SonicWall Firewalls Targeted in Ransomware Exploits
Ransomware groups are actively exploiting a critical vulnerability in SonicWall SonicOS firewalls, identified as CVE-2024-40766. This flaw, initially believed to affect only management access interfaces, also compromises SSLVPN features, exposing networks to attacks. SonicWall issued a patch on August 22, urging users to secure Gen 5, Gen 6, and Gen 7 devices. Despite these efforts, cybercriminals—particularly Akira ransomware affiliates—have begun leveraging this weakness to breach organizations. Investigations reveal that compromised devices often lack multi-factor authentication (MFA) and are not integrated with centralized authentication services like Microsoft Active Directory. Federal agencies have been directed by CISA to patch these vulnerabilities by September 30, 2024. Experts advise users to restrict access to trusted sources, disable unnecessary internet access, and enable MFA to prevent unauthorized entry. SonicWall’s vast global customer base makes these exploits a significant concern across multiple sectors.
NoName Gang Deploying RansomHub and ScRansom in Recent Attacks
The NoName ransomware gang, tracked as CosmicBeetle by cybersecurity researchers, has been active for over three years, targeting small and medium-sized businesses with various ransomware strains. Recently, NoName has been linked to deploying the RansomHub malware, along with its previously used ScRansom variant, which replaced the Scarab encryptor. ScRansom, part of the Spacecolon malware family, is a Delphi-based file encryptor that supports versatile encryption methods, including a destructive “ERASE” mode. Despite being less sophisticated than other ransomware families, it remains a growing threat.
NoName has also experimented with LockBit 3.0’s leaked ransomware builder, replicating its data leak site and ransom notes. In recent attacks, NoName has been seen using RansomHub’s EDR killer for privilege escalation, further signaling its potential affiliation with the RansomHub ransomware group. The group’s evolving tactics, including the switching between ScRansom and LockBit variants, show its ongoing attempts to establish a reputation among ransomware operators.
Arrests in Singapore Linked to Global Cybercrime Syndicate
Singaporean authorities have arrested six Chinese nationals and one Singaporean for their involvement in malicious cyber activities connected to a global cybercrime syndicate. During coordinated raids, 160 officers seized electronic devices containing hacking tools, stolen personal data, and credentials for servers controlled by known hacker groups.
Among the arrested were key individuals with ties to sophisticated cybercrime tools such as the PlugX malware, a backdoor remote access trojan often associated with Chinese state-sponsored groups like APT10, APT41, and Mustang Panda. Authorities also confiscated over $1.3 million in cash and cryptocurrency.
Although specific ties to any Chinese advanced threat actor were not disclosed, the arrested individuals were equipped with resources and tools typically used in cyber espionage campaigns. The Singaporean police continue to investigate the full scope of the syndicate’s operations.
Transport for London Confirms Customer Data Breach After Cyberattack
Transport for London (TfL) has confirmed that a cyberattack on September 1 has resulted in the theft of customer data, including names, contact details, and home addresses. Initially, TfL reassured the public that no evidence of data compromise had been found. However, recent investigations revealed that hackers accessed sensitive information, including Oyster card refund data and bank account details of around 5,000 customers.
Though no ransomware gang has yet claimed responsibility for the attack, the possibility of a ransomware group being involved remains a concern. TfL continues to face system outages, impacting services such as contactless payment refunds and Oyster card applications. Affected customers are being notified via personalized emails.
Mitigation measures are in place, but some services remain unavailable. Customers are advised to track fares, as refunds may be possible once the incident is resolved. The cyberattack highlights the increasing threat posed by ransomware gangs targeting critical infrastructure systems.
Hackers Exploiting SQL Injection Flaws in WhatsUp Gold
Hackers have been actively exploiting two critical SQL injection vulnerabilities in the WhatsUp Gold network monitoring solution, tracked as CVE-2024-6670 and CVE-2024-6671, since August 30, 2024. These vulnerabilities allow attackers to retrieve encrypted passwords without authentication, posing a severe security risk. Despite the vendor, Progress Software, releasing patches on August 16, many organizations have not yet updated their systems, providing hackers with an opportunity to launch attacks.
The flaws were initially discovered by security researcher Sina Kheirkhah, who published proof-of-concept (PoC) exploit code on August 30. Kheirkhah’s technical write-up details how improper sanitization of user inputs can be leveraged to exploit SQL injection, enabling attackers to manipulate administrator accounts. Trend Micro reported that these vulnerabilities are being actively exploited, with attackers using PowerShell scripts and deploying various remote access tools (RATs) to gain persistence.
The ongoing exploitation highlights the risks posed by unpatched SQL injection vulnerabilities and the importance of timely security updates.
RansomHub Claims Cyberattack on Kawasaki, Threatens Data Leak
Kawasaki Motors Europe is recovering from a cyberattack allegedly carried out by the RansomHub ransomware gang, which now threatens to leak 487 GB of stolen data. The attack targeted Kawasaki’s EU headquarters in early September, causing temporary service disruptions. Kawasaki responded by isolating servers and collaborating with external cybersecurity experts to cleanse systems of any suspicious material.
RansomHub, which claimed responsibility for the attack on September 5, operates as a ransomware-as-a-service (RaaS) platform, a model popularized by groups like BlackCat/ALPHV before its shutdown. Many affiliates of BlackCat have reportedly moved to RansomHub, contributing to its rapid rise in successful attacks. The gang has set a timer to expire tomorrow, threatening to release the stolen data if their demands are not met.
RansomHub’s increasing prominence follows its involvement in over 210 attacks on critical U.S. infrastructure sectors, a trend recognized in a joint advisory by the FBI, CISA, and HHS. The attack on Kawasaki further highlights the growing threat posed by ransomware-as-a-service operations.
TfL Requires In-Person Password Resets for 30,000 Employees After Cyberattack
Transport for London (TfL) has mandated in-person password resets for its 30,000 employees following a cybersecurity breach disclosed earlier this month. Staff must attend appointments at designated TfL locations to verify their identities and reset their passwords. This approach is similar to measures taken by DICK’S Sporting Goods after a cyberattack in August, where employees’ identities were manually validated before system access was restored.
The TfL cyberattack, while not disrupting London’s transportation services, impacted internal systems, causing outages and delays in processing refunds and responding to customer requests. More concerningly, TfL confirmed that customer and employee directory data, including names, email addresses, and job titles, was compromised. However, there is no evidence that sensitive data such as banking details or home addresses was stolen.
This incident follows a May 2023 data breach, where the Clop ransomware gang stole data from approximately 13,000 TfL customers. Clop remains a significant threat, frequently targeting organizations with large-scale data theft campaigns.
The UK’s National Crime Agency recently arrested a 17-year-old suspect linked to the TfL attack, who may also be involved in the MGM Resorts ransomware attack attributed to the BlackCat and Scattered Spider hacking groups. TfL continues to reassure the public of the safety of its network while taking steps to secure both employee and customer data.
Windows Vulnerability Exploited in Zero-Day Attacks by Void Banshee APT
Microsoft has confirmed that the recently patched Windows MSHTML vulnerability, tracked as CVE-2024-43461, was exploited in zero-day attacks before being fixed. Initially unmarked as exploited, the flaw was later tied to attacks by the Void Banshee APT group, known for targeting organizations across North America, Europe, and Southeast Asia. This group leveraged the vulnerability to install information-stealing malware, particularly the Atlantida info-stealer.
The CVE-2024-43461 zero-day, discovered by Peter Girnus from Trend Micro’s Zero Day Initiative (ZDI), allowed attackers to disguise malicious HTA files by padding their names with encoded Braille whitespace characters, so that victims believed they were opening a PDF. This technique, combined with another zero-day, CVE-2024-38112, created a sophisticated attack chain that bypassed security features like Mark of the Web.
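As an added illustration of the filename trick described above (example code written for this post, not part of the original article or of any vendor tooling), the following inspector flags names in which a decoy extension such as .pdf is followed by a run of Braille blank characters (U+2800) or other invisible characters and then a script-capable extension such as .hta. The extension list and the sample names are constructed assumptions for the example.

```python
# Added example: detect filenames that hide their real extension behind
# a decoy extension plus a run of invisible padding characters, the lure
# technique associated with CVE-2024-43461 as described in the article.
import unicodedata

BRAILLE_BLANK = "\u2800"

# Script-capable extensions that a decoy extension should never precede
# (assumed list for this example; extend as your environment requires).
DANGEROUS_EXT = {".hta", ".js", ".vbs", ".exe", ".scr", ".lnk", ".cmd", ".bat", ".ps1"}


def _is_deceptive_blank(ch: str) -> bool:
    """True for characters that render blank or invisible but are not a plain space.

    U+2800 has Unicode category So, so it must be special-cased; the rest
    are non-ASCII space separators (Zs) and format characters (Cf) such as
    zero-width spaces and bidi overrides.
    """
    if ch == BRAILLE_BLANK:
        return True
    return unicodedata.category(ch) in ("Zs", "Cf") and ch != " "


def inspect_filename(name: str) -> dict:
    """Return what the file really is and whether its name looks disguised."""
    blanks = sum(1 for ch in name if _is_deceptive_blank(ch))
    # Remove the padding to recover the extension the OS will actually honour.
    cleaned = "".join(ch for ch in name if not _is_deceptive_blank(ch))
    parts = cleaned.lower().split(".")
    real_ext = "." + parts[-1] if len(parts) > 1 else ""
    decoy_ext = "." + parts[-2] if len(parts) > 2 else ""
    # Flag a script-capable real extension that is either padded out of view
    # or preceded by a second, decoy extension (e.g. "Report.pdf.hta").
    suspicious = real_ext in DANGEROUS_EXT and (blanks > 0 or decoy_ext != "")
    return {
        "cleaned_name": cleaned,
        "real_extension": real_ext,
        "decoy_extension": decoy_ext,
        "blank_padding": blanks,
        "suspicious": suspicious,
    }


# Constructed sample names; the first mimics the lure described in the article.
SAMPLES = [
    "Report.pdf" + BRAILLE_BLANK * 26 + ".hta",
    "Report.pdf",
    "setup.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = inspect_filename(sample)
        print(f"{verdict['cleaned_name']!r:20} suspicious={verdict['suspicious']} "
              f"padding={verdict['blank_padding']}")
```

The same check can be run over download logs or mail-gateway attachment names to surface lures that a file dialog would display as an ordinary PDF.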
These vulnerabilities were part of a broader campaign of zero-day attacks by Void Banshee, emphasizing the growing threat posed by undiscovered flaws. Microsoft’s September 2024 Patch Tuesday addressed several actively exploited zero-days, further highlighting the importance of timely patching to prevent such sophisticated attacks.
FBI Warns Public to Disregard False Claims of Hacked Voter Data
The FBI and CISA have issued a public warning regarding disinformation campaigns falsely claiming that U.S. voter registration data has been compromised in cyberattacks. According to the agencies, malicious actors are spreading these claims to manipulate public opinion and erode confidence in U.S. democratic institutions. These disinformation campaigns often misuse publicly available voter registration data as “evidence” of alleged hacks.
The agencies emphasize that voter registration data can be accessed from official sources and does not indicate a breach of election infrastructure. The FBI and CISA reiterate that there is no current evidence of any cyberattack, including distributed denial-of-service (DDoS) attacks, affecting U.S. elections. While DDoS attacks may temporarily disrupt some election-related services, they have no impact on the voting process or the integrity of election results.
Citizens are urged to be cautious of misleading claims and to rely on official state and local election websites for accurate information.
Conclusion
In conclusion, the cyber landscape continues to be rife with threats, from ransomware exploits to sophisticated SQL injection attacks and phishing campaigns. With each new vulnerability, businesses face increased risks to their data and operations, making proactive cybersecurity measures more critical than ever.
As experts in ransomware recovery and cybersecurity, we offer specialized services such as Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services. If your organization requires assistance in recovering from a ransomware attack or needs help strengthening its defenses, contact us today.