Weekly Cyber Reports

This Week in Cyber 7th June 2024

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

6th June, 2024


Analyst Insight

This week in cyber security saw a range of significant threats impacting various sectors. Microsoft warned of a surge in cyber-attacks on internet-exposed operational technology (OT) devices, urging improved security practices. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlighted an actively exploited Oracle WebLogic Server flaw used by the 8220 Gang for cryptojacking. TikTok faced a zero-day exploit targeting celebrity accounts, adding to its security woes. The Muhstik botnet resurfaced, exploiting Apache RocketMQ vulnerabilities to infect IoT devices. Lastly, a ransomware attack on Synnovis disrupted London hospitals, emphasising the severe impact of cyber-attacks on healthcare. These events underscore the critical need for robust cyber security measures across all industries.

Microsoft Warns of Surge in Cyber Attacks Targeting Internet-Exposed OT Devices

Microsoft has reported a marked increase in attacks on internet-exposed operational technology (OT) devices since late 2023 and is urging operators to secure these environments, which frequently lack even basic security controls. A successful intrusion can let an attacker tamper with physical industrial processes, causing malfunctions and outages. The risk is compounded by weak or default passwords and unpatched, often end-of-life software, which make exposed devices easy targets. Recent advisories from Rockwell Automation and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), urging operators to disconnect industrial control systems that were never designed for internet exposure, underline that the threat is global and heightened by current geopolitical tensions. Microsoft's recommendations are to reduce the attack surface (know what OT assets you have, remove direct internet connectivity where it is not needed, change default credentials and patch) and to apply zero trust principles, such as segmentation and least-privilege access, to what remains exposed.


Critical Oracle WebLogic Server Flaw Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw in Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) catalog on the basis of evidence of active exploitation. The vulnerability, CVE-2017-3506 (CVSS 7.4), allows an attacker without credentials to execute arbitrary code on a vulnerable server by sending a specially crafted HTTP request whose body carries a malicious XML document. Oracle fixed it in 2017, so any server that is exploitable today has gone unpatched for years. The flaw has been used by the cryptojacking group 8220 Gang to compromise unpatched servers and enlist them in a cryptocurrency-mining botnet; the gang relies on obfuscation and fileless malware to evade detection. Under the KEV directive, federal civilian agencies must remediate by June 24, 2024, and organisations outside its scope would do well to treat that as their deadline too.
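The exploitation pattern for this flaw has been public since 2017: an HTTP POST to WebLogic's WLS-WSAT web service (for example /wls-wsat/CoordinatorPortType) whose SOAP WorkContext header carries a java.beans.XMLDecoder document that builds a command-execution object. The Python below is an added example, not code from this report, CISA or Oracle. It scores constructed request records (not real traffic) against that shape, so the same logic can be run over proxy or WAF logs that retain request bodies. It goes slightly beyond the paragraph by also matching the `<void>`/`<array>` construction used by CVE-2017-10271, the later bypass of Oracle's fix for this flaw; the weights and threshold are the author's assumptions, not a vendor signature.

```python
"""Flag CVE-2017-3506-style XMLDecoder payloads aimed at Oracle WebLogic.

Added example, not code from this report, CISA or Oracle. The request
records below are constructed samples, not captured traffic; the command
an attacker would run is elided.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Signals and (assumed) weights. Normal WS-AT traffic hits the path alone
# (score 2) and a harmless mention of an exec class scores 2, so neither
# reaches the threshold; an XMLDecoder document in any body does (score 3).
WSAT_PATH = re.compile(r"^/wls-wsat/", re.IGNORECASE)
XMLDECODER = re.compile(r"java\.beans\.XMLDecoder", re.IGNORECASE)
# <object> was blocked by Oracle's CVE-2017-3506 fix; the CVE-2017-10271
# bypass switched to <void>/<array>, so the rule matches all three.
DECODER_TAGS = re.compile(r"<(object|void|array)\b", re.IGNORECASE)
EXEC_CLASSES = re.compile(r"java\.lang\.(ProcessBuilder|Runtime)\b", re.IGNORECASE)
THRESHOLD = 3

SOAP_OPEN = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
WORK_OPEN = '<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
WORK_CLOSE = '</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>'

# Constructed sample requests: two attack shapes, two benign requests.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {   # original CVE-2017-3506 shape: <object> construction
        "src": "198.51.100.23", "method": "POST", "path": "/wls-wsat/CoordinatorPortType",
        "body": SOAP_OPEN + WORK_OPEN
        + '<java version="1.8.0" class="java.beans.XMLDecoder">'
        + '<object class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1">'
        + '<void index="0"><string>COMMAND_ELIDED</string></void></array></object></java>'
        + WORK_CLOSE,
    },
    {   # legitimate WS-AT coordinator call, same endpoint, no decoder document
        "src": "10.0.0.5", "method": "POST", "path": "/wls-wsat/CoordinatorPortType",
        "body": SOAP_OPEN + '<soapenv:Body><wsat:Prepare '
        + 'xmlns:wsat="http://docs.oasis-open.org/ws-tx/wsat/2006/06"/></soapenv:Body></soapenv:Envelope>',
    },
    {   # unrelated application traffic that merely mentions an exec class
        "src": "10.0.0.8", "method": "POST", "path": "/api/notes",
        "body": "Reminder: replace java.lang.Runtime.exec with ProcessBuilder in the build script",
    },
    {   # CVE-2017-10271 bypass shape: <void> construction on another WS-AT endpoint
        "src": "203.0.113.9", "method": "POST", "path": "/wls-wsat/ParticipantPortType",
        "body": SOAP_OPEN + WORK_OPEN
        + '<java version="1.8.0" class="java.beans.XMLDecoder">'
        + '<void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1">'
        + '<void index="0"><string>COMMAND_ELIDED</string></void></array></void></java>'
        + WORK_CLOSE,
    },
]


@dataclass
class Finding:
    src: str
    path: str
    score: int
    reasons: List[str]


def score_request(req: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when the request looks like an XMLDecoder attack, else None."""
    score, reasons = 0, []
    body = req.get("body", "")
    if req.get("method", "").upper() == "POST" and WSAT_PATH.search(req.get("path", "")):
        score += 2
        reasons.append("POST to WLS-WSAT endpoint")
    if XMLDECODER.search(body):
        score += 3
        reasons.append("java.beans.XMLDecoder document in body")
        if DECODER_TAGS.search(body):   # only meaningful inside a decoder document
            score += 1
            reasons.append("object/void/array construction inside decoder document")
    if EXEC_CLASSES.search(body):
        score += 2
        reasons.append("java.lang.ProcessBuilder/Runtime referenced")
    if score < THRESHOLD:
        return None
    return Finding(req.get("src", "?"), req.get("path", "?"), score, reasons)


def scan(requests: List[Dict[str, str]]) -> List[Finding]:
    """Score every request and keep those that cross the threshold."""
    return [f for f in (score_request(r) for r in requests) if f is not None]


def flagged_sources(requests: List[Dict[str, str]]) -> List[str]:
    """Distinct source addresses worth blocking or investigating."""
    return sorted({f.src for f in scan(requests)})


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(f"{finding.src} {finding.path} score={finding.score}: {'; '.join(finding.reasons)}")
```

Detection of this kind is a compensating control, not a fix: a WebLogic instance that still accepts XMLDecoder documents on /wls-wsat/ needs Oracle's 2017 patch applied, and the WS-AT endpoint removed from the internet if it is not actually used.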


Zero Click Exploit Targets Celebrity TikTok Accounts

A zero-day flaw in TikTok's direct messaging feature has been exploited to hijack targeted accounts. The attack is reported to be zero-click: receiving a malicious message was enough to compromise the account, with no link opened or file downloaded. TikTok said only a "very small" number of accounts were affected, primarily those of celebrities and brands, and that it has taken steps to stop the attack and is working with affected owners to restore access. The incident adds to a difficult period for the platform, following the US legislation passed in April that requires ByteDance to divest TikTok or face a ban in the United States.


Yet Another Major Botnet Detected

In the latest instance of the resurgence in botnet activity, the Muhstik botnet has been observed exploiting a known, already-patched flaw in Apache RocketMQ to infect new servers. Muhstik first appeared in 2018 and has targeted IoT devices and Linux servers ever since, typically by exploiting known vulnerabilities and brute-forcing SSH logins. Frequent readers of this report may recall that the UK's Product Security and Telecommunications Infrastructure (PSTI) requirements came into force in April 2024, banning universal default passwords on consumer connectable devices. Muhstik relies on more than default credentials, but many active botnets do not, and those could be cut off by measures as simple as the ones the UK has now mandated; the RocketMQ case adds the other half of the lesson, that an exposed service must be patched promptly once a fix is available.


London Hospitals Hit by Ransomware

Earlier this week, a ransomware attack hit Synnovis, a pathology services provider to NHS hospitals in south-east London. On Tuesday, Synnovis reported that all of its IT systems had been affected, interrupting its pathology services. Departments across several London hospitals had to cancel operations and appointments, with blood transfusions particularly affected. Other industries suffer significant damage from such attacks, but the impact on healthcare is uniquely severe: the cost is not only financial, it is measured in patient harm. That same urgency is why criminals judge healthcare targets more likely to pay, which keeps these attacks lucrative.

