazy, they don’t want to go outside anymore, but of course those grownups just don’t understand. 

But seriously, the arrival of the internet in the Amazon rainforest is a big deal. It's a chance for these remote communities to connect with the rest of the world, access important information, and even check out the latest cat videos.

A final programming note, which admittedly is a bit self-promotional, as yours truly is on it. We'd love you to take a listen to our newest podcast, "Only Malware in the Building."

We collaborated with our friends at Proofpoint on this one. The show is hosted by Proofpoint staff threat researcher, Selena Larson, along with N2K’s Rick Howard and me. Each month, we explore the mysteries around today’s most intriguing cyber threats. We have links in the show notes. Have a listen, you won’t regret it. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.