CISA Issues Advisories on “Royal” Ransomware and Three New Vulnerabilities
CISA recently issued advisories and announcements about a few vulnerabilities and threat actors. The agency regularly releases these advisories to help organizations and businesses protect themselves from cyberattacks. Learn more about the latest advisories.
- CISA published a few recent advisories about threat actors and new vulnerabilities on its website.
- According to the advisory, cyber criminals related to notorious ransomware have rebranded themselves.
- The cybersecurity agency also identified three vulnerabilities: CVE-2024-36971, CVE-2024-32113, and CVE-2024-42493.
The Cybersecurity and Infrastructure Security Agency (CISA) recently published announcements and advisories about threat actors and new vulnerabilities. CISA regularly releases these advisories so that organizations can take preventive and mitigation measures to protect themselves from cyberattacks.
The following are a few key announcements by the FBI and CISA:
Ransomware Actors Rename Themselves
In their updated advisory on August 7, CISA and the FBI jointly notified network defenders that “Royal” ransomware actors rebranded as “BlackSuit.” Royal ransomware was used from approximately September 2022 through June 2023. BlackSuit shares several coding similarities with Royal ransomware and has displayed improved capabilities.
The joint advisory also disseminated the known BlackSuit ransomware indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) identified through the FBI’s threat response activities and third-party reporting. According to the advisory, BlackSuit conducts data exfiltration and extortion before encryption and then publishes victim data if the ransom is not paid. Phishing emails are among the most common vectors for initial access by BlackSuit cyber criminals. After gaining access to the victim’s network, the gang disables antivirus software and exfiltrates large amounts of data before ultimately deploying ransomware and encrypting the systems.
The threat actors’ demands typically range from about $1 million to $10 million, with payments demanded in Bitcoin. The threat actors have demanded over $500 million in total, and the largest single demand was $60 million. That said, BlackSuit actors have been open to negotiating payment amounts. Ransom amounts are not usually stated in the initial ransom notes; instead, they require direct interaction with the threat actor through a .onion URL received after encryption.
Recently, there has been an uptick in the number of occasions on which victims received email and telephone communications from BlackSuit actors regarding the ransom.
Two Vulnerabilities Added To CISA’s Catalog
CISA added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog: CVE-2024-36971, an Android Kernel Remote Code Execution Vulnerability, and CVE-2024-32113, an Apache OFBiz Path Traversal Vulnerability. Vulnerabilities of both kinds are frequent attack vectors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate these vulnerabilities in order to protect FCEB networks against active threats. CISA has also recommended that all organizations reduce their exposure to attacks by prioritizing remediation of Catalog vulnerabilities as part of their vulnerability management efforts.
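One way to act on that recommendation is to join the Catalog against your own asset inventory and rank open findings by distance from the BOD 22-01 due date. The following is an added example, not CISA's code: it uses the real field names of the KEV JSON feed, but `KEV_SAMPLE`, `INVENTORY`, the hostnames and the dates are all constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (real field names;
# the dates are placeholders, not the catalog's actual values).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-36971", "vendorProject": "Android", "product": "Kernel",
         "vulnerabilityName": "Android Kernel Remote Code Execution Vulnerability",
         "dateAdded": "2024-08-07", "dueDate": "2024-08-28"},
        {"cveID": "CVE-2024-32113", "vendorProject": "Apache", "product": "OFBiz",
         "vulnerabilityName": "Apache OFBiz Path Traversal Vulnerability",
         "dateAdded": "2024-08-07", "dueDate": "2024-08-28"},
    ],
})

# Constructed asset inventory: each entry lists the CVEs a scanner reported as
# still unpatched on that host. CVE-0000-0001 is a placeholder id not in the catalog.
INVENTORY = [
    {"host": "erp-01.example.internal", "open_cves": ["CVE-2024-32113", "CVE-0000-0001"]},
    {"host": "kiosk-07.example.internal", "open_cves": ["CVE-2024-36971"]},
    {"host": "web-02.example.internal", "open_cves": ["CVE-0000-0001"]},
]


def load_kev(feed_text):
    """Index the KEV feed by CVE id so each inventory lookup is a dict hit."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def kev_findings(kev, inventory, today_iso):
    """Return (host, cveID, days_overdue) for every open CVE that is in the catalog.
    days_overdue is negative while the due date is still in the future, so sorting
    on it descending puts the most urgent remediation first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for cve in asset["open_cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in the catalog: handled by the normal patch cadence
            due = date.fromisoformat(entry["dueDate"])
            findings.append((asset["host"], cve, (today - due).days))
    return sorted(findings, key=lambda f: -f[2])


if __name__ == "__main__":
    for host, cve, days in kev_findings(load_kev(KEV_SAMPLE), INVENTORY, "2024-09-02"):
        status = f"{days} days overdue" if days > 0 else f"due in {-days} days"
        print(f"{host}: {cve} ({status})")
```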
CISA Releases Industrial Control Systems Advisory
The agency released an Industrial Control Systems Advisory (ICSA), which provides timely information about current security issues, vulnerabilities, and exploits surrounding industrial control systems (ICS). The advisory, ICSA-24-221-01 (Dorsett Controls InfoScan), discusses vulnerabilities whose successful exploitation would allow attackers to expose sensitive information, leading to data theft and credential misuse. The affected products are InfoScan versions 1.32, 1.33, and 1.35. The vulnerability is expected to affect water and wastewater systems.
Dorsett Controls InfoScan leaks potentially sensitive information through response headers and the JavaScript rendered before user login. CVE-2024-42493 has been assigned to this vulnerability.
Mitigation steps
Dorsett Controls recommends users update their InfoScan system to v1.38 or later. To install the new release, admins need to:
- Log in to InfoScan and select “System Prefs” from the menu.
- Once the System Prefs application is open, select Maintenance.
- Click the Install Now button in the Ready To Install section.
- If internet access is not available, download the update from the Dorsett Controls Consumer Portal by selecting the InfoScan Update tile, then follow the installation instructions on the portal.
Takeaway
Businesses and organizations should watch for the advisories issued by CISA. Identifying these vulnerabilities, applying the mitigations recommended by CISA and the product or solution vendor, and following best practices help businesses protect themselves against cyberattacks and vulnerability exploitation.