Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12727

Checks for new stories every ~15 minutes

2024-06-04 16:23:52 bleepingcomputer RANSOMWARE Major Ransomware Disruption at London NHS Hospitals Impacting Services
A ransomware attack on Synnovis has severely impacted major NHS hospitals in London, compromising pathology and diagnostic services. Major facilities affected include King's College Hospital, Guy's Hospital, and St Thomas' Hospital among others. Healthcare procedures, including some surgeries and blood transfusions, have been canceled or redirected to ensure patient safety. Hospitals advise patients to continue attending appointments unless instructed otherwise, while emergency services remain operational. The attack has disrupted IT systems, rendering urgent and emergency care challenging due to unavailable quick-turnaround blood tests. UK's National Cyber Security Centre and hospital Cyber Operations teams are collaborating to mitigate the impact and understand the full extent of the breach. Synnovis, affected by the attack, is part of a partnership network that includes SYNLAB UK & Ireland and several NHS trusts.
2024-06-04 16:08:17 bleepingcomputer CYBERCRIME Major London Hospitals Disrupted by Synnovis Ransomware Attack
Synnovis, a key provider of pathology and diagnostic services, suffered a cyberattack on June 3, significantly impacting NHS hospitals in London. The incident disrupted IT and clinical services across several hospitals including King’s College Hospital and Guy’s and St Thomas’ NHS Foundation Trust. Blood transfusion services were particularly affected, causing cancellations and redirections of some medical procedures to other providers. Urgent and emergency care services are compromised due to unavailable timely blood test results. The hospitals’ leadership has described the situation as an "ongoing critical incident" with a major impact on healthcare service delivery. It was confirmed that the cyberattack involved ransomware, complicating the recovery of pathology results, expected to take weeks. Synnovis had previously changed names and is part of a larger network that also experienced similar ransomware attacks in other regions.
2024-06-04 15:47:28 theregister CYBERCRIME Ransomware Attack Disrupts London Hospital Services
London hospitals are facing major disruptions in pathology services due to a ransomware attack targeting their service partner, Synnovis. Synnovis, a partnership between Synlab, Guy's and St Thomas' NHS Foundation Trust, and King's College Hospital NHS Foundation Trust, is critical in providing pathology and testing across multiple labs. The ransomware has significantly impacted blood transfusions and elective surgeries, leading to cancellations and redirections to alternative providers. NHS England's London region is working with the National Cyber Security Centre and their Cyber Operations team to assess and mitigate the impact. Emergency care remains operational; patients are advised to attend scheduled appointments unless informed otherwise. This incident is isolated to London and is not directly connected to the recent ransomware attack on Synlab Italia by the Black Basta group. NHS officials and Synnovis are part of a task force striving to restore services and communicate regularly with patients and the public about updates. Synnovis acknowledges the severity of the cyberattack and confirms ongoing efforts to bolster cybersecurity measures.
2024-06-04 15:47:28 bleepingcomputer MISCELLANEOUS Microsoft Deprecates NTLM for Enhanced Security Protocols
Microsoft has officially announced the deprecation of the NTLM authentication protocol in Windows, encouraging a shift to more secure alternatives like Kerberos and Negotiate. NTLM, launched in 1993, has been vulnerable to cyberattacks, including NTLM Relay attacks where attackers force authentication against malicious servers. Despite measures like SMB security signing to combat these vulnerabilities, NTLM's weaker encryption and lack of single sign-on support make it outdated by 2024 standards. Microsoft emphasizes the transition to Negotiate, which prefers Kerberos and falls back to NTLM only if necessary, to enhance security and performance. The company advises system administrators to use auditing tools to assess NTLM usage and develop a comprehensive transition strategy. For most applications, migrating from NTLM to Negotiate requires minimal modification, potentially as simple as a one-line code change. Microsoft provides resources such as a Kerberos troubleshooting guide to assist administrators during this transition period.
2024-06-04 15:42:01 bleepingcomputer MISCELLANEOUS Microsoft Announces Deprecation of Outdated NTLM Authentication
Microsoft has officially deprecated the NTLM authentication protocol, urging a transition to more secure methods such as Kerberos or Negotiate authentication. NTLM, first introduced in 1993 with Windows NT 3.1, is criticized for its outdated security measures and susceptibility to various cyberattacks, including NTLM Relay attacks. Despite enhancements like SMB security signing, NTLM remains vulnerable to attacks where attackers can capture and utilize password hashes. The protocol's encryption is weaker compared to modern standards, and it lacks efficiency and support for single sign-on (SSO) technologies. Microsoft recommends that developers and system administrators audit their use of NTLM and plan for migration to the Negotiate protocol, which uses Kerberos as its primary method and NTLM as a fallback. NTLM will still function in the upcoming Windows Server release and the next Windows annual release, but further support will gradually decrease. Transitioning from NTLM to Negotiate can typically be managed with minor coding changes, although some scenarios might require more substantial modifications.
2024-06-04 15:36:41 thehackernews NATION STATE ACTIVITY Decoy Dog Trojan Used in Cyber Attacks on Russian Entities
Russian power companies, IT firms, and government agencies have been targeted by a malicious cyber campaign delivering a malware known as Decoy Dog. The malware campaign, dubbed Operation Lahat, is attributed to an APT group called HellHounds, which has been active since at least 2021. Positive Technologies has documented significant breaches, including 48 compromised entities in Russia, involving critical industries such as space and telecommunications. Decoy Dog, which initially targeted Linux systems, is now confirmed to have a Windows variant that enables attackers to efficiently maintain covert communications with infected hosts. The malware uses DNS tunneling for remote control and moves covertly between different control servers to evade detection. HellHounds exploited vulnerabilities in web services and relationships, as well as compromised SSH credentials of contractors, to gain initial access. Positive Technologies highlights that the attackers have efficiently modified open-source tools to craft their malware, ensuring persistence and avoidance of detection mechanisms.
2024-06-04 14:50:39 thehackernews CYBERCRIME Critical Flaw in Telerik Report Server Allows Admin Account Creation
Progress Software has issued updates for a critical vulnerability in Telerik Report Server, which could let attackers bypass authentication. Tracked as CVE-2024-4358, this flaw has a high severity score of 9.8 and affects versions up to 2024 Q1 (10.0.24.305). The vulnerability enables remote, unauthenticated attackers to create rogue administrator accounts and access restricted server functionalities. The updated version, Report Server 2024 Q2 (10.1.24.514), addresses this vulnerability. Progress Software advises customers to check their servers for unauthorized local users and update their systems immediately. As a part of the mitigation efforts, Progress Software recommends implementing a URL Rewrite technique on IIS servers to reduce vulnerability. This flaw was discovered a little over a month after another significant vulnerability in Telerik Report Server was patched. Given past exploits targeting Telerik servers, updating to secured versions and continuous monitoring are crucial for preventing potential breaches.
2024-06-04 14:35:11 theregister DATA BREACH Christie's Data Auctioned Post-Breach by Cybercrime Group RansomHub
Christie's experienced a cyberattack, leading to unauthorized access to certain client data but not financial or transactional records. The attackers, known as RansomHub, initially demanded a ransom, then claimed to have auctioned the data to an anonymous buyer. Details exposed included client names and personal identity information from ID documents like passports and driving licenses. RansomHub failed to secure a ransom by the imposed deadline and opted to auction the data as a strategic pivot. Experts believe the actual success of this auction tactic in generating payouts is minimal, and that it often serves more as a symbolic gesture or face-saving measure. There is skepticism about the scale of the breach and the effectiveness of auctioning off stolen data in the cybercrime community.
2024-06-04 14:03:41 theregister DATA BREACH Microsoft Accused of GDPR Violations in Education Software
A privacy group has lodged a complaint with the Austrian data protection authority against Microsoft 365 Education for potential GDPR breaches. Noyb, the privacy organization, alleges that Microsoft imposes data protection responsibilities on schools while shirking its own obligations. The complaint emphasizes that Microsoft’s system lacks transparency in processing children’s data and does not comply adequately with the data access rights of individuals. It is claimed that schools are powerless in negotiating or altering how Microsoft processes user data, resulting in most decision-making and profit going to Microsoft. Additionally, noyb has filed a second complaint stating that Microsoft 365 Education installs cookies without consent, using them for behavioral analysis and advertising purposes. Noyb's actions follow historical successes by its honorary chairman, Max Schrems, in challenging inadequate data protection agreements between the EU and the US. The group is pressing for the Austrian data protection authority to enforce more stringent checks and penalties if GDPR violations are confirmed.
2024-06-04 14:03:41 bleepingcomputer MISCELLANEOUS How to Secure Microsoft Copilot in Corporate Environments
Microsoft Copilot boosts employee productivity by integrating with Microsoft 365 tools like Word, PowerPoint, and Excel, acting as an analyst, copywriter, notetaker, and designer. While enhancing efficiency, there is a significant risk that Copilot could access and share sensitive corporate information unintentionally. Copilot generates content based on the data it can access within the Microsoft suite, potentially exposing sensitive data if not properly controlled. Organizations must implement stringent access controls and label sensitive data to prevent unwanted data exposure through Copilot. Employees with Copilot access should receive training on the risks of inadvertent data sharing and the importance of reviewing materials before sharing externally. Admins need to rigorously define user access and roles concerning file access on corporate drives to mitigate the risk of data leaks through GenAI use. Enterprises should take careful measures to establish security around GenAI tools like Microsoft Copilot to maintain confidentiality and data integrity in their operations.
2024-06-04 12:05:41 theregister MALWARE Cybercriminals Utilize BoxedApp to Evade Detection and Analysis
Malware creators are increasingly leveraging BoxedApp, a legitimate commercial packer, to avoid detection by security systems. Jiří Vinopal from Check Point Research highlights a significant rise in malware using BoxedApp, most commonly with remote access trojans like Agent Tesla, AsyncRAT, and QuasarRAT, as well as ransomware and infostealers. The use of BoxedApp allows malicious software to bypass static analysis and stay undetected longer, giving attackers more time to access sensitive data. Despite a spike in usage since March 2023, antivirus solutions show a high false positive rate when scanning applications packed with BoxedApp, sometimes leading to decreased alertness in security operations centers. Check Point Research's analysis of 1,200 malicious samples on VirusTotal revealed that 25% were flagged, indicating that while detections occur, they may not be consistently reliable. Security expert Sean Wright suggests limiting the use of BoxedApp applications and recommends signing applications to reduce false positives. The majority of the malicious samples, submitted from Turkey, the US, and Germany, primarily targeted financial institutions and government sectors, exploiting advanced features like Virtual Storage offered by the BoxedApp SDK. Check Point Research has developed YARA signatures to improve the detection of malicious use of BoxedApp, aiding in the identification and analysis of packed malware.
2024-06-04 11:19:37 thehackernews MISCELLANEOUS Evolving Cybersecurity: From Browser Isolation to Secure Extensions
Traditional browser isolation has been foundational in protecting against malware and browser exploits but falls short against modern web threats like phishing. Limitations of traditional browser isolation include significant performance degradation, impacting business productivity. The necessity for more advanced solutions has led to the development of Secure Browser Extensions, enhancing both security and user experience. Secure Browser Extensions use machine learning to analyze web components in real-time, identifying threats such as malicious downloads and credential theft. These extensions integrate seamlessly into browsers, require minimal CPU resources, and do not impact browser performance. Easy deployment of Secure Browser Extensions on both managed and unmanaged devices caters to a variety of workplace environments. The shift towards these extensions represents an evolution in cybersecurity strategies, addressing both legacy and emerging threats effectively.
2024-06-04 11:09:11 thehackernews MALWARE Sophisticated Multi-Stage Malware Attack Targets Ukraine via Excel
A sophisticated cyber attack in Ukraine used a Microsoft Excel file with a malicious VBA macro to deploy Cobalt Strike. The attack begins with the victim being urged to enable macros in an Excel document, which then triggers malware deployment. The malware, hidden within macro-enabled documents, downloads additional payloads only if the system's geolocation is confirmed as Ukraine. The malware includes evasion techniques such as checking running processes for security applications and conditional execution based on geographic location. The final payload is a Cobalt Strike Beacon, which establishes a remote command-and-control channel for further malicious activities. Attackers use encoded and obfuscated files to bypass security measures and ensure a persistent presence on the infected systems. Microsoft has taken steps like blocking macros by default to mitigate such threats, affecting how the malware operates post-July 2022.
2024-06-04 10:33:19 thehackernews CYBERCRIME Snowflake Customers Targeted in Credential Theft Campaign
Snowflake reported a targeted credential theft affecting a limited number of customers. The company, along with CrowdStrike and Google-owned Mandiant, found no evidence of platform vulnerabilities or insider credential compromise. Attackers used credentials obtained from information-stealing malware to access databases set with single-factor authentication. Mandiant highlighted active threats where stolen credentials were used to compromise Snowflake's customer tenants. Snowflake has urged the implementation of multi-factor authentication (MFA) and restricting network traffic to trusted locations only. CISA and the Australian Cyber Security Centre have issued alerts advising organizations to monitor for unusual activity and secure access controls. Indicators of compromise identified include malicious connections from clients with suspicious identifiers. Independent research underlines the urgency of adopting robust multi-factor authentication due to the rising threat from infostealers.
2024-06-04 06:38:43 thehackernews MALWARE DarkGate Malware Evolves with AutoHotkey to Elude Detection
DarkGate malware, active since 2018, shifts from AutoIt to AutoHotkey in its latest update to improve evasion of cybersecurity defenses. The update was first observed in version 6, released in March 2024 by its developer RastaFarEye and marketed to around 30 subscribers. This malware variant operates as a remote access trojan (RAT) with functionalities including command and control, rootkits, credential theft, keylogging, and more. Newly added features in version 6 include audio recording and advanced mouse and keyboard control, while previous features like cryptomining and privilege escalation were removed to reduce detection risks. The switch to AutoHotkey was documented by McAfee Labs in April 2024; campaigns exploited vulnerabilities such as CVE-2023-36025 and CVE-2024-21412 to bypass Microsoft Defender SmartScreen. Attack methods include phishing emails with Excel attachments whose macros execute scripts that retrieve and launch the malware payload. Cybercriminals also leverage DocuSign to create legitimate-looking phishing templates sold on underground forums, aimed at facilitating phishing and business email compromise scams.