Weekly Cyber News Roundup

January 8th to January 12th 2024

Content

01. News Bites
  • Ukraine hackers strike Moscow based internet provider in retaliation for Kyivstar attack
  • Warnings issued over Apache OFBiz Authentication Bypass Vulnerability
  • Decryptor for Babuk ransomware variant released
  • Lockbit claims responsibility for November’s Capital Health attack
02. Conclusion

Quick News Bites

Ukraine hackers strike Moscow based internet provider in retaliation for Kyivstar attack

Hackers associated with Ukraine's intelligence agency have penetrated the systems of a Moscow-based internet provider, M9 Telecom, in response to a Russian cyber assault on Ukraine's largest mobile operator, Kyivstar. The group, known as "Blackjack" and linked to Ukraine's Security Service (SBU), reportedly erased 20 terabytes of data from M9 Telecom, disrupting internet services in parts of Moscow. This act was described as a precursor to a more significant cyber operation intended as "serious revenge for Kyivstar." The exact timing of the attack remains unclear.

M9 Telecom's response to inquiries about the incident was not available, and its website remained operational despite the hackers' claims of its destruction. The CEO of M9 Telecom, Andrey Pavolvsky, declined to comment when contacted.

Meanwhile, Kyivstar suffered a major disruption last month, attributed to Russian espionage activities. Ukrainian cyber spy chief Illia Vitiuk revealed that Russian hackers had infiltrated Kyivstar's network for months, resulting in substantial damage. Additionally, Ukraine’s military intelligence disclosed receiving sensitive Russian military information from the Special Technology Centre (STC), a Russian entity sanctioned for supplying drones and intelligence tools to Moscow.

Warnings issued over Apache OFBiz Authentication Bypass Vulnerability

Apache OFBiz, an open-source Enterprise Resource Planning (ERP) system, recently faced two critical security vulnerabilities, identified as CVE-2023-49070 and CVE-2023-51467. Both carry a CVSSv3 Base Score of 9.8, placing them in the critical severity band.

CVE-2023-49070, discovered in versions prior to 18.12.9, was initially addressed on December 4, 2023. The vulnerability stemmed from an obsolete XML-RPC component still present in Apache OFBiz 18.12.09, which allowed pre-authentication Remote Code Execution (RCE). The patch removed the XMLRPC endpoint and the OFBiz XMLRPC library, but it did not resolve the underlying authentication bypass: attackers could still bypass authentication, which in turn enabled Server-Side Request Forgery (SSRF).

CVE-2023-51467 then emerged, affecting versions prior to 18.12.10. A second patch, released on December 26, 2023, aimed to fully address the authentication bypass left unresolved by the first fix.

Both vulnerabilities are critically severe, enabling unauthenticated attackers to execute code remotely, potentially leading to full server control, data theft, service disruptions, or malware deployment.

Users are urged to upgrade to Apache OFBiz version 18.12.11 or newer immediately, as these versions contain necessary patches and fixes for these vulnerabilities.
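The bulletin above gives three version thresholds (CVE-2023-49070 fixed from 18.12.9, CVE-2023-51467 fixed from 18.12.10, and 18.12.11 as the recommended minimum). The following script is an added example, not part of the original bulletin or the Apache OFBiz project, that turns those thresholds into an inventory triage check: it normalises OFBiz version strings (so that 18.12.09, as written in the Apache advisory, and 18.12.9 compare equal, and a build suffix is ignored) and reports which CVEs apply to each host. The hostnames and versions in the sample inventory are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Thresholds as stated in the bulletin: the first version in which each issue
# is fixed, plus the minimum version the bulletin recommends running.
FIXED_IN: Dict[str, Tuple[int, ...]] = {
    "CVE-2023-49070": (18, 12, 9),
    "CVE-2023-51467": (18, 12, 10),
}
RECOMMENDED_MINIMUM: Tuple[int, ...] = (18, 12, 11)

# Leading numeric dotted part of a version string; anything after it
# (e.g. "-SNAPSHOT", "-rc1") is treated as a build suffix and ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '18.12.09' or '18.12.9-SNAPSHOT' into a comparable tuple (18, 12, 9).

    Leading zeros are dropped by int(), so 18.12.09 and 18.12.9 compare equal.
    Short versions such as '18.12' are padded to three components.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def applicable_cves(version: str) -> List[str]:
    """CVEs from the bulletin that still apply to the given OFBiz version."""
    v = parse_version(version)
    return [cve for cve, fixed in FIXED_IN.items() if v < fixed]


def assess(version: str) -> Dict[str, object]:
    """Per-host verdict: normalised version, outstanding CVEs, and whether the
    host is below the bulletin's recommended minimum even if no CVE applies."""
    v = parse_version(version)
    return {
        "version": ".".join(str(p) for p in v),
        "cves": applicable_cves(version),
        "below_recommended": v < RECOMMENDED_MINIMUM,
    }


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: Dict[str, str] = {
    "erp-prod-01.example.internal": "18.12.08",
    "erp-prod-02.example.internal": "18.12.09",
    "erp-stage-01.example.internal": "18.12.10",
    "erp-dev-01.example.internal": "18.12.11-SNAPSHOT",
    "erp-legacy-01.example.internal": "17.12.07",
}


def triage(inventory: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Assess every host; hosts with unparsable versions are reported, not skipped."""
    results: Dict[str, Dict[str, object]] = {}
    for host, version in inventory.items():
        try:
            results[host] = assess(version)
        except ValueError as exc:
            results[host] = {"version": version, "error": str(exc)}
    return results


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:32} {verdict}")
```

Hosts that report an empty CVE list but `below_recommended` set to True (18.12.10 in the sample) are the ones the bulletin's upgrade advice is aimed at: they are past both disclosed fixes yet still below the version the vendor is asking users to run.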

Decryptor for Babuk ransomware variant released

Cyber security researchers, in collaboration with the Dutch police, made a significant breakthrough in combating the Tortilla variant of Babuk ransomware. The collaboration led to the acquisition of a decryption tool and the arrest of the ransomware's operator in Amsterdam.

Tortilla, a variant that surfaced after the Babuk malware's source code leaked online, has been exploiting Microsoft Exchange servers using the ProxyShell vulnerabilities. Unlike the original Babuk, for which researchers had already developed a decryptor, Tortilla used a unique private key, rendering the existing tool ineffective.

The decisive moment came when researchers, in partnership with Dutch authorities, obtained a decryptor directly from the ransomware operator, the tool intended for victims who had paid the ransom. It contained a single key pair used across all attacks. Cisco Talos shared this key, allowing the Babuk decryptor to be updated to include the Tortilla decryption key alongside the existing fourteen ECDH-25519 keys from the 2021 leak.

This development has broader implications in the fight against ransomware. Since December 2021, several operations utilizing the Babuk code, such as Rook, Night Sky, Pandora, Nokoyawa, Cheerscrypt, AstraLocker 2.0, ESCiArgs, Rorschach, RTM Locker, and the RA Group, have emerged. Cisco Talos emphasizes that Tortilla is not an isolated case and that the battle against ransomware operations is ongoing.

Victims of the Babuk variant can now access Avast's updated generic decryption tool for free, offering relief and a way to recover encrypted data without succumbing to ransom demands.

Lockbit claims responsibility for November’s Capital Health attack

The LockBit ransomware group has claimed responsibility for the November 2023 cyberattack on US-based Capital Health, a major healthcare provider in New Jersey and Pennsylvania. The attack led to significant IT disruptions, with Capital Health confirming an IT systems outage last November. Although operations have since resumed with enhanced security measures, the investigation into potential data theft continues.

LockBit listed Capital Health on its data leak site, threatening to publish seven terabytes of stolen medical data if its ransom demands are not met. Notably, LockBit states that it avoided encrypting files so as not to disrupt patient care, opting for data theft instead.

Despite general ransomware policies against targeting healthcare providers, LockBit has been implicated in similar attacks on healthcare institutions, including SickKids and hospitals in Germany and New York.

These incidents highlight the threat ransomware poses to healthcare: data breaches and financial strain can follow even when there is no direct operational disruption.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.

Need advice?

If you are worried about any of the threats outlined in this roundup or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or fill in the form for a complimentary no-commitment consultation.

More detailed threat intelligence news?

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.

Cyber Security Conference

STOCKHOLM | 17 October 2023

Integrity360's flagship conference Security First comes to Stockholm in 2023!

Join leading cybersecurity experts from across the community as we explore the latest threats and industry trends, and learn practical strategies to safeguard your organisation.