Welcome to our weekly cyber news roundup, where we bring you the latest and most important updates from the world of cyber security.
Top of FormAccording to Microsoft a cybercriminal linked with FIN11 and TA505, notorious for circulating Cl0p ransomware, has been exploiting recently patched PaperCut flaws since mid-April.
These vulnerabilities, impacting the PaperCut MF/NG print management system and tagged as CVE-2023-27350, allow bypassing of authentication and enable remote code execution (RCE) with System privileges.
Updates for PaperCut MF and NG versions 20.1.7, 21.2.11, and 22.0.9, released in March 2023, addressed these flaws and a high-risk bug, CVE-2023–27351, leading to potential data leaks.
Last week, PaperCut alerted that CVE-2023-27350 was being used in malicious activities and urgently advised users to update their systems.
Subsequently, a cyber security firm identified numerous hosts vulnerable to the flaw, noticing that threat actors were installing remote management and maintenance (RMM) tools for continued access.
Microsoft, confirming the observations, noted that the threat actor, known as Lace Tempest (or DEV-0950), linked to both FIN11 and TA505 groups, has been exploiting the PaperCut flaws for the past two weeks.
"Lace Tempest, a Cl0p ransomware affiliate, incorporated PaperCut exploits into their attacks as early as April 13," Microsoft stated.
Huntress also warned that more threat actors are now exploiting the PaperCut vulnerabilities, including attacks that install cryptocurrency miners on infiltrated systems.
Following the cyber-attack in March, data purportedly from Capita started appearing on the dark web, including residential addresses and passport images.
As a result the UK Pensions Regulator has prompted trustees managing funds under Capita's administration to evaluate potential risks to their clients' data.
The letter urged funds to "assess if their scheme's data is at risk" and to verify their communication status with the company.
A representative for the Pensions Regulator stated: "We regard IT security and the threat of cyber-attacks with utmost seriousness." Capita's systems manage the pensions of over four million savers for about 450 organisations, which include Royal Mail and Axa.
Capita disclosed that only a small fraction of its computer servers were breached during the cyber intrusion. The company further confirmed in a statement that it has maintained regular contact with relevant authorities since the attack and will continue to update them as the investigation unfolds.
The National Smallbore Rifle Association (NSRA) has alerted its members about the potential risk of subsequent fraud and cybercrime following a breach of its IT systems.
Currently, the association is liaising with the UK's South East Regional Organised Cybercrime Unit (SEROCU) in response to the incident, which it disclosed last Friday.
"Our IT systems are fully functional, no funds have been lost, and we will fully brief our members upon the conclusion of the police inquiry. We can affirm that this breach has not compromised the membership portal, which remains secure," the NSRA noted in a statement.
"This breach targeted legacy servers that store working documents, not a complete database. At this juncture, we cannot specify who this might affect as we have no access to the servers."
Despite the lack of comprehensive details, the NSRA has encouraged its members to update their account passwords.
Warnings have been issued that should gun owners' data be accessed by unauthorised parties, it could be exploited by criminal gangs to target properties for weapons, which are challenging to acquire in the UK and therefore potentially valuable.
In September 2021, similar concerns were raised when the personal information of 100,000 UK gun owners was leaked online, including details of home addresses where firearms were believed to be kept.
Following a cyber attack, German IT services provider Bitmarck has closed down all customer and internal systems, including whole data centres in some instances.
Bitmarck, a significant service provider for German health insurers, reassured that no customer, patient, or insured person's data had been compromised in the breach, based on "the current state of knowledge," according to a statement on its temporary website.
Patient data "was and is not at risk from the attack," due to the "special protection" offered under Germany's Gematik healthcare data regulations.
The timeframe for reinstating all systems is uncertain. However, certain services, like the digital processing of electronic incapacity for work certificates and access to electronic patient files, are already operational or will be soon. Other key services are expected to be available shortly.
Bitmarck is also exploring a short-term IT environment to restore central processes for health insurers, such as payments. However, the company warned that it might take time before its managed services return to their pre-attack performance levels, due to the extensive shutdowns and potential temporary service failures.
Bitmarck did not provide information on who attacked its network and how.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
Join us in Dublin or London for the Security First 2022 conference. We'll be bringing together industry professionals and specialist experts to discuss the latest cyber security trends and offer actionable advice on preparing your business to put security first in 2022.