Flair Data Systems Cybersecurity News Update 4-10-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 4/10/2024... 

Hope everyone enjoyed the Eclipse! A few of us watched from the office, and the rest of our team was working remotely. We shared some pictures of our views with each other! It was a pretty awesome event!  


Sadly, today is not such a fun day in cyber news, specifically around Microsoft patches. With 150 fixes, this appears to be one of the largest single-day patch releases Microsoft has ever put out.

 

Microsoft releases patches for two zero-days

 

  • CVE-2024-26234: Proxy Driver Spoofing Vulnerability, originally reported by Sophos X-Ops in December 2023; it is being exploited in the wild and has been publicly disclosed
  • CVE-2024-29988: SmartScreen Prompt Security Feature Bypass Vulnerability, a protection mechanism failure weakness that bypasses the fix for CVE-2024-21412 (itself an Internet Shortcut File security feature bypass)
  • Since last month's patch release there have been a total of 172 vulnerabilities fixed, 150 of them today alone
  • Another patch pulled into this month's release covers Xbox Gaming Services, which, unless you deploy from a golden image that strips it along with other bloatware before rollout, is present on your systems, so they are affected
  • CVE-2024-28916: Xbox Gaming Services Elevation of Privilege Vulnerability

Link (1): https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-two-windows-zero-days-exploited-in-malware-attacks/ 

 

Over 90,000 LG Smart TVs exposed to remote attack 

 

Four (4) vulnerabilities have been discovered that enable unauthorized access to and control over affected models, covering authorization bypass, privilege escalation, and command injection

  • The vulnerabilities affect the LG WebOS service, which should only be reachable from the LAN; Shodan nonetheless shows over 91k devices exposed to the internet
  • CVE-2023-6317 allows attackers to bypass the TV's authorization mechanism by exploiting a variable setting, enabling the addition of an extra user to the TV set without proper authorization 
  • CVE-2023-6318 is an elevation of privilege vulnerability that allows attackers to gain root access following the initial unauthorized access provided by CVE-2023-6317 
  • CVE-2023-6319 involves operating system command injection via manipulation of a library responsible for displaying music lyrics, allowing execution of arbitrary commands 
  • CVE-2023-6320 permits authenticated command injection by exploiting the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint, enabling command execution as the dbus user, which has similar permissions to the root user

Link (1): https://www.bleepingcomputer.com/news/security/over-90-000-lg-smart-tvs-may-be-exposed-to-remote-attacks/ 

 

Microsoft exposed internal passwords in security lapse 

 

SOCRadar researchers found an open, publicly accessible storage server hosted on Azure that held internal information related to Microsoft's Bing search engine

  • The data included code, scripts, and config files containing passwords, keys, and credentials used by Microsoft employees to access other internal databases and systems
  • The storage server was not protected with a password and was accessible to everyone on the internet; it has since been taken down
  • Reported to Microsoft on Feb 6, 2024
  • Removed by Microsoft on March 5, 2024
  • It is still unknown how long it was online or who accessed the data while it was publicly available

Link (1): https://techcrunch.com/2024/04/09/microsoft-employees-exposed-internal-passwords-security-lapse/ 
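The lesson from this one is that the check is cheap: ask the blob endpoint for a listing with no credentials and see what comes back. The Python probe below is an added example written for this update, not Microsoft's or SOCRadar's code. The account, container and blob names in it are placeholders, and the two sample XML replies are constructed in the shape of real Blob service responses so the classifier can be exercised offline; only probe_container() touches the network, and only if you call it.

```python
"""Probe an Azure Blob container the way an outsider would: with no credentials.

Added example for this newsletter; it is not Microsoft's or SOCRadar's code.
The account and container names are placeholders, and the sample XML bodies
are constructed in the shape of real Blob service replies so the classifier
runs offline. Only probe_container() touches the network.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple


def verdict_for_listing(status: int, body: str) -> str:
    """Classify the reply to an unauthenticated 'list blobs' request."""
    if status == 200 and "<EnumerationResults" in body:
        return "PUBLIC: container-level anonymous access, anyone can enumerate and read"
    if status == 200:
        return "UNEXPECTED: 200 without a listing body, inspect manually"
    # A non-200 here is not an all-clear: the 'blob' access level hides the
    # listing but still serves any blob whose name the caller already knows.
    return f"LISTING DENIED (HTTP {status}); individual blobs may still be anonymously readable"


def verdict_for_blob(status: int) -> str:
    """Classify the reply to an unauthenticated GET of one blob."""
    if status == 200:
        return "PUBLIC: blob readable without credentials"
    # Azure does not confirm existence to anonymous callers, so treat any
    # non-200 as 'not anonymously readable', not as 'does not exist'.
    return f"DENIED (HTTP {status})"


def blob_names(listing_xml: str) -> List[str]:
    """Names from a container listing, i.e. what an attacker would have seen."""
    root = ET.fromstring(listing_xml)
    return [el.text or "" for el in root.iter("Name")]


def _anonymous_get(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """GET with no Authorization header; return (status, first 64 KiB of body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "anon-blob-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


def probe_container(account: str, container: str, blob_name: Optional[str] = None) -> Dict[str, str]:
    """Run the listing probe and, if a known blob name is given, the single-blob probe."""
    base = f"https://{account}.blob.core.windows.net/{container}"
    status, body = _anonymous_get(f"{base}?restype=container&comp=list")
    result = {"listing": verdict_for_listing(status, body)}
    if status == 200 and "<EnumerationResults" in body:
        try:
            result["exposed_blobs"] = ", ".join(blob_names(body))
        except ET.ParseError:  # body was cut at 64 KiB; listing is bigger than that
            result["exposed_blobs"] = "(listing truncated; fetch the full listing to enumerate)"
    if blob_name:
        status, _ = _anonymous_get(f"{base}/{blob_name}")
        result["blob"] = verdict_for_blob(status)
    return result


# Constructed replies (placeholder account and blob names), not captured traffic.
SAMPLE_PUBLIC_LISTING = (
    '<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" '
    'ContainerName="sample-container"><Blobs>'
    "<Blob><Name>deploy/settings.json</Name></Blob>"
    "<Blob><Name>scripts/db-connect.ps1</Name></Blob>"
    "</Blobs><NextMarker /></EnumerationResults>"
)
SAMPLE_DENIED = (
    "<Error><Code>ResourceNotFound</Code>"
    "<Message>The specified resource does not exist.</Message></Error>"
)

if __name__ == "__main__":
    print(verdict_for_listing(200, SAMPLE_PUBLIC_LISTING), blob_names(SAMPLE_PUBLIC_LISTING))
    print(verdict_for_listing(404, SAMPLE_DENIED))
    # Live check against one of your own accounts (placeholder names):
    # print(probe_container("mystorageacct", "mycontainer", "config/app.json"))
```

Run it against your own storage accounts from outside your network; a PUBLIC verdict on anything but a deliberately public web container is a finding. The fix is to turn anonymous access off for the whole account rather than container by container, which the Azure CLI does with `az storage account update --name <account> --resource-group <rg> --allow-blob-public-access false`, and then to rotate any credential that lived in the exposed files, since you will not know who already pulled them.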

 

New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts 

 

Tycoon 2FA, active since August 2023, is a Phishing-as-a-Service platform that targets Microsoft 365 and Gmail accounts to bypass two-factor authentication protections

  • Found to have 7 distinct stages 
  • Stage 0 – Attackers distribute malicious links via emails with embedded URLs or QR codes, tricking victims into accessing phishing pages. 
  • Stage 1 – A security challenge (Cloudflare Turnstile) filters out bots, allowing only human interactions to proceed to the deceptive phishing site. 
  • Stage 2 – Background scripts extract the victim's email from the URL to customize the phishing attack. 
  • Stage 3 – Users are quietly redirected to another part of the phishing site, moving them closer to the fake login page. 
  • Stage 4 – This stage presents a fake Microsoft login page to steal credentials, using WebSockets for data exfiltration. 
  • Stage 5 – The kit mimics a 2FA challenge, intercepting the 2FA token or response to bypass security measures. 
  • Stage 6 – Finally, victims are directed to a legitimate-looking page, obscuring the phishing attack's success. 

Link (1): https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-kit-targets-microsoft-365-gmail-accounts/ 
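Stage 2 above is also a detection opportunity: if the kit needs the victim's address in the link to pre-fill the fake login page, a mail gateway can look for exactly that. The Python script below is an added example written for this update, not code from the linked report or from the kit itself. The hostnames in SAMPLE_URLS are placeholders and the links are constructed, so it runs offline.

```python
"""Flag links that carry the victim's e-mail address, as Tycoon 2FA's stage 2 expects.

Added example for this newsletter, not code from the kit write-up or from any
vendor. The hostnames in SAMPLE_URLS are placeholders and the links are
constructed; nothing here is real phishing infrastructure.
"""
import base64
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Eight or more base64/base64url characters with optional '=' padding.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{8,}={0,2}")
# Separators between URL pieces; '/' is ambiguous (path separator or base64
# character) and is handled both ways in _b64_candidates().
PIECE_SPLIT_RE = re.compile(r"[?&#;,\s]+")


def _decode_b64_text(token: str) -> Optional[str]:
    """Decode base64 or base64url to printable text; None if the token is neither."""
    std = token.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)  # kits often drop the padding from URLs
    try:
        text = base64.b64decode(std, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    return text if text.isprintable() else None


def _b64_candidates(text: str) -> List[str]:
    """Base64-looking tokens, once with '/' as a base64 char and once as a path separator."""
    tokens: List[str] = []
    for piece in PIECE_SPLIT_RE.split(text):
        tokens += B64_TOKEN_RE.findall(piece)
        for segment in piece.split("/"):
            tokens += B64_TOKEN_RE.findall(segment)
    return tokens


def find_victim_emails(url: str) -> List[str]:
    """Return addresses embedded in the URL's path, query or fragment, clear or base64."""
    parts = urlsplit(url)
    # Only the attacker-controlled, per-victim parts; the hostname is left out.
    haystack = " ".join(unquote(p) for p in (parts.path, parts.query, parts.fragment))
    found = EMAIL_RE.findall(haystack)  # clear-text addresses
    for token in _b64_candidates(haystack):
        text = _decode_b64_text(token)
        if text and EMAIL_RE.fullmatch(text):
            found.append(text)
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


def triage(urls: List[str]) -> Dict[str, List[str]]:
    """Map each URL that carries an address to the addresses found; clean URLs are omitted."""
    hits: Dict[str, List[str]] = {}
    for url in urls:
        emails = find_victim_emails(url)
        if emails:
            hits[url] = emails
    return hits


# Constructed sample links (placeholder hosts), not real kit infrastructure.
SAMPLE_URLS = [
    # base64 of victim@example.com in the fragment, as a kit might do
    "https://login-verify.example/auth/#dmljdGltQGV4YW1wbGUuY29t",
    # base64 of bob@corp.example with percent-encoded padding in the query
    "https://docs-share.example/view?e=Ym9iQGNvcnAuZXhhbXBsZQ%3D%3D",
    # clear-text address in the query
    "https://mfa-reset.example/verify?user=alice@example.org",
    # benign link with no address anywhere
    "https://www.microsoft.com/en-us/security/blog/2024/04/09/",
]

if __name__ == "__main__":
    for url, emails in triage(SAMPLE_URLS).items():
        print(f"FLAG {url} -> {emails}")
```

Run as-is it flags the three constructed lure links and lets the Microsoft link through. In practice, feed it the URLs your gateway already extracts and treat a hit on a domain your organization does not own as a strong signal, but not a block on its own: legitimate unsubscribe and tracking links sometimes carry the recipient's address the same way, so pair it with sender reputation or domain age.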

 

Omni Hotels confirms cyberattack 

 

Omni Hotels & Resorts has been dealing with a cyberattack that began on March 29th

  • Omni shut down systems to protect data, which resulted in a nationwide outage that weekend
  • The scope of the event and the data impacted are still unknown and under review by third-party response teams

Link (1): https://www.cybersecuritydive.com/news/omni-hotels-cyberattack/712452/#:~:text=Omni%20Hotels%20%26%20Resorts%20properties%20were,that%20began%20this%20past%20weekend. 

 

Classified Five Eyes data theft claimed by threat actor

 

IntelBroker has taken credit for a breach of Acuity Inc, a third-party company that works directly with the US Government and its allies, and claims to have obtained Five Eyes intelligence data from it

  • Acuity is a Virginia-based federal tech consulting firm
  • The actor claims the data includes full names, government and military email addresses, and office and personal phone numbers, along with classified information and communications between the Five Eyes, 14 Eyes, and other US allies

Link (1): https://www.infosecurity-magazine.com/news/threat-actor-classified-five-eyes/ 

 

Cancer center data breach affects 800,000 

 

City of Hope has disclosed a data breach affecting the personal and health information of 827k patients

  • City of Hope is a cancer hospital operator and clinical research organization
  • The incident was discovered almost 6 months ago (Oct 13, 2023), but notice was not posted until April 2nd
  • The intrusion appears to have occurred between Sept 19th and Oct 12th
  • Data stolen included patient names, contact information (email, phone numbers), dates of birth, SSNs, driver's license numbers, financial details (bank account and/or credit card numbers), health insurance information, medical records, information about medical history and/or associated conditions, and/or unique identifiers used to associate individuals with City of Hope (medical record numbers)

Link (1): https://www.fiercehealthcare.com/health-tech/city-hope-discloses-data-breach-impacting-827k-patients-personal-and-health-information#:~:text=City%20of%20Hope%20discloses%20data,patients'%20personal%20and%20health%20information&text=City%20of%20Hope%2C%20a%20cancer,of%20nearly%201%20million%20patients. 

 

Government warns hospitals of hackers targeting IT help desks 

 

Much like the MGM incident, Scattered Spider-style social engineering of IT help desks is now showing up at hospitals

  • Just because a threat actor targets someone without access to critical systems does not mean they cannot pivot to those accounts once inside the environment
  • The health sector is being advised to:
      • Require callbacks to verify employees requesting password resets and new MFA devices
      • Monitor for suspicious ACH changes
      • Revalidate all users with access to payer websites
      • Consider requiring in-person requests for sensitive matters
      • Require supervisors to verify requests
      • Train help desk staff to identify and report social engineering techniques and to verify callers' identities

Link (1): https://www.bleepingcomputer.com/news/security/us-health-dept-warns-hospitals-of-hackers-targeting-it-help-desks/ 

 

New York City becomes latest in municipal government hack attempts 

 

NYC has taken its city payroll website offline, removing it from public view, after a phishing (smishing) incident

  • The incident took place during the period when people were pulling information for their tax returns

Link (1): https://therecord.media/new-york-city-government-smishing-attack 

 

Home Depot third party breach of employee data 

 

IntelBroker (yet again) has leaked data on approximately 10k Home Depot employees

  • Home Depot has confirmed that one of its third-party SaaS vendors mistakenly exposed sample employee data (names, work email addresses, and user IDs) during a systems test
  • How third parties handle your data is a key consideration when building out vendor relationships and contracts

Link (1): https://www.bleepingcomputer.com/news/security/home-depot-confirms-third-party-data-breach-exposed-employee-info/ 

 

Change Healthcare targeted again, by a different threat actor

 

RansomHub claims to have stolen 4TB of data from Change Healthcare in February

  • This comes on the heels of the earlier incident in which ALPHV/BlackCat ransomed Change Healthcare's systems for $22 million
  • The data is said to include medical/dental records, payment/claims information, and patient PII (including SSNs), along with source code for their software solutions

Link (1): https://thecyberwire.us16.list-manage.com/track/click?u=9f0cab23b3ee44f3bc482be80&id=af9eb66c93&e=75c345233e 

 

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 


About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or modern technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been part of multiple groups within the IT field, spanning Telecom, Network, Wireless, and Infrastructure, before eventually finding his passion in Security. Roughly 20 years of that time was spent in the Oil and Gas industry, working across multiple teams and leading initiatives. Specifically at EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program.

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. He lives in Dallas, Texas with his wife and children. 


About: Flair Data Systems is a strategically priced IT solutions company serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity. We are a trusted cyber security company in Plano, TX.

