1M NextGen Patient Records Compromised in Data Breach
Analysis: NextGen Healthcare, a provider of cloud-based healthcare technology, has suffered a data breach in which a database containing over one million people’s personal information was stolen.
The company disclosed that the breach took place between March 29 and April 14, and was discovered on April 24. It was due to unauthorized access to the database resulting from stolen client credentials that appear to have been stolen from other sources.
The database contains names, personal identifiers, and Social Security numbers. Samples of the stolen data appeared on ransomware operator BlackCat’s leak site but were later removed. The breach could result in widespread identity theft, with healthcare providers being particularly vulnerable due to their historically inadequate cybersecurity measures. Ransomware attacks on healthcare organizations have been a persistent problem in recent years, with multiple government advisories and industry warnings.
Access Point recommends that you prioritize the following cybersecurity measures:
- Implement multi-factor authentication as a multi-layer defense.
- Have a strong password policy which requires a reset every 90 days.
- Ensure your staff are not using their corporate credentials for anything outside of corporate use.
- Have a dedicated threat hunting team to monitor for any leaked credentials pointing back to your business.
- Should any credentials be found, force a password reset for those users’ accounts.
Source
MSI Data Breach: Private Code Signing Keys Leaked on the Dark Web
Analysis: MSI, a Taiwanese PC maker, has suffered a double extortion ransomware attack by a new ransomware gang known as Money Message.
In the attack, the hackers were able to steal MSI’s private code signing keys, including private signing keys for Intel Boot Guard used by 116 MSI products. This could impact several device vendors, including Intel, Lenovo, and Supermicro.
Intel Boot Guard is a hardware-based security technology that is designed to protect computers against executing tampered UEFI (Unified Extensible Firmware Interface) firmware. The leak of the Intel Boot Guard keys poses significant risks as it undermines a vital firmware integrity check and could allow threat actors to sign malicious updates and other payloads to deploy them on targeted systems without raising any red flags.
The leak also follows another advisory from MSI, recommending that users be on the lookout for fraudulent emails targeting the online gaming community. The sender claims to be company-related, reaching out to users under the pretext of a potential collaboration.
Access Point recommends having strong encryption methods for sensitive data, and robust monitoring and logging mechanisms to detect and alert on any unauthorized access or unusual activity within your system. It is also essential that you have a dedicated security awareness training program that regularly educates and tests employees to ensure that they know how to detect and report a fraudulent email.
Source
New Cactus ransomware encrypts itself to evade antivirus
Analysis: A new ransomware operation named Cactus has been using vulnerabilities in VPN appliances to gain initial access to the networks of large commercial entities.
The operation, which began no later than March, has adopted file encryption and data theft as seen in other ransomware attacks, but added its own encryption twist to avoid detection. The ransomware encrypts itself using a batch script to obtain the encryptor binary using 7-Zip, which helps it evade anti-virus and network monitoring tools. To make file encryption possible, a unique AES key is provided using the -i command line argument. The ransomware steals data from victims and threatens to publish stolen files unless the ransom is paid.
Access Point never recommends that you pay ransom should you find yourself in that situation. When there is a compromise, having a tried and tested incident response plan, policies, and procedures for data breach incidents is essential to minimize the impact, while containing and mitigating the attack without business disruption.
Source
Meet Akira – A new ransomware operation targeting the enterprise
Analysis: Akira is a new ransomware operation that has targeted 16 companies since its launch in March 2023.
The ransomware encrypts files with a long list of extensions and appends the “.akira” extension to the filename. It also uses the Windows Restart Manager API to close processes or shut down Windows services that may be keeping a file open and preventing encryption. Each victim has a unique negotiation password that is entered into the threat actor’s Tor site, which includes a chat system that the victim can use to negotiate with the ransomware gang. The ransom note threatens to sell personal information, trade secrets, databases, and source codes if the victim does not pay the ransom.
As the threat landscape continues to evolve and grow and threat actors continuously find new ways to evade detection, your organization should have a dedicated threat hunting program. This program should focus on pro-actively hunting within your network for any indicators of compromise (IOCs) associated to threat groups that may have evaded detection. Constinuously monitoring these threat groups and their latest tactics, techniques, and procedures will help keep your organization safe from trending threats.
It is also essential that while hunting for any indicators of compromise, your team is also blocking any IOCs such as URLs, IP ranges, email addresses, file hashes, etc. Your focus should be on prevention and mitigation strategies, such as robust backups, segregated networks, defense mechanisms, and a tried and tested disaster recovery plan.
Source
ALPHV gang claims ransomware attack on Constellation Software
Analysis: Canadian software company Constellation Software confirmed that some of its systems were beached by threat actors who stole personal information and business data.
The attack was limited to a small number of systems related to internal financial reporting and related data storage. The independent IT systems of Constellation’s operating groups and business were not affected by the attack.
The ALPHV ransomware gang claimed responsibility for the attack and threatened to leak the stolen data if the company refused to negotiate. Constellation has restored all the IT infrastructure systems impacted in the incident and is contacting affected individuals and business partners. The ALPHV gang is considered one of the most significant ransomware threats targeting enterprises worldwide.
Access Point recommends taking the following precautionary measures:
- Keep all software and operating systems up to date with the latest patches and security updates.
- Implement MFA for all user accounts.
- Regularly backup critical data and keep it stored securely offline
- Have a proactive approach to detecting threats.
Source
Vulnerabilities
New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks
Analysis: Advanced Custom Fields plugin for WordPress has discovered a security flaw that requires users to update to version 6.1.6.
The vulnerability (CVE-2023-30777) is a case of reflected cross-site scripting (XSS), allowing the injection of arbitrary executable scripts into benign websites. This could lead to privilege escalation on the WordPress site, enabling any unauthenticated user to steal sensitive information. The free and pro versions of the plugin both have over two million active installations.
The reflected XSS attack takes place when victims are tricked into clicking on a bogus link via email or another means, sending the malicious code to the vulnerable website. The malicious attack then reflects back to the user's browser, causing harm. Although CVE-2023-30777 can occur on a default installation or configuration of Advanced Custom Fields, logged-in users with plugin access could also activate it.
Two medium-severity XSS flaws in Craft CMS (CVE-2023-30177 and CVE-2023-31144) have also been patched. Threat actors could exploit these vulnerabilities to distribute malicious payloads.
A separate XSS flaw has also been reported in the cPanel product. Without any authentication, this vulnerability (CVE-2023-29489) could run arbitrary JavaScript, allowing an attacker to attack the management ports of cPanel and the applications running on port 80 and 443, potentially leading to hijacking of valid user's cPanel sessions.
Access Point Technology recommends that users of Advanced Custom Fields plugin for WordPress update to version 6.1.6 to mitigate the security flaw that has been discovered (CVE-2023-30777).
Users of Craft CMS should also update their systems to mitigate the two medium-severity XSS flaws (CVE-2023-30177 and CVE-2023-31144). It is always recommended that users keep software and systems up to date with the latest security patches and updates to reduce the risk of vulnerabilities being exploited by malicious actors.
Source
Azure API Management Vulnerabilities Allowed Unauthorized Access
Analysis: Cloud security firm Ermetic has identified three vulnerabilities in Microsoft’s Azure API Management service that could allow malicious actors to access internal Azure assets, perform a denial-of-service attack, bypass web application firewalls, and upload malicious files.
All three vulnerabilities have been fully patched, according to Ermetic. The vulnerabilities were identified in the Azure API Management hosting proxy, the developer portal, and the Import from URL feature. Two of the vulnerabilities were related to server-side request forgery (SSRF) attacks, and one was a file upload path traversal flaw.
Ermetic found a URL formatting bypass that exploited the Import from URL feature, which allows for the use of a schema from a URL in APIs. By manipulating values in the request, attackers could bypass existing SSRF protections and access Azure internal services through a redirect bypass. The second bug exploited policies for inbound and outbound API processing in the hosting proxy, enabling an SSRF attack. The third vulnerability exploited the developer portal’s file upload feature, which allowed authenticated users to upload files and images without proper file type and path validation.
Ermetic researchers were able to clone their self-hosted API management instance and drop unwanted files onto the system using the third vulnerability. Ermetic notified Microsoft of its findings, which fully patched all three vulnerabilities.
Access Point Technology recommends that organizations using Microsoft’s Azure API Management service ensure that they have installed the latest security patches to address the identified vulnerabilities. These vulnerabilities could have allowed threat actors to perform various types of malicious actions, including accessing internal Azure assets and uploading malicious files. Ensure that your employees are aware of these vulnerabilities and take necessary precautions to protect your data and systems.
Source
New PaperCut RCE exploit created that bypasses existing detections
Analysis: A newly released proof-of-concept exploit for an actively exploited PaperCut vulnerability that bypasses all known detection rules has been discovered.
The vulnerability (CVE-2023-27350) is a critical severity unauthenticated remote code execution flaw in PaperCut MF or NG versions 8.0 or later that has been used in ransomware attacks. Since the flaw was first disclosed in March 2023, researchers have released PoC exploits, and security companies have released detection rules for PaperCut exploits and indicators of compromise. However, the new attack method discovered by VulnCheck can bypass existing detections, allowing attackers to exploit CVE-2023-27350 unobstructed.
VulnCheck's PoC exploits the "User/Group Sync" feature in PaperCut NG instead of using the built-in scripting interface, allowing an admin user to specify a custom program for user authentication. This approach does not create direct child processes or generate distinctive log entries, so Sysmon and Log File detections are bypassed. As for network signature detection methods, those can be easily bypassed if the attacker modifies the malicious HTTP request by adding an extra slash or an arbitrary parameter into it.
VulnCheck warns that hackers closely monitor what detection methods are employed by defenders and adjust their attacks to make them undetectable. Therefore, the best way to deal with this threat is to apply the recommended security updates, which are PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9 and later.
Access Point Technology recommends that PaperCut MF or NG users apply the recommended security updates, which are versions 20.1.7, 21.2.11, and 22.0.9 and later. These updates mitigate the critical severity unauthenticated remote code execution flaw in PaperCut MF or NG versions 8.0 or later.
Since a new PoC exploit has been discovered that can bypass all known detection rules, relying solely on detection rules may not be sufficient to prevent exploitation. Therefore, it is crucial to apply the recommended security updates to reduce the risk of vulnerabilities being exploited by malicious actors.
Source
Fortinet Patches High-Severity Vulnerabilities in FortiADC, FortiOS
Analysis: Fortinet has released its monthly security updates that cover nine vulnerabilities across multiple products, including two high-severity bugs in FortiADC, FortiOS, and FortiProxy.
The first vulnerability (CVE-2023-27999) is described as an “improper neutralization of special elements used in an OS command vulnerability” and affects FortiADC application delivery controller. The bug could be exploited by authenticated attackers through crafted arguments to execute unauthorized commands.
The second vulnerability (CVE-2023-22640) is an out-of-bounds write in the sslvpnd component of FortiOS and FortiProxy. An authenticated attacker can send a specially crafted request to achieve arbitrary code execution. The bug was found in various versions of FortiOS and FortiProxy and was addressed in newer versions.
Fortinet also released patches for medium-severity vulnerabilities in FortiNAC and FortiADC, including weak authentication issues, hard-coded credentials, path traversal, and improper neutralization of input. Additionally, several low-severity bugs in FortiNAC were addressed.
Fortinet has not reported any of these vulnerabilities as being exploited maliciously. However, the company warns customers that unpatched Fortinet products are susceptible to attack and advises them to apply available security updates as soon as possible.
Fortinet’s PSIRT advisories page provides further information on the resolved vulnerabilities. Fortinet is a multinational cybersecurity company that provides network security solutions and services for businesses, governments, and service providers.
Access Point Technology recommends Fortinet customers apply the available security updates as soon as possible to address the vulnerabilities in their Fortinet products. Customers should refer to Fortinet’s PSIRT advisories page for additional information on the resolved vulnerabilities.
Source
.webp)
.png)
