Weekly Cyber Reports

This Week in Cyber 16th August 2024

Latest news and views from our Cyber Analysts

Written by Team Nucleus

Written on 15th August, 2024



Analyst Insight:

This week in cyber, we see law enforcement proactively interrupting cybercriminal gangs, including the FBI disrupting the Dispossessor ransomware group’s servers and the NCA arresting one of the world’s most prolific cybercrime actors. Even when law enforcement disrupts these threat actors, others can treat the gap as an opportunity to take their place, and we see new threat actors emerge every week. Threat actors are motivated by many different factors, and any business can fall victim.

Staying proactive with the latest threat intelligence will ensure that your organisation is aware of the emerging threats within the cyber security landscape.


FBI Reveals Disruption of Radar/Dispossessor Ransomware Group

On Monday, U.S. Federal Bureau of Investigation (FBI) Cleveland announced the successful takedown of the “Radar/Dispossessor” ransomware group’s servers and domains. This included three US servers, three UK servers, 18 German servers, eight US-based criminal domains, and one German-based criminal domain.

“Since its inception in August 2023, Radar/Dispossessor has quickly developed into an internationally impactful ransomware group, targeting and attacking small-to-mid-sized businesses and organisations from the production, development, education, healthcare, financial services, and transportation sectors,” the FBI said. It is reported that 43 organisations fell victim to the Dispossessor attacks, across the UK, Europe, Central and South America, South Asia and Australia.

The group is operated by a person using the online moniker “Brain”, first seen in the cybercriminal scene in August 2023 running an operation that used data stolen by the LockBit ransomware gang in an attempt to profit from it, according to SentinelOne.


Kootenai Health Targeted By ThreeAM Ransomware Group, Stealing 464,000 Patients’ Data

Ransomware groups have targeted another organisation within the healthcare sector. Kootenai Health is a community-owned hospital in Idaho. On Monday, Kootenai revealed a data breach affecting over 464,000 patients after the ThreeAM ransomware group gained unauthorised access to Kootenai’s systems on February 22, 2024, and remained undetected until March 2, 2024.

According to BleepingComputer, the stolen data consists of a 22GB archive, available for free, allowing any cybercriminal to download the data and utilise it. “To date, Kootenai Health is not aware of any attempt to misuse any of the information potentially involved in this incident,” Kootenai Health stated.

The healthcare sector is a common target for cyber criminals, due to the need to keep operations running without disruption and the value of the data to attackers.


GitHub Vulnerability “ArtiPACKED” Allows Attackers to Take Over Repositories

Yaron Avital, a Palo Alto Networks Unit 42 researcher, recently discovered an attack vector in GitHub Actions artefacts which allows the compromise of GitHub repositories. “A combination of misconfigurations and security flaws can make artefacts leak tokens, both of third party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume,” Yaron stated.

Stealing GitHub tokens could give malicious actors unauthorised access to repositories, which could lead to poisoned source code being pushed to production. As many organisations use GitHub within their software development processes, this attack vector may become more prominent within the next year.
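One defensive check that follows from the issue described above, as an added example rather than code from the article or from Unit 42: a Python script that scans the staging directory of a build artefact before it is uploaded and fails the job if it finds credential material. The token patterns (GitHub’s ghp_/gho_/ghu_/ghs_/ghr_ and github_pat_ prefixes, plus an AWS access-key pattern) and the list of sensitive file names (.git/config, .npmrc, .netrc) are this example’s own assumptions about what typically leaks, not a list from the article; the sample artefact it writes to a temporary directory, fake tokens included, is constructed purely for the demonstration.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Patterns for credential material that commonly ends up in CI artefacts.
# The prefixes are GitHub's published token formats; the selection is this
# example's assumption, not a list taken from the article.
TOKEN_PATTERNS = {
    "github_classic": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "github_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,255}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Files that should never be packed into an artefact regardless of content:
# checkout metadata and package-manager rc files often carry credentials
# (an assumption about typical CI setups, not a claim from the article).
SENSITIVE_PATHS = (".git/config", ".npmrc", ".netrc")


def scan_artifact_dir(root: str) -> List[Dict[str, object]]:
    """Walk an artefact staging directory and return one finding per hit.

    Each finding records the relative file, the kind of match and the line
    number (0 for a sensitive-file hit, which is about the path itself).
    """
    findings: List[Dict[str, object]] = []
    root_path = Path(root)
    for path in sorted(root_path.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root_path).as_posix()
        if any(rel == s or rel.endswith("/" + s) for s in SENSITIVE_PATHS):
            findings.append({"file": rel, "kind": "sensitive_file", "line": 0})
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip it rather than crash the job
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in TOKEN_PATTERNS.items():
                if pattern.search(line):
                    findings.append({"file": rel, "kind": kind, "line": lineno})
    return findings


def artifact_is_clean(root: str) -> bool:
    """True when the staging directory contains no credential material."""
    return not scan_artifact_dir(root)


# --- constructed sample artefact for the demonstration (fake tokens, not real data) ---
SAMPLE_FILES = {
    "README.md": "# Example service\nNo secrets here.\n",
    # A deploy step that logged an Authorization header with a fake classic token.
    "build/app.log": (
        "2024-08-14T10:00:00Z build started\n"
        "2024-08-14T10:00:05Z deploy: Authorization: Bearer "
        "ghp_0123456789abcdef0123456789abcdef0123\n"
        "2024-08-14T10:00:09Z done\n"
    ),
    # Checkout metadata with a fake installation token embedded in the remote URL.
    ".git/config": (
        "[core]\n"
        "\trepositoryformatversion = 0\n"
        '[remote "origin"]\n'
        "\turl = https://x-access-token:ghs_0123456789abcdef0123456789abcdef0123"
        "@github.com/example-org/example-repo\n"
    ),
}


def build_sample_artifact(root: str) -> None:
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def run_demo() -> Dict[str, object]:
    """Build the sample artefact in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="artifact-scan-")
    build_sample_artifact(root)
    return {"root": root, "findings": scan_artifact_dir(root)}


if __name__ == "__main__":
    result = run_demo()
    for finding in result["findings"]:
        print(f"{finding['file']}:{finding['line']}: {finding['kind']}")
    raise SystemExit(0 if artifact_is_clean(result["root"]) else 1)
```

Run against the real staging path as a workflow step immediately before the upload step (for example before actions/upload-artifact); a non-zero exit blocks the upload, so a leaked token never reaches anyone with read access to the repository. Pattern matching is a last line of defence, not a substitute for keeping checkout metadata and secret-bearing files out of the artefact in the first place.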



Microsoft’s August 2024 Patch Tuesday Addresses 88 CVEs

On Tuesday, Microsoft released patches for 88 vulnerabilities: 7 rated critical, 80 rated important and 1 rated moderate. According to Tenable, 41% of the vulnerabilities were Elevation of Privilege (EoP) and 33% were Remote Code Execution (RCE) vulnerabilities. Some of the critical vulnerabilities are as follows:

CVE-2024-38206 – An authenticated attacker can bypass Server-Side Request Forgery (SSRF) protection in Microsoft Copilot Studio.

CVE-2024-38109 – An authenticated attacker can exploit a Server-Side Request Forgery (SSRF) vulnerability in Microsoft Azure Health Bot to elevate privileges.

CVE-2024-38106, CVE-2024-39133, CVE-2024-38153 – Windows Kernel Elevation of Privilege vulnerabilities.

More information can be found on Microsoft’s MSRC Security Updates website.


Critical Windows TCP/IP Remote Code Execution Vulnerability (CVE-2024-38063)

On August 13, 2024, Microsoft announced a critical-severity vulnerability affecting Windows 10, Windows 11 and Windows Server systems. Discovered by Wei at Kunlun Lab, the flaw allows “an authenticated attacker to repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution”, Microsoft stated.

Ensure that affected systems are updated with Tuesday’s patch: the vulnerability has been marked as “Critical” severity, and exploitation is considered very likely. Microsoft is proactive in patching vulnerabilities, with this Patch Tuesday addressing 88 CVEs. More information can be found on Microsoft’s MSRC Security Updates website.
