MSP cybersecurity news digest, May 3, 2024

Washington, D.C. city agency says LockBit data theft and leak tied to third-party attack

A Washington, D.C. government agency confirmed that data stolen and leaked by the LockBit ransomware gang originated from a third-party technology provider, Tyler Technologies. The breach affected the D.C. Department of Insurance, Securities and Banking (DISB), which safeguards consumers from abuses by financial institutions. Tyler Technologies, a publicly traded corporation that provides services to government agencies and educational institutions worldwide, reported revenue of $1.95 billion in 2023.

LockBit disclosed its attack on DISB, announcing its intention to release the data to pressure the agency into paying a ransom after negotiations faltered. DISB redirected inquiries to a statement attributing the breach to Tyler Technologies, which acknowledged unauthorized access to the cloud environment storing DISB's STAR system client data.

Tyler Technologies reported unauthorized activity in the cloud environment hosting DISB's data, launched an investigation, and contacted affected clients while maintaining communication with law enforcement. The incident shows that LockBit has continued its attacks despite law enforcement efforts, impacting organizations globally; recent victims include a Nasdaq-listed pharmaceutical company and a prominent South African manufacturing company.

Synlab Italia is hit by ransomware attack and suspends operations

Following a ransomware attack, Synlab Italia has suspended all medical diagnostic and testing services, impacting its extensive network of 380 labs and medical centers across Italy. The company is a part of the Synlab group operating in 30 countries worldwide and generating an annual turnover of $426 million while conducting 35 million analyses annually.

The attack prompted the company's IT department to isolate the entire corporate infrastructure from the network and shut down all machines as a precaution, though the extent of potential data exposure remains uncertain. Consequently, laboratory analysis and sample collection services are suspended indefinitely, with ongoing efforts to gradually restore services and eradicate the malware from the IT infrastructure.

Customers were advised to monitor Synlab's official channels for updates on service restoration and recovery progress amid the absence of any claims of responsibility by ransomware groups.

CoralRaider malware campaign exploits CDN cache to spread infostealers

Researchers have uncovered an ongoing campaign in which threat actors have been distributing three well-known infostealer malware families, CryptBot, LummaC2 and Rhadamanthys, since at least February 2024. Targets span multiple industries and regions, including the U.S., Nigeria, Pakistan, Ecuador, Germany, the U.K., Poland, the Philippines, Norway, Japan and more, with users being lured into downloading files disguised as movie files via their web browsers.

Researchers have linked this activity to the CoralRaider threat actor group, attributing the campaign to several shared tactics with CoralRaider's Rotbot campaign, including the use of Windows Shortcut files and PowerShell decryptors. Researchers also identified a new PowerShell command-line argument embedded in the LNK file, enabling the bypass of antivirus products to download the final payload onto victims' hosts.

The threat actor employs a content delivery network (CDN) cache to store malicious files, using it as a download server to evade detection, with initial access likely occurring through phishing emails leading to malicious ZIP archives. Once executed, the malware steals various data, including system information, credentials, cryptocurrency wallets and financial details, with an updated version of CryptBot targeting password manager and authenticator application data.

Patch now: CrushFTP, Microsoft issue warnings on vulnerabilities

CrushFTP has issued urgent warnings to customers about a zero-day vulnerability, CVE-2024-4040, urging immediate patching. The vulnerability enables unauthenticated attackers to escape the virtual file system (VFS) and access system files, though DMZ perimeter network setups offer some protection. CrushFTP versions 10.7.1 and 11.1.0 include patches for this vulnerability, and users of version 9 are advised to upgrade to a secure release. Exploitation has been observed in targeted attacks, primarily against U.S. entities.

Meanwhile, Microsoft has raised alarms regarding the exploitation of a Windows Print Spooler vulnerability by the Russian APT28 threat group, using a previously unknown hacking tool dubbed GooseEgg. This tool allows the threat actors to launch and deploy additional malicious payloads with SYSTEM-level privileges.

Despite Microsoft fixing the CVE-2022-38028 vulnerability reported by the U.S. National Security Agency during the October 2022 Patch Tuesday, the company has not yet classified it as actively exploited in its advisory. Attackers use GooseEgg to drop malicious DLL files, gain persistence on compromised systems, and execute various commands, posing a significant threat to government, nongovernmental, education, and transportation sector organizations in Ukraine, Western Europe and North America, as observed by researchers.

United Nations agency investigates ransomware attack, data theft

The United Nations Development Programme (UNDP) is investigating a cyberattack following a breach of its IT systems that compromised human resources data. The UNDP operates in over 170 countries and territories with a goal to help eradicate poverty and fight inequality and exclusion.

The incident occurred in late March when threat actors infiltrated the local IT infrastructure at U.N. City, Copenhagen, as confirmed in a statement released by the organization, which revealed the theft of human resources and procurement information. Immediate actions were taken to contain the breach, assess the extent of data exposure, and identify affected individuals, with investigations ongoing to determine the incident's nature and impact.

While the UNDP has yet to attribute the attack to a specific threat group, the 8Base ransomware gang has claimed responsibility, posting UNDP-related documents on their dark web data leak site, exposing a wealth of sensitive information.