MSP cybersecurity news digest, July 23, 2024

CrowdStrike warns customers that threat actors were distributing the Remcos Remote Access Trojan (RAT) disguised as a hotfix.  

A recent mishap at cybersecurity firm CrowdStrike caused significant global IT disruption on July 19, 2024: a routine sensor configuration update to CrowdStrike's Falcon platform triggered widespread system failures. The incident affected 8.5 million Windows devices globally, causing chaos for businesses and organizations reliant on these systems. Airports like Schiphol, Melbourne and Zurich faced severe delays and cancellations, impacting airlines such as KLM and Jetstar. Emergency services in New York, Alaska, Arizona and parts of Canada experienced outages, forcing some to rely on manual operations. Hospitals in the Netherlands and Spain also reported issues but began recovering as the fix was implemented. News outlets like Sky News and ABC faced disruptions as well.

Two days later, Microsoft launched a Windows repair tool to remove the problematic CrowdStrike driver that was causing issues for users. The problem was traced to a channel file update that triggered an error in a kernel driver, which CrowdStrike could not quickly revert. CrowdStrike provided a workaround that involved deleting a specific file in safe mode. Although a fix is available, organizations continue to face challenges because of the scale of the disruption.

Malicious actors quickly capitalized on the confusion, setting up typosquatting domains and distributing phishing emails to trick users into downloading malware under the guise of CrowdStrike fixes. In some cases, threat actors used the situation to distribute the Remcos RAT. The flawed update, which caused Windows devices to crash, prompted cybercriminals to spread a fake "crowdstrike-hotfix.zip" archive containing malicious software. The archive, aimed at Latin American customers, included a text file with Spanish instructions urging users to run an executable to resolve the issue.
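As an added illustration of the lookalike-domain screening a defender might run over mail or DNS logs during an incident like this (example code written for this digest, not CrowdStrike's or any vendor's tooling): it flags domains that bolt extra words onto the brand name, swap in homoglyph characters, reuse the brand label on another TLD, or sit within two edits of the brand. Every domain other than crowdstrike.com is a constructed sample, and the homoglyph table and the two-edit threshold are assumptions to tune for your environment.

```python
"""Screen candidate domains for impersonation of a brand name.

Categories returned by classify():
  legitimate  - an allow-listed domain
  wrong_tld   - the exact brand label on a TLD that is not allow-listed
  homoglyph   - the brand label once lookalike characters are undone (cr0wdstrike)
  combosquat  - the brand label plus extra words (crowdstrike-hotfix)
  typosquat   - within MAX_EDITS edits of the brand label (crowdstrlke)
  unrelated   - none of the above
"""
from __future__ import annotations

BRAND = "crowdstrike"
LEGITIMATE = {"crowdstrike.com"}   # allow-list; extend with your own known-good domains
MAX_EDITS = 2                     # assumed threshold for typosquat detection

# Character swaps commonly used to mimic Latin letters (assumed, constructed table).
HOMOGLYPHS = {"vv": "w", "rn": "m", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

# Constructed sample input; only crowdstrike.com is a real domain.
SAMPLE_DOMAINS = [
    "crowdstrike.com",
    "crowdstrike-hotfix.example",
    "cr0wdstrike.example",
    "crowdstrlke.example",
    "crowdstike.example",
    "crowdstrike.net",
    "example.org",
]


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD: 'crowdstrike-hotfix.example' -> 'crowdstrike-hotfix'.

    Simplification: multi-part public suffixes such as .co.uk are not handled.
    """
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Drop separators and undo homoglyph substitutions so lookalikes collapse onto the brand."""
    text = label.replace("-", "").replace("_", "")
    for fake, real in HOMOGLYPHS.items():
        text = text.replace(fake, real)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via a rolling single-row dynamic programme."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,            # deletion
                               current[j - 1] + 1,         # insertion
                               previous[j - 1] + (ca != cb)))  # substitution
        previous = current
    return previous[-1]


def classify(domain: str) -> str:
    """Assign one of the categories listed in the module docstring."""
    if domain.lower() in LEGITIMATE:
        return "legitimate"
    label = registrable_label(domain)
    norm = normalize(label)
    if norm == BRAND:
        return "wrong_tld" if label == BRAND else "homoglyph"
    if BRAND in norm:
        return "combosquat"
    if edit_distance(norm, BRAND) <= MAX_EDITS:
        return "typosquat"
    return "unrelated"


def flag_lookalikes(domains: list[str]) -> list[tuple[str, str]]:
    """Return (domain, category) for every domain that needs analyst attention."""
    return [(d, classify(d)) for d in domains if classify(d) not in ("legitimate", "unrelated")]


if __name__ == "__main__":
    for domain, verdict in flag_lookalikes(SAMPLE_DOMAINS):
        print(f"{verdict:<11} {domain}")
```

The allow-list check runs before any fuzzy matching so the real brand domain never trips the typosquat rule; everything the scan flags is a candidate for blocking at the mail gateway or resolver, not an automatic verdict.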

APT group Void Banshee exploited a security flaw in the Microsoft MHTML browser engine to deliver Atlantida info stealer

The advanced persistent threat (APT) group Void Banshee, known for targeting North America, Europe and Southeast Asia, has exploited a recently disclosed security flaw in the Microsoft MHTML browser engine to deliver an information stealer called Atlantida. Researchers observed this activity in mid-May 2024 and identified the vulnerability as CVE-2024-38112, which is used in a multistage attack chain built around specially crafted URL files.

Variations of the Atlantida campaign have been active throughout 2024, evolving to use CVE-2024-38112 as part of Void Banshee's infection chains. The vulnerability, described as a spoofing issue by Microsoft but as a remote code execution flaw by the Zero Day Initiative, was addressed in recent Patch Tuesday updates.

The attack involves spear-phishing emails with links to .zip files containing URL files that exploit CVE-2024-38112, leading to the execution of a malicious HTML Application (HTA) and subsequent download of a PowerShell script and the Atlantida stealer.

Iranian-backed MuddyWater hacking group introduces BugSleep malware implant in cyberattacks targeting the Middle East

The Iranian-backed MuddyWater hacking group has recently shifted tactics by deploying a novel malware implant, BugSleep, diverging from their previous use of legitimate remote monitoring and management (RMM) tools.

Previously, MuddyWater, also known as TA450 or Mango Sandstorm, relied on tools like Atera Agent for persistent access, but it has now introduced BugSleep, a custom backdoor capable of file management, reverse shell execution and persistence. BugSleep was first observed by researchers in June 2024 and is being spread through phishing emails masquerading as invitations to webinars or online courses, directing victims to malicious payloads hosted on Egnyte. The shift away from known RMM tools is believed to be a response to increased scrutiny of those tools by security vendors.

The new backdoor represents a significant evolution in MuddyWater's tactics, focusing attacks on government entities, municipalities, airlines and media outlets across multiple countries including Israel, Türkiye and Portugal. The group, which has been active since 2017 and is linked to Iran's Ministry of Intelligence and Security, continues to refine its malware arsenal, with recent updates to BugSleep indicating ongoing development. The increased sophistication of MuddyWater's attacks underscores the persistent threat posed by this state-sponsored actor.

Recent ransomware attacks target Rite Aid and South Australia's Wattle Range Council

Rite Aid, the third-largest drugstore chain in the U.S., reported a data breach affecting 2.2 million customers' personal information last month. The incident occurred after attackers used an employee's credentials to access the network. The stolen data included purchaser names, addresses, dates of birth and driver's license numbers from transactions between June 2017 and July 2018. Rite Aid confirmed that Social Security numbers, financial information, and health information were not compromised.

The RansomHub ransomware gang claimed responsibility for the attack, stating that it obtained over 10 GB of customer data, and threatened to leak the data after ransom negotiations failed. In a separate case, the LockBit ransomware gang has threatened to publish over 40,000 files stolen from the Wattle Range Council.

The South Australian council fell victim to the gang, which posted details and sample images of the stolen documents on its darknet site. The stolen data, amounting to 103 gigabytes in over 7,000 folders, includes personal documents such as complaint notices, rate notices and banking applications. The council confirmed the breach, stating that its investigation is ongoing and primarily involves legacy server files. It urged the public not to access the stolen data and has informed the Australian Cyber Security Centre.

AT&T data breach results in theft of call logs of 109 million customers

AT&T has warned of a massive data breach where threat actors stole call logs for approximately 109 million customers from the company's Snowflake account. The data was stolen between April 14 and April 25, 2024, and includes call and text records made from May 1 to October 31, 2022, and on January 2, 2023.

The stolen data contains telephone numbers, interaction counts and aggregate call durations, but no personal information like names or Social Security numbers. Despite the lack of direct personal data, the metadata can potentially be used to identify individuals.

After discovering the breach, AT&T collaborated with cybersecurity experts and law enforcement, and the U.S. Department of Justice permitted a delay in public notification due to national security concerns.