Welcome to the Cyber Watch series for today, October 27, 2023. At DigitalXForce, our Cyber Intelligence team curates a list of the latest cybersecurity news to keep you informed of stories that matter every week.
This week’s Cyber Watch top 10 list is a compilation of stories from 50+ relevant news sources across the web – all ranked according to the risk impact. You can read the full story by clicking on each headline. We encourage you to review these stories and take steps to protect your organization.
According to a recently released OpenText Cybersecurity report, covered by Security Magazine, 2023 has witnessed a significant shift in the world of cyber threats, with the rise of four formidable ransomware groups. Among them, Cl0p, a newcomer, has garnered attention by exploiting a zero-day vulnerability in MOVEit Transfer file software, pushing the average ransom payments towards an alarming three-quarters of a million dollars.
Black Cat, built on the Rust programming language, made headlines for its takedown of MGM Casino Resorts. Akira, believed to be a descendant of Conti, targets small and medium-sized businesses with remarkable efficiency. Royal, suspected to be an heir to Ryuk, stands out for its lateral movement within networks and its unique partial encryption approach.
An SC Media report revealed that the recent Okta breach has taken a concerning turn as three prominent companies, Cloudflare, 1Password, and BeyondTrust, have confirmed that their systems were also targeted in the wake of the breach. All three organizations have emphasized that no customer data was compromised during these security incidents.
BeyondTrust detected an identity-centric attack on an in-house Okta administrator account, resulting from a compromise in Okta’s support system. The company acted swiftly, employing its identity security tools to detect and mitigate the attack effectively. This proactive response prevented any impact on their infrastructure or customer data.
Cloudflare disclosed that threat actors exploited an authentication token compromise at Okta, enabling them to pivot to Cloudflare’s Okta instance. Despite this, Cloudflare assured that their systems remained secure, with no compromise of customer data.
The Washington, DC Board of Elections (DCBOE) has provided an update on a recent data breach that has raised concerns regarding the security of voter information. On October 5, 2023, the DCBOE became aware of a breach, reportedly carried out by a hacking group called RansomedVC. This breach led to the unauthorized access of approximately 600,000 lines of US voter data, including voter records from the District of Columbia.
According to a recent Cyber Wire report, the breach occurred through the compromise of the web server of DataNet Systems, which serves as the hosting provider for DCBOE’s website. It’s crucial to note that no internal DCBOE databases or servers were directly compromised.
The update discloses that DataNet Systems’ breached database server contained a copy of the DCBOE’s voter roll, which includes sensitive personal information such as partial social security numbers, driver’s license numbers, dates of birth, and contact details like phone numbers and email addresses. The extent of potential data access and the number of affected voter records remain unclear.
A collaborative effort between the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group has resulted in the release of the “Cybersecurity Toolkit for Healthcare and Public Health.” According to an Infosecurity Magazine report, this toolkit offers a comprehensive set of resources to empower IT security leaders in the healthcare sector, addressing the increasing cybersecurity threats targeting the industry.
Healthcare organizations are under constant threat from cyberattacks due to the sensitive nature of patient data and their critical role in public health. The newly launched toolkit is designed to equip healthcare professionals with valuable information, practical guidance, and tools to reduce cyber risks and bolster their cybersecurity defenses. The collaborative effort between government agencies and industry experts aims to safeguard patient data and enhance the overall cybersecurity posture of healthcare organizations.
In a decisive move to protect its network-attached storage (NAS) devices, QNAP, a prominent networking hardware company, has thwarted a surge of brute-force attacks that aimed to exploit weak passwords. The attacks posed a significant risk to Internet-exposed NAS devices, a concern for countless individuals and organizations worldwide.
According to a Cybersecurity News report, QNAP’s swift response involved its Product Security Incident Response Team (PSIRT), which rapidly blocked multiple compromised IPs within just seven hours. This agile action successfully prevented the intrusions from spreading further and damaging more NAS devices. Moreover, PSIRT’s quick efforts led to the identification of the source Command & Control (C&C) server within 48 hours, a critical step in neutralizing the threat.
In a recent speech reported by CNBC, UK Prime Minister Rishi Sunak underscored the potential transformative power of artificial intelligence (AI) but also cautioned about its associated risks. As the UK prepares to host a global summit focused on shaping AI safety standards, Sunak likened the impact of AI to historic shifts, such as the industrial revolution, the introduction of electricity, and the birth of the internet.
While recognizing AI’s positive potential, Sunak pointed out that the technology could make it easier to develop chemical or biological weapons, offering criminals new tools for exploitation. In an extreme scenario, he warned about the risk of humanity losing control over superintelligent AI.
These remarks come as the UK positions itself to lead in crafting international AI safety standards. By striking a balance between celebrating AI’s transformative capabilities and acknowledging the need for stringent safeguards, the UK seeks to foster responsible AI development and global cooperation in managing the challenges posed by advanced AI systems.
A recent report from NCC Group highlights a troubling surge in ransomware attacks, reaching an all-time high in September. The report discloses that leak sites exposed 514 ransomware victims, marking a significant 153% year-on-year increase in such incidents. This surpasses the previous record established in July 2023, which saw 502 large-scale attacks.
The appearance of new threat actors in the ransomware landscape has significantly contributed to this increase. Notably, the recently formed group, LostTrust, known for its double extortion tactics, ranked as the second most active group in September, responsible for 10% of all attacks.
Additionally, a new entrant, RansomedVC, secured fourth place, contributing to 9% of the attacks. North America remained the epicenter of cybercriminal activity, experiencing 258 attacks in September, followed by Europe with 155 attacks and Asia in third place with 47.
According to a recent Security Week report, security experts and analysts are sounding alarm bells as the Chinese government-backed hacking group, Volt Typhoon, shifts its focus to target critical infrastructure in Guam and the United States. John Hultquist, Chief Analyst at Mandiant Intelligence, emphasized the unprecedented nature of this campaign, marking a significant departure from the group’s prior involvement in economic espionage and IP theft.
Speaking at the 2023 ICS Cybersecurity Conference in Atlanta, Hultquist urged the defenders of critical infrastructure to take immediate and decisive action in identifying and eliminating traces of Volt Typhoon’s activities. He pointed out that this campaign is a “brand-new thing” for Chinese hacking groups, as it demonstrates a determined effort to infiltrate critical infrastructure in a way that remains under the radar.
Airbnb, a prominent name in the hospitality industry, is grappling with a potential data breach that may have compromised the personal details of approximately 1.2 million users. An individual identifying as ‘Sheriff’ on the dark web has come forward, asserting responsibility for the breach, which reportedly includes sensitive information such as names, email addresses, residential countries, and cities.
According to a recent Cyber Express report, the threat actor has initiated the sale of this pilfered information in the shadowy corners of the internet, demanding an unsettling starting price of $7,000. This revelation raises serious concerns about the security and privacy of Airbnb’s extensive user base, although Airbnb itself has yet to officially confirm the breach.
In a significant international operation, Europol has successfully dismantled the infrastructure linked to the notorious Ragnar Locker ransomware and arrested a key figure in France. According to a recent Hacker News report, the operation, which took place between October 16 and 20, involved searches and actions across Czechia, Spain, and Latvia. The suspected mastermind, believed to be a developer for the Ragnar group, is now facing legal proceedings in the Paris Judicial Court.
Additionally, five other individuals associated with this ransomware gang were interrogated in Spain and Latvia, and servers, as well as a data leak portal, were seized in the Netherlands, Germany, and Sweden. This extensive effort showcases a remarkable level of international collaboration, involving authorities from several countries, including Czechia, France, Germany, Italy, Japan, the Netherlands, Spain, Sweden, Ukraine, and the U.S.
This latest success follows the previous arrests of two individuals associated with the Ragnar Locker crew in Ukraine in 2021, and another member in Canada a year later.
That’s all for today. Stay tuned for our next episode. See you next week!