CVE-2024-30080 is the only critical issue in Microsoft's June 2024 Patch Tuesday update, but many others require prompt attention as well.

Source: SuPatMaN via Shutterstock

Microsoft has issued fixes for a total of 49 vulnerabilities in its Patch Tuesday security update for June, including a critical bug in Microsoft Message Queuing (MSMQ) technology that could open vast swathes of companies to remote code execution (RCE) and server takeover.

The issue (CVE-2024-30080, CVSS score of 9.8 out of 10) is remotely exploitable, with low attack complexity, requires no privileges, and takes no user interaction; and it carries high impacts on confidentiality, integrity, and availability, according to Microsoft. Attackers can use it to completely take over an affected server by sending a specially crafted malicious MSMQ packet. To check vulnerability, confirm users should whether the 'Message Queuing' service is running and if TCP port 1801 is open on the system. The bug affects all versions of Windows starting from Windows Server 2008 and Windows 10.

Its impact could be felt in the threat landscape sooner rather than later, so patching quickly is a must: "A couple of quick Shodan searches reveal over a million hosts running with port 1801 open and over 3500 results for 'msmq'," said Tyler Reguly, associate director security R&D at Fortra, in an emailed statement. "Given this is a remote code execution, I would expect to see this vulnerability included in exploit frameworks in the near future."

This is the only bug that Microsoft has rated as critical this month, but there are several others in the update that merit prompt attention as well, according to security analysts.

**High-Priority Microsoft Bugs for June 2024**

Among the high-priority bugs to put at the top of the patching list are: CVE-2024-30103, a remote code execution (RCE) vulnerability in Microsoft Outlook in which the Preview Pane is an attack vector; CVE-2024-30089, a vulnerability in Microsoft Streaming Services that gives attackers a way to gain system level access; CVE-2024-30085, a privilege escalation bug in Windows Cloud Files Mini Filter Driver that Microsoft has identified as more likely to be exploited; and CVE-2024-30099, an elevation-of-privilege (EoP) vulnerability in Windows Kernel Driver that attackers can abuse to take over an affected system.

In all, Microsoft categorized 11 of the 49 vulnerabilities in this month's update as flaws that threat actors were more likely to exploit because of factors like low attack complexity and the fact that adversaries need no special privileges or user interaction to take advantage of them.

**RCE Bugs to Prioritize**

This month's collection of noteworthy RCE bugs include CVE-2024-30101, a use-after-free bug in Microsoft Office that requires active user interaction for an attack to succeed; CVE-2024-30104 in Microsoft Office; and the previously mentioned CVE-2024-30103 in Microsoft Outlook, which an attacker can trigger via the Preview Pane in an email.

The latter is potentially especially dangerous because an attacker can use it to bypass Outlook registry block lists and enable the creation of malicious DLL files.

"This Microsoft Outlook vulnerability can be circulated from user to user, and doesn't require a click to execute," Morphisec researchers said in a blog. "Rather, execution initiates when an affected email is opened. This is notably dangerous for accounts using Microsoft Outlook’s auto-open email feature."

Microsoft itself has assessed the flaw as something that attackers are less likely to exploit.

**High Number of Elevation-of-Privilege Bugs**

Somewhat unusually, there were more EoP flaws this time around than there were RCE bugs, accounting for nearly half of the CVEs patched.

Satnam Narang, senior staff research engineer at Tenable, pointed to CVE-2024-30089, the bug in Microsoft Streaming Services, as one of the privilege escalation flaws that organizations need to prioritize the most.

"These types of flaws are notoriously useful for cybercriminals seeking to elevate privileges on a compromised system," Narang said. "When exploited in the wild as a zero-day, they are typically associated with more advanced persistent threat (APT) actors or as part of targeted attacks."

CVE-2024-30089 is one of two EoP vulnerabilities in Streaming Service that Microsoft disclosed this month. The other is CVE-2024-30090, which also gives attackers a way to gain system-level privileges but is harder to exploit.

In prepared comments, Kev Breen, senior director threat research at Immersive Lab, identified CVE-2024-30085 as another EoP flaw that will likely draw attacker interest. The bug in Windows Cloud Mini Files Driver allows for system level privileges on a local machine.

"This type of privilege-escalation step is frequently seen by threat actors in network compromises, as it can enable the attacker to disable security tools or run credential dumping tools like Mimikatz," for lateral movement and further compromise, he said. Microsoft's description of the flaw suggests it is identical to CVE-2023-36036, a zero-day bug in Cloud Files Mini Filter that attackers actively exploited last year, Breen said.

CVE-2024-30099 is another EoP vulnerability that Microsoft has listed in its more category of more exploitable bugs. What makes the bug especially noteworthy is that it exists in the NT OS kernel. The vulnerability allows an attacker that can trigger — and win — a race condition within the kernel to take over an affected system. However, the Windows Message Queuing Service must be enabled for an attacker to be successful.

"This vulnerability should be on everyone's patch list due to it being so central to the operating system," said Ben McCarthy, lead cyber security engineer at Immersive Labs, in emailed comments.

There are several other kernel-related EoP vulnerabilities that organizations would do well to prioritize, McCarthy noted. These include CVE-2024-35250, CVE-2024-30084, CVE-2024-30064, CVE-2024-30068, and CVE-2024-35250.

"These sorts of vulnerabilities are often what attackers will try to weaponize after the patch day," he said. "So, it is always wise to patch kernel-related vulnerabilities because successful exploitation of these vulnerabilities mean they get complete access to a computer's resources and run as SYSTEM privileges."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Critical MSMQ RCE Bug Opens Microsoft Servers to Complete Takeover

Lacework has been looking for a buyer for some time. The deal gives Fortinet a boost in the cloud security space.

Fortinet announced Monday its plans to acquire cloud security firm Lacework to enhance its secure access service edge (SASE) offerings with cloud-native security services.

Lacework integrates cloud-native application protection platform services to safeguard what's happening inside the cloud infrastructure. The data-powered cloud security platform collects and analyzes data from across cloud environments so that customers can manage and secure their cloud workflows. The platform identifies and shares details about abnormal or unexpected activities that could indicate a security problem. Lacework offers artificial intelligence and machine-learning technology, data collection capabilities, a data lake, and code security tools, wrote John Maddison, chief marketing officer at Fortinet, in a blog post announcing the acquisition.

Fortinet plans to integrate capabilities from Lacework's cloud-native application protection platform into its SASE portfolio. According to Maddison, combining Lacework with Fortinet's firewall and Web application and API protection (WAAP) capabilities will allow customers to protect what's happening inside the cloud application, as well as what's happening between the application and outside the network.

Back in 2021, Lacework was valued at $8.3 billion. Earlier this year, there were reports that Wiz was in talks with Lacework for a small fraction of the company's valuation. The terms of Fortinet's deal, expected to be completed in the second half of the year, were not disclosed.

**About the Author(s)**

Fortinet Plans to Acquire Lacework

PRESS RELEASE

PARAMUS, NJ – JUNE 11, 2024  – Checkmarx, the industry leader in cloud-native application security for the enterprise, has released Checkmarx Application Security Posture Management (ASPM) and Cloud Insights to provide organizations with unmatched visibility into their application security posture stretching from code to cloud. Available on the Checkmarx One AppSec platform, ASPM and Cloud Insights empower enterprises developing cloud-native applications to dramatically reduce application and business risk by delivering end-to-end insights into their application security posture, helping them better correlate, prioritize and triage remediation efforts.

“Developers and AppSec teams are looking to consolidate the vulnerabilities and insights they get from security scanners and tools so they can identify and work on what are truly the most important to remediate in order to prevent issues in cloud runtime.  With the increase in complexity inherent with cloud-native applications, and the various solutions required to detect vulnerabilities in every aspect of the applications, development and application security teams are simply lost,” said Kobi Tzruya, Chief Product Officer at Checkmarx. “Checkmarx Cloud Insights revolutionizes the way that teams approach application security by bringing runtime context back into the development life cycle, where Checkmarx helps them prioritize. Now developers can focus on what matters most, allowing them to make the most effective remediation efforts in less time.”

Checkmarx ASPM correlates and prioritizes security signals from every application security solution in the enterprise development environment, to improve visibility, reduce risk, and better manage overall application security posture. ASPM is built on Checkmarx’ award-winning Fusion correlation engine and Application Risk Management, which already extracted unique insights from our consolidated AppSec platform, such as identifying reachable vulnerabilities. It now adds a new capability to Bring Your Own Results (BYOR) to expand coverage beyond Checkmarx’ award-winning solutions by importing SARIF and OSCF results from any third-party solution, including those from Checkmarx partners such as Zimperium, Onapsis and others.

With Checkmarx Cloud Insights, developers and AppSec leaders benefit from:

*   Correlation and integration of Checkmarx data with data from cloud service providers (CSPs) and cloud-native application protection platforms (CNAPP).
    
*   New ways to prioritize remediation, including through open-source libraries called in the runtime environment (via integration with Sysdig) and by internet-facing network exposure when deployed in the cloud environment (through partnerships with Wiz and Amazon Web Services.) The information is integrated within Checkmarx Application Risk Management.
    
*   The ability to track remediation of a vulnerability through the software development life cycle (SDLC) by way of the attack path. For example, if a vulnerability is found in a running application, Cloud Insights:
    
    *   Identifies the repository and the developer to speed the process of remediation
        
    *   Pinpoints the container image to verify that the fix is reflected there
        
    *   Lists the running container clusters to enable verification that the running application was rebooted with fixed images and is no longer in the running environment.
        
    
*   Improved developer experience with the delivery of prioritized risk intelligence that focuses developers on remediating vulnerabilities that are most critical, are most at risk of exploitation or represent the greatest risk.
    

 “Checkmarx One is the leading enterprise application security platform. By opening it to third-party results, our joint customers can easily extend their coverage and get a unified view within Checkmarx ASPM. We’re excited to partner with Checkmarx, which brings Zimperium’s leading mobile security threat insights directly into the Checkmarx Application Security Posture Management (ASPM) platform,” said Nitin Bhatia, Chief Strategy Officer at Zimperium. “This collaboration empowers an organization to manage and secure their entire mobile application landscape more effectively, ensuring comprehensive protection against emerging threats.”

For more information on the Checkmarx One platform, ASPM and Cloud Insights, visit this page.

**About Checkmarx**

Checkmarx has been trusted by enterprises worldwide to secure their application development from code to cloud. Our consolidated platform and services balance the dynamic needs of enterprises by improving security and reducing TCO, while simultaneously building trust between AppSec, developers, and CISOs. At Checkmarx, we believe it’s not just about finding risk, but remediating it across the entire application footprint and software supply chain with one seamless process for all relevant stakeholders. We are honored to serve more than 1,800 customers, including 40 percent of all Fortune 100 companies.

Follow Checkmarx on LinkedIn, YouTube, and Twitter/X.

You May Also Like

Checkmarx Application Security Posture Management and Cloud Insights Offer Enterprises Code-to-Cloud Visibility

PRESS RELEASE

WASHINGTON, D.C. – June 6, 2024 – DNSFilter announced today that it has hired TK Keanini as Chief Technology Officer (CTO). In his new role, Keanini will lead product management, customer experience, engineering, and security intelligence toward ongoing innovation and growth, focusing on customer needs and feedback to determine product direction.

Keanini brings to his new role more than 30 years of experience in network security. Prior to joining DNSFilter, he was the Vice President of security architecture and CTO of Cisco Secure. During his time there, he led Cisco’s Encrypted Traffic Analytics security solution, where he saw revolutionary potential in the ability to gain insights through existing network telemetry. He has also held leadership roles at security startups Lancope and nCircle Network Security, as well as at Morgan Stanley Dean Witter Online. 

Keanini is driven by a goal to do right by his customers and ensure their voice is present in product decisions. He brings this passion to DNSFilter, where he will build on the company’s commitment to customer experience in everything it does. 

TK Keanini, CTO, DNSFilter, said: “Cybersecurity companies that grow and succeed long-term have a few consistent properties. First, these solutions have an inherently simple design. Second, the layer protected is one critical (not optional) to both businesses and adversaries alike. And third, these solutions intercept as early in the lifecycle as possible, often the first to detect and respond to a threat. DNSFilter has all three of these properties, and I knew I wanted to join a company where I saw the potential for scale and success.”

Ken Carnesi, CEO and co-founder, DNSFilter, said: ‘We are thrilled to welcome TK to our team. A great CTO bridges the gap between technical innovation and business strategy, ensuring technology drives success. TK brings decades of experience and a passion for his work. He views engineers and developers as creative artists and aims to harness their inventiveness to go beyond the industry standard. With TK on board, we are enhancing our focus on security and driving innovation. Together, we will deliver features that excite our customers and strengthen our position as a key player within the cybersecurity landscape.”

About the company

DNSFilter is redefining how organizations secure their largest threat vector: the Internet itself. DNSFilter is making the internet safer and workplaces more productive, by actively blocking an average of 12M threat queries every single day. With 79% of attacks using Domain Name System (DNS), DNSFilter provides the world’s fastest protective DNS powered by machine learning that uniquely identifies 61% more threats than competitors on an average of ten days earlier, including zero-day attacks.

Over 35 million monthly users trust DNSFilter to protect them from phishing, malware, and advanced cyber threats. DNSFilter’s brands include Webshrinker, its next generation web categorization software, and Guardian, a consumer app focused on privacy protection.

DNSFilter Welcomes Cisco Veteran TK Keanini As CTO

PRESS RELEASE

TEL AVIV, Israel, June 06, 2024 (GLOBE NEWSWIRE) -- Backslash Security, today unveiled expansive new platform capabilities. With a broad roster of new on-premises integrations, security team workflow integrations and automation features, CI/CD integrations, and bolstered language support, Backslash now serves the full software development lifecycle and further supports the application security needs of large enterprises.

“There are two core elements that make AppSec teams successful – one is cutting through the noise to prioritize truly reachable and exploitable vulnerabilities; the other is building confidence with our developers to trust that the risks we flag are real, and worth their effort to investigate and fix,” said Shane Garoutte, Head of Security & Compliance at Capital Rx. “Backslash’s focus on reachability analysis enables us to achieve both, and with the platform’s expanded capabilities, we can also work seamlessly with DevOps to integrate security throughout the software development lifecycle.”

Backslash combines SCA, SAST, SBOM, VEX, and secrets detection to replace outdated legacy SAST and SCA tools with a single, enterprise-ready platform that uncovers the most critical risks through reachability analysis. Newly released enhancements to the Backslash platform include:

Extended support for large enterprise use cases: 

*   Integrations with Github Enterprise On-Premise, Github Enterprise Server, Gitlab On-Premise and Bitbucket On-Premise enable seamless connection to enterprise on-premises codebases.
    
*   Extended language support adds C, C++, Ruby, Rust and Scala to Backslash’s existing language portfolio to serve diverse technology stacks and secure the entire codebase, including third party libraries and dependencies.
    
*   Role-based access controls enable enterprises to easily manage access to the Backslash platform for large and varied user bases across the organization.
    

Security team workflow enhancements: New automation policies and actions features enable Backslash users to specify security workflows and automatically create tickets and notifications with the following collaboration platforms: Jira, Monday.com, ServiceNow, Slack and Microsoft Teams.

CI/CD integrations for DevSecOps support: Integrations with Gitlab Pipelines, Github Actions and Azure Pipelines enable DevOps teams to implement DevSecOps processes and prevent new issues from being introduced in the pull request and CI/CD stages.

Reachability analysis enhancements:

*   Phantom packages are packages not defined or controlled by the app developer but introduced by a transitive one, escaping the developer's control and potentially introducing vulnerable versions into the application. Backslash detects these phantom packages in OSS code, even if they are not declared in manifest files.
    
*   Backslash Security’s reachability analysis identifies vulnerable transitive packages, helping developers understand which vulnerabilities are actually in use and therefore exploitable within their codebase, allowing them to prioritize what to fix.
    
*   New UI features bolster reachability evidence by showing code references for each reachable path.
    

"Backslash enables enterprises to prioritize truly critical code risks and facilitate trust among the many teams and stakeholders within the software development lifecycle," said Yossi Pik, co-founder and CTO of Backslash Security. "These latest enhancements automate key AppSec tasks, ensure issues are handled according to the correct priorities, and integrate smoothly into organizational workflows, all while strengthening our reachability analysis to provide enterprise security teams with incomparable results."

Start a free trial with full access to the Backslash platform via a pre-configured demo environment that includes SAST, SCA, phantom packages, VEX, SBOM, secrets, and more, now available at backslash.security/trial.

About Backslash  
Backslash's fusion of SAST and SCA empowers enterprise AppSec teams to focus on fixing only the reachable, exploitable code vulnerabilities. By identifying authentic attack paths pointed at reachable code, Backslash empowers security teams to focus on rectifying only the code and open-source software (OSS) components that are actively in use and accessible to potential attackers. Thanks to this precision, Backslash enables teams to fix only the vulnerable code and OSS that indeed needs addressing – the reachable, exploitable components.

Backed by StageOne Ventures, First Rays Venture Partners, D. E. Shaw & Co., and a roster of security veterans as angel investors, Backslash has been deployed across leading technology organizations and Fortune 100 companies. Learn more at https://www.backslash.security/.

Backslash Unveils Enterprise-Grade Capabilities to its Reachability-Based AppSec Platform

PRESS RELEASE

Darktrace, a global leader in cybersecurity AI, today announces the launch of its new service offering, Darktrace Managed Detection & Response (MDR). The service combines its best-in-class detection and response capabilities spanning across the enterprise, with the expertise of its global analyst team. This powerful combination augments internal security teams with AI-powered threat containment and expert alert management across Darktrace environments, allowing them to focus resources on more strategic security efforts, like improving cyber resilience.

Over 40% of security leaders cite enhancing and optimizing technology and processes in the security operations center (SOC) as a top priority for improving defenses against the rise of AI powered threats according to the Darktrace State of AI Cybersecurity 2024 report. As a leader in applying AI to the challenge of cybersecurity, Darktrace has transformed security operations for thousands of customers for more than a decade. Building upon this expertise Darktrace introduced its MDR service in March 2024, empowering customers to maximize the benefits of effective human-AI collaboration. The service offers customers expanded hands-on analyst support with 24/7 managed detection and response, featuring SOC investigation and action on Darktrace alerts, across network, cloud, operational technology (OT), endpoints and software-as-a-service (SaaS) applications.

With MDR, Darktrace’s SOC team will monitor customer environments for high priority alerts indicative of an attack, conduct investigations to alert customers of potentially severe incidents and begin initial triage with human engagement on the AI’s actions. The SOC will carefully review the response measures the autonomous AI has taken and subsequently take proactive steps on behalf of the customer to contain threats, which may include extending or escalating response actions. By doing so, the SOC buys valuable time for internal teams to prepare for engagement while also gathering essential context for effective remediation efforts.

Darktrace’s existing global SOC team comprised of 100+ world-class cybersecurity analysts support the service, offering a breadth of real-time knowledge, threat analysis and containment expertise, and extensive field experience. Darktrace’s SOC offers 24/7 support, utilizing a follow-the-sun model with operations headquartered in the United Kingdom, United States and Singapore, to ensure analysts are available and ready to support around-the-clock.

The service builds upon Darktrace’s leadership and expertise with best-in-class detection and response capabilities. The Darktrace ActiveAI Security Platform utilizes its unique self-learning AI engine to detect known, unknown, and novel threats in real-time and provide an autonomous response to contain active threats without disrupting business operations. However, high-priority threats often require humans to engage and make decisions following the initial containment. Darktrace Managed Detection & Response now enables the Darktrace SOC to immediately step in, conduct the initial triage, and gather context for internal teams, buying them added time to coordinate an effective response to remove the threat. Additional features and benefits of Darktrace Managed Detection & Response include:

*   Expansive coverage across network, cloud, OT, endpoints, or SaaS applications offering one of the broadest vendor MDR services available today.
    
*   Unlimited access to Darktrace’s analyst team providing 24/7 support for expert assistance during live threat investigations or even day-to-day operations.
    
*   Semi-annual operational efficiency reports featuring consultancy insight with objectives and recommendations for optimizing and tuning deployments for maximum operational efficiency, and suggestions on improving overall cybersecurity hygiene.
    
*   Quarterly analyst MDR reviews ensuring deployments are reaching their full potential, with tailored advice on streamlining workflows, model optimization and custom use cases.
    
*   Regular MDR service reports summarizing all alerts raised as well as those resolved by Darktrace’s SOC for full transparency of service.
    

> “As cyberthreats become more sophisticated and frequent, organizations are looking for ways to help improve their security outcomes without adding to their team’s existing workloads,” said Denise Walter, Chief Revenue Officer, Darktrace. “Our AI-powered MDR service gives our customers added peace of mind that a Darktrace human expert is monitoring their environment 24/7 to keep them protected. Darktrace Managed Detection & Response brings not only the power of our technology, but the power of our people directly into our customers’ environments.”

Darktrace Managed Detection & Response is available now to customers using Darktrace DETECT™ and RESPOND™, across Network, Cloud, OT, Endpoints, or SaaS applications. Darktrace partners can re-sell the service, helping to deliver added value for customers with a complementary offering for their existing portfolio.

> “At Grove, we are excited to partner with Darktrace to offer their Managed Detection & Response (MDR) service to our clients. This collaboration seamlessly integrates our services and together, Darktrace's MDR service and our dSOC service, offer unparalleled security through skilled analysis and consistent oversight," said James Vintin, CEO at Grove Group, a global partner, reseller and distributor focused on defending customers with advanced cybersecurity solutions. “Combining Darktrace's 24/7 AI-driven threat containment and immediate intervention with Grove's proactive daily analysis, Indicator of Compromise reports, and continuous customer interaction ensures that potential threats are promptly identified and addressed. Our partnership enhances our clients' overall security posture and delivers the best of both worlds: immediate and long-term protection against evolving cyber threats.”

To learn more about Darktrace Managed Detection & Response, register for the upcoming webinar on June 6th at 2pm BST, 3pm AEST, or 3pm ET. 

ABOUT DARKTRACE

Darktrace (DARK.L), a global leader in cybersecurity artificial intelligence, is on a mission to free the world from cyber disruption. Breakthrough innovations from our R&D teams in Cambridge, UK, and The Hague, Netherlands have resulted in over 175 patent applications filed. Rather than study historic attacks, Darktrace's technology continuously learns and updates its knowledge of your business data and applies that understanding to help transform security operations to a state of proactive cyber resilience. The Darktrace ActiveAI Security Platform™ provides a full lifecycle approach to cyber resilience that can autonomously spot and respond to known and unknown in progress threats within seconds across the entire organization, including cloud, apps, email, endpoint, network and operational technology (OT). Darktrace, which listed on the London Stock Exchange in 2021, employs over 2,300 people around the world and protects over 9,400 customers globally from advanced cyber threats. To learn more, visit https://darktrace.com/.

Darktrace Launches Managed Detection &amp; Response Service to Bolster Security Operations

The two jurisdictions will work together to investigate the credential-stuffing attack that put the personal data of millions at risk.

Source: michelmond via Alamy Stock Photo

Authorities in Canada and the UK have launched a joint investigation into a 23andMe data breach that occurred last October. 

That's when a threat actor posted on the Dark Web claiming possession of 23andMe profile information, ultimately releasing roughly 4 million company records. 23andMe launched an investigation, discovering that the breach was a credential-stuffing attack that affected around 7 million people.

The discovery of the attack led the company to blame the victims of the breach, saying they were negligent in reusing their passwords that had previously been exposed in past data breaches.

The joint investigation now seeks to protect the "fundamental right to privacy of individuals across jurisdictions," as 23andMe is considered to be "a custodian of highly sensitive personal information" such as genetic history, health, ethnic background, and biological relationships. 

The countries will investigate the scope of the breached information, whether 23andMe had safeguards in place to protect that sensitive information, and whether the notifications the company provided to the regulators was adequate.

"People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place," said UK Information Commissioner John Edwards. "This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

Edwards and Canadian Privacy Commissioner Philippe Dufresne will be jointly investigating the breach.

Canada &amp; UK Partner in Joint 23andMe Data Breach Investigation

Operations at Synnovis medical labs have been disrupted for more than a week, prompting the NHS to implore the public to donate blood.

Source: Cavan Images via Alamy Stock Photo

England's most senior physicians appealed to the public for help in the aftermath of a cyberattack that has threatened the ability of London's National Healthcare Service hospitals to provide life-saving treatment.

Since a ransomware cyberattack against UK pathology lab services provider Synnovis knocked the company offline on June 3, hospitals across London have been struggling with delays in matching patient blood types, among other critical pathology functions.

Pathology labs provide tests on blood and other bodily fluids to diagnose, treat, and prevent a wide variety of illnesses. Synnovis is operated in partnership with Guy's and St Thomas' NHS Foundation Trust and King's College Hospitals NHS Trust, and SYNLAB, Europe's largest provider of medical testing and diagnostics, according to the NHS.

A week later with services still not restored, Dr. Gail Miflin, chief medical officer, NHS Blood and Transplant, decided to put out a call to the public for blood donations.

"When hospitals do not know a patient's blood type or cannot match their blood, it is safe to use O type blood," Miflin said a statement. "To support London hospitals to carry out more surgeries and to provide the best care we can for all patients, we need more O Negative and O Positive donors than usual. Please book an urgent appointment to give blood at one of our 25 town and city donor centres which currently have good appointment availability."

Synnovis is working with law enforcement as well as the National Cyber Security Centre, the company said.

"We are incredibly sorry for the inconvenience and upset this is causing to patients, service users, and anyone else affected," Synnovis said in a statement. "We are doing our best to minimise the impact and will stay in touch with local NHS services to keep people up to date with developments."

Synnovis did not respond to Dark Reading's request for comment.

Blood Shortages Hit London Hospitals After Ransomware Attack

The fresh-baked malware is being widely distributed, but still specifically targets individuals with tailored lures. It's poised to evolve into a bigger threat, researchers warn.

Source: Weyo via Alamy Stock Photo

A purpose-built Windows backdoor appears to be the new flavor of the month for giving attackers entry into targeted systems; after initial access, they pivot to ransomware delivery and system compromise in a wave of recent attacks.

Dubbed WarmCookie by researchers at Elastic Security Labs, the backdoor has been distributed widely in a spate of phishing emails starting in late April by a campaign called REF6127. It uses recruitment and potential jobs as lures, the researchers revealed in a blog post today.

While the malware itself isn't particularly sophisticated — it's mainly an initial backdoor tool for scouting out victim networks and deploying additional payloads — "it shouldn't be taken lightly as it's actively being used and impacting organizations at a global scale," Daniel Stepanic, Elastic Security principal security research engineer, wrote in the post.

The backdoor's code overlaps with a sample that was previously reported by eSentire, suggesting that WarmCookie may be an update to malware that already was in circulation since 2022. However, the latest version of the backdoor represents a different, more pervasive threat, Stepanic noted.

"While some features are similar, such as the implementation of string obfuscation, WarmCookie contains differing functionality," he wrote. "Our team is seeing this threat distributed daily with the use of recruiting and job themes targeting individuals.

**Targeting Specific Appetites**

Phishing lures that use job recruitment are a common theme for attackers, which have found success previously in targeting various professionals with fake promises of new employment positions. North Korean APT Lazarus is among attackers that has been particularly active with this tactic.

The emails in the REF6127 campaign put a twist on this with lures that are specific to the individuals that the attackers are targeting, the researchers said. Indeed, the campaign uses info about targets' current employers attempt to lure them with a type of position that might pique their interest, "enticing victims to pursue new job opportunities by clicking a link to an internal system to view a job description," Stepanic wrote.

In terms of the infection routine, one screenshot included in the post shows a message telling the recipient there is an "exciting opportunity" in the form of a new position open with one of the recruiter's clients. The message includes a "View Position Details" link which eventually leads to the process for deploying WarmCookie.

If a target clicks on the link, it goes to a landing page that looks like a legitimate page specifically targeted for the intended victim using his or her name, and that prompts the user to download a document by solving a CAPTCHA challenge. The landing pages used in the campaign resemble previous campaigns discovered by Google Cloud's security team in a campaign used to spread a new variant of the URSNIF malware, Stepanic noted.

Solving the CAPTCHA challenge downloads an obfuscated JavaScript file that runs PowerShell, kicking off the first task to load WarmCookie. The PowerShell script abuses the Background Intelligent Transfer Service (BITS) to download the malware and run the DLL with the Start export.

To keep defenders on their toes, attackers continuously generate new landing pages rapidly on IP address 45.9.74\[.\]135, targeting different recruiting firms in combination with keywords related to the job search industry with their malicious activity. Moreover, before hitting each landing page, "the adversary distances itself by using compromised infrastructure to host the initial phishing URL, which redirects the different landing pages," Stepanic noted.

**How the Cookie Crumbles**

WarmCookie is a two-stage "lightweight backdoor" that ultimately provides "relatively straightforward" functionality — such as retrieving victim info and screenshot recording — for monitoring victims and further deploying more damaging payloads, such as ransomware, according to the post.

In the first stage, which occurs after the PowerShell download of the malware, the backdoor sets itself up to run with System privileges from the Task Scheduler Engine. "A critical part of the infection chain comes from the scheduled task, which is set up at the very beginning of the infection," Stepanic noted. "The task name (RtlUpd) is scheduled to run every 10 minutes every day."

The malware's second stage contains the backdoor's core functionality and is one in which the DLL is combined with the command line (Start /p) to set execution in motion.

Along the way, WarmCookie uses several tactics to avoid detection. One is to protect its strings using a custom string decryption algorithm in which "the first four bytes of each encrypted string in the .rdata section represent the size, the next four-bytes represent the RC4 key, and the remaining bytes represent the string," Stephanic wrote. Developers also made the "interesting" choice not always to rotate the RC4 key between the encrypted strings.

WarmCookie also uses dynamic API loading to prevent static analysis from identifying its core functionality, and includes a few anti-analysis checks commonly used to target sandboxes "based on logic for checking the active number of CPU processors and physical/virtual memory values," he added.

**Evolving Recipes for Malware**

Elastic is urging organizations to be on the lookout for WarmCookie, which will likely evolve over time as its developers enhance it with advanced functionality.

"Our team believes this malware represents a formidable threat that provides the capability to access target environments and push additional types of malware down to victims," Stepanic wrote.

The post includes a screenshot of YARA rules that organizations use to identify the presence of WarmCookie in an environment. Elastic also specifically addresses various behavior of the backdoor — including its Powershell download and execution and Scheduled Task creation — to provide insight on how to detect this activity on an organization's network.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

WarmCookie Gives Cyberattackers Tasty New Backdoor for Initial Access

If CEOs want to avoid being the target of government enforcement actions, they need to take a personal interest in ensuring that their corporation invests in cybersecurity.

Joe Sullivan, CEO, Ukraine Friends, & CEO, Joe Sullivan Security LLC

June 11, 2024

5 Min Read

Source: Michael Burrell via Alamy Stock Photo

COMMENTARY

One day soon, a government agency will very publicly seek to hold a corporate CEO personally liable for a failure to ensure their organization invested sufficiently in cybersecurity. The surprising thing won't be that it happens, but rather how many people who work for and look up to the CEO will be happy when it does.

When a company gets hacked, the real costs often land on consumers. The company's stock price typically rebounds quickly, but end users are left with their identities stolen, accounts locked, money lost, or children exposed to harm.

The consumers who are harmed from breaches rightfully expect our governments to protect us. The contract between people and their governments is simple: We contribute some of our wealth and you keep us safe. That model has worked pretty well for centuries.

But things have gotten a lot more complicated in the Internet age. Our digital fingerprints are held in the hands of private companies. In the name of personal privacy, we don't want our governments to have that level of access to and control of that information. So, the government can't solely protect us, and companies aren't properly incented to do it either. It's a unique catch-22: No single entity has the power to protect us on the Internet.

Something must give, which is why we're experiencing a movement toward regulation by enforcement. The trend has been developing over the past decade, since the Obama administration developed a policy instructing prosecutors to expand enforcement actions against "responsible corporate officers,” on the theory that the best way to encourage better corporate behavior is to bring actions directly against executives.

The Biden administration has now taken that approach to cyberspace. Look no further than the National Cybersecurity Strategy, which, at its core, demands that corporate America do more to protect citizens from cyberattacks. Realizing it cannot stop cyber harm by asking for voluntary cooperation from companies, it is also using the enforcement tools it believes it has under existing law to force changes in behaviors. A current example is the Securities and Exchange Commission's (SEC) action against the software company SolarWinds and its head of security. The case has raised eyebrows, specifically because the security leader was sued personally.

**Why the CEO Is Next**

Inside every major company is a security team full of smart, technically savvy professionals dedicated to fighting criminals and despotic governments to protect their customers. Most are understaffed and push hard for more investments to make their jobs easier. Leading those teams are senior security practitioners, many of whom are not given the title of chief information security officer (CISO). And recently, our government has turned its enforcement eye toward those team leaders.

As the government digs into these types of cases more deeply, it's inevitable it will conclude it was a mistake to target the greatest champion for the public inside a company. The current focus on security leaders is flawed because it assumes that rather than delivering security at the highest standards, these leaders have instead chosen to mislead. In response, nearly every CISO I talk to is worried about being held personally accountable for a lack of corporate investment. Some great CISOs are now stepping out of the role because their desire to help others is losing out to their desire for self-preservation.

With very few exceptions, the CISO or senior-most security leader is simply not the "responsible corporate officer.” It's the CEO. Security leaders rarely, if ever, get the budget needed to do their job well. CEOs and boards that do control the corporate budget rarely invest the time to understand their cyber-risks, and instead allocate resources in other directions.

The government's attention has already started to shift toward the CEO. At the final hearing in the case in which I was charged with covering up a security incident at Uber, the judge made it a point to challenge the Department of Justice and ask why the CEO was not brought to court. The Federal Trade Commission (FTC) reached the same conclusion and entered into a settlement with the CEO of Drizly for failing to invest adequately in security. The Cybersecurity and Infrastructure Security Agency (CISA) now asks that CEOs, not CISOs, sign its pledge to use secure by design principles when selling software when selling software. And the SEC will see it when it peels back the layers and reviews what happened during budget time at SolarWinds. It will realize it is not enough to look at how a security team responded to an incident or tried to prevent it. To assign culpability, it must look at how the company allocated resources from the top down. Sen. Ron Wyden (D-Ore.), in his recent letter to the FTC and SEC, also asked them to focus on the CEO level when investigating the United Health Group over the Change Healthcare ransomware case.

Security leaders are starting to ask more forcefully for resources. When they fail to receive them, they are documenting those budget decisions clearly. They are also pushing forward policies that bring CEOs and other executives more directly into cyber-incident response processes and deploying new products like those from BreachRx (full disclosure: I've recently joined the company as a senior advisor) that document how security incidents are handled in a cross-functional manner. All these steps will make it easier to show that the security leader wasn't standing alone or, in many cases, even involved in the decisions that led to consumers getting hurt.

Ultimately, the only way the CEO avoids being the target of government enforcement actions is if he or she takes a personal interest in ensuring that the corporation invests properly in cybersecurity.

**About the Author(s)**

CEO, Ukraine Friends, & CEO, Joe Sullivan Security LLC

Joe Sullivan provides security, AI safety, and leadership advice to executives across various industries and serves as the CEO of Ukraine Friends, a nonprofit providing humanitarian aid to Ukrainian children in a war zone. Joe spent eight years with the US Department of Justice, including as the first federal prosecutor dedicated to prosecuting technology-related crimes. He then spent seven years in senior roles at eBay and PayPal, before joining Facebook in 2008 as its chief security officer, building its safety and security team from a handful of people to hundreds. In 2015, he joined Uber as its first CSO, and in 2018, Cloudflare as its first CSO, helping it blossom from pre-IPO to a thriving public company. Joe has advised many companies, including AirBnB, DoorDash, and Whoop, and currently advises nine pre-IPO companies. He has testified before global government bodies, and served on President Obama’s Commission on Enhancing National Cybersecurity.

Source

DARKReading