Reading view
Weekly Vulnerability Report: Critical Flaws Identified by Cyble in Microsoft, Adobe, MOVEit & More
The Week’s Top Vulnerabilities
These are the 10 high-severity and critical vulnerabilities Cyble researchers focused on this week.CVE-2024-5276
Impact Analysis: This critical SQL Injection vulnerability in Fortra FileCatalyst Workflow, a web-based file transfer platform accelerating large file exchanges, allows an attacker to modify application data, with likely impacts including the creation of administrative users and deletion or modification of data in the application database. It is worth noting that data exfiltration via SQL injection is not possible by leveraging the vulnerability; further successful unauthenticated exploitation requires a Workflow system with anonymous access enabled; otherwise, an authenticated user is required. Internet Exposure? No Patch Available? YesCVE-2024-5806
Impact Analysis: This critical improper authentication vulnerability impacts Progress MOVEit Transfer (SFTP module), which can lead to authentication bypass in the secure managed file transfer application. With successful exploitation, an attacker could access sensitive data stored on the MOVEit Transfer server; upload, download, delete, or modify files; and intercept or tamper with file transfers. Within a day of the vendor disclosing the vulnerability, security researchers started to observe exploitation attempts targeting it due to its vast exposure and impact, Cyble researchers noted. Patch Available? YesCVE-2024-0762
Impact Analysis: This high-severity buffer overflow vulnerability impacts unsafe UEFI variable handling in Phoenix SecureCore, an advanced UEFI firmware solution developed for client PCs, notebooks, and IoT/embedded devices. The vulnerability could be exploited to execute code on vulnerable devices. Furthermore, given the enormous number of Intel CPUs that use this firmware, the vulnerability might affect hundreds of models from vendors, including Lenovo, Dell, Acer, and HP, Cyble researchers noted. Internet Exposure? No Patch Available? YesCVE-2024-34102
Impact Analysis: This critical improper restriction of XML external entity reference ('XXE') vulnerability impacts Adobe Commerce, a leading digital commerce solution for merchants and brands. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities, leading to arbitrary code execution. Patch Available? YesCVE-2024-28995
Impact Analysis: The high severity directory transversal vulnerability impacts SolarWinds Serv-U, a secure managed file transfer (MFT) solution. Successful exploitation of the vulnerability could allow threat actors access to read sensitive files on the host machine. Recently researchers have observed active exploitation of vulnerability leveraging publicly available proof-of-concept (PoC) exploits. Patch Available? YesCVE-2017-11882
Impact Analysis: The high-severity vulnerability impacts Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016. It could allow an attacker to run arbitrary code in the context of the current user by failing to handle objects in memory properly. Recently, researchers uncovered that this 7-year-old vulnerability was leveraged in cyberespionage campaigns orchestrated by alleged state-sponsored groups. Internet Exposure? No Patch Available? YesCVE-2024-6027
Impact Analysis: The high-severity vulnerability impacts the Themify WooCommerce Product Filter plugin for WordPress, which could lead to time-based SQL Injection via the ‘conditions’ parameter. Exploiting the vulnerability makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Internet Exposure? Yes Patch Available? Yes – upgrade to version 1.5.0CVE-2024-37079
Impact Analysis: Cyble also addressed this vulnerability in last week’s vulnerability report. The critical severity heap-overflow vulnerability impacts the VMware vCenter Server, a central management platform for VMware vSphere that enables the management of virtual machines and ESXi hosts. Given the global usage of the impacted product and the history of leveraging the flaws impacting vCenter, Cyble said there are possibilities that threat actors (TAs) could also leverage this critical vulnerability. Internet Exposure? Yes Patch Available? YesCVE-2024-30103
Impact Analysis: This high-severity remote code execution (RCE) vulnerability impacts Microsoft Outlook. Since the RCE flaw can be exploited simply by opening and previewing an email that contains a malicious payload in the body, requiring no further interaction from the user, there are high possibilities for TAs to weaponize the vulnerability in targeting government and private entities. Internet Exposure? No Patch Available? YesCVE-2024-30078
Impact Analysis: This high severity remote code execution (RCE) vulnerability impacts Windows Wi-Fi Driver. With the wide usage of Windows devices around the world and the ability to exploit without the need for any user interaction, TAs can leverage the flaw to gain initial access to the devices and later install malware and exfiltrate user data. Internet Exposure? No Patch Available? YesDark Web Exploits
Cyble’s scans of customer environments found nearly a million exposed assets for just 7 vulnerabilities this week. Nearly 200,000 assets were exposed to the the VMware vCenter Server vulnerability, while a PHP vulnerability (CVE-2024-4577) reported two weeks ago continues to dominate, affecting nearly 600,000 exposed assets. Cyble researchers also observed five instances of alleged zero-day vulnerabilities being offered on sale on underground forums, plus a number of exploits/proof of concepts/custom scripts observed over underground forums. The full report available for clients covers all these vulnerabilities, along with details and discussion around exploits found on the dark web, industrial control system (ICS) vulnerability intelligence, and cybersecurity defenses.![Weekly Vulnerability Report](https://thecyberexpress.com/wp-content/uploads/Weekly-Vulnerability-Report-1.jpg)
Polyfill Supply Chain Attack Could Affect 4% of the Web; Shutdowns, DDoS Attacks Among Spillover
![extent of Polyfill supply chain attack](https://thecyberexpress.com/wp-content/uploads/extent-of-Polyfill-attack-300x273.png)
Extent of Polyfill Supply Chain Attack Unknown, But Big Names Among Users
Some of the biggest names turning up in a search for cdn(.)polyfill(.)io include Intuit, JSTOR, the World Economic Forum, a Coldwell Banker real estate site, major educational sites like Brandeis University, the technical standards organization ASTM, the Bank of Ireland, Live Nation sites for Spain and the UK, the RAINN anti-sexual violence organization, data management vendor AvePoint, investment company MSCI, industrial network company Moxa, the Environmental Defense Fund, and the Dubai Airports Company. The extent of the Polyfill supply chain attack may be unknown for some time. In February, a Chinese company bought the Polyfill domain and the Github account, and concern about the deal surfaced almost immediately. The Sansec researchers who initially publicly disclosed the threat two days ago noted that since the acquisition, “this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io. Any complaints were quickly removed from the Github repository.” The researchers said that the polyfill code is dynamically generated based on the HTTP headers, “so multiple attack vectors are likely.” Sansec decoded one particular malware strain that redirects mobile users to a sports betting site using a fake Google analytics domain (googie-anaiytics(.)com). The researchers said they were subsequently hit by a DDoS attack after publishing their initial report. [caption id="attachment_79278" align="alignnone" width="400"]![Polyfill DDoS attack](https://thecyberexpress.com/wp-content/uploads/polyfill-ddos-attack-300x205.png)
Google Started Blocking Ads in Mid-June
It’s not clear how long the threat has been known – it is standard practice for threat researchers to wait to reveal their findings until affected parties have had a chance to fix vulnerabilities – but Google has apparently been rejecting ads that link to the googie-anaiytics domain since at least mid-June. In a letter to advertisers this week (reprinted below), Google cited redirects coming from “a few different third-party web resource providers including Polyfill.io, Bootcss.com, Bootcdn.net, or Staticfile.org” for the rejected ads. [caption id="attachment_79305" align="alignleft" width="260"]![Google ads Polyfill letter](https://thecyberexpress.com/wp-content/uploads/Google-ads-polyfill-189x300.jpg)
Mitigations Set Up By Cloudflare, Fastly
To mitigate supply chain risk, Cloudflare released an automatic JavaScript URL rewriting service that will rewrite any link to polyfill(.)io found in a website proxied by Cloudflare to a link to the company’s mirror under cdnjs. Cloudflare also charged that Polyfill was falsely misusing the Cloudflare name and logo on its website. Fastly – which hosted the CDN for free before it was sold – had also set up an alternative service based on the Polyfill open source project. Developer Andrew Betts, who had created the Polyfill service project, said in an X post at the time of the sale in February that "No website today requires any of the polyfills in the polyfill.io library. Most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth."Polyfill Owner Responds
The Polyfill(.)io owners took to X to respond to the malware charges. “Someone has maliciously defamed us,” said a post to the Polyfill_Global account. “We have no supply chain risks because all content is statically cached. Any involvement of third parties could introduce potential risks to your website, but no one would do this as it would be jeopardize (sic) our own reputation.” [caption id="attachment_79275" align="alignnone" width="400"]![Polyfill disputes claims](https://thecyberexpress.com/wp-content/uploads/polyfill-claims-300x231.png)
GrimResource: New Microsoft Management Console Attack Found in Wild
GrimResource Attack Uses Old XSS Flaw
GrimResource is a “a novel, in-the-wild code execution technique leveraging specially crafted MSC files,” the researchers wrote. “GrimResource allows attackers to execute arbitrary code in Microsoft Management Console (mmc.exe) with minimal security warnings, ideal for gaining initial access and evading defenses.” The key to the attack technique is an old XSS flaw present in the apds.dll library. “By adding a reference to the vulnerable APDS resource in the appropriate StringTable section of a crafted MSC file, attackers can execute arbitrary javascript in the context of mmc.exe,” they said. Attackers can combine the technique with DotNetToJScript to gain arbitrary code execution. The sample begins with a TransformNode obfuscation technique, which was recently reported by open source tool developer Philippe Lagadec in unrelated macro samples. The obfuscation technique helps evade ActiveX security warnings and leads to an obfuscated embedded VBScript, which sets the target payload in a series of environment variables before leveraging the DotNetToJs technique to execute an embedded .NET loader. The researchers named that component PASTALOADER. PASTALOADER retrieves the payload from environment variables set by the VBScript and “spawns a new instance of dllhost.exe and injects the payload into it. This is done in a deliberately stealthy manner using the DirtyCLR technique, function unhooking, and indirect syscalls. In this sample, the final payload is Cobalt Strike.” Using the DotNetToJScript technique triggers another detection looking for RWX memory allocation from .NET on behalf of a Windows Script Host (WSH) script engine. The researchers created a rule in Elastic’s Event Query Language (EQL) to detect execution via the .NET loader.GrimResource Detection Rules Provided
Those detections can be bypassed with stealthier methods, the researchers noted: Using apds.dll to execute Jscript via XSS, which can create detectable artifacts in the mmc.exe Procmon output as a CreateFile operation (apds.dll is not loaded as a library), and the creation of a temporary HTML file in the INetCache folder, named redirect[*] as a result of the APDS XSS redirection. In addition to EQL rules, the researchers also provided a YARA detection rule: [caption id="attachment_78894" align="alignnone" width="500"]![GrimResource YARA detection rule](https://thecyberexpress.com/wp-content/uploads/GrimResource-YARA-detection-rule-300x203.png)
Weekly Vulnerability Report: Critical Security Flaws Identified by Cyble in Microsoft, VMware, Veeam, ASUS Products
The Week’s Top Vulnerabilities
Cyble’s weekly report focused on 9 of the vulnerabilities in particular; they are:CVE-2024-37079, CVE-2024-37080 and CVE-2024-37081: VMware
Impact Analysis: These critical and high severity heap-overflow and privilege escalation vulnerabilities impact the VMware vCenter Server, a central management platform for VMware vSphere, enabling the management of virtual machines and ESXi hosts. With the global usage of the impacted product and the history of leveraging flaws impacting vCenter, there is strong potential for threat actors (Tas) to leverage these critical vulnerabilities also. Internet Exposure: Yes Available Patch? YesCVE-2024-3080: ASUS Router Bypass
Impact Analysis: This critical authentication bypass vulnerability impacts certain ASUS router models, allowing unauthenticated remote attackers to log in to the device. Recently, the Taiwan Computer Emergency Response Team informed users about the vulnerability and released an advisory with fixes to patch the flaw. Internet Exposure: Yes Patch Available? YesCVE-2024-3912: ASUS Arbitrary Firmware Upload Vulnerability
Impact Analysis: This critical arbitrary firmware upload vulnerability impacts certain ASUS router models, allowing unauthenticated remote attackers to execute arbitrary system commands on the device. The Taiwan Computer Emergency Response Team also informed users about this vulnerability and released an advisory with fixes to patch the flaw. Internet Exposure: Yes Patch Available? YesCVE-2024-29855: Veeam Recovery Orchestrator
Impact Analysis: This critical authentication bypass vulnerability impacts the Veeam Recovery Orchestrator. The recovery solution extends the capabilities of the Veeam Data Platform by automating recovery processes and providing comprehensive reporting and testing features. The availability of a recent publicly available proof-of-concept (PoC) exploit for this vulnerability elevates the risk of exploitation in attacks by TAs. Internet Exposure: No Patch Available? YesCVE-2024-30103: Microsoft Outlook RCE Vulnerability
Impact Analysis: This high-severity remote code execution (RCE) vulnerability impacts Microsoft Outlook. Since the zero-click RCE flaw can be exploited simply by opening and previewing an email that contains a malicious payload in the body of the email, requiring no further interaction from the user, there are high possibilities for the weaponization of the vulnerability by TAs in targeting government and private entities. Internet Exposure: No Patch Available? YesCVE-2024-30078: Windows Wi-Fi Driver RCE Vulnerability
Impact Analysis: This high severity remote code execution (RCE) vulnerability impacts Windows Wi-Fi Driver. With the wide usage of Windows devices around the world and the ability to exploit without the need for any user interaction, TAs can leverage the flaw to gain initial access to the devices and later install malware and exfiltrate user data. Internet Exposure: No Patch Available? YesCVE-2024-37051: JetBrains GitHub Plugin Vulnerability
Impact Analysis: This critical vulnerability in the JetBrains GitHub plugin on the IntelliJ open-source platform affects all IntelliJ-based IDEs, leading to the exposure of GitHub access tokens. TAs can leverage the vulnerability by using exposed tokens to gain unauthorized access to user GitHub accounts and repositories and possibly deploy malicious code or delete the repositories. Internet Exposure: No Patch Available? YesCISA Adds 5 Vulnerabilities to KEV Catalog
Five of the vulnerabilities in the Cyble report were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog:- CVE-2024-32896, an Android Pixel vulnerability with a 7.8 CVSSv3 criticality score
- CVE-2024-26169, a Microsoft Windows error reporting service elevation of privilege vulnerability with a 7.8 criticality rating
- CVE-2024-4358, a Progress Telerik Report Server vulnerability with a 9.8 rating
- CVE-2024-4610, an Arm Mali GPU Kernel Driver vulnerability with a 5.5 rating
- CVE-2024-4577, a PHP remote code execution flaw, a 9.8 vulnerability that Cyble addressed in last week’s report
![Weekly Vulnerability Report](https://thecyberexpress.com/wp-content/uploads/Weekly-Vulnerability-Report-1.jpg)
Linux Malware Campaign Uses Discord Emojis in Attack on Indian Government Targets
Threat Actor ‘UTA0137’ Linked to Campaign
Volexity researchers connected the campaign to a Pakistan-based threat actor they call UTA0137. The researchers said they have “high confidence that UTA0137 has espionage-related objectives and a remit to target government entities in India. Based on Volexity’s analysis, UTA0137’s campaigns appear to have been successful.” The researchers say they have “moderate confidence” that UTA0137 is a Pakistan-based threat actor because of the group’s targets and a few other reasons:- The Pakistani time zone was hardcoded in one malware sample.
- There are weak infrastructure links to SideCopy, a known Pakistan-based threat actor.
- The Punjabi language was used in the malware.
Attack Starts With DSOP PDF
The malware is delivered via a DSOP.pdf lure, which claims to be a beneficiary document of India’s Defence Service Officer Provident Fund (screenshot below). [caption id="attachment_77503" align="alignnone" width="750"]![DSOP phishing lure](https://thecyberexpress.com/wp-content/uploads/DSOP-phishing-lure-750x544.png)
Discord Emojis Used for C2 Communication
C2 communication uses an emoji-based protocol, “where the attacker sends commands to the malware by sending emojis to the command channel, with additional parameters following the emoji where applicable.” A Clock emoji in the command message lets the attacker know a command is being processed, while a Check Mark emoji confirms that the command was executed. The researchers summarized the emoji commands in a table: [caption id="attachment_77505" align="alignnone" width="750"]![Discord emoji malware](https://thecyberexpress.com/wp-content/uploads/Discord-emoji-malware-750x719.png)
BreachForums Returns With a New Owner After ShinyHunters Retires
ShinyHunters Alludes to BreachForums Issues
ShinyHunters alluded to those issues in a post announcing the forum’s new owner (screenshot below). “It's hard to maintain motivation when you're constantly getting accused of being a honeypot and at this point I'm burned out, hollow is burned out and we just want to move on to bigger things rather than the constant onslaught of users complaining about how we ran our forum,” ShinyHunters wrote. “Baphomet has done an incredible job of building new features for everyone, keeping everything together and maintaining the forum. Couldn't have done it without him. We hope the forum can live on without us for a long time. Thank you all for your support. Goodbye.” [caption id="attachment_77484" align="alignnone" width="750"]![BreachForums returns with new owner](https://thecyberexpress.com/wp-content/uploads/BreachForums-ownership-transfered-750x210.png)
BreachForums Returns, Hackers Raise Suspicions
BreachForums was seized by the FBI and the U.S. Department of Justice in mid-May, with help from international law enforcement agencies, and Baphomet was allegedly arrested in that action. However, just two weeks later, the forum returned, leading to suspicion among some threat actors that the site was operating as a “honeypot” or a sting operation under the control of the FBI. To further complicate matters, the site went down again last week, possibly due to technical issues, and its associated Telegram channels disappeared too amid reports that ShinyHunters was retiring. A few days later came the announcement that Anastasia would take over the forum. It remains to be seen what direction the forum will take under new ownership, but given the site’s volatile history, whatever is in store is certain to be eventful.Microsoft Delays Recall Following Security, Privacy Backlash that Started on The Cyber Express
Recall Controversy Took Off After a Report on The Cyber Express
Calls to overhaul Recall’s security and privacy features started with the work of security researcher Kevin Beaumont, who called the lack of controls the “dumbest cybersecurity move in a decade.” Beaumont’s work demonstrating Recall’s security holes was first reported in a Cyber Express article that landed on the front page of tech news aggregator Slashdot, where it received 140 comments, and the story took off from there, creating something of a PR nightmare for Microsoft. Further proofs supporting Beaumont’s work emerged, and Microsoft belatedly tried to address the security and privacy concerns, but apparently not in time for the release of Copilot+ PCs planned for June 18. In a blog post update late on June 13, Microsoft said Recall will now become “a preview available first in the Windows Insider Program (WIP) in the coming weeks. Following receiving feedback on Recall from our Windows Insider Community, as we typically do, we plan to make Recall (preview) available for all Copilot+ PCs coming soon. “We are adjusting the release model for Recall to leverage the expertise of the Windows Insider community to ensure the experience meets our high standards for quality and security.”Beaumont Welcomes Microsoft Recall Delay, Awaits Changes
In a post on a Mastodon cybersecurity instance, Beaumont welcomed the Microsoft Recall delay. “Good on Microsoft for finally reaching a sane conclusion,” he wrote. “When it does appear in preview channels, privacy and security researchers need to keep a close eye on what Microsoft are doing with the feature. “Microsoft tried developing this feature in secret in a way which tried to avoid scrutiny. Thank you to everyone who stood up.” Beaumont said it’s his understanding that Recall was developed without input from security and privacy staff. “I've also been told Microsoft security and privacy staff weren't provided Recall, as the feature wasn't made available broadly internally either,” he said.Microsoft’s Very Bad Day: Congress Members Express ‘Shock’ at Lax Security
Congressional Leaders Call for ‘Responsibility’ and ‘Accountability’
In his opening remarks, House Homeland Security Chairman Mark Green (R-TN) called the CSRB report “extremely concerning,” and spoke of the need of “restoring the public trust” in the security of Microsoft products. “China and Russia, Beijing and Moscow, are watching us right now,” he cautioned, underscoring the stakes of the hearing while offering to move any sensitive questions to a secure environment. Ranking member Bennie Thompson (D-MS) stressed that “It is not the committee’s goal to shame or discredit” Smith and Microsoft, but to improve security and accountability at the vendor that supplies 85% of federal government productivity tools. Thompson noted the Recall rollout and Pro Publica article in his comments, calling “even more troubling” Smith’s 2021 claim before Congress that no Microsoft vulnerability was exploited in the SolarWinds attack. Green and Thompson weren’t the only committee members taking a firm tone with Microsoft, as almost every member did the same in their allotted time for questioning. Lou Correa (D-CA), for example, said he was “beyond shocked” at the security revelations in the CSRB report and elsewhere.Microsoft President Smith Pledges Action
Perhaps anticipating a rough reception from lawmakers, Smith struck a conciliatory tone in his written and spoken testimony to the committee. “Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report,” Smith said. “Without equivocation or hesitation. And without any sense of defensiveness. But rather with a complete commitment to address every recommendation and use this report as an opportunity and foundation to strengthen our cybersecurity protection across the board.” Smith said the company is making cybersecurity part of senior executive bonus calculations and employee reviews as part of the its goal of “empowering and rewarding every employee to find security issues, report them, help fix them, and encourage broader learning from the process and the results. This requires that we incorporate this security work as an indispensable and integrated element in every aspect of the company’s engineering processes.” [caption id="attachment_77142" align="alignnone" width="750"]![Brad Smith testifying on Microsoft security](https://thecyberexpress.com/wp-content/uploads/Brad-Smith-Microsoft-750x389.png)
Microsoft Security Plans
Smith said Microsoft has mapped all 16 of the CSRB recommendations applicable to Microsoft “to ensure that we are addressing them” as part of the company’s Secure Future Initiative. The company is “actively in the process of transitioning both our consumer and enterprise identity systems to a new hardened key management system that leverages hardware security modules for the storage and generation of keys. We are rolling out proprietary data and corresponding detection signals at all places where tokens are validated. And we have made significant progress on Automated and Frequent Key Rotation, Common Auth Libraries, and Proprietary Data used in our token generation algorithm.” Smith’s written testimony outlined six “pillars” for improving security: Protect Identities and Secrets: Microsoft plans to implement and enforce “best-in-class standards across our infrastructure that manages identities and sensitive information such as passwords ('secrets'), to ensure that only the right people and applications access the right resources.” Protect Tenants and Isolate Production Systems: The company pledges to “continuously validate isolation of production systems – including those upon which we operate the Microsoft Cloud.” Protect Networks: Microsoft will “Continuously improve and implement best-in-class practices to protect Microsoft production networks.” Protect Engineering Systems: The company said it will work to “Continuously improve our software supply chain and the systems that enable Microsoft engineers to develop, build, test, and release software, thereby protecting software assets and improving code security.” Monitor and Detect Threats: This initiative calls for Microsoft to improve “coverage and automatic detection of ever evolving threats to Microsoft production infrastructure and services, accelerating actioning against those threats.” Accelerate Response and Remediation: Speeding incident response and remediation is the final pillar, so “when we learn of vulnerabilities in our offerings or our infrastructure, to be even more comprehensive and timely and better prevent exploitation of those vulnerabilities.” Updated to reflect the delay in the Recall rollout.Ukraine National Police Arrest Conti and LockBit Ransomware Cryptor Developer
Cryptor Developer Worked with Conti, LockBit
Ukraine cyber police and National Police investigators say they established that the man was involved in the LockBit and Conti ransomware groups. The Kyiv man infected a company in the Netherlands with Conti ransomware in 2021, demanded a ransom and threatened to release confidential company information if payment wasn’t made, according to the Dutch announcement, which cited work by the Netherlands’ High Tech Crime Team of the National Operations and Interventions Unit and the National Public Prosecution Service. They requested Ukraine’s assistance in the case as part of their investigation. As part of the arrest, Ukrainian police conducted house searches in the city of Kyiv and the Kharkiv region on April 18 and seized computer equipment, mobile phones and documents for further investigation (pictured below). [caption id="attachment_76895" align="alignnone" width="300"]![Ukraine ransomware arrest seized items](https://thecyberexpress.com/wp-content/uploads/Ukraine-arrest-seizure-300x167.png)
LockBit Remains Active Despite Repeated Enforcement Activities
The Conti ransomware group reportedly dissolved in 2022 after a Ukrainian researcher leaked the group's source code in retaliation for the group's support of Russia's invasion of Ukraine, but LockBit has remained persistent. Despite the Ukraine arrest and law enforcement successes like Operation Endgame, Operation Cronos, and the unmasking of formerly anonymous LockBit leader Dmitry Khoroshev, LockBit has shown an ability to continually regroup and reestablish threat activities, recently launching high-profile ransomware attacks such as one that the city of Wichita is finally recovering from. Ukraine officials said the investigation is ongoing. The suspect is being charged under part 5 of Article 361, Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks, of the Criminal Code of Ukraine. The article provides for publishment of up to 15 years of imprisonment, and additional charges are possible. Netherlands officials thanked the Ukrainian investigators for their assistance and said they “are very pleased with the arrest in Ukraine and are grateful for the space that the Ukrainian police have found for this in times of war.”Cleveland Closes City Hall After Unspecified Cyberattack
Cleveland Essential Services Functioning
City Hall and offices at Erieview Plaza are closed to the public and non-essential employees, but the city sought to reassure residents that key services and data remain safe. Emergency services, such as 911, Police, Fire, and EMS are operational, along with other essential services such as water, pollution control, power services, ports and airports. The update said that “certain City data is confirmed to be unaffected, including: - Taxpayer information held by the CCA. - Customer information held by Public Utilities.” That still leaves other data sources that could be affected, however, such as city employees’ personal data. In its initial announcement on X, the city said, “We have shut down affected systems to secure and restore services. Emergency services and utilities are not affected. Updates will be provided as available.” The city hasn’t said whether the incident is ransomware or another cyber attack type, but that will presumably be revealed in later updates. Cleveland itself is home to 362,000 residents, while the surrounding metropolitan area has a population of more than 2 million.Cleveland Cyberattack Follows Wichita Ransomware; Healthcare Network Hit
Cleveland isn’t the biggest U.S. city to be hobbled by a cyber attack, as at least a few bigger cities have been hit by cyber incidents. The 394,000-resident city of Wichita, Kansas was hit by a ransomware attack last month in an attack linked to the LockBit ransomware group, but Baltimore was perhaps the biggest U.S. city hit by a cyberattack in a crippling 2019 incident that closely followed an Atlanta cyberattack. All of that pales in comparison to the U.S. government, which got hit by more than 32,000 cybersecurity incidents in fiscal 2023, up 10% from fiscal 2022, according to a new White House report on federal cybersecurity readiness. Threat actors seemingly have no end of targets, as a healthcare network in Texas, Arkansas and Florida is also reporting recent cyber troubles that the BlackSuit ransomware group is claiming responsibility for. The Special Health Resources network posted a notice on its website (copied below) that states, “We are currently experiencing a network incident that has caused a temporary disruption to our phones and computer systems. During this time, we are STILL OPEN and ready to serve our patients and community!” [caption id="attachment_76662" align="alignnone" width="750"]![Special Health Resources website notice](https://thecyberexpress.com/wp-content/uploads/Special-Health-Resources-750x209.png)