Today — 17 June 2024 Security News

Empire Market owners charged with operating $430M dark web marketplace

17 June 2024 at 21:34

Federal authorities charged two individuals with operating the dark web marketplace Empire Market that facilitated over $430 million in illegal transactions.

Two men, Thomas Pavey (aka “Dopenugget”) and Raheim Hamilton (aka “Sydney” and “Zero Angel”), have been charged in federal court in Chicago for operating the dark web marketplace “Empire Market” from 2018 to 2020.

According to the indictment, the duo was previously involved in selling counterfeit U.S. currency on AlphaBay before starting Empire Market.

The two men are accused of having facilitated over four million transactions for a total value of more than $430 million, involving illegal goods and services. The authorities charged them with various crimes, including drug trafficking, computer fraud, access device fraud, counterfeiting, and money laundering, which carry a maximum sentence of life in federal prison. Pavey and Hamilton are currently in U.S. law enforcement custody, with arraignments yet to be scheduled.

“THOMAS PAVEY, also known as “Dopenugget,” 38, of Ormond Beach, Fla., and RAHEIM HAMILTON, also known as “Sydney” and “Zero Angel,” 28, of Suffolk, Va., owned and operated Empire Market from 2018 to 2020, during which time they facilitated approximately four million transactions between vendors and buyers valued at more than $430 million, according to a superseding indictment returned Thursday in U.S. District Court in Chicago.” reads the press release published by DoJ. “They began operating Empire Market on Feb. 1, 2018, the indictment states.”

The dark web marketplace Empire Market featured multiple categories of illicit goods, such as illegal drugs, counterfeit items, software and malware, and credit card numbers. It allowed its users to pay using Bitcoin (BTC), Monero (XMR), and Litecoin (LTC).

The dark web marketplace shut down in 2020, leaving users no time to withdraw funds from their escrow accounts. At the time, some users blamed a prolonged distributed denial-of-service (DDoS) attack, while others suspected an exit scam.

The two operators used cryptocurrency to conceal the nature and identities involved in the illicit transactions and encouraged users to use “tumbling” services, which mix and exchange cryptocurrencies to obscure their origin and connection to the marketplace.

During the investigation, the feds seized cryptocurrency worth $75 million at the time of the seizures, as well as cash and precious metals.

Pavey and Hamilton face charges for five counts:

  • Conspiracy to sell counterfeit U.S. currency on AlphaBay.
  • Conspiracy to distribute controlled substances through Empire Market.
  • Conspiracy to possess unauthorized access devices.
  • Conspiracy to sell counterfeit currency on Empire Market.
  • Conspiracy to commit money laundering to conceal proceeds from illegal activities.

The two men can face a maximum sentence of life in federal prison.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Empire Market)

China-linked Velvet Ant uses F5 BIG-IP malware in cyber espionage campaign

17 June 2024 at 19:27

Chinese cyberespionage group Velvet Ant was spotted using custom malware to target F5 BIG-IP appliances to breach target networks.

In late 2023, Sygnia researchers responded to an incident suffered by a large organization that they attributed to a China-linked threat actor tracked as ‘Velvet Ant.’

The cyberspies deployed custom malware on F5 BIG-IP appliances to gain persistent access to the internal network of the target organization and steal sensitive data.

The investigation revealed that the threat actor had been present in the organization’s on-premises network for about three years, aiming to maintain access for espionage purposes. They achieved persistence by establishing multiple footholds within the company’s environment. One method was exploiting a legacy internet-facing F5 BIG-IP appliance, which the attackers also used as an internal command and control (C&C) server. When one foothold was discovered and remediated, the threat actor quickly pivoted to another, demonstrating agility and a deep understanding of the target’s network infrastructure.

“The compromised organization had two F5 BIG-IP appliances which provided services such as firewall, WAF, load balancing and local traffic management. These appliances were directly exposed to the internet, and both of which were compromised. Both F5 appliances were running an outdated, vulnerable, operating system. The threat actor may have leveraged one of the vulnerabilities to gain remote access to the appliances.” reads the analysis published by Sygnia. “As a result, a backdoor hidden within the F5 appliance can evade detection from traditional log monitoring solutions.”

Once the attackers had compromised the F5 BIG-IP appliances, they gained access to internal file servers and deployed the PlugX RAT. The PlugX RAT was used by multiple Chinese APT groups in cyberespionage campaigns over the years.

Forensic analysis of the F5 appliances identified four binaries deployed by the threat actor:

  1. VELVETSTING – a tool that connects to the threat actor’s C&C once an hour, looking for commands to execute. Once the tool received a command, it executed it via ‘csh’ (Unix C shell).
  2. VELVETTAP – a tool with the ability to capture network packets.
  3. SAMRID – identified as ‘EarthWorm’, an open-source SOCKS proxy tunneller available on GitHub. The tool was utilized in the past by multiple China-linked APT groups, including ‘Volt Typhoon’, ‘APT27’ and ‘Gelsemium’.
  4. ESRDE – a tool with similar capabilities to that of ‘VELVETSTING’, but with minor differences, such as using bash instead of ‘csh’.

Researchers provided the following recommendations for organizations to mitigate attacks of groups like Velvet Ant:

  • Limit outbound internet traffic.
  • Limit lateral movement throughout the network.
  • Enhance security hardening of legacy servers.
  • Mitigate credential harvesting.
  • Protect public-facing devices.

The report also includes indicators of compromise for the attack analyzed by the researchers.
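The hourly C&C polling described for VELVETSTING is the kind of behaviour egress logs can surface even when the appliance itself hides the backdoor from host-level monitoring. The following is an added example, not Sygnia’s tooling: it builds a constructed egress-firewall log (hypothetical addresses) and flags source/destination pairs whose connection intervals cluster tightly around 3600 seconds.

```python
"""Flag hourly outbound beaconing in an egress connection log (added example)."""
import csv
import io
import statistics
from datetime import datetime, timedelta, timezone


def build_sample_log():
    """Construct a small CSV egress log; this is sample data, not a real capture."""
    base = datetime(2023, 11, 1, tzinfo=timezone.utc)
    rows = []
    # Hypothetical appliance 10.0.0.5 polling 203.0.113.10 once an hour with
    # a little jitter, mimicking the hourly C&C check-in described for VELVETSTING.
    jitter = [0, 30, -20, 40, -35, 15, -45, 25]
    for i, j in enumerate(jitter):
        rows.append((base + timedelta(seconds=3600 * i + j),
                     "10.0.0.5", "203.0.113.10", 443))
    # Ordinary workstation traffic at irregular intervals (should not be flagged).
    for offset in [0, 120, 900, 1000, 5000, 5100, 9000, 20000]:
        rows.append((base + timedelta(seconds=offset),
                     "10.0.0.7", "198.51.100.20", 443))
    rows.sort()
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["timestamp", "src", "dst", "dport"])
    for ts, src, dst, dport in rows:
        writer.writerow([ts.strftime("%Y-%m-%dT%H:%M:%SZ"), src, dst, dport])
    return buf.getvalue()


def parse_log(text):
    """Group connection timestamps by (src, dst, dport)."""
    groups = {}
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        key = (row["src"], row["dst"], int(row["dport"]))
        groups.setdefault(key, []).append(ts)
    return groups


def find_beacons(text, period=3600, tolerance=0.05, min_hits=6):
    """Return pairs whose inter-connection gaps sit within tolerance of `period`.

    Both the median gap and the worst single deviation from that median must
    stay within tolerance * period, so bursty browsing is not mistaken for a beacon.
    """
    flagged = []
    for (src, dst, dport), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        spread = max(abs(g - median) for g in gaps)
        if abs(median - period) <= tolerance * period and spread <= tolerance * period:
            flagged.append({"src": src, "dst": dst, "dport": dport,
                            "hits": len(times), "median_gap": median})
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(build_sample_log()):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"{hit['hits']} connections, median gap {hit['median_gap']:.0f}s")
```

Real C&C implants often add more jitter or vary the period, so treat this as one signal to combine with destination reputation and the appliance’s expected outbound destinations, not as a standalone verdict.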


Pierluigi Paganini

(SecurityAffairs – hacking, Velvet ANT APT)

LA County’s Department of Public Health (DPH) data breach impacted over 200,000 individuals

17 June 2024 at 13:12

The County of Los Angeles’ Department of Public Health (DPH) disclosed a data breach that impacted more than 200,000 individuals.

The LA County’s Department of Public Health announced that the personal information of more than 200,000 individuals was compromised in a data breach that occurred between February 19 and February 20, 2024.

Threat actors obtained the log-in credentials of 53 Public Health employees through a phishing campaign.

“Between February 19, 2024, and February 20, 2024, the Los Angeles County Department of Public Health experienced a phishing attack in which a hacker was able to gain log-in credentials of 53 Public Health employees through a phishing email, compromising the personal information of more than 200,000 individuals.” reads the notice of data breach published by DPH.

Upon discovering the phishing attack, Public Health disabled the impacted email accounts and reset and reimaged the users’ devices. The organization also blocked the websites that were the origin of the attack and quarantined all suspicious incoming emails.

Potentially compromised e-mail accounts may have included DPH clients’, employees’ and other individuals’ first and last name, date of birth, diagnosis, prescription, medical record number/patient ID, Medicare/Medi-Cal number, health insurance information, Social Security Number, and other financial information.

“Affected individuals may have been impacted differently and not all of the elements listed were present for each individual.” continues the notice.

LA County’s Department of Public Health is notifying impacted individuals by mail.

The agency is informing the U.S. Department of Health & Human Services’ Office for Civil Rights and other relevant agencies.

In response, Public Health has implemented numerous enhancements to reduce exposure to similar e-mail attacks in the future.

At the time of this writing, DPH cannot confirm whether any information has been accessed or misused. The agency recommends that impacted individuals review the content and accuracy of their medical records with their medical providers.


The agency is also offering entitled individuals free credit and identity monitoring services.

In April, the Los Angeles County Department of Health Services disclosed a data breach that impacted thousands of patients. Patients’ personal and health information was exposed after a phishing attack impacted over two dozen employees.

Los Angeles County Department of Health Services operates the public hospitals and clinics in Los Angeles County, and is the United States’ second largest municipal health system, after NYC Health + Hospitals.

The phishing attack occurred between February 19, 2024, and February 20, 2024. Attackers obtained the credentials of 23 DHS employees.

“A phishing e-mail tries to trick recipients into giving up important information. In this case, the DHS employees clicked on the link located in the body of the e-mail, thinking that they were accessing a legitimate message from a trustworthy sender.” reads the data breach notification sent to the impacted individuals. “Due to the ongoing investigation by law enforcement, we were advised to delay notifying you of this incident until now, as public notice may have hindered their investigation.”

The compromised information varied for each individual. Potentially exposed information included the patient’s first and last name, date of birth, home address, phone number(s), e-mail address, medical record number, client identification number, dates of service, and/or medical information (e.g., diagnosis/condition, treatment, test results, medications), and/or health plan information.

Social Security Numbers (SSN) or financial information was not compromised.


Pierluigi Paganini

(SecurityAffairs – hacking, LA County’s Department of Public Health)

Spanish police arrested an alleged member of the Scattered Spider group

17 June 2024 at 10:43

A joint law enforcement operation led to the arrest of a key member of the cybercrime group known as Scattered Spider.

Spanish police arrested a 22-year-old British national who is suspected of being a key member of the cybercrime group known as Scattered Spider (also known as UNC3944 and 0ktapus). The man was arrested in Palma de Mallorca while attempting to fly to Italy; during the arrest, police confiscated a laptop and a mobile phone. The arrest resulted from a joint operation conducted by the U.S. Federal Bureau of Investigation (FBI) and the Spanish Police.

“A 22-year-old British man has been arrested in Palma de Mallorca in a joint effort by Spanish police and the FBI on suspicion of being the ringleader of a hacking group which targeted 45 companies and people in the United States.” reported the Murcia Today. “He stands accused of hacking into corporate accounts and stealing critical information, which allegedly enabled the group to access multi-million-dollar funds.”

The cybercrime group Scattered Spider is suspected of hacking into hundreds of organizations over the past two years, including Twilio, LastPass, DoorDash, and Mailchimp.

While Murcia Today did not provide info about the arrested man, vx-underground states that the individual was involved in “several other high-profile ransomware attacks performed by Scattered Spider.”

vx-underground also added that the man arrested is a SIM-swapper known by the alias “Tyler.”

June 14th a 22-year-old British man was arrested in Palma de Mallorca, Spain.

Per the official report: the currently unidentified male is alleged to be behind a series of large-enterprise 'hacks' which resulted in the theft of corporate information and allowing an unidentified… pic.twitter.com/jygRdfCUpu

— vx-underground (@vxunderground) June 15, 2024

Previously on Dragon Ball Z, the Spanish media reported a 'hacker' was arrested via the Spanish Police working in conjunction with the United States Federal Bureau of Investigation.

The individual arrested as a 22-year-old male from the United Kingdom. He was not immediately…

— vx-underground (@vxunderground) June 15, 2024

According to the Spanish police, the man once controlled Bitcoins worth $27 million. According to vx-underground, a judge in Los Angeles, California, has issued a warrant for the arrest of the British citizen. Spanish police tracked the suspect to Mallorca after he entered Spain via Barcelona in late May. The investigation is still ongoing, and the police have yet to disclose the suspect’s identity.

The popular journalist Brian Krebs reported that sources familiar with the investigation told KrebsOnSecurity the man is a 22-year-old from Dundee, Scotland, named Tyler Buchanan.

“Sources familiar with the investigation told KrebsOnSecurity the accused is a 22-year-old from Dundee, Scotland named Tyler Buchanan, also allegedly known as “tylerb” on Telegram chat channels centered around SIM-swapping.” states KrebsOnSecurity.

In January 2024, U.S. authorities arrested Noah Michael Urban, a 19-year-old from Palm Coast, Florida, suspected of being a member of the Scattered Spider cybercriminal group. He is accused of stealing at least $800,000 from five victims between August 2022 and March 2023. Urban, known online as “Sosa” and “King Bob,” is linked to the same group that hacked Twilio and other companies in 2022.

Scattered Spider members are part of a broader cybercriminal community called “The Com,” where hackers brag about high-profile cyber thefts, typically initiated through social engineering tactics like phone, email, or SMS scams to gain access to corporate networks.

“One of the more popular SIM-swapping channels on Telegram maintains a frequently updated leaderboard of the most accomplished SIM-swappers, indexed by their supposed conquests in stealing cryptocurrency. That leaderboard currently lists Sosa as #24 (out of 100), and Tylerb at #65.” continues Krebs.


Pierluigi Paganini

(SecurityAffairs – hacking, Scattered Spider)

Online job offers, the reshipping and money mule scams

17 June 2024 at 08:18

Offers that promise easy earnings can also bring with them a host of scams that deceive those who are genuinely seeking income opportunities.

Often, behind these enticing offers are pyramid schemes in which profits are generated through the recruitment of new participants rather than through an actual service, sometimes causing significant financial losses. Other false offers may require an initial investment that never yields a significant return, or promise job opportunities with hidden fees. It is into this scenario that illicit practices such as money mules and reshipping scams fit.

Money mules

This practice is illegal and encourages money laundering and other criminal activities. The term money mules refers to those individuals who are recruited by criminals to transfer illicit money through their bank accounts in exchange for a commission. Money mules are often unaware that they are committing a crime and think they are doing regular work.

In this regard, the State Police’s latest operation “EMMA 9,” a vast action to combat cyber money laundering coordinated by Europol and conducted in 28 countries, uncovered 2,729 fraudulent transactions, identified 879 money mules and foiled fraud worth more than 6 million euros.

“The phenomenon of money mules certainly represents one of the established and ever-present aspects of online fraud. These individuals constitute the last link in the chain through which criminals monetize the proceeds of crime.” comments the State Police. “In the context of countering Financial Cybercrime, the prevalence of these figures is alarming and is endemic worldwide.”

“Drops for stuff” service

This common practice consists of having residents (willing or unwilling) receive high-value products that criminals purchased online, so that the goods can be forwarded to and resold on the black market in regions that merchants refuse to ship to because of their association with credit card fraud (Eastern Europe, North Africa, and Russia). A breach of the systems of SWAT, a criminal service that laundered expensive goods purchased with stolen credit cards, exposed its operations, structure, and earnings. The leaked data provided information on operations, finances and organizational structure, revealing the modus operandi of the reshipping scams and the financial strength of the criminals involved.

The service employed more than 1,200 people in the United States who, knowingly or unknowingly, participated in drop-off scams. The structure of this service, also known as “Drops for Stuff,” distinguished “drops,” people who responded to job ads from home to drop off packages, from “stuffers,” individuals in possession of stolen credit card numbers who paid a fee for drop-off to the Swat service.

As Brian Krebs explained, most reshipping scams promised drops a monthly stipend with possible bonuses that were never actually paid. In practice, packages arrived together with prepaid shipping labels bought with stolen credit cards. The drops were responsible for inspecting and verifying the contents of the shipments, putting the correct shipping label on each package, and sending it through the appropriate shipping company. Once the reshipped parcels arrived, the stuffers could sell the goods on the local black market.

“It’s not hard to see how reshipping can be a profitable venture for card fraudsters,” Krebs explains. “For example, a stuffer buys a stolen payment card on the black market for $10 and uses it to purchase over $1,100 worth of goods. After the reshipping service has taken its cut (about $550) and the stuffer has paid its reshipping label (about $100), the stuffer receives the stolen goods and sells them on the black market in Russia for $1,400. He just turned a $10 investment into more than $700.”

What to do to avoid running into these scams

It is critical to be careful when exploring offers that promise easy earnings. Offers that do not provide clear details about products, earning patterns, or company structure may hide pitfalls. Victims of these scams not only lose money but can also be charged with receiving stolen goods or aiding and abetting criminal activity. To avoid problems, beware of job offers that are too tempting or that require you to make money transfers, and check the legitimacy of companies offering unusual reshipping opportunities.

About the author: Salvatore Lombardo (Twitter @Slvlombardo)

Electronics engineer and Clusit member, for some time now, espousing the principle of conscious education, he has been writing for several online magazines on information security. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.


Pierluigi Paganini

(SecurityAffairs – hacking, money laundering)

Yesterday — 16 June 2024 Security News

Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION

16 June 2024 at 20:53

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

London hospitals canceled over 800 operations in the week after Synnovis ransomware attack
DORA Compliance Strategy for Business Leaders
City of Cleveland still working to fully restore systems impacted by a cyber attack
Two Ukrainians accused of spreading Russian propaganda and hack soldiers’ phones
Google fixed an actively exploited zero-day in the Pixel Firmware
Multiple flaws in Fortinet FortiOS fixed
CISA adds Arm Mali GPU Kernel Driver, PHP bugs to its Known Exploited Vulnerabilities catalog
Ukraine Police arrested a hacker who developed a crypter used by Conti and LockBit ransomware operation
JetBrains fixed IntelliJ IDE flaw exposing GitHub access tokens
Microsoft Patch Tuesday security updates for June 2024 fixed only one critical issue
Cylance confirms the legitimacy of data offered for sale in the dark web
Arm zero-day in Mali GPU Drivers actively exploited in the wild
Expert released PoC exploit code for Veeam Backup Enterprise Manager flaw CVE-2024-29849. Patch it now!
Japanese video-sharing platform Niconico was victim of a cyber attack
UK NHS call for O-type blood donations following ransomware attack on London hospitals
Christie’s data breach impacted 45,798 individuals
Sticky Werewolf targets the aviation industry in Russia and Belarus
Frontier Communications data breach impacted over 750,000 individuals
PHP addressed critical RCE flaw potentially impacting millions of servers

International Press – Newsletter

Cybercrime  

O positive and O negative donors asked to urgently book appointments to give blood following London hospitals IT incident  

BlackBerry Cylance Data Offered for Sale on Dark Web  

They attacked a leading enterprise in the Netherlands and Belgium: the police exposed an accomplice of Russian hackers   

City of Cleveland Scrambling to Restore Systems Following Cyberattack


Malware

Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day   

Operation Celestial Force employs mobile and desktop malware to target Indian entities

Dissecting SSLoad Malware: A Comprehensive Technical Analysis      

DISGOMOJI Malware Used to Target Indian Government   

Arid Viper poisons Android apps with AridSpy  

Hacking

Bypassing Veeam Authentication CVE-2024-29849   

Updates for security issue affecting IntelliJ-based IDEs 2023.1+ and JetBrains GitHub Plugin   

Challenges in red teaming AI systems

The mystery of an alleged data broker’s data breach  

GPT-4 autonomously hacks zero-day security flaws with 53% success rate

EmailGPT Exposed to Prompt Injection Attacks           

Intelligence and Information Warfare 

Howling at the Inbox: Sticky Werewolf’s Latest Malicious Aviation Attacks  

Two Ukrainians suspected of helping Russia spread propaganda, hack military phones

Microsoft Chose Profit Over Security and Left U.S. Government Vulnerable to Russian Hack, Whistleblower Says  

Insights on Cyber Threats Targeting Users and Enterprises in Brazil        

Cybersecurity  

Security Alert: CVE-2024-4577 – PHP CGI Argument Injection Vulnerability  

What Snowflake isn’t saying about its customer data breaches

Why are hospitals becoming more of a target for ransomware attacks  

Arm Warns of Actively Exploited Zero-Day Vulnerability in Mali GPU Drivers

THE JUNE 2024 SECURITY UPDATE REVIEW  

Update on cyber incident: Clinical impact in south east London – Friday 14 June 2024  

Pierluigi Paganini


(SecurityAffairs – hacking, newsletter)

ASUS fixed critical remote authentication bypass bug in several routers

16 June 2024 at 07:44

Taiwanese manufacturer giant ASUS addressed a critical remote authentication bypass vulnerability impacting several router models.

ASUS addressed a critical remote authentication bypass vulnerability, tracked as CVE-2024-3080 (CVSS v3.1 score: 9.8), impacting seven router models.

The flaw is an authentication bypass issue that a remote attacker can exploit to log into the device without authentication.

The flaw impacts the following models:

  • ZenWiFi XT8 3.0.0.4.388_24609 and previous versions
  • RT-AX57 3.0.0.4.386_52294 and previous versions
  • RT-AC86U 3.0.0.4.386_51915 and previous versions
  • RT-AC68U 3.0.0.4.386_51668 and previous versions

The company released the following firmware update to address the issue:

  • Update ZenWiFi XT8 to 3.0.0.4.388_24621 (inclusive) and later versions
  • Update ZenWiFi XT8 V2 to 3.0.0.4.388_24621 (inclusive) and later versions
  • Update RT-AX88U to 3.0.0.4.388_24209 (inclusive) and later versions
  • Update RT-AX58U to 3.0.0.4.388_24762 (inclusive) and later versions
  • Update RT-AX57 to 3.0.0.4.386_52303 (inclusive) and later versions
  • Update RT-AC86U to 3.0.0.4.386_51925 (inclusive) and later versions
  • Update RT-AC68U to 3.0.0.4.386_51685 (inclusive) and later versions

The vendor also addressed a critical arbitrary firmware upload flaw, tracked as CVE-2024-3912 (CVSS score 9.8), impacting multiple devices. An unauthenticated, remote attacker can exploit the flaw to execute system commands on the vulnerable device.

Carlos Köpke from PLASMALABS discovered the flaw. Impacted products are: DSL-N17U, DSL-N55U_C1, DSL-N55U_D1, DSL-N66U, DSL-N14U, DSL-N14U_B1, DSL-N12U_C1, DSL-N12U_D1, DSL-N16, DSL-AC51, DSL-AC750, DSL-AC52U, DSL-AC55U, DSL-AC56U.

Some impacted models will not receive the firmware updates because they have reached the end-of-life (EoL).

The following versions address the flaw:

  • Update the following models to 1.1.2.3_792 (inclusive) and later versions:
    DSL-N17U, DSL-N55U_C1, DSL-N55U_D1, DSL-N66U
  • Update the following models to 1.1.2.3_807 (inclusive) and later versions:
    DSL-N12U_C1, DSL-N12U_D1, DSL-N14U, DSL-N14U_B1
  • Update the following models to 1.1.2.3_999 (inclusive) and later versions:
    DSL-N16, DSL-AC51, DSL-AC750, DSL-AC52U, DSL-AC55U, DSL-AC56U
  • The following models are no longer maintained, and ASUS recommends replacing them:
    DSL-N10_C1, DSL-N10_D1, DSL-N10P_C1, DSL-N12E_C1, DSL-N16P, DSL-N16U, DSL-AC52, DSL-AC55.
    If a device cannot be replaced in the short term, ASUS recommends disabling remote access (web access from WAN), virtual server (port forwarding), DDNS, VPN server, DMZ, and port trigger.
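The two advisories above reduce to a per-model minimum firmware build, plus a set of end-of-life models that can only be replaced or isolated. The following is an added example, not ASUS tooling: it parses ASUS version strings such as 3.0.0.4.388_24621 and 1.1.2.3_792 numerically (so 388_24762 orders correctly against 388_24209) and triages a constructed inventory against the versions listed in this article.

```python
"""Triage an ASUS router inventory against the fixed builds for CVE-2024-3080
and CVE-2024-3912 (added example; model/version tables copied from the article)."""

# Minimum fixed firmware per model for CVE-2024-3080.
FIXED_CVE_2024_3080 = {
    "ZenWiFi XT8": "3.0.0.4.388_24621",
    "ZenWiFi XT8 V2": "3.0.0.4.388_24621",
    "RT-AX88U": "3.0.0.4.388_24209",
    "RT-AX58U": "3.0.0.4.388_24762",
    "RT-AX57": "3.0.0.4.386_52303",
    "RT-AC86U": "3.0.0.4.386_51925",
    "RT-AC68U": "3.0.0.4.386_51685",
}

# Minimum fixed firmware per DSL model for CVE-2024-3912.
FIXED_CVE_2024_3912 = {
    **dict.fromkeys(["DSL-N17U", "DSL-N55U_C1", "DSL-N55U_D1", "DSL-N66U"],
                    "1.1.2.3_792"),
    **dict.fromkeys(["DSL-N12U_C1", "DSL-N12U_D1", "DSL-N14U", "DSL-N14U_B1"],
                    "1.1.2.3_807"),
    **dict.fromkeys(["DSL-N16", "DSL-AC51", "DSL-AC750", "DSL-AC52U",
                     "DSL-AC55U", "DSL-AC56U"], "1.1.2.3_999"),
}

# End-of-life DSL models: no fix will ship; replace, or disable WAN-facing services.
EOL_CVE_2024_3912 = {"DSL-N10_C1", "DSL-N10_D1", "DSL-N10P_C1", "DSL-N12E_C1",
                     "DSL-N16P", "DSL-N16U", "DSL-AC52", "DSL-AC55"}


def parse_version(version):
    """'3.0.0.4.388_24621' -> (3, 0, 0, 4, 388, 24621).

    The build number after '_' becomes the last field, so comparisons are
    numeric rather than lexicographic (which would rank 24762 below 24209
    only by accident and mis-order e.g. 999 vs 1000).
    """
    main, _, build = version.partition("_")
    fields = [int(part) for part in main.split(".")]
    if build:
        fields.append(int(build))
    return tuple(fields)


def assess(model, version):
    """Return 'patched', 'update', 'replace' or 'unlisted' for one device."""
    if model in EOL_CVE_2024_3912:
        return "replace"
    for table in (FIXED_CVE_2024_3080, FIXED_CVE_2024_3912):
        if model in table:
            # A lower branch (e.g. 386 vs 388) orders as older, which is what we want.
            return "patched" if parse_version(version) >= parse_version(table[model]) else "update"
    return "unlisted"


def triage(inventory):
    """Map each (model, version) in an inventory to its status, grouped by action."""
    report = {"patched": [], "update": [], "replace": [], "unlisted": []}
    for model, version in inventory:
        report[assess(model, version)].append(f"{model} {version}")
    return report


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    sample = [("RT-AX58U", "3.0.0.4.388_24762"), ("RT-AX88U", "3.0.0.4.388_23000"),
              ("ZenWiFi XT8", "3.0.0.4.388_24609"), ("DSL-N14U", "1.1.2.3_807"),
              ("DSL-N16P", "1.1.2.3_999"), ("RT-AX86U", "3.0.0.4.388_24000")]
    for action, devices in triage(sample).items():
        print(f"{action:8s} {devices}")
```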


Pierluigi Paganini

(SecurityAffairs – hacking, routers)

Before yesterday — Security News

London hospitals canceled over 800 operations in the week after Synnovis ransomware attack

15 June 2024 at 17:39

NHS England confirmed that multiple London hospitals impacted by the ransomware attack at Synnovis were forced to cancel planned operations.

NHS England confirmed that the recent ransomware attack on Synnovis had a severe impact on multiple London hospitals, forcing them to cancel hundreds of scheduled operations.

Synnovis is a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, and SYNLAB, Europe’s largest provider of medical testing and diagnostics.

In a post published on its website, Synnovis disclosed it was the victim of a ransomware attack.

The pathology and diagnostic services provider has launched an investigation into the security breach with the help of experts from the NHS. The experts are working to fully assess the impact of the attack and to take the appropriate action to contain the incident. The company also announced they are working closely with NHS Trust partners to minimise the impact on patients and other service users.

Law enforcement suspects that the Qilin extortion group is behind the attack. NHS London published a statement on the Synnovis ransomware attack confirming that the incident is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London.

“On Monday 3 June Synnovis, a provider of lab services, was the victim of a ransomware cyber attack. This is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London and we apologise for the inconvenience this is causing to patients and their families.” reads the statement published by NHS London.

“All urgent and emergency services remain open as usual and the majority of outpatient services continue to operate as normal.” continues the NHS. “Unfortunately, some operations and procedures which rely more heavily on pathology services have been postponed, and blood testing is being prioritised for the most urgent cases, meaning some patients have had phlebotomy appointments cancelled.”

On Friday 14 June, NHS London confirmed that King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust canceled more than 800 planned operations and 700 outpatient appointments. According to the statement from NHS London, the majority of planned activity was not interrupted, but the incident impacted some specialities more than others.

“The data for the first week after the attack (3-9 June) shows that, across the two most affected Trusts – King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust – more than 800 planned operations and 700 outpatient appointments needed to be rearranged. The majority of planned activity has continued to go ahead, with some specialities impacted more than others.” reads the statement from NHS England. “Trusts are working hard to make sure any procedures are rearranged as quickly as possible, including by adding extra weekend clinics.”

Synnovis is working on recovering impacted systems, planning to restore some functionality in the coming weeks. Full restoration will take longer, and the need to reschedule tests and appointments will cause ongoing disruptions over the next few months.

Early this week, the UK National Health Service (NHS) issued an urgent call for O-type blood donations due to the recent ransomware attack on Synnovis that disrupted operations at several healthcare organizations in London.

The NHS confirmed that the ransomware attack has disrupted blood matching tests. For this reason, affected hospitals are using O Negative and O Positive blood for patients who can’t wait for alternative matching methods, and the NHS is calling for O-type blood donations.

“England’s top doctor has today (Monday 10 June) backed calls from NHS Blood and Transplant (NHSBT) for O Positive and O Negative blood donors to urgently book appointments to donate in one of the 25 town and city centre NHS Blood Donor Centres in England, to boost stocks of O type blood following the cyber incident in London.” reads the announcement published by the NHS Blood and Transplant.

“The IT incident affecting a pathology provider means the affected hospitals cannot currently match patients’ blood at the same frequency as usual. For surgeries and procedures requiring blood to take place, hospitals need to use O type blood as this is safe to use for all patients and blood has a shelf life of 35 days, so stocks need to be continually replenished. That means more units of these types of blood than usual will be required over the coming weeks to support the wider efforts of frontline staff to keep services running safely for local patients.”

O Negative blood is a universal blood type: anyone can receive it, which makes it crucial in emergencies or when a patient’s blood type is unknown. Although only 8% of the population has O Negative blood, it accounts for about 15% of hospital orders. O Positive, the most common blood type, can be given to anyone with a positive blood type, which covers 76% of the population; 35% of blood donors have O Positive blood.

“To support London hospitals to carry out more surgeries and to provide the best care we can for all patients, we need more O Negative and O Positive donors than usual. Please book an urgent appointment to give blood at one of our 25 town and city donor centres which currently have good appointment availability.” said Dr Gail Miflin, Chief Medical Officer, NHS Blood and Transplant. “We have availability for donors who know they are type O but we also welcome new donors who don’t yet know their blood type. You might have one of these special types that can be used in emergencies.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, London hospitals)

DORA Compliance Strategy for Business Leaders

14 June 2024 at 17:13

In January 2025, European financial and insurance institutions, their business partners and providers, must comply with DORA.

In January 2025, financial and insurance institutions in Europe and any organizations that do business with them must comply with the Digital Operational Resilience Act, also known as DORA. This regulation from the European Union (EU) is intended to both strengthen IT security and enhance the digital resilience of the European financial market. Much like GDPR, this act promises to exert significant influence on the activities of organizations around the world. Its official launch date of January 17, 2025, means there are some pretty stringent deadlines.

Can this be done? Will organizations be ready? These were questions posed in a recent podcast with guest Romain Deslorieux, Strategic Partners Director, Global System Integrators at Thales. He suggested that it might be a “tough call for any organization to follow and to reach as a compliance deadline.” But he also pointed out that the European Supervisory Authority (ESA) is busy defining some of the regulatory technical standards that will provide precise and technical guidelines for organizations to follow. He added that most financial entities have already started to investigate DORA, including defining a roadmap, although it may be time for them to accelerate these activities.

Companies that operate in the world of finance and insurance are no strangers to broad regulations, both internal and international. Still, DORA is a reminder of just how agile they must remain, given that speed is all around them. The incredible rate at which AI technologies were discovered and embraced by end users and then deployed into workplaces everywhere shows just how difficult it can be for an organization to keep on a safe and even keel. The challenge doubles when we factor in the relentless creativity and determination of a criminal element that is always keen to exploit new technologies before adequate safeguards are implemented.

Third-Party Risk

Perhaps one of the most striking elements of DORA is its focus on third-party risk management, which is one of its key pillars. Additional podcast guest Mark Hughes, Global Managing Partner, Cybersecurity Services, IBM Consulting, pointed out how events such as Colonial Pipeline clearly showed how a single piece of a supply chain can have a disproportionate impact on all the other parts. He says this is why DORA places such focus on third-party risk management – not just in conducting risk assessments but also monitoring them.

In a single word, the DORA initiative is about resilience. That’s what the “R” stands for, after all. It’s an updated effort to enhance a fortress while still allowing the free movement of the vital data that keeps economies going.

Sticking with the supply chain in the context of resilience, Romain suggests we take a lesson from cloud technology. Cloud systems and services, he says, represent an essential part of operational resilience, and being a central point of an organization’s data, they must remain up and available. Yet, at the same time, they are also subject to challenges of territoriality in terms of where data can be stored, where the most influential cloud organizations come from, and how sovereignty can be maintained.

The Resilience Clock Is Ticking

The fact is there’s not much time for companies to get their various ducks in a row. Therefore, financial organizations based in Europe that will be at the forefront of compliance preparation must fully assess their current digital systems and processes to find vulnerabilities and resilience gaps. They must also strengthen cybersecurity measures, including encryption, firewalls, and regular security audits, and have incident response plans in place. The same type of requirements should be made for operational risk management and business continuity planning, both of which help ensure they can maintain critical operations in the event of disruptions or cyberattacks.

Strategic activities to be built into this very short timeline include ongoing vigilance of DORA itself within an evolving regulatory landscape, increased or improved collaboration and information sharing, investment in technology and talent, and improved board oversight and governance.

Organizations based outside the areas where DORA directly applies (most of Europe plus Iceland and Norway) should also ensure they understand DORA requirements and open communication channels with their European partners. In addition to staying informed, they may also consider adopting other internationally recognized cybersecurity and operational resilience standards and frameworks, such as ISO 27001 for information security management and ISO 22301 for business continuity management.

It is virtually guaranteed that similar sets of regulations will be imposed by other economic areas of the world, creating challenges for companies either in finance or working with them. This promises to generate sets of economic blocs at the same time as it opens new areas of commerce. However, these changes are best seen as opportunities to fine-tune an organization’s information security systems and to reaffirm relationships with vendors and experts to ensure continued security and compliance.

About the author: Steve Prentice


Pierluigi Paganini

(SecurityAffairs – hacking, Europe financial industry)

CISA adds Android Pixel, Microsoft Windows, Progress Telerik Report Server bugs to its Known Exploited Vulnerabilities catalog

14 June 2024 at 09:46

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Android Pixel, Microsoft Windows, Progress Telerik Report Server bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2024-32896 Android Pixel Privilege Escalation Vulnerability
  • CVE-2024-26169 Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability
  • CVE-2024-4358 Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability

CVE-2024-32896 is an elevation of privilege vulnerability in the Pixel Firmware, which has been exploited in the wild as a zero-day.

CVE-2024-26169 is an elevation of privilege issue in the Microsoft Windows Error Reporting Service that can be exploited to gain SYSTEM privileges.

CVE-2024-4358 is an authentication bypass vulnerability that an unauthenticated attacker can exploit to gain access to Telerik Report Server restricted functionality.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by July 4, 2024.

Pierluigi Paganini


(SecurityAffairs – hacking, Android Pixel)

City of Cleveland still working to fully restore systems impacted by a cyber attack

14 June 2024 at 04:34

Early this week, the City of Cleveland suffered a cyber attack that impacted multiple services. The City is working to restore impacted systems.

On Monday, the City of Cleveland announced it was the victim of a cyber attack and was forced to take some of its systems offline to contain the threat.

The City is still working to restore impacted services; it added that emergency services and utilities were not affected. The incident did not expose taxpayer information held by the CCA or customer information held by Public Utilities.

City of Cleveland Cyber Incident Update

(1/7) We are still investigating the nature and scope of the incident. The City is collaborating with several key partners who provide expert knowledge and deep experience in this work.

— City of Cleveland (@CityofCleveland) June 10, 2024

City Hall and Erieview are closed today June 10, except for essential staff, as we investigate a cyber incident. We have shut down affected systems to secure and restore services. Emergency services and utilities are not affected. Updates will be provided as available.

— City of Cleveland (@CityofCleveland) June 10, 2024

City Hall and Erieview will be closed for the entire week; City Hall reopened only for employees on June 12, 2024.

“Basic City services are functioning normally. Despite adapting to limited IT capabilities, public safety, public works, public utilities, and airport teams are actively working for City residents.” the City wrote on X, the platform used to provide updates on the incident to the citizens.

The City of Cleveland is investigating the incident with the help of law enforcement and key partners to determine the scope of the security incident.

The city did not share information about the attack; however, the shutdown of the IT systems in response to the incident suggests the involvement of ransomware. As of this writing, no ransomware group has claimed responsibility for the attack.


Pierluigi Paganini

(SecurityAffairs – hacking, cyber attack)

Two Ukrainians accused of spreading Russian propaganda and hacking soldiers’ phones

14 June 2024 at 04:29

Ukraine’s security service (SBU) detained two individuals accused of supporting Russian intelligence in spreading propaganda and hacking soldiers’ phones.

Ukraine’s security service, the SBU, detained two individuals who are accused of supporting Russian intelligence in spreading pro-Russia propaganda. They are also accused of hacking the phones of Ukrainian soldiers.

The arrests result from an investigation conducted by SBU officers in collaboration with the Ministry of Defense’s Intelligence Directorate and the National Police.

The SBU uncovered two bot farms in Zhytomyr and Dnipro that were spreading Russian propaganda and hacking soldiers’ phones. The bot farms spread Russian propaganda posing as Ukrainian citizens.

The SBU discovered that a Zhytomyr resident registered over 600 virtual mobile numbers and anonymous Telegram accounts that were used by Russian operatives. The accounts were then sold or rented through Russian online platforms, and the suspect received payments in cryptocurrency. According to the Ukrainian security service, Russian agents employed the numbers in phishing campaigns targeting Ukrainian military personnel to deliver spyware to their phones.

The second man (30), a Dnipro resident, registered nearly 15,000 fake social media and messenger accounts using Ukrainian SIM cards.

Then he sold the fake accounts on dark web forums to Russian intelligence. The Ukrainian authorities charged the man with violating Ukraine’s territorial integrity.

In July 2023, the Cyber Police Department of the National Police of Ukraine dismantled a massive bot farm and seized 150,000 SIM cards.

A gang of more than 100 individuals used fake social network accounts to conduct disinformation and psychological operations in support of the Russian government and its narrative on the invasion of Ukraine.

The gang used a massive bot farm to distribute illegal content and personal data of Ukrainian citizens and to commit fraud.

The cyber police discovered that the group used special equipment and software to register thousands of bot accounts in multiple social networks. 

In August 2022, the Ukrainian cyber police (SSU) dismantled a massive bot farm composed of 1,000,000 bots that was spreading disinformation and Russian propaganda through social networks.


Pierluigi Paganini

(SecurityAffairs – Russian propaganda, bot farm)

Google fixed an actively exploited zero-day in the Pixel Firmware

13 June 2024 at 13:38

Google is warning of a security vulnerability impacting its Pixel Firmware that has been actively exploited in the wild as a zero-day.

Google warned of an elevation of privilege vulnerability, tracked as CVE-2024-32896, in the Pixel Firmware, which has been exploited in the wild as a zero-day.

“There are indications that CVE-2024-32896 may be under limited, targeted exploitation.” reads the advisory.

As usual, the IT giant did not provide technical information about attacks exploiting the above issue.

The Pixel Update Bulletin provides details of security vulnerabilities and functional improvements for supported Google Pixel devices. The company addressed all the flaws detailed in the bulletin with the release of the security patch levels of 2024-06-05 or later and the June 2024 Android Security Bulletin.

Seven out of 50 security vulnerabilities are rated as critical:

CVE             | References     | Type | Severity | Subcomponent
CVE-2024-32891  | A-313509045 *  | EoP  | Critical | LDFW
CVE-2024-32892  | A-326987969 *  | EoP  | Critical | Goodix
CVE-2024-32899  | A-301669196 *  | EoP  | Critical | Mali
CVE-2024-32906  | A-327277969 *  | EoP  | Critical | avcp
CVE-2024-32908  | A-314822767 *  | EoP  | Critical | LDFW

The company addressed multiple information disclosure flaws impacting GsmSs, ACPM, and Trusty and multiple DoS issues in the modem.

In April, Google addressed 28 vulnerabilities in Android and 25 flaws in Pixel devices. Two issues fixed by the IT giant, tracked as CVE-2024-29745 and CVE-2024-29748, were actively exploited in the wild.

CVE-2024-29745 is a High severity information disclosure issue in the bootloader, while CVE-2024-29748 is a High severity elevation of privilege issue in the Pixel Firmware.

“There are indications that the following may be under limited, targeted exploitation.” reads the advisory.

The company did not provide details about the attacks, but in the past, such kinds of bugs were actively exploited by nation-state actors or commercial spyware vendors.

Pierluigi Paganini


(SecurityAffairs – hacking, Google Pixel)

Multiple flaws in Fortinet FortiOS fixed

13 June 2024 at 08:31

Fortinet released security updates to address multiple vulnerabilities in FortiOS, including a high-severity code execution security issue.

Fortinet addressed multiple vulnerabilities in FortiOS and other products, including some code execution flaws.

The company states that multiple stack-based buffer overflow vulnerabilities in the command line interpreter of FortiOS [CWE-121], collectively tracked as CVE-2024-23110 (CVSS score of 7.4), can be exploited by an authenticated attacker to achieve code or command execution via specially crafted command line arguments.

“Multiple stack-based buffer overflow vulnerabilities [CWE-121] in the command line interpreter of FortiOS may allow an authenticated attacker to execute unauthorized code or commands via specially crafted command line arguments” reads the advisory published by the company.

Gwendal Guégniaud of the Fortinet Product Security team discovered the vulnerabilities.

The flaws impact the following versions of Fortinet FortiOS:

Version      | Affected             | Solution
FortiOS 7.4  | 7.4.0 through 7.4.2  | Upgrade to 7.4.3 or above
FortiOS 7.2  | 7.2.0 through 7.2.6  | Upgrade to 7.2.7 or above
FortiOS 7.0  | 7.0.0 through 7.0.13 | Upgrade to 7.0.14 or above
FortiOS 6.4  | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above
FortiOS 6.2  | 6.2.0 through 6.2.15 | Upgrade to 6.2.16 or above
FortiOS 6.0  | 6.0 all versions     | Migrate to a fixed release
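As an added example (not Fortinet's tooling, and not from the advisory itself), the affected ranges above turned into a check that can be run over a device inventory to flag FortiOS builds still exposed to CVE-2024-23110. The ranges are taken from the table; the `v7.4.1,build2463` version-string form and the inventory names are constructed assumptions.

```python
"""Flag FortiOS builds that fall inside the CVE-2024-23110 affected ranges.

Added example, not Fortinet's own tooling. The ranges are the ones in the
advisory table above, reproduced here as data.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# (branch, first affected, last affected, remediation). A last-affected of
# None means every release of that branch is affected (FortiOS 6.0: migrate).
AFFECTED_RANGES = [
    ((7, 4), (7, 4, 0), (7, 4, 2), "Upgrade to 7.4.3 or above"),
    ((7, 2), (7, 2, 0), (7, 2, 6), "Upgrade to 7.2.7 or above"),
    ((7, 0), (7, 0, 0), (7, 0, 13), "Upgrade to 7.0.14 or above"),
    ((6, 4), (6, 4, 0), (6, 4, 14), "Upgrade to 6.4.15 or above"),
    ((6, 2), (6, 2, 0), (6, 2, 15), "Upgrade to 6.2.16 or above"),
    ((6, 0), (6, 0, 0), None, "Migrate to a fixed release"),
]


def parse_version(text: str) -> Version:
    """Turn '7.4.1', 'v7.4.1,build2463' or '7.4' into (major, minor, patch).

    The 'v...,build...' shape is an assumption about how a device reports its
    version; anything after the first comma or dash is ignored.
    """
    core = text.strip().lstrip("v").split(",")[0].split("-")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def check_cve_2024_23110(version: str) -> Optional[str]:
    """Return the remediation text if `version` is affected, else None.

    A branch that is not in the advisory table (e.g. 7.6) also returns None;
    treat that as "not listed", not as "proven safe".
    """
    v = parse_version(version)
    for branch, low, high, advice in AFFECTED_RANGES:
        if v[:2] != branch:
            continue
        if high is None or low <= v <= high:
            return advice
        return None  # same branch, but already at or past the fixed release
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map {device: version} to {device: remediation} for affected devices only."""
    result = {}
    for name, ver in inventory.items():
        advice = check_cve_2024_23110(ver)
        if advice:
            result[name] = advice
    return result


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = {
    "fw-edge-01": "v7.4.1,build2463",
    "fw-edge-02": "7.4.3",
    "fw-branch-07": "7.0.13",
    "fw-legacy-03": "6.0.17",
    "fw-lab-01": "7.6.0",
}

if __name__ == "__main__":
    for device, advice in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {SAMPLE_INVENTORY[device]} -> {advice}")
```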

The company also addressed the following medium-severity issues:

  • CVE-2024-26010 – A stack-based overflow vulnerability [CWE-124] in FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager could allow a remote attacker to execute arbitrary code or commands by sending crafted packets to the fgfmd daemon. However, the exploitability of this vulnerability depends on specific conditions that are not controllable by the attacker.
  • CVE-2024-23111 – A cross-site scripting vulnerability [CWE-79] in the reboot page of FortiOS and FortiProxy could enable a remote attacker with super-admin access to execute JavaScript code through specially crafted HTTP GET requests.
  • CVE-2023-46720 – Multiple stack-based buffer overflow vulnerabilities [CWE-121] in FortiOS could permit an authenticated attacker to execute arbitrary code by using specially crafted CLI commands.

The company also fixed a low-severity issue tracked as CVE-2024-21754.

The company did not reveal if one of the above issues was actively exploited in the wild.

Pierluigi Paganini


(SecurityAffairs – hacking, Fortinet FortiOS)

CISA adds Arm Mali GPU Kernel Driver, PHP bugs to its Known Exploited Vulnerabilities catalog

12 June 2024 at 21:30

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Mali GPU Kernel Driver, PHP bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2024-4610 ARM Mali GPU Kernel Driver Use-After-Free Vulnerability
  • CVE-2024-4577 PHP-CGI OS Command Injection Vulnerability

The vulnerability CVE-2024-4610 is a use-after-free issue that impacts the Bifrost GPU Kernel Driver (all versions from r34p0 to r40p0) and the Valhall GPU Kernel Driver (all versions from r34p0 to r40p0).

“A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory.” reads the advisory published by the company. “Arm is aware of reports of this vulnerability being exploited in the wild. Users are recommended to upgrade if they are impacted by this issue”

Bifrost and Valhall GPU Kernel Driver r41p0, which were released on November 24, 2022, address the vulnerability.

A local non-privileged attacker can prepare the system’s memory to issue improper GPU memory processing operations to gain access to already freed memory.

The company recommends users upgrade if this issue impacts them.

The vulnerability CVE-2024-4577 resides in the Best-Fit feature of encoding conversion within the Windows operating system. An attacker can exploit the flaw to bypass protections for a previous vulnerability, CVE-2012-1823, using specific character sequences. Consequently, arbitrary code can be executed on remote PHP servers through an argument injection attack, allowing attackers to take control of vulnerable servers.

Since the vulnerability was disclosed and PoC exploit code became publicly available, multiple actors have been attempting to exploit it, Shadowserver and GreyNoise researchers reported.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by July 3, 2024.

Pierluigi Paganini


(SecurityAffairs – hacking, Known Exploited Vulnerabilities catalog)

Ukraine Police arrested a hacker who developed a crypter used by Conti and LockBit ransomware operations

12 June 2024 at 20:34

The Ukraine cyber police arrested a Russian man for having developed the crypter component employed in Conti and LockBit ransomware operations.

The Ukraine cyber police arrested a Russian man (28) for his role in developing a crypter used in Conti and LockBit ransomware operations.

The man was arrested in Kyiv on April 18, 2024, as part of the international law enforcement operation called ‘Operation Endgame.’ 

A crypter is software used to obfuscate or encrypt malicious code to prevent detection by antivirus programs and other security tools. Crypters achieve this by converting the malware into an unreadable form and then packaging it with a decryption routine that restores the original malicious code when executed. Crypters play a significant role in the cybercrime ecosystem by enabling malware authors to bypass security defenses.

“The police found out that the young man specialized in the development of cryptors (from the English crypt – hiding place) – special software for masking computer viruses under the guise of safe files.” reads the report published by Ukraine cyber police. “Thanks to his programming skills, the person involved was able to hide malicious software from the most popular antiviruses.”

Ukrainian law enforcement was supported by the Dutch police, who had responded to a ransomware attack on a Dutch company.

The police identified the Russian hacker group who was paid with cryptocurrency to disguise the “Conti-malware” encryptor. By the end of 2021, a cybercrime gang deployed the ransomware in the network of companies in the Netherlands and Belgium and demanded a ransom for decrypting the infected systems.

“The police were tipped off by the NCSC (National Cyber Security Center) and, after further investigation, discovered that the Ukrainian man infected the computer networks of a company in the Netherlands with Conti’s malware in 2021; a hacker group that offers ransomware for sale. As a result, company data was encrypted and made inaccessible.” states the Dutch Police. “The group then demanded a ransom for making the company data accessible again and not leaking it. The Dutch company filed a report with the police in 2021 and on this basis Team High Tech Crime was able to continue with the investigation.”

The cyber police discovered that the Russian hacker helped the Russian cybercrime groups “LockBit” and “Conti.” The police, along with the “TacTeam” special unit, conducted a search in Kyiv and, following an international request from Dutch law enforcement, another search in the Kharkiv region. The police seized computer equipment, mobile phones, and draft records.

The investigation is still ongoing. The man was charged under part 5 of Art. 361 (Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks) of the Criminal Code of Ukraine and faces up to 15 years of imprisonment. Additional legal qualifications are possible.


Pierluigi Paganini

(SecurityAffairs – hacking, LockBit ransomware)
