MSP cybersecurity news digest, July 19, 2024

Patelco Credit Union faces ransomware attack, Evolve Bank breach impacts 7.6 million

A ransomware attack on Patelco Credit Union prompted a shutdown of several banking systems to contain the issue. Patelco, a California-based credit union with over $9 billion in assets, serves more than 400,000 members through 37 branches.

The attack has disrupted online banking, the mobile app, call center services and electronic transactions, although ATM withdrawals remain unaffected. The organization is working with cybersecurity experts to investigate and recover but has not said when normal operations will resume.

In a separate case, Evolve Bank & Trust notified 7.6 million Americans of a data breach from a LockBit ransomware attack. In June, LockBit falsely claimed it breached the U.S. Federal Reserve, but the leaked data was actually from Evolve. An investigation revealed that an employee clicked on a malicious link, allowing the attacker to access and download Evolve's database. Although customer funds remained safe, several fintech customers, including Affirm, Wise and Bilt, were affected.

Microsoft July 2024 Patch Tuesday fixes 142 flaws, including four zero-day vulnerabilities

Microsoft's July 2024 Patch Tuesday included security updates for 142 flaws, with five critical remote code execution vulnerabilities.

Among these, two are actively exploited zero-days: CVE-2024-38080 (Windows Hyper-V Elevation of Privilege) and CVE-2024-38112 (Windows MSHTML Platform Spoofing). Additionally, two publicly disclosed zero-days were fixed: CVE-2024-35264 (.NET and Visual Studio RCE) and CVE-2024-37985 (FetchBench side-channel attack).

By category, the update addressed 26 elevation of privilege, 24 security feature bypass, 59 remote code execution, 9 information disclosure, 17 denial of service and 7 spoofing vulnerabilities.

ViperSoftX malware is being distributed over Torrent sites as e-books

The ViperSoftX malware is now being distributed as e-books over torrent sites. Researchers noted that this variant uses the Common Language Runtime (CLR) to load and run PowerShell commands from within AutoIt, so the PowerShell activity does not surface as a separate powershell.exe process and evades detection mechanisms that key on it.

Recent campaigns have used ViperSoftX to deliver Quasar RAT and TesseractStealer via cracked software and torrent sites, with e-book lures being a new tactic. The infection chain starts with a deceptive Windows shortcut file that sets up a persistent AutoIt script, which in turn decrypts and runs a secondary PowerShell script. ViperSoftX can harvest system information, scan for cryptocurrency wallets and download additional payloads, while using self-deletion mechanisms to avoid detection.
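The detection-relevant point in the chain above is that an AutoIt interpreter hosting the CLR can execute PowerShell without ever spawning powershell.exe, so a rule that only watches for powershell.exe misses it. The script below is an added example, not code from the original digest or from the researchers who reported ViperSoftX; it correlates constructed, Sysmon-like process-creation and image-load events per process ID (the field names and sample paths are assumptions made for this illustration) and flags three things a defender would want to see: an AutoIt interpreter running from a user-writable directory, an AutoIt process loading the PowerShell engine assembly, and an AutoIt process that spawns powershell.exe the conventional way.

```python
"""Correlate AutoIt activity with CLR-hosted or spawned PowerShell.

Added example for the ViperSoftX chain described above. Telemetry below is
constructed; it mimics Sysmon process-create (ID 1) and image-load (ID 7)
events, but the field names, pids and paths are assumptions, not real data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events (assumed schema: type, pid, image, parent_image,
# cmdline for process_create; type, pid, image, loaded for image_load).
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 4100, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\winlogon.exe", "cmdline": "explorer.exe"},
    # Stage 1: AutoIt interpreter dropped into AppData, launched via explorer (shortcut)
    {"type": "process_create", "pid": 4210,
     "image": r"C:\Users\alice\AppData\Roaming\AutoIt3.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'AutoIt3.exe "C:\Users\alice\AppData\Roaming\update.au3"'},
    # Stage 2: that AutoIt process loads the CLR and the PowerShell engine assembly
    {"type": "image_load", "pid": 4210,
     "image": r"C:\Users\alice\AppData\Roaming\AutoIt3.exe",
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"type": "image_load", "pid": 4210,
     "image": r"C:\Users\alice\AppData\Roaming\AutoIt3.exe",
     "loaded": r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"},
    # Alternate path: an AutoIt process spawning powershell.exe outright
    {"type": "process_create", "pid": 4300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\AutoIt3.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden"},
    # Benign: a developer's AutoIt install in Program Files that never touches .NET
    {"type": "process_create", "pid": 5000,
     "image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "AutoIt3.exe build.au3"},
    {"type": "image_load", "pid": 5000,
     "image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    # Benign: PowerShell started from a console, not from AutoIt
    {"type": "process_create", "pid": 6000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "powershell.exe"},
]

AUTOIT_RE = re.compile(r"\\autoit3(_x64)?\.exe$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
PS_ENGINE_RE = re.compile(r"\\System\.Management\.Automation(\.ni)?\.dll$", re.IGNORECASE)
POWERSHELL_RE = re.compile(r"\\(powershell|pwsh)\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def detect_autoit_powershell(events: List[Dict]) -> List[Finding]:
    """Return findings for AutoIt processes that host or launch PowerShell.

    Correlation key is the pid: image_load events are only interesting when the
    loading process was itself created as an AutoIt interpreter.
    """
    findings: List[Finding] = []
    autoit_pids = set()

    for ev in events:
        if ev["type"] == "process_create" and AUTOIT_RE.search(ev["image"]):
            autoit_pids.add(ev["pid"])
            # Heuristic (assumption): a legitimate AutoIt install lives under
            # Program Files; an interpreter in AppData is persistence territory.
            if USER_WRITABLE_RE.search(ev["image"]):
                findings.append(Finding(ev["pid"], "autoit_from_user_writable_path", ev["image"]))

    for ev in events:
        if ev["type"] == "image_load" and ev["pid"] in autoit_pids \
                and PS_ENGINE_RE.search(ev["loaded"]):
            # PowerShell engine inside AutoIt: no powershell.exe will ever appear.
            findings.append(Finding(ev["pid"], "autoit_hosts_powershell_engine", ev["loaded"]))
        elif ev["type"] == "process_create" and AUTOIT_RE.search(ev["parent_image"]) \
                and POWERSHELL_RE.search(ev["image"]):
            findings.append(Finding(ev["pid"], "autoit_spawns_powershell", ev["cmdline"]))

    return findings


if __name__ == "__main__":
    for f in detect_autoit_powershell(SAMPLE_EVENTS):
        print(f"pid={f.pid} rule={f.rule} detail={f.detail}")
```

The two-pass structure matters: image-load telemetry for AutoIt is noisy on its own (every AutoIt script loads plenty of DLLs), so the rule only fires on the PowerShell engine assembly and only for processes already identified as the AutoIt interpreter. In a real deployment the same logic maps onto a Sysmon ID 1 / ID 7 join keyed on ProcessGuid rather than a bare pid.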

In a separate investigation, ViperSoftX turned out not to be the only malicious activity linked to torrents. South Korean internet provider KT installed malware on over 600,000 subscribers' computers to interfere with BitTorrent traffic, aiming to manage network congestion and reduce costs. While internet providers worldwide have refined their network management, KT's aggressive tactic stands out: a dedicated team developed, distributed and operated the malware. It significantly disrupted users of popular Webhard services in South Korea, which rely on BitTorrent for efficient file sharing. KT's actions, currently under police investigation, highlight the extreme measures some ISPs take to curb torrent traffic, purportedly to save costs but at the price of significant privacy violations and operational disruption for users.

Major security concerns revealed in Ticket Heist fraud and FIA data breach

In a large-scale fraud campaign dubbed "Ticket Heist," over 700 domains have been set up to target Russian-speaking users seeking tickets for the Paris Summer Olympics and other major events. Researchers discovered that these domains, created since 2022, offer overpriced fake tickets, with some sites charging up to €1,000. The campaign uses a consistent user interface across its websites, aiming to steal money through legitimate payment platforms rather than collecting credit card information.

Researchers found that the fraudulent websites are hosted on a single IP address, with 98% of them free of malware, which supports the theory that the goal is direct monetary theft rather than infection. The domains often contain keywords like "ticket" and "Paris," and use subdomains and SSL certificates to maintain a façade of legitimacy. Fake tickets for the UEFA European Championship and concerts in Russia have also been offered, predominantly targeting Russian-speaking users with websites featuring Russian phone numbers and Russian-language text.

In another incident, the auto racing governing body FIA (Fédération Internationale de l'Automobile) reported a data breach following phishing attacks that compromised email accounts. The FIA, which oversees Formula 1 and other racing championships, reportedly took immediate action to cut off unauthorized access and notified relevant data protection authorities. The organization stated it is enhancing its security measures to prevent future breaches but has yet to disclose the scope of the data compromised or the number of individuals affected.

South African National Health Laboratory Service recovering from ransomware attack

South Africa's National Health Laboratory Service (NHLS) is recovering from a ransomware attack that disrupted diagnostic systems and deleted backups, causing delays in lab testing across public health facilities.

While all laboratories are now functional and processing samples, physicians cannot access test results via the online portal, affecting emergency patients and intensive care units nationwide. The NHLS assured the public that no patient data was compromised and that the affected data would be restored within weeks, but the incident has severely hindered health care delivery, with over 6.3 million unprocessed blood tests delaying major operations.

In the meantime, urgent test results are being communicated to clinicians by telephone, raising concerns among health care centers, NHLS staff and patients about operational continuity. The NHLS, which operates over 265 laboratories, faces a long recovery with no clear timeline for full restoration.