Weekly Security News – 9th December 2024

High impact vulnerability affects Cisco switches, BT targeted by ransomware, cyber attack affects Liverpool hospitals...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Veeam Releases Updates for Service Provider Console and Backup & Replication

Veeam has released updates addressing one critical and one high severity vulnerability in Service Provider Console. Nine further high severity vulnerabilities, eight in Backup & Replication and one in Veeam Agent for Microsoft Windows, were also addressed. A few vulnerabilities of note are listed below. Two vulnerabilities affect Veeam Service Provider Console:

  • CVE-2024-42448 has a CVSSv3 score of 9.9 and could allow an attacker with low privileges to achieve remote code execution (RCE) on the VSPC server machine.
  • CVE-2024-42449 has a CVSSv3 score of 7.1 and could allow an attacker with low privileges to leak the NTLM hash of the VSPC server service account and delete files on the VSPC server.

Eight further high severity vulnerabilities affect Veeam Backup & Replication, of which four are highlighted:

  • CVE-2024-40717 has a CVSSv3 score of 8.8 and could allow an authenticated attacker with a role assigned in the ‘Users and Roles settings’ on the backup server to execute a script with elevated privileges.
  • CVE-2024-42452 has a CVSSv3 score of 8.8 and could allow an authenticated attacker to remotely upload files to connected ESXi hosts.
  • CVE-2024-42453 has a CVSSv3 score of 8.8 and could allow an authenticated attacker to modify the configuration of connected virtual infrastructure hosts.
  • CVE-2024-42456 has a CVSSv3 score of 8.8 and could allow an authenticated attacker to gain access to privileged methods and control critical services.

One further vulnerability affects Veeam Agent for Microsoft Windows.

  • CVE-2024-45207 has a CVSSv3 score of 7.0 and could lead to a DLL injection attack when the PATH environment variable is altered to include directories where an attacker can write files.
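The precondition behind CVE-2024-45207 is a PATH that contains a directory a low-privileged user can write to. The following audit script is an added example written for this newsletter, not Veeam’s code or part of the advisory: it splits a Windows-style PATH value, then flags entries that are relative (they resolve against the current working directory), missing (an attacker who can create the directory gains the same foothold), or writable. The sample PATH value and the `is_writable` / `exists` callbacks used in the demo are constructed for illustration; on a real host the defaults fall back to `os.access` and `os.path.isdir`.

```python
"""Audit a Windows PATH value for DLL-search-order risk (added example, not Veeam code)."""
from __future__ import annotations

import ntpath
import os
from typing import Callable, List, Tuple


def parse_path(path_value: str, sep: str = os.pathsep) -> List[str]:
    """Split a PATH string into entries, dropping empties and surrounding quotes.

    sep defaults to the host's separator; pass ';' explicitly when auditing a
    Windows PATH value from a non-Windows analysis box.
    """
    entries = []
    for raw in path_value.split(sep):
        entry = raw.strip().strip('"')
        if entry:
            entries.append(entry)
    return entries


def default_is_writable(directory: str) -> bool:
    """First-pass writability check.

    Caveat: on Windows, os.access(W_OK) only honours the read-only attribute,
    not the directory ACL. Confirm any hit with `icacls <dir>` or Get-Acl.
    """
    return os.access(directory, os.W_OK)


def audit_path(
    entries: List[str],
    is_writable: Callable[[str], bool] = default_is_writable,
    exists: Callable[[str], bool] = os.path.isdir,
) -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs for PATH entries that weaken DLL loading.

    Reasons, checked in order:
      relative  - not an absolute Windows path; resolves against the CWD
      missing   - directory does not exist, so it could be created by a user
      writable  - exists and the current user can write into it
    """
    findings = []
    for entry in entries:
        if not ntpath.isabs(entry):          # ntpath so the check is Windows-correct anywhere
            findings.append((entry, "relative"))
        elif not exists(entry):
            findings.append((entry, "missing"))
        elif is_writable(entry):
            findings.append((entry, "writable"))
    return findings


# Constructed sample PATH value for the demo; the directories are illustrative.
SAMPLE_PATH = r'C:\Windows\system32;"C:\Program Files\Veeam";C:\Users\Public\tools;C:\Missing;;.'


def demo() -> List[Tuple[str, str]]:
    """Run the audit on SAMPLE_PATH with stubbed filesystem callbacks (constructed)."""
    entries = parse_path(SAMPLE_PATH, sep=";")
    # Stubs stand in for the real filesystem so the demo is deterministic offline.
    fake_exists = lambda p: p != r"C:\Missing"
    fake_writable = lambda p: p == r"C:\Users\Public\tools"
    return audit_path(entries, is_writable=fake_writable, exists=fake_exists)


if __name__ == "__main__":
    for entry, reason in demo():
        print(f"{reason:8} {entry}")
    # On a live Windows host you would instead run:
    #   audit_path(parse_path(os.environ["PATH"]))
```

Any `writable` or `missing` hit for a directory that precedes the application’s own install directory in PATH is the condition to remediate: tighten the ACL, remove the entry, or pin it behind the trusted system directories.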

Bootloader Vulnerability Impacts Over 100 Cisco Switches

Cisco on Wednesday announced patches for a vulnerability in the NX-OS software’s bootloader that could allow attackers to bypass image signature verification. Tracked as CVE-2024-20397, the high-impact security defect exists due to insecure bootloader settings that enable an attacker to execute specific commands to bypass the verification process and load unverified software. While authentication is not required for successful exploitation of the flaw, physical access is, Cisco notes in its advisory. The bug can also be exploited by an authenticated, local attacker with administrative privileges. According to Cisco, the issue is only relevant for its MDS, Nexus, and UCS Fabric Interconnect products that support secure boot, and not for legacy devices without the feature. In total, the company’s advisory lists more than 100 device models that are impacted. The tech giant says that this vulnerability affects all MDS 9000 series multilayer switches, Nexus 3000 and 7000 series switches, Nexus 9000 series fabric switches in ACI mode, Nexus 9000 series switches in standalone NX-OS mode, and UCS 6400 and 6500 series fabric interconnects. Cisco notes that there are no workarounds available for this security defect. However, the company has released several NX-OS software updates to patch the flaw across the affected product series and plans to roll out updates for all devices by the end of this month.

Cyber Attacks

BT unit took servers offline after Black Basta ransomware breach

British telecommunications behemoth BT Group confirmed that it was recently targeted by the ransomware actors known as Black Basta. The group targeted its Conferencing business division, and even forced it to shut down parts of its infrastructure. The results of the attack are up for debate, however, since BT claimed very little damage was done, with Black Basta saying the exact opposite. “We identified an attempt to compromise our BT Conferencing platform. This incident was restricted to specific elements of the platform, which were rapidly taken offline and isolated,” BT told BleepingComputer in a statement. “The impacted servers do not support live BT Conferencing services, which remain fully operational, and no other BT Group or customer services have been affected”. But Black Basta begs to differ. The group claims to have stolen 500GB of sensitive data in the attack, including financial and organizational data, “users and personal docs,” NDA agreements, confidential information, and then some. To support their claims, the group released document screenshots, folder listings, and more. It also said it would be leaking the files soon if the company does not pay the ransom demand. We don’t know how much money Black Basta is asking for. “We’re continuing to actively investigate all aspects of this incident, and we’re working with the relevant regulatory and law enforcement bodies as part of our response,” the BT Group spokesperson concluded.

Single cyberattack impacted three Liverpool hospitals

The cyberattack that hit Alder Hey Children’s NHS Foundation Trust last week impacted three different NHS organisations through a shared service. As well as Alder Hey, Liverpool Heart and Chest Hospital (LHCH) and the Royal Liverpool University Hospital (RLUH) were both impacted. The attack, which occurred on 28th November, targeted a shared digital gateway used by Alder Hey and LHCH. Preliminary findings suggest that a small amount of data from RLUH was also compromised. “Criminals gained unlawful access to data through a digital gateway service shared by Alder Hey and Liverpool Heart and Chest Hospital,” the Trust said. “This has resulted in the attacker unlawfully getting access to systems containing data from Alder Hey Children’s NHS Foundation Trust, Liverpool Heart and Chest Hospital, and a small amount of data from Royal Liverpool University Hospital”. The Trust said it is working to uncover the full extent of the breach, which was announced last week, including the specific data that was accessed. However, the investigation is expected to take “some time,” raising concerns that the attackers could release the data publicly in the interim. The ransomware group INC, known for targeting healthcare organisations, has claimed responsibility for the attack. Screenshots allegedly showing sensitive information extracted from the breached systems have already been published online. The leaked data includes a range of personal information, such as names, addresses, medical records, and financial details.

In Other News...

Abuse of Cloudflare domains for phishing doubled in 2024, report says

Cloudflare developer domains are being actively abused by threat actors for a range of malicious purposes, as reported by security analysts at FORTRA. Recent investigations have uncovered a significant surge in attacks targeting Cloudflare Pages and Cloudflare Workers, two popular platforms used by developers for web deployment and serverless computing. The abuse of Cloudflare’s services has seen a dramatic increase, with phishing attacks on Cloudflare Pages rising by 198% from 2023 to mid-October 2024. Similarly, FORTRA analysts noted that Cloudflare Workers experienced a 104% surge in phishing incidents during the same period. Attackers are leveraging Cloudflare’s infrastructure to create convincing phishing sites and execute various malicious activities:

  • Phishing Redirects: Cybercriminals use Cloudflare Pages to host deceptive links that redirect victims to credential theft pages.
  • Human Verification Pages: Attackers deploy fake verification pages using Cloudflare Workers to add a layer of legitimacy to their phishing attempts.
  • Email Concealment: The use of BCC foldering in phishing campaigns helps mask the scale of attacks.

As the cyber threat landscape evolves, it’s crucial for both users and service providers to stay informed and proactive in combating these sophisticated attacks targeting trusted platforms.

AWS Launches Incident Response Service

AWS on Sunday announced a new service that provides organizations with quick and effective security incident management capabilities. The new Security Incident Response, AWS says, relies on automation to triage and analyze security signals from Amazon GuardDuty and integrated third-party detection solutions through the AWS Security Hub cloud security posture management service. With Security Incident Response, customers receive comprehensive support across the incident response lifecycle, benefiting from communication and coordination, and continuous assistance from the AWS Customer Incident Response Team (CIRT). “The service is purpose-built to help customers prepare for, respond to, and recover from various security events, including account takeovers, data breaches, and ransomware attacks,” AWS explains. The new service, AWS says, automatically triages security findings and filters them based on customer-specific information to identify incidents that require immediate attention and deliver critical alerts to security teams. To simplify incident response, it provides preconfigured notification rules and permission settings and offers access to a central console with integrated features accessible through the service APIs or the AWS Management Console.