Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Largest non-bank lender in Australia warns of a data breach.
(TLP: CLEAR) Firstmac Limited, a significant player in Australia’s financial services industry, disclosed a data breach after the Embargo cyber-extortion group claimed to have leaked over 500GB of data allegedly stolen from the company. Headquartered in Brisbane, Queensland, Firstmac specializes in mortgage lending, investment management, and securitization services, employing 460 people and managing $15 billion in mortgages. The breach compromised sensitive customer information, including full names, residential addresses, email addresses, phone numbers, dates of birth, external bank account details, and driver’s license numbers. Despite the breach, Firstmac assured customers that their accounts and funds remain secure and implemented additional security measures, such as two-factor authentication or biometrics for account changes. Customers were also offered free identity theft protection services and advised to remain vigilant against unsolicited communications and to monitor account statements for unusual activity. The Embargo gang claimed responsibility for the attack and leaked the stolen data on its website, though it remains unclear whether the group conducted the breach itself or obtained the data from other sources for extortion purposes. The group’s motives, whether ransomware-related or solely focused on extortion, are yet to be determined.
(TLP: CLEAR) Comments: The financial industry continues to be a primary target for malicious actors because of the amount of sensitive information maintained in its databases. Although Firstmac stated that no banking accounts were compromised, the malicious actors will look to sell the stolen data on the dark web for a profit. According to additional open-source reporting, the Embargo gang gave Firstmac a deadline to pay the ransom, and when that was not met, the group posted the stolen data, which consisted of over 500 Gigabytes. The stolen data consisted of a “source code archive,” “database backups,” and emails/phone numbers of the C-suite and IT team.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), intercepts and blocks malicious online activity using four distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by it.
CISA: Black Basta ransomware breached over 500 orgs worldwide.
(TLP: CLEAR) CISA and the FBI issued a joint report revealing that Black Basta ransomware affiliates have targeted over 500 organizations between April 2022 and May 2024, encrypting and stealing data from at least 12 critical infrastructure sectors. The attacks have affected entities in North America, Europe, and Australia, including healthcare organizations. The rise in attacks prompted a threat bulletin from Health-ISAC, particularly warning the healthcare sector of escalated threats from Black Basta. Emerging in April 2022 as a Ransomware-as-a-Service operation, Black Basta has targeted high-profile victims worldwide, amassing over $100 million in ransom payments by November 2023. The advisory provides defenders with tactics, techniques, and procedures used by Black Basta affiliates, emphasizing the importance of updating systems, implementing multi-factor authentication, training users against phishing, securing remote access software, and backing up critical systems. Healthcare organizations, in particular, are urged to apply recommended mitigations to prevent potential attacks, given their attractiveness to cybercriminals due to their size and access to sensitive patient information.
(TLP: CLEAR) Comments: The Black Basta group first emerged in early 2022 and is known for conducting double extortion tactics where they not only encrypt the victim’s data but also exfiltrate sensitive information and threaten to release it publicly unless their demands are met. This group is also known to be a Ransomware-as-a-Service (RaaS) where they provide their ransomware to their affiliates who conduct their own cyber-attacks.
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Using a combination of agent-based and network-based detection, such as with a Protective DNS solution, provides overlapping protection not only for conventional IT assets such as laptops, desktops, and some servers, but also for non-standard IT assets such as IoT devices and some servers that cannot run anti-malware software.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories, including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.
Hackers exploiting MS-SQL servers to deploy Mallox ransomware.
(TLP: CLEAR) Cybersecurity researchers at Sekoia have uncovered active exploitation of MS-SQL servers by hackers to deploy Mallox ransomware. Weak passwords, unpatched vulnerabilities, and misconfigurations in MS-SQL installations make them prime targets for threat actors using automated scanning and exploitation tools. The attackers swiftly compromised an MS-SQL honeypot via brute-force attacks, leveraging exploits to deploy Mallox ransomware using PureCrypter. Analysis revealed two affiliate groups involved in the exploitation, one exploiting vulnerabilities and the other conducting broader system compromises. Mallox, a notorious ransomware-as-a-service operation, utilizes double extortion techniques and targets MS-SQL servers for initial access. The ransomware transitioned to a RaaS model in mid-2022 and has impacted various sectors, including manufacturing and retail, across multiple countries. The attackers behind Mallox exploit MS-SQL vulnerabilities and employ phishing for initial access, with evidence suggesting former tier ransomware group members are involved. The report highlights the ransomware’s evolution and its use of triple extortion strategies.
(TLP: CLEAR) Comments: Mallox ransomware, also known as TargetCompany ransomware, is a malicious software that encrypts files on a victim’s system, demanding a ransom for decryption. Active since mid-2021, it spreads through various methods, including exploiting vulnerabilities, phishing emails, and poorly secured RDP connections. Known for targeting specific industries, Mallox not only encrypts data but may also exfiltrate it, threatening public release if the ransom isn’t paid, a tactic known as double extortion. Effective defense against Mallox involves regular data backups, prompt patch management, robust network security measures, user awareness training, and advanced endpoint protection to detect and respond to threats in real time.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website category feeds.
OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. “While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy. “WAFs may come in the form of an appliance, server plugin, or filter and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.”
(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, can defend critical applications with even the most complex workflows and prevent the most common threats that target the application layer, such as SQLi, XSS, and CSRF.
Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.
Source: https://cybersecuritynews.com/exploit-ms-sql-mallox-ransomware/
Critical Next.js vulnerability let attackers compromise server operations.
(TLP: CLEAR) Two critical vulnerabilities have been uncovered in Next.js, labeled CVE-2024-34350 and CVE-2024-34351, with a severity rating of 7.5 (High). The first vulnerability, related to response queue poisoning, arises from inconsistent handling of crafted HTTP requests, potentially leading to desynchronized responses and manipulation of backend responses. The second vulnerability, a Server-Side Request Forgery (SSRF), is rooted in a vulnerable component that is present and enabled by default in Next.js, allowing attackers to exploit it by manipulating certain parameters. Both vulnerabilities have been patched in the latest versions of Next.js (13.5.1 and 14.x), and security advisories have been issued. Additionally, a proof of concept for CVE-2024-34351 has been published, providing detailed insights into the exploitation methods. Users of Next.js are strongly advised to update to the latest versions to mitigate these vulnerabilities.
(TLP: CLEAR) Comments: Next.js is a React framework that provides developers with the building blocks to create web applications by handling the tooling and configuration that React needs, as well as providing additional structure, features, and optimizations.
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “The HTTP protocol used in web servers has been exploited by attackers in many ways, such as to place malicious software on the computer of someone browsing the web, or to fool a person into revealing private information that they might not have otherwise. Many of these exploits can be detected by specialized application firewalls called web application firewalls that reside in front of the web server.”
(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, can provide you with protection in the way that you need it. UltraWAF allows security postures that assume that all traffic is allowed – except an already identified threat or an attack (negative security) – or zero trust models where all traffic is denied unless explicitly permitted (positive security).
Source: https://cybersecuritynews.com/next-js-server-compromise/
Ascension ransomware attack diverts ambulances, delays appointments.
(TLP: CLEAR) A ransomware attack on the US private healthcare giant Ascension has resulted in the diversion of ambulances and the postponement of patient appointments. The attack, confirmed on May 9 after unusual activity was detected on technology network systems, has affected electronic health records systems and various systems for booking tests, procedures, and medications. While all hospitals and facilities remain open, non-emergent elective procedures and appointments have been temporarily paused as Ascension works to restore its systems. Ascension is currently working with cybersecurity experts to restore and recover its systems and has notified law enforcement and federal agencies, including the Department of Health and Human Services (HHS). The attack is believed to be the work of the Black Basta ransomware gang, a Russia-based Ransomware-as-a-Service (RaaS) operator whose activity has surged in 2024. The incident underscores a concerning trend of sophisticated ransomware groups targeting the US healthcare sector, following the attack on Change Healthcare in February 2024. The US government is investigating both incidents to determine the extent of potential data breaches and regulatory compliance.
(TLP: CLEAR) Comments: The healthcare industry continues to be a primary target for ransomware groups due to the amount of sensitive personal health information as well as personally identifiable information maintained on their networks.
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “Malicious software (malware) is prevented or detected and addressed.
“An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.
“The deployed anti-malware solution(s):
• Detects all known types of malware.
• Removes, blocks, or contains all known types of malware.
“Any system components that are not at risk for malware are evaluated periodically to include the following:
• A documented list of all system components not at risk for malware.
• Identification and evaluation of evolving malware threats for those system components.
• Confirmation whether such system components continue to not require anti-malware protection.
“The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.”
Section 5.2 lays out requirements for malware detection and blocking across all devices in the Cardholder Data Environment (CDE). Every device inside the CDE should have malware protection that is kept updated and monitored, with action taken when an infection is detected.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.
Source: https://www.infosecurity-magazine.com/news/ascension-ransomware-diverts/
Source: https://www.infosecurity-magazine.com/news/black-basta-ransomware-victim/
Hackers use DNS tunneling for network scanning and tracking victims.
(TLP: CLEAR) Threat actors are utilizing Domain Name System (DNS) tunneling techniques to monitor the activity of their targets when they open phishing emails and click on malicious links, as well as to scan networks for potential vulnerabilities. DNS tunneling involves encoding data or commands within DNS queries, essentially turning DNS into a covert communication channel. This technique allows hackers to bypass network firewalls and filters, using it for command and control (C2) operations and Virtual Private Network (VPN) activities. Palo Alto Networks’ Unit 42 security research team has recently uncovered malicious campaigns employing DNS tunneling for victim tracking and network scanning. The “TrkCdn” campaign focuses on tracking victim interactions with phishing email content by embedding content in emails that perform DNS queries to attacker-controlled subdomains. These subdomains contain encoded content, allowing attackers to evaluate their strategies and deliver malicious payloads. Another campaign, dubbed “SecShow,” utilizes DNS tunneling to scan network infrastructures, mapping out network layouts and discovering potential configuration flaws. Threat actors prefer DNS tunneling due to its ability to bypass security tools, avoid detection, and maintain operational flexibility. Unit 42 recommends organizations implement DNS monitoring and analysis tools to detect unusual traffic patterns and anomalies and limit DNS resolvers to handle only necessary queries to mitigate the misuse of DNS tunneling.
(TLP: CLEAR) Comments: Using DNS tunneling to carry malicious traffic or exfiltrate proprietary data is an increasingly common way for attackers to leverage a trusted protocol to perform malicious tasks. Network assessments, continuous monitoring, and diligent deployment of a protective DNS solution are all prudent steps to remediate this issue.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01:
“Networks and network services are monitored to find potentially adverse events”
One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport. Organizations should conduct periodic network assessments to identify and close nonessential ports and protocols that expand their potential attack surface. If organizations require certain ports and protocols to be exposed to the internet for business operations, they should establish security in depth, change all default usernames and passwords, and create complex passwords that are harder to brute force.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections.
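The DNS monitoring that Unit 42 recommends above can be reduced to a simple detector over resolver logs: tunneling campaigns such as TrkCdn and SecShow generate many unique, long, high-entropy subdomains under one attacker-controlled domain, which ordinary web traffic does not. The following is an added example, not code from the report or from any vendor; the log format, the hypothetical domain attacker-example.test, the last-two-labels approximation of the registered domain, and the thresholds are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, format "client qname qtype" (assumption).
# None of these names or clients come from the report.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 cdn.example.net A
10.0.0.7 a1b2c3d4e5f6a7b8c9d0e1f2.cdn.example.net A
10.0.0.9 4a7f9c2e1b3d5f60.8e2c1a9b7d3f4e5c.track.attacker-example.test A
10.0.0.9 7c3e9a1f5b2d8e40.1f4a6c8e2b9d3a7f.track.attacker-example.test A
10.0.0.9 9b1d3f5a7c2e4860.3c7e1a9f5b2d8e4a.track.attacker-example.test A
10.0.0.9 2e4a6c8f1b3d5970.5a9c3e7f1b4d2e8c.track.attacker-example.test A
10.0.0.9 6f2b4d8a3c1e5970.9e3a7c1f5b2d4a8e.track.attacker-example.test TXT
10.0.0.7 static.example.net A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score near the alphabet maximum."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Last two labels (assumption; use a public-suffix list in production)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_log(text: str):
    for line in text.splitlines():
        client, qname, qtype = line.split()
        yield client, qname.lower(), qtype

def score_query(qname: str) -> dict:
    """Features of the part of the name below the registered domain."""
    labels = qname.rstrip(".").split(".")[:-2]
    return {
        "longest_label": max((len(l) for l in labels), default=0),
        "entropy": shannon_entropy("".join(labels)),
    }

def find_tunneling_candidates(text, min_unique=4, min_entropy=3.0, min_label=16):
    """Registered domains receiving >= min_unique distinct long, high-entropy
    subdomain queries. A single hashed CDN hostname stays below the bar;
    a stream of per-victim or per-probe encoded labels does not."""
    per_domain = defaultdict(set)
    for _, qname, _ in parse_log(text):
        f = score_query(qname)
        if f["longest_label"] >= min_label and f["entropy"] >= min_entropy:
            per_domain[registered_domain(qname)].add(qname)
    return {d: len(q) for d, q in per_domain.items() if len(q) >= min_unique}

if __name__ == "__main__":
    for domain, count in find_tunneling_candidates(SAMPLE_LOG).items():
        print(f"possible DNS tunneling: {domain} ({count} unique encoded subdomains)")
```

In production the same per-domain counting would run over a sliding time window, and the flagged domains would be fed to the resolver's block policy rather than just printed.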
The Vercara OSINT Report is published every week. To see the current and past OSINT reports, click here.
About Vercara.
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please visit our solutions overview page or contact us.