"Recent SolarWinds Serv-U Vulnerability Exploited in the Wild"

Threat actors are using publicly available Proof-of-Concept (PoC) code in their initial attempts to exploit a recently patched SolarWinds Serv-U vulnerability, according to the threat intelligence company GreyNoise. The exploited flaw is a severe directory traversal vulnerability that enables attackers to read sensitive files on the host machine. This article continues to discuss findings regarding threat actors' exploitation of a recent path traversal vulnerability in SolarWinds Serv-U using public PoC code.

Submitted by Gregory Rigby on

"Santander Employee Data Breach Linked to Snowflake Attack"

The US subsidiary of the Spain-based bank Santander is notifying over 12,000 employees that a third-party data breach compromised their personal information. According to the bank, the hackers accessed employee names, Social Security numbers, and bank account information. The incident is believed to be related to a data breach disclosed by the global banking group in mid-May, which was later revealed to be associated with the massive attack on improperly protected Snowflake customer accounts. This article continues to discuss the Santander data breach linked to the Snowflake attack.

Submitted by Gregory Rigby on

"Change Healthcare to Start Notifying Customers Who Had Data Exposed in Cyberattack"

Change Healthcare has just started notifying hospitals, insurers, and other customers that patient information may have been exposed in a massive cyberattack. The company also said it expects to begin notifying individuals or patients in late July. Change Healthcare, a subsidiary of healthcare giant UnitedHealth Group, provides technology used to submit and process billions of insurance claims a year. Hackers gained access to its systems in February and unleashed a ransomware attack that encrypted and froze large parts of them.

Submitted by Adam Ekwall on

2024 Cyber Awareness and Research Symposium (CARS)

"The symposium will provide networking opportunities for industry professionals, academia, students, and the community. Conference attendees will gain an understanding of emerging concepts in artificial intelligence (AI)-driven threat intelligence, data science for cybersecurity, advanced persistent threats (APTs), and open-source intelligence (OSINT)."

"Chemical Facilities Warned of Possible Data Exfiltration Following CISA Breach"

The US Cybersecurity and Infrastructure Security Agency (CISA) recently revealed that its Chemical Security Assessment Tool (CSAT) was breached by a malicious actor and warned chemical facilities that sensitive data may have been exfiltrated. CISA noted that the attackers exploited a zero-day vulnerability in an Ivanti Connect Secure appliance to infiltrate CSAT from January 23 to 26, 2024.

Submitted by Adam Ekwall on

"Linux Version of RansomHub Ransomware Targets VMware ESXi VMs"

The "RansomHub" ransomware operation is using a Linux encryptor designed to encrypt VMware ESXi environments in attacks against organizations. RansomHub, a Ransomware-as-a-Service (RaaS) operation active since February 2024, has claimed over 45 victims in 18 countries and shares code with the "ALPHV/BlackCat" and "Knight" ransomware families. This article continues to discuss findings regarding RansomHub's ESXi encryptor.

Submitted by Gregory Rigby on

"CDK Global Cyberattack Cripples 15,000 US Auto Dealerships"

A cyberattack on CDK Global, a Software-as-a-Service (SaaS) provider for car dealers and auto equipment manufacturers, has temporarily disrupted customer operations. CDK helps about 15,000 car dealerships in North America manage sales, customer relationships, financing, and other operations. Customers use locally installed apps to access the CDK platform. A cloud-based Software-Defined Wide Area Network (SD-WAN) and a Virtual Private Network (VPN) solution make 24/7 access to the platform and CDK data centers possible. This article continues to discuss the CDK Global cyberattack.

Submitted by Gregory Rigby on

"Decade-Long Cyber Assault on Asian Telecoms Traced to Chinese State Hackers"

According to Symantec, telecommunications companies in an Asian country have been targeted with tools linked to Chinese espionage groups. Since 2021, the campaign has targeted telecommunications operators, a university in another country, and others with "Coolclient," "Quickheal," "Rainyday," and other malware. This article continues to discuss findings regarding the years-long espionage campaign that has targeted telecommunications companies in Asia with tools associated with Chinese groups.

Submitted by Gregory Rigby on

"Cyber Threat Intelligence Pros Assess AI Threat Technology Readiness Levels"

Cyber defenders should prepare for cyberattacks enabled by Artificial Intelligence (AI). At the Infosecurity Europe 2024 conference, cyber threat intelligence professionals discussed which AI-powered cyber threats are being actively exploited, which are likely to emerge, and which are still potential threats. Trend Micro VP of threat intelligence Jon Clay said Large Language Model (LLM) tools enable threat actors to write clear phishing emails and deliver them in different languages. Some LLM tools let them embed URLs in messages.

Submitted by Gregory Rigby on