The City of Wichita disclosed a data breach after the ransomware attack that hit the Kansas’s city earlier this month.

On May 5th, 2024, the City of Wichita, Kansas, was the victim of a ransomware attack and shut down its network to contain the threat. The city immediately started its incident response procedure to prevent the threat from spreading and announced an investigation into the attack.

Wichita is the most populous city in the U.S. state of Kansas and the county seat of Sedgwick County. As of the 2020 census, the population of the city was 397,532

The investigation was conducted with the help of third-party security experts and the city also notified federal and local law enforcement authorities.

“We regret to report that certain online City services may be unavailable as we thoroughly review and assess an incident that affected some of our computer systems. As part of this assessment, we turned off our computer network.” reads the initial security breach notification. “This decision was not made lightly but was necessary to ensure that systems are securely vetted before returning to service.”

The City warned that some services may be temporarily unavailable while systems are offline, it did not disclose the family of ransomware that infected its systems and the name of the extortion gang behind the attack.

However, the LockBit ransomware gang claimed responsibility for the cyberattack on the City of Wichita.

A new update provided by the City of Wichita revealed that threat actors copied certain files containing personal information from its network. Copied files included incident and traffic information.

Copied files included incident and traffic information.

“As part of our thorough review and assessment of this matter, we identified that certain files were copied from our computer network without permission between May 3 and 4, 2024. These files contained law enforcement incident and traffic information, which include names, Social Security numbers, driver’s license or state identification card numbers, and payment card information.” reads the Notice of Data Event updated on May 14, 2024.

“We identified that this matter is related to a recently disclosed security vulnerability that affects organizations throughout the world.”

The notice also revealed that threat actors exploited a recently disclosed vulnerability to gain access to the city’s network.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Kimsuky)

A new report from XM Cyber has found – among other insights - a dramatic gap between where most organizations focus their security efforts, and where the most serious threats actually reside. The new report, Navigating the Paths of Risk: The State of Exposure Management in 2024, is based on hundreds of thousands of attack path assessments conducted by the XM Cyber

Cybersecurity researchers have shed more light on a remote access trojan (RAT) known as Deuterbear used by the China-linked BlackTech hacking group as part of a cyber espionage campaign targeting the Asia-Pacific region this year. "Deuterbear, while similar to Waterbear in many ways, shows advancements in capabilities such as including support for shellcode plugins, avoiding handshakes

CISA adds two D-Link DIR-600 and DIR-605 router vulnerabilities to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following D-Link router vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

• CVE-2014-100005 Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev. Bx) with firmware before 2.17b02 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account or (2) enable remote management via a crafted configuration module to hedwig.cgi, (3) activate new configuration settings via a SETCFG,SAVE,ACTIVATE action to pigwidgeon.cgi, or (4) send a ping via a ping action to diagnostic.php.
• CVE-2021-40655 An informtion disclosure issue exists in D-LINK-DIR-605 B2 Firmware Version : 2.01MT. An attacker can obtain a user name and password by forging a post request to the / getcfg.php page

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by June 6, 2024.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, CISA)

CISA adds two Chrome zero-day vulnerabilities to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added [1,2] the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

CVE-2024-4761 Google Chromium V8 Engine contains an unspecified out-of-bounds memory write vulnerability via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. The vulnerability was reported by Vasily Berdnikov (@vaber_b) and Boris Larin (@oct0xor) of Kaspersky on May 13, 2024.

“Google is aware that an exploit for CVE-2024-4947 exists in the wild,” reads the advisory published by Google.

CVE-2024-4671 Google Chromium Visuals contains a use-after-free vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

The flaw was reported by an anonymous researcher on May 7, 2024.

“Google is aware that an exploit for CVE-2024-4671 exists in the wild.” reads the advisory published by Google. As usual, the IT giant has not revealed details about the attacks exploiting this vulnerability.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by: 

CVE-2024-4671 June 3rd, 2024.

CVE-2024-4761 June 6, 2024.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, CISA)

The Kimsuky (aka Springtail) advanced persistent threat (APT) group, which is linked to North Korea's Reconnaissance General Bureau (RGB), has been observed deploying a Linux version of its GoBear backdoor as part of a campaign targeting South Korean organizations. The backdoor, codenamed Gomir, is "structurally almost identical to GoBear, with extensive sharing of code between

North Korea-linked Kimsuky APT group employs rogue Facebook accounts to target victims via Messenger and deliver malware.

Researchers at Genius Security Center (GSC) identified a new attack strategy by the North Korea-linked Kimsuky APT group and collaborated with the Korea Internet & Security Agency (KISA) for analysis and response. The nation-state actor attack used a fake account posing as a South Korean public official in the North Korean human rights sector. The APT group aimed at connecting with key individuals in North Korean and security-related fields through friend requests and direct messages.

The attack chain starts with the theft of the identity of a real person in South Korea, then the victims were contacted via Facebook Messenger.    

Threat actors pretended to share private documents they had written with the victims. 

“The initial individual approach is similar to an email-based spear phishing attack strategy. However, the fact that mutual communication and reliability were promoted through Facebook Messenger shows that the boldness of Kimsuky APT attacks is increasing day by day.” reads the report published by GSC. “The Facebook screen used in the actual attack has a background photo that appears to have been taken at a public institution. Threat actors disguised as public officials try to win the favor of their targets by pretending to share private documents they have written.”

The messages included a link to a decoy document hosted on OneDrive. The file is a Microsoft Common Console document that masquerades as an essay or content related to a trilateral summit between Japan, South Korea, and the U.S. One of the decoy documents (‘NZZ_Interview_Kohei Yamamoto.msc’) employed in the attacks was uploaded to the VirusTotal from Japan on April 5, 2024.

The malware had zero detection rate on VT at the upload time.

The experts speculate the APT group was targeting people in Japan and South Korea.

“This is the first time that a suspected attack against Japan was first observed, and then a variant was detected in Korea shortly after.” reads the analysis. “And if you compare the two malicious file execution screens, you can see the same pattern. Although the file name leading to execution is different, both used the name ‘Security Mode’.”

Upon launching the MSC file and allowing it to open it using Microsoft Management Console (MMC), victims are displayed a console screen containing a Word document. If the victims launch it the multi-stage attack chain starts.

The malicious file, named “Console Root task window ‘Security Mode’,” hid certain window styles and tabs. It misled users by labeling a task as “Open” with a description “My_Essay.docx,” making it appear as a document execution screen. Clicking “Open” triggers a malicious command. This command line involves ‘cmd.exe’ with various parameters and attempts to connect to the C2 host ‘brandwizer.co[.]in,’ registered by Whiteserver hosting in India and linked to the IP address ‘5.9.123.217’ in Germany.

The malware maintains persistence by registering a scheduled task named ‘OneDriveUpdate,’ which repeats every 41 minutes indefinitely. This interval is consistent with the timing used in previous Kimsuky group campaigns, such as ‘BabyShark‘ and ‘ReconShark.’

The malware gathered information and exfiltrated it to the C2 server, it can also harvest IP addresses, User-Agent strings, and timestamp information from the HTTP requests. The malware can also drop additional payloads on the infected machines.

“Among the APT attacks reported in Korea in the first quarter of this year, the most representative method is spear phishing attack. In addition, the method of combining shortcut (LNK) type malicious files is steadily becoming popular. Although not commonly reported, covert attacks through social media also occur.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Kimsuky)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting D-Link routers to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2014-100005 - A cross-site request forgery (CSRF) vulnerability impacting D-Link DIR-600 routers that allows an

Electronic prescription provider MediSecure in Australia suffered a ransomware attack likely originate from a third-party vendor.

MediSecure is a company that provides digital health solutions, particularly focusing on secure electronic prescription delivery services in Australia.

The company was forced to shut down its website and phone lines following a cyber attack, but it did not mention a ransomware attack.

Threat actors gained access to the personal and health information of an undisclosed number of individuals.

“MediSecure has identified a cyber security incident impacting the personal and health information of individuals. We have taken immediate steps to mitigate any potential impact on our systems.” reads the statement published by the company. “While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors.”

The company is still investigating the security breach with the help of the National Cyber Security Coordinator, however, it revealed that early indicators suggest the incident originated from one of its third-party vendors.

Yesterday afternoon I was advised by a commercial health information organisation that it was the victim of a large-scale ransomware data breach incident.

I am working with agencies across the Australian Government, states and territories to coordinate a whole-of-government… pic.twitter.com/mool7LNLRZ

— National Cyber Security Coordinator (@AUCyberSecCoord) May 16, 2024

The electronic prescription provider also notified the Office of the Australian Information Commissioner and other relevant authorities.

The Australian broadcaster ABC reported that MediSecure “is the health organisation at the centre of the large-scale ransomware data breach announced by the national cyber security coordinator on Thursday.”

“MediSecure was one of two companies awarded contracts by the federal government to provide PBS e-script services until late last year, when the tender was granted exclusively to another company, eRx.” reported ABC. “In October last year, the ACCC granted authorisation for MediSecure to transfer all publicly- funded electronic prescriptions and data to eRx.”

In November 2022, Medibank announced that personal data belonging to around 9.7M of current and former customers were exposed due to a ransomware attack that occurred in October 2022.

Medibank is one of the largest Australian private health insurance providers with approximately 3.9 million customers.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

Researchers have discovered a new security vulnerability stemming from a design flaw in the IEEE 802.11 Wi-Fi standard that tricks victims into connecting to a less secure wireless network and eavesdrop on their network traffic. The SSID Confusion attack, tracked as CVE-2023-52424, impacts all operating systems and Wi-Fi clients, including home and mesh networks that are based on

Google released security updates to address a new actively exploited Chrome zero-day vulnerability, the third in a week.

Google has released a new emergency security update to address a new vulnerability, tracked as CVE-2024-4947, in the Chrome browser, it is the third zero-day exploited in attacks that was disclosed this week.

The vulnerability CVE-2024-4947 is a type confusion that resides in V8 JavaScript engine. The vulnerability was reported by Vasily Berdnikov (@vaber_b) and Boris Larin (@oct0xor) of Kaspersky on May 13, 2024.

“Google is aware that an exploit for CVE-2024-4947 exists in the wild,” reads the advisory published by Google.

This week the IT giant fixed other two actively exploited Chrome zero-day issues, respectively tracked CVE-2024-4671 and CVE-2024-4761.

Below is the list of actively exploited zero-day vulnerabilities in the Chrome browser that have been fixed this year:

• CVE-2024-0519: an out of bounds memory access in the Chrome JavaScript engine. (January 2024)
• CVE-2024-2887:  a type confusion issue that resides in WebAssembly. Manfred Paul demonstrated the vulnerability during the Pwn2Own 2024. (March 2024)
• CVE-2024-2886: a use after free issue that resides in the WebCodecs. The flaw was demonstrated by Seunghyun Lee (@0x10n) of KAIST Hacking Lab during the Pwn2Own 2024. (March 2024)
• CVE-2024-3159: an out-of-bounds memory access in V8 JavaScript engine. The flaw was demonstrated by Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) of Palo Alto Networks during the Pwn2Own 2024 on March 22, 2024. (March 2024)
• CVE-2024-4671: a use-after-free issue that resides in the Visuals component (May 2024). 
• CVE-2024-4761: an out-of-bounds write issue that resides in the V8 JavaScript engine (May 2024). 

Google also addressed the following vulnerabilities:

• [TBD][333414294] High CVE-2024-4948: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09
• [$7000][326607001] Medium CVE-2024-4949: Use after free in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2024-02-24
• [$1000][40065403] Low CVE-2024-4950: Inappropriate implementation in Downloads. Reported by Shaheen Fazim on 2023-06-06

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Google)

The North Korea-linked Kimsuky hacking group has been attributed to a new social engineering attack that employs fictitious Facebook accounts to targets via Messenger and ultimately delivers malware. "The threat actor created a Facebook account with a fake identity disguised as a public official working in the North Korean human rights field," South Korean cybersecurity company Genians

Security researchers have disclosed almost a dozen security flaws impacting the GE HealthCare Vivid Ultrasound product family that could be exploited by malicious actors to tamper with patient data and even install ransomware under certain circumstances. "The impacts enabled by these flaws are manifold: from the implant of ransomware on the ultrasound machine to the access and manipulation of

The Spanish bank Santander disclosed a data breach at a third-party provider that impacted customers in Chile, Spain, and Uruguay.

The Spanish financial institution Santander revealed a data breach involving a third-party provider that affected customers in Chile, Spain, and Uruguay.

The bank recently became aware of unauthorized access to one of its databases hosted by a third-party provider.

The company announced that it immediately implemented measures to contain the incident. The company blocked the compromised access to the database and established additional fraud prevention controls to protect affected customers.

“We recently became aware of an unauthorized access to a Santander database hosted by a third-party provider.” reads the statement published by the bank. “Following an investigation, we have now confirmed that certain information relating to customers of Santander Chile, Spain and Uruguay, as well as all current and some former Santander employees of the group had been accessed. Customer data in all other Santander markets and businesses are not affected.”

The compromised database contained information on all current and some former employees. 

The bank pointed out that the database did not store transactional data, online banking details, passwords, or other data that would allow someone to conduct transactions. 

“No transactional data, nor any credentials that would allow transactions to take place on accounts are contained in the database, including online banking details and passwords. The bank’s operations and systems are not affected, so customers can continue to transact securely.” continues the statement.

The financial institution hasn’t provided technical details of the incident or what kind of data was exposed. It’s unclear how many individuals are impacted.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The Microsoft Threat Intelligence team said it has observed a threat actor it tracks under the name Storm-1811 abusing the client management tool Quick Assist to target users in social engineering attacks. "Storm-1811 is a financially motivated cybercriminal group known to deploy Black Basta ransomware," the company said in a report published on May 15, 2024. The

Google has rolled out fixes to address a set of nine security issues in its Chrome browser, including a new zero-day that has been exploited in the wild. Assigned the CVE identifier CVE-2024-4947, the vulnerability relates to a type confusion bug in the V8 JavaScript and WebAssembly engine. It was reported by Kaspersky researchers Vasily Berdnikov and Boris

An international law enforcement operation coordinated by the FBI led to the seizure of the notorious BreachForums hacking forum.

BreachForums is a cybercrime forum used by threat actors to purchase, sell, and exchange stolen data, including credentials, and personal and financial information. The authorities also seized the Telegram page for the hacking forum

The website currently displays a message that informs visitors it was seized by law enforcement. The site also shows the logos of the law enforcement agencies that ware involved in the operation, including the UK NCA, the Australian Federal Police, the New Zealand Police, and the Swiss police.

“This website has been taken down by the FBI and DOJ with assistance from international partners,” reads the message published on the seized site. “We are reviewing the site’s backend data. If you have information to report about cyber criminal activity on BreachForums, please contact us.”

According to the statement published by law enforcement on the site breachforums.ic3.gov, the FBI states that it is investigating the criminal hacking forums known as BreachForums and Raidforums.

From June 2023 until May 2024, BreachForums (hosted at breachforums.st/.cx/.is/.vc) was run by the notorious actor ShinyHunters.

From March 2022 until March 2023, a separate version of BreachForums (hosted at breached.vc/.to/.co) was run by the threat actor Pompompurin. In July 2023, the owner of the BreachForums Conor Brian Fitzpatrick, aka Pompompurin, pleaded guilty to hacking charges.

In March 2023, U.S. law enforcement arrested Pompompurin, the agents spent hours inside and outside the suspect’s home and were seen removing several bags of evidence from the house.

The man has been charged with soliciting individuals with the purpose of selling unauthorized access devices. Fitzpatrick was released on a $300,000 bond signed by his parents.

The BreachForums hacking forum was launched in 2022 after the law enforcement authorities seized RaidForums as a result of Operation TOURNIQUET. pompompurin always declared that he was ‘not affiliated with RaidForums in any capacity,’

Raidforums (hosted at raidforums.com and run by Omnipotent) was the predecessor hacking forum to both version of BreachForums and ran from early 2015 until February 2022.

People who have information to assist in any of the investigations against BreachForums v2, BreachForums v1, or Raidforums can fill out the questionnaire on the website.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, BreachForums)

One of the developers of the Tornado Cash cryptocurrency mixer has been sentenced to 64 months in prison.

Alexey Pertsev (29), one of the main developers of the Tornado Cash cryptocurrency mixer has been sentenced to 64 months in prison for helping launder more than $2 billion worth of cryptocurrency.

The mixers are essential components for cybercriminals that use them for money laundering, it was used to launder the funds stolen from the victims.

The FIOD arrested the man in Amsterdam in August 2022, it is accused of concealing criminal financial flows and facilitating money laundering using Tornado Cash. The FIOD aims to ensure financial safety in the Netherlands and investigates the impact of cryptocurrency-related activities.

The Financial Advanced Cyber Team (FACT) speculates Tornado Cash has been used to conceal large-scale criminal money flows.

According to the indictment published in August 2023, Tornado Cash service allowed crooks to launder high volumes of criminal proceeds.

Tornado Cash was used to launder more than $7 billion worth of virtual currency since its creation in 2019, reported the OFAC. The Lazarus APT group laundered over $455 million stolen during the largest known virtual currency heist to date. Tornado Cash was also used to launder more than $96 million of malicious cyber actors’ funds derived from the June 24, 2022 Harmony Bridge Heist, and at least $7.8 million from the recent Nomad crypto heist.

In August 2022, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned the crypto mixer service Tornado Cash used by North Korean-linked Lazarus APT Group.

Pertsev argued that his work at the Tornado Cash platform aimed to offer privacy to the cryptocurrency community and avoid involvement in criminal activities. However, the court dismissed his claims, noting that Tornado Cash lacked anti-abuse measures and the developers failed to prevent money laundering. The court also criticized Pertsev’s behavior who did not cooperate with authorities regarding the illegal activities. He also claimed an inability to address the issue.

“Research shows that 1.2 billion U.S. dollars were laundered this way in so called Ether (a cryptocurrency). These Ether are derived from 36 different thefts (hacks). Because of the used parameters in selecting these hacks, 36 is the lower limit.” reported de Rechtspraak. “Without using these parameters it becomes clear that 2.2 billion U.S. dollars, proceeding from criminal Ether, have been laundered. Furthermore, the court does not rule out that cryptocurrency has also been laundered deriving from other crimes.”

The court has sentenced the defendant to 5 years and 4 months in prison, in accordance with the prosecutor’s request. The court additionally decided not to return the defendant’s seized Porsche and approximately 1.9 million euros worth of cryptocurrency.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, mixer)

Law enforcement agencies have officially seized control of the notorious BreachForums platform, an online bazaar known for peddling stolen data, for the second time within a year. The website ("breachforums[.]st") has been replaced by a seizure banner stating the clearnet cybercrime forum is under the control of the U.S. Federal Bureau of Investigation (FBI).  The operation is the

An unnamed European Ministry of Foreign Affairs (MFA) and its three diplomatic missions in the Middle East were targeted by two previously undocumented backdoors tracked as LunarWeb and LunarMail. ESET, which identified the activity, attributed it with medium confidence to the Russia-aligned cyberespionage group Turla (aka Iron Hunter, Pensive Ursa, Secret Blizzard, Snake, Uroburos, and Venomous

Here’s How to Enhance Your Cyber Resilience with CVSS In late 2023, the Common Vulnerability Scoring System (CVSS) v4.0 was unveiled, succeeding the eight-year-old CVSS v3.0, with the aim to enhance vulnerability assessment for both industry and the public. This latest version introduces additional metrics like safety and automation to address criticism of lacking granularity while

Adobe addressed multiple code execution vulnerabilities in several products, including Adobe Acrobat and Reader.

Adobe addressed multiple code execution vulnerabilities in its products, including Adobe Acrobat and Reader software

The software giant released its Patch Tuesday updates to fix 35 security vulnerabilities 12 of these issues impact Adobe Acrobat and Reader software.

The arbitrary code execution issues fixed by the company includes Use After Free, Improper Input Validation, and Improper Access Control.

Vulnerability Category	Vulnerability Impact	Severity	CVSS base score	CVSS vector	CVE Number
Use After Free (CWE-416)	Arbitrary code execution	Critical	7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	CVE-2024-30284
Out-of-bounds Write (CWE-787)	Arbitrary code execution	Critical	7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	CVE-2024-30310
Use After Free (CWE-416)	Arbitrary code execution	Critical	7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	CVE-2024-34094
Use After Free (CWE-416)	Arbitrary code execution	Critical	7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	CVE-2024-34095
Use After Free (CWE-416)	Arbitrary code execution	Critical	7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	CVE-2024-34096
Use After Free (CWE-416)	Arbitrary code execution	Critical	7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	CVE-2024-34097
Improper Input Validation (CWE-20)	Arbitrary code execution	Critical	7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	CVE-2024-34098
Improper Access Control (CWE-284)	Arbitrary code execution	Critical	7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	CVE-2024-34099
Use After Free (CWE-416)	Arbitrary code execution	Critical	7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	CVE-2024-34100
Out-of-bounds Read (CWE-125)	Memory leak	Important	5.5	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N	CVE-2024-30311
Out-of-bounds Read (CWE-125)	Memory leak	Important	5.5	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N	CVE-2024-30312
Out-of-bounds Read (CWE-125)	Memory leak	Moderate	3.3	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N	CVE-2024-34101

The vulnerabilities were reported by the following experts and research team:

• Mark Vincent Yason (markyason.github.io) working with Trend Micro Zero Day Initiative – CVE-2024-30284, CVE-2024-34094, CVE-2024-34095, CVE-2024-34096, CVE-2024-34097
• Cisco Talos (ciscotalos)  – CVE-2024-30311, CVE-2024-30312
• Bobby Gould of Trend Micro Zero Day Initiative – CVE-2024-30310, CVE-2024-34101
• AbdulAziz Hariri (@abdhariri) of Haboob SA (@HaboobSa) – CVE-2024-34098, CVE-2024-34099
• Suyue Guo and Wei You from Renmin University of China (ruc_se_sec) – CVE-2024-34100

Adobe PSIRT is not aware of attacks in the wild exploiting the above vulnerabilities.

The vulnerabilities impact versions: 24.002.20736 and earlier, and 20.005.30574 and earlier for Windows and macOS operating systems.

Adobe also fixed issues in Adobe Illustrator (APSB24-30), Adobe Aero (APSB24-33), Adobe Dreamweaver (APSB24-39), Adobe Substance 3D Painter (APSB24-31), Adobe Substance 3D Designer (APSB24-35), Adobe Animate (APSB24-36), Adobe FrameMaker (APSB24-37).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Acrobat)

A malware botnet called Ebury is estimated to have compromised 400,000 Linux servers since 2009, out of which more than 100,000 were still compromised as of late 2023. The findings come from Slovak cybersecurity firm ESET, which characterized it as one of the most advanced server-side malware campaigns for financial gain. "Ebury actors have been pursuing monetization activities [...],

While cloud adoption has been top of mind for many IT professionals for nearly a decade, it’s only in recent months, with industry changes and announcements from key players, that many recognize the time to make the move is now. It may feel like a daunting task, but tools exist to help you move your virtual machines (VMs) to a public cloud provider – like Microsoft Azure

A Dutch court on Tuesday sentenced one of the co-founders of the now-sanctioned Tornado Cash cryptocurrency mixer service to 5 years and 4 months in prison. While the name of the defendant was redacted in the verdict, it's known that Alexey Pertsev, a 31-year-old Russian national, had been awaiting trial in the Netherlands on money laundering charges.

Microsoft has addressed a total of 61 new security flaws in its software as part of its Patch Tuesday updates for May 2024, including two zero-days which have been actively exploited in the wild. Of the 61 flaws, one is rated Critical, 59 are rated Important, and one is rated Moderate in severity. This is in addition to 30 vulnerabilities&

The Singing River Health System revealed that the ransomware attack that hit the organization in August 2023 impacted 895,204 people.

At the end of August 2023, the systems at three hospitals and other medical facilities operated by Singing River Health System (SRHS) were hit by a Rhysida ransomware attack.

The Singing River Health System runs 3 hospitals and 10 clinics and is the second largest employer on the Mississippi Gulf Coast.

“The Singing River Health System’s three hospitals – Pascagoula Hospital, Ocean Springs Hospital, and Gulfport Hospital, as well as its dozen-plus medical clinics – are affected by the incident, which began over the weekend. The health system employs about 3,800 people.” reported BankInfoSecurity.

Several services at the impacted hospitals, including laboratory and radiology testing, suffered a significant IT systems outage. At the time, Singing River said it was working to process all paper-ordered lab tests and radiology exams as quickly as possible, based on priority.

On September 13, 2023, the healthcare organization disclosed a data breach and in December 2023, it announced that the incident impacted 252,890 individuals.

In a new update shared by the company with the Maine Attorney General, the organization declared that the total number of persons affected is 895,204.

Potentially compromised information includes name, date of birth, address, Social Security number, medical information, and health insurance information.

SRHS is offering impacted individuals access to credit monitoring services provided by IDX identity theft protection for twelve months at no cost. The company is also providing guidance on preventing identity theft and fraud, including steps to report suspicious incidents and placing fraud alerts or security freezes on credit files. Additionally, they are sharing information on safeguarding against tax fraud, contacting consumer reporting agencies, and obtaining free credit reports. Singing River Health System recommends the impacted individuals to be vigilant by reviewing account statements and monitoring credit reports. Individuals are encouraged to report any incidents of identity theft or fraud to relevant authorities, including the Federal Trade Commission, state Attorney General, and law enforcement.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Rhysida)

Microsoft Patch Tuesday security updates for May 2024 fixed 59 flaws across various products including an actively exploited zero-day.

Microsoft Patch Tuesday security updates for May 2024 addressed 59 vulnerabilities in Windows and Windows Components; Office and Office Components; .NET Framework and Visual Studio; Microsoft Dynamics 365; Power BI; DHCP Server; Microsoft Edge (Chromium-based); and Windows Mobile Broadband.

Only one of the vulnerabilities addressed by the IT giant this month is rated Critical, 57 are rated Important, and one is rated Moderate in severity.

Two of the vulnerabilities fixed by Microsoft this month are actively exploited, and one was a publicly disclosed zero-day.

The two actively exploited zero-day vulnerabilities are:

CVE-2024-30040 – Windows MSHTML Platform Security Feature Bypass Vulnerability

This vulnerability bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls.

An attacker can trigger this issue by tricking a user into loading a malicious file onto a vulnerable system, often through deceptive means like email or instant messenger messages. The attacker then convinces the user to manipulate the file, without necessarily requiring them to click or open it directly.

“An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user.” reads the advisory.

CVE-2024-30051 – Windows DWM Core Library Elevation of Privilege Vulnerability

An attacker can exploit this vulnerability to gain SYSTEM privileges.

Microsoft doesn’t share details about the attacks exploiting the above vulnerabilities.

The full list of flaws addressed by Microsoft with the release of Patch Tuesday security updates for May 2024 is available here.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

Microsoft today released updates to fix more than 60 security holes in Windows computers and supported software, including two “zero-day” vulnerabilities in Windows that are already being exploited in active attacks. There are also important security patches available for macOS and Adobe users, and for the Chrome Web browser, which just patched its own zero-day flaw.

First, the zero-days. CVE-2024-30051 is an “elevation of privilege” bug in a core Windows library. Satnam Narang at Tenable said this flaw is being used as part of post-compromise activity to elevate privileges as a local attacker.

“CVE-2024-30051 is used to gain initial access into a target environment and requires the use of social engineering tactics via email, social media or instant messaging to convince a target to open a specially crafted document file,” Narang said. “Once exploited, the attacker can bypass OLE mitigations in Microsoft 365 and Microsoft Office, which are security features designed to protect end users from malicious files.”

Kaspersky Lab, one of two companies credited with reporting exploitation of CVE-2024-30051 to Microsoft, has published a fascinating writeup on how they discovered the exploit in a file shared with Virustotal.com.

Kaspersky said it has since seen the exploit used together with QakBot and other malware. Emerging in 2007 as a banking trojan, QakBot (a.k.a. Qbot and Pinkslipbot) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations.

CVE-2024-30040 is a security feature bypass in MSHTML, a component that is deeply tied to the default Web browser on Windows systems. Microsoft’s advisory on this flaw is fairly sparse, but Kevin Breen from Immersive Labs said this vulnerability also affects Office 365 and Microsoft Office applications.

“Very little information is provided and the short description is painfully obtuse,” Breen said of Microsoft’s advisory on CVE-2024-30040.

The only vulnerability fixed this month that earned Microsoft’s most-dire “critical” rating is CVE-2024-30044, a flaw in Sharepoint that Microsoft said is likely to be exploited. Tenable’s Narang notes that exploitation of this bug requires an attacker to be authenticated to a vulnerable SharePoint Server with Site Owner permissions (or higher) first and to take additional steps in order to exploit this flaw, which makes this flaw less likely to be widely exploited as most attackers follow the path of least resistance.

Five days ago, Google released a security update for Chrome that fixes a zero-day in the popular browser. Chrome usually auto-downloads any available updates, but it still may require a complete restart of the browser to install them. If you use Chrome and see a “Relaunch to update” message in the upper right corner of the browser, it’s time to restart.

Apple has just shipped macOS Sonoma 14.5 update, which includes nearly two dozen security patches. To ensure your Mac is up-to-date, go to System Settings, General tab, then Software Update and follow any prompts.

Finally, Adobe has critical security patches available for a range of products, including Acrobat, Reader, Illustrator, Adobe Substance 3D Painter, Adobe Aero, Adobe Animate and Adobe Framemaker.

Regardless of whether you use a Mac or Windows system (or something else), it’s always a good idea to backup your data and or system before applying any security updates. For a closer look at the individual fixes released by Microsoft today, check out the complete list over at the SANS Internet Storm Center. Anyone in charge of maintaining Windows systems in an enterprise environment should keep an eye on askwoody.com, which usually has the scoop on any wonky Windows patches.

Update, May 15, 8:28 a.m.: Corrected misattribution of CVE-2024-30051.