Contents

01. News Bites
  • CDK Global Cyberattack, thousands of U.S. Car Dealerships at risk

  • Critical Analysis of Medibank Cyberattack Reveals Lapses in MFA Enforcement

  • More than 800 operations and 700 outpatient appointments postponed since London Cyber attack

  • Asus Warns Of Critical Remote Authentication Bypass on 7 Routers

  • VMware addresses critical vulnerability in vCenter Server - PATCH NOW!

02. Conclusion

Quick News Bites

CDK Global Cyberattack, thousands of U.S. Car Dealerships at risk

On 19 June, retail technology and software provider CDK Global suffered a cyberattack that left thousands of dealerships struggling to conduct normal business during the Juneteenth holiday in the United States. The attack was severe enough that the company shut down all of its systems for a short period of time.

CDK Global's systems manage a wide range of dealership functions, including inventory management, sales, financing, and customer relationship management. The extent of the data breach is still under investigation, but initial reports indicate that sensitive information, such as customer and dealership data, may have been compromised.

US dealerships were impacted by the breach: employees were either sent home for the day because they could not operate as normal, or told to work with pen and paper until systems were fully back up and running.

Early reporting suggests the outage could be due to ransomware, though investigations are ongoing and the news is fresh, so we cannot independently confirm this. It will take a few days to confirm the reason behind the outage. However, if this is a confirmed ransomware attack, CDK Global will take days or weeks to recover, particularly if the system backups were also impacted.

Critical Analysis of Medibank Cyberattack Reveals Lapses in MFA Enforcement

A comprehensive report by the Office of the Australian Information Commissioner on the cyberattack against Medibank has revealed critical security lapses, particularly the failure to enforce multi-factor authentication (MFA).

The cyberattack on Medibank, one of Australia's largest health insurance providers, was executed by exploiting weak authentication protocols. The attackers gained unauthorized access to Medibank’s systems due to the absence of enforced MFA, a fundamental security measure that could have significantly mitigated the risk of such an attack. The breach led to the compromise of vast amounts of sensitive data, including personal and health information of Medibank's customers.

The report reveals that the breach originated from a Medibank contractor, an IT Service Desk Operator, who used his personal browser profile on his work computer and saved his Medibank credentials in the browser. These credentials were then synchronized with his home computer, which was subsequently infected with information-stealing malware. This malware allowed the threat actors to steal all the saved passwords from his browser on August 7, 2022. These stolen credentials included access to both standard and elevated (admin) accounts at Medibank.

It remains unclear whether the attacker behind the Medibank breach acquired the stolen credentials from an online dark web marketplace or conducted the information-stealing malware campaign themselves. The threat actor began using these credentials on August 12, initially breaching the company's Microsoft Exchange server and later logging into Medibank's Palo Alto Networks GlobalProtect Virtual Private Network (VPN), gaining internal access to the corporate network.

The report indicates that Medibank failed to adequately protect user data by not enforcing multi-factor authentication (MFA) on VPN credentials, allowing anyone with access to the credentials to log into the network.

The breach has had severe repercussions, compromising the personal and medical data of millions of customers. This has not only led to potential identity theft and fraud risks for affected individuals but also damaged Medibank's reputation and trust among its customers.
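The MFA gap described above, password-only logins to a VPN being accepted, is something a defender can check for in authentication logs before an attacker does it for them. The following audit is an added example, not code from the OAIC report or from Medibank; the log lines are constructed in a simplified key=value format (not Palo Alto's real GlobalProtect schema) and the user names and addresses are invented.

```python
"""Audit constructed VPN auth events for logins that succeeded without a second factor."""
from collections import defaultdict

# Constructed sample events in a simplified key=value format (not a real vendor log schema).
SAMPLE_LOG = """\
2022-08-12T01:03:11Z event=auth_ok user=svc-helpdesk src=203.0.113.7 factors=password role=admin
2022-08-12T01:05:42Z event=auth_ok user=jsmith src=198.51.100.4 factors=password,totp role=user
2022-08-12T01:07:09Z event=auth_ok user=svc-helpdesk src=203.0.113.7 factors=password role=admin
2022-08-12T01:09:30Z event=auth_fail user=bjones src=192.0.2.9 factors=password role=user
2022-08-12T01:12:55Z event=auth_ok user=bjones src=192.0.2.9 factors=password,push role=user
"""

def parse_line(line):
    """Split one event into a dict; 'factors' becomes a set of factor names."""
    ts, *pairs = line.split()
    ev = {"ts": ts}
    for p in pairs:
        k, _, v = p.partition("=")
        ev[k] = v
    ev["factors"] = set(ev.get("factors", "").split(",")) - {""}
    return ev

def find_mfa_gaps(log_text, mfa_factors=frozenset({"totp", "push", "hardware_token"})):
    """Return successful logins where no second factor was presented, grouped by user.

    A password-only success is exactly the condition the report describes: stolen
    credentials alone were sufficient to reach the corporate network."""
    gaps = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("event") != "auth_ok":
            continue  # failed attempts are a separate alerting question
        if not (ev["factors"] & mfa_factors):
            gaps[ev["user"]].append({"ts": ev["ts"], "src": ev["src"], "role": ev.get("role", "user")})
    return dict(gaps)

def summarize(gaps):
    """Rank offending accounts for an access review: admin accounts first, then by volume."""
    rows = [(u, len(evs), any(e["role"] == "admin" for e in evs)) for u, evs in gaps.items()]
    return sorted(rows, key=lambda r: (not r[2], -r[1], r[0]))

if __name__ == "__main__":
    for user, count, is_admin in summarize(find_mfa_gaps(SAMPLE_LOG)):
        print(f"{user:<14} password-only logins={count} admin={is_admin}")
```

Any account that appears in the output is one where the MFA policy is not actually enforced on the VPN, whatever the written policy says; privileged accounts surfacing here deserve the first review.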


More than 800 operations and 700 outpatient appointments postponed since London Cyber attack

The ransomware attack, which took place on 3rd June 2024, disrupted pathology services at King’s College Hospital NHS Foundation Trust, Guy’s and St Thomas’ NHS FT and South London and Maudsley NHS FT. Oxleas NHS FT, Lewisham and Greenwich NHS Trust, Bromley Healthcare, and primary care services in south east London have also been impacted, significantly disrupting medical services and patient care. The incident has caused significant operational disruptions, affecting laboratory services critical for patient diagnostics and healthcare delivery.

Dr Chris Streather, medical director for NHS London, said to “expect disruption to be felt for some time”.

“Today’s data shows that NHS teams are working flat out to see as many patients as possible – but there is no doubt the ransomware cyber-attack on Synnovis is having a significant impact on services in south east London, with hundreds of appointments and procedures being postponed,” he said.

Given the significant impact of this ransomware attack, it will take weeks and possibly months before the NHS recovers and returns to normal operations. However, the NHS is working hard to reschedule appointments and operations as quickly as possible.


Asus Warns Of Critical Remote Authentication Bypass on 7 Routers

ASUS has issued a warning about a critical remote authentication bypass vulnerability affecting seven of its router models. This flaw, identified as CVE-2023-39238, allows unauthenticated remote attackers to gain administrative access to the routers, potentially compromising the security of connected networks and devices. Exploiting this vulnerability could lead to unauthorized access, data theft, and the deployment of malicious software across affected networks.

ASUS says the issue impacts the following router models:

  • XT8 (ZenWiFi AX XT8) – Mesh WiFi 6 system offering tri-band coverage with speeds up to 6600 Mbps, AiMesh support, AiProtection Pro, seamless roaming, and parental controls.
  • XT8_V2 (ZenWiFi AX XT8 V2) – Updated version of the XT8, maintaining similar features with enhancements in performance and stability.
  • RT-AX88U – Dual-band WiFi 6 router with speeds up to 6000 Mbps, featuring 8 LAN ports, AiProtection Pro, and adaptive QoS for gaming and streaming.
  • RT-AX58U – Dual-band WiFi 6 router providing up to 3000 Mbps, with AiMesh support, AiProtection Pro, and MU-MIMO for efficient multi-device connectivity.
  • RT-AX57 – Dual-band WiFi 6 router designed for basic needs, offering up to 3000 Mbps, with AiMesh support and basic parental controls.
  • RT-AC86U – Dual-band WiFi 5 router with speeds up to 2900 Mbps, featuring AiProtection, adaptive QoS, and game acceleration.
  • RT-AC68U – Dual-band WiFi 5 router offering up to 1900 Mbps, with AiMesh support, AiProtection, and robust parental controls.

ASUS has urged users to apply firmware updates immediately to mitigate the risk.


VMware addresses critical vulnerability in vCenter Server - PATCH NOW!

On June 18th 2024, VMware released fixes for three vulnerabilities, namely CVE-2024-37079, CVE-2024-37080, CVE-2024-37081, summarised as follows:

  • CVE-2024-37079: A heap-overflow vulnerability in the DCERPC protocol implementation of vCenter Server that allows a malicious actor with network access to send specially crafted packets, potentially leading to remote code execution. (CVSS v3.1 score: 9.8 “critical”)
  • CVE-2024-37080: Another heap-overflow vulnerability in the DCERPC protocol implementation of vCenter Server. Like CVE-2024-37079, it allows an attacker with network access to trigger the overflow by sending crafted packets, potentially resulting in remote code execution. (CVSS v3.1 score: 9.8 “critical”)
  • CVE-2024-37081: This vulnerability arises from a misconfiguration of sudo in vCenter Server, permitting an authenticated local user to exploit this flaw to elevate their privileges to root on the vCenter Server Appliance. (CVSS v3.1 score: 7.8 “high”)

More information can be found on Broadcom's advisory page: Support Content Notification - Support Portal - Broadcom support portal

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.