Content 

01. News Bites
  • Ransomware Attack Disrupts Services at California Credit Union, Recovery Could Take Weeks.
  • Europol's Operation Morpheus takes down nearly 600 IP addresses linked to illegal copies of Cobalt Strike.
  • Critical RCE flaw in OpenSSH exposes millions of Linux systems to potential full system compromise.
  • Ransomware surge: Over 4,000 new victims recorded in past year, small businesses most affected.

02. Conclusion

Quick News Bites

Ransomware Attack Disrupts Services at California Credit Union, Recovery Could Take Weeks

A California-based credit union with over 450,000 members experienced a ransomware attack, disrupting account services and potentially taking weeks to recover. Patelco Credit Union CEO Erin Mendez informed members on July 1 that the attack on June 29 caused limited functionality in online banking and several other services. Patelco proactively shut down day-to-day banking systems to contain the issue, affecting transactions, transfers, payments, and deposits. Despite these challenges, debit and credit cards are still functioning with limited capacity.

Patelco, a nonprofit cooperative with $9 billion in assets, is prioritising the safe restoration of its systems, working with cyber security experts and cooperating with regulators and law enforcement. Members have reported difficulties.

Patelco is waiving fees and warning of more outages, with a chart indicating which services are unavailable. The credit union is investigating the incident's scope and potential risks to personal information.

Europol's Operation Morpheus takes down nearly 600 IP addresses linked to illegal copies of Cobalt Strike

Europol announced that a week-long operation at the end of June took down nearly 600 IP addresses supporting illegal copies of Cobalt Strike. The red-teaming tool by Fortra is often misused by cybercriminals in ransomware operations like Ryuk, Trickbot, and Conti. Operation Morpheus, conducted between June 24 and 28, involved law enforcement from multiple countries, including the UK, US, Canada, and Germany, coordinated by Europol.

During the operation, 690 IP addresses linked to criminal activity were flagged to online service providers, resulting in the takedown of 593 of them. Private sector partners including BAE Systems, Trellix, and Spamhaus supported the effort through Europol's Malware Information Sharing Platform, contributing over 730 pieces of threat intelligence and nearly 1.2 million indicators of compromise.

Researchers highlighted Cobalt Strike's prevalence among cybercriminals and nation-state actors, underscoring the operation's significance. Despite the success, China's substantial share of Cobalt Strike resources remains untouched.

Critical RCE flaw in OpenSSH exposes millions of Linux systems to potential full system compromise

An unauthenticated remote code execution (RCE) flaw in OpenSSH's server (sshd) on glibc-based Linux systems, tracked as CVE-2024-6387, has been disclosed; it can lead to full system compromise without any user interaction. The Qualys Threat Research Unit described it in a July 1 blog post, noting that the flaw could allow attackers to execute arbitrary code with the highest privileges, enabling malware installation, data manipulation, and the creation of backdoors for persistent access.

The researchers identified over 14 million potentially vulnerable OpenSSH server instances exposed online, with around 700,000 external internet-facing instances vulnerable in the Qualys global customer base. This flaw, named regreSSHion, is a regression of CVE-2006-5051, reintroduced in October 2020. The researchers emphasised the severity, as it affects OpenSSH's default configuration and doesn’t require user interaction.

We recommend immediate patch management, enhanced access control, network segmentation, and temporary mitigations to prevent exploitation and full system compromises.
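To support the patch-management step above, the following is an added triage helper (not code from this bulletin or from Qualys) that classifies hosts from an already-collected inventory of sshd identification banners. The affected version range is an assumption taken from the public regreSSHion advisory and should be confirmed against it; the constructed inventory is sample data, and because distributions backport the fix without changing the version string, a hit means "review", not "confirmed vulnerable".

```python
import re
from typing import Dict, Optional, Tuple

# Assumed affected range (portable OpenSSH on glibc Linux): 8.5p1 up to,
# but not including, 9.8p1. Confirm against the vendor/Qualys advisory.
AFFECTED_FROM = (8, 5, 1)
FIXED_IN = (9, 8, 1)

# sshd identification string, e.g. "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13".
# The "pN" suffix marks the portable release; OpenBSD-native builds lack it.
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_banner(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, portable) from an OpenSSH banner, else None."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable or 0))


def classify(banner: str) -> str:
    """'review' if the banner falls in the assumed affected range,
    'not-in-range' if outside it, 'unknown' for non-OpenSSH or unparseable."""
    version = parse_banner(banner)
    if version is None:
        return "unknown"
    if version[2] == 0:
        # No portable suffix: not a glibc/Linux portable build.
        return "not-in-range"
    return "review" if AFFECTED_FROM <= version < FIXED_IN else "not-in-range"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to a triage status; 'review' hosts get patched first,
    after checking whether the distribution has backported the fix."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (host -> banner captured by an asset scan).
INVENTORY = {
    "web-01": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "bastion": "SSH-2.0-OpenSSH_9.8p1",
    "legacy-db": "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "build-02": "SSH-2.0-OpenSSH_8.9p1",
    "router": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host:10s} {status}")
```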

Ransomware surge: Over 4,000 new victims recorded in past year, small businesses most affected

Over the past 12 months, more than 4,000 new ransomware victims have been recorded, marking a 77% increase from 2023, with 4,374 new cases detected across 75 countries. In Q1 2024 alone, 1,046 victims were hit by 43 different threat actors, according to cyber security researchers.

At the Cy-Xplorer 2024 report launch in Antwerp, it was explained that victims are monitored via dark web leak sites, often listed for not paying ransoms. Opportunistic threat groups are increasingly targeting small businesses, which are four times more likely to be impacted than larger enterprises due to weaker cyber security measures.

The research also identified over 200 instances of "re-victimisation," where victims were attacked multiple times, with 39 cases spotted in Q1 2024. Diana Selck-Paulsson, global lead security researcher, noted that half of these re-victimisations occurred within 80 to 302 days, often due to attackers switching between ransomware groups, exacerbating the victim's plight.


Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.