Cyber News Roundup for April 26, 2024

Welcome to our Cyber News Roundup, your go-to source for staying informed about the ever-evolving world of cybersecurity. Staying ahead of the curve is more crucial than ever as cyber threats continue to evolve and adapt at an unprecedented pace.

Each week, we’ll share a curated selection of top stories from around the globe. Whether you’re a seasoned cybersecurity professional, a business owner looking to safeguard your digital assets, or simply someone interested in staying informed about online security issues, our roundup has something for you.

Our team of cybersecurity experts sifts through the noise to deliver concise summaries on the latest in cybersecurity, empowering you to make informed decisions and strengthen your cyber defenses.

 

1. Frontier Communications discloses cyberattack 

US telecom provider Frontier Communications disclosed in an SEC filing yesterday that the company sustained a cyberattack on Sunday, Dark Reading reports. The attack resulted in the theft of personally identifiable information and caused the company to shut down some of its systems. The nature of the attack wasn’t disclosed, but SecurityWeek notes that Frontier’s response to the incident suggests that ransomware was involved. Frontier says it believes “the third party was likely a cybercrime group.” The company added, “As of the date of this filing, the Company believes it has contained the incident and has restored its core information technology environment and is in the process of restoring normal business operations.” (SecurityWeek)

 

2. Texas town repels water system cyberattack by unplugging 

In the face of a cyberattack reportedly linked to Russia that targeted the water system of a small Texan city, one notable action taken was the decision to physically unplug computers from the network. This move, while seemingly simple, played a crucial role in mitigating the impact of the attack and preventing further infiltration into the city’s critical infrastructure. (Bloomberg)

 

3. MITRE’s breach was through Ivanti zero-day vulnerabilities 

The MITRE Corporation is a not-for-profit organization that oversees federally funded research. In a blog post released on Friday the organization stated that it had been breached and reconnoitered by nation-state hackers in January. The group exploited one of its VPNs through two vulnerabilities in Ivanti Connect Secure. In the blog post, MITRE explained that the hackers used a “combination of sophisticated backdoors and webshells to move laterally and harvest credentials.” The organization said, “it followed advice from the government and Ivanti to upgrade, replace, and harden our Ivanti system, but we did not detect the lateral movement into our VMware infrastructure,” adding, “at the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient.” (The Record and MITRE blog post

 

4. SafeBreach researchers disclose vulnerabilities in Windows Defender that allow remote file deletion

At the Black Hat Asia conference, SafeBreach cybersecurity researchers Tomer Bar and Shmuel Cohen disclosed vulnerabilities in Windows Defender that allow remote file deletion on Windows and Linux servers, risking data loss and system instability. By inducing false positives in security systems, they demonstrated the potential to bypass security controls and delete crucial files without authentication. The researchers developed a Python tool to discover unique byte signatures in Endpoint Detection and Response (EDR) systems, exploiting these for remote deletions of significant files, including Windows event logs and Microsoft’s own detection logs. Despite Microsoft’s attempt to fix the vulnerability, SafeBreach found the patch partially effective, leaving some attack vectors open and discovering another vulnerability as a bypass. Microsoft acknowledged the findings, implementing measures to minimize false positives and allowing configurations to quarantine remediation actions by default. (GBHackers)

 

5. The White House and HHS update HIPAA rules to protect private medical data

The Biden administration introduced new rules on Monday aimed at protecting the privacy of abortion providers and patients from conservative legal challenges. These regulations, updated by the Department of Health and Human Services (HHS), prohibit healthcare providers, insurers, and related entities from disclosing health information to state officials involved in investigating or prosecuting patients or providers related to abortion services. The updates to the Health Insurance Portability and Accountability Act (HIPAA), originally established in 1996, now address modern challenges in reproductive rights, particularly for those seeking legal abortions across state lines or under special circumstances like rape. These changes, set to take effect in two months, come amid significant concerns about the misuse of private medical data in the charged post-Dobbs legal environment. The new rule also mandates that any requests for health information related to reproductive health must be formally declared as unrelated to criminal investigations or legal actions. (The Record)

 

6. TikTok ban passes the US House

The bill passed as part of a larger foreign aid package by a vote of 360-58. THe House passed a similar standalone TikTok ban last month by a vote of 362-65, but that currently sits stalled in the Senate. Due to the new bill’s ties to allies in Ukraine and Israel, the Senate will likely vote on it much faster. Senate Commerce Committee Chair Maria Cantwell already signed her support of the legislation. The new bill gives ByteDance potentially up to a year to divest of TikTok prior to a formal ban, up from six months laid out in the earlier bill. If it passes the Senate as-is, President Biden already signaled he would sign it into law. (The Verge)

 

7. CrushFTP exposes system files

Security researcher Simon Garrelou reported a vulnerability in the CrushFTP service. All versions of CrushFPT under 11.1 contain the flaw, which for virtual file system escape and access to full system files. CrowdStrike reports seeing the flaw under active exploitation “in a targeted fashion.” CrowdStrike’s intelligence report indicates these attacks represent politically motivated recognizance. CrushFTP released a patch for the flaw, available through its dashboard. (Infosecurity Magazine)

 

8. Medical diagnostic services disrupted by ransomware

The medical diagnostic and testing services provider Synlab Italia announced it suffered a security breach on April 18th. It took all IT systems offline including email and suspended medical services. This impacted 380 labs and medical centers across Italy. It did not impact the rest of the Synlab group, which operates in 29 other countries. Synlab Italia did not confirm if it lost patient data in the attack. No word on any group taking responsibility for the attack. (Bleeping Computer)

 

9. ArcaneDoor hackers exploit Cisco zero-days to breach govt networks

Hackers utilizing previously undiscovered vulnerabilities in Cisco’s firewall products, executed a sophisticated campaign targeting government entities worldwide. Dubbed ArcaneDoor, this operation has been active since November 2023, and is linked to the threat groups UAT4356 and STORM-1849. These groups deployed custom malware for espionage, leading Cisco to issue urgent advisories for updating affected devices to mitigate risks. (Bleepingcomputer)

 

10. Siemens working to fix device affected by Palo Alto firewall bug

Siemens is rushing to fix a bug we reported last week on Cyber Security Headlines, that is affecting its Ruggedcom APE1808 devices configured with Palo Alto Networks (PAN) virtual next-gen firewalls. The bug in question is a maximum severity zero-day command injection vulnerability (identified as CVE-2024-3400) that affects multiple versions of PAN-OS. Palo Alto said a growing number of attacks are leveraging public proof-of-concept exploit code to deploy a novel Python backdoor. Siemens’ advisory references Palo Alto’s recommendation to disable GlobalProtect gateway and GlobalProtect portal, which they point out are disabled by default in Ruggedcom APE1808 deployments. (Dark Reading)

 

11. Russian hackers claim cyberattack on Indiana water plant

Over the weekend, the threat actor known as the Cyber Army of Russia posted a video on its Telegram channel showing how they hacked systems of the Tipton Wastewater Treatment Plant. Tipton provides the city of Tipton and surrounding areas with electric power, water, and wastewater collection and treatment. An Indiana official confirmed that the plant suffered a cyberattack on Friday evening. Tipton’s general manager, Jim Ankrum, said, “TMU experienced minimal disruption and remained operational at all times.” Security research firm Mandiant recently reported that the Cyber Army of Russia has ties to the Russian state actor, Sandworm, which was responsible for a separate attack on a water facility in Muleshoe, Texas that caused a tank to overflow. (The Record)

 

12. Siemens working to fix device affected by Palo Alto firewall bug

Siemens is rushing to fix a bug we reported last week on Cyber Security Headlines, that is affecting its Ruggedcom APE1808 devices configured with Palo Alto Networks (PAN) virtual next-gen firewalls. The bug in question is a maximum severity zero-day command injection vulnerability (identified as CVE-2024-3400) that affects multiple versions of PAN-OS. Palo Alto said a growing number of attacks are leveraging public proof-of-concept exploit code to deploy a novel Python backdoor. Siemens’ advisory references Palo Alto’s recommendation to disable GlobalProtect gateway and GlobalProtect portal, which they point out are disabled by default in Ruggedcom APE1808 deployments. (Dark Reading)

 

13. Russian hackers claim cyberattack on Indiana water plant

Over the weekend, the threat actor known as the Cyber Army of Russia posted a video on its Telegram channel showing how they hacked systems of the Tipton Wastewater Treatment Plant. Tipton provides the city of Tipton and surrounding areas with electric power, water, and wastewater collection and treatment. An Indiana official confirmed that the plant suffered a cyberattack on Friday evening. Tipton’s general manager, Jim Ankrum, said, “TMU experienced minimal disruption and remained operational at all times.” Security research firm Mandiant recently reported that the Cyber Army of Russia has ties to the Russian state actor, Sandworm, which was responsible for a separate attack on a water facility in Muleshoe, Texas that caused a tank to overflow. (The Record)

 

14. ArcaneDoor hackers exploit Cisco zero-days to breach government networks

Hackers utilizing previously undiscovered vulnerabilities in Cisco’s firewall products, executed a sophisticated campaign targeting government entities worldwide. Dubbed ArcaneDoor, this operation has been active since November 2023, and is linked to the threat groups UAT4356 and STORM-1849. These groups deployed custom malware for espionage, leading Cisco to issue urgent advisories for updating affected devices to mitigate risks. (Bleepingcomputer)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.