Welcome to the latest edition of Cyber Safe Cyber Threats, a weekly series in which we bring attention to the latest cyber attacks, scams, frauds, and malware, including ransomware, to help you stay safe online.

Here are the most prominent threats which you should be aware of:

‘CitrixBleed’ Linked to Ransomware Hit on China’s State-Owned Bank

A major ransomware attack recently hit ICBC Financial Services, the US arm of the Industrial and Commercial Bank of China (ICBC), the world’s largest bank by assets. Reporting on the incident points to a critical Citrix vulnerability known as “CitrixBleed” (CVE-2023-4966) as the likely entry point.

The flaw affects NetScaler ADC and NetScaler Gateway appliances configured as a Gateway or as an AAA virtual server. It is a memory disclosure bug: an unauthenticated request can make the appliance leak memory contents that include valid session tokens, so an attacker can replay a token and take over an authenticated user’s session without credentials and without triggering multi-factor authentication. Citrix released fixes in October, but exploitation had already begun in late August, when the flaw was still a zero-day, and attacks against unpatched appliances are still increasing.

Security researchers have identified more than 5,000 organisations that have yet to patch, and at least four distinct threat groups are actively exploiting the flaw. The ICBC incident, attributed to the LockBit ransomware group, underscores the real-world consequences of leaving an internet-facing appliance unpatched.

In response to the widespread exploitation, the US Cybersecurity and Infrastructure Security Agency (CISA) issued urgent guidance for organisations to update their Citrix appliances promptly. Upgrading alone is not enough, however: tokens leaked before the patch remain valid until the sessions they belong to are terminated, so Citrix also advises killing all active sessions after upgrading (for example with `kill icaconnection -all` and `kill aaa session -all`) and reviewing logs for sessions that may already have been hijacked.
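The first question for any affected organisation is which appliances are still on a vulnerable build. The following triage script is an added example, not code from the original page or from Citrix: it parses the version string reported by a NetScaler (either the `show version` output, whose format is assumed here to be `NetScaler NS13.1: Build 49.13.nc, ...`, or the short `13.1-49.13` form used in advisories) and compares it with the minimum fixed builds listed in Citrix’s CVE-2023-4966 advisory. The fixed-build table, the hostnames and the version strings in the sample inventory are all constructed or taken from memory of the advisory; verify the table against the current bulletin before relying on it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Minimum fixed builds for CVE-2023-4966 as published in Citrix's advisory
# (CTX579459); assumed correct here, verify against the current bulletin.
# FIPS/NDcPP lines use their own build families, so they are keyed
# separately: a 13.1-37.x FIPS build cannot be compared with 13.1-49.x.
FIXED_BUILDS = {
    ("14.1", "mainline"): (8, 50),
    ("13.1", "mainline"): (49, 15),
    ("13.0", "mainline"): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS/NDcPP"): (55, 300),
}

# Build families that identify the hardened lines; any other build on a
# branch is treated as mainline. Mainline 12.1 and older branches are end
# of life and receive no fix, so they are reported as "unsupported".
HARDENED_LINES = {("13.1", 37): "FIPS", ("12.1", 55): "FIPS/NDcPP"}

# Two assumed input shapes: the appliance's "show version" output, e.g.
# "NetScaler NS13.1: Build 49.13.nc, Date: ...", and the short
# "13.1-49.13" form used in advisories and asset inventories.
SHOW_VERSION_RE = re.compile(
    r"NS(?P<branch>\d+\.\d+):\s*Build\s*(?P<major>\d+)\.(?P<minor>\d+)")
SHORT_FORM_RE = re.compile(
    r"^(?P<branch>\d+\.\d+)-(?P<major>\d+)\.(?P<minor>\d+)")


@dataclass
class Verdict:
    branch: str              # release branch, e.g. "13.1"
    build: str               # build number, e.g. "49.13"
    line: str                # "mainline", "FIPS" or "FIPS/NDcPP"
    status: str              # "patched", "vulnerable" or "unsupported"
    fixed_in: Optional[str]  # first fixed build for this line, if any


def parse_version(text: str):
    """Return (branch, build_major, build_minor) from either input shape."""
    m = SHOW_VERSION_RE.search(text) or SHORT_FORM_RE.search(text.strip())
    if m is None:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m["branch"], int(m["major"]), int(m["minor"])


def assess(text: str) -> Verdict:
    """Classify one version string against the fixed-build table."""
    branch, major, minor = parse_version(text)
    line = HARDENED_LINES.get((branch, major), "mainline")
    fixed = FIXED_BUILDS.get((branch, line))
    build = f"{major}.{minor}"
    if fixed is None:
        return Verdict(branch, build, line, "unsupported", None)
    # Within one line, build numbers order as (major, minor) tuples.
    status = "patched" if (major, minor) >= fixed else "vulnerable"
    return Verdict(branch, build, line, status, f"{branch}-{fixed[0]}.{fixed[1]}")


def triage(inventory: dict) -> dict:
    """Map hostname -> Verdict for an inventory of hostname -> version string."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; the hostnames and builds are not real.
    sample = {
        "gw-syd-01": "NetScaler NS13.1: Build 49.13.nc, Date: Sep 19 2023",
        "gw-mel-01": "NetScaler NS14.1: Build 8.50.nc, Date: Oct 9 2023",
        "gw-fips-01": "13.1-37.164",
        "gw-legacy-01": "12.1-65.39",
    }
    for host, v in triage(sample).items():
        action = ""
        if v.status != "patched":
            action = f" -> upgrade to {v.fixed_in or 'a supported branch'}"
        print(f"{host}: {v.branch}-{v.build} ({v.line}) {v.status}{action}")
```

The script only answers the build-number question. A host that reports “patched” may still have been compromised before the upgrade, because any session token leaked earlier stays usable until that session is killed, so the post-upgrade session termination and log review described above remain necessary regardless of what this check reports.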

Australian Ports Resume Operation After Crippling Cyber Disruption

Over the weekend, four major Australian container terminals operated by DP World, the Dubai-based international shipping and logistics company, were taken offline by a cyber attack. The affected terminals are in Sydney, Melbourne, Brisbane, and Fremantle. The incident drew national attention: Clare O’Neil, Australia’s minister for home affairs and cyber security, underscored its magnitude, noting that DP World handles approximately 40% of the country’s freight.

The details of the attack have yet to be fully disclosed; the company says a critical focus of the ongoing investigation is establishing what data was accessed and whether any was stolen. Some speculation points towards ransomware, but conflicting reports suggest the incident may have involved unauthorised access rather than ransomware. Security researcher Kevin Beaumont has suggested a link to CitrixBleed, the NetScaler vulnerability described above, although this remains unconfirmed.

DP World proactively shut down local systems throughout the weekend to contain the attack. This decision, however, left around 30,000 shipping containers delayed.

Notably, the incident primarily affected landside operations: DP World cranes continued to load and unload ships at Fremantle, and another company operating at the same port reported no disruption.

As of Monday afternoon, the affected ports had resumed normal operation. Nevertheless, Australia’s national cyber security coordinator, Darren Goldie, cautioned on Twitter that resuming operations does not mean the incident is over. Ongoing remediation and lingering supply chain concerns underscore the broader impact of such incidents on critical infrastructure and national logistics.

BlackCat ransomware group says it stole 35TB of sensitive data from Henry Schein’s network

The BlackCat ransomware group has claimed responsibility for a significant cyber attack on Henry Schein, a prominent U.S. healthcare solutions provider, saying it stole 35 terabytes of sensitive data from the company’s network. Henry Schein disclosed the attack in a security incident notice on its website, revealing that it identified the breach on October 14 and that parts of its manufacturing and distribution operations were affected.

In response, the company initiated an investigation with third-party cybersecurity experts to comprehend the incident’s nature and extent. As a precautionary measure, portions of its internal network were taken offline, causing temporary disruptions to some business operations.

Henry Schein has stated that its clients’ practice management software was unaffected. The BlackCat/ALPHV ransomware group, however, listed Henry Schein as a victim on its data leak site and demanded a ransom by November 3, alleging that, despite ongoing discussions, the company had not shown a commitment to prioritising the security of its clients, partners, and employees.

Citing this perceived lack of cooperation, the group announced that it would publish a portion of Henry Schein’s internal payroll data and shareholder folders on its collections blog, and that it would release more data daily, further escalating the pressure on the company.

This incident follows the BlackCat/ALPHV group’s major attack on MGM Resorts International in September, for which it claimed responsibility for taking down 31 MGM property websites and the company’s mobile rewards app. The group boasted about how easily it had compromised MGM, citing a 10-minute phone call to the help desk while impersonating an employee it had identified on LinkedIn, a reminder that help desk identity verification is as much a part of the attack surface as any appliance.

Contact Neuways to help your business become Cyber Safe

If you need any assistance with cyber security, please contact Neuways and we will help you where we can. Just get in touch with our team today.