Cybersecurity News: SAP zero-day active, another OAuth exploit, cybersecurity CEO arrested

In today’s cybersecurity news…

SAP zero-day vulnerability under widespread active exploitation

Security researchers are observing widespread exploitation of a zero-day vulnerability affecting SAP NetWeaver systems. The flaw, an unrestricted file upload, has been assigned a CVE identifier and carries the maximum CVSS score of 10.0; it “allows attackers to upload files directly to the system without authorization.” Following discovery by ReliaQuest on Tuesday, SAP issued an emergency patch on Thursday, “but the enterprise company’s security advisory is only available to SAP customers with login credentials.” watchTowr is seeing active exploitation by threat actors. Because an unauthenticated file upload on an application server normally ends in a web shell, patching should be paired with a sweep of exposed NetWeaver hosts for recently written files: the patch closes the door but does not remove anything an attacker has already dropped.

(Cyberscoop)

Hackers abuse OAuth 2.0 workflows to hijack Microsoft 365 accounts

This attack is separate from the DomainKeys Identified Mail (DKIM) OAuth attack that we covered on Tuesday. Since early March, Russian threat actors have been abusing legitimate OAuth 2.0 authentication workflows to hijack Microsoft 365 accounts of employees tied to Ukraine and human rights causes. In this campaign the attackers impersonate European officials or Ukrainian diplomats via WhatsApp and Signal, luring targets with fake invitations to private video meetings. Victims are tricked into providing Microsoft authorization codes or clicking phishing links. An authorization code handed over this way can be redeemed by the attacker for access and refresh tokens, so they obtain the account without ever needing the password or facing a multi-factor prompt of their own, since the victim already completed sign-in. One communication originated from a compromised Ukrainian government account.

(BleepingComputer)

Cybersecurity firm CEO charged with installing malware on hospital systems

Jeffrey Bowie is CEO of the cybersecurity firm Veritaco. He is now facing two counts of violating Oklahoma’s Computer Crimes Act for “allegedly infecting employee computers at the Oklahoma City St. Anthony Hospital” on August 6 of last year. He was arrested in April based on security footage showing a man attempting to access multiple offices. The malware was designed to capture screenshots every 20 minutes and transmit them to an external IP address. Officials have stated that no patient data was accessed.

(Security Affairs)

That Windows folder “inetpub” might be a problem after all

Two Mondays ago, we reported on an issue following Patch Tuesday in which a new, empty folder had been created on Windows users’ hard drives. Microsoft issued a statement telling users the folder was “part of a fix for a Windows Process Activation elevation of privilege vulnerability” and that it should not be removed. However, cybersecurity expert Kevin Beaumont says this folder “can be abused to prevent further Windows updates from being installed if it is created a certain way,” adding, “I’ve discovered this fix introduces a denial of service vulnerability in the Windows servicing stack that allows non-admin users to stop all future Windows security updates.” Any user, without admin rights, can achieve this by creating a junction between C:\inetpub and a Windows file with a single one-line command; when the servicing stack later finds a junction where it expects a directory, the update fails. Beaumont says he reported the bug to Microsoft, which assigned it a “Medium” severity classification and closed his case, stating it will consider fixing it in the future.

(BleepingComputer)
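The check a practitioner would want after the item above is whether the C:\inetpub on a given machine is an ordinary directory or a reparse point (junction or symbolic link), and who owns it. The following PowerShell is an added example and is not code from the article, from Microsoft, or from Kevin Beaumont; the function name Test-InetpubFolder is ours, and the only assumption is the folder path C:\inetpub named in the story. It reads attributes and the ACL only, so it does not need elevation.

```powershell
# Added example, not code from the article or from Kevin Beaumont.
# Reports whether C:\inetpub is an ordinary directory or a reparse point
# (junction or symbolic link), which is the condition the article describes,
# and who owns it. Works on Windows PowerShell 5.1 and PowerShell 7.
function Test-InetpubFolder {
    param([string]$Path = 'C:\inetpub')   # path as named in the article (assumed default)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Path = $Path; Exists = $false; LinkType = $null
            Target = $null; Owner = $null; Verdict = 'Missing'
        }
    }

    $item = Get-Item -LiteralPath $Path -Force
    # The ReparsePoint attribute is set for junctions and symbolic links.
    # LinkType is $null for a plain directory and 'Junction' or 'SymbolicLink'
    # for a reparse point; Target lists where the reparse point points.
    $isReparse = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
    $owner = (Get-Acl -LiteralPath $Path).Owner

    $verdict = if ($isReparse) {
        "Reparse point ($($item.LinkType)) -> $($item.Target); servicing may fail"
    } elseif ($item.PSIsContainer) {
        'Ordinary directory'
    } else {
        'Unexpected: a file, not a directory'
    }

    [pscustomobject]@{
        Path     = $Path
        Exists   = $true
        LinkType = $item.LinkType
        Target   = $item.Target
        Owner    = $owner
        Verdict  = $verdict
    }
}

Test-InetpubFolder | Format-List
```

A non-empty LinkType is the finding the article describes. The Owner field is the supporting clue: a folder created by the servicing stack is owned by a built-in administrative principal, so an ordinary user account as owner means someone else created the path, and the next step is to find out who and when from the directory's creation time and the security event log.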

Thanks to today’s episode sponsor, ThreatLocker

ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com/CISO.

Education clouds hit with AzureChecker that deploys crypto mining containers

Microsoft has identified a threat actor named Storm-1977 that has been conducting password spraying attacks against cloud tenants in the education sector over the past year. The Microsoft Threat Intelligence team stated in its analysis, “the attack involves the use of AzureChecker.exe, a Command Line Interface (CLI) tool that is being used by a wide range of threat actors.” The tool connects to an external server to pull in files containing username and password combinations to carry out the password spray attack. Spraying tries one or a few passwords against many accounts rather than many passwords against one, which is why per-account lockout thresholds rarely trigger and why the detectable signal is many distinct users failing from the same source in a short window. In one instance, the threat actor was able to create more than 200 containers within a victim’s resource group in order to conduct illicit cryptocurrency mining.

(The Hacker News)
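The detection logic implied by the Storm-1977 item, as an added example that is not code from Microsoft's analysis or from the AzureChecker tool: it slides a time window over sign-in failures grouped by source address, counts distinct users per window, and then reports any later success from a source that crossed the threshold, since that is the account the spray landed on. The CSV log is constructed for the example; the column names Time, User, SourceIp and Status and the function name Find-PasswordSpray are assumptions, and a real run would feed in an export of Entra ID sign-in logs mapped to those columns.

```powershell
# Added example, not code from Microsoft's analysis or from the AzureChecker tool.
# Flags password-spray sources in sign-in logs: a spray tries one or two passwords
# against many accounts, so per-account lockout never fires; the signal is many
# distinct users failing from one source address in a short window, and a later
# success from that address is the account that fell.
# The CSV below is constructed for this example (column names are assumed).

$constructedLog = @'
Time,User,SourceIp,Status
2025-04-24T09:00:05Z,alice@edu.example,203.0.113.10,Failure
2025-04-24T09:00:09Z,bob@edu.example,203.0.113.10,Failure
2025-04-24T09:00:14Z,carol@edu.example,203.0.113.10,Failure
2025-04-24T09:00:20Z,dave@edu.example,203.0.113.10,Failure
2025-04-24T09:00:26Z,erin@edu.example,203.0.113.10,Failure
2025-04-24T09:00:31Z,erin@edu.example,203.0.113.10,Success
2025-04-24T09:02:00Z,frank@edu.example,198.51.100.7,Failure
2025-04-24T09:02:30Z,frank@edu.example,198.51.100.7,Failure
2025-04-24T09:03:00Z,frank@edu.example,198.51.100.7,Success
2025-04-24T13:15:00Z,grace@edu.example,192.0.2.5,Failure
'@

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$WindowMinutes = 15,     # sliding window length
        [int]$MinDistinctUsers = 3    # threshold; tune to tenant size
    )

    # Normalise timestamps to UTC and user names to lower case once.
    $stamped = foreach ($e in $Events) {
        [pscustomobject]@{
            TimeUtc  = [datetimeoffset]::Parse($e.Time).UtcDateTime
            User     = $e.User.ToLowerInvariant()
            SourceIp = $e.SourceIp
            Status   = $e.Status
        }
    }

    foreach ($group in ($stamped | Group-Object SourceIp)) {
        $failures = @($group.Group | Where-Object Status -eq 'Failure' | Sort-Object TimeUtc)
        $best = 0; $bestStart = $null; $bestUsers = @()

        # Slide a window starting at each failure and count distinct users inside it.
        for ($i = 0; $i -lt $failures.Count; $i++) {
            $start = $failures[$i].TimeUtc
            $end   = $start.AddMinutes($WindowMinutes)
            $users = @($failures | Where-Object { $_.TimeUtc -ge $start -and $_.TimeUtc -lt $end } |
                       Select-Object -ExpandProperty User -Unique)
            if ($users.Count -gt $best) { $best = $users.Count; $bestStart = $start; $bestUsers = $users }
        }

        if ($best -lt $MinDistinctUsers) { continue }

        # Any success from a spraying address after the window opened is a likely compromise.
        $hits = @($group.Group | Where-Object { $_.Status -eq 'Success' -and $_.TimeUtc -ge $bestStart } |
                  Select-Object -ExpandProperty User -Unique)

        [pscustomobject]@{
            SourceIp       = $group.Name
            WindowStartUtc = $bestStart
            DistinctUsers  = $best
            FailedUsers    = ($bestUsers -join ', ')
            SucceededAfter = ($hits -join ', ')
        }
    }
}

$events = $constructedLog | ConvertFrom-Csv
Find-PasswordSpray -Events $events | Format-Table -AutoSize
```

The constructed log deliberately mixes a source that fails against five different accounts within half a minute and then signs in as one of them, a user who mistypes a password twice from a second address, and a single stray failure from a third; only the first meets the distinct-user threshold, and the SucceededAfter column names the account to reset first. Spraying from many addresses at once, which the tool's external credential feed makes easy, defeats a per-IP count; grouping by autonomous system or by user-agent string instead of SourceIp is the usual next refinement.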

Long Beach cyberattack from 2023 affected almost 500,000

The government of Long Beach, California says the November 2023 attack involved sensitive data belonging to just over 470,000 people including “Social Security numbers, financial account information, credit and debit card numbers, biometric information, medical data, driver’s license numbers, passports, tax data, and more.” No ransomware gang has claimed responsibility for the attack.

(The Record)

Africa’s largest telecom suffers cyber incident exposing customer data

Johannesburg-based MTN Group confirmed the attack on Thursday. The company operates in more than 20 countries and has more than 200 million subscribers, making it one of the largest mobile operators in the world. Details as to what information may have been accessed, the number of people affected, or the perpetrators behind the attack are as yet unavailable.

(The Record)

Yale New Haven Health data breach impacted 5.5 million patients

The nonprofit healthcare network headquartered in New Haven, Connecticut, suffered the breach in March, resulting in the theft of patient PII including Social Security numbers, but no financial or medical data. The organization has not yet disclosed technical details about the attack, nor has any ransomware group taken responsibility.

(Security Affairs)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.