MSP cybersecurity news digest, May 30, 2024

Ascension Healthcare takes systems offline after cyberattack

Ascension, a major U.S. health care system with 140 hospitals and 40 senior care facilities, has temporarily shut down some systems due to a detected cybersecurity event. The organization, reporting $28.3 billion in revenue in 2023, initiated an immediate investigation and urged business partners to disconnect from its environment as a precaution. 

Clinical operations have been disrupted, prompting an ongoing investigation to assess the extent of the impact. Ascension has alerted authorities, engaged third-party experts, and plans to provide updates as the situation unfolds.

Although the specifics of the attack remain undisclosed, the Black Basta ransomware group is believed to be responsible, with the Health Information Sharing and Analysis Center (Health-ISAC) additionally cautioning about their increased targeting of the health care sector.

New Microsoft Patch Tuesday and Chrome updates: Act now

Microsoft's May 2024 Patch Tuesday addressed 61 flaws, including three zero-day vulnerabilities that were either actively exploited or publicly disclosed. Among these, the updates fix one critical remote code execution vulnerability in Microsoft SharePoint Server. The vulnerabilities span several categories, including elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service and spoofing. Notably, this count excludes two Microsoft Edge flaws patched on May 2 and four fixed on May 10.

Patch Tuesday also covers two actively exploited zero-days and one publicly disclosed vulnerability, including a security feature bypass flaw and an elevation of privilege issue in the Windows DWM Core Library. One of these updates addresses threats such as the Qakbot malware, which has leveraged vulnerabilities to gain system privileges in recent phishing attacks.

Google has released emergency security updates for Chrome, addressing a high-severity zero-day vulnerability, CVE-2024-4761, exploited in attacks, following the recent fix for CVE-2024-4671. This latest vulnerability affects Chrome's V8 JavaScript engine, presenting an out-of-bounds write issue that can lead to unauthorized data access or code execution. The update, versions 124.0.6367.207/.208 for Mac / Windows and 124.0.6367.207 for Linux, will roll out gradually to users, with fixes for the ‘Extended Stable’ channel available in version 124.0.6367.207 for Mac and Windows.

Fin7 hacker group leverages malicious Google ads to deliver NetSupport RAT

FIN7, a financially motivated threat group, has been employing deceptive tactics such as malicious Google ads spoofing trusted brands to distribute malware, particularly leveraging MSIX installers to deploy NetSupport RAT.

These attackers have a history of evolving tactics, shifting from point-of-sale device attacks to ransomware campaigns, utilizing various custom malware families like BIRDWATCH, Carbanak, and DICELOADER.

Recently, they have been observed using malvertising techniques to initiate their attacks, relying on Google ads to lure users into downloading malicious MSIX packages. Once downloaded, these packages execute PowerShell scripts, allowing the deployment of NetSupport RAT and other malware, highlighting the ongoing threat posed by FIN7 and the abuse of MSIX files.

The Post Millennial hack leaked data impacting 26 million people

Have I Been Pwned has included data from over 26 million individuals affected by the recent breach of The Post Millennial conservative news website, owned by the Human Events Media Group, which also operates the American news platform “Human Events.” 

The attack, which occurred earlier this month, defaced both the Canadian and American platforms, with the threat actors claiming to have accessed mailing lists, subscriber databases and staff details. The exposed data, comprising names, emails, usernames, passwords, IP addresses, phone numbers, physical addresses and genders, poses significant privacy risks to the affected individuals. 

Neither The Post Millennial nor Human Events has publicly addressed the incident, which makes it all the more important for affected users to reset their passwords and remain vigilant for potential security threats.

Recent data breaches

Firstmac Limited, a major nonbank lender in Australia, revealed a data breach after the Embargo extortion group leaked over 500 GB of allegedly stolen data. The breach affected customers' personal information, including names, contact details, dates of birth and bank account information. Firstmac Limited engaged cybersecurity experts to investigate and secure its systems immediately after detecting the incident.

In another case, the City of Helsinki suffered a data breach in its education division affecting tens of thousands of individuals. An unauthorized actor exploited a vulnerability in a remote access server to access a network drive, with the breach impacting millions of files, including sensitive information like usernames, email addresses, personal IDs and physical addresses. City officials expressed regret over the breach's severity, emphasizing the potential impact on over 80,000 students, guardians and personnel.

In a separate case, IT giant Dell Technologies experienced a data breach involving a customer portal, exposing names, physical addresses and hardware purchase details, prompting an investigation by the company. Despite the breach, Dell assured affected customers that no financial or highly sensitive information, such as payment details or email addresses, was compromised.