Vercara’s Open-Source Intelligence (OSINT) Report – February 8 – February 15, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. 

NOTE: Except where indicated, this report is released as TLP: CLEAR, and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Ransomware attack forces 18 Romanian hospitals to go offline.

(TLP: CLEAR) A ransomware attack has targeted the Hipocrate Information System (HIS) used by 100 hospitals across Romania, leading to the encryption of data on the healthcare management system. The attack occurred over the weekend, forcing 25 hospitals to confirm data encryption while 75 others using HIS have taken systems offline as a precaution. The Romanian Ministry of Health reported the incident and initiated an investigation with the National Cyber Security Directorate (DNSC). The attackers demanded a ransom of 3.5 BTC (approximately €157,000). Due to the attack, hospitals have resorted to paper records, and the recovery possibilities are being assessed. The DNSC stated that most affected hospitals have recent data backups, except for one with data saved 12 days ago. The ransomware variant used is Backmydata from the Phobos family. As of now, there is no evidence of data theft, and the software service provider, RSC, has not issued a public statement on the incident. The DNSC continues to investigate the impact of the attack on medical services management platforms.

(TLP: CLEAR) Comments: The healthcare industry continues to be a very lucrative target for malicious actors because of the volume of Personally Identifiable Information (PII) and sensitive health information it stores.

(TLP: CLEAR) Recommended best practices/regulations: Healthcare organizations must follow the Health Insurance Portability and Accountability Act security requirements, which include conducting risk assessments by a qualified compliance officer to identify potential security risks. It is highly recommended that organizations implement a security-in-depth strategy that includes network segmentation for public/guest users, hospital employees, and mission-critical systems. Employing a protective DNS solution would enable the detection and blocking of network traffic to malicious domains and sites.

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses for both users and machines, using defined categories (including botnet C&C) as well as machine learning to detect previously uncategorized malicious associations, helping to prevent data exfiltration or malware detonation.

Sources: https://www.bleepingcomputer.com/news/security/ransomware-attack-forces-18-romanian-hospitals-to-go-offline/

New Fortinet RCE bug is actively exploited, CISA confirms.

(TLP: CLEAR) The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of a critical remote code execution (RCE) vulnerability (CVE-2024-21762) in Fortinet’s FortiOS operating system and FortiProxy secure web proxy. The flaw allows unauthenticated attackers to execute arbitrary code remotely through maliciously crafted HTTP requests. Fortinet recently patched the vulnerability and advised disabling SSL VPN on affected devices if immediate security updates cannot be deployed. CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog, emphasizing the significant risks posed by such vulnerabilities. The agency ordered U.S. federal agencies to secure FortiOS and FortiProxy devices against the bug within seven days. Fortinet had also recently patched two other critical RCE vulnerabilities in its FortiSIEM solution, initially causing confusion with denials that later turned into an acknowledgment of the issues. The article highlights the history of Fortinet flaws being targeted in cyber espionage and ransomware attacks, underlining the urgency of securing all Fortinet devices promptly.

(TLP: CLEAR) Comments: Malicious actors typically begin scanning for and exploiting vulnerabilities within 10-15 minutes of disclosure, knowing there is only a short window before organizations start applying the security patches that address them.

(TLP: CLEAR) Recommended best practices/regulations: Organizations should have a patching policy that establishes a time frame from when a patch is released to when all affected systems are updated. It is also recommended that organizations set up a testing environment or sandbox to test patches to ensure that they will not cause any unforeseen issues with other network configurations.

(TLP: CLEAR) Vercara: Vercara UltraWAF helps prevent common exploits of vulnerabilities in web applications that could lead to the insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.

Sources: https://www.bleepingcomputer.com/news/security/new-fortinet-rce-bug-is-actively-exploited-cisa-confirms/

US dismantles Warzone RAT malware operation.

(TLP: CLEAR) A multinational law enforcement operation led by the United States has successfully dismantled the “Warzone” malware operation, a sophisticated remote access Trojan (RAT). The malware enabled cybercriminals to eavesdrop on communications, steal credentials and sensitive information, and access victims’ webcams. The FBI purchased and analyzed the RAT, while law enforcement partners in Canada, Croatia, Finland, Germany, the Netherlands, and Romania located and dismantled the servers comprising its online infrastructure. Federal authorities in Boston seized www.warzone[.]ws and three related domains. Daniel Meli of Malta, indicted in December 2023 for offenses including unauthorized damage to protected computers and selling electronic interception devices, was arrested on February 7 and awaits extradition to the US. Another individual connected with Warzone, Prince Onyeoziri Odinakachi of Nigeria, was arrested for conspiracy to commit computer intrusion offenses, including obtaining unauthorized access and causing damage to protected computers. The operation highlights a commitment to combating cybercriminals and their tools on an international scale.

(TLP: CLEAR) Comments: The Warzone Remote Access Trojan (RAT) is malware that gives malicious actors unauthorized remote access to a system, which is often used for stealing sensitive information, monitoring user activity, and executing remote commands on affected systems. The Warzone RAT was normally distributed through social engineering attacks such as phishing emails or tricking users into visiting a malicious website. This takedown will more than likely have only a limited effect on Warzone operations, because malicious actors will look to re-establish their infrastructure as soon as possible.

(TLP: CLEAR) Recommended best practices/regulations: Organizations should have a robust and continuous cybersecurity training program that teaches their employees how to identify malicious emails and other social engineering attacks, as well as the proper procedures for reporting them to the information security team. Employing a protective DNS solution would enable the detection and blocking of network traffic to malicious domains and sites.

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses for both users and machines, using defined categories (including botnet C&C) as well as machine learning to detect previously uncategorized malicious associations, helping to prevent data exfiltration or malware detonation.

Sources: https://www.infosecurity-magazine.com/news/us-dismantles-warzone-rat-malware/

Hackers exploit Ivanti SSRF flaw to deploy new DSLog backdoor.

(TLP: CLEAR) Hackers are actively exploiting a server-side request forgery (SSRF) vulnerability (CVE-2024-21893) in Ivanti Connect Secure, Policy Secure, and ZTA gateways, deploying the DSLog backdoor on vulnerable devices. The flaw, disclosed as a zero-day on January 31, 2024, affects the SAML component of these products, allowing attackers to bypass authentication and access restricted resources on Ivanti gateways running versions 9.x and 22.x. Ivanti has released security updates to address the issue. Threat monitoring service Shadowserver reported attackers attempting to exploit the vulnerability on February 5, with some using published proof-of-concept (PoC) exploits. Orange Cyberdefense confirmed the successful exploitation of CVE-2024-21893 to install the DSLog backdoor, enabling remote command execution on compromised Ivanti servers. The backdoor, inserted into the DSLog file, allows attackers to execute commands as root, and nearly 700 compromised Ivanti servers have been identified. Orange recommends following Ivanti’s latest recommendations to mitigate threats targeting the affected products.

(TLP: CLEAR) Comments: In an SSRF attack, a malicious actor abuses the functionality of one server to read or update internal resources. The malicious actor supplies a modified URL that code running on the server will read from or submit data to; by carefully selecting the URLs, the malicious actor may be able to read server configuration such as AWS metadata, connect to internal services like HTTP-enabled databases, or send POST requests to internal services that were never intended to be exposed.
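The defensive counterpart of the SSRF pattern described above is a guard that runs before any server-side fetch. The following is an added example written for this report; it is not Vercara's, Ivanti's, or Orange Cyberdefense's code and has nothing to do with the DSLog backdoor itself. The allowlisted hostnames, the "public" and "internal" addresses in the resolver table, and the stand-in HTTP client are all constructed so the example runs offline; the unsafe and guarded fetch functions sit side by side to show exactly where the check belongs.

```python
"""
SSRF guard for server-side fetches (added example; hypothetical service).

The vulnerable pattern is fetching an attacker-supplied URL as-is, which
lets the request be pointed at cloud metadata (169.254.169.254), localhost,
or an internal HTTP service. The guard below enforces an allowlist of
schemes and hostnames, then resolves the name and rejects anything that
lands on a non-public address, so a DNS answer cannot redirect the fetch
inward even for an allowlisted name.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
# Hypothetical allowlist of upstream hosts this service is meant to call.
ALLOWED_HOSTS = {"api.example.com", "images.example.com"}

# Constructed DNS answers so the example runs offline. The second entry
# models an allowlisted name that (mis)resolves to an internal address.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],   # constructed public address
    "images.example.com": ["10.0.0.5"],     # constructed internal address
}


def resolve_all(hostname):
    """Real resolver: every A/AAAA address for the name (needs network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def fake_resolver(hostname):
    """Offline stand-in for resolve_all backed by the constructed table."""
    if hostname not in FAKE_DNS:
        raise OSError("NXDOMAIN (constructed)")
    return FAKE_DNS[hostname]


def is_public_ip(addr):
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolver=resolve_all):
    """Return (ok, reason); ok is True only when every check passes."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:          # IP literals fail here as well
        return False, "host not in allowlist: %r" % host
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, "resolution failed: %s" % exc
    if not addrs:
        return False, "name resolved to no addresses"
    for addr in addrs:
        if not is_public_ip(addr):
            return False, "%s resolves to non-public address %s" % (host, addr)
    return True, "ok"


def fetch_unsafe(url, fetch):
    """Vulnerable pattern: the user-controlled URL goes straight to the client."""
    return fetch(url)


def fetch_guarded(url, fetch, resolver=resolve_all):
    """Hardened pattern: refuse before any connection is opened."""
    ok, reason = check_outbound_url(url, resolver)
    if not ok:
        raise ValueError("blocked outbound request: " + reason)
    return fetch(url)


if __name__ == "__main__":
    probe = lambda u: "fetched %s" % u     # stand-in HTTP client, no network
    for u in ("https://api.example.com/v1/users",
              "https://images.example.com/logo.png",
              "https://169.254.169.254/latest/meta-data/",
              "http://api.example.com/"):
        try:
            print(fetch_guarded(u, probe, fake_resolver))
        except ValueError as exc:
            print(exc)
```

Two caveats matter in production. The HTTP client passed as `fetch` must not follow redirects silently, or each hop must go back through `check_outbound_url`, otherwise an allowlisted host that redirects defeats the guard. And because the check resolves the name separately from the connection, a deployment should connect to the address it validated (or re-validate inside the client's connection hook) so that a changed DNS answer between check and connect cannot slip an internal address through.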

(TLP: CLEAR) Recommended best practices/regulations: It is advised that the organization’s security policy includes routine reviews of all IT infrastructure, including applications, to ensure they are up to date with the latest security patches. If no security patches are being released for known vulnerabilities, organizations should look at either replacing the outdated systems or establishing extra security-in-depth measures to protect non-updated systems.

(TLP: CLEAR) Vercara: Vercara UltraWAF helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.

Sources: https://www.bleepingcomputer.com/news/security/hackers-exploit-ivanti-ssrf-flaw-to-deploy-new-dslog-backdoor/

Hackers used new Windows Defender zero-day to drop DarkMe malware.

(TLP: CLEAR) Microsoft has patched a Windows Defender SmartScreen zero-day (CVE-2024-21412) exploited in the wild by a financially motivated threat group known as Water Hydra and DarkCasino. The hackers targeted foreign exchange traders, exploiting the zero-day to deploy the DarkMe remote access trojan (RAT). Trend Micro researchers discovered the attack on New Year’s Eve, noting that the zero-day bypasses a previously patched Defender SmartScreen vulnerability (CVE-2023-36025). Water Hydra utilized tactics such as abusing internet shortcuts and Web-based Distributed Authoring and Versioning (WebDAV) components to evade SmartScreen. The attackers aimed to trick forex traders into installing DarkMe through social engineering, posting messages in English and Russian on trading forums and Telegram channels. This incident follows Microsoft’s recent patch for another Windows SmartScreen zero-day (CVE-2024-21351) that allowed attackers to inject code into SmartScreen and gain code execution. Water Hydra has a history of exploiting zero-day vulnerabilities and has targeted the financial sector in the past.

(TLP: CLEAR) Comments: The DarkMe malware is a Remote Access Trojan (RAT) that is used to steal data, install additional malware, or perform actions on infected systems. Recent attacks utilizing this malware have been on the financial industry and have been delivered using social engineering attacks.

(TLP: CLEAR) Recommended best practices/regulations: It is advised that the organization’s security policy includes routine reviews of all IT infrastructure including applications to ensure they are up to date with the latest security patches. If no security patches are being released for known vulnerabilities, organizations should look at either replacing outdated systems or establishing extra security-in-depth measures to protect non-updated systems.

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses for both users and machines, using defined categories (including botnet C&C) as well as machine learning to detect previously uncategorized malicious associations, helping to prevent data exfiltration or malware detonation.

Sources: https://www.bleepingcomputer.com/news/security/hackers-used-new-windows-defender-zero-day-to-drop-darkme-malware/

Zoom desktop flaws let attackers launch privilege escalation attacks.

(TLP: CLEAR) Zoom has addressed seven vulnerabilities, including a critical flaw (CVE-2024-24691) impacting its desktop and mobile applications, with a focus on a high-severity escalation of privilege issue on Windows (CVE-2024-24697). The critical flaw, with a CVSS score of 9.6, involves improper input validation in the Zoom Desktop Client, Zoom VDI Client, and Zoom Meeting SDK for Windows, potentially allowing unauthorized users to escalate privileges via network access. The high-severity vulnerability (CVE-2024-24697) relates to an untrusted search path in some Zoom 32-bit Windows clients, enabling an authorized user to carry out local access privilege escalation. Zoom recommends users update their applications to the latest available versions promptly.

(TLP: CLEAR) Recommended best practices/regulations: It is advised that the organization’s security policy includes routine reviews of all IT infrastructure, including applications, to ensure they are up to date with the latest security patches. If no security patches are being released for known vulnerabilities, organizations should look at either replacing outdated systems or establishing extra security-in-depth measures to protect non-updated systems.

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses for both users and machines, using defined categories (including botnet C&C) as well as machine learning to detect previously uncategorized malicious associations, helping to prevent data exfiltration or malware detonation.

Sources: https://cybersecuritynews.com/zoom-desktop-flaws/

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.