Monthly Newsletter

Consortium Networks’ Monthly Newsletter: July

Welcome back to the Consortium Networks monthly newsletter, now sent out on Monday. Hopefully, this change will help out with clearing out that inbox ahead of the weekend! Let us know what you think.

This edition features a threat profile of local governments, a look at the Barracuda ESG compromise, an update on MOVEit, and a story about three state Attorneys General fighting to keep mandatory cyber requirements at bay. Read on for more!

Be sure to sign up for the newsletter here to join our mailing list so you never miss an edition.

The State of Cybersecurity: Local Governments

The City of Dallas fell victim to a crippling ransomware attack on May 3rd, an event from which it only recently recovered, well over a month later. At its worst, the attack impacted a wide variety of city services including the municipal court system, library networks, emergency services like police and fire rescue, and critical infrastructure systems. Police Sgt. Sheldon Smith said the disruption to emergency services and technology required the department to “work like it’s 1965.”

Dallas is not the only local government facing critical ransomware attacks. In the past few months, San Bernardino County; Oakland, California; Lowell, Massachusetts; and others have been hit by ransomware attacks, often coupled with data leaks. City and local governments are a target-rich environment for malicious actors because they span a range of departments with widely varying cybersecurity hygiene. Though it may be difficult to break into a police department, a library system that is fairly open by nature may prove an easier entry point into the broader network, from which an attacker can move laterally.

These governments often hold a treasure trove of sensitive information they are expected to keep safe, including PII (personally identifiable information), PHI (protected health information), criminal and financial records for individuals and businesses, and much more that threat actors can use for malicious activity.

City and local governments face the full gamut of cyber threats: state actors, criminal groups, insider threats, and hacktivists. With such an expansive array of threats, these governments need a handle on the most pressing concerns for their cybersecurity so they can best equip themselves to deal with them.

State Actors

State actors in cybersecurity include a range of groups including those which are state-permitted, state-sponsored, and state-run. For our purposes, we will not make a distinction and instead will put them all into the state actor bucket.

State actors are typically more sophisticated threat groups with specific strategic objectives that support the political, military, diplomatic, or economic goals of the state. Cyber threat research groups often label them “Advanced Persistent Threats,” or APTs. Attacks by these groups are often the easiest to attribute because they are established groups that stay more-or-less the same over the years, reusing tactics, techniques, and procedures (TTPs) that researchers can learn and track.

With a majority of government information technology leaders naming foreign governments as their greatest cybersecurity concern, it is important to understand these threats in order to combat them. While local governments are not always the primary target of state cyber activity, they provide an excellent vector for reaching affiliated organizations in the critical infrastructure, education, defense, or other sectors that do significant business and correspondence with a local government. This means that one of the best ways to understand the groups that pose the greatest threat to your organization is to know which industries you interact with the most.

For example, a city with a Navy base within its borders would need to be especially concerned with Chinese threat groups like APT 40, APT 23, and APT 14, which all appear to be tasked with cyber espionage against naval research and capabilities. The parish government of Bossier Parish, Louisiana, home to a major Air Force base, would need to give particular attention to groups like Iran’s APT 33 and China’s APT 31, APT 26, APT 18, and APT 27. Cities like Pensacola, Florida, home to military bases for three different branches, should give attention to all of these groups along with general defense-focused groups like APT 28 (Russia) and APT 12 (China).

Cities and counties with a heavy concentration of energy or oil/natural gas industry should stay up-to-date on any advisories for groups like Iran’s APT 35, APT 34 and APT 33, China’s APT 27, APT 26, APT 15, and APT 1, and the Russian groups Energetic Bear and Sandworm. Cities and counties with ports should focus on groups like APT 17 and APT 40 (China), APT 33 and APT 39 (Iran). Governments covering universities, especially research universities, should heed advisories on all Chinese groups and Russia’s APT 29 and Energetic Bear groups.

In addition, localities with research universities should be aware of the Chinese groups Mustang Panda, Deep Panda, and APT 40, as well as Iran’s Silent Librarian, all known for targeting institutions of higher education for espionage and research theft.

Criminal Groups

In 2021, 58% of local governments were victims of a ransomware attack, making up 44% of all ransomware attacks globally. While these numbers are a bit out of date, the trend has not only continued but escalated since the most recent studies were conducted. Criminal ransomware is the greatest cyber threat local governments currently face.

Criminal groups’ primary motivation for attacking any organization is financial gain. Because local governments often lack the resources to invest heavily in cybersecurity, they make up a large part of the “lowest hanging fruit” that ransomware groups target. According to our research, many city and county governments have trouble pointing to a single person responsible for cybersecurity, and many do not have one at all.

Unlike with state actors, knowing the enemy in the criminal space does not necessarily give significant insight or aid in preparing against ransomware attacks. Ransomware has become a booming business, with different groups specializing in each stage of the process, from initial access brokers to intrusion teams to negotiation specialists. The complex web of the ransomware market makes attribution very difficult (unless a group publicly claims the attack) and largely unhelpful. Even when a group becomes so well known that law enforcement can identify individual actors to arrest or a named group to take down, it is easy for the individuals within the group to reorganize under a new name and continue operations as usual.

The most important thing for organizations to keep in mind when defending against ransomware is that the vast majority of those hit by these groups are targets of opportunity. Criminal groups’ goal of financial gain means they are generally target agnostic and will hold any organization they can get a foothold in for ransom. To best protect an organization, the main goal is therefore to take care of the aforementioned low-hanging fruit: consistently deploy multi-factor authentication, maintain good asset management and visibility, ensure consistent patch management, and back up everything (and test the restores).

Insider Threat

Insider threats are those posed by employees and others working within an organization. While there are intentional insider threats, the majority of the risk posed by this group is unintentional. Human error, or unintentional insider threat, is the leading cause of cyber attacks, accounting for over 80% of incidents according to the Harvard Business Review. These risks can include anything from clicking on phishing emails, to falling for business email compromise schemes, to accidental disclosure of confidential information.

Intentional insider threats are those posed primarily by disgruntled employees or those looking to sell information for personal gain. These insiders may work with a criminal or state group to provide information about the organization’s intellectual property and/or network vulnerabilities.

The best mitigations for insider threats, both intentional and unintentional, are regular cybersecurity training, data loss prevention (DLP) solutions, internal network segmentation, and properly configured access management. To cut down on accidental leaks, it is crucial that your organization has clear information-sharing guidelines for cloud services like GitHub and ChatGPT and tracks what information is shared through them.

Hacktivism

Hacktivists use cyber operations to advance political, religious, or other ideological goals. Many hacktivist activities resemble physical activism: defacement of websites, or distributed denial of service (DDoS) attacks that prevent users from reaching a website. For the most part, these activities are used to draw attention to an issue the group finds important and do not cause long-term damage.

One of the longstanding hacktivist groups is the worldwide collective Anonymous, a loosely connected set of hacktivism cells working toward similar political goals. The vast majority of Anonymous attacks are DDoS or defacement operations that leave no lasting damage beyond sending a message.

However, the hacktivism threat landscape has expanded into data leaks, primarily of information that would be embarrassing or damaging to the targeted company or organization. Guacamaya is a well-known hacktivist group that was especially active last fall, with releases of information about Chile’s exploration of spyware, Australian police operations, various Central and South American governments’ efforts to repress indigenous populations, and much more.

Until recently, the United States had been largely spared significant hacktivist intrusions. This month, the City of Fort Worth became the victim of a hacktivist-backed data breach and leak. The hacktivist group SiegedSec stated that its “intention throughout [the] operation was to make a statement and encourage others to do the same” following the passage of anti-trans legislation in Texas. Fort Worth denies that the leaked information was obtained through a cyber operation, stating that all of it was accessible via public records requests. Regardless, hacktivism has arrived in the United States, and local governments may see an increase in this kind of cyber operation as domestic politics continue to polarize.

It Takes a Village

Private enterprises should lobby for cybersecurity funding for the local and state governments whose critical infrastructure they rely on. Imagine the worst case: no water, energy, or transportation available to key facilities. The funding request-to-implementation cycle, which may take 18 months, is a perfect opportunity to engage with the community and city councils. Funding should cover people, process, and technology, and allow for dynamic decisions to address the threats described above. Other opportunities are to assist local governments with training, joint cyber exercises, and RFI/RFP development.

Malware in Focus: Barracuda

Barracuda Networks reported that its Email Security Gateway (ESG) appliances have been actively exploited since October 2022. The exploitation affects ESG versions 5.1.3.001 through 9.2.0.006.

The ongoing attack used a zero-day vulnerability tracked as CVE-2023-2868, a remote command injection in the way the ESG parses file names inside .tar attachments, and has been attributed by Mandiant to the China-nexus group UNC4841. UNC4841 is known for cyber attacks aligned with the strategic goals of the People’s Republic of China.

This cyber espionage campaign impacted a number of victims across more than 15 countries. UNC4841 gained initial access through targeted phishing emails carrying a malicious .tar attachment: because the gateway’s attachment scanning did not sanitize the file names in the archive, simply processing the email executed the attacker’s commands on the appliance. After exploitation the group deployed malware families tracked as SALTWATER, SEASPY, and SEASIDE, which masquerade as legitimate Barracuda services and modules to evade detection.

One of the cleverer aspects of the campaign was the purposeful misspellings and poorly written email bodies. Since the exploit fires when the ESG itself parses the attachment, no recipient ever needs to open the message; the sloppy lures appear designed to get the emails junked as spam so that analysts would be less likely to scrutinize them. UNC4841 then aggressively searched for and exfiltrated very specific data sets aligned with the group’s goal of supporting Chinese strategic priorities. Targets included European and Asian government officials and prominent academics in both Hong Kong and Taiwan.
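The following is an added example, not code from Barracuda, Mandiant, or the original newsletter. Since CVE-2023-2868 is a command injection through unsanitized .tar member names, a mail-pipeline or hunt script can flag archives whose member names carry shell metacharacters before anything downstream tries to handle them. The archives here are constructed in memory, and the metacharacter list is our own assumption of what a legitimate file name never needs.

```python
"""
Added example: flag .tar attachments whose member (file) names contain shell
metacharacters.  A benign archive never needs backticks, semicolons or pipes in
a file name; an archive built to exploit a command-injection bug in a tar
parser does.  Sample archives are constructed below for the demonstration.
"""
import io
import re
import tarfile

# Characters with meaning to a POSIX shell.  Assumption: this list is ours,
# not a Barracuda signature; extend it for the shells your parser might reach.
SHELL_META = re.compile(r"[`$;|&<>\n]")


def suspicious_members(tar_bytes: bytes) -> list[str]:
    """Return the member names in a tar archive that contain shell metacharacters.

    Raises tarfile.ReadError on an archive that cannot be parsed; a caller
    should treat that as a reason to quarantine, not to pass the file through.
    """
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for info in tar:
            if SHELL_META.search(info.name):
                flagged.append(info.name)
    return flagged


def build_tar(names: list[str]) -> bytes:
    """Construct a tar archive in memory containing empty files with the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_tar(["report.pdf", "notes/2023-06.txt"])
    # Constructed sample, not a real lure: a member name that would run `id`
    # if a parser ever interpolated it into a shell command.
    malicious = build_tar(["invoice.pdf", "`id`"])
    print("benign   :", suspicious_members(benign))
    print("malicious:", suspicious_members(malicious))
```

Run on a mail-gateway quarantine directory, anything this returns is a candidate for the kind of hunting Barracuda asked customers to do; an archive that fails to parse at all deserves the same treatment rather than a pass.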

On June 6th, Barracuda advised all affected customers to immediately isolate and replace compromised appliances, regardless of patch level. Although Barracuda had released two patches, it ultimately recommended full device replacement: UNC4841 responded to the patches by modifying SEASPY and SALTWATER and maintained access on patched devices, rendering patching alone inadequate.

This is Why We Can’t Have Nice Things

The Best Day

March 3rd, 2023, was an exciting day in the cybersecurity regulatory space. A memo released by the Environmental Protection Agency (EPA) marked one of the first federal mandatory cybersecurity regulations outside of incident reporting in the United States.

The new requirement was tailored. It narrowly targeted public water systems (PWSs) and only required states to evaluate cybersecurity as part of the sanitary surveys they already conduct. It did not require a complete overhaul of every water system’s cybersecurity program, nor a change in policy or governance for these organizations. A sanitary survey is simply “an onsite review of the water source, facilities, equipment, operation, and maintenance of a PWS for the purpose of evaluating the adequacy of such source, facilities, equipment, operation, and maintenance for producing and distributing safe drinking water.”

Regardless of how narrow the rule was, everything had changed with this shift away from the voluntary guidelines many organizations ignore completely and toward greater state buy-in for critical infrastructure. As noted in the EPA’s original memo, “PWSs are frequent targets of malicious cyber activity, which has the same or even greater potential to compromise the treatment and distribution of safe drinking water as a physical attack.” This change is a welcome shift from the laissez-faire approach the federal government previously took toward cybersecurity, in line with the new National Cybersecurity Strategy.

Delicate

Instead of embracing a change that could have a significant positive impact on national security, some are determined to stop these kinds of requirements from being implemented. Three states’ Attorneys General (Iowa, Missouri, and Arkansas) filed a lawsuit against the EPA, claiming that the rule is a federal intrusion on a state issue and that the requirement would be overly costly for small and rural PWSs.

In a press release on the issue, Iowa AG Brenna Bird justified her joining the suit, saying: “At a time of soaring inflation, where it’s hard enough to make ends meet, the federal government insists on making Iowans’ water bills more costly. We’re going to hold the Biden Administration accountable and protect Iowans’ pocketbooks.”

While cost can be a justification for a court to strike down a rule, the more likely basis for any decision will be the federal overreach argument. Last year, the EPA’s attempt at regulating carbon emissions was struck down by the Supreme Court in a 6-3 decision holding that when an agency wants to regulate something big and new, it must point to clear authorization from Congress for regulating in that space.

This is the same line of reasoning behind the recent student loan forgiveness decision, which found that the Executive Branch exceeded its authority in forgiving student debt. According to that decision, however, Congress would be within its bounds to do the same.

Unfortunately, these decisions may spell trouble for the mandatory EPA rule, as Congress has not explicitly given agencies authority to govern in this area. Congress has authorized rules around incident reporting, through provisions such as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), but not other mandatory cybersecurity regulations.

Tell Me Why (it Matters)

In the words of CISA Director Jen Easterly, “We can’t PSA our way out of [cyber risk].” Cyber threats are not going to simply disappear on their own and recommendations, resources, and guidelines can only go so far. 

Many organizations, especially those in the public utility and related sectors, do not want to make room in an increasingly tight budget for cybersecurity. In some sectors, like finance, the economic incentives for strong cybersecurity already exist, so recommendations and guidelines are useful and the sector largely governs itself. When those financial incentives do not exist, however, cyber spending is often seen as a bottomless bucket to pour money into rather than a critical component of doing business.

Mandatory requirements are the way forward for these sectors, and they must be. The National Cybersecurity Strategy requires this shift, particularly for critical infrastructure sectors. For this Administration to follow a core pillar of its cybersecurity strategy, it will have to find a way around the Court.

Update: MOVEit Zero-Day Explainer

Article Update: Since the initial disclosure of the MOVEit zero-day vulnerability, the situation has evolved with significant updates and revelations surrounding the exploitation and the widespread impact of the security vulnerability.

When an application or service that an organization relies on is found to have a previously unknown security flaw, the risk of cyberattack rises dramatically. Attackers exploit these vulnerabilities, known as zero-days, to gain unauthorized access to systems, breach data, and steal personal information. In late May, a new zero-day vulnerability was exploited, affecting hundreds of companies worldwide.

What Happened?

On May 31st, 2023, Progress Software published an advisory alerting customers to a zero-day vulnerability in its MOVEit Transfer and MOVEit Cloud applications. The vulnerability was being actively exploited by attackers to compromise customers’ internet-facing servers. The vulnerability (CVE-2023-34362) is a critical SQL injection weakness that permits escalation of privileges and unauthorized access to systems. According to a community forum post by a Progress Software representative, “Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.” In the weeks after the zero-day was discovered, Progress Software announced two further vulnerabilities in the product (CVE-2023-35036 and CVE-2023-35708) that require urgent remediation.

With more than 1,700 companies and over 3.5 million users worldwide, MOVEit Transfer is one of the largest managed file transfer ecosystems in the world. Some of the largest organizations in the world use MOVEit Transfer, including Chase Bank, Blue Cross, Disney, and the Department of Homeland Security.

Exploitation of the MOVEit Transfer vulnerability began during the U.S. Memorial Day weekend, around May 27th (Progress Software did not discover the vulnerability until May 31st). The attackers took advantage of the security flaw and the holiday weekend to plant a webshell on servers. The webshell was named “human2.aspx,” deliberately close to the legitimate MOVEit file “human.aspx.” Through it, the attackers gained unauthorized access enabling them to enumerate and download files and to extract sensitive information from Azure Blob Storage containers, which businesses commonly use for cloud-based data storage and management.
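The following is an added example, not code from Progress, CISA, or the original newsletter. Because the webshell was dropped as a file with a predictable name, IIS request logs on a MOVEit Transfer server are a quick place to hunt for it: any request to human2.aspx, successful or not, is worth an investigation. The log lines below are constructed for the example (the IP addresses are documentation ranges); the field positions are read from the W3C #Fields header so the check does not depend on a specific IIS logging configuration.

```python
"""
Added example: hunt IIS W3C-format logs from a MOVEit Transfer server for
requests to the human2.aspx webshell.  The log text is constructed sample
data, not a capture from a real incident.
"""

SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-05-27 03:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-05-27 03:01:10 10.0.0.5 GET /human.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2023-05-27 03:02:47 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 900
2023-05-27 03:05:02 10.0.0.5 GET /Human2.ASPX - 443 - 203.0.113.9 - - 404 0 2 15
2023-05-27 03:06:30 10.0.0.5 GET /machine.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 80
"""

# File name published as the webshell indicator.  Assumption: add any renamed
# variants you find in your own environment.
WEBSHELL_NAMES = {"human2.aspx"}


def parse_w3c(text: str):
    """Yield one dict per request line, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # header can change mid-file; honour the latest
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line encountered before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue                          # skip a malformed line rather than misalign columns
        yield dict(zip(fields, values))


def hunt_webshell(text: str) -> list[dict]:
    """Return the records whose requested path ends in a known webshell file name.

    The match is case-insensitive because IIS paths are, and failed (404)
    probes are kept: they show an attacker checking whether the shell exists.
    """
    hits = []
    for rec in parse_w3c(text):
        name = rec["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        if name in WEBSHELL_NAMES:
            hits.append(rec)
    return hits


def source_ips(hits: list[dict]) -> list[str]:
    """Distinct client IPs behind the hits, the first thing to pivot on in an investigation."""
    return sorted({h["c-ip"] for h in hits})


if __name__ == "__main__":
    for rec in hunt_webshell(SAMPLE_IIS_LOG):
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-method"],
              rec["cs-uri-stem"], rec["sc-status"])
    print("source IPs:", source_ips(hunt_webshell(SAMPLE_IIS_LOG)))
```

To use this against a real server, read the files under the IIS log directory (by default C:\inetpub\logs\LogFiles) and pass their contents to hunt_webshell; the webshell file itself, if present, lives in the MOVEit Transfer wwwroot directory and should be preserved for forensics rather than simply deleted.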

Who is Responsible?

Following the discovery of the vulnerability, Microsoft attributed the attacks to Lace Tempest, the threat actor known for running the Cl0p extortion site. Cl0p is a Russian-speaking ransomware operation that has been active since 2019 and has been linked to a wide range of activity in the cybercrime ecosystem. The Cl0p group confirmed its involvement on June 5th by publishing a statement about the attack on its leak site. On June 16th, the U.S. State Department’s Rewards for Justice program offered a reward of up to $10 million for information linking the Cl0p ransomware actors to a foreign government.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory on the active exploitation of the critical MOVEit Transfer flaw, which Cl0p used to steal data from the underlying databases rather than to encrypt systems. Progress Software has released a patch, but according to CISA the Cl0p gang has continued to target systems that are still not updated.

What Is the Damage?

Companies are still scrambling to evaluate what data has been compromised. According to The Hacker News, the Cl0p gang may have known about and been testing the MOVEit Transfer vulnerability since 2021. The July 2021 activity appeared to be manual testing, judging by how long it lasted; in subsequent activity the attackers seemed to switch to automated tooling, with sessions lasting anywhere from a few seconds to a few minutes.

Payroll service provider Zellis, a company using the MOVEit software, confirmed on June 9th that data belonging to its UK clients (including BBC, British Airways, and Boots) was stolen. Data including home addresses, national insurance numbers, and bank details was taken in the breach. 

CISA Director Jen Easterly stated that “several” federal agencies were impacted but would not state specifically how many. It is confirmed that at least three federal U.S. agencies – the Department of Energy, Department of Agriculture, and the Office of Personnel Management – were impacted. 

The cyberattack also impacted various state governments in the United States. The Minnesota Department of Education revealed that the personal data of over 95,000 students had been breached. The Illinois Department of Innovation and Technology (DoIT) stated that Cl0p went after various Illinois state agencies; a state representative said, “DoIT’s investigation is ongoing and the full extent of this incident is still being determined, but DoIT believes a large number of individuals could be impacted.” The Louisiana Office of Motor Vehicles announced that it believes all Louisianians with a state-issued driver’s license, ID, or vehicle registration (over 6 million residents) likely had their data exposed to threat actors. This led to two class action lawsuits being filed against Progress Software in Louisiana, alleging that the company’s negligence led to the breach and put personal financial data at risk. The Oregon DMV released a similar statement and press release explaining that its MOVEit Transfer data breach impacted approximately 3,500,000 Oregonians with an ID or driver’s license.

As time goes on, we are learning more and more about who is impacted by this breach. As of July 5th, 196 organizations and over 17.5 million individuals have been revealed to be affected by this vulnerability. Security company Censys examined internet-exposed MOVEit Transfer hosts and found that 31% were in the financial services industry, 16% in healthcare, 9% in information technology, and 8% in government and military.

Nearly 30% of the companies they observed have over 10,000 employees, indicating that the service is used in a variety of large organizations – the vast majority of which are based in the United States.

With so many organizations in the education sector hit by the zero-day, Brett Callow, a threat analyst at Emsisoft, claims that “it’s possible that pretty much every school in the US will also have been impacted, either directly or indirectly”. 

What Should I Do?

In response to this threat, all organizations using MOVEit Transfer should take immediate action and upgrade affected systems.

Where upgrades cannot be performed, the system should be taken offline until it can be upgraded. Both CISA and Mandiant provide in-depth steps to mitigate the threat from Cl0p. If MOVEit Transfer is present on the network, businesses should follow the mitigation guidance on Progress’s website and open an investigation for evidence of compromise. As of June 12th, Progress has also released a second patch to be deployed after the first is applied.

The severity and scale of this incident underscores the importance of taking proactive measures to mitigate risks associated with zero-day vulnerabilities and far-reaching software supply chains. In order to prepare for and reduce the effectiveness of zero-day threats to your organization, there are several practices all organizations should consider. 

First and foremost, vendor agreements should be reviewed to include provisions obligating the vendor to notify you of any actual or attempted security incident within a reasonable time period. A defense-in-depth strategy that combines multiple security measures, such as firewalls, antivirus solutions, intrusion prevention systems, secure configurations, and secure coding practices, adds layers of protection against zero-day vulnerabilities. With proactive threat hunting, organizations can identify and respond to potential zero-day attacks before they cause significant damage.

Furthermore, effective asset management practices, including maintaining an accurate and up-to-date inventory, classifying assets by criticality, and implementing strong access controls, give organizations visibility into their valuable resources so they can allocate appropriate security measures. Asset management aids in identifying vulnerabilities, applying patches on time, and monitoring critical assets for signs of compromise.

In parallel, organizations should consider SaaS security solutions that map the attack surface of each SaaS application and what an attacker could reach if it were compromised. That starts with identifying the assets involved in the SaaS environment, including hardware, software, data, and third-party services. Strong IAM practices are essential for understanding the “blast radius” of a zero-day. Data discovery tools are also a must: knowing where sensitive data lives lets organizations protect it proactively, prevent unauthorized access, and identify exactly what was exposed in the event of a zero-day.

All of these security measures are recommended to all Consortium Networks clients and associates to remediate effects of the MOVEit zero-day and best protect themselves from similar attacks in the future.

In Other News

Hacks

Wagner Group Cyber Team Attacks Russian Satellite Telecommunications Provider: An unidentified hacker group, allegedly affiliated with the Wagner Group, broke into a Russian satellite provider and reportedly damaged user terminals. The provider is part of Amtel Group, which is partly owned by Russia’s state nuclear energy corporation. The group also defaced four unremarkable Russian websites with messages directly supporting the Wagner Group, warning that “this is just the beginning, more to come.”

TSMC Reports Data Leak from Cyberattack on its IT Supplier: The LockBit ransomware group claimed to have hacked chip giant TSMC and demanded $70 million to keep the stolen data private. TSMC, however, says the attack was on one of its hardware suppliers and not on the company itself. This attack is one more in the growing wave of supply chain attacks.

Petro-Canada Almost Back to Normal After Parent Company Cyber Attack: Petro-Canada’s services are returning to normal after its parent company, Suncor Energy, was hit with a serious cyber attack. The incident initially affected card payments at some Petro-Canada stations and payments to suppliers. Most card transactions are back up and running, but the mobile app is still impacted.

Largest University in France Hit with Cyber Attack: Aix-Marseille University, in southern France, was hit with a cyber attack on Wednesday, June 7th. All networks were shut down, and the university described the attack as coming “from a foreign country.” Significant damage was reported, and the culprit is still unknown.

Microsoft Azure Disrupted by DDoS Attacks: A series of DDoS attacks against Microsoft caused disruptions across several of its services, including Azure, OneDrive, and Outlook. Microsoft assesses that the attacks were carried out by a single threat group using multiple virtual private servers, rented cloud infrastructure, open proxies, and DDoS tools.

Fayetteville, Arkansas Becomes One More City Hit with a Crippling Cyberattack: Fayetteville, home of the University of Arkansas Razorbacks, was forced to take down most digital municipal services following a recent cyberattack. All utility bills must now be paid in person, and the Zoom option for public meetings is no longer available. Fayetteville joins Dallas, Augusta, and many others in the swiftly growing pool of cities attacked in 2023.

The University of Manchester Reports That a Cyber Attack Likely Copied Data: The University of Manchester serves over 40,000 students and 12,000 staff, all of whom have now been warned to stay vigilant for phishing attacks following a cyber attack in which the perpetrators likely copied university and personal data. The perpetrators are currently unknown; the University plans to work closely with students in the coming days to keep everyone up to date on their personal information.

Martinique Hit with Debilitating Cyber Attack: The Caribbean island of Martinique, a French overseas territory, suffered a weeks-long cyber attack that disrupted internet services and other infrastructure. The attack began on May 16th and forced some government offices to close until June 1st, while other services, such as the government website, were down much longer. Affected users were advised to immediately disconnect devices from the infected network to limit the spread.

Ransomware 

Hawai’i Community College Dealing with Ransomware Attack: A Hawaiian community college was forced to take down its network due to a ransomware attack on June 13th. The attack was claimed by the group NoEscape (also written N0_Esc4pe), which says it holds 65 gigabytes of stolen data. This ransomware group is fairly new, having only appeared this May.

Development Bank of South Africa Hit by Akira Ransomware Attack: The state-owned Development Bank of South Africa was hit with a ransomware attack by the notorious Akira ransomware gang. Employee data was exposed in the breach, and authorities recommend vigilance regarding phishing emails and other suspicious activity.

Japanese Pharma Giant Hit by a Ransomware Attack: Eisai, a large Japanese pharmaceutical company with roughly 10,000 employees, was hit with a major ransomware attack that began on June 3rd. The company says, “certain systems both in and outside of Japan, including logistics systems, have been taken offline as a result of the incident and our ongoing response process.”

Patches Needed

Microsoft Fixes Two Dangerous Azure Vulnerabilities: Microsoft resolved two vulnerabilities affecting Azure tools that allowed attackers to access a victim’s personal data and modify their virtual environment.

Mozilla Releases Updates to Address Firefox Vulnerabilities: Mozilla released updates to fix vulnerabilities in Firefox 114 and Firefox ESR 102.12 which, if left unpatched, could allow an attacker to take control of the affected system.

Apple Releases New Security Features: Apple released major privacy updates to Safari private browsing, communication safety, and Lockdown Mode. It also introduced new safety features called “Check In,” “NameDrop,” and “Live Voicemail.”

CISA Warns of a Cardiac Device System Vulnerability: Medtronic’s cardiac device system has a major vulnerability tracked as CVE-2023-31222 that carries a CVSS score of 9.8 out of 10. If exploited, this could allow bad actors to modify data on the cardiac device and penetrate the healthcare system’s network.

Akira Ransomware Group Decryptor Used in Dozens of Attacks Publicly Released: This release has provided a way forward for the large number of victims left in the wake of the Akira ransomware attacks. The decryptor works on the Windows variant of the ransomware, and a Linux version is currently in the works.

Threat Intel

Groups

Chinese Hackers use new tactics for infrastructure attacks: Volt Typhoon, a newly named Chinese nation-state actor, has been active since mid-2020 and is linked to network intrusion operations against the US government, defense, and other critical infrastructure organizations. It has been said that this group “favors web shells for persistence and relies on short bursts of activity primarily involving living-off-the-land binaries to achieve its objectives.”
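Two of the behaviours quoted above (web shells for persistence, and short bursts of living-off-the-land binary use) are things a defender can hunt for in process-creation telemetry. The script below is an added illustration written for this newsletter, not code from any advisory or vendor; the process events it runs over are constructed sample data, and the lists of web-server parents, shells and LOLBins are assumptions chosen for the example rather than an authoritative set.

```python
"""Hunting heuristics for two behaviours associated with web-shell persistence
and living-off-the-land activity:
  1. a web-server worker process directly spawning a shell (web-shell tell);
  2. several distinct LOLBins executed on one host inside a short window.
Sample events are constructed for illustration; the binary lists are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed set of HTTP server processes; a shell child under these is suspicious.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd", "nginx", "tomcat"}
# Interpreters and shells commonly launched by web shells.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "sh", "bash"}
# Assumed list of native binaries often abused for hands-on-keyboard work.
LOLBINS = {"netsh.exe", "ntdsutil.exe", "wmic.exe", "reg.exe", "certutil.exe",
           "rundll32.exe", "powershell.exe", "cmd.exe"}


def parse_event(line):
    """Parse 'timestamp|host|parent_image|child_image' into a dict."""
    ts, host, parent, image = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "parent": parent, "image": image}


def web_shell_spawns(events):
    """Return events where a web server process directly spawns a shell."""
    return [e for e in events
            if e["parent"].lower() in WEB_SERVER_PARENTS
            and e["image"].lower() in SHELL_CHILDREN]


def lolbin_bursts(events, window=timedelta(minutes=5), threshold=4):
    """Return (host, window_start, distinct_lolbins) for every host on which at
    least `threshold` distinct LOLBins ran within `window` (sliding window)."""
    per_host = defaultdict(list)
    for e in events:
        if e["image"].lower() in LOLBINS:
            per_host[e["host"]].append(e)
    findings = []
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
            distinct = {x["image"].lower() for x in in_window}
            if len(distinct) >= threshold:
                findings.append((host, start["ts"], len(distinct)))
                break  # one finding per host is enough to open a triage ticket
    return findings


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    "2023-06-14T02:10:00|WEB01|w3wp.exe|cmd.exe",       # IIS worker spawns a shell
    "2023-06-14T02:10:05|WEB01|cmd.exe|netsh.exe",      # burst of LOLBins follows
    "2023-06-14T02:10:40|WEB01|cmd.exe|ntdsutil.exe",
    "2023-06-14T02:11:30|WEB01|cmd.exe|wmic.exe",
    "2023-06-14T02:12:00|WEB01|cmd.exe|reg.exe",
    "2023-06-14T03:00:00|WEB01|svchost.exe|certutil.exe",  # outside the 5-minute window
    "2023-06-14T08:00:00|WKS07|explorer.exe|cmd.exe",   # admin workstation, spread out
    "2023-06-14T09:30:00|WKS07|cmd.exe|reg.exe",
    "2023-06-14T11:00:00|WKS07|explorer.exe|powershell.exe",
]
EVENTS = [parse_event(l) for l in SAMPLE_EVENTS]

if __name__ == "__main__":
    for e in web_shell_spawns(EVENTS):
        print(f"web-shell indicator: {e['host']} {e['parent']} -> {e['image']} at {e['ts']}")
    for host, start, n in lolbin_bursts(EVENTS):
        print(f"LOLBin burst: {host} ran {n} distinct LOLBins within 5 min of {start}")
```

The second heuristic deliberately counts distinct binaries rather than raw executions, so a single looping script does not trip it; tune the window and threshold to your own baseline, since an administrator's scripted maintenance can look similar.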

Brazil botnet targets Spanish speakers across Americas: Horabot, a botnet used by hackers in Brazil, is delivering a banking trojan and a spam tool into the inboxes of Spanish speakers across the Americas. The attackers seem primarily interested in using this tool to take credentials and financial data from the victims and to send phishing emails to every email address in the victim’s mailbox.

US and South Korea Issue Warning over North Korea’s Kimsuky group: The US and South Korea both sent out warnings detailing the spying methods of Kimsuky. Kimsuky is a North Korean nation-state group that has been known to target think tanks, academia, and the media. The group has been around since 2012 and is believed to be controlled by the Reconnaissance General Bureau (the North Korean military intelligence organization). 

TTPs 

AI linked to business email campaign scams: It is believed that malicious actors are using generative AI to write the emails for their scams at massive scale. This eliminates the spelling and grammar errors that have historically given these campaigns away.

Fake GitHub profiles delivering malware through repositories: Research shows that several hackers started a campaign to trick cybersecurity professionals into downloading malicious software through GitHub repositories. The attackers have put considerable work into making these accounts seem legitimate, including an expansive network of Twitter accounts to back up their profiles.

Cyber attacks on senior level executives reach beyond the individual: Corporate executives continue to be targeted by cyber criminals, and these attacks are no longer limited to the work environment; they have reached the home. 42% of organizations surveyed reported that a senior executive or an executive’s family member was the target of a cyber attack within the last two years. Home office networks account for a third of these cases.

Sector

New UK cyber threat report focused on the legal sector: The newly released UK cyber threat guide contains a refreshed report from the NCSC detailing how UK legal firms can protect themselves from cyber attacks. This report is for firms of all sizes and is intended to help legal professionals understand modern-day cyber threats and the ways in which their sector is being targeted.

Canada: a major target for cyberattacks: Anita Anand, the Canadian Minister of Defense, reports that Canada is a growing target for cyber threats. She reports an increase in attacks in North America, specifically referencing attacks on Canadian critical infrastructure. These attacks put the world’s largest crude oil producer at risk, which could detrimentally impact the world economy.

Investments and Innovations 

‘Under Advisement’ Moves to the Private Sector: The “Under Advisement” program overseen by US Cyber Command is doubling in size due to increased demand.

Collab Between Rubrik and Microsoft Lets Enterprise Customers use AI to Speed Up Security Response Time: The integration of Rubrik Security Cloud with Microsoft Sentinel and Azure OpenAI Service will help organizations respond faster and more efficiently to cyber security threats. This integration will help prioritize alerts and speed up investigations.

CISA Will Launch New Cyber Supply Chain Resource Hub: To help federal agencies and industry stakeholders acquire practical tools to mitigate cyber supply chain risks, a new resource center was created to provide visibility into software supply chains. CISA wants the hub to eventually allow agencies and other organizations to browse the practical C-SCRM information assets it provides.

Google Funds a $20M Effort to Give Students Training for Critical Cybersecurity Jobs: Google will give $20 million to train thousands of students in infosec skills. This funding will go toward developing clinics at 20 higher education centers in the United States. Google will begin accepting clinic applications from schools in October of this year.

Google Takes Steps Towards a Passwordless Future: Starting on June 5th, 9 million organizations will have the ability to use passkeys instead of passwords. This could mean a fingerprint on an Android device, facial recognition on an Apple device, or Windows Hello. This is a big step towards the passwordless future.

Google Creates a Plan to Implement Basic Security Controls to AI Systems: Google laid out a plan to implement basic security controls across all of its artificial intelligence systems. This will hopefully dissuade bad actors from breaking into AI systems and manipulating the models.

Cryptomining is on the Rise and Google has Put $1M to Covering Customers’ Unauthorized Compute Expenses: Cryptominers usually go unnoticed on their host devices and are able to rake in cryptocurrency using stolen compute resources, but Google has software to detect it. Security Command Center, Google Cloud’s built-in security service, has a new scan that will unearth mining malware. If it fails to protect a premium customer, Google will now reimburse them up to a million dollars in unauthorized compute expenses.

The New Cyber 311 Hotlines: UT-Austin will become one of many institutions to start cybersecurity clinics for towns and small businesses that are falling through the cracks. These clinics are modeled on law school legal clinics and train students as digital security consultants to help fill the gap left when the FBI and CISA are stretched too thin.

Switzerland’s Federal Intelligence Service Warns the West of Cyber Espionage Increase: Swiss intelligence organization FIS warns that cyber attacks with the purpose of espionage will become more and more frequent as a result of the West’s attempt to weaken Russia’s human intelligence work in Europe. 

Guidance 

CISA and the NSA Released a Joint Cybersecurity Information Sheet for Organizations: CISA and the NSA worked together to create a Cybersecurity Information Sheet (CSI) providing recommendations for organizations to maintain the cyber hygiene of their networks.

Warnings of Wide Scale Credential Stealing Attacks by Russian Hackers Come to Light: Microsoft said that there has been a spike in credential stealing attacks thought to be associated with the Russian-affiliated hacker group ‘Midnight Blizzard.’ This group has also been known as Nobelium, Cozy Bear, APT29, and Iron Hemlock, and came to prominence with the 2020 SolarWinds attack. Microsoft reported that these credential attacks use password spray, brute-force, and token theft strategies to get the information they are seeking.
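Password spray and brute force leave different fingerprints in sign-in logs: a spray tries one or two passwords against many accounts from one source, while brute force hammers one account with many guesses. The script below is an added example written for this newsletter, not Microsoft's detection logic or code from the page; the log lines are constructed (the source addresses come from the reserved documentation ranges), and the thresholds are assumptions to be tuned against your own baseline.

```python
"""Classify failed-sign-in sources as password spray or brute force, then flag
any account that later signed in successfully from a spraying source.
Log lines and thresholds are constructed for illustration."""
from collections import defaultdict


def parse_line(line):
    """Parse 'timestamp key=value key=value ...' into a dict (timestamp kept as 'ts')."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = ts
    return rec


def classify_sources(records, spray_min_users=5, spray_max_per_user=2,
                     brute_min_attempts=10, brute_max_users=2):
    """Return {source_ip: verdict} where verdict is 'password-spray',
    'brute-force' or 'benign', based only on failed sign-ins.
    Thresholds are assumptions for the example, not recommended values."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failures
    for r in records:
        if r["result"] == "FAIL":
            failures[r["src"]][r["user"]] += 1
    verdicts = {}
    for ip, users in failures.items():
        total = sum(users.values())
        if len(users) >= spray_min_users and max(users.values()) <= spray_max_per_user:
            verdicts[ip] = "password-spray"        # many accounts, few guesses each
        elif total >= brute_min_attempts and len(users) <= brute_max_users:
            verdicts[ip] = "brute-force"           # few accounts, many guesses
        else:
            verdicts[ip] = "benign"
    return verdicts


def successes_from_spray_sources(records, verdicts):
    """Highest-priority finding: accounts that signed in successfully from a
    source already classified as spraying. Returns [(ip, user), ...]."""
    return [(r["src"], r["user"]) for r in records
            if r["result"] == "OK" and verdicts.get(r["src"]) == "password-spray"]


# Constructed sign-in log (not real data). Sources use documentation IP ranges.
SAMPLE_LOG = (
    [f"2023-06-20T10:00:0{i + 1} src=203.0.113.7 user={u} result=FAIL"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + ["2023-06-20T10:05:00 src=203.0.113.7 user=erin result=OK"]   # spray that landed
    + [f"2023-06-20T11:00:{s:02d} src=198.51.100.9 user=bob result=FAIL"
       for s in range(12)]                                          # brute force on bob
    + ["2023-06-20T12:00:00 src=192.0.2.5 user=carol result=FAIL",  # typo, then success
       "2023-06-20T12:00:10 src=192.0.2.5 user=carol result=FAIL",
       "2023-06-20T12:00:20 src=192.0.2.5 user=carol result=OK"]
)
RECORDS = [parse_line(l) for l in SAMPLE_LOG]

if __name__ == "__main__":
    verdicts = classify_sources(RECORDS)
    for ip, verdict in verdicts.items():
        print(f"{ip:15} {verdict}")
    for ip, user in successes_from_spray_sources(RECORDS, verdicts):
        print(f"ESCALATE: {user} signed in from spraying source {ip}")
```

A spray that ends in a single success is the event worth paging on, which is why the last function exists; the classification alone only tells you someone is knocking. Token theft, the third technique Microsoft names, does not show up as failed sign-ins at all and needs a different signal (for example a session reused from a new device or location), so this heuristic should not be read as covering it.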

Warnings Sent Out to British Law Firms to Upgrade Their Cyber Defenses Against Ransomware Attacks: The National Cyber Security Centre (NCSC) created this report for the British legal sector following an increase in financially motivated hacks within the industry. This warning reminds companies that the NCSC itself has many resources to help a company maintain its cybersecurity posture and mitigate cyber incidents. 

CISA and NSA Work Together on Guidance on Strengthening Baseboard Management Controllers: On June 14th CISA and the NSA released a cybersecurity information sheet highlighting the threats to Baseboard Management Controller implementations. BMCs are components built into a computer’s hardware that operate independently of the operating system. Because a BMC is not part of the operating system, it tends to be overlooked when the rest of the cybersecurity landscape is maintained.

Several Agencies Worked Together to Create an Advisory on Threat Adversary LockBit: LockBit was the most frequently deployed ransomware in 2022 and continues to be a threat in 2023. This guide was created by CISA in collaboration with the FBI, MS-ISAC, and various international partners and includes commonly exploited vulnerabilities and exposures along with other TTPs used by LockBit affiliates.

Policy and Politics

Domestic

Congress

Bipartisan Data Privacy Bill Renewed: A bipartisan, bicameral bill was reintroduced this month that would establish a system requiring data brokers and private companies to stop collecting user information. The bill, the Data Elimination and Limiting Extensive Tracking and Exchange (DELETE) Act, is sponsored by Representatives Lori Trahan (D-MA) and Chuck Edwards (R-NC) and Senators Bill Cassidy (R-LA) and Jon Ossoff (D-GA).

Bipartisan International Cybersecurity Cooperation Bill Introduced: Senator Gary Peters (D-MI) introduced bipartisan legislation that would strengthen international cooperation on cybersecurity issues.

Cyber Incident Reporting Council to Issue Findings Soon: The Cyber Incident Reporting Council, a federal council charged with harmonizing cyber incident reporting requirements, will issue its report to Congress “in the next month or two.”

Bill Introduced to Give CISA Greater Power in Public-Private Partnerships: A bipartisan bill (The Cybersecurity Awareness Act) was introduced last month that would require CISA to launch a public-private partnership campaign to promote cybersecurity best practices.

Executive

FCC Privacy Task Force Aims at Data Breaches: The Federal Communications Commission (FCC) will launch its privacy and data protection task force soon. The task force will work to coordinate rulemaking and guidance around data privacy and data breaches.

DOJ Unit to Prioritize Prosecuting State Cybercrime: The Department of Justice created a new section within its National Security Division that will work to prosecute state-backed cybercrime.

SEC Incident Reporting Rule Delayed: The Securities and Exchange Commission (SEC) delayed the launch of its new cyber incident reporting rule until October of this year following continued industry pushback.

International

Big Tech Critics Silenced by Proposed Law by Irish Government: A last-minute addition to Ireland’s Courts and Civil Law Bill of 2022 has the ability to silence citizens speaking out about the misuse of personal data by Big Tech. The amendment proposes a new section, 26A, in the Data Protection Act of 2018 that would “prohibit the disclosure of confidential information.” This would stop anyone who filed a complaint from sharing any findings or information gathered as a result of the complaint.

European Commission Tells Members to Restrict ZTE and Huawei from 5G Networks: The EU told its members to quickly restrict high-risk equipment suppliers from their 5G networks. Both ZTE and Huawei were singled out as carrying materially higher risk. Bart Groothuis, the cyber rapporteur for the European Parliament, told the Record, “It is unthinkable that we allow our adversaries in such critical networks.”