Cyber Security in May 2024
Another month in the world of cyber security! Discover the latest breaches, vulnerabilities, and industry news from May 2024.
Another month in the world of cyber security! This month, we saw the UK armed forces hit by a data breach affecting UK military personnel records, children’s mental health data published in an NHS cyber attack, new vulnerabilities found in Fluent Bit, a GitCaught malware campaign, plus much more.
Keep reading as we dive in!
UK armed forces involved in data breach
On the 6th of May, it was revealed that an unknown number of UK military personnel's personal information had been accessed in a significant data breach.
Hackers are thought to have targeted the Ministry of Defence's payroll system, although it isn’t yet clear who was behind the attack. The personal details accessed include names, bank details, and personal addresses. The data breach affected current and former members of the Royal Navy, Army, and Royal Air Force over several years. From what we know so far, the system was managed by an external contractor.
The Ministry of Defence took immediate action, with their system taken offline while investigations were conducted. Since the breach, all affected individuals have been notified and offered support.
Children’s health records published following cyber attack
This month, NHS Dumfries and Galloway confirmed a cyber attack earlier this year, which has since led to the publishing of children’s mental health data on the dark web.
The ransomware group also leaked data belonging to other patients and staff and is said to have affected thousands across Dumfries and Galloway, although the total number is unknown.
Julie White, the health board’s chief executive, described the data release as an "utterly abhorrent criminal act". She added, "At this point in time we are unable to give an exact figure. However, we are fairly confident that the hackers were unable to access entire patient medical records."
Since the data was leaked, NHS Dumfries and Galloway has begun working with other national agencies, including the Scottish government, police and National Cyber Security Centre, to assess what has been published.
Critical vulnerability in Fluent Bit logging utility exposes systems to DoS and RCE attacks
Cyber security researchers have uncovered a critical security flaw in Fluent Bit, the popular logging and metrics utility. This flaw can be exploited to cause denial-of-service (DoS), information disclosure, or remote code execution (RCE). The vulnerability, designated as CVE-2024-4323 and dubbed Linguistic Lumberjack by Tenable Research, affects versions 2.0.7 through 3.0.3. A fix has been issued in version 3.0.4.
The flaw stems from memory corruption within Fluent Bit's built-in HTTP server, which can be triggered by sending maliciously crafted requests to the monitoring API, particularly through endpoints like /api/v1/traces and /api/v1/trace. Even if no traces are configured, any user with API access can exploit this vulnerability.
Security researcher, Jimi Sebree, noted the issue arises from improper validation of input data types during request parsing at the /api/v1/traces endpoint. The server incorrectly assumes that all input names are strings (MSGPACK_OBJECT_STR). An attacker can exploit this by passing non-string values, leading to memory corruption.
Tenable confirmed that exploiting this flaw can reliably crash the service, causing a DoS condition. Achieving remote code execution is more complex and depends on factors such as host architecture and operating system.
To mitigate these security threats, users are advised to update Fluent Bit to the latest version. The urgency is underscored by the availability of a proof-of-concept (PoC) exploit for this vulnerability.
GitCaught campaign exploits GitHub and FileZilla to spread stealer malware and trojans
A sophisticated cyber campaign, dubbed GitCaught, has been exploiting legitimate services like GitHub and FileZilla to distribute various stealer malware and banking trojans, including Atomic (AMOS), Vidar, Lumma (LummaC2), and Octo. To trick users, the campaign impersonates reputable software such as 1Password, Bartender 5, and Pixelmator Pro.
The campaign involves creating fake profiles and repositories on GitHub to host counterfeit software versions. These malicious files are then distributed via domains linked through malvertising and SEO poisoning campaigns, targeting Android, macOS, and Windows devices.
The threat actors, believed to be Russian-speaking individuals from the Commonwealth of Independent States (CIS), also utilise FileZilla servers for malware management and delivery. Analysis of disk image files on GitHub revealed connections to a larger campaign delivering malware like RedLine, Lumma, Raccoon, Vidar, Rhadamanthys, DanaBot, and DarkComet RAT since at least August 2023.
The campaign also coincides with Microsoft's findings on the macOS backdoor Activator, which targets users by impersonating cracked software versions. This backdoor steals data from Exodus and Bitcoin-Qt wallet applications, prompts users for elevated privileges, disables macOS Gatekeeper and Notification Center, and runs multiple stages of malicious Python scripts for persistence.
$100 million dark web empire dismantled
Rui-Siang Lin, the alleged mastermind behind the notorious Incognito Market, has been apprehended. Lin’s dark web marketplace facilitated over $100 million in illegal transactions, predominantly involving illicit and counterfeit prescription drugs.
This successful capture was the result of a comprehensive global operation involving multiple agencies, including the DEA, NYPD, FDA-OCI, and HSI. FBI Assistant Director in Charge James Smith highlighted the scale of Lin’s enterprise, noting that for nearly four years, Incognito Market was one of the largest online platforms for narcotics sales.
Incognito Market, operational from October 2020 until its shutdown in March 2024, was accessible via the Tor web browser. The platform mimicked legitimate online stores with professional logos, advertisements, and customer service, facilitating the anonymous sale of illegal drugs like cocaine, heroin, LSD, MDMA, and methamphetamines.
Lin, known by the alias “Pharoah,” faces multiple charges, including running a continuing criminal enterprise, drug conspiracy, money laundering, and conspiracy to sell counterfeit or adulterated medicine.
The case is being prosecuted by the Complex Frauds and Cybercrime Unit of the Office, with Assistant U.S. Attorneys Ryan B. Finkel and Nicholas Chiuchiolo leading the charge. The Organized Crime Drug Enforcement Task Forces (OCDETF) initiative continues to target and disrupt major criminal organisations threatening the United States.
FBI seizes BreachForums, major cyber crime hub
Also, this month, we saw the FBI, along with international law enforcement agencies, seize the notorious cyber crime forum BreachForums. This English-language forum has long been a hub for hackers and cyber criminals to trade stolen data. Recent advertisements included Dell customers' personal information and data stolen from a Europol portal.
Despite previous takedowns, BreachForums proved resilient. Authorities seized an earlier version of the site last year following the arrest of its administrator, Conor Brian Fitzpatrick (aka pompompurin). The site was later revived by an individual known as Baphomet, operating under three different domains over the past year.
This time, authorities also seized the forum's official Telegram channel and Baphomet's personal channel, displaying an FBI message announcing the seizure and reviewing the site's backend data. The message encouraged individuals to report cyber criminal activity to a dedicated FBI website.
The forum, run by an administrator called ShinyHunters from June 2023 to May 2024, facilitated the illegal trade of stolen access devices, identification means, hacking tools, and breached databases. Baphomet's fate remains unclear, though it is speculated that the FBI may have arrested him to gain control of the Telegram channels. Telegram has stated that it did not cooperate with law enforcement in this takedown.
Check back again next month for our monthly roundup of cyber security news!