November 2023 was a busy month for cybersecurity, with many incidents and insights reported by various sources. Here are some of the highlights of what happened in the cyber world in the past month.
Widespread Ransomware Attacks
November 2023 started with a series of ransomware attacks targeting a diverse range of victims from healthcare organizations to educational institutions. Among the notable incidents, the TransForm Shared Service Organisation experienced a significant data breach affecting five Canadian hospitals, with the Daixin Team claiming responsibility.
A massive ransomware attack paralyzed local government services across 70 municipalities in Germany. The attack encrypted servers of the local municipal service provider Südwestfalen IT, demonstrating the increasing risk to public sector infrastructure.
In a turn of events, Dallas County successfully interrupted a data exfiltration attempt during a ransomware attack, preventing file encryption and highlighting the importance of proactive cybersecurity measures.
Boeing confirmed a cyberattack impacting its parts and distribution business. The LockBit ransomware group claimed responsibility for the attack, underscoring the vulnerability of even the largest global corporations. Meanwhile, the American Airlines pilot union faced a ransomware attack, with sensitive information of thousands of pilots and applicants accessed, raising serious privacy concerns.
Toyota Financial Services, a subsidiary of the Toyota Group that provides financial services to customers and dealers, was attacked by Medusa ransomware, a malware group that encrypts data and demands payment for decryption. The operators of Medusa ransomware threatened to leak the data of Toyota Financial Services if the ransom was not paid. The company confirmed that it detected unauthorized access to some of its systems in Europe and Africa, and that it was working to resolve the issue and protect its customers’ data.
Yamaha Motor Co., Ltd. confirmed that one of the servers managed by its motorcycle manufacturing and sales subsidiary in the Philippines, Yamaha Motor Philippines, Inc. (YMPH), was accessed without authorization by a third party and hit by a ransomware attack. According to the information that was disclosed, some employees’ personal information stored by YMPH had been leaked. The news release also states that Yamaha Motor and YMPH have set up a countermeasures team and have been working to prevent further damage, investigate the scope of the impact, and recover the systems with the help of an external internet security company. Yamaha Motor apologized for the inconvenience and worry caused by the incident and reported it to the Philippine authorities.
Major Data Breaches
Marina Bay Sands, a luxury resort and casino in Singapore, has disclosed a data breach that affected 665,000 customers who visited the property between January 2014 and March 2020. The breach exposed personal information such as names, contact details, loyalty program numbers, and government-issued identification numbers. The resort said it had notified the affected customers and offered them free identity theft protection services. It also said it had enhanced its security measures and was cooperating with the authorities to investigate the incident.
McLaren Health Care, a Michigan-based health system, has announced a data breach that impacted 2.2 million people who received medical services at its facilities between February 2019 and October 2020. The breach occurred when an unauthorized party gained access to a third-party vendor’s systems that stored McLaren’s patient data. The data included names, dates of birth, medical record numbers, insurance information, and limited treatment information. McLaren said it had notified the affected individuals and offered them free credit monitoring and identity protection services. It also said it had terminated its relationship with the vendor and was working with law enforcement to investigate the incident.
Samsung Electronics has notified some of its UK customers of a data breach that exposed their personal information to an unauthorized individual. The breach occurred between July 1, 2019, and June 30, 2020, and affected customers who made purchases from the Samsung UK online store. The data included names, contact details, dates of birth, and product registration data. Samsung said it had fixed the issue, notified the authorities, and offered free identity theft protection services to the affected customers.
Vulnerabilities and Patches
Four zero-day vulnerabilities (ZDI-23-1578 to ZDI-23-1581) were identified in Microsoft Exchange, enabling attackers to execute arbitrary code or steal sensitive information remotely on vulnerable Exchange servers. These vulnerabilities underscore the ongoing risks in widely used communication platforms and the necessity of immediate updates.
CISA warned federal agencies to secure Juniper devices against four vulnerabilities (CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847) that are being exploited by hackers to launch remote code execution attacks. The vulnerabilities affect the Junos OS web server, which runs on various Juniper products, such as routers, switches, and firewalls. The advisory underscored the need for heightened security in network infrastructure, as the hackers can send malicious requests or headers to the web server and execute arbitrary commands on the unprotected device without needing any authentication.
In another advisory, CISA highlighted three vulnerabilities (CVE-2023-36033, CVE-2023-36025, and CVE-2023-36036) disclosed by Microsoft during its Patch Tuesday updates. They affect Microsoft Exchange Server, Microsoft Office, and Microsoft Windows and their inclusion in CISA’s vulnerability list reflected the significance of these bugs and the need for rapid patching.
November also marked the addition of three actively exploited vulnerabilities (CVE-2023-36584, CVE-2023-1671, CVE-2020-2551) to CISA’s KEV catalog. The flaws affect Microsoft devices, a Sophos product, and an Oracle solution, underlining the ongoing threat landscape in these software and hardware products.
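The practical value of the KEV catalog is prioritization: a CVE that is on the list is known to be exploited and carries a remediation due date, so it should jump the patch queue. The following is an added example, not code from the original article or from CISA, showing how a defender can cross-check scanner output against a KEV feed. The feed excerpt is constructed to mirror the field names of CISA's public JSON feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction); only the three CVE IDs come from the article, the vendors follow its wording, and every product name, date and hostname is a placeholder made up for this example.

```python
import json
from datetime import date
from typing import Dict, List

# Constructed excerpt modelled on the field names of CISA's KEV JSON feed.
# Only the CVE IDs are real (taken from the article); products and dates are
# placeholders for illustration, not the catalog's actual values.
KEV_FEED_JSON = """
{
  "title": "Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {"cveID": "CVE-2023-36584", "vendorProject": "Microsoft", "product": "PLACEHOLDER-PRODUCT",
     "dateAdded": "2023-11-01", "dueDate": "2023-11-22", "requiredAction": "Apply vendor updates."},
    {"cveID": "CVE-2023-1671", "vendorProject": "Sophos", "product": "PLACEHOLDER-PRODUCT",
     "dateAdded": "2023-11-01", "dueDate": "2023-11-22", "requiredAction": "Apply vendor updates."},
    {"cveID": "CVE-2020-2551", "vendorProject": "Oracle", "product": "PLACEHOLDER-PRODUCT",
     "dateAdded": "2023-11-01", "dueDate": "2023-11-22", "requiredAction": "Apply vendor updates."}
  ]
}
"""

# Constructed vulnerability-scanner output: hostname -> CVEs still open on that host.
# CVE-2023-99999 is a made-up identifier standing in for any non-KEV finding.
INVENTORY: Dict[str, List[str]] = {
    "ws-finance-07": ["CVE-2023-36584", "CVE-2023-99999"],
    "proxy-edge-01": ["CVE-2023-1671"],
    "app-legacy-03": ["CVE-2020-2551", "CVE-2023-36584"],
    "db-core-02": ["CVE-2023-99999"],
}


def load_kev(feed_json: str) -> Dict[str, dict]:
    """Index the KEV feed by CVE ID so each lookup is a dictionary hit."""
    feed = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def kev_exposure(kev: Dict[str, dict], inventory: Dict[str, List[str]],
                 today: date) -> List[dict]:
    """Return one finding per (host, KEV-listed CVE), most urgent first.

    Open CVEs that are not in the catalog are skipped: they still need patching,
    but they do not carry the known-exploited signal or a CISA due date.
    """
    findings = []
    for host, open_cves in inventory.items():
        for cve in open_cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": host,
                "cve": cve,
                "vendor": entry["vendorProject"],
                "due": entry["dueDate"],
                "overdue": today > due,
                "action": entry["requiredAction"],
            })
    # Overdue items first, then earliest due date, then hostname for a stable report.
    findings.sort(key=lambda f: (not f["overdue"], f["due"], f["host"]))
    return findings


def main() -> None:
    kev = load_kev(KEV_FEED_JSON)
    for f in kev_exposure(kev, INVENTORY, date(2023, 11, 30)):
        flag = "OVERDUE" if f["overdue"] else "due " + f["due"]
        print(f"{f['host']:<14} {f['cve']:<15} {f['vendor']:<10} {flag}: {f['action']}")


if __name__ == "__main__":
    main()
```

In practice the feed would be fetched from CISA and the inventory would come from the scanner's export, but the matching logic is the same: anything that lands in the report is exploited in the wild and has a deadline, which is exactly the list to patch first.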
Microsoft also addressed a critical vulnerability tracked as CVE-2023-36052, this time in Azure CLI, a tool that allows users to manage Azure resources from the command line. The vulnerability, which was discovered by a security researcher from Palo Alto Networks, could expose the credentials of users who run Azure CLI commands in GitHub Actions or Azure DevOps pipelines. Microsoft has fixed the vulnerability and advised users to update their Azure CLI version to 2.31.0 or later, and to revoke and regenerate any compromised credentials.
This is how the cybersecurity landscape looked in November 2023 through our lenses. It was a month with a dynamic and evolving set of security challenges that highlighted the importance of robust security practices: in times when cyber threats continue to advance, the best defense is an informed and proactive approach.