Cyber Risk Update 15 DEC 2023
This is a selection of this week's events. For more news and advisories, check out the CIKR Cyber Sentinels Discord server, which is focused on cybersecurity collaboration with critical infrastructure stakeholders (TLP:CLEAR only). Invite: https://discord.gg/PGz3NDKb5V
Incidents
Kentucky Health System Says May Data Breach Was Due to Ransomware https://www.bleepingcomputer.com/news/security/norton-healthcare-discloses-data-breach-after-may-ransomware-attack/
Ledger has reported that hackers compromised the code for the Ledger Connect software development kit, which decentralized apps use to interface with Ledger wallets, and pushed out a malicious version of the kit. Ledger released an update of the Connect Kit to replace the malicious one within 40 minutes of becoming aware. The attackers have amassed $600,000 in stolen funds. https://techcrunch.com/2023/12/14/supply-chain-attack-targeting-ledger-crypto-wallet-leaves-users-hacked/
Ransomware gang behind threats to Fred Hutch cancer patients https://www.bleepingcomputer.com/news/security/ransomware-gang-behind-threats-to-fred-hutch-cancer-patients/
Kraft Heinz investigates hack claims, says systems ‘operating normally’ https://www.bleepingcomputer.com/news/security/kraft-heinz-investigates-hack-claims-says-systems-operating-normally/
Delta Dental says data breach exposed info of 7 million people https://www.bleepingcomputer.com/news/security/delta-dental-of-california-data-breach-exposed-info-of-7-million-people/
UK’s Newsquest media group disrupted by cyberattack https://cybernews.com/news/uks-newsquest-media-group-disrupted-by-cyberattack/
Good News
Microsoft takes down websites used to create 750 million fraudulent accounts. Following a court order, Microsoft seized websites created by a Vietnam-based threat group that made millions on mass phishing, identity theft, and fraud. https://www.scmagazine.com/news/microsoft-takes-down-websites-used-to-create-750-million-fraudulent-accounts
Awareness
The 2024 Data Privacy Week Toolkit is HERE! https://staysafeonline.org/programs/data-privacy-week/dpw-champion/
Nation States
ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware. https://securityintelligence.com/x-force/itg05-ops-leverage-Israel-Hamas-conflict-lures-to-deliver-headlace-malware/
As of December 2023, IBM X-Force has uncovered multiple lure documents that predominantly feature the ongoing Israel-Hamas war to facilitate the delivery of the ITG05-exclusive Headlace backdoor. The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers. ITG05’s infrastructure ensures that only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign. X-Force tracks ITG05 as a likely Russian state-sponsored group consisting of multiple activity clusters, sharing overlaps with industry-identified threat actor groups APT28, UAC-028, Fancy Bear and Forest Blizzard.
Volt Typhoon-Linked SOHO Botnet Infects Multiple US Gov't Entities. Chinese threat actors are taking advantage of the poor state of edge security to breach both small and big fish. https://www.darkreading.com/cloud-security/volt-typhoon-soho-botnet-infects-us-govt-entities
China to enforce ten-minute response time for data breaches https://cybernews.com/news/china-enforce-ten-minute-data-breach-notification/
Iran-Linked 'OilRig' Cyberattackers Target Israel's Critical Infrastructure, Over & Over. The prolific APT repeatedly compromised targets in healthcare, manufacturing, and government with new lightweight downloaders that blend into network traffic for evasion. https://www.darkreading.com/ics-ot-security/iran-oilrig-cyberattackers-target-israel-critical-infrastructure
Echoes of SolarWinds: JetBrains TeamCity servers under attack by Russia-backed hackers. SVR-affiliated cybergang CozyBear is exploiting a critical TeamCity vulnerability to deploy back doors in unpatched servers. https://www.scmagazine.com/news/echoes-of-solarwinds-jetbrains-teamcity-servers-under-attack-by-russia-backed-hackers
Legislation
European lawmakers reached a political deal on regulating artificial intelligence that includes bans on several applications, including untargeted scraping of images for facial-recognition databases, WSJ reports. Penalties for violating the rules could be up to 7% of a company’s global revenue. The legislation still needs final approval from lawmakers. https://www.wsj.com/tech/ai/regulation-of-ai-advances-in-european-union-deal-09d18355
TTP & Malware
'LogoFAIL' vulnerabilities may affect 95% of computers, researchers say. Flaws in the boot-time image parsers of hundreds of consumer and enterprise-grade devices could let attackers bypass boot security and execute malicious code. https://www.scmagazine.com/news/logofail-vulnerabilities-may-affect-95-of-computers-researchers-say
QR-Code Phishing has multiplied: How detection helps security teams win https://www.scmagazine.com/perspective/qr-code-phishing-has-multiplied-how-detection-helps-security-teams-win
New 'GambleForce' Threat Actor Behind String of SQL Injection Attacks https://www.darkreading.com/cloud-security/gambleforce-threat-actor-sql-injection-attacks
AI
US Regulators Add Artificial Intelligence to Potential Financial System Risks https://www.insurancejournal.com/news/national/2023/12/15/752131.htm
AI enters production systems even as ‘trust’ emerges as a growing concern. Almost four-fifths of the surveyed organizations had already adopted AI in their production, with only a few still testing the technology. https://www.csoonline.com/article/1259919/ai-enters-production-systems-even-as-trust-emerges-as-a-growing-concern.html
The Financial Stability Oversight Council, an interagency group led by Treasury Secretary Janet Yellen, for the first time recommended financial institutions closely monitor the development of artificial intelligence. https://www.wsj.com/livecoverage/stock-market-today-dow-jones-12-14-2023/card/biden-administration-calls-ai-a-risk-to-financial-system-Iq9EGV4zWUHHkMVHe6cS
The New York Times: Chatbot Hype or Harm? Teens Push to Broaden A.I. Literacy (12/31) https://www.nytimes.com/2023/12/13/technology/ai-chatbots-schools-students.html
Guidance & Resources
How Manufacturers Can Protect Customers by Eliminating Default Passwords https://www.cisa.gov/sites/default/files/2023-12/SbD-Alert-How-Software-Manufacturers-Can-Protect-Customers-by-Eliminating-Default-Passwords-508c_0.pdf
Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment https://www.cisa.gov/sites/default/files/2023-12/aa23-349a-risk-vulnerability-assessment-healthcare-public-health-sector.pdf
In this post, Microsoft talks about the disruption of Storm-1152, a cybercrime-as-a-service (CaaS) ecosystem that created 750 million fraudulent Microsoft accounts in support of phishing, identity theft, and other schemes. The CaaS is believed to have made millions of dollars in illicit revenue by creating fraudulent accounts for other cybercrime groups to use in phishing, spam, ransomware, distributed denial-of-service (DDoS), and other types of attacks. https://blogs.microsoft.com/on-the-issues/2023/12/13/cybercrime-cybersecurity-storm-1152-fraudulent-accounts/
Recommendations that defenders can use from Talos’ Year in Review Report https://blog.talosintelligence.com/recommendations-that-defenders-can-use-from-talos-year-in-review-report/
MITRE Debuts ICS Threat Modeling for Embedded Systems https://www.darkreading.com/ics-ot-security/mitre-debuts-ics-cyber-threat-modeling-embedded-systems
Liability
Home Depot Appeals to Get Defense Costs From CGL Policies for 2014 Breach https://www.insurancejournal.com/news/national/2023/12/15/752161.htm
Compliance
“I want to reassure companies and their representatives that our Division does not seek to make 'gotcha' comments or penalize foot faults.” Erik Gerding, director of the SEC's Division of Corporation Finance, on his team's approach to enforcing the commission's strict new cybersecurity disclosure rules, which come into force Friday. https://www.sec.gov/news/speech/gerding-cybersecurity-disclosure-20231214
In Other News
Why federal efforts to protect schools from cybersecurity threats fall short. K-12 schools are especially vulnerable to cyberattack because they lack the cybersecurity expertise and funding essential to protecting students' sensitive information. https://www.govexec.com/technology/2023/12/why-federal-efforts-protect-schools-cybersecurity-threats-fall-short/392782/
LockBit ransomware now poaching BlackCat, NoEscape affiliates https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-poaching-blackcat-noescape-affiliates/