weekly nanalysis- Hack2interesting

Weekly Trend Analysis- June 1st Week 2024: Nation-State Attacks, vulnerabilities, and Ransomware. Receive your weekly summary of the new dangers.

weekly update

Ransomware

Victim sector: Healthcare

Victim: London hospitals(Synnovis)

Date: 3 June 2024

The attack, which was detected on Monday, impacted a company called Synnovis that provides pathology services, such as blood tests for transfusions, to several healthcare organizations, according to reports and internal emails published on social media.

A Russian cyber gang is believed to be behind a ransomware attack that disrupted London hospitals and led to operations and appointments being canceled, the former head of British cybersecurity said Wednesday.

Reference: https://abcnews.go.com/Health/wireStory/russian-cyber-gang-thought-ransomware-attack-hit-london-110854278

Impact:

  • Disrupted lab services,
  • potentially delaying diagnoses and treatment.
  • Inconvenience for patients who rely on Synnovis services.
  • Strained resources at hospitals as they work around the disruption.

Current Report:

  • Synnovis is working to restore services and hasn’t confirmed if they’ll pay the ransom.
  • NHS England – London issued a statement apologizing for the inconvenience and highlighting the ongoing efforts to address the disruption.

London statement:

Following publication, Synnovis chief executive Mark Dollar released a statement confirming that the business — a partnership between the company SYNLAB and two London hospital trusts — had become “the victim of a ransomware attack.”

https://www.england.nhs.uk/london/2024/06/04/nhs-london-statement-on-synnovis-ransomware-cyber-attack

Vulnerabilities

Android:

Google released its June 2024 security update addressing 37 vulnerabilities in the Android operating system. These vulnerabilities ranged from high-severity elevation of privilege flaws to information disclosure.

Reference: https://source.android.com/docs/security/bulletin/2024-06-01

Critical Patch:

1. CVE: CVE-2024-4577: PHP-CGI Argument Injection Vulnerability

Analysis: A significant argument injection vulnerability in PHP, identified as CVE-2024-4577, can be used to obtain remote code execution (RCE). Researchers at DEVCORE claim that this defect, which affects Windows’ “Best Fit” feature, is the consequence of mistakes in character encoding conversions.

PHP maintainers published updates on June 6 to fix a severe vulnerability that affected installations using PHP in CGI mode.

The origins of the vulnerability can be found in character encoding conversion problems, specifically in Windows systems’ “Best Fit” function. This omission gives attackers a way around security protections that are currently in place, particularly those meant to counteract the previous vulnerability known as CVE-2012-1823.

Mitigation Strategies

  • Quick Patching: System administrators should immediately update PHP installations to the 8.3.8, 8.2.20, and 8.1.29 fixed versions that the PHP Group has made available.
  • Disabling PHP CGI Features: This reduces the possibility of exploitation in susceptible environments such as XAMPP.
  • Changing Server Configurations: By using mod_rewrite rules, you can strengthen server defenses against possible attacks and supplement current security protocols.
  • Rewrite Rules: These Rewrite Rules can be used by users who are unable to upgrade PHP to temporarily prevent attacks.

Reference: https://www.tenable.com/blog/cve-2024-4577-proof-of-concept-available-for-php-cgi-argument-injection-vulnerability