Versa Networks Fixes Critical Zero-Day Vulnerability in Director Platform
Versa Networks has addressed a critical zero-day vulnerability in its Director platform, exploited in active attacks. The flaw, identified as CVE-2024-39717, involves an unrestricted file upload vulnerability in the platform’s “Change Favicon” feature, enabling attackers with certain administrative privileges to upload malicious files disguised as harmless PNG images. This vulnerability poses a significant risk, especially to organizations that have not followed Versa’s system hardening and firewall guidelines, available since 2017 and 2015, respectively. The vulnerability has already been exploited by at least one Advanced Persistent Threat (APT) actor. Versa has urged customers to update their software to the latest version and implement necessary security measures to mitigate potential risks. The Cybersecurity and Infrastructure Security Agency (CISA) has also flagged this vulnerability, requiring federal agencies to secure their systems by September 13 to prevent further exploitation.
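The defect described above is an upload path that trusts the client's filename and claimed image type. The check below is an added illustration, not Versa's code and not taken from the advisory: it accepts a favicon only if the bytes are a well-formed PNG (correct signature, CRC-valid chunks from a strict allowlist, sane dimensions, nothing after IEND), and then stores it under a server-chosen name rather than the uploaded one. The size and dimension limits and the chunk allowlist are assumptions chosen for a favicon, and the sample PNG is constructed inline.

```python
import hashlib
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Strict allowlist for a favicon; an assumed policy, not a PNG-spec requirement.
ALLOWED_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"sRGB"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed sample input: an RGBA PNG filled with opaque black."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00\xff" * width for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def validate_favicon(data: bytes, max_bytes: int = 64 * 1024, max_dim: int = 256):
    """Return (ok, reason). Structural validation of the bytes, ignoring any
    client-supplied filename or Content-Type."""
    if len(data) > max_bytes:
        return False, "too large"
    if not data.startswith(PNG_SIGNATURE):
        return False, "not a PNG signature"
    pos, first, seen_iend = 8, True, False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return False, "truncated chunk"
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            return False, "bad CRC in chunk " + ctype.decode("latin-1")
        if ctype not in ALLOWED_CHUNKS:
            return False, "chunk type not allowed: " + ctype.decode("latin-1")
        if first:
            if ctype != b"IHDR" or length != 13:
                return False, "first chunk is not IHDR"
            w, h = struct.unpack(">II", body[:8])
            if not (0 < w <= max_dim and 0 < h <= max_dim):
                return False, "unreasonable dimensions"
            first = False
        pos = end
        if ctype == b"IEND":
            seen_iend = True
            break
    if not seen_iend:
        return False, "missing IEND"
    if pos != len(data):
        return False, "trailing data after IEND"  # catches appended payloads
    return True, "ok"


def favicon_storage_name(data: bytes) -> str:
    """Server-chosen name derived from content; the client's name is never used."""
    ok, reason = validate_favicon(data)
    if not ok:
        raise ValueError(reason)
    return hashlib.sha256(data).hexdigest()[:16] + ".png"


if __name__ == "__main__":
    print(validate_favicon(build_minimal_png()))
    print(validate_favicon(build_minimal_png() + b"trailing-bytes"))
    print(favicon_storage_name(build_minimal_png(16, 16)))
```

Content validation is one layer only: a structurally valid PNG can still carry arbitrary bytes inside an allowed chunk, so the upload directory should also be non-executable, served with a fixed image Content-Type, and written by a process with no more privilege than it needs.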
Patelco Notifies 726,000 Customers of RansomHub Data Breach
Patelco Credit Union has alerted over 726,000 customers of a significant data breach following an attack carried out by the RansomHub ransomware gang. The breach, which occurred on June 29, 2024, forced Patelco to shut down its customer-facing banking systems for two weeks to contain the incident. While initially uncertain if any data had been compromised, an investigation confirmed that the attackers accessed sensitive customer information, including full names, Social Security numbers, driver’s license numbers, dates of birth, and email addresses. On August 15, 2024, the RansomHub group claimed responsibility by publishing the stolen data on their dark web extortion portal after failed negotiations with Patelco. In response, Patelco is offering affected customers two years of free identity protection and credit monitoring services, urging them to remain vigilant against potential phishing and social engineering scams.
US Marshals Service Denies Breach Claims by Hunters International Ransomware Group
The U.S. Marshals Service (USMS) has refuted claims made by the Hunters International ransomware gang, who recently listed the agency as a victim on their dark web leak site. According to a USMS spokesperson, the agency has reviewed the materials posted online, which appear to be from a previous incident rather than a new breach. The ransomware group has yet to release the allegedly stolen documents but has shared thumbnail images as supposed evidence.
The data Hunters International claims to possess matches files that were offered for sale in March 2023 on a Russian-speaking hacking forum. These files allegedly include sensitive information such as copies of passports, military base aerial footage, and details on wiretapping and surveillance activities. It’s unclear whether the ransomware group acquired this data from the original seller or is attempting to resell it. The USMS had previously acknowledged a ransomware attack in February 2023, impacting a stand-alone system containing sensitive law enforcement information.
BlackSuit Ransomware Breach Exposes Data of 950,000 from Software Vendor
Young Consulting, now rebranded as Connexure, has begun notifying 954,177 individuals of a significant data breach resulting from a BlackSuit ransomware attack on April 10, 2024. The Atlanta-based software solutions provider, specializing in the employer stop-loss insurance market, discovered the breach three days after the attackers encrypted its systems. Following a thorough investigation, completed on June 28, it was revealed that sensitive information—including full names, Social Security numbers, dates of birth, and insurance claim details—had been compromised.
In response, the company is offering a 12-month complimentary credit monitoring service through Cyberscout to those affected, with enrollment available until November 2024. However, the urgency for affected individuals is heightened as BlackSuit has already leaked the stolen data on its darknet extortion portal, potentially exposing them to further risks such as phishing and scams. BlackSuit, identified as a rebrand of the notorious Royal ransomware, has made substantial ransom demands over the past two years, causing significant financial damage to numerous organizations.
Iranian Hackers Collaborate with Ransomware Gangs to Extort U.S. Organizations
An Iranian hacking group known as Pioneer Kitten is breaching U.S. organizations in sectors like defense, education, finance, and healthcare, collaborating with ransomware gangs to extort victims. Active since 2017 and linked to the Iranian government, Pioneer Kitten monetizes access to compromised networks by selling domain admin credentials on cybercrime marketplaces.
According to a joint advisory from CISA, the FBI, and the Defense Department, Pioneer Kitten has recently worked with ransomware affiliates like NoEscape, Ransomhouse, and ALPHV (BlackCat) to execute encryption operations and strategize extortion, often concealing their Iranian origin. The group is known for exploiting critical vulnerabilities in security devices and has also been involved in selling access on underground forums, aligning with Iran’s geopolitical interests.
U.S. Offers $2.5 Million Reward for Hacker Linked to Angler Exploit Kit
The U.S. Department of State and the Secret Service have announced a $2.5 million reward for information leading to the arrest or conviction of Belarusian national Volodymyr Kadariya. The 38-year-old is wanted for his role in various cybercrime activities, including managing malvertising operations for the notorious Angler Exploit Kit between October 2013 and March 2022.
Kadariya, known online by aliases such as “Stalin” and “Eseb,” was indicted for wire and computer fraud in June 2023, with the indictment unsealed in August 2024. He is connected to global-scale malware distribution operations and worked alongside Maksim Silnikau, who is currently facing multiple charges in the United States. The Angler Exploit Kit was notorious for exploiting outdated software to deliver malware, with Kadariya playing a key role in its distribution through malicious advertising. His current whereabouts are unknown, and the reward remains active.
FBI: RansomHub Ransomware Breached 210 Victims Since February
Since its emergence in February 2024, the RansomHub ransomware-as-a-service (RaaS) operation has compromised over 210 victims across various critical U.S. infrastructure sectors. This RaaS group primarily focuses on data-theft-based extortion, threatening to leak stolen files if ransoms are not paid and selling the data to the highest bidder if negotiations fail. RansomHub affiliates have been linked to breaches of high-profile organizations, including Patelco Credit Union, Rite Aid, Christie’s, Frontier Communications, and Halliburton.
RansomHub, which evolved from earlier iterations known as Cyclops and Knight, has gained traction by attracting affiliates from other prominent ransomware variants such as LockBit and ALPHV. The FBI, CISA, MS-ISAC, and HHS have issued a joint advisory urging organizations to bolster their defenses by patching vulnerabilities, using strong passwords, and enabling multifactor authentication. The agencies also caution against paying ransoms, as doing so could encourage further criminal activity and does not guarantee data recovery.
Halliburton Cyberattack Linked to RansomHub Ransomware Gang
The RansomHub ransomware gang is behind the recent cyberattack on oil services giant Halliburton, disrupting the company’s IT systems and operations. This ransomware-as-a-service (RaaS) operation, active since February 2024, focuses on double-extortion tactics, stealing data and threatening to leak it if ransoms aren’t paid. Halliburton acknowledged the attack in an SEC filing but has provided limited details.
RansomHub is believed to be a rebrand of the Knight ransomware, with connections to former BlackCat/ALPHV affiliates. The FBI recently issued an advisory on RansomHub, highlighting its involvement in over 210 breaches since its launch. This gang has targeted numerous high-profile organizations, escalating their attacks by leveraging expertise from the BlackCat ransomware operation.
Researcher Sued for Sharing Data Stolen by Rhysida Ransomware with Media
The City of Columbus, Ohio, has filed a lawsuit against security researcher David Leroy Ross, known as Connor Goodwolf, for allegedly downloading and disseminating data stolen during a Rhysida ransomware attack. The City suffered the attack on July 18, 2024, with Rhysida later claiming to have stolen 6.5 TB of sensitive data, including police and prosecutor records.
After Rhysida leaked 45% of the stolen data, Goodwolf shared information with the media, contradicting the City’s claim that the data was unusable. The lawsuit accuses Goodwolf of illegally spreading sensitive information, which includes personal data of crime victims and police officers. The City seeks to prevent further dissemination and is pursuing damages over $25,000.
North Korean Hackers Exploit Chrome Zero-Day to Deploy Rootkit
North Korean hackers, attributed to the threat group Citrine Sleet, have exploited a recently patched Google Chrome zero-day (CVE-2024-7971) to deploy the FudModule rootkit. This attack, which targeted the cryptocurrency sector, allowed the hackers to gain SYSTEM privileges by leveraging a Windows Kernel exploit.
Citrine Sleet, also known as AppleJeus and UNC4736, has a history of targeting financial institutions, especially in the cryptocurrency space. The attackers used a type confusion vulnerability in Chrome’s V8 JavaScript engine to gain remote code execution, followed by a Windows Kernel exploit to escalate privileges. The deployed rootkit enabled the hackers to manipulate kernel objects and bypass security mechanisms.
This attack is part of a broader campaign by North Korean state-sponsored actors, who have been targeting cryptocurrency organizations using various advanced techniques, including trojanized software and supply chain attacks.
Cicada3301 Ransomware’s Linux Encryptor Targets VMware ESXi Systems
The newly emerged ransomware-as-a-service (RaaS) operation, Cicada3301, has already claimed 19 victims worldwide, primarily targeting VMware ESXi systems with its Linux encryptor. This group follows a double-extortion strategy, where they breach networks, steal data, and encrypt files using ransomware, pressuring victims to pay by threatening to leak the stolen information.
Notably, Cicada3301 ransomware encrypts files using the ChaCha20 algorithm and appends a random seven-character extension to the file names, similar to the tactics used by the infamous BlackCat/ALPHV ransomware. Victims receive a ransom note named ‘RECOVER-[extension]-DATA.txt,’ warning them of the data leak if the ransom isn’t paid. Cicada3301’s encryptor is capable of shutting down VMware ESXi virtual machines and deleting snapshots before encryption, ensuring maximum disruption and impact on enterprise environments.
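The two on-disk artifacts named above, a seven-character random extension and a note called ‘RECOVER-[extension]-DATA.txt’, can be correlated by a responder walking a recovered datastore. The scanner below is an added example written for this page, not tooling from any vendor or from the referenced research. It assumes the extension is alphanumeric and that the tag in the note filename equals the extension appended to encrypted files (neither detail is stated above), uses a constructed allowlist of legitimate seven-letter extensions to cut false positives, and builds its sample directory tree inline.

```python
import os
import re
import tempfile
from collections import Counter

# Assumed character set for the random extension and the note's tag.
NOTE_RE = re.compile(r"^RECOVER-([A-Za-z0-9]{7})-DATA\.txt$")
RANDOM_EXT_RE = re.compile(r"^[A-Za-z0-9]{7}$")
# Constructed allowlist: ordinary seven-character extensions that would otherwise match.
BENIGN_EXTS = {"torrent", "geojson", "numbers", "sqlite3", "parquet"}
MIN_FILES_PER_EXT = 2  # one odd file is noise; a cluster is a signal


def scan_tree(root: str) -> dict:
    """Walk root, collect ransom notes and clusters of files sharing an
    unusual 7-character extension, then cross-check the two."""
    notes = []
    ext_counts = Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                notes.append((os.path.join(dirpath, name), m.group(1)))
                continue
            base, dot, ext = name.rpartition(".")
            if dot and base and RANDOM_EXT_RE.match(ext) and ext.lower() not in BENIGN_EXTS:
                ext_counts[ext] += 1
    suspect = {e: c for e, c in ext_counts.items() if c >= MIN_FILES_PER_EXT}
    note_tags = {tag for _, tag in notes}
    # An extension that also appears as a note tag is the strongest indicator.
    confirmed = {e for e in suspect if e in note_tags}
    return {"notes": notes, "suspect_extensions": suspect, "confirmed": confirmed}


def build_sample_tree() -> str:
    """Constructed sample: two renamed documents, one note, two benign files."""
    root = tempfile.mkdtemp(prefix="ext_scan_demo_")
    sample = {
        "finance/report.docx.Ab3xK9q": b"\x00" * 32,
        "finance/budget.xlsx.Ab3xK9q": b"\x00" * 32,
        "finance/RECOVER-Ab3xK9q-DATA.txt": b"constructed note text\n",
        "media/movie.torrent": b"d8:announce",
        "readme.txt": b"hello\n",
    }
    for rel, content in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print("notes:", result["notes"])
    print("suspect extensions:", result["suspect_extensions"])
    print("confirmed by note tag:", result["confirmed"])
```

Run it against a mounted copy of the affected datastore rather than the live host, and treat a confirmed extension as scoping input for the incident (which shares and guests were touched) rather than as proof of a particular family; the note name is a filename pattern that any operator could copy.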
This ransomware group’s rapid success and sophisticated operations suggest connections to experienced actors, possibly linked to the former ALPHV group. Cicada3301’s focus on ESXi environments and the use of randomized file extensions underscore its intent to maximize damage, making it a significant threat in the cybersecurity landscape.
Conclusion
The recent surge in cyberattacks, ranging from zero-day exploits to ransomware incidents, highlights the critical need for organizations to fortify their cybersecurity defenses. The increasing collaboration between nation-state actors and ransomware gangs further complicates the threat landscape, making it imperative to stay ahead of these evolving threats.
As specialists in ransomware recovery and cybersecurity, we provide comprehensive services including Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services. If your organization needs expert assistance in recovering from a ransomware attack or strengthening its security posture, don’t hesitate to contact us today.