SecureFact - Cyber Security News - Week of December 23, 2024
Data Breaches
1. Krispy Kreme breach, data theft claimed by Play ransomware gang
The Play ransomware gang has claimed responsibility for a cyberattack on Krispy Kreme that occurred in November 2024, leading to disruptions in the company's online ordering system. Krispy Kreme reported unauthorized activity on its IT systems on November 29 and subsequently hired external cybersecurity experts to assess the breach's impact and scope. The company acknowledged operational disruptions, particularly affecting online orders, and assured customers that in-store purchases remained unaffected. In an SEC filing dated December 11, Krispy Kreme detailed the incident but has not provided further specifics. The Play ransomware group alleges that they stole sensitive data, including personal and financial information, and threatened to publish this data soon. The Play ransomware operation has been active since June 2022, employing double-extortion tactics to pressure victims into paying ransoms to prevent data leaks.
2. Ascension: Health data of 5.6 million stolen in ransomware attack
Ascension Health, one of the largest private healthcare systems in the U.S., has reported a significant data breach affecting over 5.6 million patients and employees due to a ransomware attack linked to the Black Basta group. The breach, which occurred on May 8, 2024, involved unauthorized access to sensitive personal and health information, including medical records, payment details, insurance information, and government IDs. Following the attack, Ascension is notifying the affected individuals via postal mail and is offering 24 months of free identity theft protection services. The healthcare system's investigation revealed that the breach was initiated by an employee who accidentally downloaded a malicious file. This incident disrupted Ascension’s MyChart electronic health records system and necessitated a temporary shutdown of certain operations, forcing staff to revert to paper records for patient care.
3. BeyondTrust says hackers breached Remote Support SaaS instances
BeyondTrust, a cybersecurity company specializing in Privileged Access Management, reported a cyberattack that occurred in early December 2024, affecting its Remote Support SaaS instances. The breach was detected on December 2, when the company noticed "anomalous behavior" within its network. An investigation revealed that hackers had compromised an API key for Remote Support SaaS, enabling them to reset passwords for local application accounts. Following the discovery, BeyondTrust revoked the compromised API key and notified affected customers while suspending the impacted instances. They also provided alternative Remote Support SaaS instances to those customers. It remains unclear whether the attackers exploited these instances to breach downstream customers. During the investigation, BeyondTrust identified two vulnerabilities: CVE-2024-12356, a critical command injection flaw allowing unauthenticated attackers to execute operating system commands, and CVE-2024-12686, a medium-severity vulnerability that permits admin users to inject commands and upload malicious files.
4. Telecom Namibia Hit by Massive Cyberattack: Over 400,000 Files Leaked
Telecom Namibia experienced a significant cyberattack on December 11, 2024, resulting in the leak of over 400,000 customer files. The attack was attributed to the ransomware group Hunters International, which exfiltrated approximately 626.3GB of data, including sensitive personal information such as identification details and banking information. Following the breach, the attackers threatened to release the stolen data unless their ransom demands were met, leading to the public circulation of hundreds of sensitive records after the ransom deadline passed. In response, Telecom Namibia's CEO, Stanley Shanapinda, assured the public of the company's commitment to addressing the situation responsibly and highlighted ongoing efforts to enhance cybersecurity measures. The Communications Regulatory Authority of Namibia (Cran) expressed serious concerns regarding the incident, emphasizing the need for improved cybersecurity practices in the country.
5. Texas Tech Fumbles Medical Data in Massive Breach
Texas Tech University Health Sciences Center recently experienced a significant data breach, where cyber attackers accessed sensitive patient information. The breach involved the theft of a substantial amount of medical data, prompting the institution to initiate its incident response protocols. The university is now working to mitigate the impact of this breach and protect the affected individuals' data.
Malware and Vulnerabilities
1. Fortinet warns of FortiWLM bug giving hackers admin privileges
Fortinet has issued a warning about a critical vulnerability in its FortiWLM (Fortinet Wireless LAN Manager) software that allows unauthenticated remote attackers to read sensitive files through specially crafted web requests, which can be leveraged to obtain administrator privileges on the device. The flaw, identified as CVE-2023-34990, has a severity score of 9.8 and is classified as a relative path traversal vulnerability. It affects FortiWLM versions 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4. Fortinet shipped fixes in versions 8.6.6 and 8.5.5 in September 2023, but only published an advisory for the issue now, so administrators still running an affected 8.5 or 8.6 release should upgrade.
2. Apache fixes remote code execution bypass in Tomcat web server
Apache has released a fix for a remote code execution flaw in its Tomcat web server after the original patch proved incomplete. The underlying issue, CVE-2024-50379, is a time-of-check to time-of-use (TOCTOU) race during JSP compilation on case-insensitive file systems: when the default servlet is write-enabled (its readonly init-param set to the non-default value of false), concurrent uploads and reads of the same path can cause an uploaded file to be compiled and executed as a JSP. The follow-up, CVE-2024-56337, records that the mitigation is incomplete on its own and that deployments on Java 8 or Java 11 must also explicitly set the system property sun.io.useCanonCaches to false (on Java 17 the property, if set, must not be true; on Java 21 and later it has been removed). Affected versions are 11.0.0-M1 to 11.0.1, 10.1.0-M1 to 10.1.33, and 9.0.0.M1 to 9.0.97; users should upgrade to 11.0.2, 10.1.34 or 9.0.98 and apply the system property setting where their Java version requires it.
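The Tomcat announcement for this December 2024 fix (CVE-2024-50379 and its incomplete-mitigation follow-up CVE-2024-56337) names two deployment conditions that can be checked mechanically: whether the default servlet is write-enabled, and whether the sun.io.useCanonCaches system property is set correctly for the Java version in use. The Python below is added here as an illustration and is not code from the article or from the Apache Tomcat project. The init-param name readonly and the class org.apache.catalina.servlets.DefaultServlet are real Tomcat identifiers; the web.xml fragments and JVM option lists are constructed for the example, and the function names are my own.

```python
"""Check a Tomcat deployment against the preconditions listed for
CVE-2024-50379 / CVE-2024-56337 (added example, not Tomcat project code).

Rules applied (from the Tomcat security announcement):
  1. Exposure requires the default servlet to be write-enabled
     (init-param "readonly" = "false"; Tomcat's default is true)
     on a case-insensitive file system.
  2. Java 8/11: -Dsun.io.useCanonCaches=false must be set explicitly.
     Java 17:   the property, if set, must not be "true" (default false).
     Java 21+:  the property has been removed; nothing to set.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"
CANON_CACHES_OPT = "-Dsun.io.useCanonCaches="

# Constructed sample: a conf/web.xml that turns on PUT/DELETE for the default servlet.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: the same servlet with the readonly override removed (default is true).
HARDENED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so Tomcat 9 (javaee) and 10/11 (jakartaee) files both parse."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local tag name, or ''."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def default_servlet_readonly(web_xml):
    """Effective 'readonly' value of the default servlet.

    Mirrors DefaultServlet.init(): a missing param means true; a present
    param is parsed like Boolean.parseBoolean, i.e. only "true" (any case) is true.
    """
    root = ET.fromstring(web_xml)
    for elem in root.iter():
        if _local(elem.tag) != "servlet":
            continue
        is_default = (_child_text(elem, "servlet-name") == "default"
                      or _child_text(elem, "servlet-class") == DEFAULT_SERVLET_CLASS)
        if not is_default:
            continue
        for param in elem:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                return _child_text(param, "param-value").lower() == "true"
    return True


def canon_caches_ok(java_major, jvm_opts):
    """Apply the per-Java-version rule for sun.io.useCanonCaches (last -D flag wins)."""
    value = None
    for opt in jvm_opts:
        if opt.startswith(CANON_CACHES_OPT):
            value = opt[len(CANON_CACHES_OPT):].strip().lower()
    if java_major >= 21:
        return True                 # property removed from the JDK
    if java_major >= 17:
        return value != "true"      # defaults to false; must not be switched on
    return value == "false"         # Java 8/11: defaults to true, must be set explicitly


def assess(web_xml, java_major, jvm_opts, case_insensitive_fs):
    """Return a list of findings; an empty list means the advisory's preconditions are not met."""
    findings = []
    if not default_servlet_readonly(web_xml) and case_insensitive_fs:
        findings.append("default servlet is write-enabled (readonly=false) on a "
                        "case-insensitive file system: upgrade to a fixed Tomcat release")
        if not canon_caches_ok(java_major, jvm_opts):
            findings.append("Java %d: add -Dsun.io.useCanonCaches=false to the JVM options"
                            % java_major)
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, assess(xml, 11, [], case_insensitive_fs=True))
```

Point it at a real conf/web.xml (and any per-application WEB-INF/web.xml that redefines the default servlet) together with the JVM flags from setenv.sh or CATALINA_OPTS; a Windows or macOS host is the case-insensitive case. An empty result means the race cannot be triggered through the default servlet, but upgrading to the fixed release is still the only complete remedy.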