Brent Forrest's Cybersecurity News Update 1-17-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 1/17/2024


After a long weekend and a bit of cold weather, it was good to get back into the office this morning and see people through my glass door! OK, all jokes aside, it was really nice to get out of the house after being self-confined to our four walls. The best part is, I had a traveler with me this morning. My 8-year-old daughter came into the office with me today for a "homeschool field trip" to work alongside a couple of our wonderful ladies in the office. She even brought along her notebook to take notes in preparation to "do cybersecurity" when she gets older. Start them young! 

 

On that note, let’s jump into this week's cybersecurity news update. 


HMG Healthcare, a Texas healthcare provider, suffers data breach 

 

HMG Healthcare, LLC has confirmed that the PHI of up to 80k individuals was exposed and potentially stolen in a cyberattack detected in November 2023 

  • The investigation found that the initial compromise occurred in August 2023, roughly three months before it was detected 
  • HMG confirmed that unencrypted files were copied, but stated it "was not feasible" to identify exactly what types of information the hackers obtained 
  • It is unclear why that determination was made: either logging was insufficient to reconstruct what was taken, or a comprehensive file-by-file review was judged too slow and costly 
  • The nature of the attack has not been disclosed either; HMG said only that it "worked diligently to ensure the stolen files were not further shared by hackers" 
  • That wording suggests HMG paid the threat actors to prevent publication or sale of the stolen data (pure assumption on my part, based on the statements made and past experience with other ransomware engagements) 

Link (1): https://www.hipaajournal.com/hmg-healthcare-data-breach/#:~:text=HMG%20Healthcare%2C%20LLC%2C%20a%20Texas,was%20detected%20in%20November%202023. 

 

Decryptor for Babuk Tortilla ransomware released 

 

Babuk ransomware emerged in 2021, targeting industries such as healthcare, manufacturing, logistics and public services, including critical infrastructure 

  • The Tortilla campaign was discovered by Cisco Talos on Oct 12, 2021; it targeted vulnerable Microsoft Exchange servers by exploiting the ProxyShell vulnerabilities 
  • Cisco Talos obtained executable code capable of decrypting files affected by the Tortilla variant, which allowed Talos to extract and share the private decryption key used by the threat actor 
  • The key was shared with Avast and added to the Avast Babuk decryptor originally released in 2021, so victims of the Tortilla variant can recover files with that single, updated tool 
  • Dutch Police were able to identify, apprehend, and prosecute the threat actor behind the Babuk Tortilla operation based on threat intelligence provided by Cisco Talos 

Link (1): https://blog.talosintelligence.com/decryptor-babuk-tortilla/ 

 

Akira targeting backups 

 

The Finnish National Cyber Security Centre (NCSC-FI) saw increased Akira ransomware activity in December targeting companies in Finland and wiping their backups 

  • Larger organizations typically back up to enterprise storage such as a SAN, while smaller organizations often rely on a NAS (Network Attached Storage) device or tape; Akira has been deleting these backups to eliminate any option of restoring data without paying the ransom. A NAS that is reachable from the production network with the same credentials the attacker already holds is not an offline backup, which is why NCSC-FI's guidance stresses keeping copies that are offline and out of reach of a compromised domain 
  • Recently, I ran across Akira targeting a small organization in the North Texas region. Interestingly enough, the threat actor did not respond to correspondence, and the organization decided it best to just wipe and start completely over on their systems (this was based on the size of their organization and their access to offline backups / SaaS services) 

Link (1): https://www.bleepingcomputer.com/news/security/finland-warns-of-akira-ransomware-wiping-nas-and-tape-backup-devices/ 

 

Sensitive school data accidentally exposed online 

 

Raptor Technologies is a firm that provides software that allows schools to track student attendance, monitor visitors, and manage emergency situations 

  • Security researcher Jeremiah Fowler discovered roughly 800 GB of files and logs linked to Raptor Technologies, comprising more than 4 million records 
  • The exposure was not the result of a cyberattack but of three unsecured, publicly accessible storage buckets, holding files dated between 2022 and 2023 
  • More than 75% of the exposed documents appeared to be threat reports, details of safety drills, or related emergency procedures 
  • There is no evidence the files were accessed by a malicious actor; however, the details they contained could be exploited by someone planning an attack on a school 

Link (1): https://www.wired.com/story/us-school-shooter-emergency-plans-leak/ 
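The Raptor exposure was a misconfiguration rather than an exploit: storage buckets that anyone on the internet could read. The following is an added example, not code from the original post or from Raptor Technologies, showing the two checks a reviewer runs against an AWS S3 bucket to decide whether it is public: does the bucket policy grant access to a wildcard principal, and does the legacy ACL grant to the AllUsers or AuthenticatedUsers groups. The policy and ACL documents are constructed samples (the bucket name, account ID, canonical user ID and VPC endpoint ID are placeholders), and the treatment of Condition blocks is a stated simplification.

```python
import json

# Constructed sample inputs for illustration only; these are not Raptor
# Technologies' real configuration. Shapes follow the S3 bucket-policy
# document and the boto3 get_bucket_acl() response.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-safety-docs",
                     "arn:aws:s3:::example-safety-docs/*"],
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-safety-docs/*",
    }],
})

# Wildcard principal, but limited to one VPC endpoint by a Condition: not public.
VPCE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpceOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-safety-docs/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

OWNER_ID = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
SAMPLE_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Predefined S3 groups whose members are everyone (AllUsers) or any AWS
# account holder at all (AuthenticatedUsers), which is effectively public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten the Principal element ("*", {"AWS": "*"}, {"AWS": [...]}) to a list."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for v in principal.values():
        out.extend(_as_list(v))
    return out


def public_statements(policy_json):
    """Return (Sid, actions) for Allow statements that grant access to everyone.

    Simplification (assumption): a wildcard principal paired with any Condition
    block is treated as restricted, which is how the common aws:SourceVpce and
    aws:SourceIp patterns behave; a real review inspects the condition keys.
    """
    policy = json.loads(policy_json)
    findings = []
    for i, s in enumerate(_as_list(policy.get("Statement", []))):
        if s.get("Effect") != "Allow":
            continue
        if "*" not in _principals(s.get("Principal", {})):
            continue
        if s.get("Condition"):
            continue
        findings.append((s.get("Sid", f"statement[{i}]"), _as_list(s.get("Action", []))))
    return findings


def public_acl_grants(acl):
    """Return (group, permission) for ACL grants to the public predefined groups."""
    return [
        (PUBLIC_GROUPS[g["Grantee"]["URI"]], g["Permission"])
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS
    ]


if __name__ == "__main__":
    for name, doc in [("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY), ("vpce", VPCE_POLICY)]:
        print(name, public_statements(doc))
    print("acl", public_acl_grants(SAMPLE_ACL))
```

To run this against real buckets, feed it the output of `aws s3api get-bucket-policy --bucket NAME --query Policy --output text` and `aws s3api get-bucket-acl --bucket NAME`. Check the S3 Block Public Access settings first: when they are enabled at the account or bucket level they override both the policy and the ACL, and their absence is usually how a bucket like the ones in this story ends up readable by the world.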

 

ManageEngine ADSelfService Plus Patch  
 

CVE-2024-0252 is an authenticated remote code execution vulnerability in the load balancer component of ManageEngine ADSelfService Plus 

  • All ADSelfService Plus installations are vulnerable, regardless of whether a load balancer has been configured 
  • To remediate, update the instance to build 6402 by applying the service pack provided by Zoho; the advisory linked below lists the affected builds 

Link (1): https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-0252.html 

 

Google patches first Chrome zero-day vulnerability of the year 

 

This is the first Chrome zero-day of the year to be exploited in the wild, just 17 days in 

  • CVE-2024-0519 is a high-severity out-of-bounds memory access weakness in Chrome's V8 JavaScript engine; an attacker can exploit it to read data beyond the bounds of a memory buffer, exposing sensitive information or triggering a crash 
  • Chrome downloads updates in the background, but a downloaded update only takes effect once the browser is relaunched. If you keep Chrome open for days expecting it to be patched, you still need to click the update indicator in the top-right corner (or visit chrome://settings/help and relaunch) or the fix is not applied 

Link (1): https://www.bleepingcomputer.com/news/security/google-fixes-first-actively-exploited-chrome-zero-day-of-2024/ 

 

Urgent warning from Citrix to patch two zero-day vulnerabilities 

 

Citrix has issued an urgent advisory for two zero-day vulnerabilities in NetScaler ADC and NetScaler Gateway, and reports that exploitation of unmitigated appliances has been observed 

  • CVE-2023-6548: Authenticated Remote Code Execution (RCE) in the management interface. An authenticated attacker with low-level privileges can exploit it if they can reach the NetScaler IP (NSIP), Subnet IP (SNIP), or cluster management IP (CLIP) with access to the appliance's management interface 
  • CVE-2023-6549: Denial of Service (DoS). An attacker can exploit it when a vulnerable appliance has been configured as a Gateway (e.g., VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as a AAA virtual server 
  • At this point in time, no public Proof-of-Concept (PoC) has been identified for either vulnerability, but given the history of exploitation against NetScaler ADC and Gateway, exploit code is expected to appear soon 
  • Citrix has released patches; see the link below for a matrix of affected builds and the fixed versions to install 
  • As a compensating control for CVE-2023-6548, Citrix recommends separating management-interface traffic from normal network traffic, physically or logically, and not exposing the management interface to the internet 

Link (1): https://www.tenable.com/blog/cve-2023-6548-cve-2023-6549-zero-day-vulnerabilities-netscaler-adc-gateway-exploited 

 

Ivanti Vulnerability Widespread Scanning  

 

Exploitation of the Ivanti Connect Secure VPN zero-days has gone global, with more than 1,700 compromised devices identified worldwide 

  • Victims span all verticals: military, defense, government, financial, and technology 
  • CVE-2024-21887: a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) that allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance 
  • CVE-2023-46805: an authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) that allows a remote attacker to access restricted resources by bypassing control checks 
  • Chained together, the authentication bypass removes the "authenticated" requirement of the command injection, giving an unauthenticated remote attacker code execution on the appliance 
  • Ivanti has published a mitigation (an XML file imported through the appliance's management interface), but a patch was still in development at the time of writing. Applying the mitigation does not clean a device that was already compromised, so Ivanti also recommends running its Integrity Checker Tool (ICT) to look for signs of compromise 

Link(1): https://isc.sans.edu/diary/Scans%20for%20Ivanti%20Connect%20%22Secure%22%20VPN%20%20Vulnerability%20%28CVE-2023-46805%2C%20CVE-2024-21887%29/30562 

Link (2): https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/ 

Link (3): https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US 
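The two Ivanti bugs are a path-based authentication bypass and a command injection in the web layer, so the raw request path is where both show up. As an added example (not code from the original post, from Ivanti, or from the linked reports), here is a small Python scanner that reads access-log lines in a generic common-log format and flags requests whose decoded path either climbs out of its directory with `..` segments (the authentication-bypass class) or carries shell metacharacters in a path segment (the command-injection class). The log lines and the API paths in them are constructed for illustration and are not the exploited Ivanti endpoints; the real paths are documented in the Volexity and SANS ISC write-ups linked above, and an Ivanti appliance writes its own log format rather than this one, so the parser is an assumption about where the request path is logged.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample log lines in a generic common-log-like format (illustration
# only; not real Ivanti Connect Secure logs and not the real exploited endpoints).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jan/2024:10:02:11 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.9 - - [16/Jan/2024:10:02:13 +0000] "GET /api/v1/public/health/../../admin/status HTTP/1.1" 200 812
203.0.113.9 - - [16/Jan/2024:10:02:15 +0000] "GET /api/v1/status/%3Bcurl%20198.51.100.7%3B HTTP/1.1" 200 64
198.51.100.23 - - [16/Jan/2024:10:05:40 +0000] "GET /api/v1/public/health/..%2F..%2Fadmin/status HTTP/1.1" 403 120
203.0.113.5 - - [16/Jan/2024:10:06:02 +0000] "GET /images/logo.png?v=2 HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that separate or substitute commands in a POSIX shell.
SHELL_META = re.compile(r'[;|`]|\$\(|&&')


def decode_path(raw):
    """Percent-decode twice (catches double encoding) and drop the query string."""
    return unquote(unquote(raw)).split('?', 1)[0]


def traversal_escapes(raw):
    """True if the decoded path has a '..' segment that changes the normalized
    path, i.e. the request climbs out of the directory it started under. A
    front-end that authorizes on the raw prefix but serves the normalized path
    is exactly the shape an auth bypass of this class abuses."""
    path = decode_path(raw)
    return '..' in path.split('/') and normpath(path) != path


def analyze_request(raw):
    """Return indicator labels for one raw request path (empty list if clean)."""
    indicators = []
    if traversal_escapes(raw):
        indicators.append('path-traversal')
    if SHELL_META.search(decode_path(raw)):
        indicators.append('shell-metacharacters')
    return indicators


def scan_log(text):
    """Parse log lines and return findings for suspicious requests. A 200 on a
    traversal request is the interesting case: the server accepted the path."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = analyze_request(m['path'])
        if indicators:
            findings.append({
                'ip': m['ip'],
                'path': m['path'],
                'status': int(m['status']),
                'indicators': indicators,
            })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['status']} {','.join(f['indicators']):22} {f['path']}")
```

Two design points: the path is decoded before inspection because `..%2F` and `%3B` are how these payloads typically arrive, and the traversal check compares the normalized path to the original rather than just searching for `..`, so a legitimate `.` segment or a `..` that stays inside its directory does not fire. Log scanning only finds attempts; it does not prove the appliance is clean, which is why Ivanti's Integrity Checker Tool is still the check to run on the device itself.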

 

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 


About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or modern technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been part of multiple groups within the IT field, spanning telecom, network, wireless and infrastructure, before eventually finding his passion within security. 20 years of that time was spent within the oil and gas industry, working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program. 

Brent has been with Flair Data for 3 years and holds the CISSP, C|CISO, CvCISO, and Security+ certifications. In his free time, he likes to spend time with family, work out, or keep up with personal development. 

He lives in Dallas, Texas with his wife and children. 


About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and cyber security services in Plano, TX. 

