Cyware Daily Threat Intelligence


Daily Threat Briefing July 13, 2023

Many healthcare entities struggle with configuration management, and with vulnerability patching in particular. A recent inspection of a Veterans Affairs healthcare system in Arizona found a range of unaddressed security weaknesses. Meanwhile, the operators of the LokiBot trojan are back: a campaign has been spotted exploiting two known remote code execution vulnerabilities through malicious Microsoft Office documents. Active since 2015, LokiBot is a well-known information-stealing trojan built to harvest and exfiltrate confidential data.

Back to vulnerabilities, SonicWall is urging customers to patch multiple high- and critical-severity bugs in its Global Management System (GMS) firewall management and Analytics network reporting engine software suites. No public proof-of-concept has been reported.

Top Breaches Reported in the Last 24 Hours

62 EY clients exposed in MOVEit breach

The list of MOVEit cyberattack victims now includes 62 clients of the Big Four accounting firm Ernst & Young. Cybercriminals have allegedly leaked 3TB of data stolen from those clients, including financial reports, accounting documents, visa and passport scans, risk and asset management documents, contracts and agreements, credit agreements, audit reports, and account balances.

ZooTampa hit by ransomware attack

A cyberattack crippled the systems of Florida's ZooTampa and compromised employee data and vendor information. In its notification to those affected, the zoo clarified that it does not store personal or financial information of visitors or members on its servers. The BlackSuit ransomware group claimed responsibility for the attack; the group is believed to have ties to the Royal ransomware gang.

Top Malware Reported in the Last 24 Hours

LokiBot campaign abuses known bugs

FortiGuard Labs reported finding several Office maldocs built to exploit known vulnerabilities, specifically CVE-2021-40444 (the MSHTML bug) and CVE-2022-30190 (Follina, in MSDT). The campaign used two variants of Word document. The first carries an external link in the package relationship file "word/_rels/document.xml.rels", which Word resolves when the document is rendered. The second contains a VBA macro that runs as soon as the document is opened. Both chains drop the LokiBot info-stealer as the final payload.
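As an added triage example (not FortiGuard's or Cyware's code), the Python below opens a Word document as the zip archive it is, reads word/_rels/document.xml.rels, and flags relationships that point outside the package while leaving ordinary hyperlinks alone; it also notes an embedded VBA project, which is how the second document type carries its macro. The sample documents, the lure hostname, and the set of relationship types treated as risky are constructed assumptions for this example.

```python
"""Triage helper for OOXML (.docx/.docm) lures of the kind described above.

Added example, not FortiGuard or Cyware code. Sample documents are built in
memory so the script runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
RELS_PATH = "word/_rels/document.xml.rels"
VBA_PART = "word/vbaProject.bin"  # present when a VBA project is embedded
# Assumption for this example: hyperlinks legitimately point outside the
# package; an external OLE object (how the MSHTML and Follina lures fetched
# their payloads) or an external attached template does not belong in mail.
RISKY_REL_TYPES = {"oleObject", "attachedTemplate"}


def external_relationships(rels_xml: bytes) -> list[dict]:
    """Return every relationship whose TargetMode is External."""
    root = ET.fromstring(rels_xml)
    out = []
    for rel in root.iter(REL_NS + "Relationship"):
        if rel.get("TargetMode") != "External":
            continue
        target = rel.get("Target", "")
        out.append({
            "id": rel.get("Id"),
            "type": rel.get("Type", "").rsplit("/", 1)[-1],  # e.g. oleObject
            "target": target,
            "scheme": urlsplit(target).scheme.lower(),        # e.g. mhtml
        })
    return out


def scan_docx(data: bytes) -> dict:
    """Scan an OOXML document held in memory and return triage findings."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        rels = external_relationships(zf.read(RELS_PATH)) if RELS_PATH in names else []
    has_vba = VBA_PART in names
    # An mhtml: target is the CVE-2021-40444 pattern; Follina's ms-msdt: URI
    # lives in the fetched HTML, so the oleObject type check is what catches it.
    flagged = [r for r in rels if r["type"] in RISKY_REL_TYPES or r["scheme"] == "mhtml"]
    return {
        "external": rels,
        "flagged": flagged,
        "vba_project": has_vba,
        "suspicious": bool(flagged) or has_vba,
    }


def build_docx(rels_xml: str, with_vba: bool = False) -> bytes:
    """Construct a minimal .docx in memory (constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr(RELS_PATH, rels_xml)
        if with_vba:
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0")  # OLE header stub only
    return buf.getvalue()


RELS_HEAD = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')
REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Constructed lure: external oleObject relationship (hostname is fictitious).
LURE_RELS = RELS_HEAD + (
    f'<Relationship Id="rId5" Type="{REL_TYPE}oleObject" '
    'Target="mhtml:http://lure.invalid/page.html!x-usc:http://lure.invalid/page.html" '
    'TargetMode="External"/>'
    '</Relationships>')
# Constructed benign document: a plain hyperlink, also TargetMode="External",
# which must not raise an alert.
BENIGN_RELS = RELS_HEAD + (
    f'<Relationship Id="rId2" Type="{REL_TYPE}hyperlink" '
    'Target="https://www.example.com/" TargetMode="External"/>'
    '</Relationships>')

if __name__ == "__main__":
    for label, doc in (("lure", build_docx(LURE_RELS)),
                       ("benign", build_docx(BENIGN_RELS)),
                       ("macro", build_docx(BENIGN_RELS, with_vba=True))):
        print(label, scan_docx(doc))
```

Legacy binary .doc files are OLE2 containers rather than zip archives, so this check does not apply to them; and a clean relationship file says nothing about what an embedded object does once fetched, so treat the result as a triage signal, not a verdict.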

Top Vulnerabilities Reported in the Last 24 Hours

Security gaps in a VA healthcare system

During a routine security inspection of the Northern Arizona VA Health Care System, inspectors identified security control areas open to attack. A number of devices carried critical and high-severity flaws for which available patches had not been applied. Of the healthcare system's 80 network switches, 71 were running software that did not meet the IT baseline requirements and was no longer supported by the vendor.

Rockwell Automation bugs targeted by APT

An unnamed APT group is reported to have targeted a vulnerability in industrial communication modules from Rockwell Automation. The company reported two bugs, CVE-2023-3595 and CVE-2023-3596, to CISA, with CVSS scores of 9.8 and 7.5 respectively. An adversary could abuse them to take control of a device, steal operational data, or manipulate devices with disruptive consequences. Experts said, "Customers using affected products could face serious risk."

SonicWall urges GMS and Analytics upgrade

SonicWall has fixed a total of 15 security flaws and strongly advises organizations running GMS 9.3.2-SP1 or earlier and Analytics 2.5.0.4-R7 or earlier to upgrade to the latest version. The fixes cover, among others, a web service authentication bypass (CVE-2023-34124), multiple unauthenticated SQL injection issues and a security filter bypass (CVE-2023-34133), a password hash read via web service (CVE-2023-34134), and a CAS authentication bypass (CVE-2023-34137).

Exploitable QuickBlox flaws

Joint research by Check Point Research (CPR) and Claroty Team82 uncovered multiple security flaws in the popular QuickBlox software development kit and API. Chained together, the vulnerabilities could expose the entire user database of any application built on the framework. The researchers also detailed a range of attacks that would let a malicious actor gain unauthorized access to smart intercoms, remotely unlock doors, expose sensitive data, and more.

17 advisories by Juniper Networks

Juniper Networks addressed multiple security vulnerabilities in Junos OS, Junos OS Evolved, and Junos Space through 17 advisories. The company says it is not aware of any exploitation of these vulnerabilities. Separately, it announced software updates for SRX series and MX series devices that address a high-severity issue in the Intrusion Detection and Prevention (IDP) feature.
