Cybersecurity News: BlackSuit behind CDK, Microsoft spoofing bug, Nuclear compliance failures

In today’s cybersecurity news…

CDK Global outage caused by BlackSuit ransomware attack

In an update to one of last week’s biggest stories, BleepingComputer has learned that the operation behind CDK Global’s massive IT outage and the resulting disruption to car dealerships across North America is BlackSuit, a ransomware operation launched in May 2023 that is believed to be a rebrand of the Royal ransomware operation, and therefore the direct successor of the Conti cybercrime syndicate. CDK is believed to be negotiating with the gang to receive a decryptor and to stop the gang from leaking stolen data. Car and truck dealerships and individual customers are being forced into pen-and-paper transactions, if they are able to do anything at all. To make matters worse, CDK is also warning that threat actors are contacting dealerships posing as CDK agents or affiliates in order to gain access to their systems.

(BleepingComputer)

Bug allows Microsoft corporate email account spoofing

A security researcher by the name of Vsevolod Kokorin (@Slonser) claimed on X that he had discovered a bug that “allows anyone to impersonate Microsoft corporate email accounts.” This of course comes in very handy for deploying phishing attacks. He says that he reported the bug to Microsoft, but that the company replied that it couldn’t reproduce his findings. He explained that “the vulnerability works when an attacker sends an email to Outlook accounts.” At this time the vulnerability appears to be unaddressed.

(Security Affairs)

UK’s largest nuclear site pleads guilty over cybersecurity failures

The company that manages the Sellafield nuclear site in northern England has pleaded guilty to three criminal charges over cybersecurity failings. Sellafield is no longer a functioning nuclear plant, but it currently houses more plutonium than any other location on earth, and it also has a number of facilities for nuclear decommissioning and waste processing and storage. As such it is considered “one of the most complex and hazardous nuclear sites in the world.” The criminal charges focus on failures to comply with approved security plans between 2019 and early 2023. While admitting these failures, Sellafield management is also denying stories published in The Guardian news outlet that the facility might also have been compromised by hacking groups linked to both China and Russia.

(The Record)

And now a word from our sponsor, Prelude

When executives ask the question “are we vulnerable to this threat?”, how long does it take you to get a confident answer? Prelude automatically transforms threat intelligence into validated detections, so you can know with certainty in just a matter of minutes. Visit preludesecurity.com to upload your own threat intelligence and see for yourself.

Forklift manufacturer Crown Equipment suffers cyberattack

The Ohio-based company, one of the largest manufacturers of forklifts in the world and a major player in the defense industry, in a statement made on Wednesday, attributed the attack to an “international cybercriminal organization.” The attack started on June 8 as a ransomware operation and has brought operations to a halt. According to The Record, hourly workers have lost out on pay due to the shutdown, with some reporting that they have been told to file for unemployment insurance while the company tries to restore its operations. An email sent to employees, a copy of which was obtained by BleepingComputer, claimed the attack originated from an employee who “failed to adhere to our data security policies by allowing unauthorized access to their device.”

(The Record)

US government bans Kaspersky and sanctions twelve executives

These sanctions were issued by the Treasury Department’s Office of Foreign Assets Control (OFAC), and involve twelve senior executives. This means that OFAC has frozen all property and interests in property of the designated individuals and entities under U.S. jurisdiction. These actions come on the heels of an announcement made by the Biden administration on June 20 regarding a ban on selling Kaspersky antivirus software due to it being a Russian organization. The ban itself starts on July 20, and software updates to its U.S. customers will be prohibited from September 29. In a briefing call with the media held on Thursday, Commerce Secretary Gina Raimondo said “Russia-linked actors can abuse the software’s privileged access to a computer’s systems to steal sensitive information from American computers or spread malware.” She added that now would be a good time for companies to find an alternative to Kaspersky for their security needs, but that “U.S. individuals and businesses that continue to use or have existing Kaspersky products and services are not in violation of the law.”

(Security Affairs)

Patch alert: SolarWinds Serv-U vulnerability under active attack

A high-severity flaw impacting SolarWinds Serv-U file transfer software is being actively exploited by malicious actors in the wild. The vulnerability, which has a CVSS score of 8.6, is a directory traversal bug that could allow attackers to read sensitive files on the host machine. It was patched earlier this month in Serv-U 15.4.2. Cybersecurity firm Rapid7 describes the vulnerability as “trivial to exploit”: it allows access to any arbitrary file on disk, assuming the path is known and the file is not locked.

(The Hacker News)

Upgraded Gh0st RAT appears to be active

Researchers at Cisco Talos are warning of a customized version of the remote access trojan (RAT) malware known as Gh0st RAT. They have dubbed the upgraded version SugarGh0st, and they say it is delivered through scanned documents that appear normal but are infected with the malicious code. They have also named the RAT’s operators SneakyChef, and they say the malware has been observed in ministries of foreign affairs and embassies in at least nine countries across Africa, the Middle East, Europe, and Asia. The scanned documents currently take the form of government-themed decoy documents, as well as malicious application forms to register for a conference and research paper abstracts. They believe this to be a Chinese state-backed operation.

(The Record)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.