
October 14 – Threat Intelligence Report

For the latest cyber research discoveries for the week of October 14, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Non-profit healthcare organization Axis Health System was hit by a ransomware attack by the Rhysida gang, which resulted in the theft of sensitive data, including mental health and substance abuse records. Rhysida is demanding $1.5 million and threatening to release the data within six days if payment is not made. The gang has also begun leaking 102GB of data from Golden Age Nursing Home, including over 35,000 files purportedly containing medical records and discharge summaries.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Win.Rhysida; Ransomware.Wins.Rhysida)

  • Danish toy maker LEGO was hit by a cyberattack that compromised its website, on which attackers advertised a fake “LEGO Coin” cryptocurrency for purchase. The attack had limited success: victims bought only a few hundred dollars’ worth of the fake tokens.
  • American Water, the largest water utility in the United States, has confirmed a cyberattack that disrupted its internal systems, particularly customer billing. Certain systems were shut down in response, but water and wastewater services were unaffected.
  • The Internet Archive, operator of the Wayback Machine, suffered a data breach that resulted in the theft of 31 million user records, including email addresses, usernames, and bcrypt-hashed passwords. The incident also included a website defacement and a distributed denial of service (DDoS) attack.
  • Japanese technology giant Casio has disclosed a cyberattack that caused a system failure and service disruptions. The attack exposed more than 91,000 customer records in Japan and 35,000 records from other countries, including names, email addresses and payment method information.
  • Russian state media outlet VGTRK was the victim of a cyberattack that resulted in a nearly hour-long disruption to several television channels, including Russia 1 and Russia 24. The attack reportedly resulted in the deletion of data from the company’s servers, including backups. Pro-Ukrainian hacktivist group Sudo rm-RF is believed to be responsible for the breach.
  • Fidelity Investments disclosed a data breach that occurred between August 17 and 19 and exposed the personal information of over 77,000 customers. The attacker accessed customer information through two recently created customer accounts; no Fidelity accounts or funds were accessed. To date, no threat actor has claimed responsibility.
  • American security firm ADT has confirmed a cyberattack in which attackers used compromised third-party credentials to exfiltrate encrypted internal company data related to employee user accounts. The breach disrupted some of ADT’s information systems, but no customer data or security systems were compromised.
VULNERABILITIES AND PATCHES
  • Microsoft’s October 2024 Patch Tuesday addresses 117 vulnerabilities, including four zero-day vulnerabilities, two of which are actively exploited (CVE-2024-43572, CVE-2024-43573). The update also patches critical remote code execution vulnerabilities in Microsoft Configuration Manager (CVE-2024-43468) and Remote Desktop Protocol Server (CVE-2024-43582).
  • Google’s October 2024 Android Security Update addresses critical vulnerabilities, including a denial of service flaw in the Android Framework (CVE-2024-40675), local privilege escalation issues, and a remote code execution vulnerability (CVE-2024-40673). It also fixes issues in MediaTek and Qualcomm components covering Wi-Fi, display and modem functions.
  • Adobe’s October 2024 security update addresses multiple vulnerabilities across its product family, including Adobe Substance 3D Painter, Adobe Commerce, and Adobe Animate. The update fixes memory leaks, privilege escalation, code execution, and security bypasses, including critical bugs that allow unauthorized access.
REPORTS BY THREAT INTELLIGENCE
  • Check Point Research has released the September 2024 Most Wanted Malware report, highlighting the shift toward AI-driven malware tactics in the current cyber landscape and the continued dominance of ransomware threats. Threat actors likely used AI to develop a script that delivers AsyncRAT malware, now ranked 10th on the list of the most widespread malware. Joker remains the top mobile malware, while RansomHub is the leader among ransomware groups.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (RAT.Win.Asyncrat; RAT.Wins.AsyncRAT.ta.*; RAT.Win.Asyncrat.glmw.*; Ransomware.Wins.RansomHub.ta.*; Ransomware.Win.RansomHub)

  • Check Point Research analyzed the “Operation MiddleFloor” disinformation campaign that targeted Moldova’s government and education sector ahead of the October 2024 elections. The Russia-aligned group Lying Pigeon uses fake emails to spread false information about EU membership and pro-European leadership while collecting data for possible malware attacks.
  • Researchers have discovered a campaign by the GoldenJackal APT group that targets air-gapped systems in government and diplomatic facilities across Europe, the Middle East and South Asia. The group used custom toolsets, including GoldenHowl and GoldenRobo, to breach isolated networks, steal sensitive information, and exfiltrate data via USB drives and modular backdoors.

Check Point Harmony Endpoint provides protection against this threat (APT.Win.GoldenJackal)

  • Researchers have discovered a new phishing-as-a-service (PhaaS) platform called Mamba 2FA, which is designed for adversary-in-the-middle (AiTM) phishing attacks. The platform mimics Microsoft 365 login pages and bypasses multi-factor authentication methods such as one-time codes and app push notifications by relaying the victim’s login in real time and capturing the credentials and resulting session cookies, which are then sent to attackers via a Telegram bot.
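Because an AiTM kit of this kind ends up holding a session cookie that was minted after a legitimate MFA completion, the most useful detection is not a failed-MFA alert but a session-replay check: the same session identifier appearing from a different network (ASN) than the one that satisfied MFA, shortly after that MFA event. The following is an added example written for this report, not code from Check Point or from the Mamba 2FA research; the log lines are constructed and the field names (user, ip, asn, session, mfa) are assumptions that stand in for the equivalent fields in an identity provider's sign-in log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, simplified sign-in events (not real identity-provider output).
# alice: MFA satisfied from AS64500, then the same session reused 8 minutes
# later from AS64511 (the pattern a stolen cookie produces).
# bob: normal activity within one network.
# carol: same session reused from another ASN, but two days later.
SAMPLE_LOG = """\
2024-10-10T08:01:22Z user=alice@example.com ip=203.0.113.7 asn=AS64500 session=sess-a1 mfa=satisfied
2024-10-10T08:02:05Z user=alice@example.com ip=203.0.113.7 asn=AS64500 session=sess-a1 mfa=none
2024-10-10T08:09:40Z user=alice@example.com ip=198.51.100.23 asn=AS64511 session=sess-a1 mfa=none
2024-10-10T09:15:00Z user=bob@example.com ip=192.0.2.44 asn=AS64496 session=sess-b7 mfa=satisfied
2024-10-10T09:20:00Z user=bob@example.com ip=192.0.2.44 asn=AS64496 session=sess-b7 mfa=none
2024-10-10T10:00:00Z user=carol@example.com ip=192.0.2.9 asn=AS64496 session=sess-c3 mfa=satisfied
2024-10-12T10:30:00Z user=carol@example.com ip=203.0.113.99 asn=AS64500 session=sess-c3 mfa=none
"""

# Assumed line format: "<ISO8601 UTC> user=<u> ip=<ip> asn=<asn> session=<id> mfa=<result>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) asn=(\S+) session=(\S+) mfa=(\S+)$")


@dataclass
class SignIn:
    ts: datetime
    user: str
    ip: str
    asn: str
    session: str
    mfa: str


def parse_log(text):
    """Parse the constructed log format into SignIn events, oldest first.
    Malformed lines are skipped rather than aborting the whole run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, asn, session, mfa = m.groups()
        events.append(SignIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                             user, ip, asn, session, mfa))
    return sorted(events, key=lambda e: e.ts)


def detect_session_replay(events, window=timedelta(hours=24)):
    """Flag sessions whose identifier is used from a different ASN than the
    one that completed MFA, within `window` of that MFA event.

    The MFA event is treated as the session's origin; any later use of the
    same session id from another ASN inside the window is reported once."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e.session].append(e)

    alerts = []
    for session, evs in by_session.items():
        origin = next((e for e in evs if e.mfa == "satisfied"), None)
        if origin is None:
            continue  # no MFA completion on record; nothing to compare against
        for e in evs:
            if e.ts <= origin.ts or e.asn == origin.asn:
                continue
            delta = e.ts - origin.ts
            if delta <= window:
                alerts.append({
                    "user": e.user,
                    "session": session,
                    "origin_asn": origin.asn,
                    "origin_ip": origin.ip,
                    "replay_asn": e.asn,
                    "replay_ip": e.ip,
                    "minutes_after_mfa": round(delta.total_seconds() / 60, 1),
                })
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_session_replay(parse_log(SAMPLE_LOG)):
        print(f"{a['user']}: session {a['session']} completed MFA from {a['origin_asn']} "
              f"({a['origin_ip']}) and was reused from {a['replay_asn']} "
              f"({a['replay_ip']}) {a['minutes_after_mfa']} min later")
```

An ASN change by itself is a weak signal (mobile networks and VPNs trigger it constantly), so in production the origin ASN should also be compared against the user's historical networks, and the window tuned to the tenant's token lifetime; carol's two-day gap above is deliberately left outside the default window to show that tuning. The relay itself is only stoppable at the authentication layer: origin-bound, phishing-resistant MFA such as FIDO2 security keys or passkeys cannot be replayed through a proxy page, whereas one-time codes and push approvals can.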