Monthly Briefing: Breaches Due To Unpatched Vulnerabilities

Image cover for blog post.

Sep 30, 2024

Profile image of ENTRYZERO

ENTRYZERO

32% of ransomware attacks start with an unpatched vulnerability, and these have the greatest business impact. In our weekly top 5 hacker-relevant vulnerabilities, we have been reporting on vulnerabilities, which are pertinent to threat actors. In this ongoing series, we will provide monthly recaps on selected security breaches associated with the reported vulnerabilities.

September 2024

  • Breach Victim: Deloitte

  • Victim Whois: Deloitte is one of the world’s largest professional services firms, providing consulting, audit, tax, and advisory services to businesses and governments globally. It operates across various industries, helping clients address challenges in areas like technology, strategy, and operations. In 2023, Deloitte generated approximately $64.9 billion in global revenue

  • Breach Date: Q3 2024

  • Impact: The threat actor claims to have compromised sensitive information such as email addresses, internal settings, and communications between intranet users

  • Attack Entry Point: An exposed Apache Solr to the Internet with default configurations leading to unauthorized access up to remote code execution

  • Threat Relevant Vulnerabilities: Selected vulnerabilities affecting Apache Solr: Default credentials, CVE-2021–44228, CVE-2019-17558, CVE-2019-12409

August 2024

  • Breach Victim: City of Helsinki

  • Affected Unit: Education division

  • Breach Date: Q2 2024

  • Official Statement About Root Cause: “A hotfix patch has been available to eliminate this vulnerability, but it is not currently known why this hotfix was not installed on the server”, says the City of Helsinki’s Chief Digital Officer Hannu Heikkinen

  • Attack Entry Point: Unpatched vulnerability in a remote access server. Details regarding the specific product and vulnerability have not been made public

  • Threat Relevant Vulnerabilities: Selected vulnerabilities affecting remote access products like VPNs and OpenSSH: CVE-2024-21887, CVE-2024-6387, CVE-2024-21888, CVE-2024-24919, CVE-2023-27997

July 2024

  • Breach Victim: U.S. Cyber Defense Agency

  • Affected Unit: CISA, the Cybersecurity and Infrastructure Security Agency, which is a component of the United States Department of Homeland Security responsible for cybersecurity and infrastructure protection across all levels of government, coordinating cybersecurity programs with U.S. states, and improving the government’s cybersecurity protections against private and nation-state hackers

  • Breach Date: Q1 2024

  • Impact: Access to critical information about the interdependency of U.S. infrastructure, and the chemical security assessment tool, which houses private sector chemical security plans

  • Vulnerability: Ivanti Connect Secure and Policy Secure Gateway | Authentication Bypass and Command Injection Vulnerabilities Leading to Remote Code Execution, Unauthenticated Remote Attack | CVE-2023-46805, CVE-2024-21887, CVE-2024-21893

June 2024

  • Breach Victim: United Health Group

  • Affected Business Unit: United Health Group’s subsidiary Optum. United Health Group is a health insurance company with a presence across all 50 U.S. states. The organization is the world’s largest healthcare company by revenue. United Health Group formed Optum by merging its existing pharmacy and care delivery services into the single Optum brand. In 2017, Optum accounted for 44 percent of UnitedHealth Group’s profits and as of 2019, Optum’s revenues have surpassed 100 billion $

  • Breach Date: Q1 2024

  • Impact: Service outage (a.o. in billing) affecting payment processing, care coordination, and data analytics systems in U.S. hospitals, clinics, and pharmacies

  • Vulnerability: ConnectWise ScreenConnect | Path Traversal and Authentication Bypass Vulnerabilities Leading to Remote Code Execution, Unauthenticated Remote Attack | CVE-2024-1708 & CVE-2024-1709

May 2024

  • Breach Victim: Schneider Electric

  • Affected Business Unit: Schneider Electric’s sustainability division. The latter provides software and consulting services to enterprises and serves a broad swath of organizations in more than 100 countries, including 30% of the Fortune 500, as of 2021

  • Breach Date: Q1 2024

  • Impact: Data breach involving terabytes of data and ransom demand

  • Vulnerability: Fortinet VPN | Fortinet FortiOS Heap-Based Buffer Overflow, Authentication Bypass, and Path Traversal Vulnerabilties | CVE-2023-2799 & CVE-2022-41328 & CVE-2022-42475 & CVE-2022-40684, Qlik Sense Enterprise | Improper Validation of HTTP Request Handler in Qlik Sense Enterprise on Windows Leading to Arbitrary Code Execution, Unauthenticated Remote Attack | CVE-2023-41265 & CVE-2023-41266 & CVE-2023-48365

All Rights Reserved by ENTRYZERO GmbH

Website by Sanico Software

IMPRINT: ENTRYZERO GmbH, Grabenstraße 38, 44787 Bochum, Registered Office: Bochum, Registration Court: Local Court Bochum, Registration number: HRB 21709, VAT ID: DE369315057, Managing Directors: Dr. Mohamad Sbeiti, Samet Gökbayrak, Tel.: +49 151 56561989, Email: info@entryzero.ai

PRIVACY POLICY: This website does not collect any personal data. We do not use cookies, trackers, forms or similar technologies. However, by visiting our website you agree that for every site request the following non-personal information is stored on the webserver for statistical, intrusion detection/prevention and troubleshooting purposes: requested address (URL), request date and time, client IP address, user-agent and referer. No information is given to or shared with third parties