Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
The latest in cybersecurity: MOVEit, Mystic Stealer, Clop Ransomware, Onix Group, BlackCat/ALPHV, Smartpay Holdings, Huawei, ZTE, DDoS-for-Hire, Genetic Testing.
HPE released Security Bulletins on June 16, 2023, to address vulnerabilities in HPE Insight Remote Support version 7.12, HPE Integrity MC990 X Server RMC firmware version 1.2.7 and earlier, and SGI UV 300 RMC firmware version 1.2.7 and earlier. A security vulnerability in HPE Insight Remote Support (I-RS) may result in the local disclosure of privileged information. HPE has provided the following software update to resolve the vulnerability in HPE Insight Remote Support 7.12:
• HPE Insight Remote Support 7.12 P1 (220.127.116.115)
The MC990X and UV300 RMC components shipped with an outdated OpenSSL and an inadequate default configuration. The RMC was updated to OpenSSL 1.0.2zg and its default configuration was hardened.
Progress has released Security Bulletins addressing a critical vulnerability, CVE-2023-35708, in MOVEit Transfer. The vulnerability, present in versions released prior to 2021.0.8, allows for SQL injection attacks, potentially leading to unauthorized access and modification of the MOVEit Transfer database. All MOVEit Transfer customers are advised to take immediate action by applying the provided patch and following the recommended mitigation steps. These steps include disabling HTTP and HTTPS traffic to the MOVEit Transfer environment, accessing MOVEit Transfer via remote desktop as a workaround, and enabling HTTP and HTTPS traffic once the patch is applied. It is crucial for customers to stay informed by bookmarking the Progress Security Page for the latest updates.
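The interim mitigation described above (block HTTP/HTTPS to the MOVEit Transfer host, administer it over remote desktop, then restore web traffic once patched) can be applied with Windows Defender Firewall. The following is an added example, not Progress's published procedure; the rule name is constructed, and the port list assumes the server listens on the default 80/443.

```powershell
# Added illustration (not Progress's own guidance): temporarily block inbound
# HTTP/HTTPS to a MOVEit Transfer host, then re-open once the patch is applied.
# The rule name and port list are assumptions; adjust for non-default ports.
$RuleName = "MOVEit-Temp-Block-HTTP-HTTPS"   # constructed name

# 1. Block inbound TCP 80/443 on all profiles. RDP (TCP 3389) is untouched,
#    so the remote-desktop workaround for administration still works.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort 80,443 -Action Block -Profile Any -Enabled True

# 2. Verify the rule exists and is enabled.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action

# 3. Confirm what is still listening on the web ports; the listener stays up,
#    but new inbound connections are now dropped at the firewall.
Get-NetTCPConnection -State Listen -LocalPort 80,443 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 4. After the patch is installed and validated, remove the block to restore
#    HTTP and HTTPS traffic.
Remove-NetFirewallRule -DisplayName $RuleName
```

Run the first three steps before patching and step 4 only after confirming the patched version is installed; keeping the rule name fixed makes the verification and removal steps idempotent.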
In response to identified vulnerabilities, Microsoft has released a vital security update for versions preceding 114.0.1823.51 of the Microsoft Edge Extended Stable Channel. Users and administrators are strongly advised by the Cyber Centre to review the provided web link and promptly apply the necessary update to ensure their systems are protected against potential cyber threats.
The recently released Windows 11 22H2 KB5027231 cumulative update has caused compatibility issues with Google Chrome on systems protected by Cisco and WatchGuard EDR and antivirus solutions. Users have reported being unable to launch the browser after installing the Windows 11 update, and attempts to roll back the update via WSUS have failed with a “catastrophic error”. Malwarebytes has confirmed the problem and advises affected users to disable Chrome as a protected app. Cisco and WatchGuard users have experienced similar issues and are advised to disable anti-exploit protection or set Chrome as the default browser to resolve the problem. Microsoft and Cisco have not provided further details on the issue at this time.
A new information-stealing malware called “Mystic Stealer” has gained significant attention in the cybercrime community since April 2023. Available for rent at $150 per month, Mystic Stealer targets various web browsers, browser extensions, cryptocurrency applications, MFA and password management apps, and more. Reports from Zscaler and Cyfirma highlight the malware’s rapid development, its promotion on hacking forums and darknet markets, and its effectiveness as an info-stealer. With the addition of a loader functionality, Mystic Stealer poses an elevated risk, potentially enabling the deployment of additional malicious payloads like ransomware. Users and organizations are advised to exercise caution when downloading software from the internet due to the emergence of this sophisticated malware.
Western Digital has issued a warning to owners of My Cloud series devices, stating that without upgrading to the latest firmware version 5.26.202, they will lose the ability to connect to cloud services starting June 15, 2023. This step has been taken to protect users from a remotely exploitable vulnerability that can lead to unauthenticated code execution. Users are urged to update their devices to the latest firmware to regain access to their data through mycloud.com and the My Cloud OS 5 mobile app, as unauthorized access could result in data breaches and ransomware attacks.
Millions of driver’s licenses have been compromised in a data breach orchestrated by the Clop ransomware gang, who exploited vulnerabilities in the MOVEit Transfer file transfer systems used by the Louisiana Office of Motor Vehicles and the Oregon Driver & Motor Vehicle Services. The breach, which affected government entities, major businesses, and organizations worldwide, led to the exposure of personal data such as names, addresses, social security numbers, and driver’s license numbers. While the ransomware actors claimed to have deleted the stolen data, affected individuals are advised to take precautionary measures, including protecting their identity, resetting passwords, and monitoring for suspicious activities.
Pennsylvania-based commercial real estate company Onix Group has disclosed a ransomware incident that compromised the personal and health information of 319,500 patients and employees. The ransomware attack, discovered on March 27, corrupted certain systems and involved the exfiltration of a subset of files. The affected information included patients’ names, Social Security numbers, birthdates, scheduling, billing, clinical information, as well as employee data such as names, Social Security numbers, direct deposit information, and health plan enrollment information. Onix is taking steps to enhance its security protocols and protect the information in its care.
In a targeted spear-phishing attack, Reddit experienced a security breach in February, where unauthorized access was gained to internal documents, code, and some business systems. Reddit clarified that user passwords and accounts were not compromised. The BlackCat/ALPHV ransomware gang has now claimed responsibility for the attack, boasting about stealing 80GB of data and demanding a $4.5 million ransom for its deletion. The group has a history of targeting various organizations, including SOLAR INDUSTRIES INDIA, NJVC, and Moncler, with ransom demands ranging from thousands to millions of dollars.
Smartpay Holdings, a payments solutions provider based in New Zealand, revealed that it experienced a ransomware attack last week, joining the growing list of victims targeted by cyberattacks in the region. An investigation conducted by the company confirmed the theft of customer information from its systems in Australia and New Zealand. In response to the incident, Smartpay has enlisted the help of cybersecurity specialist CyberCX and is collaborating with the government. Despite the attack, the company assured its customers that its payment platforms and terminals can still be used normally.
Microsoft has disclosed that the outages affecting Azure and Microsoft 365 in recent weeks were the result of Distributed Denial-of-Service (DDoS) attacks conducted by a pro-Russian hacktivist group tracked as Storm-1359. The attacks, launched in early June, used botnets, multiple cloud services, open proxies, and DDoS tools to disrupt the services. Anonymous Sudan, a self-identified DDoS hacktivist group, claimed responsibility for the attacks and is believed to be a subgroup of the pro-Russian threat actor group Killnet.
The European Union (EU) is being criticized for not taking sufficient measures to keep equipment from Huawei and ZTE out of 5G networks, according to a report by the EU’s Network and Information Systems Cooperation Group. Fewer than half of the EU member states have excluded “high-risk” suppliers from their high-speed cellular networks. EU Internal Market Commissioner Thierry Breton has called for more aggressive action against the Chinese manufacturers and emphasized the importance of removing high-risk suppliers from 5G networks. The concern stems from Chinese laws that could facilitate espionage or limit product availability during trade disputes, creating security vulnerabilities for the EU.
Polish police officers, in collaboration with international law enforcement agencies and Europol, have arrested two individuals involved in operating a long-standing DDoS-for-hire service. The arrests were part of Operation PowerOFF, aimed at dismantling online platforms facilitating large-scale DDoS attacks worldwide. The operation resulted in the seizure of valuable evidence, including user accounts, login records, and IP addresses associated with the illicit service. This crackdown highlights ongoing global efforts to combat cybercrime and emphasizes the legal consequences for individuals engaged in such activities.
Google has taken legal action against Ethan QiQi Hu and his company, Rafadigital, accusing them of fabricating 350 fraudulent Business Profiles and 14,000 fake reviews as part of a business verification service. While Google has already removed the deceptive content, the lawsuit aims to prevent similar fraudulent activities in the future. The lawsuit alleges that Hu and his team engaged in a complex scheme to manipulate Google’s business listings, deceiving consumers and small business owners for profit.