Weekly Top 10 – 5.13.2024 – Law Enforcement Seizes LockBit Group’s Website Again, LockBit Ransomware Gang Claims City of Wichita Breach, Ohio Lottery Ransomware Attack Impacts Over 538,000, and More.

WEEKLY TOP TEN: May 13, 2024, 09:00 GMT

1. Law Enforcement Seizes LockBit Group’s Website Again
   
   Ransomware attacks and breaches reached a record high this week. First up, law enforcement has once again seized LockBit’s Tor website. They have also revealed the identity of LockBitSupp, offering a $10 million bounty for information that will lead to an arrest. A few days later, LockBit relaunched its operation and threatened to carry out more attacks against governments.
2. LockBit Ransomware Gang Claims City of Wichita Breach
   
   LockBit is continuing with its threats of attacking governments, and the City of Wichita is the latest LockBit target where systems have been disrupted. Many services have been shut down and are unavailable while the city attempts to repair its systems. Investigations into the stolen data are still ongoing.
3. Ohio Lottery Ransomware Attack Impacts Over 538,000
   
   The Ohio Lottery has also been attacked, with the DragonForce gang claiming the attack. This attack impacts roughly 538,000 people, with information containing names, SSNs, and other protected personal information (PPI).
4. Ascension Healthcare Takes Systems Offline After a Cyberattack
   
   Ascension Healthcare is also under cyberattack, after detecting unusual activity on their network systems. Some systems in the hospitals are currently unavailable as their team works on remediating the attacks. Due to the ongoing situation, more details are currently unavailable.
5. Dell Discloses a Security Breach That Exposed Millions of Customers’ Names and Physical Mailing Addresses
   
   The final breach story this week involves Dell. Dell states their Dell portal has been breached, which contains a database of customer information, including names, physical addresses, and order information. Security Affairs notes that these impact millions of customers. Dell has not shared further information about the breach.
6. Abusing Windows’ Container Isolation Framework to Avoid Detection by Security Products
   
   Researchers have a proof-of-concept showcasing how an attacker can abuse the Windows Container Isolation Framework (wcifs) to bypass EDR. Attackers can use the wcifs to redirect file I/O operations and read/write to the system. These I/O operations will often bypass EDR due to the low-level altitude of these operations. One exception is that this attack involves kernel primitives, which do require administrative privileges. 
7. Researchers Uncover ‘LLMjacking’ Scheme Targeting Cloud-Hosted AI Models
   
   Sysdig researchers have discovered a novel attack that leverages stolen cloud credentials to access LLM models. It seems that attackers are infiltrating cloud providers, and once verifying credentials, they deploy a reverse proxy on the LLM, which allows them to provide access to the compromised accounts. This access can then be sold to other threat actors, giving them access to the LLM. Sysdig stated that this type of attack could cost thousands of dollars in LLM token fees.
8. Google fixes Chrome zero-day with in-the-wild exploit (CVE-2024-4671)
   
   On Thursday, Google released a security update for Chrome, patching CVE-2024-4671, a use-after-free vulnerability. This vulnerability requires a specially crafted HTML page which could allow for arbitrary code execution. It’s highly recommended to update Chrome and ensure automatic updates are applied.
9. New BIG-IP Next Central Manager Bugs Allow Device Takeover
   
   Two new high-severity vulnerabilities were fixed with F5’s BIG-IP Next Central Manager. These vulnerabilities allowed unauthenticated attackers to gain admin privileges and create additional accounts for persistence. The two vulnerabilities allowed for SQL injection (CVE-2024-26026) and OData injection (CVE-2024-21793). Rogue accounts created from this vulnerability are not visible to the Next Central Manager. Shodan currently tracks over 10,000 devices with management ports exposed online; updating these devices is crucial.
10. Malicious Android Apps Pose as Google, Instagram, WhatsApp to Steal Credentials
    
    A new malware campaign is spreading on Android devices. Once a device is infected, it will demand excessive permissions, which allows for data theft as well as the ability to install additional malware. Additionally, it will open phishing pages in the phone’s browser; these pages look identical to popular logins for services such as WhatsApp, Google, Snapchat, and more. These phishing pages are used for credential harvesting, allowing the attacker to steal even more data. The researchers who have reported this vulnerability note that the initial attack vector is currently unclear.