Threat Intelligence Report – October 28th

Cyber Research Discoveries: Weekly Insights (28th October 2024)

As the digital landscape continues to evolve, so do the threats that accompany it. The week of October 28, 2024, has seen significant developments in cyber research, highlighting the persistent challenges organizations face in safeguarding their data and infrastructure. This article delves into the latest attacks, breaches, vulnerabilities, and threat intelligence reports, providing a comprehensive overview of the current cyber threat landscape.

Top Attacks and Breaches

RansomHub Targets Mexican Airports

Grupo Aeroportuario del Centro Norte (OMA), which operates 13 airports across Mexico, recently fell victim to a cyberattack orchestrated by the RansomHub ransomware gang. The attackers threatened to leak 3TB of stolen data unless a ransom was paid. This breach disrupted terminal information screens and forced OMA to activate backup systems. Fortunately, there have been no reported material adverse effects on operations or finances thus far. Organizations can bolster their defenses against such threats using solutions like Check Point Harmony Endpoint and Threat Emulation, which provide protection against RansomHub ransomware variants.

Landmark Admin Data Breach

In another alarming incident, Landmark Admin, a third-party administrator for major insurance carriers, announced a data breach affecting over 800,000 individuals. The breach, which resulted from unauthorized network access and data encryption between May and June 2024, exposed sensitive personal and financial information, including names, Social Security numbers, passport numbers, and medical records. This incident underscores the importance of robust cybersecurity measures for third-party vendors.

Henry Schein’s Ransomware Attack

Healthcare giant Henry Schein confirmed a ransomware attack from 2023 that resulted in the theft of sensitive data, impacting its manufacturing, distribution, and e-commerce operations. The BlackCat ransomware group claimed responsibility for this attack, which has raised concerns about the security of healthcare data. Check Point Harmony Endpoint and Threat Emulation can help organizations protect against such ransomware threats.

Telecom Breaches Linked to Chinese Hackers

The FBI and CISA are investigating breaches at multiple U.S. telecommunications companies, including AT&T, Verizon, and Lumen Technologies, attributed to a Chinese government-affiliated group known as Salt Typhoon. These attacks targeted systems used for wiretaps and compromised devices belonging to prominent politicians, including former President Trump and Vice President Harris. This incident highlights the geopolitical dimensions of cybersecurity threats.

UnitedHealth’s Massive Data Breach

UnitedHealth’s subsidiary, Change Healthcare, admitted to a ransomware attack by the BlackCat group that compromised personal and healthcare data of 100 million individuals. The breach, which led to a $22 million ransom payment, is now considered the largest healthcare data breach in U.S. history, with ongoing losses estimated at $2.45 billion. This incident serves as a stark reminder of the vulnerabilities within the healthcare sector.

Swiss Vocational School Ransomware Attack

Berufsbildungszentrum (BBZ), a vocational school in Switzerland, experienced a ransomware attack that blocked access to several IT systems due to a security gap in the firewall. Investigators are currently assessing whether personal data was compromised. This attack is part of a broader wave of cyberattacks targeting educational institutions across Europe, emphasizing the need for enhanced cybersecurity measures in the education sector.

Vulnerabilities and Patches

Critical Vulnerabilities Identified by CISA

The Cybersecurity and Infrastructure Security Agency (CISA) has issued urgent advisories for two critical vulnerabilities: CVE-2024-20481 and CVE-2024-37383. The first, rated at 9.8, affects Cisco ASA and FTD and allows an attacker to crash the device with crafted HTTP requests, causing a denial of service. The second, rated at 6.5, is a cross-site scripting vulnerability in Roundcube Webmail that could lead to data theft and session hijacking. Organizations are urged to apply the vendor patches promptly to mitigate these risks.

Lazarus Group Exploits Google Chrome

The notorious Lazarus Group has exploited a zero-day vulnerability (CVE-2024-4947) in Google Chrome via a fake DeFi game website, targeting cryptocurrency users. This vulnerability allowed attackers to control victims’ browsers and access sensitive data, including authentication tokens and passwords. Check Point IPS provides protection against this threat, emphasizing the importance of keeping software up to date.

Fortinet and VMware Address Critical Vulnerabilities

Fortinet has patched a critical vulnerability (CVE-2024-47575) in FortiManager, which was exploited in zero-day attacks, allowing unauthorized access to servers and the exfiltration of sensitive data. Additionally, VMware has fixed two critical-severity vulnerabilities (CVE-2024-38812 and CVE-2024-38813) in its vCenter Server and VMware Cloud Foundation products, which could enable remote code execution and privilege escalation.

Threat Intelligence Reports

APT29’s Phishing Campaign

Amazon has identified internet domains abused by the Russian APT29 group as part of a phishing campaign that deploys rogue Remote Desktop Protocol (RDP) files. These malicious RDP connections enable attackers to access and potentially steal data from government and military organizations. Organizations can protect themselves against these threats using Check Point Harmony Endpoint and Threat Emulation.
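A practical defensive step against rogue RDP files is to inspect them before they are opened and flag settings that hand the remote host access to local resources. The following is an added example, not code from Amazon, Check Point or the report above: it parses the standard `name:type:value` text format of `.rdp` files and reports any that point at a host outside an allowlist or that turn on resource redirection (drives, clipboard, printers, smart cards, COM ports, RemoteApp mode). The report does not say which settings the APT29 files used, so the set of flags treated as risky, the trusted-host list and the sample files are this example's own assumptions.

```python
"""Flag risky settings in .rdp files before they are opened (added example).

An .rdp file is plain text, one setting per line, in the form name:type:value
(type s = string, i = integer). The setting names used here are the standard
RDP file names; which of them count as risky is this example's own assumption.
"""
from __future__ import annotations

from typing import Dict, List, Set, Tuple

# Integer settings whose value 1 shares a local resource with the remote host.
INT_FLAGS = {
    "redirectclipboard": "clipboard is shared with the remote host",
    "redirectprinters": "local printers are exposed to the remote host",
    "redirectsmartcards": "smart cards are forwarded to the remote host",
    "redirectcomports": "COM ports are forwarded to the remote host",
    "audiocapturemode": "microphone audio is sent to the remote host",
}

# String settings whose non-empty value maps local devices into the session.
STRING_REDIRECTS = {
    "drivestoredirect": "local drives are mapped into the remote session",
    "devicestoredirect": "plug-and-play devices are mapped into the session",
    "usbdevicestoredirect": "USB devices are mapped into the session",
}

Finding = Tuple[str, str]  # (setting name, explanation)


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse name:type:value lines into a dict keyed by lowercased name."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank line or comment
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # malformed line: ignore rather than crash on hostile input
        name, _type, value = parts
        settings[name.strip().lower()] = value.strip()
    return settings


def host_of(full_address: str) -> str:
    """Return the host part of a 'full address' value, dropping an optional :port."""
    addr = full_address.strip().lower()
    if addr.startswith("[") and "]" in addr:          # bracketed IPv6 literal
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:                          # host:port
        return addr.rsplit(":", 1)[0]
    return addr


def analyze_rdp(text: str, trusted_hosts: Set[str]) -> List[Finding]:
    """Return findings for one .rdp file; an empty list means nothing looked risky."""
    s = parse_rdp(text)
    findings: List[Finding] = []

    host = host_of(s.get("full address", ""))
    if not host:
        findings.append(("full address", "no target host is set"))
    elif host not in trusted_hosts:
        findings.append(("full address", f"connects to untrusted host {host!r}"))

    gateway = s.get("gatewayhostname", "").lower()
    if gateway and gateway not in trusted_hosts:
        findings.append(("gatewayhostname", f"uses untrusted RD Gateway {gateway!r}"))

    for name, why in INT_FLAGS.items():
        if s.get(name) == "1":
            findings.append((name, why))
    for name, why in STRING_REDIRECTS.items():
        if s.get(name):
            findings.append((name, f"{s[name]!r}: {why}"))
    if s.get("remoteapplicationmode") == "1":
        prog = s.get("remoteapplicationprogram", "<unset>")
        findings.append(("remoteapplicationmode",
                         f"RemoteApp mode hides the full desktop; program {prog!r}"))
    return findings


# Constructed sample files for this example (not real campaign artifacts).
SUSPICIOUS_RDP = """\
full address:s:rdp.attacker.invalid:3389
username:s:jdoe
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Browser
"""

BENIGN_RDP = """\
; constructed benign file pointing at an approved jump host
full address:s:rdp.corp.example
redirectclipboard:i:0
drivestoredirect:s:
"""

TRUSTED_HOSTS = {"rdp.corp.example"}  # assumed allowlist

if __name__ == "__main__":
    for label, body in (("suspicious", SUSPICIOUS_RDP), ("benign", BENIGN_RDP)):
        print(f"[{label}]")
        for setting, why in analyze_rdp(body, TRUSTED_HOSTS) or [("-", "no findings")]:
            print(f"  {setting}: {why}")
```

In deployment this check would run at the mail gateway or as a pre-open hook on endpoints, and a non-empty findings list would quarantine the attachment rather than merely log it; the allowlist should be the organisation's own set of approved jump hosts and RD Gateways.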

Emergence of Qilin.B Ransomware

Researchers have discovered a new variant of the Qilin ransomware, dubbed Qilin.B, which exhibits advanced encryption techniques and enhanced defense evasion capabilities. This ransomware targets both Windows and Linux systems for double extortion schemes, highlighting the evolving sophistication of cyber threats.

Grandoreiro Banking Trojan Analysis

Researchers have analyzed Grandoreiro, a Brazilian banking trojan utilized by threat actors to conduct fraudulent banking operations globally. This trojan bypasses banking institutions’ security measures, emphasizing the need for robust cybersecurity practices among financial institutions.

Conclusion

The cyber threat landscape is constantly evolving, with new attacks, breaches, and vulnerabilities emerging weekly. Organizations must remain vigilant and proactive in their cybersecurity efforts to protect sensitive data and infrastructure. By leveraging advanced security solutions and staying informed about the latest threats, businesses can better defend against the ever-present risks in the digital world. For more in-depth insights, download our Threat Intelligence Bulletin.
