This Week in Cyber 28th March 2024

Analyst Insight

This week's cyber news highlights several concerning developments. The UK's Communications Workers Union, representing pivotal sectors like technology and telecommunications, faces a suspected breach, raising alarms about data security. Additionally, NHS Scotland falls victim to ransomware, with the ransom gang INC claiming a staggering theft of three terabytes of data. Moreover, critical vulnerabilities have surfaced in Fortinet, Ivanti, and Nice systems, prompting urgent calls from CISA and the FBI to address SQL injection risks. Microsoft's SharePoint also draws attention due to a critical flaw; Microsoft have stated that this vulnerability has been patched however there has been evidence of ongoing exploitation. Further compounding the security landscape is 'ShadowRay,' exposing insufficient authorisation protocols in the Ray Jobs API. Notably, the Ray framework developers have yet to acknowledge this threat, resulting in prolonged exploitation. This week's focus on new vulnerabilities underscores the critical need for robust patch management protocols across organisations.

Cyberattack Hits UK's Communications Workers Union: Evaluation and Response Underway

The Communications Workers Union (CWU), representing various sectors including tech and telecoms in the UK, is grappling with a cyberattack initially mistaken for an IT outage. The extent of the attack is still under evaluation. Third-party cybersecurity experts are on-site since March 21, investigating the incident. While the CWU confirmed the attack, the full scope, including potential data breaches, remains unclear. The ICO has been notified, and investigations are ongoing. Despite claims of compromised data and corrupted backups, regional CWU secretaries were unaware of any security breach beyond email outages. The incident underscores the importance of robust backup protocols. 

NHS Scotland Targeted in Ransomware Attack by INC Ransom Cybercriminal Gang

NHS Scotland, a vital healthcare system serving 5.4 million residents, has reportedly fallen victim to a ransomware attack by the INC Ransom gang. The cybercriminals claim to have stolen three terabytes of sensitive data and have posted evidence, including hospital reports and clinical documents, on their dark web blog. Despite the breach, NHS Scotland has not yet provided a response. This attack follows a recent breach of the Dumfries and Galloway health board, highlighting the vulnerability of the Scottish public healthcare system. INC Ransom, a known multi-extortion group, has targeted various sectors, including healthcare, education, and government, with at least 65 organisations affected in the past year.

Critical Cybersecurity Vulnerabilities: Recent Exploits and Mitigation Urgency

CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalogue, including CVE-2023-48788 affecting Fortinet FortiClient EMS, CVE-2021-44529 affecting Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA), and CVE-2019-7256 affecting Nice Linear eMerge E3-Series. Fortinet confirmed active exploitation, Ivanti's flaw may have originated as an intentional backdoor, and Nice addressed the flaw after exploitation by threat actors. Federal agencies must apply vendor-provided mitigations by April 15, 2024. CISA and FBI issued a joint alert urging software manufacturers to mitigate SQL injection flaws, citing the exploitation of CVE-2023-34362 by the Cl0p ransomware gang. Despite awareness, manufacturers continue to develop products with SQL injection vulnerabilities, putting customers at risk.

CISA Alert: Active Exploitation of Critical Microsoft SharePoint Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding an actively exploited vulnerability in Microsoft SharePoint Server, marked as CVE-2023-24955, with a severity rating of 7.2. This critical flaw enables authenticated attackers with Site Owner privileges to execute arbitrary code remotely on the SharePoint Server. Despite Microsoft addressing the vulnerability in its May 2023 Patch Tuesday updates, evidence of ongoing exploitation has prompted CISA to include it in its Known Exploited Vulnerabilities (KEV) catalogue. Notably, this follows CISA's recent addition of CVE-2023-29357, a privilege escalation flaw in SharePoint Server, to its KEV catalogue. While the specific threat actors behind these exploits remain unidentified, federal agencies have been mandated to apply the necessary patches by April 16, 2024, to mitigate the risk of network compromise.

ShadowRay: AI Framework’s Critical Flaw

The ‘ShadowRay’ vulnerability, catalogued as CVE-2023-48022, presents a significant security challenge within the Ray framework, a system pivotal for scaling AI operations. Originating from insufficient authorisation protocols in the Ray Jobs API, this vulnerability opens the door for unauthorised remote code execution and data access. The breach has been exploited in various sectors, including education, cryptocurrency, and biopharma, leading to widespread concern.

Compounding the issue is the disputed nature of CVE-2023-48022, with Anyscale (the developers behind Ray) yet to acknowledge it as a threat. Consequently, the flaw remains unaddressed, leaving numerous Ray servers vulnerable to exploitation. This has resulted in unauthorised control over computational resources and data leaks. The ongoing exploitation, now at seven months, eludes detection by static security scans, creating a critical oversight for security teams.