Group Health Cooperative of South Central Wisconsin Suffers Ransomware Attack
The Group Health Cooperative of South Central Wisconsin (GHC-SCW) has been subjected to a significant ransomware attack, affecting 533,809 individuals.
Identified on 25 January 2024, this incident did not involve data encryption but led to the unauthorised exfiltration of sensitive data. The GHC-SCW, whilst identifying the attacker, has not disclosed their identity publicly. However, the Blacksuit ransomware group claimed responsibility on their leak site in March.
Additionally, the threat actor claims to have accessed patients' financial information, employee data, business contracts, and email correspondences. Compromised data could include individuals' names, addresses, telephone numbers, email addresses, dates of birth and/or deaths, social security numbers, member numbers, and Medicare/Medicaid numbers.
Despite their claims, there's currently no evidence of the leaked data being exploited.
The incident highlights the need for robust cyber security measures such as Network Detection and Response (NDR) and Security Information and Event Management (SIEM) systems. These could have potentially detected the data exfiltration, emphasising the necessity for enhanced network visibility and real-time monitoring to avert similar incidents.
SharePoint Logging Evasion Techniques Uncovered
Recent research has exposed two novel techniques that facilitate the bypassing or manipulation of SharePoint audit logs, raising significant concerns given SharePoint's widespread adoption by enterprises globally.
These methods allow unauthorised file downloads without detection, posing a high risk to confidential company information. The first technique exploits the "Open in App" feature, which is only logged as an "Access" event, rendering the download activity less conspicuous. The second method involves spoofing the user-agent string to mimic Microsoft SkyDriveSync calls, thus appearing as a routine "FileSyncDownloadedFull" event.
Flaws were first reported by Varonis Threat Labs in November 2023, but due to them being as moderate fixes are planned for future updates.
Large numbers of access events should be investigated. Limiting users to only be able to access the files they need will reduce the possible scope of an attack from any one user. Syncronisation events should be monitored for suspicious activity such as strange working hours or unusual access locations.
Fortinet Vulnerabilities: A Trio of Security Concerns
Fortinet has recently disclosed three vulnerabilities in its products, presenting varying degrees of risk, including cookie leakage, arbitrary command execution, and sensitive information exposure.
The most severe, CVE-2023-41677, involves a scenario where attackers could capture administrator cookies under specific conditions, particularly when administrators are deceived into visiting malicious websites while using SSL-VPN. This high-severity vulnerability, rated 7.5, affects multiple versions of FortiOS and FortiProxy.
Another issue, CVE-2023-48784, allows for arbitrary code execution in FortiOS due to an externally controlled format string in the command line interface. This medium-severity vulnerability requires local super-admin profile and CLI access for exploitation. The third, CVE-2024-23662, enables unauthenticated actors to collect sensitive device information via HTTP requests, and was rated as medium severity.
The above vulnerabilities range in severity and likeliness of exploitation. However these vulnerabilities could allow an attacker to gain access to a network or gather important reconnaissance information. Affected products should be patched as soon as possible..
WordPress Sites Targeted by "Crypto Drainers"
The security firm Sucuri has disclosed a widespread campaign targeting WordPress sites, with over 2,000 known compromises designed to siphon cryptocurrency from unsuspecting victims. The attackers embedded fake NFT and discount pop-ups across these sites, coaxing visitors to connect their crypto wallets with promises of receiving discounts or NFTs.
These "Crypto drainers" then proceed to drain the connected wallets of funds and NFTs. The initial attack strategy has evolved, now employing scripts that exploit browser vulnerabilities to brute force other sites' passwords, signifying a shift towards a more extensive and monetised campaign.
The malicious scripts, loaded from dynamic-linx[.]com, activate if the "haw" cookie is absent, injecting harmful code into webpages.
Users are urged to never connect your wallets to a website which uses advertisements as the main connection method. Nothing is for free when related to cryptocurrency, discounts which are offered on websites which never previously accepted cryptocurrency are most likely a scam. Best to only use trusted platforms. Check with platforms who claim to recently accept crypto payments. Connect a wallet with minimal funds when something seems off or uncertain.
