June 2024 was a busy month in cybersecurity. Hackers targeted many victims, from major corporations like the New York Times to hospitals and fitness chains. Let’s dive into the Cybersecurity Monthly Updates for June 2024.

Ransomware

1. London hospitals

Victim: Synnovis

Victim sector: Healthcare

Date: 3 June 2024

The attack, detected on Monday, impacted a company called Synnovis that provides pathology services, such as blood tests for transfusions, to several healthcare organizations, according to reports and internal emails published on social media.

A Russian cyber gang is believed to be behind a ransomware attack that disrupted London hospitals and led to canceled operations and appointments, the former head of British cybersecurity said Wednesday.

Reference: https://abcnews.go.com/Health/wireStory/russian-cyber-gang-thought-ransomware-attack-hit-london-110854278

Current Report:

  1. Synnovis is working to restore services and hasn’t confirmed if they’ll pay the ransom.
  2. NHS England – London issued a statement apologizing for the inconvenience and highlighting the ongoing efforts to address the disruption.

London statement: Following publication, Synnovis chief executive Mark Dollar released a statement confirming that the business — a partnership between the company SYNLAB and two London hospital trusts — had become “the victim of a ransomware attack.”

Reference: https://www.england.nhs.uk/london/2024/06/04/nhs-london-statement-on-synnovis-ransomware-cyber-attack

2. RansomHub Ransomware

Date: June 4, 2024

RansomHub is a ransomware-as-a-service (RaaS) platform that has recently emerged, targeting systems running Windows, Linux, and ESXi.

RansomHub launched in February 2024 and has since claimed over 45 victims in 18 countries. It has code overlaps and member associations with both the ALPHV/BlackCat and Knight ransomware operations.

The ESXi version of RansomHub has a special technique to stop several instances from running simultaneously: it creates a file called /tmp/app.pid. Making changes to this file can stop the ransomware from operating, giving impacted systems a possible mitigation method.
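The paragraph above describes a single-instance guard built on a PID file, and the mitigation that falls out of it. The Python below is an added illustration, not code from the original post or from any RansomHub sample: the malware's exact check is not published here, so the guard uses conventional pidfile semantics (file holds a live PID, or content that is not a PID, means "already running, exit"; a dead PID means a stale file that is taken over). It walks through the cases a defender cares about, including a pre-seeded file, and adds a small hunt helper that reports what a pidfile on a host holds. The path `/tmp/app.pid` is only referenced in comments; the demo works in a temporary directory.

```python
"""Conventional single-instance PID-file guard and a pidfile hunt helper.

Added example. The guard's behaviour is an assumption about how a typical
pidfile check works, not a description of RansomHub's actual code.
"""
import os
import subprocess
import sys
import tempfile


def pid_is_alive(pid: int) -> bool:
    """Probe a PID with signal 0: nothing is delivered, but the kernel reports
    whether the process exists (EPERM still means it exists)."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def single_instance_guard(pidfile: str, my_pid: int) -> bool:
    """Return True if this instance may proceed, False if the pidfile says
    another instance holds it. Assumed semantics: a file naming a live
    process, or holding content that is not a PID, blocks start-up; a file
    naming a dead process is stale and gets overwritten with my_pid."""
    if os.path.exists(pidfile):
        with open(pidfile) as fh:
            raw = fh.read().strip()
        if not raw.isdigit():
            return False  # altered/unparseable pidfile: treated as held
        if pid_is_alive(int(raw)):
            return False  # another instance is running
    with open(pidfile, "w") as fh:
        fh.write(str(my_pid))
    return True


def pidfile_report(pidfile: str) -> dict:
    """Hunt helper: does the indicator file (e.g. /tmp/app.pid on an ESXi
    host) exist, what does it hold, and does that PID map to a live process?"""
    if not os.path.exists(pidfile):
        return {"exists": False, "content": None, "pid_alive": None}
    with open(pidfile) as fh:
        raw = fh.read().strip()
    alive = pid_is_alive(int(raw)) if raw.isdigit() else None
    return {"exists": True, "content": raw, "pid_alive": alive}


def run_scenarios(workdir=None) -> dict:
    """Exercise the guard against a pidfile inside workdir (a temporary
    directory by default) so the demo never touches the real /tmp/app.pid."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return run_scenarios(tmp)
    pidfile = os.path.join(workdir, "app.pid")
    results = {}

    # 1. No pidfile yet: the first instance proceeds and records its PID.
    results["fresh_start"] = single_instance_guard(pidfile, os.getpid())

    # 2. A second instance while the first (this process) is alive is refused.
    results["second_instance"] = single_instance_guard(pidfile, 999999)

    # 3. Stale file: the recorded PID belongs to a child that has already exited.
    child = subprocess.Popen([sys.executable, "-c", "pass"])
    child.wait()
    with open(pidfile, "w") as fh:
        fh.write(str(child.pid))
    results["stale_takeover"] = single_instance_guard(pidfile, os.getpid())

    # 4. Pre-seeded file: a defender writes non-PID content (constructed value),
    #    the parse fails and the guard refuses to start (assumed behaviour).
    with open(pidfile, "w") as fh:
        fh.write("held-by-defender")
    results["preseeded_junk"] = single_instance_guard(pidfile, 999999)
    results["report"] = pidfile_report(pidfile)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The two refusals (scenarios 2 and 4) are the mitigation the paragraph hints at: whatever content stops the guard from taking the file keeps the payload from starting, which is why the pidfile is worth both monitoring and, on a host you control, pre-seeding. Because the real check may parse or lock the file differently, treat `pidfile_report` as the reliable half (an unexpected `/tmp/app.pid` on an ESXi host is worth investigating) and the pre-seeding half as a hypothesis to validate against the sample you actually face.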

Symantec experts who analyzed the recently emerged ransomware operation speculate that it is a rebranded version of Knight ransomware. Knight, also known as Cyclops 2.0, appeared in the threat landscape in May 2023. The malware targets multiple platforms, including Windows, Linux, macOS, ESXi, and Android. The operators used a double extortion model for their RaaS operation.

3. Ransomware Gang Leaks Data From Australian Mining Company

Date: June 5, 2024

Victim: Northern Minerals

Attacker: BianLian ransomware gang

Date of Breach: Northern Minerals became aware of the breach in late March 2024.

Type of Data Leaked: The leaked data reportedly includes a wide variety of sensitive information:

  1. Operational details of the company
  2. Documents related to projects and mining research
  3. Financial data
  4. Personal data of employees
  5. Shareholder and investor data
  6. Email archives of key executives

As threat intelligence provider CyberKnow points out, the BianLian cybergang, which typically compromises organizations weeks or months before listing them on its leak site, is most likely financially motivated. Since the beginning of 2024, the group has listed nine mining companies on its website.

4. KADOKAWA Corporation Attack

Date of Attack: June 8th, 2024

Attacker: The BlackSuit ransomware group

KADOKAWA, a prominent Japanese media conglomerate, operates numerous companies across the film, publishing, and gaming industries, including FromSoftware, the developer of Elden Ring.

The cyberattack, which happened on June 8, disrupted KADOKAWA’s business operations. The company stated that the cyberattack was the cause of the outages it had first reported approximately three weeks earlier, when it said that “multiple websites of the KADOKAWA Group are currently experiencing service outages.”

Reference: https://izoologic.com/region/central-asia/blacksuit-ransomware-attack-on-kadokawa-poses-data-leak-risk/

Impact:

  1. The attack disrupted operations across Kadokawa and its subsidiaries, including the popular Japanese video-sharing platform Niconico.
  2. BlackSuit encrypted interconnected networks, potentially impacting various services.

Current Status: As of June 30th, 2024, Kadokawa is still working on solutions and hasn’t confirmed if they paid the ransom or the extent of the data breach.

5. CDK Global outage caused by BlackSuit ransomware attack

Victim: CDK Global

Date of Attack: June 18th, 2024

The BlackSuit ransomware gang is behind CDK Global’s massive IT outage and disruption to car dealerships across North America, according to multiple sources familiar with the matter.

Impact: The attack forced CDK to shut down its data centers and IT systems, significantly disrupting car dealerships across North America. These dealerships rely on CDK’s platform for crucial operations like sales, financing, inventory management, service, and back-office tasks.

Negotiations: Reports suggested CDK was negotiating with BlackSuit to obtain a decryptor for their systems and prevent potential data leaks. Two of the largest public car dealership companies, Penske Automotive Group and Sonic Automotive, disclosed yesterday that they, too, were impacted by the outages. CDK continues to provide updates as they strive to resolve the situation promptly.

6. Keytronic Black Basta ransomware

Date: June 18, 2024

Keytronic fell victim to the Black Basta ransomware group in June 2024, resulting in a data breach. Here’s a timeline of the events:

  1. May 6, 2024: Keytronic detects unauthorized access to their systems, likely by Black Basta.
  2. Mid-May 2024: Black Basta claims to have stolen a significant amount of data (around 530GB) from Keytronic, including:
    • Human Resources documents
    • Financial information
    • Potentially employee and even home user personal information (exact details unclear)
    Black Basta then leaks this data on its dark web leak site.
  3. June 19, 2024: Keytronic officially confirms the data breach after the Black Basta leak.

Keytronic has confirmed a data breach after a ransomware group leaked personal information allegedly stolen from its systems. The company did not provide any information on the ransomware operation that hit its network; however, the Black Basta ransomware group leaked over 500 gigabytes of data allegedly stolen from the company and claims to have stolen ≈530 GB in total, including HR, finance and engineering documents, corporate data, and home users’ data.

Reference: https://securityaffairs.com/164642/data-breach/keytronic-blackbasta-ransomware.html

7. Ratel RAT targets outdated Android phones in ransomware attacks

Date: June 22, 2024

Ratel RAT, short for Remote Access Trojan – Ratel, is a malicious program targeting outdated Android devices.

An open-source Android malware named ‘Ratel RAT’ is widely deployed by multiple cybercriminals to attack outdated devices, some aiming to lock them down with a ransomware module that demands payment on Telegram.

Ratel RAT is spread via various means, but threat actors are typically seen abusing known brands like Instagram, WhatsApp, e-commerce platforms, or antivirus apps to trick people into downloading malicious APKs.

The most important of the RAT’s commands, based on their potential impact, are:

  1. ransomware: Starts the process of file encryption on the device.
  2. wipe: Deletes all files under the specified path.
  3. LockTheScreen: Locks the device screen, rendering the device unusable.
  4. sms_oku: Leaks all SMS (and 2FA codes) to the command and control (C2) server.
  5. location_tracker: Leaks live device location to the C2 server.

Reference: https://www.bleepingcomputer.com/news/security/ratel-rat-targets-outdated-android-phones-in-ransomware-attacks/

APT Groups

APT29, also known by various aliases, is a highly sophisticated cyber threat group believed to be affiliated with the Russian Foreign Intelligence Service (SVR). They’ve been active since at least 2008 and have a history of targeting high-profile organizations.

Date: June 30, 2024

Attack target: TeamViewer’s corporate IT network, not the product environment or customer data.

Attack method: Likely compromised credentials of a standard TeamViewer employee account.

TeamViewer discovered that a threat actor had breached its corporate network, and some reports attribute the intrusion to the Russia-linked APT group APT29 (aka SVR group, BlueBravo, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes).

APT29 aimed to steal internal data, and according to TeamViewer, the attackers were able to copy employee directory information, including names, contact details, and encrypted employee passwords for the internal IT environment.

Reference: https://securityaffairs.com/165025/hacking/russia-linked-group-apt29-teamviewer.html

Vulnerabilities

CVE | Published Date | Base Score | Description
CVE-2024-37273 | 06/04/2024 | 9.8 (Critical) | An arbitrary file upload vulnerability in the /v1/app/appendFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-27174 | 06/14/2024 | 9.8 (Critical) | A Remote Command program allows an attacker to achieve Remote Code Execution. This vulnerability is exploited in combination with other vulnerabilities and is difficult to exploit alone, so the CVSS score for this vulnerability on its own is lower than the listed Base Score. For details on the related vulnerabilities, refer to the vendor’s contact point.
CVE-2024-38902 | 06/24/2024 | 9.8 (Critical) | H3C Magic R230 V100R002 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.
CVE-2024-6323 | 06/26/2024 | 7.5 (High) | Improper authorization in global search in GitLab EE, affecting all versions from 16.11 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1, allows an attacker to leak the content of a private repository in a public project.
CVE-2024-4885 | 06/25/2024 | 9.8 (Critical) | In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability exists in Progress WhatsUp Gold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip method allows the execution of commands with iisapppool\nmconsole privileges.
CVE-2024-30080 | 06/11/2024 | 9.8 (Critical) | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability.
CVE-2024-30103 | 06/11/2024 | 8.8 (High) | Microsoft Outlook Remote Code Execution Vulnerability.
CVE-2024-30078 | 06/11/2024 | 8.8 (High) | Windows Wi-Fi Driver Remote Code Execution Vulnerability.
CVE-2024-37166 | 06/10/2024 | 8.9 (High) | ghtml is software that uses tagged templates for template engine functionality. It is possible to introduce user-controlled JavaScript code and trigger a Cross-Site Scripting (XSS) vulnerability in some cases. Version 2.0.0 introduces changes to mitigate this issue.
CVE-2024-33560 | 06/04/2024 | 9.0 (Critical) | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in 8theme XStore allows PHP Local File Inclusion. This issue affects XStore: from n/a through 9.3.8.
CVE-2024-36673 | 06/07/2024 | 9.8 (Critical) | Sourcecodester Pharmacy/Medical Store Point of Sale System 1.0 is vulnerable to SQL Injection via login.php. This vulnerability stems from inadequate validation of user inputs for the email and password parameters, allowing attackers to inject malicious SQL queries.
CVE-2024-5805 | 06/25/2024 | 9.8 (Critical) | Improper Authentication vulnerability in Progress MOVEit Gateway (SFTP modules) allows Authentication Bypass. This issue affects MOVEit Gateway: 2024.0.0.
CVE-2024-0397 | 06/27/2024 | 9.8 (Critical) | The race condition can be triggered if the affected SSLContext methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.
CVE-2023-38389 | 06/21/2024 | 9.8 (Critical) | Incorrect Authorization vulnerability in Artbees JupiterX Core allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JupiterX Core: from n/a through 3.3.8.
CVE-2024-1228 | 06/10/2024 | 9.3 (Critical) | The use of hard-coded passwords to the patients’ database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Eurosoft Przychodnia installations. This issue affects Eurosoft Przychodnia software before version 20240417.001 (from that version the vulnerability is fixed).
CVE-2024-1839 | 06/26/2024 | 10.0 (Critical) | The Intrado 911 Emergency Gateway login form is vulnerable to an unauthenticated blind time-based SQL injection, which may allow an unauthenticated remote attacker to execute malicious code, exfiltrate data, or manipulate the database.
CVE-2024-0949 | 06/27/2024 | 9.8 (Critical) | A vulnerability in Talya Informatics’ Elektraweb software, impacting versions before 17.0.68.
CVE-2024-2012 | 06/11/2024 | 9.1 (Critical) | A vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway that, if exploited, an attacker could use to execute unintended commands or code on the UNEM server, allowing sensitive data to be read or modified or causing other unintended behavior.
CVE-2024-31611 | 06/10/2024 | 9.1 (Critical) | SeaCMS 12.9 has a file deletion vulnerability via admin_template.php.
CVE-2024-33836 | 06/19/2024 | 9.8 (Critical) | A vulnerability in the JA Marketplace module (jamarketplace) for PrestaShop, versions up to 9.0.1, allows a guest user to upload files with the extension “.php”.
CVE-2024-35677 | 06/10/2024 | 9.8 (Critical) | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in StylemixThemes MegaMenu allows PHP Local File Inclusion. This issue affects MegaMenu: from n/a through 2.3.12.
CVE-2024-6028 | 06/25/2024 | 9.8 (Critical) | The Quiz Maker plugin for WordPress is vulnerable to time-based SQL Injection via the ‘ays_questions’ parameter in all versions up to, and including, 6.5.8.3 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation on the existing SQL query.
CVE-2024-34551 | 06/04/2024 | 9.8 (Critical) | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Select-Themes Stockholm allows PHP Local File Inclusion. This issue affects Stockholm: from n/a through 9.6.
CVE-2024-5153 | 06/06/2024 | 9.1 (Critical) | The Startklar Elementor Addons plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.15 via the ‘dropzone_hash’ parameter.