Tag Archive for: hackers

State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage

/in


Apr 25, 2024NewsroomVulnerability / Zero-Day

Cisco Zero-Day Vulnerabilities

A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments.

Cisco Talos, which dubbed the activity ArcaneDoor, attributed it as the handiwork of a previously undocumented sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft).

“UAT4356 deployed two backdoors as components of this campaign, ‘Line Runner’ and ‘Line Dancer,’ which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement,” Talos said.

Cybersecurity

The intrusions, which were first detected and confirmed in early January 2024, entail the exploitation of two vulnerabilities

  • CVE-2024-20353 (CVSS score: 8.6) – Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial-of-Service Vulnerability
  • CVE-2024-20359 (CVSS score: 6.0) – Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability

It’s worth noting that a zero-day exploit is the technique or attack a malicious actor deploys to leverage an unknown security vulnerability to gain access into a system.

While the second flaw allows a local attacker to execute arbitrary code with root-level privileges, administrator-level privileges are required to exploit it. Addressed alongside CVE-2024-20353 and CVE-2024-20359 is a command injection flaw in the same appliance (CVE-2024-20358, CVSS score: 6.0) that was uncovered during internal security testing.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the shortcomings to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the vendor-provided fixes by May 1, 2024.

Cisco Zero-Day Vulnerabilities

The exact initial access pathway used to breach the devices is presently unknown, although UAT4356 is said to have started preparations for it as early as July 2023.

A successful foothold is followed by the deployment of two implants named Line Dancer and Line Runner, the former of which is an…

Source…

Hackers Were in Change Healthcare 9 Days Before Attack

/in


Hackers were reportedly in the networks of UnitedHealth Group’s Change Healthcare unit for days before launching their ransomware strike.

They gained entry to the networks on Feb. 12, using compromised credentials on an application that allows staff to remotely access systems, The Wall Street Journal (WSJ) reported Monday (April 22).

During the nine days they were in the system before launching the attack on Feb. 21, they may have been able to steal “significant” amounts of data, Seeking Alpha reported Monday, citing a WSJ article.

Change Healthcare posted its first update reporting connectivity issues Feb. 21, saying that “some applications are currently unavailable” and that the company was triaging the issue.

On April 16, UnitedHealth Group CEO Andrew Witty said during an earnings call that the cyberattack cost the company $872 million.

Witty said that the incident “was straight out an attack on the U.S. health system and designed to create maximum damage,” adding: “I think we’ve got through that very well in terms of the remediation and the build back to functionality.”

In the wake of that attack, the federal government announced it is offering a $10 million reward to help identify the people behind the organization that launched the attack: the ransomware-as-a-service group ALPHV BlackCat.

In addition, U.S. Sen. Mark R. Warner, D-Va., introduced a bill that would accelerate Medicare payments to healthcare providers that have suffered a cyberattack.

The bill, the “Health Care Cybersecurity Improvement Act of 2024,” is meant to incentivize cybersecurity in the healthcare industry.

“The recent hack of Change Healthcare is a reminder that the entire healthcare industry is vulnerable and needs to step up its game,” Warner said in a March 22 press release announcing the introduction of the bill. “This legislation would provide some important financial incentives for providers and vendors to do so.”

PYMNTS Intelligence has found that 82% of eCommerce merchants endured cyber or data breaches in the last year. Forty-seven percent of those merchants said the breaches resulted in both lost revenue and lost…

Source…

Hackers are threatening to leak World-Check, a huge sanctions and financial crimes watchlist

/in


A financially motivated criminal hacking group says it has stolen a confidential database containing millions of records that companies use for screening potential customers for links to sanctions and financial crime.

The hackers, which call themselves GhostR, said they stole 5.3 million records from the World-Check screening database in March and are threatening to publish the data online.

World-Check is a screening database used for “know your customer” checks (or KYC), allowing companies to determine if prospective customers are high risk or potential criminals, such as people with links to money laundering or who are under government sanctions. The hackers told TechCrunch that they stole the data from a Singapore-based firm with access to the World-Check database, but did not name the firm.

A portion of the stolen data, which the hackers shared with TechCrunch, includes individuals who were sanctioned as recently as this year.

Simon Henrick, a spokesperson for the London Stock Exchange Group, which maintains the database, told TechCrunch: “This was not a security breach of LSEG/our systems. The incident involves a third party’s data set, which includes a copy of the World-Check data file. This was illegally obtained from the third party’s system. We are liaising with the affected third party, to ensure our data is protected and ensuring that any appropriate authorities are notified.”

LSEG did not name the third-party company, but did not dispute the amount of data stolen.

The portion of stolen data seen by TechCrunch contains records on thousands of people, including current and former government officials, diplomats, and private companies whose leaders are considered “politically exposed people,” who are at a higher risk of involvement in corruption or bribery. The list also contains individuals accused of involvement in organized crime, suspected terrorists, intelligence operatives and a European spyware vendor.

The data varies by record. The database contains names, passport numbers, Social Security numbers, online crypto account identifiers and bank account numbers, and more.

World-Check is currently owned by the London Stock Exchange Group following…

Source…

Carpetright is latest British business to be hit by cyber attack as hackers target company HQ to affect hundreds of customer orders

/in


  •  Hackers targeted the company HQ in Purfleet, Essex on Tuesday



Flooring chain Carpetright is the latest British business to be hit by a cyber attack affecting hundreds of customer orders. 

Hackers targeted the company HQ in Purfleet, Essex on Tuesday, sending malware to gain unauthorised access. 

Carpetright’s network was taken offline due to the cyber attack but bosses insist that the virus was isolated before any data was swiped. 

However phone lines are still down with callers met with the automated message ‘Thank you for your patience while we work on a solution’.

Staff and hundreds of customers were affected by the malicious virus with employees reportedly unable access their payroll information.   

Flooring chain Carpetright is the latest British business to be hit by a cyber attack affecting hundreds of customer orders (file pic)
Hackers targeted the company HQ in Purfleet, Essex on Tuesday, sending malware to gain unauthorised access (stock photo)

A source told The Sun: ‘Some staff networks were taken down including the portals that workers use to book time off and look at payslips.

‘It happened abruptly and was worrying because customers couldn’t get through to helplines.

READ MORE: Hackers publish NHS patients’ data after cyber attack including names, addresses and medical conditions – as they vow to post thousands more unless ransom is paid

‘Everything at HQ was taken offline as that was the best way to stop the attack spreading to customer data.’

A spokesperson for Carpetright said: ‘We would like to apologise for any inconvenience caused.

‘We are not aware of any customer or colleague data being impacted by this incident and are testing and resetting systems, with investigations ongoing.’

The cyber attack at the flooring chain comes after hackers managed to access a ‘small number’ of patients’ data last month. 

Ransomware group – INC Ransom – targeted NHS Dumfries and Galloway and claimed it was in possession of three terabytes of data from NHS Scotland.

A post on its dark web blog included a ‘proof pack’ of some of the data, which was…

Source…