Microsoft releases fixes for 132 security vulnerabilities including exploited zero-days
Australian and New Zealand Critical Infrastructure services impacted by cyber attack
Trinidad and Tobago government agency disrupted by cyberattack
University of West Scotland impacted by cyber incident
Microsoft issued fixes for 132 security vulnerabilities, including six zero-days actively exploited, on Tuesday. Among these, nine are deemed critical, 122 important, and one minor. This follows the patching of eight issues in its Chromium-based Edge browser last month.
Actively exploited flaws include:
Attackers have targeted North American and European defence and government entities, exploiting CVE-2023-36884 with bogus Microsoft Office documents themed around the Ukrainian World Congress. The culprits are believed to be the Russian cybercriminal group Storm-0978, also known as RomCom, Tropical Scorpius, UNC2596, and Void Rabisu, which is connected to the deployment of Underground ransomware and Industrial Spy ransomware.
The recent campaigns have involved phishing attacks, deploying a remote access trojan called RomCom RAT against Ukrainian and pro-Ukrainian targets. Microsoft aims to secure its customers, possibly through an out-of-band update or its monthly release process. It advises users to use an attack surface reduction (ASR) rule in the absence of a patch for CVE-2023-36884.
The tech giant has also revoked certificates exploited by attackers to install malicious drivers via a Windows policy loophole. This shows an increase in the use of rogue kernel-mode drivers by threat actors to evade detection.
If you need assistance with patching and your overall cyber security get in touch with us regarding our Threat & Vulnerability Management service.
Critical infrastructure services provider Ventia reported a cyberattack over the weekend, leading to certain systems being taken offline as a precaution. Ventia offers long-term management and maintenance services for critical infrastructure entities across defence, electricity, gas, environmental services, and water sectors. The firm operates over 400 sites in Australia and New Zealand with a workforce exceeding 35,000.
Ventia confirmed it had isolated some key systems in reaction to the cyberattack. The company is currently working with external experts and law enforcement to investigate the incident. Ventia's primary concerns during this process are ensuring the safety of its people, customers, and stakeholders.
Ventia stated that its operations were continuing under careful network monitoring for any irregular activity. The company anticipates a return to normal operations within the next few days. While specific details about the incident haven't been revealed, file-encrypting ransomware may have been involved, as system isolation is a common response strategy. Ventia has yet to disclose whether any data was compromised during the cyberattack.
The Trinidad and Tobago Ministry of Legal Affairs (AGLA) is managing the fallout from a recent cyberattack, disrupting their operations. With a population of 1.4 million, the island nation revealed last Friday that the Ministry of Digital Transformation had detected a cyberattack targeting the AGLA.
The specific date of the attack is unknown, but AGLA has reported outages and service disruptions from June 30 onwards, with electronic court documents served after that date going unread. The ministry admitted that the breach has significantly affected its operations and associated divisions.
Following initial threat minimisation actions, an ongoing investigation in conjunction with cyber security experts commenced. Some services were temporarily unavailable due to the cyberattack.
AGLA did not comment on when full services might resume. Government lawyers have reported being unable to access critical documents and emails for upcoming trials. Trinidad and Tobago's Cyber Security Incident Response Team (TT-CSIRT) issued an advisory, urging organisations to prepare against rising ransomware attacks.
Recent months have seen numerous cyberattacks on government agencies and infrastructure in island nations worldwide, including Martinique, Guadeloupe, Vanuatu, and Tonga. Trinidad also fell victim to an attack on its largest supermarket chain last year.
The University of the West of Scotland (UWS) was dealing with a cyber incident that caused their website to be offline for several days. The university is working with the National Cyber Security Centre, Police Scotland, and the Scottish Government to manage the situation.
Despite the disruption, the university reassured that the upcoming graduations would proceed as planned. Police Scotland confirmed that an investigation is underway.
The National Cyber Security Centre provided support to UWS during the incident. The university, which has campuses in Paisley, Ayr, Dumfries, Blantyre, and London, is making steady progress towards resolution through a controlled process in consultation with external support.. The university continues to take all necessary precautions to restore its digital systems.
The fanfiction platform Archive of Our Own (AO3) has recovered from a series of distributed-denial-of-service (DDoS) attacks that had the website offline for over a day. The company confirmed via its Twitter account that the DDoS caused its servers to crash.
AO3 declared it was back online on Tuesday, though it acknowledged further optimisation work was necessary for their newly implemented Cloudflare setup. Despite minor loading delays, the site was accessible.
A group purporting to be Anonymous Sudan took credit for the attack, demanding a ransom to halt the operation. Yet, AO3 reassured users that such attacks don't compromise personal data, eliminating the need for password changes.
AO3 cautioned users to view the group's claims sceptically, citing cybersecurity experts who question the group's affiliations and motives. Although the group threatened a sustained attack and demanded a Bitcoin ransom equivalent to $30k, AO3, a volunteer-run platform reliant on user donations, is unlikely to afford such a ransom, even if the threat proves legitimate.
Cybercriminals stole over $20 million from fintech firm Revolut, exploiting a software loophole within its US payment system.
According to a report by the Financial Times (FT), the cyber security breach persisted undetected for several months in 2022. The issue is yet to be publicly addressed by Revolut.
According to the FT's sources, the software flaw caused communication issues between Revolut's European and US payment systems. Transactions declined were mistakenly reimbursed by the bank rather than from the account holder's funds, a loophole unscrupulously leveraged by cybercriminals to steal about $23 million.
Although the refund issue was flagged intermittently in 2021, organised criminals purposefully made hefty purchases they knew would be declined in 2022, then withdrew the wrongly refunded sums via ATMs.
When Revolut's US partner bank noticed dwindling funds, the company was alerted and the software vulnerability was rectified in spring 2022. Despite some stolen money being recovered, the company endured an overall loss of approximately $20 million. This incident highlights how cyberattacks, can often lurk undiscovered for extended periods of time.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
Join us in Dublin or London for the Security First 2022 conference. We'll be bringing together industry professionals and specialist experts to discuss the latest cyber security trends and offer actionable advice on preparing your business to put security first in 2022.