Early this week, the City of Cleveland suffered a cyber attack that impacted multiple services. The City is working to restore impacted systems.

On Monday, the City of Cleveland announced it was the victim of a cyber attack and was forced to take some of its systems offline to contain the threat.

The City is still working to restore impacted services, it added that emergency services and utilities were not affected. The incident did not expose taxpayer information held by the CCA and customer information held by Public Utilities.

City Hall and Erieview will be closed for the entire week, the City Hall reopened only for the employees on June 12, 2024.

“Basic City services are functioning normally. Despite adapting to limited IT capabilities, public safety, public works, public utilities, and airport teams are actively working for City residents.” the City wrote on X, the platform used to provide updates on the incident to the citizens.

The City of Cleveland is investigating the incident with the help of law enforcement and key partners to determine the scope of the security incident.

The city did not share information about the attack; however, the shutdown of the IT systems in response to the incident suggests the involvement of ransomware. As of this writing, no ransomware group has claimed responsibility for the attack.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cyber attack)

Ukraine’s security service (SBU) detained two individuals accused of supporting Russian intelligence in spreading propaganda and hacking soldiers’ phones.

Ukraine’s security service, the SBU, detained two individuals who are accused of supporting Russian intelligence in spreading pro-Russia propaganda. They are also accused of hacking the phones of Ukrainian soldiers.

The arrests result from an investigation conducted by SBU officers in collaboration with the Ministry of Defense’s Intelligence Directorate and the National Police.

The SBU uncovered two bot farms in Zhytomyr and Dnipro that were spreading Russian propaganda and hacking soldiers’ phones. The bot farms spread Russian propaganda posing as Ukrainian citizens.

The SBU discovered that a Zhytomyr resident registered over 600 virtual mobile numbers and anonymous Telegram accounts that were used by Russian operatives. Then the accounts were sold or rented through Russian online platforms, the suspect received payments in cryptocurrency. According to the Ukrainian security service, Russian agents employed the numbers in phishing campaigns targeting Ukrainian military personnel to deliver spyware on their phones.

The second man (30), a Dnipro resident, registered nearly 15,000 fake social media and messenger accounts using Ukrainian SIM cards.

Then he sold the fake accounts on dark web forums to Russian intelligence. The Ukrainian authorities charged the man with violating Ukraine’s territorial integrity.

In July 2023, the Cyber ​​Police Department of the National Police of Ukraine dismantled a massive bot farm and seized 150,000 SIM cards.

A gang of more than 100 individuals used fake social network accounts to conduct disinformation and psychological operations in support of the Russian government and its narrative on the invasion of Ukraine.

The gang used a massive bot farm to distribute illegal content, personal data of Ukrainian citizens and commit frauds. 

The cyber police discovered that the group used special equipment and software to register thousands of bot accounts in multiple social networks. 

In August 2022, the Ukrainian cyber police (SSU) dismantled a massive bot farm composed of 1,000,000 bots that was spreading disinformation and Russian propaganda through social networks.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Russian propaganda, bot farm)

Google is warning of a security vulnerability impacting its Pixel Firmware that has been actively exploited in the wild as a zero-day.

Google warned of an elevation of privilege vulnerability, tracked as CVE-2024-32896, in the Pixel Firmware, which has been exploited in the wild as a zero-day.

“There are indications that CVE-2024-32896 may be under limited, targeted exploitation.” reads the advisory.

As usual, the IT giant did not provide technical information about attacks exploiting the above issue.

The Pixel Update Bulletin provides details of security vulnerabilities and functional improvements for supported Google Pixel devices. The company addressed all the flaws detailed in the bulletin with the release of the security patch levels of 2024-06-05 or later and the June 2024 Android Security Bulletin.

Seven out of 50 security vulnerabilities are rated as critical:

The company addressed multiple information disclosure flaws impacting GsmSs, ACPM, and Trusty and multiple DoS issues in the modem.

In April, Google addressed 28 vulnerabilities in Android and 25 flaws in Pixel devices. Two issues fixed by the IT giant, tracked as CVE-2024-29745 and CVE-2024-29748, were actively exploited in the wild.

CVE-2024-29745 is a High severity Information disclosure issue in the bootloader, while CVE-2024-29748 is a High severity elevation of privilege issues in the Pixel Firmware.

“There are indications that the following may be under limited, targeted exploitation.” reads the advisory.

The company did not provide details about the attacks, but in the past, such kinds of bugs were actively exploited by nation-state actors or commercial spyware vendors.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Google Pixel)

Fortinet released security updates to address multiple vulnerabilities in FortiOS, including a high-severity code execution security issue.

Fortinet addressed multiple vulnerabilities in FortiOS and other products, including some code execution flaws.

The company states that multiple stack-based buffer overflow vulnerabilities in the command line interpreter of FortiOS [CWE-121], collectively tracked as CVE-2024-23110 (CVSS score of 7.4), can be exploited by an authenticated attacker to achieve code or command execution via specially crafted command line arguments

“Multiple stack-based buffer overflow vulnerabilities [CWE-121] in the command line interpreter of FortiOS may allow an authenticated attacker to execute unauthorized code or commands via specially crafted command line arguments” reads the advisory published by the company.

Gwendal Guégniaud of Fortinet Product Security team discovered the vulnerabilities.

The flaws impact the following versions of the Fortinet FortiOS :

The company also addressed the following medium-severity issues:

• CVE-2024-26010 – A stack-based overflow vulnerability [CWE-124] in FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager could allow a remote attacker to execute arbitrary code or commands by sending crafted packets to the fgfmd daemon. However, the exploitability of this vulnerability depends on specific conditions that are not controllable by the attacker.
• CVE-2024-23111 – A cross-site scripting vulnerability [CWE-79] in the reboot page of FortiOS and FortiProxy could enable a remote attacker with super-admin access to execute JavaScript code through specially crafted HTTP GET requests.
• CVE-2023-46720 – Multiple stack-based buffer overflow vulnerabilities [CWE-121] in FortiOS could permit an authenticated attacker to execute arbitrary code by using specially crafted CLI commands.

The company also fixed a low-severity issue tracked as CVE-2024-21754.

The company did not reveal if one of the above issues was actively exploited in the wild.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Fortinet FortiOS)

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Mali GPU Kernel Driver, PHP bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

• CVE-2024-4610 ARM Mali GPU Kernel Driver Use-After-Free Vulnerability
• CVE-2024-4577 PHP-CGI OS Command Injection Vulnerability

The vulnerability CVE-2024-4610 is a use-after-free issue issue that impacts Bifrost GPU Kernel Driver (all versions from r34p0 to r40p0) and Valhall GPU Kernel Driver (all versions from r34p0 to r40p0).

“A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory.” reads the advisory published by the company. “Arm is aware of reports of this vulnerability being exploited in the wild. Users are recommended to upgrade if they are impacted by this issue”

Bifrost and Valhall GPU Kernel Driver r41p0, which were released on November 24, 2022, address the vulnerability.

A local non-privileged attacker can prepare the system’s memory to issue improper GPU memory processing operations to gain access to already freed memory.

The company recommends users upgrade if this issue impacts them.

The vulnerability CVE-2024-4577 resides in the Best-Fit feature of encoding conversion within the Windows operating system. An attacker can exploit the flaw to bypass protections for a previous vulnerability, CVE-2012-1823, using specific character sequences. Consequently, arbitrary code can be executed on remote PHP servers through an argument injection attack, allowing attackers to take control of vulnerable servers.

Since the disclosure of the vulnerability and publicly availability of a PoC exploit code, multiple actors are attempting to exploit it, reported Shadowserver and GreyNoise researchers.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by July 3rd, 2024.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Known Exploited Vulnerabilities catalog)

The Ukraine cyber police arrested a Russian man for having developed the crypter component employed in Conti and LockBit ransomware operations.

The Ukraine cyber police arrested a Russian man (28) for his role in developing a crypter used in Conti and LockBit ransomware operations.

The man was arrested in Kyiv on April 18, 2024, as part of the international law enforcement operation called ‘Operation Endgame.’ 

A crypter is a software used to obfuscate or encrypt malicious code to prevent detection by antivirus programs and other security tools. Crypters achieve this by converting the malware into an unreadable form and then packaging it with a decryption routine that will restore the original malicious code when executed. Crypters play a significant role in the cybercrime ecosystem by enabling malware authors to bypass security defenses.

“The police found out that the young man specialized in the development of cryptors (from the English crypt – hiding place) – special software for masking computer viruses under the guise of safe files.” reads the report published by Ukraine cyber police. “Thanks to his programming skills, the person involved was able to hide malicious software from the most popular antiviruses.”

The Ukrainian law enforcement was supported by the Dutch police who responded to a ransomware attack that hit a Dutch company.

The police identified the Russian hacker group who was paid with cryptocurrency to disguise the “Conti-malware” encryptor. By the end of 2021, a cybercrime gang deployed the ransomware in the network of companies in the Netherlands and Belgium and demanded a ransom for decrypting the infected systems.

“The police were tipped off by the NCSC (National Cyber ​​Security Center) and, after further investigation, discovered that the Ukrainian man infected the computer networks of a company in the Netherlands with Conti’s malware in 2021; a hacker group that offers ransomware for sale. As a result, company data was encrypted and made inaccessible.” states the Dutch Police. “The group then demanded a ransom for making the company data accessible again and not leaking it. The Dutch company filed a report with the police in 2021 and on this basis Team High Tech Crime was able to continue with the investigation.”

The cyber police discovered that the Russian hacker helped the Russian cybercrime groups “LockBit” and “Conti.” The police, along with the “TacTeam” special unit, conducted a search in Kyiv and, following an international request from Dutch law enforcement, another search in the Kharkiv region. The police seized computer equipment, mobile phones, and draft records.

The investigation is still ongoing, the man was charged under part 5 of Art. 361 (Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks) of the Criminal Code of Ukraine. The man can face up to 15 years of imprisonment. Additional legal qualifications are possible.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, LockBit ransomware)