Welcome to Cyber Watch series for today, November 17, 2023. At DigitalXForce, our Cyber Intelligence team curates a list of the latest cybersecurity news to keep you informed of stories that matter every week.
This week’s Cyber Watch top 10 list is a compilation of stories from 50+ relevant news sources across the web – all ranked according to the risk impact. You can read the full story by clicking on each headline. We encourage you to review these stories and take steps to protect your organization.
FBI and CISA Warn Organizations of Emerging Rhysida Ransomware Campaign Across Sectors
A new alert from American cyber authorities cautions organizations about an opportunistic ransomware threat targeting a wide range of sectors. The ransomware strain, called Rhysida, compromises victims across education, manufacturing, IT, and government using common intrusion vectors like phishing and remote service exploitation. Operated as ransomware-as-a-service, the cybercriminal developers work with affiliates to encrypt data and extort ransoms from organizations via double extortion tactics.
“According to statistics compiled by Malwarebytes, Rhysida has claimed five victims for the month of October 2023, putting it far behind LockBit (64), NoEscape (40), PLAY (36), ALPHV/BlackCat (29), and 8BASE (21)”, explains a recent Hacker News report.
First detected in May, Rhysida shows similarities in tactics with the notorious Vice Society ransomware group. The joint advisory from CISA, FBI, and MS-ISAC aims to spur mitigations like patching, securing external services, and maintaining offline data backups to limit damage from this unfolding campaign.
21 Critical Flaws Uncovered in Industrial Routers Bridging OT Networks to Internet Across Sectors
A concerning new report from cybersecurity researchers reveals the discovery of 21 vulnerabilities in a commonly deployed brand of industrial router. The flaws, found in both internal components and integrated open source code, open the door to serious risks like remote code execution, denial of service, and authentication bypass.
These routers play a vital role in bridging operational technology and Internet of Things networks to the wider internet via cellular in sectors like healthcare, transportation, and manufacturing. Their compromise could enable espionage or disruption of essential services. According to a recent Dark Reading report, “Seven of the newly discovered vulnerabilities lie in internal components of the routers. Fourteen of them derive from open source components, specifically, a captive portal for Wi-Fi networks and an XML processing library.”
The vulnerabilities stem largely from hard-coded credentials or mishandling of malicious inputs. The range of critical to high-severity flaws underscores the need for enhanced security hardening by vendors. Quick patching and added monitoring by end-users across affected sectors are also recommended.
Google Uncovers Exploits of Zimbra Zero-Day to Steal Government Emails Before Disclosure
A cyberespionage campaign has been revealed after Google’s Threat Analysis Group detected active exploits of a Zimbra collaboration platform vulnerability prior to its public disclosure. The reflected XSS flaw allowed threat actors to execute malicious code via crafted links sent in emails to authenticated users.
Exploits first spotted in late June targeted a government organization in Greece, enabling the theft of sensitive emails and attachments. A Security Week report explains further, “The flaw, described as a reflected cross-site scripting (XSS) bug, allows an attacker to execute malicious code by sending emails containing specially crafted URLs to the targeted organization.”
Zimbra patched the high-severity vulnerability, tracked as CVE-2023-37580, in late July. But Google found in-the-wild attacks had already begun weaponizing it against government sectors weeks prior. This underscores the impact of zero-days before vulnerabilities or patches become known. The attack also leveraged an email theft and auto-forwarding framework, posing further risks of stealthy data exfiltration.
CISA Unveils Roadmap to Operationalize AI Cybersecurity Directives from White House Executive Order
According to a Wired News report, The Cybersecurity and Infrastructure Security Agency has announced a new roadmap laying out plans to execute key artificial intelligence security tenets from the recent United States executive order. The CISA roadmap focuses on five areas, including guidance for responsible AI use in critical infrastructure and identifying vulnerabilities in AI systems. It also promotes public-private partnerships to build AI expertise and ethics principles.
According to CISA Director Jen Easterly, the roadmap aims to uphold accountability for executive order mandates while ensuring AI’s benefits are not outweighed by adversary misuse. As AI adoption accelerates, so do associated cyber risks.
Post-Takedown, Ransomware Group ‘Hive’ Evolves into ‘Hunters International’
Following the FBI’s successful takedown of the notorious ransomware group Hive, responsible for extorting $100 million from over 1,500 victims, a new player named Hunters International has surfaced. Despite utilizing a similar code, the group adamantly asserts no affiliation with its predecessor. The FBI’s infiltration and capture of decryption keys prevented a substantial $130 million in ransom payments.
Security experts, noting the adaptability of cybercriminal networks, reveal that Hive’s operators have swiftly transitioned into this new venture. Cyber News reports that “the groups’ ransomware still includes an aggressive mode aimed at disabling backup and restore functionality by executing a series of commands and attempting to terminate specific services and processes.” This development underscores the persistent and dynamic nature of cyber threats, showcasing how criminal groups evolve to circumvent law enforcement actions.
World’s Biggest Bank ICBC Hit By Ransomware Attack, Trading Disruption Ensues
The U.S. financial services arm of the Industrial and Commercial Bank of China (ICBC), the world’s largest lender, faced a ransomware attack, disrupting Treasury trading. According to a recent CNBC report, ICBC swiftly responded by isolating affected systems and initiating a comprehensive investigation with cybersecurity experts.
While the assailants remain undisclosed, ICBC affirmed the successful clearance of U.S. Treasury trades during the incident, showcasing resilience. The attack underscores the pervasive threat of ransomware in the financial sector, emphasizing the need for robust cybersecurity measures and collaborative efforts with law enforcement.
Major Cyber Attack on McLaren Health Care Exposes 2.2 Million Patient Records
In a significant cybersecurity breach, McLaren Health Care, a prominent Michigan-based healthcare provider, fell victim to a cyber attack in August, compromising 2.2 million individual records. The attackers, claiming to have accessed a staggering 6 terabytes of sensitive patient information, have raised alarming concerns about privacy and data security. McLaren Health Care Corporation, valued at $6.6 billion, encompasses a comprehensive healthcare system with a vast network of physicians, advanced imaging centers, ambulatory surgical clinics, and 14 top-tier hospitals.
As one of Michigan’s leading healthcare institutions, McLaren is committed to delivering exceptional and affordable medical care. However, this breach has exposed vulnerabilities, leading to a surge in federal cases against the healthcare system in the past month.
Sandworm Behind Unprecedented Cyber Assault on Danish Critical Infrastructure
In a historic cyber attack, the notorious Russian hacking group Sandworm has been identified as the perpetrator of the largest-ever assault on Danish critical infrastructure. SektorCERT, a non-profit safeguarding such sectors, revealed that the May 2023 attack targeted 22 companies, exploiting Zyxel firewall vulnerabilities.
Sandworm’s association with Russia’s GRU and its track record of high-profile attacks emphasize the urgency for bolstered cybersecurity measures and international collaboration to thwart such sophisticated threats, underlining a new era of cyber threats to essential systems.
Massive Cybersecurity Breach Exposes Health Data of 9 Million Americans
In one of the most significant health-related data breaches of the year, Perry Johnson & Associates (PJ&A) experienced a cyberattack compromising the personal and health information of 9 million Americans. The breach, ranking as the second-largest in 2023, occurred between March and May, targeting PJ&A, a medical transcription service provider.
Despite the breach being disclosed in October, the full scope was only recently revealed, bringing attention to the critical issue of securing sensitive health data. PJ&A has notified affected individuals, outlining the accessed information, including names, dates of birth, addresses, medical records, and treatment details.
Black Friday: Credit Card Skimming and Malvertising on the Rise
As the Black Friday holiday season approaches, a Malwarebytes report warns of escalating cyber threats, highlighting a 50% month-over-month increase in credit card skimming incidents, exemplified by the Kritec campaign. Known for its realistic payment templates, Kritec has compromised numerous websites, posing a significant risk to online shoppers.
Simultaneously, malvertising incidents have surged by 42% in the U.S. over the past two months. The sophistication of malicious ads, some impersonating renowned brands, indicates a growing threat landscape. This heightened risk demands increased cybersecurity measures for both organizations and individuals engaging in holiday shopping.
That’s all for today. Stay tuned for our next episode. See you next week!
