Tag Archive for: disrupts

Ivanti Zero-Day Exploit Disrupts Norway’s Government Services


A zero-day authentication bypass vulnerability in Ivanti software was exploited to carry out an attack on the Norwegian Ministries Security and Service Organization.

The attack affected communications networks at 12 Norwegian government ministries, according to the original statement, preventing employees in those departments from accessing mobile services and email.

The government noted that the Prime Minister’s office, the Ministry of Defense, the Ministry of Justice and Emergency Preparedness, and the Ministry of Foreign Affairs were not impacted.

What Was the Ivanti Security Vulnerability?

According to a statement posted by the Norwegian Security Authority, the flaw is a remote unauthenticated API access vulnerability (CVE-2023-35078) in the Ivanti Endpoint Manager.

The bug would allow a remote attacker, by bypassing authentication, to obtain information, add an administrative account, and change the device’s configuration. The vulnerability affects several versions of the software, including Version 11.4 and older; versions and releases from 11.10 are also at risk.

A statement from the US Cybersecurity and Infrastructure Security Agency (CISA) said the vulnerability allows unauthenticated access to specific API paths, which a cyberattacker can use to access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system.

Tenable senior research engineer Satnam Narang said in a blog post that an attacker could potentially use the unrestricted API paths to modify a server’s configuration file. That could result in the creation of an administrative account for the endpoint manager’s management interface, known as EPMM (short for Endpoint Manager Mobile), which could then be used to make further changes to a vulnerable system.

According to a post by Ivanti, the company had received information from a credible source indicating exploitation has occurred. A follow-up blog by Ivanti said that upon learning of the vulnerability, “we immediately mobilized resources to fix the problem and have a patch available now for supported versions of the product. For customers on an earlier version, we have an RPM script to assist…


Google disrupts malware that steals sensitive data from Chrome users


Image Credits: Bryce Durbin / TechCrunch

Google has disrupted infrastructure linked to the notorious CryptBot malware, which the company claims has stolen data from hundreds of thousands of browser users in the past year alone.

CryptBot is information-stealing malware first discovered in 2019. The infostealer is typically distributed through spoofed websites masquerading as legitimate software sites that offer free downloads. Once installed, the malware steals sensitive information from infected computers, such as passwords, cookies, cryptocurrency wallets and credit card information.

In a blog post, Google said it observed the malware spreading by way of maliciously modified apps, including Google Chrome and Google Earth Pro. In the last 12 months, Google says the malware compromised about 670,000 computers in order to steal sensitive information that’s “eventually sold to bad actors to use in data breach campaigns.”

Google said it tracked recent CryptBot versions impersonating its browser and mapping software, worked to identify the malware’s Pakistan-based distributors, and took action.

After filing a legal complaint against several of CryptBot’s major distributors, the tech giant confirmed Wednesday that it had secured a temporary court order to hamper the developers’ ability to spread the infostealer malware.

The order, granted by a federal judge in the Southern District of New York, allows Google to take down current and future domains that are linked to the distribution of the CryptBot malware.

“This will slow new infections from occurring and decelerate the growth of CryptBot,” the technology giant said in a blog post. “Lawsuits have the effect of establishing both legal precedent and putting those profiting, and others who are in the same criminal ecosystem, under scrutiny. This litigation is another step forward in holding cybercriminals accountable, by not just targeting those that operate botnets, but also those that profit from malware distribution.”

Google’s disruption of CryptBot comes after the company took legal action in 2021 against the two alleged operators of the Russia-based Glupteba botnet, which the…


Ransomware Attack Against Barcelona Hospital Disrupts Operations


A ransomware cyber-attack has targeted one of Barcelona’s leading hospitals, shutting down its computer system and forcing the cancellation of 150 non-urgent operations and up to 3000 patient checkups.

Reported Monday on Twitter, the attack against Hospital Clinic de Barcelona occurred on Sunday. At the time, the institution said it was working to determine the scope of the leak and restore systems.

A few hours after first reporting the incident, Hospital Clinic published a new post, saying 10% of visits for external consultations would be restored by today, alongside some non-urgent operations.

“We have recovered 10% of consultation activity and part of elective surgery,” the hospital confirmed today. “Patients able to be visited will receive a call to confirm their booking. Rescheduled visits will be announced soon.”

A Catalonia government statement (in Catalan) further explained the region’s cybersecurity agency was working to restore the hospital’s systems. The attack was attributed to the threat actors known as RansomHouse.

According to Avishai Avivi, CISO of security company SafeBreach, although few details about the attack have been released, some information can be deduced from what the Catalonian Cybersecurity Agency has said.

“This was a remote access attack – the spokesperson for the hospital [stated] the attack originated outside of Spain. This means that the malicious actors could breach the hospital network remotely,” Avivi explained.

“The malicious actors were able to spread laterally – considering that multiple locations were shut down (laboratories, emergency rooms, pharmacies and several external clinics). This suggests that the hospital’s networks were not properly segmented and segregated from each other.”

The security expert also discussed the alleged attribution of the attack, clarifying that RansomHouse typically does not encrypt the data but instead focuses on data exfiltration.

“This indicates that shutting down the computers was done to prevent further data exfiltration. This also suggests that Hospital Clinic de Barcelona does not have good egress security controls to prevent data leakage,” Avivi added.

“This conjecture…


AGCO ransomware attack disrupts tractor sales during U.S. planting season


May 6 (Reuters) – U.S. agricultural equipment maker AGCO Corp (AGCO.N) said on Friday a ransomware attack was affecting operations at some of its production facilities, and dealers said tractor sales had been stalled during the crucial planting season.

Georgia-based AGCO said in a statement it expects operations at some facilities to be affected for “several days and potentially longer.”

The ransomware attack comes at a time when U.S. agricultural equipment makers were already facing persistent supply chain disruptions and labor strikes that left them unable to meet equipment demand from farmers.


AGCO did not disclose the names of the facilities or if any data was stolen, but said it was still probing the extent of the attack that occurred on Thursday and working to repair its systems.

Tim Brannon, president and owner of B&G Equipment Inc in Tennessee, told Reuters he has not been able to access AGCO’s website for ordering and looking up parts since Thursday morning.

“We just have to trust that it will be over as soon as possible because we are coming into our busiest time of the year and it will be very damaging to our business and customers,” Brannon said.

AGCO, which competes with larger rival Deere & Co (DE.N), sells tractors and combines, and manufactures and assembles products in 42 locations worldwide; it has 1,810 dealerships in North America.

Dealers are now struggling to keep up with orders that were already backlogged.

The company told dealers that it was “prioritizing” the most business critical systems in an e-mail read to Reuters by a dealer who declined to be identified.

“I’ve got about nine orders that I need to place right now,” said the dealer.

He said AGCO told him “digital systems” had been impacted worldwide.

AGCO did not respond to requests for additional comment.

AGCO’s shares were down 6% at $125.55 in late afternoon trading.

Ransomware attacks have targeted food and fuel companies in the United States in recent years, including the Colonial Pipeline’s oil network and meat processing company JBS (JBSS3.SA). Last autumn, at least three grain handlers in the Midwest were hit with ransomware attacks.
