Cyber Risk Update 20 OCT 2023
Discord Server Name Change
We are searching for a new server name! Our aim is to foster broader participation. The team supporting this server handles all aspects of critical infrastructure. While the majority of our work pertains to SLTT (State, Local, Tribal, and Territorial) entities, we're actively seeking collaboration opportunities across the other critical infrastructure sectors. So, we're reaching out to you for suggestions on a fresh server name. We thought something with CIKR (Critical Infrastructure and Key Resources) in the name could be a fitting choice. Join the Discord server and vote or suggest a new name. You will find the poll under the general channel. (TLP:CLEAR only) Invite: https://discord.gg/PGz3NDKb5V
Advisory
State Department advises all Americans overseas ‘to exercise increased caution’ in worldwide alert. Due to increased tensions in various locations around the world, the potential for terrorist attacks, demonstrations or violent actions against U.S. citizens and interests, the Department of State advises U.S. citizens overseas to exercise increased caution. U.S. citizens should: Stay alert in locations frequented by tourists. Enroll in the Smart Traveler Enrollment Program (STEP) to receive information and alerts and make it easier to locate you in an emergency overseas. Follow the Department of State on Facebook and Twitter. https://travel.state.gov/content/travel/en/traveladvisories/traveladvisories/worldwide-caution.html
AI
AI oversight: Bridging technology and governance https://www.grantthornton.com/insights/articles/audit/2023/bridging-technology-and-governance
Incidents
Qubitstrike Attacks Rootkit Jupyter Linux Servers to Steal Credentials https://www.bleepingcomputer.com/news/security/qubitstrike-attacks-rootkit-jupyter-linux-servers-to-steal-credentials/
Kansas Courts to Operate on Paper After Cyberattack. A Kansas judge said courts in the state will be down for at least two weeks because of an “unauthorized incursion” into a new statewide computer system, Kake.com reported on Sunday. He said Sedgwick County Court will be open Monday, but operations will likely be slower, and the court won’t accept online applications or filing of court motions. An administrative court in the state said on Friday that court clerk offices in Topeka were inaccessible for electronic filings through Sunday. https://www.kake.com/story/49834282/kansas-courts-to-operate-on-paper-for-at-least-2-weeks-judge-says-ransomware-attack-may-be-to-blame
Casio discloses data breach impacting customers in 149 countries https://www.bleepingcomputer.com/news/security/casio-discloses-data-breach-impacting-customers-in-149-countries/
The Register: Cybercrime claims fresh 23andMe batch takes leaked records to 5 million https://www.theregister.com/2023/10/19/latest_23andme_data_leak_takes/
Good News
In an ongoing operation conducted by law enforcement, Ragnar Locker's Tor negotiation and data leak sites were taken down and replaced with a notice stating that the websites had been seized in a "coordinated international law enforcement action." https://www.darkreading.com/threat-intelligence/europol-strike-ragnar-locker-ransomware
Guidance
Today, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published version 3 of the #StopRansomware Guide, an update to our one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks. The update incorporates additional recommended actions to reduce internet-facing vulnerabilities and strengthen security of web browsers and server message block (SMB) protocols. Also, the ransomware and data extortion checklist that organizations should use when dealing with a potential or actual ransomware incident was updated. https://www.cisa.gov/stopransomware
Vulnerabilities
Thousands of devices exposed to critical Cisco IOS XE software bug. As the number of exposed devices tops 74,000, according to some reports, security pros say that, short of a patch, disabling the HTTP server feature (the device web UI) in IOS XE is the best workaround for now. https://www.scmagazine.com/news/thousands-of-devices-exposed-to-critical-cisco-ios-xe-software-bug
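To make the interim workaround above actionable at scale, here is an added example (not from the article and not Cisco's tooling) that audits a saved `show running-config` for the IOS XE HTTP and HTTPS server lines and emits the config-mode commands that turn them off. The sample configuration is constructed for illustration; the treatment of a missing line as "absent, verify on the device" is an assumption, because the platform default for the web UI varies by image.

```python
"""Audit a Cisco IOS XE running-config for the HTTP/HTTPS web-UI service."""
import re
from typing import Dict, List

# Constructed sample of `show running-config` output; not a real device.
SAMPLE_CONFIG = """\
!
hostname edge-router-1
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
!
end
"""

# Matches `ip http server`, `ip http secure-server` and their `no` forms.
# `ip http authentication local` and similar lines are deliberately ignored.
_HTTP_LINE = re.compile(
    r"^(?P<neg>no )?ip http (?P<svc>server|secure-server)\s*$", re.MULTILINE
)


def http_server_state(running_config: str) -> Dict[str, str]:
    """Classify each web-UI service as 'enabled', 'disabled' or 'absent'.

    IOS XE prints `ip http server` when the service is on and `no ip http server`
    when it has been explicitly turned off. A missing line means the platform
    default applies, which differs between images, so it is reported as 'absent'
    and must be confirmed on the box (assumption: do not treat absence as safe).
    """
    state = {"server": "absent", "secure-server": "absent"}
    for match in _HTTP_LINE.finditer(running_config):
        state[match.group("svc")] = "disabled" if match.group("neg") else "enabled"
    return state


def remediation(state: Dict[str, str]) -> List[str]:
    """Config-mode commands implementing the interim workaround.

    Anything not explicitly disabled gets a `no ip http ...` line; applying the
    negation to an already-absent service is harmless.
    """
    return [f"no ip http {svc}" for svc in ("server", "secure-server")
            if state[svc] != "disabled"]


if __name__ == "__main__":
    found = http_server_state(SAMPLE_CONFIG)
    for svc, status in found.items():
        print(f"ip http {svc}: {status}")
    print("Apply in config mode:")
    for cmd in remediation(found):
        print(f"  {cmd}")
```

Run it against a config pulled over SSH (`show running-config | include ip http` is enough). If the web UI must stay on for a management network, the later step is restricting it with an access class rather than leaving it reachable from every interface, but the script only reports on and removes the exposure the article describes.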
Security Week: Microsoft Improving Windows Authentication, Disabling NTLM (10/16) https://www.securityweek.com/microsoft-improving-windows-authentication-disabling-ntlm/
Financial
Budget impacts on cyber risk.
Underfunding presents operations and cybersecurity challenges for FLRA in fiscal 2024, OIG says. The independent agency tasked with overseeing labor issues within the federal government is currently operating at the same budget level it had 20 years ago, while its unfair labor practice caseload has risen 62% in the last four years. https://www.govexec.com/management/2023/10/underfunding-presents-operations-cybersecurity-challenges-flra-fiscal-2024-oig-says/391065/
TTP & Malware
This tactic piggybacks on the current Cybersecurity Awareness Month campaign reminding people to update their software. Watch Out: Attackers Are Hiding Malware in 'Browser Updates' https://www.darkreading.com/threat-intelligence/watch-out-attackers-hiding-malware-browser-updates
Unraveling Real-Life Attack Paths – Key Lessons Learned https://thehackernews.com/2023/10/unraveling-real-life-attack-paths-key.html
One of the oldest malware tricks in the book -- hacked websites claiming visitors need to update their Web browser before they can view any content -- has roared back to life in the past few months. New research shows the attackers behind one such scheme have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement: By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain. https://krebsonsecurity.com/2023/10/the-fake-browser-update-scam-gets-a-makeover/
Cybercriminals register .AI domains of trusted brands for malicious activity https://www.csoonline.com/article/655785/cybercriminals-register-ai-domains-of-trusted-brands-for-malicious-activity.html
Reports
Microsoft Digital Defense Report 2023 https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023
The Most Popular IT Admin Password Is Totally Depressing. Analysis of more than 1.8 million admin portals reveals IT leaders, with the highest privileges, are just as lazy about passwords as everyone else. https://www.darkreading.com/application-security/the-most-popular-it-admin-password-is-totally-depressing
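The admin-portal finding above is the kind of thing a deny-list check at password-set time prevents. The following is an added example, not from the article or the study behind it: it screens a privileged-account password against a banned-word list after undoing the usual decorations (capitalization, leet substitutions, trailing years or "123!") so that trivial variants of "admin" are caught too. The deny list and the 15-character minimum are constructed assumptions; in production the list should be a breached-password corpus.

```python
"""Screen privileged-account passwords against a deny list of common words."""
import re
from typing import List, Tuple

# Constructed deny list for illustration only; a real deployment would load a
# breached-password corpus (e.g. a Have I Been Pwned download) instead.
DENY_LIST = {"admin", "password", "welcome", "root", "qwerty", "letmein", "changeme"}

# Assumption: stricter minimum for privileged accounts than the 8-character floor.
MIN_LEN = 15

# Common leet substitutions, reversed: 'adm1n' -> 'admin', 'p@ssw0rd' -> 'password'.
_UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                         "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Reduce a password to the dictionary word a user likely started from.

    Order matters: strip leading/trailing non-letters first (years, '123', '!')
    so they are not mistaken for leet characters, then undo leet inside the word.
    """
    base = pw.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # trailing 2023, 123!, ...
    base = re.sub(r"^[^a-z]+", "", base)   # leading punctuation
    return base.translate(_UNLEET)


def check_admin_password(pw: str) -> Tuple[bool, List[str]]:
    """Return (acceptable, list_of_problems) for a candidate admin password."""
    problems: List[str] = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if normalize(pw) in DENY_LIST:
        problems.append("variant of a deny-listed word")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed candidates: the first three are the kind of password the
    # article complains about, the last is a passphrase that passes.
    for candidate in ("admin", "Admin123!", "P@ssw0rd2023", "correct horse battery staple"):
        ok, why = check_admin_password(candidate)
        print(f"{candidate!r}: {'OK' if ok else 'REJECT: ' + '; '.join(why)}")
```

The normalization is intentionally lossy: it exists to reject obvious variants, not to model every mangling rule, so a long passphrase that happens to contain a deny-listed word still passes, which is the intended behaviour.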
Cybersecurity Awareness Month
Don't Wait, Update https://www.learnsecurity.org/single-post/don-t-wait-update
Spooktacular Cybersecurity: Stay Safe with Multifactor Authentication (MFA) This Halloween https://www.learnsecurity.org/single-post/spooktacular-cybersecurity-stay-safe-with-multifactor-authentication-mfa-this-halloween
4 Easy Ways to Stay Safe Online https://www.learnsecurity.org/single-post/4-easy-ways-to-stay-safe-online
Cybersecurity Awareness Month Kick Off https://www.learnsecurity.org/single-post/cybersecurity-awareness-month-kick-off
San Diego Business Journal: Phishing Is Best Caught Early (10/16) https://www.sdbj.com/cyber-security/phishing-is-best-caught-early/
CISA, in coordination with the National Security Agency, FBI and Multi-State Information Sharing and Analysis Center, published guidance Wednesday to assist organizations with preventing phishing attacks. The joint document, titled "Phishing Guidance: Stopping the Attack Cycle at Phase One," outlines common phishing techniques used by threat actors and instructs organizations at all levels on how to protect themselves. CISA covered two primary phishing objectives: obtaining login credentials and installing malware... TechTarget Editorial contacted CISA for additional information regarding why the agency decided that now was the right time for phishing guidance, but the agency declined to comment. However, some context can be found in a Wednesday blog post written by CISA Senior Technical Advisor Bob Lord. https://www.techtarget.com/searchsecurity/news/366556412/CISA-NSA-FBI-publish-phishing-guidance
Nation States
Additional Guidance on the Democratic People's Republic of Korea Information Technology Workers https://www.ic3.gov/Media/Y2023/PSA231018
Chinese APT group ToddyCat launches new cyber-espionage campaigns. The new campaigns target Asian and European organizations using refined tools and tactics to improve persistence. https://www.csoonline.com/article/655709/chinese-apt-group-toddycat-launches-new-cyber-espionage-campaigns.html
Pro-Israeli Hacktivist Group 'Predatory Sparrow' Reappears. It's been a year since its last communication and attack on Iran — but the conflict with Hamas appears to have reactivated the group. https://www.darkreading.com/dr-global/pro-israeli-hacktivist-group-predatory-sparrow-reappears
Pro-Iranian Hacktivists Set Sights on Israeli Industrial Control Systems. The hacktivists known as SiegedSec identify ICS targets, but there's no evidence of attacks yet. https://www.darkreading.com/dr-global/pro-iranian-hacktivists-sights-israeli-industrial-control-systems
Google TAG Detects State-Backed Threat Actors Exploiting WinRAR Flaw https://thehackernews.com/2023/10/google-tag-detects-state-backed-threat.html
Cyber Scoop: Hamas-linked app offers window into cyber infrastructure, possible links to Iran (10/19) https://cyberscoop.com/hamas-app-telegram-iran/
GRC
EPA Cancels Water Cybersecurity Initiative https://www.pcmag.com/news/is-your-local-water-system-vulnerable-to-cyberattacks-we-may-never-know
Phishing
Phishing Guidance: Stopping the Attack Cycle at Phase One https://www.cisa.gov/resources-tools/resources/phishing-guidance-stopping-attack-cycle-phase-one
Privacy
Federal agencies falling behind on privacy. Many federal agencies still don’t incorporate privacy into their risk-management framework, five years after a standards-setting body published a framework for how to do so, CyberScoop reports. The Government Accountability Office a year ago said that 14 agencies had failed to do so, leading to concerns that the government is ill-positioned to manage a growing body of sensitive information it collects. https://cyberscoop.com/federal-agencies-data-privacy-concerns-risk-management-strategies/
The threat actor "Golem", who claims responsibility for the 23andMe breach, has been posting antisemitic statements. On October 2, Golem posted to BreachForums a link to what was advertised as a trove of 1 million 23andMe profile records of users with Ashkenazi Jewish ancestry markers. https://www.theregister.com/2023/10/19/latest_23andme_data_leak_takes/
Things that are generally increasing cyber risk
Cyber Scoop: House cybersecurity subcommittee chairman says GOP speaker drama is impacting cyber legislation (10/19) https://cyberscoop.com/house-speaker-chaos-garbarino-cyber-funding-bills/