Aug 23 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that wishes all our UK readers a sunny, safe, and sound August Bank Holiday Weekend.
Patch of the Week!
First thing's first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that's it...
Congrats to Windows, the cybercriminals are no match... for your (soon to be released) patch!
Check out this freshly hatched patch
Microsoft has released patches for 90 security flaws, including 10 critical zero-days, six of which are actively being exploited in the wild! Of these, nine are rated Critical, 80 Important, and one Moderate. The key zero-days include CVE-2024-38189 (CVSS 8.8) for remote code execution in Microsoft Project, and CVE-2024-38178 (CVSS 7.5), a Windows Scripting Engine memory corruption vulnerability.
These updates also tackle issues like privilege escalation (CVE-2024-38193) and bypassing security features (CVE-2024-38213). Don't forget to update your systems ASAP to stay protected!
Additionally, 36 vulnerabilities in Microsoft Edge were patched, and other vendors like Adobe, Google, Intel, and more have released crucial updates. Stay ahead of the threats: keep your systems secure!
Now, on to this week's hottest cybersecurity news stories:
Dispossessor ransomware servers shut down by FBI
Vulnerabilities discovered in AI-powered Azure Health Bot
Black Basta-linked attacks target users with SystemBC malware
Major Disruption! The FBI has dismantled the online infrastructure of Radar/Dispossessor, a rising ransomware group targeting small-to-mid-sized businesses globally. This operation involved taking down multiple servers and criminal domains across the U.S., U.K., and Germany.
Who is Dispossessor?
Active since August 2023, Radar/Dispossessor quickly made a name for itself in sectors like healthcare, education, and finance. The group, allegedly led by someone using the alias "Brain," employs a Ransomware-as-a-Service (RaaS) model similar to LockBit, using dual-extortion tactics to pressure victims into paying up.
Attack Tactics
Dispossessor exploits security flaws and weak passwords to breach systems, encrypt data, and demand ransom. If victims don't respond, the group ups the ante by directly contacting company employees and threatening to leak sensitive data on video platforms.
Global Reach
So far, 43 companies across 14 countries, including the U.S., U.K., Germany, and Australia, have fallen victim to Dispossessor attacks. The group shares tools and profits with another entity called Radar, suggesting a close collaboration between the two.
The Bigger Picture
This takedown is part of a broader global effort to combat ransomware, which remains a significant threat. Ransomware groups are increasingly targeting smaller organisations, exploiting vulnerabilities, and operating with a level of sophistication that mirrors legitimate businesses.
Stay Vigilant
As ransomware groups continue to evolve, businesses must stay vigilant, bolster security measures, and prepare for the possibility of being targeted.
Security Risks in Healthcare Bots! Cybersecurity researchers have uncovered two critical vulnerabilities in Microsoft's Azure Health Bot Service that could have allowed attackers to access sensitive patient data by moving laterally within customer environments. The issues, now patched by Microsoft, were reported by Tenable in a detailed investigation.
What is Azure Health Bot?
Azure Health Bot is a cloud platform used by healthcare organisations to develop AI-powered virtual assistants for tasks like managing patient interactions and administrative workloads. These bots are widely used by insurance providers and healthcare entities to help users with tasks such as checking claim statuses or finding nearby doctors.
Vulnerabilities Exposed
Tenable's research focused on a feature called Data Connections within the service, which allows bots to integrate with external data sources. Despite built-in security measures, Tenable discovered that these safeguards could be bypassed using redirect responses, allowing attackers to obtain access tokens for sensitive internal resources.
Additionally, another endpoint supporting the FHIR data exchange format was found vulnerable to similar exploits. The flaws raised significant concerns about the security of AI-driven healthcare tools, emphasising the need for robust web app and cloud security practices.
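To make the redirect bypass concrete, here is an added example of an outbound data connector in Python; it is not Tenable's or Microsoft's code and not the Health Bot implementation. A weak fetch validates only the URL the operator configured, while the hardened fetch re-validates every redirect hop. The partner hostname, its address, and the redirect chain are constructed fixtures, and the link-local metadata address stands in for the internal resources the report describes.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed name-to-address table so the example runs offline. Assumption: a real
# connector resolves the host itself and checks every address the resolver returns.
RESOLVE = {"api.example-partner.test": "93.184.216.34"}

# Constructed response fixture, url -> (status, Location header): the partner host
# redirects to the link-local cloud metadata address, a stand-in for the internal
# resources the report says redirects could reach.
RESPONSES = {
    "https://api.example-partner.test/fhir/Patient":
        (302, "http://169.254.169.254/metadata/token"),
    "http://169.254.169.254/metadata/token": (200, None),
}

def target_is_safe(url: str) -> bool:
    """Allow only http(s) URLs whose address is publicly routable."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        ip = ipaddress.ip_address(RESOLVE.get(parsed.hostname, parsed.hostname))
    except ValueError:
        return False  # unknown host: fail closed rather than guess
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def _follow(url: str, check_every_hop: bool, max_hops: int = 5) -> str:
    """Walk the fixture's redirect chain and return the URL finally fetched.

    Raises ValueError(url) for a hop that fails validation."""
    if not check_every_hop and not target_is_safe(url):
        raise ValueError(url)
    for _ in range(max_hops):
        if check_every_hop and not target_is_safe(url):
            raise ValueError(url)
        status, location = RESPONSES[url]
        if status != 302:
            return url
        url = location
    raise ValueError("too many redirects")

def fetch_weak(url: str) -> str:
    # Validates only the URL the operator configured; redirects are followed blindly.
    return _follow(url, check_every_hop=False)

def fetch_hardened(url: str) -> str:
    # Re-validates the destination before each hop, so the redirect gains nothing.
    return _follow(url, check_every_hop=True)
```

The weak fetch ends up reading the metadata address; the hardened fetch refuses the second hop, which is the check an SSRF-style redirect is counting on being absent.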
Microsoft's Response
After Tenable reported these issues in mid-2024, Microsoft swiftly rolled out patches to all affected regions. There's no evidence to suggest these vulnerabilities were exploited in the wild, but the incident underscores the importance of securing AI-based services in critical sectors like healthcare.
Ongoing Security Efforts
This discovery comes shortly after another reported flaw in Microsoft Entra ID, which allowed for privilege escalation. These incidents highlight the evolving nature of cybersecurity threats in the era of AI and cloud computing.
By keeping software up-to-date and applying rigorous security measures, organisations can better protect sensitive data from emerging threats.
Cybersecurity researchers have uncovered an ongoing social engineering campaign with ties to the Black Basta ransomware group. This campaign, which has been linked to multiple intrusion attempts, is focused on credential theft and deploying the SystemBC malware dropper.
Attack Methodology
The attack begins with an "email bomb," followed by a phone call from the attackers who pose as IT staff offering a "solution" to the overwhelmed users. The attackers typically make these calls via Microsoft Teams, making the scam appear legitimate.
Victims are then convinced to download and install AnyDesk, a legitimate remote access software, which the attackers use as a channel to deploy further malicious payloads and exfiltrate sensitive data. One notable part of the attack is the use of a fake executable named "AntiSpam.exe," which pretends to be an email spam filter update and tricks users into entering their Windows credentials.
Malware Deployment
Once the attackers gain access, they execute several binaries, DLL files, and PowerShell scripts, including a Golang-based HTTP beacon that establishes contact with a remote server, a SOCKS proxy, and the SystemBC malware. This layered approach allows the attackers to maintain persistent access and potentially exfiltrate more sensitive data.
Broader Context and Trends
This campaign is part of a broader trend in social engineering and phishing attacks. Data from ReliaQuest indicates that SocGholish (FakeUpdates), GootLoader, and Raspberry Robin are among the most commonly observed loader strains in 2024, serving as gateways for ransomware deployment.
Interestingly, GootLoader has replaced QakBot on the top-three list this year, reflecting shifts in malware distribution strategies. Many of these loaders are marketed on dark web forums under subscription models, making it easier for even less technically skilled attackers to launch sophisticated attacks.
Additional Threats
Phishing attacks have also been observed using the 0bj3ctivity Stealer and Ande Loader in multi-layered distribution mechanisms. These attacks involve obfuscated and encrypted scripts, memory injection techniques, and enhanced anti-detection features, making them harder to detect.
In a related trend, threat actors have been weaponizing fake QR codes and malvertising campaigns. For instance, some campaigns have hijacked Facebook pages to promote seemingly legitimate AI tools, which are then used to deliver Lumma Stealer malware.
Mitigation Strategies
To defend against these sophisticated attacks, it is recommended to block unapproved remote desktop solutions, educate employees about phishing tactics, and be vigilant against suspicious communications, especially those purporting to be from internal IT staff.
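The first mitigation above, blocking unapproved remote desktop tools, can be checked against process telemetry. The Python below is an added example, not code from ReliaQuest or the researchers: it reviews constructed Sysmon-style process-creation events for AnyDesk running without approval, the AntiSpam.exe lure launched from a user-writable folder, and a shell spawned by the remote tool. The approved-tool list and the sample events are assumptions.

```python
from __future__ import annotations
import ntpath

# Remote access tools the help desk has sanctioned (assumption for this example).
APPROVED_REMOTE_TOOLS = {"approved-support.exe"}
# Remote access tools seen in the campaign above; extend with whatever else appears locally.
REMOTE_TOOLS = {"anydesk.exe"}
# The credential-harvesting lure named in the campaign.
LURE_NAMES = {"antispam.exe"}
# Folders an ordinary user can write to, where a freshly downloaded binary lands.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed Sysmon-style process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"User": "CORP\\alice", "Image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"User": "CORP\\alice", "Image": "C:\\Users\\alice\\Downloads\\AnyDesk.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"User": "CORP\\alice", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\AntiSpam.exe",
     "ParentImage": "C:\\Users\\alice\\Downloads\\AnyDesk.exe"},
    {"User": "CORP\\alice", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Users\\alice\\Downloads\\AnyDesk.exe"},
]

def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()

def review_event(event: dict) -> list[str]:
    """Return the names of the rules an event trips; empty if it looks benign."""
    image, parent = event["Image"], event["ParentImage"]
    name, parent_name = _base(image), _base(parent)
    hits = []
    if name in REMOTE_TOOLS and name not in APPROVED_REMOTE_TOOLS:
        hits.append("unapproved_remote_tool")
    if name in LURE_NAMES and any(d in image.lower() for d in USER_WRITABLE):
        hits.append("credential_lure_from_user_path")
    if parent_name in REMOTE_TOOLS and name in SHELLS:
        hits.append("shell_spawned_by_remote_tool")
    return hits

def review_events(events: list[dict]) -> list[tuple[str, str, str]]:
    """Flatten findings into (user, image, rule) triples for a SIEM or ticket."""
    return [(e["User"], e["Image"], rule) for e in events for rule in review_event(e)]
```

Run against the sample events, the benign Word launch passes and the three steps of the chain each raise their own finding, which is the sequence a responder would want correlated under one user.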
Staying Safe
As attackers continue to innovate with social engineering techniques, it's crucial for both individuals and organisations to maintain robust security practices, including advanced detection mechanisms and continuous monitoring of potential threats.
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders.
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future
Let us know what you think.
So long and thanks for reading all the phish!