Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The British Library has confirmed that last month’s outages were the result of a ransomware attack that resulted in the theft of sensitive internal data. The attack occurred back in October, but at the time it was reported only as a “major technology outage”, which saw their website, phone lines, and on-site services crippled. The Rhysida ransomware gang appears to be the culprit behind this attack and is threatening to publish the stolen data if its ransom demands are not met. The gang is currently hoping for a payment of $740,000 in bitcoin, but no payment has been made by the victim yet. The contents of the stolen data are still unknown, but the British Library is advising users and employees to reset their passwords immediately.
A critical vulnerability (CVE-2023-46604) in Apache ActiveMQ is being exploited by the Kinsing malware, posing a significant threat to Linux systems. Kinsing commonly exploits vulnerable web applications to gain a foothold and then spreads across networks; Apache ActiveMQ is widely deployed on Linux-based systems, making the vulnerable versions an ideal avenue for exploitation.
A patch is available for the affected versions of ActiveMQ; we strongly urge all users of the software to apply the latest updates as soon as possible. The official update advisory for CVE-2023-46604 can be found here.
The US Department of Justice has announced that Binance, the world's largest cryptocurrency exchange, and its CEO Changpeng Zhao have pleaded guilty to multiple financial crimes.
Binance will pay $10 billion in fines and settlements for failing to register as a money services business in the US, violating the Bank Secrecy Act by neglecting anti-money laundering measures, and breaching the International Emergency Economic Powers Act by allowing US users to transact with individuals in sanctioned countries, including transferring nearly $1 billion to individuals believed to reside in Iran.
The Justice Department highlighted that Binance prioritized profits and knowingly and willfully committed these crimes, including facilitating trades to users in Syria, Russia, and Russian-controlled parts of Ukraine. The exchange aimed to gain market share and profit quickly by operating as an unlicensed exchange, knowing it would lose market share if cut off from US users.
Welltok, which provides online services for the US healthcare sector, has warned that it suffered a data breach that exposed the data of 8.5 million US patients. The breach was made possible by a vulnerability in its file transfer software, MOVEit. As in the wave of MOVEit attacks seen earlier this year, the system was actively exploited by the attackers and used to steal sensitive data.
“The following types of information may have been impacted: name and address, telephone number, email address. The type of information at issue varies for each person. For a small group of impacted clients, Social Security Numbers, Medicare/Medicaid ID Numbers, or certain Health Insurance information such as plan or group name, were also implicated. For other individuals, certain health information such as a provider name, prescription name, or treatment code may have been included.”
The U.S. Department of Health and Human Services also confirmed that 8,493,379 people were impacted by the breach, making it the second largest MOVEit-related breach recorded this year.
As part of a new bug bounty program, Microsoft will be offering up to $20,000 for the discovery of vulnerabilities in its Defender products.
“The Microsoft Defender Bounty Program invites researchers across the globe to identify vulnerabilities in Defender products and services and share them with our team,” the company says.
Participants can expect to receive between $500 and $20,000 depending on the impact and report quality, with up to $8,000 for RCE vulnerabilities and $3,000 for spoofing and tampering vulnerabilities.
A pro-Russian APT group, known as Storm-0978 or RomCom, has reportedly been using weaponized Office documents to exploit a Windows Search remote code execution vulnerability. Successful exploitation allows an attacker to bypass the Windows Mark of the Web security feature, disabling the ‘Protected View’ of Office documents. This allows a malicious .docx file to request the download of external RTF files without any restriction, which in turn lets the attacker connect the victim’s computer to an attacker-controlled SMB server. This process ultimately results in the theft of the victim’s NTLM credentials.
This attack requires the exploitation of two vulnerabilities, one security bypass and one RCE flaw (CVE-2023-36884 and CVE-2023-36584). More details on the attack, and a full list of IoCs, can be found here.
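The final step of the chain described above (an Office process reaching out to an external SMB server) is something defenders can hunt for in endpoint network telemetry. The following is an added example, not code from the original post or from any vendor: a small Python detector over constructed Sysmon-style network-connection events that flags Office processes opening SMB connections to addresses outside a set of assumed internal ranges. The log line format, the Office process list and the internal ranges are assumptions to adapt to your own environment.

```python
import ipaddress
import re

# Constructed sample events in a simplified Sysmon-style format (not real telemetry).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for "external" hosts.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE DestinationIp=203.0.113.25 DestinationPort=445",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE DestinationIp=10.0.0.5 DestinationPort=445",
    "Image=C:\\Windows\\System32\\svchost.exe DestinationIp=203.0.113.25 DestinationPort=443",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE DestinationIp=198.51.100.7 DestinationPort=80",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE DestinationIp=198.51.100.7 DestinationPort=445",
]

# Assumed list of Office binaries that should never initiate SMB sessions to the internet.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SMB_PORTS = {445, 139}

# Assumed internal address space (RFC 1918 plus loopback and link-local); adjust per environment.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

EVENT_RE = re.compile(r"Image=(?P<image>.+?) DestinationIp=(?P<ip>\S+) DestinationPort=(?P<port>\d+)")


def parse_event(line):
    """Return a dict with image, ip and port, or None if the line is not a connection event."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return {"image": m.group("image"), "ip": m.group("ip"), "port": int(m.group("port"))}


def is_external(ip_text):
    """True when the destination is outside every assumed internal range (malformed IPs are skipped)."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_RANGES)


def find_outbound_smb_from_office(lines):
    """Return (process, destination ip, port) for every Office-to-external-SMB connection."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        exe = ev["image"].rsplit("\\", 1)[-1]
        if exe.lower() in OFFICE_IMAGES and ev["port"] in SMB_PORTS and is_external(ev["ip"]):
            hits.append((exe, ev["ip"], ev["port"]))
    return hits
```

Blocking outbound TCP 445/139 at the perimeter removes the credential-leak path entirely; the detector above is for spotting attempts that would otherwise have succeeded.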
And that’s it for this week’s round-up; please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #259 – 24th November 2023
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Ironshare is a provider of Information and Cyber Security services.