Vercara’s Open-Source Intelligence (OSINT) Report – June 7 – June 13, 2024

Vercara’s Open-Source Intelligence (OSINT) Report – June 7 – June 13, 2024

Table of Contents
Share on LinkedIn

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

IoT vulnerabilities skyrocket, becoming key entry point for attackers. 

(TLP: CLEAR) Recent reporting has highlighted a dramatic surge in the number of vulnerable Internet of Things (IoT) devices, revealing a staggering 136% increase over the past year. A comprehensive study was recently performed, which scrutinized nearly 19 million devices and discovered that the percentage of IoT devices with vulnerabilities increased from 14% in 2023 to 33% in 2024. According to reporting, the most vulnerable network devices include wireless access points, routers, printers, VoIP devices, and IP cameras. Investigators stressed that cybercriminals are predominantly targeting IoT devices integrated into enterprise systems, such as IP cameras and building management systems, rather than consumer smart devices. These endpoints present significant opportunities, in other words attack vectors, for attackers to infiltrate and exfiltrate organizational networks without detection. Reporting also touched on the substantial risks associated with the Internet of Medical Things (IoMT), revealing that 5% of these devices are vulnerable. The most hazardous IoMT devices include medical information systems, electrocardiographs, DICOM workstations, PACS, and medication dispensing systems. Ransomware attacks on dispensing systems have also been documented to delay patient treatment. Compared to 2023, IoMT now poses a higher risk than operational technology (OT). Lastly, per the intelligence reporting, network devices emerged as the most vulnerable, indicating that routers and wireless access points, were identified as the most susceptible to compromise. In OT environments, the five most vulnerable device types are uninterruptible power supplies (UPS), distributed control systems, programmable logic controllers (PLC), robotics, and building management systems. 

(TLP: CLEAR) Comments: The latest reporting identifies the technology, education, manufacturing, and financial sectors as having the highest average device risk scores. Notably, the healthcare industry, which previously had the highest risk score in 2023, now exhibits the lowest risk score. This improvement could be attributed to substantial investments in device security and efforts to reduce exposure to vulnerabilities such as Telnet and Remote Desktop Protocol. 

(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION   

“Control:   

“a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;   

“b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;   

“c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and   

“d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”  

NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client.  

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations. 

Vercara’s Web Application Firewall, UltraWAF, protects your applications from data breaches, defacements, malicious bots, and other web application-layer attacks. By protecting your applications no matter where they are hosted, UltraWAF simplifies your operations through consistently configured rules with no provider restrictions or hardware requirements.  

Source: https://www.infosecurity-magazine.com/news/iot-vulnerabilities-entry-point/ 

Source: https://www.forescout.com/resources/2024-riskiest-connected-devices/  

China-backed hackers exploit Fortinet bug, infecting 20, 000 systems globally. 

(TLP: CLEAR) The Dutch Military Intelligence and Security Service (MIVD) and the National Cyber Security Centre (NCSC) recently reported that a Chinese nation-state cyber-espionage campaign, initially identified in February 2024, has compromised a substantially larger number of devices than initially assessed. The attacker exploited CVE-2022-42475, a critical remote code execution vulnerability in FortiOS SSL-VPN, to gain initial access to 20,000 Fortinet FortiGate systems on a global scale. This heap-based buffer overflow vulnerability enabled the deployment of the COATHANGER RAT backdoor from a command-and-control (c2) server on compromised FortiGate network security appliances over several months in 2022. According to reporting, the COATHANGER RAT functions as a conduit for further malware distribution and facilitates persistent access within the targeted network. According to the NCSC, the strategic deployment of this backdoor for sustained access was implemented well after the initial breach. That being said, the full scope of COATHANGER RAT compromised systems remains undetermined at this time. 

(TLP: CLEAR) Comments: The backdoor persistence technique leveraged by aforementioned Chinese nation-state actors in this cyber espionage campaign highlights the substantial security challenges entities encounter when deploying publicly accessible edge devices like firewalls and VPN servers. This campaign is set to amplify the adversary’s network of compromised systems, enabling further malware dissemination and potential exfiltration of confidential data. The NCSC asserts that the COATHANGER malware is exceptionally challenging to detect and eliminate, as it can endure system reboots and firmware updates. It functions outside the scope of traditional detection tools and is specifically tailored for FortiGate devices. Moreover, CVE-2022-42475 was exploited as a zero-day vulnerability to infiltrate government organizations and related entities, as disclosed by Fortinet in January 2023. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “Application firewalls can enable the identification of unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command that was not preceded by another command on which it is dependent. These suspicious commands often originate from buffer overflow attacks, DoS attacks, malware, and other forms of attack carried out within application protocols such as HTTP. Another common feature is input validation for individual commands, such as minimum and maximum lengths for arguments. For example, a username argument with a length of 1000 characters is suspicious—even more so if it contains binary data.”  

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in realtime and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.  

Source: https://therecord.media/dutch-intelligence-fortigate-vulnerability-espionage  

Source: https://www.ncsc.nl/actueel/nieuws/2024/juni/10/aanhoudende-statelijke-cyberspionagecampagne-via-kwetsbare-edge-devices  

Black Basta ransomware gang linked to Windows zero-day attacks. 

(TLP: CLEAR) The Black Basta ransomware syndicate is suspected of exploiting a critical Windows privilege escalation vulnerability, identified as CVE-2024-26169, as a zero-day exploit prior to Microsoft releasing a patch. This vulnerability, with a CVSS v3.1 rating of 7.8, affects the Windows Error Reporting Service, enabling attackers to elevate their privileges to SYSTEM level. Despite the patch release, Microsoft remediated the bug back on March 12, 2024, during its monthly Patch Tuesday updates, investigators have suggested that the Cardinal cybercrime group, operators of Black Basta, likely exploited this vulnerability prior to its remediation. The exploit, utilized post-initial infection by the DarkGate loader, capitalizes on the flaw to obtain elevated privileges. Furthermore, investigators have determined that the exploit involves manipulating the werkernel[.]sys file by exploiting its null security descriptor to establish a registry key. This registry key, located at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault[.]exe, permits the execution of arbitrary code with SYSTEM-level privileges. Additionally, two separate variants of the exploit tool were identified, which, according to reporting, were compiled on February 27, 2024, and December 18, 2023. Reporting indicates that the evidence suggests that Black Basta had a fully operational exploit tool for a significant period of time prior to Microsoft issuing out a patch for the vulnerability in question. 

(TLP: CLEAR) Comments: Black Basta, reportedly affiliated with the Conti cybercrime syndicate, has a proven track record of adeptly exploiting Windows tools and system vulnerabilities. Both the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have highlighted Black Basta’s extensive operations, attributing around 500 breaches to the group since April 2022.  

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 6.4.1: “For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows:   
“Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows:   
“”– By an entity that specializes in application security. – Including, at a minimum, all common software attacks in Requirement 6.2.4.   
“– All vulnerabilities are ranked in accordance with requirement 6.3.1.   
“– All vulnerabilities are corrected.   
“– The application is re-evaluated after the corrections   
“OR   
“Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows:   
“– Installed in front of public-facing web applications to detect and prevent web-based attacks. – Actively running and up to date as applicable.   
“– Generating audit logs.   
“– Configured to either block web-based attacks or generate an alert that is immediately investigated.”   

Additionally, it is advised that the organization security policy includes routine reviews of all IT infrastructure including applications to ensure they are up to date with the latest security patches. If no security patches are being released for known vulnerabilities, organizations should look at either replacing outdated systems or establishing extra security-in-depth measures to protect non-updated systems.  

(TLP: CLEAR) Vercara: Vercara’s UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them.  

Source: https://www.bleepingcomputer.com/news/security/black-basta-ransomware-gang-linked-to-windows-zero-day-attacks/ 

Source: https://symantec-enterprise-blogs.security.com/threat-intelligence/black-basta-ransomware-zero-day  

London hospitals face blood shortage after Synnovis ransomware attack. 

(TLP: CLEAR) Synnovis, a leading pathology and diagnostic service provider in the UK, recently suffered a ransomware attack that critically impaired its IT infrastructure, causing extensive disruptions to pathology services in major London hospitals. The attack in question, which transpired on Monday, June 10th, has affected the provision of NHS services at partner hospitals and primary care facilities across six boroughs. While emergency care remains operational, reporting has indicated that numerous patient appointments, including transplant surgeries, have been either cancelled or rescheduled. Synnovis, in conjunction with NHS Trust partners, is working closely with government cybersecurity agencies to mitigate the attack’s repercussions and restore normal operations. 

(TLP: CLEAR) Comments: The aforementioned ransomware assault on Synnovis highlights the exposure of healthcare systems to cyber threats and the potential for extensive network disruption within the sector. This incident is reminiscent of prior attacks on healthcare institutions, emphasizing the lucrative nature of hospitals and clinics as targets for ransomware hacker groups. The intricate nature of healthcare networks amplifies the impact of such attacks, as disruptions at one entity can ripple across its affiliated partners. 

(TLP: CLEAR) Recommended best practices/regulations: Department of Health and Human Services Fact Sheet: Ransomware and The Health Information Portability and Accountability Act (HIPAA): “The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. Some of these required security measures include:  

“implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks;  

“implementing procedures to guard against and detect malicious software;  

“training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and  

“implementing access controls to limit access to ePHI to only those persons or software programs requiring access.”  

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices, inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.  

Source: https://www.bleepingcomputer.com/news/security/london-hospitals-face-blood-shortage-after-synnovis-ransomware-attack/ 

DDoS attacks target EU political parties as elections begin. 

(TLP: CLEAR) According to recent intelligence reporting, the European Parliament elections have commenced in the Netherlands and are slated to begin in 26 additional EU countries in the coming days, ultimately triggering politically motivated cyberattacks. Hacktivists are orchestrating distributed denial of service (DDoS) attacks on European political parties advocating policies that ultimately oppose the hacktivists interests. Reporting reveals that multiple waves DDoS attacks on various election-related websites in the Netherlands as well as on several political parties have been thwarted by defenders. Details of the attack were later disclosed to the public of the two significant DDoS attacks occurring on June 5 and 6. The first attack peaked at 115 million requests per hour, with one targeted site receiving 73,000 requests per second for a duration of four hours. The second DDoS attack reported, while less intense, still reached a volume of 44 million requests per hour and peaked at 52,000 requests per second on one of the targets. This attack, like the previous one, focused on political websites in the Netherlands. Following the attack, the hacktivist group ‘HackNeT’ claimed responsibility for the attacks on their telegram channel, identifying their targets as PVV (Party for Freedom) and FvD (Forum for Democracy). While German authorities have not disclosed extensive details about the attack, they have advised all Bundestag parties to enhance their protective measures to safeguard against similar threats. 

(TLP: CLEAR) Comments: The attack on Germany’s CDU network highlights the persistent threat to political institutions, especially those taking strong geopolitical stances. The CDU’s opposition to Russia’s actions in Ukraine positions it as a target for retaliatory cyber activities. Furthermore, the emergence of ‘HackNeT’ and its high-profile DDoS attacks demonstrate the increasing sophistication and capacity of new hacktivist groups. These events highlight the critical need for continuous monitoring and threat intelligence sharing across national and international levels. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected”  

Organizations should have a well-defined incident response plan in place that outlines the procedures to take in a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should utilize DDoS mitigation services from reputable providers that detect and mitigate attacks in real-time, such as Vercara’s UltraDDoS Protect. 

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.  

Source: https://www.techradar.com/pro/elections-kick-off-sees-wave-of-ddos-attacks-hitting-european-governments 

Source: https://www.bleepingcomputer.com/news/security/ddos-attacks-target-eu-political-parties-as-elections-begin/ 

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.

Interested in learning more?
  • Solutions
  • Products
  • Industries
  • Why Vercara
  • Plans
  • Partners
  • Resources
  • Company