Weekly Cyber News Roundup

May 18th to May 24th 2024

Content 

01. News Bites
  • Rival Gangs Rise as LockBit Falls
  • Nissan Admits Data Breach with over 50,000 Employees' Personal Information Stolen in Cyber Attack
  • Veeam Releases Critical Update to Fix Severe Vulnerabilities in Backup & Replication Software
  • Rockwell Automation urges immediate disconnection of ICS from Internet amid rising cyber threats
  • Ukraine's CERT-UA warns of UAC-0006 resurgence, urges heightened cyber security measures
02. Conclusion

Quick News Bites

Rival Gangs Rise as LockBit Falls

The takedown of LockBit in February has paved the way for rival gangs, with Play overtaking it after LockBit's eight-month dominance. The National Crime Agency's (NCA) successful disruption of LockBit is evident as, for the first time, LockBit did not top the attack charts in a single month.

LockBit has ranked among the top three ransomware gangs by victim numbers and activity for at least the last three years, and held the number one spot for the last eight months.

Two weeks ago, Dmitry Khoroshev, believed to be LockBit's leader, was unmasked, revealing that LockBit's operations are now "running at limited capacity" and pose a "significantly reduced" threat. The NCC Group's findings, published today, indicate that LockBit has been reposting previously attacked organisations to maintain appearances. In April, LockBit posted only 23 organisations, a 60% drop from pre-bust numbers.

Nissan Admits Data Breach with over 50,000 Employees' Personal Information Stolen in Cyber Attack

Nissan has admitted to another data breach, affecting over 50,000 employees' personal information. The carmaker's disclosure, filed with the US state of Maine, reveals a cyber attack in November 2023. A targeted attack compromised Nissan's external VPN, leading to the theft of 53,038 employees' social security numbers after the attacker shut down certain systems and demanded payment.

Initially, Nissan believed only business information was stolen. By late February, they discovered employees' SSNs were also accessed. Nissan asserts there's no evidence the employee data was targeted or misused.

Following the breach, Nissan implemented several security measures, including an enterprise-wide password reset, Carbon Black monitoring, and vulnerability scans. In March, Nissan also disclosed that its Oceania division was hit by the Akira ransomware gang, compromising over 100,000 customers' personal information. The connection between the North American and Oceania breaches remains unclear, and Nissan has been asked for more details.

Veeam Releases Critical Update to Fix Severe Vulnerabilities in Backup & Replication Software

On Tuesday, Veeam released a Backup & Replication update to address four vulnerabilities, including a critical-severity bug in Backup Enterprise Manager that allows authentication bypass. The critical flaw, CVE-2024-29849, has a CVSS score of 9.8 and permits unauthenticated attackers to log into the web interface as any user.

This vulnerability affects product versions 5.0 to 12.1 and is resolved in Backup Enterprise Manager version 12.1.2.172, included in Backup & Replication version 12.1.2 (build 12.1.2.172). The update also fixes a high-severity issue (CVE-2024-29850, CVSS score 8.8) enabling account takeover via NTLM relay attacks, and another high-severity flaw (CVE-2024-29851, CVSS score 7.2) allowing NTLM hash theft by high-privileged users.

Additionally, the update resolves a low-severity flaw that lets high-privileged users read backup session logs. Instances on dedicated servers can be updated independently of Veeam Backup & Replication. If upgrading isn't possible, Veeam advises halting Backup Enterprise Manager. The update also addresses a high-severity bug (CVE-2024-29853) in Veeam Agent for Windows, impacting versions 2.0 to 6.1, and is fixed in version 6.1.2 (build 6.1.2.134).

Veeam urges users to update promptly, noting no evidence of these vulnerabilities being exploited in attacks yet.
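As an added example (not Veeam's code or advisory), the following Python helper turns the version ranges quoted in this item into a triage check: given a component name and an installed build string, it reports whether the build is below the fixed build and therefore still in the affected window. The inventory entries, the dotted version-string format and the four-field padding are assumptions for illustration; the ranges are transcribed from the text above, and Veeam's own advisory remains the authority.

```python
"""Triage helper: compare installed Veeam component builds against the
affected ranges and fixed builds quoted in the roundup item above.

Assumptions (not from Veeam's advisory): version strings are dotted
numerics such as "12.1.2.172", shorter strings are padded with zeros,
and the hostnames/builds in SAMPLE_INVENTORY are constructed.
"""
from dataclasses import dataclass


def parse_version(text: str, width: int = 4) -> tuple:
    """'12.1' -> (12, 1, 0, 0); '12.1.2.172' -> (12, 1, 2, 172)."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > width:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    affected_from: tuple  # first affected version, inclusive (per the roundup)
    fixed_build: tuple    # first build carrying the fix (per the roundup)


# Ranges as stated in the item above: BEM 5.0 to 12.1 fixed in 12.1.2.172,
# Agent for Windows 2.0 to 6.1 fixed in 6.1.2.134.
ADVISORIES = [
    Advisory("CVE-2024-29849", "Backup Enterprise Manager",
             parse_version("5.0"), parse_version("12.1.2.172")),
    Advisory("CVE-2024-29853", "Veeam Agent for Windows",
             parse_version("2.0"), parse_version("6.1.2.134")),
]


def assess(component: str, installed: str) -> str:
    """Return 'fixed', 'affected', 'outside-range' or 'unknown-component'.

    'outside-range' means the build is older than the first version the
    roundup lists as affected; treat that as unsupported, not as safe.
    """
    v = parse_version(installed)
    for adv in ADVISORIES:
        if adv.component != component:
            continue
        if v >= adv.fixed_build:
            return "fixed"
        if adv.affected_from <= v:
            return "affected"
        return "outside-range"
    return "unknown-component"


def triage(inventory: list) -> list:
    """Annotate (host, component, build) rows with the assessment."""
    return [(host, comp, build, assess(comp, build)) for host, comp, build in inventory]


# Constructed inventory rows for demonstration only.
SAMPLE_INVENTORY = [
    ("bem-01.example.test", "Backup Enterprise Manager", "12.1.1.56"),
    ("bem-02.example.test", "Backup Enterprise Manager", "12.1.2.172"),
    ("ws-17.example.test", "Veeam Agent for Windows", "6.1.0.254"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

Builds at or above the fixed build are reported as fixed; anything from the first affected version up to (but excluding) the fixed build is reported as affected, which is the window in which the item's interim advice (stop Backup Enterprise Manager until it can be upgraded) applies.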

Rockwell Automation urges immediate disconnection of ICS from Internet amid rising cyber threats

Rockwell Automation has issued a security notice urging customers to ensure their industrial control systems (ICS) are not connected to the internet, highlighting the risks posed by cyber threats. The industrial automation giant emphasised the need for immediate action, advising customers to verify that devices not designed for public connectivity are not exposed to the web.

The company expressed concern over potential attacks due to global geopolitical tensions and increasing cyber activity.

"Users should never configure their assets to be directly connected to the public-facing internet," Rockwell stated. Disconnecting these devices can significantly reduce exposure to unauthorized and malicious activities from external threats. The advisory includes links to resources, best practices, and highlights several patched vulnerabilities, such as CVE-2021-22681, CVE-2022-1159, CVE-2023-3595, and more.

The US cyber security agency CISA has also issued an alert regarding Rockwell's notice, underscoring the importance of these measures.

Ukraine's CERT-UA warns of UAC-0006 resurgence, urges heightened cyber security measures

Ukraine’s Computer Emergency Response Team (CERT-UA) has issued an urgent warning about the resurgence of the financially motivated cybercriminal group UAC-0006. After a period of inactivity, the group has launched new phishing attacks in spring 2024, primarily targeting Ukrainian organizations. UAC-0006 is using SMOKELOADER malware, which often delivers additional malicious payloads. Their latest campaigns distribute SMOKELOADER through emails containing ZIP archives with booby-trapped images and Microsoft Access files. Once compromised, the hackers deploy other malware like TALESHOT and RMS to control the victim’s machine.

CERT-UA believes UAC-0006 is building a botnet of infected computers, potentially in the hundreds, raising concerns about a wave of fraudulent activity targeting Ukraine's remote banking systems. The attackers aim to steal sensitive financial information or manipulate accounts for financial gain.
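The delivery chain described above (a ZIP attachment carrying image files together with a Microsoft Access file) is something a mail gateway or triage script can flag before the archive reaches a user. The following Python check is an added example, not CERT-UA's tooling or indicators: it lists an archive's members, classifies them by extension, and reports whether the archive matches that images-plus-Access pattern. The sample archives, member names and byte contents are constructed in memory for illustration.

```python
"""Attachment check for the lure pattern in the CERT-UA item above: a ZIP
that bundles image files with a Microsoft Access database.

Added example. Extension lists, sample file names and sample bytes are
constructed for illustration and are not published indicators.
"""
import io
import zipfile
from pathlib import PurePosixPath

ACCESS_EXTS = {".accdb", ".accde", ".accdr", ".accdt", ".mdb", ".mde", ".mda"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp"}


def inspect_zip_attachment(data: bytes) -> dict:
    """Classify archive members and flag the 'images + Access file' pattern.

    Malformed input (not a ZIP, or a damaged header) is reported with
    valid_zip=False rather than raised, so a gateway can quarantine it.
    """
    result = {"valid_zip": False, "access_files": [], "image_files": [],
              "nested_archives": [], "matches_lure_pattern": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    result["valid_zip"] = True
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Only the final suffix counts, so "photo.jpg.accde" is an Access file.
            ext = PurePosixPath(name).suffix.lower()
            if ext in ACCESS_EXTS:
                result["access_files"].append(name)
            elif ext in IMAGE_EXTS:
                result["image_files"].append(name)
            elif ext == ".zip":
                result["nested_archives"].append(name)
    result["matches_lure_pattern"] = bool(result["access_files"]) and bool(result["image_files"])
    return result


def build_sample_archive(members: dict) -> bytes:
    """Constructed test archive: {member name: bytes} -> ZIP bytes in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: the bytes are placeholders, not real images or databases.
SAMPLE_LURE = build_sample_archive({
    "scan_0001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
    "scan_0002.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
    "payment_details.accdb": b"dummy-database-bytes",
})
SAMPLE_BENIGN = build_sample_archive({
    "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
})

if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, inspect_zip_attachment(blob))
```

A match on this pattern is a triage signal, not proof of compromise; the point is to route such attachments for sandbox detonation or quarantine and to treat Access files arriving by email as a policy exception in their own right. Nested archives are listed separately so the caller can decide whether to recurse into them.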

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.

Need advice?

If you are worried about any of the threats outlined in this roundup or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or fill in the form for a complimentary no-commitment consultation.

More detailed threat intelligence news?

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.


Cyber Security Conference

STOCKHOLM | 17 October 2023

Integrity360's flagship conference Security First comes to Stockholm in 2023!

Join leading cybersecurity experts from across the community as we explore the latest threats and industry trends, and learn practical strategies to safeguard your organisation.