Cyber Security Briefing, 11 - 17 May
Universidad Complutense de Madrid suffers a cyberattack
Last Friday, several digital media outlets reported that the Universidad Complutense de Madrid (UCM) had notified its students by email that it had suffered an intrusion exposing their personal information. Specifically, the incident affected the application that manages external internships with companies, so names, postal addresses, email addresses, ID numbers and various documents may have been accessed by the actors behind the attack.
As a result of the incident, the platform managed by the university remains offline. The university states that it has no evidence that user credentials were leaked, but it nevertheless recommends that students change them. UCM reported that it has strengthened its security measures and is working with cybersecurity experts and the relevant authorities, having filed the corresponding complaint.
https://www.elmundo.es/madrid/2024/05/10/663e4244e9cf4a2e3d8b4599.html
Microsoft's Patch Tuesday for May
Microsoft has released its May Patch Tuesday, fixing a total of 61 vulnerabilities: one rated critical, 59 important and one moderate. Two of them are zero-day vulnerabilities that have been actively exploited.
These are CVE-2024-30040 (CVSSv3 8.8 according to the vendor), a security feature bypass in the Windows MSHTML Platform that lets a malicious file evade the OLE mitigations in Microsoft 365 and Office once the user opens it, and CVE-2024-30051 (CVSSv3 7.8 according to the vendor), an elevation of privilege vulnerability in the Windows DWM Core Library that can grant SYSTEM privileges. Also notable is CVE-2024-30044, a remote code execution flaw in Microsoft SharePoint Server, which is the only vulnerability in this release rated critical.
https://msrc.microsoft.com/update-guide/releaseNote/2024-May
CISA and FBI post an analysis of Black Basta ransomware
In a joint advisory, the FBI, CISA, the Department of Health and Human Services (HHS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have published an analysis of the Black Basta ransomware. Released as part of the #StopRansomware series, the advisory notes that Black Basta is a ransomware-as-a-service (RaaS) operation that has been active since 2022 and has affected more than 500 organisations as of May 2024. Black Basta affiliates gain initial access mainly through spearphishing, but have also used the Qakbot malware, valid credentials and the exploitation of ConnectWise vulnerabilities.
The operators then perform network scanning, lateral movement and privilege escalation while disabling or evading security tools, before exfiltrating and encrypting data. Black Basta uses a double extortion model, threatening to publish the exfiltrated data on its Tor leak site if the victim does not pay the ransom.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a
Vulnerability in Apple products
Apple has released security updates for several of its products, including a fix for a vulnerability believed to have been actively exploited. Among the flaws addressed is CVE-2024-23296 (CVSSv3 7.8), which was patched in newer OS versions last March but is believed to have been exploited before that update.
The vulnerability is a memory corruption issue in RTKit, the real-time operating system that Apple uses on many of its devices and coprocessors, which could allow an attacker who already has arbitrary kernel read and write capability to bypass kernel memory protections. Apple has now fixed it with improved validation in iOS 16.7.8 and iPadOS 16.7.8, extending the March patch to older devices that cannot run iOS 17.
https://www.securityweek.com/apple-patch-day-code-execution-flaws-in-iphones-ipads-macos/
New DarkGate malware campaign
Forcepoint's X-Labs research team has identified a new DarkGate campaign. The malware is mainly distributed through phishing emails carrying common attachment types such as XLSX, HTML and PDF files. DarkGate is designed to be stealthy and persistent, which complicates detection and removal; its consequences can include loss of personal data, financial loss through fraud or extortion, and exposure of sensitive information.
The detected campaign starts with phishing emails posing as QuickBooks invoices that prompt the user to install Java. Clicking the embedded link takes the user to a geolocation-aware URL from which a malicious JAR file is downloaded.
https://www.forcepoint.com/blog/x-labs/phishing-script-inside-darkgate-campaign
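The delivery chain above (brand-themed invoice lure, "install Java" pretext, link to a JAR download) is the kind of thing a mail-triage rule can catch before the JAR ever reaches the user. The following script is an added example written for this briefing, not Forcepoint's code or anything from the campaign: the sample message, sender, hostnames and invoice number are all constructed, and the brand host list and the lure patterns are assumptions chosen to illustrate the heuristic. It parses a raw email, collects the hyperlinks in its HTML body, and flags links that either download an executable artifact such as a `.jar` or carry invoice/Java-themed anchor text while pointing at a host outside the brand's domain.

```python
import re
from email import message_from_bytes
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a QuickBooks-themed lure of the kind described above.
# Sender, hosts and invoice number are made up for this example.
SAMPLE_EMAIL = b"""\
From: "QuickBooks Billing" <billing@example-invoices.test>
To: finance@example.com
Subject: Invoice 1043 is due - action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your QuickBooks invoice is ready. Java is required to view it.</p>
<p><a href="https://cdn.example-invoices.test/view/Invoice_1043.jar">View invoice</a></p>
<p><a href="https://quickbooks.intuit.com/">QuickBooks</a></p>
</body></html>
"""

# Assumed lure vocabulary and artifact extensions; tune to your own mail flow.
LURE_PATTERNS = re.compile(r"invoice|install java|java is required", re.I)
EXECUTABLE_EXT = (".jar", ".msi", ".exe", ".js", ".vbs", ".hta")
BRAND_HOSTS = ("intuit.com",)  # where a genuine QuickBooks link would point (assumption)
RISKY_ATTACHMENT_EXT = (".xlsx", ".html", ".htm", ".pdf")


class _LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _body_text(msg):
    """Return the HTML body if present, else the plain-text body, else ''."""
    part = msg.get_body(preferencelist=("html", "plain"))
    return part.get_content() if part else ""


def triage_email(raw: bytes) -> dict:
    """Score one raw message for the invoice-lure-to-JAR pattern.

    Returns the suspicious links (with reasons), the names of attachment
    types the campaign is known to use, whether lure text is present,
    and an overall verdict of 'suspicious' or 'clean'.
    """
    msg = message_from_bytes(raw, policy=default)
    body = _body_text(msg)
    collector = _LinkCollector()
    collector.feed(body)

    suspicious_links = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        reasons = []
        if parsed.path.lower().endswith(EXECUTABLE_EXT):
            reasons.append("link downloads an executable artifact")
        if LURE_PATTERNS.search(text) and not host.endswith(BRAND_HOSTS):
            reasons.append("brand-themed anchor text points at off-brand host")
        if reasons:
            suspicious_links.append({"url": href, "host": host, "reasons": reasons})

    attachments = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    risky_attachments = [n for n in attachments if n.lower().endswith(RISKY_ATTACHMENT_EXT)]
    lure_text = bool(LURE_PATTERNS.search(body))

    verdict = "suspicious" if suspicious_links or (lure_text and risky_attachments) else "clean"
    return {
        "lure_text": lure_text,
        "suspicious_links": suspicious_links,
        "risky_attachments": risky_attachments,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EMAIL)["suspicious_links"]:
        print(finding["url"], "->", "; ".join(finding["reasons"]))
```

The second link in the sample (the genuine-looking `quickbooks.intuit.com` one) is deliberately left unflagged, so the rule keys on the mismatch between the lure and its destination rather than on the brand name alone; in production the brand host list and the lure vocabulary would come from your own allow-lists and recent campaign reporting.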
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us →