Weekly Cyber Reports

This Week in Cyber 29th November 2024

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

29th November, 2024



Analyst Insight


This week in cyber we have seen major attacks against critical services and software: a ransomware attack on a supply chain management software company that disrupted major US and UK retailers, and an NHS trust declaring a major incident after a cyberattack. Meta reported removing two million scam-centre accounts from its platforms this year. INTERPOL ran a major operation across 19 African countries that resulted in the arrest of 1,006 suspects. And finally, ESET disclosed two zero-day vulnerabilities, one in Firefox and one in Windows, that were chained in the wild to deliver the RomCom backdoor.



Authorities Arrest 1,006 Suspects in Huge Interpol Cybercrime Operation



INTERPOL, working with AFRIPOL, ran Operation Serengeti from 2 September to 31 October 2024 against cybercriminals in 19 African countries. The operation led to the arrest of 1,006 suspects and the takedown of 134,089 malicious infrastructures and networks.

Some 35,000 victims were linked to the cases, with losses of over $193 million, of which roughly $44 million was recovered. In Kenya, authorities broke up an $8.6 million online credit card fraud scheme, making nearly two dozen arrests. Senegal dismantled a $6 million Ponzi scheme and arrested eight people. Nigeria arrested a man over a $300,000 cryptocurrency scam. Cameroon disrupted a multi-level marketing scam, freeing trafficked victims and seizing $150,000. Angola dismantled a virtual casino scam, making 150 arrests and seizing 200 computers and over 100 mobile phones.

 


Two Million Scam Accounts Removed by Meta This Year



Meta is stepping up its efforts against the organised crime groups behind scam centres, with a particular focus on "pig butchering". In these scams the operator builds a trusted personal relationship with the victim, then steers them into a fraudulent investment, usually in cryptocurrency, and keeps them paying in until the money is gone. Meta says it has taken down over two million accounts linked to scam centres in Myanmar, Laos, Cambodia, the UAE and the Philippines this year alone, and that it is working with law enforcement and industry peers to disrupt these operations and protect users globally.

 


Major Supply Chain Management Company Hit by Ransomware Attack


Blue Yonder, a supply chain management software vendor whose customers include US and UK grocery chains and other Fortune 500 companies, fell victim to a ransomware attack last week. In its first customer update, posted on 22 November at 5pm, the company reported a disruption to its managed services hosted environment and said it had determined the cause to be a ransomware incident.

Major customers affected include Starbucks, which uses Blue Yonder's managed services for employee scheduling and shift tracking. Two of the UK's largest supermarkets, Sainsbury's and Morrisons, also reported impact from the attack.

 


UK Hospital Declares “Major Incident” After Cyberattack


Wirral University Teaching Hospital NHS Trust, in the North West of England, released a statement earlier this week disclosing an "ongoing incident".

After declaring a "major incident" following a cyberattack, the trust cancelled outpatient appointments for "cybersecurity reasons". At the time of writing, the type of attack has not been disclosed.

“We are working hard to rectify the issue after a major incident was declared at the Trust earlier this week following a targeted cyber security issue,” the statement explains. “The Trust continues to prioritise emergency treatment but there are likely to be longer than usual waiting times for unplanned treatment in our Emergency Department and assessment areas.”

 


ESET Discovers Firefox and Windows Zero-Days Exploited in the Wild


Researchers at ESET have disclosed two zero-day vulnerabilities, one in Mozilla products and one in Windows, that the RomCom advanced persistent threat (APT) group chained together in the wild. The Mozilla bug, CVE-2024-9680 (CVSS 9.8, Critical), affects Firefox, Thunderbird and Tor Browser. It is a use-after-free in the animation timeline component that lets an attacker-controlled web page run code inside the browser's content process. Mozilla shipped fixed releases on 9 October 2024, within a day of ESET's report.

On its own, code execution in the content process is contained by the Firefox sandbox, so RomCom chained it with CVE-2024-49039 (CVSS 8.8, High), an elevation of privilege vulnerability in the Windows Task Scheduler that lets the sandboxed low-privilege process escape and run code at the level of the logged-on user. Together the two bugs meant that a victim who merely visited an attacker-controlled page received the RomCom backdoor with no further interaction. Microsoft fixed CVE-2024-49039 in its November 2024 Patch Tuesday update (12 November 2024). The practical check is two-sided: Mozilla products need to be on a release that carries the October fix, and Windows hosts need the November cumulative update, because the browser fix alone leaves the sandbox escape usable by any other renderer bug, and the Windows fix alone leaves the unpatched browser exploitable inside the sandbox.
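The browser half of that check is easy to get wrong with a naive version comparison, because Mozilla fixed CVE-2024-9680 in three parallel branches (rapid release, ESR 128 and ESR 115), so a patched ESR install has a lower version number than the rapid-release fix. The following Python script is an added example written for this article, not ESET's or Mozilla's code: it triages a constructed software inventory against the fixed releases Mozilla published in October 2024 (131.0.2, ESR 128.3.1 and ESR 115.16.1 for Firefox; 131.0.1, 128.3.1 and 115.16.0 for Thunderbird). Those numbers are quoted from memory of the advisories and should be re-checked against Mozilla's own pages before use; hostnames and version strings in the inventory are made up, and Tor Browser is omitted because it uses its own version scheme.

```python
"""Triage Firefox/Thunderbird builds against the CVE-2024-9680 fixed releases.

Added example for this article (not ESET's or Mozilla's code). Fixed release
numbers are taken from Mozilla's October 2024 advisories; verify them before
relying on this. Tor Browser is omitted (separate version scheme).
"""
from __future__ import annotations

import re

# Fixed releases per product. Each ESR branch received its own point release,
# so a plain "version >= 131.0.2" test would wrongly flag patched ESR installs.
FIXED_RELEASES = {
    "firefox": {
        "mainline": (131, 0, 2),
        "esr": {115: (115, 16, 1), 128: (128, 3, 1)},
    },
    "thunderbird": {
        "mainline": (131, 0, 1),
        "esr": {115: (115, 16, 0), 128: (128, 3, 1)},
    },
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from strings such as
    'Mozilla Firefox 128.3.1esr' or '131.0'. A missing patch level is 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def fixed_release_for(product: str, version: tuple[int, int, int]) -> tuple[int, int, int]:
    """Pick the fixed release on the same branch as the installed build.
    Majors that are not ESR branches (including end-of-life rapid releases
    such as 130.x) are compared against the mainline fix."""
    table = FIXED_RELEASES[product.lower()]
    return table["esr"].get(version[0], table["mainline"])


def is_patched(product: str, version_text: str) -> bool:
    """True if the installed build is at or above the fix for its branch."""
    version = parse_version(version_text)
    return version >= fixed_release_for(product, version)


def triage(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Return the (host, product, version) entries still lacking the fix."""
    return [entry for entry in inventory if not is_patched(entry[1], entry[2])]


# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "Mozilla Firefox 131.0.2"),      # rapid release, fixed
    ("ws-02", "firefox", "Mozilla Firefox 131.0.1"),      # rapid release, one short
    ("ws-03", "firefox", "Mozilla Firefox 128.3.1esr"),   # ESR 128, fixed
    ("ws-04", "firefox", "Mozilla Firefox 128.3.0esr"),   # ESR 128, vulnerable
    ("ws-05", "firefox", "Mozilla Firefox 115.16.1esr"),  # ESR 115, fixed
    ("ws-06", "thunderbird", "Thunderbird 115.15.0"),     # ESR 115, vulnerable
    ("ws-07", "firefox", "Mozilla Firefox 130.0"),        # EOL rapid release, vulnerable
    ("ws-08", "firefox", "Mozilla Firefox 132.0"),        # newer than the fix
]

if __name__ == "__main__":
    for host, product, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {ver!r} lacks the CVE-2024-9680 fix")
```

Feed it the output of `firefox --version` or `thunderbird --version` collected from endpoints and it reports the hosts that still need the October 2024 update; the branch-aware comparison is the part worth keeping when adapting it to other multi-branch products.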
