Security Roundup June 2024

June 2024: Biden Administration Bans Kaspersky, Polyfill Attack Impacts 110,000 Sites, FBI Finds 7,000 LockBit Keys, Ransomware Attack Impacts London Hospitals, and More!

Biden Administration Bans Kaspersky

The Biden administration has announced an impending ban on Kaspersky antivirus software and the distribution of software updates to US businesses and individuals, giving users until September 29, 2024, to find alternative security software.

The Department of Commerce’s Bureau of Industry and Security (BIS) announced a final determination prohibiting Kaspersky Lab, Inc., the US subsidiary of Russia-based antivirus software and cyber security company, from directly or indirectly providing antivirus software and cyber security products or services in the United States or to US persons.

The restriction prohibits the sale of Kaspersky products. It stops the business from providing antivirus and security updates to clients, requiring users to produce replacement software by the end of September. While Kaspersky has denied any links to the Russian government, the US government believes that owing to the Russian government’s cyber capabilities and capacity to influence Kaspersky’s activities, there is no way to reduce the risk short of altogether banning the company’s services in the United States.

Much of this stress stems from Kaspersky’s acquisition of classified security tools and exploits related to the Equation Group, considered the NSA’s cyber-operations section. Kaspersky said that its antivirus software had automatically retrieved the NSA files after discovering previously unknown but potentially harmful items. Antivirus providers frequently submit files suspected of being malicious to their servers for further analysis. However, the US government suspects Russian FSB operatives or other Kaspersky insiders utilised Kaspersky antivirus as an interactive search engine to scan computers worldwide for files of interest.

Since then, the US government has gradually restricted using Kaspersky software within federal agencies and, with today’s declaration, across the country. At midnight ET on September 29, 2024, Kaspersky or its agents will be forbidden from distributing software and antivirus updates to customers and running its Kaspersky Security Network (KSN) in the United States or on any US person’s devices.

Polyfill Attack Impacts 110,000 Sites

Polyfill, a code library created a decade ago to provide modern functionality on older browsers, was recently used by suspected Chinese attackers to hijack websites and redirect users to malicious scam sites. On June 25, 2024, the Sansec Forensics Team published research that the Polyfill project had been compromised by a foreign actor, which was identified as a Chinese-based company.

On February 24 2024, a company named ‘Funnull’ purchased the polyfill[.]io domain and service, and then began to deploy malicious JavaScript code to websites. Developers who had embedded the cdn[.]polyfill[.]io domain into scripts on their websites enabled attackers to pull the code directly from Funnull’s website and then redirect visitors to unwanted sites. Both Cloudflare and Fastlyset up mirrors would ensure that sites get code from a trusted source to prevent a potential supply-chain attack. Andrew Betts, the creator of the Polyfill service, now advises removing it immediately.

The domain is currently pointed at Cloudflare; however, this does not guarantee that the owners cannot point the domain elsewhere. Google has also started to warn advertisers that their landing pages feature malicious code.

FBI Finds 7,000 LockBit Keys

The FBI is urging former victims of LockBit ransomware attacks to come forward after announcing that it has received over 7,000 LockBit decryption keys that they may use to retrieve encrypted data for free. FBI Cyber Division Assistant Director Bryan Vorndran announced on Wednesday, June 5, 2024, during the Boston Conference on Cyber Security.

In a presentation, the FBI Cyber Assistant Director, Bryan Vorndran, stated, “From our ongoing disruption of LockBit, we now have over 7,000 decryption keys and can help victims reclaim their data and get back online”. This appeal to action comes after law authorities shut down LockBit’s infrastructure in February 2024 in a multinational operation known as “Operation Cronos.” At the time, investigators confiscated 34 servers storing more than 2,500 decryption keys, which were used to produce free LockBit 3.0 Black Ransomware decryptor.

After examining the obtained data, the UK’s National Crime Agency and the US Justice Department believe that the gang and its associates collected up to $1 billion in ransoms from 7,000 assaults on organisations worldwide between June 2022 and February 2024. Despite law enforcement efforts to take down its activities, LockBit remains online and has migrated to new servers and dark web domains. They are continuously seeking victims all over the world. In retribution for the recent infrastructure takedown by US and UK authorities, they have continued to release enormous volumes of old and fresh stolen data onto the dark web.

LockBit most recently claimed responsibility for the April 2024 hack on Canadian pharmaceutical business London Drugs following another law enforcement operation that doxxed the gang’s leader, a 31-year-old Russian national named Dmitry Yuryevich Khoroshev, who goes by the online handle “LockBitSupp”. In subsequent years, more Lockbit ransomware operators have been detained and charged, including Mikhail Vasiliev (November 2022), Ruslan Magomedovich Astamirov (June 2023), Mikhail Pavlovich Matveev alias Wazawaka (May 2023), Artur Sungatov, and Ivan Gennadievich Kondratiev nicknamed Bassterlord (February 2024). The US State Department is now offering a $10 million reward for any information that leads to the arrest or conviction of LockBit leadership and an additional $5 million reward for tips that lead to the arrest of LockBit ransomware affiliates.

Ransomware Attack Impacts London Hospitals

Following a ransomware attack on Synnovis, a third-party pathology service provider, operations at five major London hospitals were halted, and a serious incident was declared. The attack, discovered on Monday, June 3, prevented healthcare personnel from accessing critical pathology services, causing substantial disruptions in blood transfusions and other medical procedures.

Many healthcare organisations rely on Synnovis for critical services such as blood tests for transfusions. Ian Ebbs, CEO of Guy’s and St Thomas’ NHS Foundation Trust, confirmed the incident in internal correspondence, noting that the hospitals are currently cut off from Synnovis IT systems. The disruption has also affected the Royal Brompton and Harefield hospitals, King’s College Hospital NHS Foundation Trust, and primary care services throughout southeast London. The attack has resulted in appointment cancellations and patients being routed to other physicians, putting pressure on resources and perhaps leading to further serious events.

Ebbs expressed remorse for the situation, recognising the grief and frustration patients and their families felt. He stated that only urgent blood transfusions would be performed when essential, emphasising the severe implications for trauma patients.

Government authorities responded by coordinating efforts between the Department of Health and Social Care, NHS England, and the National Cyber Security Centre to investigate the cyber intrusion and assist affected organisations. The attack is among several ransomware instances targeting the UK healthcare industry, with 215 documented since January 2019.

The healthcare sector is especially vulnerable to such attacks, as proven by recent cases in which confidential patient data was publicised to extract money from healthcare organisations. Notable examples include the 2022 ransomware assault on Australian health provider Medibank, which compromised and then leaked confidential patient information.

In a statement, Mark Dollar, Synnovis’ CEO, confirmed the ransomware attack, admitting its impact on patients at Guy’s and St Thomas’ NHS Foundation Trust, King’s College Hospitals NHS Trust, and GP services in multiple London districts. Dollar stated that IT Security specialists are working to assess and mitigate the impact. He apologised for the inconvenience and highlighted the company’s commitment to cybersecurity despite the terrible fact that such assaults can harm anyone.

Some of This Month’s Other Vulnerabilities

Microsoft Patch Tuesday

Our partners at CrowdStrike reported that Microsoft’s latest Patch Tuesday rollout, in June 2024, contained security updates for 51 vulnerabilities. These patches address one previously disclosed zero-day vulnerability affecting the DNS protocol (CVE-2023-50868) and one Critical vulnerability (CVE-2024-30080) affecting Microsoft Message Queuing (MSMQ).

Progress Software MOVEit Transfer and MOVEit Gateway

Progress has issued a security update addressing two critical vulnerabilities in the SFTP module of its MOVEit Transfer and MOVEit Gateway. MOVEit, a secure file transfer management tool, was found to have an improper authentication flaw in MOVEit Transfer, identified as CVE-2024-5806, with a CVSSv3 score of 9.1, allowing for authentication bypass. Similarly, the vulnerability CVE-2024-5805 in MOVEit Gateway also scored 9.1, which can result in an authentication bypass due to improper authentication.

Progress Software has released guidance for CVE-2024-5805 and CVE-2024-5806.

PHP Critical Vulnerability

DEVCORE has identified a critical security vulnerability in PHP versions running on the Microsoft Windows operating system. PHP, a popular open-source scripting language commonly used in web development and easily embedded into HTML, is affected by the CGI argument injection vulnerability CVE-2024-4577, which has a CVSSv3.1 score of 9.8. This flaw could allow attackers to execute arbitrary PHP code on compromised systems. Proof-of-concept code has been released, which exploits the vulnerability.

Impacted organisations are advised to review the DEVCORE security alert and implement the recommended remediation measures.

That wraps up this month’s security roundup!