This Week in Cyber 13th September 2024

Analyst Insight

This week, more information on the Transport for London (TfL) cyber-attack was disclosed, where some disruptions were later reported by TfL impacting online services and staff systems. We have also seen further attacks against the education sector where Charles Darwin School, located in the south of London had to close its doors due to a ransomware attack.

The Lazarus Group APT has been identified taking new approaches to infect users, now targeting developers seeking work with fake programming tests to infect the users device.

We also saw payment gateway provider Slim CD suffered a data breach with 1.7 million individuals affected.

Microsoft also released their monthly "Patch Tuesday" with patches for 79 CVE's including seven critical severity and four zero-day vulnerabilities.

UPDATE: Teenager Arrested in Connection with TfL Cyber Attack

An update on the Transport for London (TfL) cyber attack from last week reveals new details about the affected services and those responsible. TfL announced on Thursday that some customers' bank details may have been accessed by hackers, along with additional information on service disruptions. The following services were impacted:

Live train information, including the TfL Go app and website.
Applications for Oyster photocards.
Journey history for pay-as-you-go contactless customers.
Refunds for contactless card journeys.
Staff access to systems and email is limited.

A 17-year-old was arrested in Walsall on 5 September in connection with the attack and is currently being questioned by the National Crime Agency (NCA).

Ransomware Attack Causes London Secondary School to Send Students Home

Charles Darwin School, located in south of London recently suffered a severe ransomware attack, leading the school to close to its approximately 1300 students for the first half of this week. The ransomware attack has severely affected the school’s IT infrastructure, rendering essential systems, such as email and internet services, inaccessible.

In a letter sent to parents/carers, it states “we do not know at this point what data has been accessed however we need to state there is a potential for all information held by the school to have been accessed”. As a response, all staff devices were removed to be cleansed and students accounts disabled. The school’s data protection officer has reported the incident to the ICO (Information Commissioners Office) and is now conducting a full data impact assessment. The school will be without internet, email and access to other systems for an estimated 3 weeks, which highlights the severe impact of ransomware.

Microsoft Releases Patches for 79 CVEs Including Seven Critical and Four Zero-Day Vulnerabilities

Every second Tuesday of the month, Microsoft releases updates and patches for its software products, including Windows, Office and other applications. In this month’s Patch Tuesday, Microsoft addressed 79 CVEs, including seven critical and four zero-day vulnerabilities. According to Tenable, 38% of the vulnerabilities patched this month were elevation of privilege (EoP), followed by remote code execution (RCE) at 29.1%.

One of the critical vulnerabilities CVE-2024-43491, has a CVSS score of 9.8. This remote code execution (RCE) vulnerability affects the Microsoft Windows Update process, specifically targeting Optional Components on Windows 10, version 1507. Microsoft has identified this vulnerability as being actively exploited.

More information about this month’s Patch Tuesday can be found on Microsoft MSRC Security Update’s website.

Lazarus Group Leverages Fake Programming Tests to Target Developers

A new wave of malicious Python packages is targeting software developers through fake programming assessments. According to ReversingLabs Karlo Zanki, these packages are linked to GitHub projects attributed to previous targeted attacks, where developers were lured with fake job interviews. These activities are part of an ongoing campaign called VMConnect which first surfaced in August 2023 and is believed to be orchestrated by Lazarus Group, which has been active since 2010.

Job interviews have been utilised by Lazarus Group as an effective infection vector, particularly targeting developers. For example, within the research conducted by ReversingLabs, the threat actor is conducting technical interviews where the developer being interviewed has to “build a project in 5 minutes, find a bug and fix it in 15 minutes, rebuild and show the result in 10 minutes” as shown in a sample. Due to the sense of urgency, this will make it easier for the threat actor to deploy malicious Python packages.

1.7 Million Credit Card Holders Data Stolen in Payment Gateway Breach

Slim CD provides payment gateway systems to organisations, giving them the ability to take payments from debit/credit cards, gift cards and cheques. Their customer base is predominantly in the US and Canada.

Recently, Slim CD notified customers that their information might have been accessed by an unauthorised party between August 2023 and June 2024. Slim CD only discovered the breach in June of this year, indicating that threat actors had a foothold within the network for a long period of time. Customers have been warned that about the potential risk of identity theft and financial fraud, as the compromised data includes names, addresses, credit card numbers and expiration dates.