More MOVEit victims revealed including Ofcom, Transport for London and Health Service Ireland
Swiss Government hit by a series of cyber attacks
New Phishing campaign discovered targeting Twitter and Discord
Russian hackers were behind Gloucester Council cyber attack
Fortinet releases Critical RCE Vulnerability fix in Fortigate SSL-VPN Devices, Urges Immediate Patching
Fortinet, has released an urgent firmware update for its Fortigate product line. This update aims to rectify a previously undisclosed, critically severe pre-authentication remote execution vulnerability found in all SSL VPN appliances. Identified as CVE-2023-27997, this weakness takes the form of a heap-based buffer overflow issue within FortiOS and FortiProxy SSL-VPN. Alarmingly, it could permit unauthenticated attackers to accomplish remote code execution (RCE).
A malicious actor exploiting this flaw could meddle via the VPN, even if Multi-Factor Authentication (MFA) is activated, illustrating the potential risk. The discovery of this severe vulnerability occurred during a comprehensive code audit of the SSL-VPN module. The audit followed a series of recent assaults against government entities, wherein the CVE-2022-42475 FortiOS SSL-VPN zero-day was exploited.
Promptly responding to the threat, Fortinet rolled out security fixes on Friday, June 9th, in the firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5 of FortiOS.
As of June 12th, approximately 210,700 Fortigate devices with the SSL VPN component were found exposed to the public internet, predominantly in the United States, underlining the urgency of the situation and the importance of this firmware update.
More victims of the MOVEit supply chain attack have been revealed with the UK media regulator Ofcom, Transport for London and Health Service Ireland being the most high profile this week.
The Russian-based Clop Ransomware group, notorious for its cyber assaults since it first came onto the scene back in February 2019 has threatened the affected companies that if they did not comply with their demands by June 14, 2023, they will release the stolen data.
Clop asserted in its message to victims that any individual associated with local or national government or law enforcement agencies were not the target of this threat. Speaking directly to these people, the cybercriminals assured them that they needn't be concerned. They further stated, “we've deleted your data; no need for any interaction from your side. We have no intent to disclose such details”. However, the credibility of this proclamation remains a point of debate.
Victims are encouraged not to pay any ransom demands as there is no guarantee that the hackers will not use the data for secondary attacks and any money paid only encourages more attacks in future.
On Monday, a significant cyber-attack resulted in disabling a number of Swiss federal agencies' and state-affiliated corporations' websites with the Swiss finance ministry confirming that a cyber-attack had taken place.
The Swiss authorities revealed that in-house security specialists had promptly detected the cyber intrusion. Not only did they identify the threat swiftly, but they were also promptly "implementing corrective actions to reinstate access to the websites and software applications at the earliest."
The attack was identified as a Distributed Denial-of-Service (DDoS) attack, and was claimed by the group known as NoName. This threat group, renowned for its pro-Russian stance, specialises in launching such cyber-attacks. Their main targets traditionally include organisations based in Ukraine and throughout Europe.
Interestingly, this wasn't the first time NoName had claimed responsibility for a similar attack in Switzerland. A few days earlier, on June 7-8, the group had claimed to launch a corresponding attack against the Swiss Parliament, indicating that the alpine nation is in their sights.
Cyber security experts have identified a new phishing scheme aimed at compromising Twitter and Discord accounts in order to pilfer cryptocurrency.
Security researchers spotted the activities of a hacker collective known as Pink Drainer. The group has reportedly stolen more than $3 million from over 2000 victims, among which include notable figures like OpenAI CTO Mira Murati.
The manipulation tactics employed by the scammers see them impersonate journalists from reputed platforms like Decrypto and Cointelegraph in an attempt to establish trust with their targets.
According to the researchers the scam often takes between one and three days, culminating in a KYC authentication which incorporates Discord-related phishing in the last step. For instance, they manipulate Discord administrators into opening a malicious Carl verification bot and guiding them to add bookmarks containing harmful code.
This code is engineered to steal the victim's Discord token, giving the hackers access to the user's account. They then proceed to remove other administrators, make themselves the new admin, and engage in "violations" that result in Discord blocking the account.
So far the Pink Drainer collective has successfully scammed 2307 victims and pilfered nearly $3.3 million, including $300,000 from a single individual.
The trend of targeting Discord accounts is on the rise amongst hackers. Last year, cyber researchers unearthed malicious npm packages created to steal Discord tokens and card information.
The Russian linked Conti ransomware gang have been confirmed as the orchestrators of the attack that disrupted Gloucester City Council's IT services in 2021.
Post-investigation, the council stated that while resident information might have been compromised, there's no evidence of it being published online.
Although reports linked the attack to Russian hackers, this is the first official confirmation. The council worked with the National Crime Agency, National Cyber Security Centre, and informed the Information Commissioner's Office to mitigate further risks.
Local councils are often targets for hackers due to the significant amount of sensitive data they hold, such as personal, financial, and property information, coupled with typically lower cyber security measures compared to larger organisations.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
Join us in Dublin or London for the Security First 2022 conference. We'll be bringing together industry professionals and specialist experts to discuss the latest cyber security trends and offer actionable advice on preparing your business to put security first in 2022.