
Cyber Security in June 2024

To summarise this month's cyber security news, attackers hit the NHS, FortiGate Systems, and Life360, new vulnerabilities were discovered, ransomware gangs were arrested, and more.

On a more exciting note, TryHackMe released a new partnership module with Snyk!

Continue reading to discover the latest news.

NEW module: TryHackMe partners with Snyk!

On 20th June, TryHackMe released a game-changing module in partnership with Snyk, developed by Snyk experts.

The Snyk module consists of two free rooms (with another two rooms coming soon!), covering free Snyk tooling and basic training for Snyk tools! The TryHackMe and Snyk collaboration marks a significant step in the world of DevSecOps, whether you're a seasoned developer or just starting out in cyber security!

Find out more about the partnership, or launch the Snyk module on TryHackMe!

Major cyber attack on NHS hospitals causes widespread disruption

A significant cyber attack has caused extensive disruptions to NHS hospitals in London, affecting patients with cancer and those requiring emergency operations. Guy’s and St Thomas’ Foundation Trust and King’s College University Hospital NHS Foundation Trust cancelled over 200 urgent and life-saving procedures due to a ransomware attack on their pathology services provider, Synnovis. This attack has led to the postponement of more than a third of procedures, including 3,000 non-surgical appointments and urgent cancer diagnoses.

The shortage of type-O blood has compounded the crisis, prompting NHS leaders to urge donations. Hospitals have declared critical incidents, with the disruption potentially lasting months. Synnovis is working with the National Cyber Security Centre to restore services, while NHS staff strive to minimise the impact on patient care.

Critical remote code execution vulnerability discovered in PHP

A new critical remote code execution vulnerability has been identified in the widely used PHP programming language. This vulnerability, CVE-2024-4577, is related to the previously patched CVE-2012-1823, allowing arbitrary code execution. Discovered in the Best-Fit feature of encoding conversion within Windows, this flaw enables threat actors to bypass existing protections and execute remote code via specific character sequences through an argument injection attack.

The vulnerability affects multiple PHP versions, including PHP 5, PHP 7, PHP 8.0, and even the latest PHP versions prior to 8.3.8, 8.2.20, and 8.1.29. PHP has issued a patch as of June 6, 2024, and released necessary security advisories.

Users are advised to update to the newest version of PHP if possible.
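To act on that advice across more than one server, the fixed releases listed above can be checked against collected `php -v` banners. The following is an added example, not part of the original article: the host names and banners are constructed, and the status labels are this example's own.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED_PATCH = {(8, 1): 29, (8, 2): 20, (8, 3): 8}

# First x.y.z in a `php -v` banner, plus any vendor suffix such as "-1ubuntu2".
BANNER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([-+~][0-9A-Za-z.+~-]+)?")


def triage(banner):
    """Classify one PHP version banner against the article's fixed releases."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unparsed"
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    # PHP 5, PHP 7 and PHP 8.0 are listed as affected with no fixed release given.
    if major in (5, 7) or (major, minor) == (8, 0):
        return "affected-no-fix-listed"
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "not-covered-by-article"
    if patch >= fixed:
        return "patched"
    # A vendor suffix can mean a backported fix; the number alone cannot tell.
    return "review-vendor-build" if m.group(4) else "affected"


def triage_inventory(inventory):
    """Map host -> status for an iterable of (host, banner) pairs."""
    return {host: triage(banner) for host, banner in inventory}


# Constructed sample inventory (hypothetical host names and banners).
SAMPLE = [
    ("web-01", "PHP 8.3.8 (cli) (built: Jun  4 2024 15:04:02) (ZTS Visual C++ 2019 x64)"),
    ("web-02", "PHP 8.2.19 (cli) (built: May  8 2024 08:10:11) (NTS Visual C++ 2019 x64)"),
    ("legacy", "PHP 7.4.33 (cli) (built: Nov  2 2022 16:00:55) (ZTS Visual C++ 2017 x64)"),
    ("build-03", "PHP 8.1.2-1ubuntu2.17 (cli) (built: May  1 2024 10:10:07) (NTS)"),
    ("edge-04", "php: command not found"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host:10} {status}")
```

Hosts reported as `review-vendor-build` carry a packager's suffix, so their fix status has to be confirmed from the vendor's own advisory rather than from the version number.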

Key developer for Conti and LockBit ransomware groups arrested

Ukrainian cyber police have arrested a 28-year-old man from Kyiv, a critical figure in the development of cryptors for the notorious Conti and LockBit ransomware groups. The arrest occurred after an international law enforcement operation called ‘Operation Endgame’ took place. The suspect, originally from the Kharkiv region, is accused of creating specialised software that disguises malicious code as secure files, evading antivirus detection.

This software played a pivotal role in the operations of Conti and LockBit, enabling numerous significant cyber attacks globally. The investigation, supported by Dutch police, uncovered that the suspect sold his crypting services for cryptocurrency, facilitating ransomware attacks that crippled computer networks in the Netherlands and Belgium.

During the operation, authorities conducted searches in Kyiv and Kharkiv, seizing computer equipment, mobile phones, and handwritten notes. The suspect's cryptors enhanced the effectiveness of ransomware by bypassing security defences, contributing to widespread disruption and financial losses.

Ticketmaster falls victim to cyber attack

At the beginning of June, publishers reported a cyber attack that led to the data of 560 million Ticketmaster customers being stolen.

Ticketmaster confirmed 'unauthorised activity' on its database, following an incident whereby a group of hackers claimed to have stolen the personal details of 560 million customers.

ShinyHunters, the group claiming responsibility, says the stolen data includes names, addresses, phone numbers and partial credit card details from Ticketmaster users worldwide.

The hacking group reportedly demanded a $500,000 (£400,000) ransom payment, before publicly advertising the data for sale. Ticketmaster refused to confirm the attack to reporters or customers and instead notified shareholders.

While we aren't certain how many customers were affected by the data breach, we do know that Live Nation has filed the incident with the US Securities and Exchange Commission.

Critical vulnerabilities disclosed in VLC Media Player

VideoLAN, the developer of VLC Media Player, has disclosed multiple critical vulnerabilities that could enable attackers to execute arbitrary code remotely. These vulnerabilities impact both the desktop and iOS versions of VLC.

SB-VLC3021: Desktop Version Vulnerabilities

A potential integer overflow in VLC Media Player's desktop version could be triggered by a maliciously crafted MMS stream, leading to a heap-based overflow. This vulnerability could cause the player to crash or allow arbitrary code execution with the target user's privileges.

While ASLR and DEP offer some protection, they can potentially be bypassed. Users should avoid opening MMS streams from untrusted sources and disable VLC browser plugins.

The issue is addressed in VLC Media Player version 3.0.21. Users should update to this version to safeguard against this vulnerability.

SB-VLC-iOS359: iOS Version Vulnerabilities

A path traversal vulnerability in VLC for iOS's WiFi file-sharing feature could allow malicious actors on the local network to upload arbitrary data to hidden storage locations within the application.

This could lead to a denial-of-service (DoS) condition due to exceeded storage space. However, no read access by third parties or write access outside the application container is possible. No known exploits have been reported for this vulnerability.

VLC-iOS version 3.5.9 addresses this issue. Users should update to this version to protect their devices.

How to Update VLC Media Player

Desktop Version:

  1. Open VLC Media Player.
  2. Go to “Help” > “Check for Updates.”
  3. Follow the prompts to download and install the latest version.

iOS Version:

  1. Open the App Store on your iOS device.
  2. Search for VLC Media Player.
  3. Tap “Update” if an update is available.

Extensive cyber espionage campaign targets FortiGate Systems

At the beginning of 2024, reports emerged of threat actors targeting FortiGate systems with COATHANGER malware. However, recent investigations have revealed that the cyber espionage campaign had significantly more extensive capabilities.

The Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) have issued a security advisory highlighting the abuse of vulnerabilities in edge devices. These actors exploited the CVE-2022-42475 vulnerability, compromising at least 20,000 FortiGate systems globally, including those of dozens of governments, international organizations, and numerous defence industry companies.

The threat actor had knowledge of the CVE-2022-42475 vulnerability at least two months before its public disclosure. During this period, over 14,000 devices were infected with malware. Victims remain vulnerable even after installing security updates, indicating that the actors still maintain access to many compromised systems.

Critical zero-click RCE vulnerability discovered in Microsoft Outlook

A critical zero-click remote code execution (RCE) vulnerability, designated CVE-2024-30103, has been discovered in Microsoft Outlook. This vulnerability allows attackers to execute arbitrary code by sending a specially crafted email, which compromises the system when opened by the recipient.

The zero-click nature of CVE-2024-30103 makes it particularly alarming. Unlike traditional phishing attacks requiring user interaction, this exploit is triggered merely by opening the malicious email. This significantly lowers the barriers to successful exploitation, making it a potent tool for cybercriminals.

According to Morphisec, the vulnerability stems from how Microsoft Outlook processes certain email components. Opening a specially crafted email triggers a buffer overflow, enabling the attacker to execute arbitrary code with the same privileges as the user running Outlook. This can result in a full system compromise, data theft, or further malware propagation within a network.

As of the latest updates, there are no known attacks exploiting the Microsoft Outlook vulnerability CVE-2024-30103 in the wild. Nonetheless, it is crucial for all users to apply the recommended security measures promptly to mitigate the risk.

Life360 falls victim to criminal extortion attempt

Life360, a company known for its family safety services, recently fell victim to a criminal extortion attempt. The popular family safety company began receiving emails from an unknown actor claiming to possess Tile customer information and later detected unauthorised access to the Tile customer support platform.

Unfortunately, data including names, addresses, email addresses, phone numbers, and Tile device identification numbers were compromised. Life360 confirms that sensitive information such as credit card numbers, passwords, log-in credentials, location data, and government-issued identification numbers was not affected.

In a statement following the incident, a Life360 spokesperson claimed: “We take this event and the security of customer information seriously. We have taken and will continue to take steps designed to further protect our systems from bad actors.”

While law enforcement authorities have opened an investigation, Life360 advises its customers to remain vigilant and report any suspicious activity related to their Tile accounts.



Check back again next month for our monthly roundup of cyber security news!


Author: Jabba
Jun 21, 2024
