Full Report
For the latest discoveries in cyber research for the week of 2nd December, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

Supply chain software provider Blue Yonder was hit by a ransomware attack, disrupting services for clients like Starbucks and UK grocery chains Morrisons and Sainsbury’s. The incident affected operations such as employee […]

The post 2nd December – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
# Incident Report: Weekly Threat Landscape Summary (Week of December 2nd)
## Executive Summary
This summary details multiple significant security incidents reported during the week of December 2nd, primarily featuring ransomware attacks targeting critical infrastructure, supply chain providers, and public services, resulting in operational disruptions and data compromises. Additionally, advanced persistent threat (APT) groups were observed exploiting zero-day vulnerabilities and leveraging novel malware delivery mechanisms across various global targets.
## Incident Details
- Discovery Date: Throughout the week of December 2nd (Specifics vary per incident below)
- Incident Date: Varies (September for Great Plains; others concurrent with reporting)
- Affected Organization: Blue Yonder, Uganda Central Bank, City of Hoboken (NJ), Wirral University Teaching Hospital (UK), Great Plains Regional Medical Center (OK), IGT, Bologna FC
- Sector: Software Supply Chain, Financial Services, Municipal Government, Healthcare, Gaming Technology
- Geography: Global (US, UK, Italy, Uganda)
## Timeline of Events
*Note: Specific timestamps are not available; progression is based on reported impact.*
### Initial Access
- **Blue Yonder:** Ransomware attack on the supply chain software provider. The initial access vector was not reported; the compromise cascaded into service disruption for downstream clients.
- **Uganda Central Bank:** Unauthorized transfer of $16.8 million, reportedly carried out by an external group ("Waste"), possibly with internal collusion.
- **Hoboken, NJ:** Ransomware attack forcing temporary closure of City Hall.
- **Bologna FC:** Ransomware attack claimed by RansomHub leading to data theft.
### Lateral Movement
- Lateral movement details are not reported for most of the ransomware attacks, but the breadth of client impact (Blue Yonder) suggests successful traversal of the provider's internal network.
- **Salt Typhoon (APT):** Uses legitimate tools for lateral movement after gaining initial access via web vulnerabilities.
- **RomCom (APT):** Chained zero-day exploits to achieve Remote Code Execution (RCE) without user interaction, allowing deployment of the RomCom backdoor.
### Data Exfiltration/Impact
- **Blue Yonder:** Disruption of client services (e.g., scheduling, payroll).
- **Uganda Central Bank:** Theft of approximately $16.8 million, partially recovered.
- **Great Plains Regional Medical Center:** Compromise of personal and medical information for over 130,000 individuals, including Social Security numbers.
- **Bologna FC:** Theft of sponsorship contracts, personal information of players/staff, confidential medical data threatened for publication.
- **Wirral University Teaching Hospital:** IT system outages, forcing manual processes and delaying patient services.
### Detection & Response
- **Great Plains:** Incident discovered in September, investigation initiated with cybersecurity experts, patient notification underway.
- **IGT:** Detected the cyberattack and proactively took certain systems offline to protect the network.
- **General Response:** Affected organizations engaged cybersecurity firms to investigate, recover systems, and notify clients/authorities. Over half of the stolen funds were recovered in the Uganda incident.
## Attack Methodology
| Category | Method(s) Observed |
| :--- | :--- |
| **Initial Access** | Ransomware deployment (various groups), Exploitation of ProjectSend CVE-2024-11680 (Unauthenticated RCE/Webshell upload), Exploitation of Web Vulnerabilities (Salt Typhoon), Chaining of Firefox (CVE-2024-9680) and Windows (CVE-2024-49039) zero-days (RomCom). |
| **Persistence** | Deployment of the modular GhostSpider backdoor (Salt Typhoon), Deployment of the RomCom backdoor. |
| **Privilege Escalation** | Exploitation of ProjectSend flaw to create accounts, Exploitation of Widget Options Plugin (CVE-2024-8672, affecting contributors) to execute arbitrary code. |
| **Defense Evasion** | Use of Godot Engine (GodLoader) to deliver malware across multiple OS platforms while evading most AV solutions; Use of legitimate tools for lateral movement (Salt Typhoon). |
| **Credential Access** | Not explicitly detailed, but implied necessary for ransomware spread and central bank theft. |
| **Discovery** | Not explicitly detailed, but implied by APT activity stages (Salt Typhoon). |
| **Lateral Movement** | Use of legitimate tools (Salt Typhoon); Inherent spread of ransomware post-initial compromise. |
| **Collection** | Theft of sensitive data (financial records, patient PII/PHI, contract details). |
| **Exfiltration** | Data theft linked to RansomHub operation; Fund transfers involving accounts in Japan (Uganda incident). |
| **Impact** | Denial of Service via encryption (Ransomware), Data exposure/extortion, Financial loss ($16.8M). |
## Impact Assessment
- **Financial:** $16.8 million misappropriated from Uganda's Central Bank; significant recovery costs for Blue Yonder clients and other victims.
- **Data Breach:** Data on over 130,000 individuals compromised at Great Plains (SSNs, medical info); Sponsorship details, player/staff personal info leaked at Bologna FC.
- **Operational:** Major disruptions for Blue Yonder clients (scheduling, payroll); Temporary shutdown of Hoboken City Hall; IT outages and postponed procedures at Wirral Hospital.
- **Reputational:** Negative impact on public trust for government/healthcare entities and major software vendors.
## Indicators of Compromise
- **Network indicators:** None provided in the report.
- **File indicators:** GodLoader malware (malicious GDScript executed by the Godot Engine), GhostSpider backdoor, RomCom backdoor.
- **Behavioral indicators:** Active exploitation of ProjectSend (CVE-2024-11680), Unauthenticated configuration modification in ProjectSend applications, Chaining of Firefox/Windows zero-days for RCE.
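As an added, defender-side illustration of the ProjectSend behavioural indicators listed above (example code, not part of the Check Point bulletin), the following Python flags two patterns in web server access logs: a settings change (POST to the options page) from a client that never completed a login, and execution of a PHP file served from the upload directory. The ProjectSend endpoint names and the log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines for a hypothetical ProjectSend install.
# Endpoint names (options.php, index.php login, upload/files/) are assumptions used to
# illustrate the heuristic, not indicators quoted from the bulletin.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Dec/2024:10:01:02 +0000] "GET /ps/index.php HTTP/1.1" 200 512
203.0.113.7 - - [02/Dec/2024:10:01:05 +0000] "POST /ps/options.php HTTP/1.1" 200 301
203.0.113.7 - - [02/Dec/2024:10:02:19 +0000] "GET /ps/upload/files/cmd.php?x=1 HTTP/1.1" 200 64
198.51.100.4 - - [02/Dec/2024:10:05:00 +0000] "POST /ps/index.php HTTP/1.1" 302 0
198.51.100.4 - - [02/Dec/2024:10:05:30 +0000] "POST /ps/options.php HTTP/1.1" 200 301
198.51.100.4 - - [02/Dec/2024:10:06:00 +0000] "GET /ps/upload/files/report.pdf HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path.split("?")[0], "status": int(status)}

def detect(log_text):
    """Return {client_ip: [(finding, timestamp, path), ...]}.
    Heuristic 1: POST to options.php answered 200 by a client with no earlier successful
    login (POST to index.php -> 302): the unauthenticated settings change behind CVE-2024-11680.
    Heuristic 2: GET of a .php file under upload/files/ answered 200: an uploaded file run as code."""
    logged_in = set()
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        if ev["method"] == "POST" and ev["path"].endswith("/index.php") and ev["status"] == 302:
            logged_in.add(ev["ip"])
        elif ev["method"] == "POST" and ev["path"].endswith("/options.php") and ev["status"] == 200:
            if ev["ip"] not in logged_in:
                findings[ev["ip"]].append(("unauth_config_change", ev["ts"], ev["path"]))
        elif (ev["method"] == "GET" and "/upload/files/" in ev["path"]
              and ev["path"].endswith(".php") and ev["status"] == 200):
            findings[ev["ip"]].append(("webshell_exec", ev["ts"], ev["path"]))
    return dict(findings)

if __name__ == "__main__":
    for ip, hits in detect(SAMPLE_LOG).items():
        print(ip, hits)
```

On the constructed sample, only the first client is reported: its options change precedes any login and is followed by a PHP file being fetched from the upload directory, while the second client's options change follows a successful login.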
## Response Actions
- **Containment:** IGT took certain systems offline proactively; Hoboken closed City Hall; Systems secured at Great Plains Regional Medical Center.
- **Eradication:** Cooperation with cybersecurity firms commenced at multiple locations (IGT, Hoboken, Blue Yonder).
- **Recovery:** Collaboration with cybersecurity experts ongoing to restore systems (Hoboken, Wirral); Over half of stolen funds recovered (Uganda).
## Lessons Learned
- **Unpatched Vulnerability Risk:** Widespread exploitation of ProjectSend (CVE-2024-11680) highlights that patches available for a year are often ignored, leaving 99% of instances vulnerable.
- **Supply Chain Exposure:** Attacks on providers like Blue Yonder immediately cascade risk across numerous downstream clients (Starbucks, Grocery Chains).
- **Sophistication of APTs:** Groups like RomCom are chaining zero-days (Firefox/Windows) to achieve RCE without user interaction, representing a high-end threat capability.
- **Internal Complicity:** Reports suggesting insider involvement in financial theft at the Central Bank highlight the need for stringent internal access controls.
## Recommendations
- **Vulnerability Management:** Implement aggressive patching schedules, especially for known critical vulnerabilities (e.g., ProjectSend CVE-2024-11680).
- **Application Security:** Audit deployed open-source software (such as ProjectSend or Godot Engine based applications) for unpatched versions and insecure configurations.
- **Defense in Depth:** Enhance endpoint protection capable of detecting malware delivered via less conventional means, such as gaming engine scripting (GodLoader technique).
- **Access Control:** Review and enforce Principle of Least Privilege, particularly concerning external-facing services and financial systems, to mitigate risks associated with potential insider collaboration.