Welcome to the Cyber Watch series for today, February 2, 2024. At DigitalXForce, our Cyber Intelligence team curates a list of the latest cybersecurity news to keep you informed of the stories that matter every week.
This week’s Cyber Watch top 10 list is a compilation of stories from 50+ relevant news sources across the web – all ranked according to the risk impact. We encourage you to review these stories and take steps to protect your organization. Click on each headline to read the full story.
CISA Urges Federal Agencies to Disconnect Ivanti VPNs Amid Active Exploitation, Zero-Day Threats, and State-Suspected Actors
In response to severe vulnerabilities in Ivanti Connect Secure and Policy Secure VPNs, CISA issued a directive mandating federal agencies to disconnect affected devices. Ivanti released patches on Jan. 31, including fixes for exploited zero-days. Threat actors targeted authentication bypass and command injection flaws, posing grave risks to federal systems. The emergency directive reflects the imminent danger, with CISA emphasizing national security concerns.
While specific to federal agencies, the underlying security issues are deemed relevant to all using Ivanti products, urging non-federal organizations to adopt preventive measures. Mandiant’s identification of broad exploitation, involving a suspected China-nexus espionage threat actor, adds geopolitical dimensions to the cybersecurity landscape.
Ransomware Attacks Surge 68% in 2023 Compared to 2022
A Corvus Insurance report reveals a 68% surge in ransomware attacks in 2023. Despite a Q4 dip, a record-breaking year with 4,496 victims signals a persistent threat landscape. The takedown of the Qakbot malware network in Q3 impacted Q4, contributing to fewer victims and a shift in tactics. The 34% rise in active ransomware groups throughout the year is attributed to the fragmentation of established groups that share encryptors.
Notably, the ALPHV/BlackCat group’s decline in the legal sector and the consistent targeting of the transportation industry underscore evolving threat dynamics. Industries sensitive to business interruption, such as transportation, logistics, and storage, become attractive targets for groups like Lockbit 3.0 and ALPHV/BlackCat.
Schneider Electric Hit by Ransomware Attack; Cactus Group Claims Responsibility
Energy giant Schneider Electric falls prey to a ransomware assault by the Cactus group, exposing its Sustainability Business division’s data, including terabytes of corporate information. The incident, occurring on January 17, 2024, has prompted Schneider’s swift response, involving the shutdown of specific systems and engagement of its global incident response team. Customers of the affected Sustainability Business, encompassing notable brands like Hilton, Pepsico, and Walmart, have been notified of the breach.
While the investigation is ongoing, Schneider has confirmed that data was accessed but has given no clarity on the extent or nature of the compromise. This recurrence of a ransomware attack, following a previous incident involving LockBit’s MOVEit campaign in 2023, raises concerns about the energy sector’s cybersecurity resilience. The Cactus group, increasingly active in recent months, adds to the urgency of fortifying critical infrastructure against evolving and persistent cyber threats.
Russian State-Sponsored Cyber Campaign ‘The Bear and the Shell’ Targets Dissidents Globally with Spear-Phishing Tactics
A spear-phishing campaign named “The Bear and the Shell” has been uncovered by threat intelligence firm Cluster25, revealing a targeted effort against entities critical of the Russian government and aligned with dissident movements. The campaign utilizes sophisticated social engineering tactics, deploying seemingly legitimate lures, including a NASA-themed email disguising a job offer ZIP file.
Once opened, the file deploys a multiplatform reverse shell named HTTP-Shell, granting remote access to victims’ systems. The attackers employ a shared command and control (C&C) server disguised as a PDF editing site for evasion. Cluster25’s investigation uncovered multiple campaigns with similar kill chains, lure themes, and shortcut icons, indicating a coordinated effort against various targets globally.
The attackers expanded their tactics, incorporating themes like USAID and targeting organizations like Bellingcat and independent Russian media outlets. While definitive attribution is challenging, evidence suggests a Russian state-sponsored threat actor, raising concerns about cyberattacks suppressing dissent and silencing critics.
Sophisticated Nation-State Actor Breaches Cloudflare in Advanced Attack; Incident Linked to Okta Data Breach
Cloudflare, a global IT services and cloud provider, disclosed a security incident where a sophisticated nation-state actor infiltrated its network. Discovered on Thanksgiving Day in 2023, the threat actor had been moving within Cloudflare’s systems for nearly two weeks. Engineering teams swiftly mitigated the threat within three days, emphasizing that no customer data or systems were impacted. The security lapse was connected to the massive Okta breach from last fall, where attackers compromised sensitive customer data, including login credentials for Cloudflare’s enterprise support services customers.
The threat actor, utilizing stolen Okta credentials, accessed Cloudflare’s Atlassian server, gaining limited access to documentation and source code. Cloudflare acknowledged a security blunder, revealing that compromised login credentials meant to be rotated were mistakenly overlooked. The attacker breached Atlassian products, Cloudflare’s AWS environment, Cloudflare Apps Marketplace, and a Bitbucket service account.
The threat actor’s attempts to access data centers, repositories, and the dashboard were unsuccessful, but they displayed a keen interest in many aspects of system access. Cloudflare’s swift response and robust security measures limited lateral movement and prevented any impact on customer data or configurations.
Arrests Made in $400 Million Crypto Heist Linked to FTX’s Bankruptcy
The US Department of Justice has indicted three individuals—Robert Powell, Carter Rohn, and Emily Hernandez—for allegedly operating a cybercriminal theft ring known as the “Powell SIM Swapping Crew.” The group is accused of using SIM swap techniques to trick phone companies into redirecting users’ mobile phone registrations to their own SIM cards, enabling access to authentication codes and stealing hundreds of millions of dollars.
Notably, the crew is charged with siphoning $400 million in virtual currency from a company referred to as “Victim Company-1” on the night of November 11, 2022—the exact timing of FTX’s cryptocurrency theft during its bankruptcy declaration.
Blockchain analysis firm Elliptic supports the inference that FTX is likely “Victim Company-1.” The indictment details how the crew executed the SIM swap, involving obtaining a fake ID and presenting it at an AT&T retail store in Texas. This allowed the theft of authentication codes, essential for account access.
Albania’s Institute of Statistics Faces Cyberattack; Authorities Investigate Source
Albania’s Institute of Statistics (INSTAT) reported a sophisticated cyberattack on Wednesday, emphasizing that while some of its systems were affected, those related to a recent census remained unharmed. After detecting the attack, INSTAT promptly closed internet links and activated emergency protocols to safeguard data. The institute is actively cooperating with authorities to identify the source and motives behind the cyberattack. The incident comes after a similar attack on the country’s Parliament website in December.
Notably, Albania faced a cyberattack in July 2022, attributed to the Iranian Foreign Ministry, targeting the nation for sheltering members of the Iranian opposition group Mujahedeen-e-Khalq (MEK). This led to a diplomatic fallout between Albania and Iran. In this recent incident, the government and international technology companies are working to strengthen cybersecurity measures and restore normal functioning.
GM’s Cruise Faces DOJ and SEC Investigations Over Autonomous Vehicle Incident
General Motors’ autonomous vehicle division, Cruise, is under investigation by the Department of Justice (DoJ) and Securities and Exchange Commission (SEC) following an October 2023 incident involving a jaywalking pedestrian. The pedestrian was struck by a Cruise autonomous vehicle, dragged for 20 feet, and suffered exacerbated injuries. Cruise recently released findings admitting it “failed to live up to the justifiable expectations of regulators” and is fully cooperating with investigators.
A third-party report alleges that Cruise withheld crucial details during a briefing with officials, specifically the fact that the vehicle dragged the victim for 20 feet after the initial collision. The report criticizes Cruise’s leadership, citing poor judgment, lack of coordination, and a fundamental misunderstanding of obligations to accountability and transparency.
Former Cruise CEO Kyle Vogt resigned, revealing the company’s struggles with recognizing children and the frequent need for human intervention. GM, the owner of Cruise, expressed support for Cruise’s mission despite the challenges. Cruise’s California operating license remains suspended, and it faces not only federal investigations but also a lawsuit from San Francisco over the incident.
UK Accounting and Security Bodies Launch Taskforce to Enhance Cybersecurity in Corporate Finance Deals
The Institute of Chartered Accountants in England and Wales (ICAEW) and the National Cyber Security Centre (NCSC), alongside leading organizations in banking, law, and consulting, are forming a task force to address cybersecurity in corporate finance deals. This initiative aims to guide companies involved in activities like fundraising, mergers and acquisitions (M&A), and initial public offerings (IPOs) to mitigate cyber risks. The 14 participating organizations, including Deloitte, EY, KPMG, and UK Finance, will release recommendations on building resilience against cyber-attacks, safeguarding sensitive data exchanged during deals, and responding to breaches.
ICAEW’s CEO, Michael Izza, emphasizes the potential impact of cyber-attacks on the dealmaking process and calls for serious preventive actions. The task force aims to ensure London maintains its status as a prominent hub for deals, investments, and growth. NCSC’s deputy director, Sarah Lyons, notes the attractiveness of chartered accountants as targets for threat actors due to the sensitive financial data they handle.
EU Adopts First Cybersecurity Certification Scheme to Enhance IT Product and Service Security Across Member States
The European Union (EU) has approved its inaugural Cybersecurity Certification scheme, the European Cybersecurity Scheme on Common Criteria (EUCC), aimed at elevating the cybersecurity standards of IT products and services across member states.
Drafted by the European Union Agency for Cybersecurity (ENISA), the voluntary EUCC will replace existing national certifications after a transition period. It provides a standardized assessment process for Information and Communication Technology (ICT) suppliers, allowing them to demonstrate cybersecurity assurance for digital products. The scheme offers two assurance levels based on the risk associated with the intended use of the product or service.
EUCC, based on the SOG-IS Common Criteria evaluation framework, incentivizes suppliers to enhance security, fostering competition in national, EU, and global markets. ENISA plans to publish certificates issued under EUCC. This initiative aligns with the EU’s broader efforts to establish a trusted digital single market and follows recent legislative actions, including the Cyber Resilience Act and updates to the Network and Information Security Directive, reflecting the increasing focus on cybersecurity regulations and standards.
That’s all for today. Stay tuned for our next episode. See you next week!