Cyber News Roundup for August 5, 2024

Start your week in the know.

Last week’s cyber headlines bring news from Delta Air Lines CEO Ed Bastian, who stated that the recent CrowdStrike outage cost the company $500 million in damages; CrowdStrike is also being sued by shareholders over the outage. In healthcare news—OneBlood, a major blood donation nonprofit, sustained a ransomware attack that disrupted its operations, and has asked hospitals to activate critical blood shortage protocols. Additionally, researchers in the Netherlands report a significant increase in cyberattacks on the shipping industry, with 64 incidents in 2023 compared to just three in 2013. HealthEquity is notifying 4.3 million people of a data breach that compromised personal and health information through a third-party vendor. A phishing campaign dubbed “EchoSpoofing” exploited weak permissions in Proofpoint’s email protection service, sending millions of fake emails impersonating Fortune 100 companies.

All this and more on this week’s Cyber News Roundup.


South Korea investigates reported military intelligence leak

South Korea is investigating a leak that reportedly exposed the identities of its military intelligence agents, the New York Times reports. South Korean media reported that the leak, which includes the identities of agents operating under civilian cover, may have reached North Korea. NK News cites sources as saying the leak is believed to have occurred “through a personal laptop belonging to a military-civilian public servant in the DIC’s overseas operations department.” The owner of the laptop claims the device was hacked, in which case they would still be guilty of storing classified information on a personal device. Seoul’s defense ministry said in a statement, “[T]he matter is currently under investigation by military authorities, so we cannot provide detailed explanations. Based on the investigation results, the military will handle the matter strictly according to the law and regulations.” (NYT)


Cyberattacks in the shipping industry

Researchers at the Netherlands’ NHL Stenden University of Applied Sciences warn that the shipping industry is facing a significant increase in cyberattacks, the Financial Times reports. The sector saw sixty-four attacks in 2023, compared to just three a decade earlier in 2013. More than 80 percent of the cyberattacks recorded since 2001 were attributed to a known threat actor linked to Russia, China, North Korea, or Iran. (FT)


4.3 million impacted by HealthEquity data breach

One of the largest HSA providers in the U.S., HealthEquity, is in the process of notifying 4.3 million people that their personal and health information was compromised. The company disclosed that the breach was attributed to a third-party vendor and that threat actors stole PII, including names, Social Security numbers, and payment information. While HealthEquity did not name the compromised vendor, those impacted should expect to be notified early next month. (Security Week, Bleeping Computer)


Proofpoint exploit allows for millions of fake emails

This phishing campaign was reeling in the big boys. Dubbed “EchoSpoofing,” this massive phishing campaign exploited now-fixed weak permissions in Proofpoint’s email protection service. The emails impersonated Fortune 100 companies like Disney, Nike, IBM, and Coke, with an average of 3 million fake emails sent daily. It wasn’t easy deciphering these fake emails; they included properly configured Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures to make the emails look authentic. The security gap was discovered in May and has since been fixed, though Bleeping Computer reports the campaign reached a peak of 14 million emails in early June. (Bleeping Computer)


PatchNow: CISA adds two ServiceNow critical RCE bugs to catalog

A threat actor has claimed to have harvested email addresses and associated hashes from over 105 ServiceNow databases by exploiting two critical vulnerabilities (CVE-2024-4879 and CVE-2024-5217). These vulnerabilities, with CVSS scores of 9.3 and 9.2, respectively, have been actively exploited, and the stolen data is now being sold for $5,000. The US Cybersecurity and Infrastructure Security Agency (CISA) has added these flaws to its Known Exploited Vulnerabilities catalog, mandating that federal agencies patch them by August 19. (Dark Reading)


WhatsApp for Windows allows Python to run wild

A security flaw in the latest version of WhatsApp for Windows allows Python and PHP attachments to execute without warning when opened, Bleeping Computer reports. This primarily affects users with Python already installed, such as developers and researchers. The issue is similar to a previous Telegram vulnerability. Despite blocking several risky file types, WhatsApp does not block Python scripts, which can be executed directly from the app. Security researcher Saumyajeet Das discovered this vulnerability and reported it to Meta, but the issue was dismissed as non-applicable. Das criticized this decision, suggesting that simply adding the relevant file extensions to WhatsApp’s blocklist could prevent exploitation. WhatsApp advises users not to open files from unknown sources and has no current plans to fix the issue, leaving users vulnerable to potential attacks. (Bleeping Computer)


Dark Angels receives record-breaking ransom payment

A new report from Zscaler ThreatLabz has revealed that an unnamed company paid a record-breaking $75 million ransom to the Dark Angels ransomware gang. Zscaler did share that the company was in the Fortune 50 and that the attack occurred in early 2024. The record-breaking ransom payment was further confirmed on X by crypto intelligence company Chainalysis. One Fortune 50 company that suffered a cyberattack back in February is pharmaceutical giant Cencora, ranked #10 on the list. Cencora has not confirmed it made this particular payment. Dark Angels launched in May 2022 and is known for “big game hunting” and for using Windows and VMware ESXi ransomware encryptors. Previously, the largest known ransom payment was $40 million, shelled out back in 2021 by insurance giant CNA. (Bleeping Computer)


Microsoft services go down… again

On Tuesday, Microsoft once again found itself grappling with service outages, this time seemingly unrelated to CrowdStrike. These issues appear to have affected the Microsoft 365 admin center, Intune, Entra, Power Platform, and Power BI, in addition to reports of lagging authentication requests taking up to 10 minutes to complete. The company acknowledged the issues and said the outage was caused by an “unexpected usage spike” that “resulted in Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components performing below acceptable thresholds.” Security expert Kevin Beaumont speculated that the issues may have been caused by a botnet-generated distributed denial of service (DDoS) attack. (ZDNet and Bleeping Computer)


CISA warns of actively exploited ServiceNow vulnerabilities

CISA has also added two critical ServiceNow vulnerabilities (CVE-2024-4879 and CVE-2024-5217) to its KEV Catalog, requiring FCEB agencies to patch the flaws by August 19th, the Record reports. ServiceNow issued patches for the vulnerabilities in May and June, and threat actors have been attempting to exploit them since a proof-of-concept exploit was released earlier this month. According to Resecurity, the vulnerabilities “enable unauthenticated remote attackers to execute arbitrary code within the Now Platform, potentially leading to compromise, data theft, and disruption of business operations.” (The Record)


Ransomware gangs are exploiting VMware ESXi flaws

Microsoft has warned that several ransomware actors are exploiting a vulnerability (CVE-2024-37085) in ESXi hypervisors that can be used to obtain full administrative permissions. VMware has issued patches for the flaw. Microsoft stated, “Microsoft security researchers identified a new post-compromise technique utilized by ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous attacks. In several cases, the use of this technique has led to Akira and Black Basta ransomware deployments. The technique includes running the following commands, which results in the creation of a group named ‘ESX Admins’ in the domain and adding a user to it.” The US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to apply patches by August 20th. (Broadcom)
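The technique Microsoft describes leaves a footprint in domain controller audit logs: a group named “ESX Admins” being created, renamed into existence, or gaining members. The following detection is an added example written for this roundup, not Microsoft's or Broadcom's code; it runs over constructed sample events in JSON-lines form and assumes standard Windows Security event IDs 4727 (global group created), 4728 (member added) and 4781 (account renamed) with their usual field names.

```python
import json
import re

# Constructed sample Windows Security events exported as JSON lines (not real
# logs). 4727 = security-enabled global group created, 4728 = member added to a
# security-enabled global group, 4781 = an account (here a group) was renamed.
SAMPLE_LOG = """
{"EventID": 4727, "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"}
{"EventID": 4728, "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins", "MemberName": "CN=svc-backup,OU=Users,DC=corp,DC=example"}
{"EventID": 4727, "Computer": "DC01", "SubjectUserName": "hr-admin", "TargetUserName": "Finance Team"}
{"EventID": 4728, "Computer": "DC01", "SubjectUserName": "hr-admin", "TargetUserName": "Finance Team", "MemberName": "CN=alice,OU=Users,DC=corp,DC=example"}
{"EventID": 4781, "Computer": "DC02", "SubjectUserName": "jdoe", "OldTargetUserName": "Helpdesk", "NewTargetUserName": "esx admins"}
"""

# Tolerant match: case-insensitive and whitespace-normalised, so spelling
# variants of the group name do not slip past the detection.
ESX_ADMINS = re.compile(r"^\s*esx\s+admins\s*$", re.IGNORECASE)

# Event IDs worth alerting on; the rename case (4781) is an assumed variant
# added here, the page itself only mentions creating the group and adding a user.
WATCHED = {4727: "group_created", 4728: "member_added", 4781: "group_renamed"}


def parse_events(log_text):
    """Parse JSON-lines log text into a list of event dicts."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def find_esx_admins_activity(events):
    """Return one alert per creation, rename or membership change that
    touches a group whose name matches 'ESX Admins'."""
    alerts = []
    for ev in events:
        action = WATCHED.get(ev.get("EventID"))
        if action is None:
            continue
        # For a rename, only the *new* name matters.
        group = ev.get("NewTargetUserName") if action == "group_renamed" else ev.get("TargetUserName")
        if not group or not ESX_ADMINS.match(group):
            continue
        alerts.append({
            "action": action,
            "group": group,
            "actor": ev.get("SubjectUserName"),
            "member": ev.get("MemberName"),
            "host": ev.get("Computer"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_esx_admins_activity(parse_events(SAMPLE_LOG)):
        print(alert)
```

In an environment where ESXi hosts are domain-joined, any hit from this logic warrants immediate triage, since membership of that group is what the flaw turns into hypervisor admin rights.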


Delta dishes on CrowdStrike damages

Just yesterday we mentioned that Delta Air Lines began lawyering up for legal action against CrowdStrike. In an update, Delta CEO Ed Bastian laid out the stakes on CNBC for any potential legal action, saying it cost the company $500 million in damages. This accounts for the lost revenue from the outage as well as compensation and hotels for stranded passengers. Delta canceled over 5,000 flights over a five-day period due to the outage, more than all cancelations in 2019. The outage also sparked an investigation by the US Department of Transportation. Bastian said the company has “no choice” but to seek damages from CrowdStrike. (CNBC)


CrowdStrike sued by shareholders over outage

CrowdStrike’s shareholders have filed a lawsuit against the company over last week’s outage, accusing CrowdStrike of making “false and misleading” statements about its software testing, the BBC reports. CrowdStrike has denied the allegations and says it will defend itself. Delta Air Lines is also planning to sue CrowdStrike for compensation, CNBC reports. Delta estimates that the outage cost the airline up to $500 million after 7,000 flights were canceled. The company has hired high-profile attorney David Boies to handle the suit. (BBC, CNBC)


Ransomware attack disrupts US blood donation nonprofit

OneBlood, a major nonprofit blood donation organization operating in the southeastern US, has sustained a ransomware attack that’s disrupting its ability to provide blood to hospitals, the Record reports. Susan Forbes, OneBlood’s senior vice president of corporate communications, said in a statement, “We have implemented manual processes and procedures to remain operational. Manual processes take significantly longer to perform and impacts inventory availability. In an effort to further manage the blood supply we have asked the more than 250 hospitals we serve to activate their critical blood shortage protocols and to remain in that status for the time being.”

OneBlood added, “To help augment their supply the national blood community is rallying to assist OneBlood and the hospitals and patients it serves. Blood centers across the country are sending blood and platelets to OneBlood, and the AABB Disaster Task Force is coordinating national resources to assist with additional blood products being sent to OneBlood. All blood types are needed, but there is an urgent need for O Positive, O Negative and Platelet donations.” According to CBS News, OneBlood serves 355 hospitals across Florida, Georgia, and the Carolinas. (The Record, CBS)


Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.