Cyber-security News – 21 June 2024

The following are hand-picked cybersecurity stories for 21 June 2024.

The National Health Service has confirmed that more than 1,100 operations in total, almost 200 of them relating to cancer treatment, have been postponed because of the ransomware incident. In a statement, NHS England said it “has been made aware that the cyber criminal group published data last night which they are claiming belongs to Synnovis and was stolen as part of this attack.” The cyber extortion gang Qilin hit Synnovis, a business providing pathology services for hospitals and local clinics in the capital. The attack caused major disruption to services, forcing NHS England London to declare a regional critical incident. Read the full story on The Record.

LockBit 3.0 has resurfaced as the leading ransomware threat actor. Previously dormant following a law enforcement takedown, LockBit 3.0 accounted for 37% of all attacks recorded in May 2024. Matt Hull, global head of threat intelligence at NCC Group, says: “Following the takedown of LockBit 3.0 earlier this year, speculation has swirled around whether the group would simply dissolve, as we’ve seen with other threat groups like Hive. However, the current surge in victim numbers suggests a different story. It’s possible that amidst law enforcement action, LockBit not only retained its most skilled affiliates but also attracted new ones, signalling their determination to persist. Alternatively, the group might be inflating their numbers to conceal the true state of their organisation.” Read the full story at Computing UK.

The Ticketmaster data breach occurred on 20 May 2024 and has been linked to the compromise of the company’s Snowflake cloud database. The threat actor has released data on 1 million Ticketmaster users as a sample. The compromised data includes a wide array of personal details: names, addresses, IP addresses, email addresses, dates of birth, credit card types, the last four digits of card numbers, and expiration dates. The full trove is said to hold data on 680 million Ticketmaster customers. Read the full story at Cyber Express.

The personal information of over 12,000 Santander employees has been compromised in a reported data breach. The incident was identified on May 10 and involved a third-party database used by an affiliate between late April and early May 2024, the bank said in a notification letter to the affected individuals, a copy of which Santander Holdings USA submitted to the Maine Attorney General’s Office. The bank said the attackers obtained records from the database containing employee names, Social Security numbers, and the bank account information used for payroll. Read the full story at Security Week.

The RansomHub ransomware operation is using a Linux encryptor designed specifically to encrypt VMware ESXi environments in corporate attacks. Unlike RansomHub’s Windows and general Linux versions, which are written in Go, the ESXi version is a C++ program likely derived from the now-defunct Knight ransomware. Notably, Recorded Future has also found a simple bug in the ESXi variant that defenders can use to send the encryptor into an endless loop, so that it never reaches the encryption stage. Read the full story at Bleeping Computer.

A security vulnerability in SolarWinds Serv-U file transfer software is being actively exploited in the wild. CVE-2024-28995, which carries a CVSS score of 8.6, is a directory traversal flaw that allows attackers to read sensitive files on the host machine. Cybersecurity firm Rapid7 described the vulnerability as trivial to exploit: it lets an external, unauthenticated attacker read any arbitrary file on disk, including binary files, provided they know the path to the file and it is not locked. Read the full story at The Hacker News.
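The directory traversal class behind this story, shown generically as an added example in Python. This is not SolarWinds’ Serv-U code or Rapid7’s proof of concept, and it says nothing about where Serv-U itself fails: the share root /srv/files and the sample requests are constructed for the illustration. It places the naive path join that causes traversal bugs beside a hardened resolver that decodes once, normalises separators, collapses dot segments and then verifies the result is still under the share root.

```python
"""Directory traversal, generically: a naive path join beside a hardened
resolver. Added illustrative code, not SolarWinds' or Rapid7's; SHARE_ROOT
and SAMPLE_REQUESTS are constructed for the example."""
import posixpath
from typing import Dict, List, Optional
from urllib.parse import unquote

SHARE_ROOT = "/srv/files"  # hypothetical file-transfer share root


def naive_resolve(root: str, requested: str) -> str:
    """The bug pattern: join a client-supplied path straight onto the root.
    '../' segments walk out of the root, and an absolute path replaces it."""
    return posixpath.normpath(posixpath.join(root, requested))


def safe_resolve(root: str, requested: str) -> str:
    """Hardened resolver: decode once, treat backslashes as separators,
    reject NUL bytes, collapse dot segments, then verify the result is
    still under root. Raises PermissionError on escape attempts."""
    root = posixpath.normpath(root)
    decoded = unquote(requested).replace("\\", "/")
    if "\x00" in decoded:
        raise PermissionError(f"NUL byte in path: {requested!r}")
    joined = posixpath.normpath(posixpath.join(root, decoded))
    # commonpath, not str.startswith: '/srv/files2/x' must not pass
    # for a root of '/srv/files'
    if posixpath.commonpath([root, joined]) != root:
        raise PermissionError(f"path escapes share root: {requested!r}")
    return joined


def triage(root: str, requests: List[str]) -> Dict[str, Optional[str]]:
    """Map each request to the path the hardened resolver returns, or
    None when it is rejected, so both resolvers can be compared."""
    results: Dict[str, Optional[str]] = {}
    for req in requests:
        try:
            results[req] = safe_resolve(root, req)
        except PermissionError:
            results[req] = None
    return results


# Constructed sample requests: two benign (one with an internal '..' that
# stays inside the root) and four traversal attempts of the kind a
# scanner sends: plain, URL-encoded, backslash-separated, and absolute.
SAMPLE_REQUESTS = [
    "reports/q1.csv",
    "reports/../q1.csv",
    "../../etc/passwd",
    "..%2F..%2Fetc%2Fpasswd",
    "..\\..\\etc\\passwd",
    "/etc/passwd",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:28} naive -> {naive_resolve(SHARE_ROOT, req)}")
    for req, resolved in triage(SHARE_ROOT, SAMPLE_REQUESTS).items():
        print(f"{req!r:28} safe  -> {resolved or 'REJECTED'}")
```

The check is purely on strings; a real server should additionally resolve symlinks (realpath) before comparing against the root, and must apply the containment check after every decoding layer the protocol performs, not before. Rejecting `..` outright rather than collapsing it is an equally valid, stricter policy.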

The company managing the Sellafield nuclear site in the United Kingdom has pleaded guilty to three criminal charges over cybersecurity failings in a landmark prosecution, with its legal representative denying in court claims that the facility had been hacked. Earlier this year, Britain’s nuclear safety regulator announced it was bringing charges against the company operating the facility over “alleged information technology security offenses during a four year period between 2019 and early 2023.” Read the full story on The Record.

A group of threat actors breached several NHS hospitals in London on 3 June 2024. On Thursday, the threat actor Qilin shared almost 400GB of the stolen private information on its darknet site. A sample of the data seen by the BBC includes patient names, dates of birth, NHS numbers and descriptions of blood tests. It is not known whether test results are also in the data. There are also business account spreadsheets detailing financial arrangements between hospitals, GP services and Synnovis. Read the full story on BBC.

CDK Global shut down its systems on Wednesday in response to a cyberattack, taking its software offline at auto-dealership retail locations across North America. Core systems were brought back up on Wednesday after a few hours of outage, but the company is still investigating the attack and it remains unclear whether all systems have been restored. There is no confirmation of any data breach so far. Unconfirmed reports suggest that nearly 15,000 retail locations in the US and Canada were affected. Read more about the story on Auto News.

Poland’s state authorities said that Russian hackers could be behind the recent disruption to an online broadcast of the Euro 2024 soccer tournament. Over the weekend, unknown hackers attacked the website of the public television network TVP, which was broadcasting the Polish national team’s opening match against the Netherlands. A distributed denial of service (DDoS) attack began at the start of the match, making the online broadcast on TVP’s website temporarily unavailable, authorities said. Read the full story at The Record.

The Japan Aerospace Exploration Agency (JAXA) suffered unauthorized access multiple times from last autumn into this year, even after the space agency took countermeasures following a cyberattack last June, it was learned Friday. According to informed sources at the science ministry and JAXA, the intrusions may have exposed communications between the agency and external organizations with which it has confidentiality agreements, such as Toyota Motor Corp. Read the full story at Nippon.

IntelBroker has claimed a massive data breach at AMD. In a post first published on 18 June 2024, IntelBroker claims that the AMD data leak encompasses a vast array of sensitive information from AMD’s databases, including detailed data on future AMD products, specification sheets, customer databases, property files, ROMs, source code, firmware, financial records, and employee data such as user IDs, full names, job functions, phone numbers, and email addresses. AMD is investigating the claims to establish what, if anything, was taken. Read the full story at Cyber Express.

A hacker is claiming to have extracted contact details of 33,000 current and former employees of the IT giant Accenture in a breach involving a third-party firm. Employee data comprising names and email addresses has been posted on the dark web; no user passwords have been leaked. The breach is said to have happened in June at one of the third-party firms associated with Accenture. Read the full story at HackRead.

Advance Auto Parts has confirmed it suffered a data breach after a threat actor attempted to sell stolen data on a hacking forum earlier this month. A filing the company made with the SEC confirms the breach. Advance operates 4,777 stores and 320 Worldpac branches and serves 1,152 independently owned Carquest stores in the United States, Canada, Puerto Rico, the U.S. Virgin Islands, Mexico, and various Caribbean islands. Read the full story at Bleeping Computer.

Hundreds of PC and server models that use Intel processors could be affected by a high-severity vulnerability found recently in Phoenix Technologies’ SecureCore UEFI firmware. The vulnerability, tracked as CVE-2024-0762 and dubbed UEFIcanhazbufferoverflow, was discovered by an automated analysis system developed by enterprise firmware and hardware security firm Eclypsium. Read the full story on Security Week.

Change Healthcare provides technology used to submit and process billions of insurance claims a year. In February, hackers gained access to its systems and unleashed a ransomware attack that encrypted and froze large parts of them, disrupting payment and claims processing around the country. Customer data including names, addresses, health insurance information and personal information such as Social Security numbers may have been exposed in the attack. Read the full story on Security Week.

The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) on Thursday announced a “first of its kind” ban that prohibits Kaspersky Lab’s U.S. subsidiary from directly or indirectly offering its security software in the country. “The company’s continued operations in the United States presented a national security risk — due to the Russian Government’s offensive cyber capabilities and capacity to influence or direct Kaspersky’s operations — that could not be addressed through mitigation measures short of a total prohibition,” the BIS said. Read the full story on The Hacker News.

The Russian threat actor Midnight Blizzard (formerly tracked as Nobelium) has been found targeting French diplomatic entities in recent cyber attacks. The attacks involve sending phishing emails to French public organizations from foreign institutions and individuals the actor had previously compromised, in order to initiate a chain of malicious actions. In the past, the French embassies in Kyiv and Romania have been targeted by Nobelium. Read the full story at The Hacker News.

Cybersecurity researchers conclude that 59% of user passwords could be cracked within an hour using just a modern graphics card and some technical knowledge. They attribute this to poor password choices by users and to the effectiveness of brute-force attacks on increasingly powerful GPUs. Read the full story on Cyber Security News.

Two new security vulnerabilities have been uncovered in NVIDIA’s Triton Inference Server. CVE-2024-0087 and CVE-2024-0088 pose severe risks, including remote code execution and arbitrary address writes, potentially compromising the security of AI models and sensitive data. CVE-2024-0088 is rated critical with a CVSS score of 9. Exploiting these flaws could lead to unauthorized access, data theft, and manipulation of AI model results, posing significant risks to user privacy and corporate interests. Both vulnerabilities were last updated on 14 May 2024. Read the full story on Cyber Security News.

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.