Monatliches Briefing: Sicherheitsvorfälle durch ungepatchte Schwachstellen
30.09.2024
ENTRYZERO
32% der Sicherheitsvorfälle durch Ransomware-Angriffe starten mit ungepatchten Schwachstellen , die zu geschäftskritischen Folgen führen. In unserem wöchentlichen Briefing zu den fünf relevantesten Schwachstellen für Hacker haben wir über Schwachstellen berichtet, die für Bedrohungsakteure von Bedeutung sind. In dieser fortlaufenden Serie werden wir monatliche Rückblicke auf ausgewählte Sicherheitsvorfälle geben, die mit den gemeldeten Schwachstellen in Zusammenhang stehen.
September 2024
Zusammenfassung: Deloitte, eines der weltweit größten Beratungsunternehmen, wurde im dritten Quartal 2024 durch eine ungeschützte und öffentlich zugängliche Apache Solr-Instanz gehackt, wodurch Angreifer sensible Informationen wie E-Mail-Adressen, interne Einstellungen und Intranet-Kommunikation erlangten. Die Schwachstellen resultierten aus ungepatchten Sicherheitslücken sowie Fehlkonfigurationen, wie der Verwendung von Standard-Anmeldeinformationen
Breach Victim: Deloitte
Victim Whois: Deloitte is one of the world’s largest professional services firms, providing consulting, audit, tax, and advisory services to businesses and governments globally. It operates across various industries, helping clients address challenges in areas like technology, strategy, and operations. In 2023, Deloitte generated approximately $64.9 billion in global revenue
Breach Date: Q3 2024
Impact: The threat actor claims to have compromised sensitive information such as email addresses, internal settings, and communications between intranet users
Attack Entry Point: An exposed Apache Solr to the Internet with default configurations leading to unauthorized access up to remote code execution
Threat Relevant Vulnerabilities: Selected vulnerabilities affecting Apache Solr: Default credentials, CVE-2021–44228, CVE-2019-17558, CVE-2019-12409
August 2024
Zusammenfassung: Die Abteilung für Bildung der Stadt Helsinki wurde im zweiten Quartal 2024 Ziel eines Cyber-Angriffs. Die Hacker missbrauchten eine nicht gepatchte Sicherheitslücke eines Remote Access Servers als Angriffspunkt in die Systeme. Nach einer offiziellen Stellungnahme von Hannu Heikkinen, Chief Digital Officer der Stadt, heißt es: „Ein HotfixPatch war verfügbar, um diese Sicherheitslücke zu schließen, jedoch ist es derzeit nicht bekannt, warum dieser Hotfix nicht auf dem Server installiert wurde.“
Breach Victim: City of Helsinki
Affected Unit: Education division
Breach Date: Q2 2024
Official Statement About Root Cause: “A hotfix patch has been available to eliminate this vulnerability, but it is not currently known why this hotfix was not installed on the server”, says the City of Helsinki’s Chief Digital Officer Hannu Heikkinen
Attack Entry Point: Unpatched vulnerability in a remote access server. Details regarding the specific product and vulnerability have not been made public
Threat Relevant Vulnerabilities: Selected vulnerabilities affecting remote access products like VPNs and OpenSSH: CVE-2024-21887, CVE-2024-6387, CVE-2024-21888, CVE-2024-24919, CVE-2023-27997
July 2024
Breach Victim: U.S. Cyber Defense Agency
Affected Unit: CISA, the Cybersecurity and Infrastructure Security Agency, which is a component of the United States Department of Homeland Security responsible for cybersecurity and infrastructure protection across all levels of government, coordinating cybersecurity programs with U.S. states, and improving the government’s cybersecurity protections against private and nation-state hackers
Breach Date: Q1 2024
Impact: Access to critical information about the interdependency of U.S. infrastructure, and the chemical security assessment tool, which houses private sector chemical security plans
Vulnerability: Ivanti Connect Secure and Policy Secure Gateway | Authentication Bypass and Command Injection Vulnerabilities Leading to Remote Code Execution, Unauthenticated Remote Attack | CVE-2023-46805, CVE-2024-21887, CVE-2024-21893
June 2024
Breach Victim: United Health Group
Affected Business Unit: United Health Group’s subsidiary Optum. United Health Group is a health insurance company with a presence across all 50 U.S. states. The organization is the world’s largest healthcare company by revenue. United Health Group formed Optum by merging its existing pharmacy and care delivery services into the single Optum brand. In 2017, Optum accounted for 44 percent of UnitedHealth Group’s profits and as of 2019, Optum’s revenues have surpassed 100 billion $
Breach Date: Q1 2024
Impact: Service outage (a.o. in billing) affecting payment processing, care coordination, and data analytics systems in U.S. hospitals, clinics, and pharmacies
Vulnerability: ConnectWise ScreenConnect | Path Traversal and Authentication Bypass Vulnerabilities Leading to Remote Code Execution, Unauthenticated Remote Attack | CVE-2024-1708 & CVE-2024-1709
May 2024
Breach Victim: Schneider Electric
Affected Business Unit: Schneider Electric’s sustainability division. The latter provides software and consulting services to enterprises and serves a broad swath of organizations in more than 100 countries, including 30% of the Fortune 500, as of 2021
Breach Date: Q1 2024
Impact: Data breach involving terabytes of data and ransom demand
Vulnerability: Fortinet VPN | Fortinet FortiOS Heap-Based Buffer Overflow, Authentication Bypass, and Path Traversal Vulnerabilties | CVE-2023-2799 & CVE-2022-41328 & CVE-2022-42475 & CVE-2022-40684, Qlik Sense Enterprise | Improper Validation of HTTP Request Handler in Qlik Sense Enterprise on Windows Leading to Arbitrary Code Execution, Unauthenticated Remote Attack | CVE-2023-41265 & CVE-2023-41266 & CVE-2023-48365