Columbus Ransomware Incident Update
In July 2024, the City of Columbus, Ohio faced a significant ransomware attack that compromised the personal and financial information of approximately 500,000 individuals. The attack on Ohio’s capital, which boasts a population of over 905,000, led to widespread disruptions in city services and inter-agency IT communications. Initially, city officials assured that no systems were encrypted; however, the Rhysida ransomware gang later claimed responsibility, stating they had exfiltrated 6.5 terabytes of data, including sensitive employee and infrastructure information.
Despite efforts to contain the situation, the gang began leaking 45% of the data on a dark web portal after its extortion attempts failed. Columbus Mayor Andrew Ginther downplayed the severity of the leak, a position contradicted by security expert David Ross, who demonstrated that the leaked data was neither encrypted nor corrupted as had been claimed. The city subsequently took legal action against Ross and announced free credit monitoring services for affected residents, while urging them to stay vigilant for signs of identity theft.
New Phishing Campaign Installs Backdoored Linux VMs on Windows Devices
A newly identified phishing operation, dubbed “CRON#TRAP,” introduces a novel tactic: deploying a Linux virtual machine (VM) with a pre-installed backdoor on Windows systems. Unlike typical ransomware gang attacks that manually install virtual environments after breaching networks, this campaign automates the process via phishing emails.
The emails lure victims with a fake “OneAmerica survey” and deliver a 285MB ZIP file containing a Windows shortcut that launches a hidden QEMU-based Linux VM. Once running, the custom Linux VM, named “PivotBox,” gives the attackers persistent access to the corporate network through a backdoor built on the Chisel network tunneling tool, which carries stealthy communication with command-and-control servers.
Because QEMU is a legitimate, digitally signed application, its presence does not by itself trigger security alerts, allowing the attackers to conduct surveillance, file management, and data exfiltration unnoticed. As ransomware gangs increasingly explore such tactics, organizations are urged to monitor for QEMU activity, restrict virtualization tools, and enforce BIOS-level virtualization controls to thwart similar threats.
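The "monitor for QEMU activity" advice above can be turned into a concrete endpoint detection. The following Python is an added example, not code from the original article or from any vendor: it scores Sysmon-style process-creation events for the traits the campaign description implies (a QEMU binary, possibly renamed, running from a user-writable path, headless, launched from a shortcut/shell chain). The allow-listed install directory and the sample events are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Where a sanctioned QEMU install would live (assumption: adjust to your estate).
# Anything outside these directories is treated as user-writable, e.g. an extracted ZIP.
ALLOWED_QEMU_DIRS = ("c:\\program files\\qemu\\",)
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "explorer.exe"}

@dataclass
class ProcEvent:
    """The Sysmon Event ID 1 (process creation) fields this detector reasons about."""
    image: str               # full path of the launched executable
    original_file_name: str  # PE OriginalFileName; survives renaming the file on disk
    command_line: str
    parent_image: str

def qemu_indicators(ev: ProcEvent) -> list[str]:
    """Return the CRON#TRAP-style indicators present in one process-creation event."""
    img, orig, cmd = ev.image.lower(), ev.original_file_name.lower(), ev.command_line.lower()
    if "qemu-system" not in img and "qemu-system" not in orig:
        return []  # not QEMU at all
    hits = ["qemu-binary"]
    if "qemu-system" not in img:
        hits.append("renamed-qemu")        # real QEMU hiding behind an innocuous file name
    if not img.startswith(ALLOWED_QEMU_DIRS):
        hits.append("unsanctioned-path")   # launched from a user-writable location
    if re.search(r"-display\s+none|-nographic", cmd):
        hits.append("headless")            # no VM window for the user to notice
    if ev.parent_image.lower().rsplit("\\", 1)[-1] in SCRIPT_PARENTS:
        hits.append("script-parent")       # a .lnk / batch chain rather than a VM front-end
    return hits

def scan(events, threshold=3):
    """Alert on events with at least `threshold` indicators. A GUI VM started from the
    sanctioned install scores only 2 (binary + explorer parent), so it stays quiet."""
    alerts = []
    for ev in events:
        hits = qemu_indicators(ev)
        if len(hits) >= threshold:
            alerts.append((ev.image, hits))
    return alerts

# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\survey\vmhost.exe", "qemu-system-x86_64.exe",
              r"vmhost.exe -m 256 -hda pivotbox.qcow2 -display none -netdev user,id=n0",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Program Files\qemu\qemu-system-x86_64.exe", "qemu-system-x86_64.exe",
              r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 4096 -hda lab.qcow2',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE", "notepad.exe notes.txt",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {', '.join(hits)}")
```

Checking OriginalFileName rather than the on-disk name is what makes the rule survive a renamed QEMU binary; pair it with an application-control policy that blocks QEMU outside the sanctioned path.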
Schneider Electric’s Developer Platform Compromised in Major Data Breach
Schneider Electric recently experienced a significant cybersecurity breach, with attackers accessing a developer platform within an isolated environment. The intrusion involved unauthorized access to Schneider Electric’s project execution tracking system, reportedly exploiting exposed credentials. Once inside, the hackers, identified as the “Hellcat” ransomware group, allegedly used a REST API to collect 400,000 rows of user data, including 75,000 unique email addresses and full names linked to employees and customers. Schneider Electric’s incident response team has been mobilized to investigate and contain the breach. While the company assures that its core products and services remain secure, the extent of compromised project and user information highlights the seriousness of the incident. The Hellcat group is demanding $125,000 to prevent further data exposure, signaling a shift to extortion tactics following a recent rebranding from the “International Contract Agency”.
Google Patches Actively Exploited Android Vulnerabilities in Latest Update
Google’s November security update resolves two actively exploited Android zero-day vulnerabilities, CVE-2024-43047 and CVE-2024-43093, alongside 49 other security flaws. These zero-day exploits were utilized in targeted attacks, prompting swift action to mitigate potential risks. CVE-2024-43047, a use-after-free vulnerability in Qualcomm components, allows privilege escalation and was initially reported by Qualcomm in October. Meanwhile, CVE-2024-43093 impacts the Android Framework and Google Play system updates, affecting the Documents UI. While Google has not disclosed specifics about these exploits, they may have been leveraged in spyware operations.
The updates address vulnerabilities in Android versions 12 to 15, with two patch levels released: November 1 for core Android issues and November 5 for additional vendor-specific fixes. Users of older Android versions, no longer supported officially, are advised to upgrade their devices or seek third-party distributions to ensure protection against zero-day threats. Regular updates remain crucial for safeguarding against such exploits.
Cisco Fixes Critical Command Injection Vulnerability in Industrial Access Points
Cisco has patched a critical zero-day vulnerability, CVE-2024-20418, in its Unified Industrial Wireless Software affecting Ultra-Reliable Wireless Backhaul (URWB) access points. This flaw, caused by improper input validation in the web-based management interface, allows unauthenticated attackers to execute arbitrary commands with root privileges by sending crafted HTTP requests. The vulnerability impacts Catalyst IW9165D and IW9165E Rugged Access Points and Catalyst IW9167E models when running vulnerable software in URWB mode.
While there is no evidence of active exploitation or publicly available exploit code, the possibility of brute-force attacks against exposed management interfaces remains a concern; Cisco has previously faced brute-force attacks targeting its VPN devices, which underlines the need to address command injection vulnerabilities promptly. Admins can verify whether a device is running in URWB mode by checking whether the “show mpls-config” command is available. Applying the update promptly is essential to protecting these devices from exploitation, whether through brute-force or other attack vectors.
Unpatched Mazda Connect Vulnerabilities Enable Persistent Malware and DDoS Risks
Multiple unpatched vulnerabilities in Mazda Connect infotainment systems, found in models like the Mazda 3 (2014–2021), expose vehicles to potential malware installation and security breaches. These flaws, including SQL injection and command injection vulnerabilities, allow attackers to execute arbitrary code with root privileges, raising concerns about vehicle safety and network integrity.
Among the issues, CVE-2024-8355 is a SQL injection flaw that can be triggered by spoofing an Apple device, allowing an attacker to manipulate databases or execute malicious code. Similarly, the command injection flaws (CVE-2024-8359, CVE-2024-8360, CVE-2024-8358) let attackers inject OS commands via file paths, compromising the system. The lack of a root of trust (CVE-2024-8357) and the acceptance of unsigned code (CVE-2024-8356) further enable persistent malware and unauthorized firmware installation.
While these vulnerabilities require physical access, scenarios like valet parking or service visits present opportunities for exploitation. Successful attacks could lead to database manipulation, persistent malware, DDoS threats, or even control over critical vehicle systems like brakes and engines.
Veeam Vulnerability Exploited in Akira, Fog, and Frag Ransomware Attacks
A critical remote code execution (RCE) vulnerability in Veeam Backup & Replication (VBR), tracked as CVE-2024-40711, has been exploited by multiple ransomware groups, including Akira ransomware, Fog ransomware, and the newly emerged Frag ransomware. This flaw, caused by a deserialization weakness, allows unauthenticated attackers to execute arbitrary code on unpatched Veeam VBR servers, providing an entry point for ransomware deployment.
Even though security researchers and vendors delayed disclosing details of the flaw, ransomware operators like Akira and Fog exploited it quickly, often in combination with stolen VPN credentials. They used this access to create rogue administrator accounts, gaining full control of compromised systems. Frag ransomware has since followed a similar strategy, using CVE-2024-40711 to breach networks and deploy malicious payloads.
Ransomware gangs, including Akira, Fog, and Frag, increasingly target unpatched vulnerabilities in widely used solutions like Veeam. Their operations often involve exploiting misconfigurations and employing stealthy Living Off The Land binaries (LOLBins), complicating detection and mitigation efforts.
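The rogue-administrator step described above leaves a recognisable trace in the Windows Security log: an account is created (event 4720) and moments later added to the local Administrators group (event 4732). The Python below is an added example, not code from the original article or from Veeam; it correlates those two events within a short window and raises the severity when the creating identity is a backup service account (the account names, times and the "service account" list are constructed assumptions).

```python
from datetime import datetime

# Constructed Security-log events (not real telemetry), already normalised the way a
# SIEM would present them: 4720 = user account created, 4732 = member added to a
# security-enabled local group. Real 4732 events carry a MemberSid that must be
# resolved to a name first; that step is assumed done here.
SAMPLE_EVENTS = [
    {"time": "2024-10-13T02:14:07", "id": 4720, "subject": "CORP\\svc_veeam", "target": "rogueadm"},
    {"time": "2024-10-13T02:14:09", "id": 4732, "subject": "CORP\\svc_veeam",
     "group": "Administrators", "member": "rogueadm"},
    {"time": "2024-10-13T09:30:00", "id": 4720, "subject": "CORP\\helpdesk1", "target": "jdoe"},
    {"time": "2024-10-14T11:00:00", "id": 4732, "subject": "CORP\\helpdesk1",
     "group": "Remote Desktop Users", "member": "jdoe"},
    {"time": "2024-10-13T02:20:00", "id": 4732, "subject": "CORP\\admin.ops",
     "group": "Administrators", "member": "mmartin"},
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def find_rogue_admins(events, window_seconds=900, service_accounts=()):
    """Return one alert per account that was created and then added to the local
    Administrators group within `window_seconds`.
    Each alert is (member, creating_subject, seconds_between, severity)."""
    svc = {s.lower() for s in service_accounts}
    created = {e["target"].lower(): e for e in events if e["id"] == 4720}
    alerts = []
    for e in sorted(events, key=_ts):
        if e["id"] != 4732 or e["group"].lower() != "administrators":
            continue
        c = created.get(e["member"].lower())
        if c is None:
            continue  # pre-existing account promoted: a different, lower-confidence signal
        delta = (_ts(e) - _ts(c)).total_seconds()
        if 0 <= delta <= window_seconds:
            # The backup server's own identity creating an admin is the pattern the
            # Veeam intrusions show: a service account doing what only a human should.
            severity = "high" if c["subject"].lower() in svc else "medium"
            alerts.append((e["member"], c["subject"], int(delta), severity))
    return alerts

if __name__ == "__main__":
    for member, subject, secs, sev in find_rogue_admins(
            SAMPLE_EVENTS, service_accounts=("CORP\\svc_veeam",)):
        print(f"[{sev}] {subject} created {member} and made it admin after {secs}s")
```

Tune the window and the service-account list to your environment; a legitimate helpdesk workflow that creates and promotes an account in the same minute will also match, which is why the service-account dimension carries the severity.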
Conclusion
The threat landscape is evolving rapidly, with diverse and sophisticated cyber-attacks such as ransomware, data breaches, and critical vulnerabilities across different platforms. It is imperative for organizations to stay ahead by adopting proactive security measures and maintaining rigorous incident response strategies.
As specialists in ransomware recovery and cybersecurity, we offer comprehensive services tailored to your needs, including Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services. If your organization requires expert assistance in recovering from a ransomware attack or enhancing its cybersecurity defenses, do not hesitate to contact us.