Top news stories this week
- Prickly. CACTUS ransomware group targets victims with triple extortion tactics.
- Operation Medusa. NCSC and FBI lead takedown of Russian Snake malware infrastructure.
- Law enforcement bytes back. The US Department of Justice and the National Police of Spain crack down on DDoS-for-hire services and phishing gangs.
- Patch o’clock. Microsoft addresses three zero-day vulnerabilities and Iranian nation state group exploits unpatched PaperCut vulnerability.
- A tale of two breaches. NextGen Healthcare and Sysco suffer data breaches.
- TechnologyOne breached. Australian ERP provider hit by cyber attack.
- NodeStealer malware. Meta disrupts new information-stealing malware.
1. New ransomware group alert: CACTUS
A new ransomware group dubbed CACTUS has emerged, targeting organisations by exploiting known vulnerabilities in Fortinet VPN appliances to gain initial access. CACTUS encrypts its own ransomware binary, an unusual technique that makes the payload harder for antivirus and network monitoring tools to detect and analyse.
S-RM’s Incident Response Team has also observed an increase in CACTUS ransomware cases with the following tactics being witnessed:
- Exploitation of vulnerabilities affecting Zoho ManageEngine products to gain initial network access.
- The employment of triple extortion. In addition to encrypting and stealing victims’ data, CACTUS directly communicates with relevant stakeholders to increase the perceived urgency of ransom demands.
Organisations using Fortinet VPN appliances and ManageEngine products should patch vulnerable software immediately and review any system that was exposed while unpatched for signs of compromise.
2. NCSC and FBI lead takedown of Snake malware infrastructure
The National Cyber Security Centre (NCSC) and FBI have led the takedown of the Snake malware infrastructure. The Snake malware, which has been attributed to Russia's Federal Security Service (FSB), gave operators the ability to steal sensitive documents and information from infected devices.
Organisations should follow CISA's advisory to help detect Snake malware infections.
3. International crackdown on cyber crime
The US Department of Justice has seized 13 domains used to run DDoS-for-hire services. A DDoS attack floods a website with malicious traffic until it can no longer respond to legitimate requests. 10 of the seized domains were revived versions of sites the FBI had already taken down in December 2022.
Separately, the National Police of Spain arrested over 40 individuals in connection with a cyber crime operation that defrauded 300,000 people of an estimated EUR 700,000 through email and SMS-based phishing attacks.
Whilst law enforcement has won substantial victories in the fight against cyber crime, DDoS-for-hire websites and large-scale phishing scams are likely to reappear. User awareness training and analysing traffic patterns for DDoS help to mitigate these risks.
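The traffic-pattern analysis recommended above can be as simple as counting requests per source and per second and flagging anything far outside the baseline. The following is an added illustration, not code from the bulletin or from any of the organisations it mentions. It parses Common Log Format web access logs, flags a source that exceeds a per-window request threshold, and flags seconds whose total request count spikes well above the median. The log lines are constructed for the example; the window, threshold and baseline multiplier are arbitrary values a practitioner would tune to their own traffic.

```python
"""Rate-based DDoS indicators over web access logs.

Added example for this bulletin; not S-RM code. Sample log lines are
constructed below, not captured from any real incident.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format, e.g.
# 203.0.113.7 - - [12/May/2023:12:00:01 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"),
            "status": int(m.group("status"))}


def flag_sources(events, window_s=10, threshold=50):
    """Per-source sliding window: return {ip: first timestamp at which ip
    made more than `threshold` requests within any `window_s` seconds}."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Drop timestamps that have fallen out of the window.
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


def rate_spikes(events, bucket_s=1, baseline_factor=5):
    """Aggregate view for distributed floods: bucket all requests into
    `bucket_s`-second buckets and return those exceeding
    baseline_factor x the median bucket count, keyed by epoch second."""
    counts = defaultdict(int)
    for ev in events:
        counts[int(ev["ts"].timestamp()) // bucket_s] += 1
    values = sorted(counts.values())
    median = values[len(values) // 2]
    limit = baseline_factor * max(median, 1)
    return {b: c for b, c in counts.items() if c > limit}


def build_sample_log():
    """Constructed sample: three normal clients at 1 req/s for 20 s, plus one
    source (203.0.113.7, a documentation address) sending 30 req/s during
    seconds 10-14. Not real traffic."""
    base = datetime(2023, 5, 12, 12, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, t, path):
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for s in range(20):
        t = base + timedelta(seconds=s)
        for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
            lines.append(fmt(ip, t, "/index.html"))
        if 10 <= s <= 14:
            lines.extend(fmt("203.0.113.7", t, "/") for _ in range(30))
    return lines


def analyse(lines):
    """Parse lines and return (flagged_sources, spike_buckets)."""
    events = [e for e in map(parse_line, lines) if e]
    return flag_sources(events), rate_spikes(events)


if __name__ == "__main__":
    flagged, spikes = analyse(build_sample_log())
    for ip, ts in flagged.items():
        print(f"source {ip} exceeded threshold at {ts.isoformat()}")
    for bucket, count in sorted(spikes.items()):
        print(f"spike: {count} requests in second {bucket}")
```

The per-source check catches a single noisy client; the aggregate check is what matters for a genuinely distributed flood, where no individual source stands out. In production both would run over a streaming log pipeline rather than a list, and the baseline would be a rolling figure from normal hours rather than the median of the batch being inspected.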
4. Patch Tuesday and PaperCut vulnerability continues to be exploited
Microsoft has patched 38 vulnerabilities, including three zero-day vulnerabilities. Two of the three are under active exploitation: a privilege escalation flaw in the Win32k kernel driver and a Secure Boot bypass. The third, a remote code execution flaw in Windows OLE, was publicly disclosed before a patch was available.
Separately, the Iranian-backed group Mango Sandstorm is exploiting unpatched systems containing the PaperCut vulnerability (CVE-2023-27350). This is despite the print management company releasing urgent patches to mitigate attacks.
Threat actors favour known vulnerabilities because they offer reliable, low-effort access to unpatched systems. Timely identification and deployment of patches is crucial in protecting your organisation against widely exploited vulnerabilities.
5. NextGen Healthcare and Sysco experience data breaches
NextGen Healthcare has confirmed a recent data breach affecting approximately 1 million patients. NextGen stated that the incident did not impact any health or medical data. The company has also provided affected individuals with fraud detection and identity theft protection services.
Sysco, a leading global food distribution company, also confirmed a security breach where attackers stole sensitive business, customer, and employee data. Business operations and customer service reportedly remain unaffected.
It is vital that organisations understand and track the data types they store and process. Organisations should classify their data assets by sensitivity to help assign appropriate security controls and access restrictions.
6. Australian ERP provider hit with cyber attack
TechnologyOne, an Australian provider of enterprise resource planning (ERP), has reported a cyber security incident involving unauthorised access to its Microsoft 365 platform. TechnologyOne has requested a trading halt, which it expects to lift by the end of the week.
Organisations should maintain stringent security measures to prevent user accounts from being compromised, including enforcing multi-factor authentication, monitoring account and sign-in activity for anomalies, and conducting regular phishing awareness training.
7. Meta defuses new NodeStealer malware
Meta has disrupted the operation behind the new information-stealing malware, NodeStealer. The malware allowed threat actors to hijack accounts by stealing browser information, usernames, and passwords. Due to the way the malware is executed, online malware scanning tools failed to identify it as malicious.
Organisations should be proactive when threat hunting and not solely rely on pre-existing malware detections.