Cyber Watch – May 3rd, 2024


Welcome to the Cyber Watch series for today, May 3rd, 2024. At DigitalXForce, our Cyber Intelligence team curates a list of the latest cybersecurity news to keep you informed of stories that matter every week.  

This week’s Cyber Watch top 10 list is a compilation of stories from 50+ relevant news sources across the web – all ranked according to the risk impact. We encourage you to review these stories and take steps to protect your organization. Click on each headline to read the full story.

Browser APIs Create New Ransomware Risk, Researchers Expose

A new breed of ransomware that exploits powerful modern web browsers to encrypt users’ files for a ransom demand has emerged. This threat, demonstrated by cybersecurity researchers, stems from browser APIs that allow web applications to interact with the local file system.

Florida International University scientists, including Kemal Akkaya’s team and a Google researcher, revealed how hackers could hijack apps using the File System Access API in Chrome and Edge. If a user uploads files to a malicious site, like a fake photo editor, the attackers can access those folders and encrypt the contents. The researchers created a proof-of-concept “RøB” ransomware to analyze its real-world impact across operating systems, cloud providers, and antivirus products.

Their alarming findings: RøB could stealthily encrypt numerous file types while bypassing current ransomware defenses.

Verizon DBIR 2024 Highlights Vulnerability Exploits, Human Error in Breaches

The highly anticipated Verizon 2024 Data Breach Investigations Report (DBIR) has been released, providing a comprehensive analysis of the global cybersecurity landscape. Drawing on nearly 30,500 incidents and a record 10,626 confirmed data breaches across 94 countries, the report offers valuable guidance for organizations seeking to bolster their defenses against ever-evolving threats.

One of the key takeaways from the report is the alarming 180% increase in vulnerability exploitation as an initial breach entry point. This trend underscores the critical importance of robust vulnerability management strategies and the urgency for organizations to prioritize proactive measures, including agent-based and agent-less security solutions, advanced detection tools, and rapid patch management.

Additionally, the report highlights the persistent role of human error in facilitating data breaches. Alarmingly, users were found to click on phishing simulation links within a median time of just 21 seconds, emphasizing the need for continuous security awareness training and the potential of leveraging AI-powered solutions to augment human decision-making.

Agencies Warn of Pro-Russia Hacktivists Targeting OT Systems Across West

Cybersecurity agencies from the United States, United Kingdom, and Canada have raised concerns over pro-Russia hacktivist groups targeting operational technology (OT) facilities across North America and Europe. The joint advisory, titled “Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity,” sheds light on the disruptive activities of these threat actors since 2022.

According to the alert, Russian hacktivists have exploited vulnerabilities in outdated virtual network computing (VNC) remote access software and weak or default passwords on human-machine interfaces (HMIs). Their attacks have targeted small-scale OT systems in critical sectors such as water and wastewater, dams, energy, and food and agriculture.

The agencies revealed that these hacktivists have manipulated HMIs, causing water pumps and blower equipment to exceed normal operating parameters. They have maxed out set points, altered settings, turned off alarm mechanisms, and changed administrative passwords, locking out operators in some cases. While most victims swiftly reverted to manual controls, minor tank overflow events have occurred.

Cybercriminals Selling Remote Desktop Access on Hacker Forums

Cybersecurity communities are on high alert as an alarming trend emerges – the sale of Remote Desktop Protocol (RDP) access on underground hacker forums. This illicit trade poses a significant threat to individual and organizational cybersecurity, potentially granting unauthorized access to sensitive information and critical systems.

RDP, a proprietary protocol developed by Microsoft, is designed to enable remote administration and support. However, in the wrong hands, it can serve as a gateway for cybercriminals to install malware, steal confidential data, or gain control over critical infrastructure. The sale of RDP access typically involves credentials, including IP addresses, usernames, and passwords of vulnerable or compromised systems.

These credentials are often obtained through various nefarious means, such as phishing attacks, credential stuffing, or exploiting vulnerabilities in the RDP setup itself. 


UnitedHealth Pays Over $3.3 Billion to Providers After Change Healthcare Cyberattack

In the aftermath of a devastating cyberattack on its subsidiary, Change Healthcare, UnitedHealth Group has paid out a staggering $3.3 billion to affected healthcare providers. The disclosure comes months after the company revealed in February that a cyber threat actor had breached part of Change Healthcare’s information technology network.

The cyberattack caused widespread disruptions, leaving numerous healthcare providers temporarily unable to fill medication prescriptions or receive reimbursements from insurers. This abrupt halt in revenue cycles severely impacted operations and cash flows for providers relying on Change Healthcare’s services.

UnitedHealth Group’s swift action underscores the far-reaching consequences of such cyberattacks on critical healthcare infrastructure and the importance of robust cybersecurity measures. 


Continuum Discloses Data Breach Exposing 377,000 Patients’ Medical Records

Continuum, a prominent provider of health management and patient care coordination services, has disclosed a concerning data breach that has exposed the personal details and medical records of over 377,000 individuals. The company revealed that attackers gained unauthorized access to its systems on October 18th, successfully penetrating their defenses and accessing files containing sensitive patient data.

The breach notification letter from Continuum states that the attackers accessed a trove of highly sensitive information, including names, addresses, dates of birth, Social Security numbers, medical record numbers, provider names, and even clinical information such as diagnoses and treatment details. 

Exposing personal medical data poses severe risks for affected individuals, as this information could be exploited for identity theft, financial fraud, targeted phishing attacks, and blackmail, and it leaves patients’ medical histories and personal information permanently compromised.


Massive Data Breach Hits Australian Facial Recognition Firm Outabox

A major data breach has rocked Outabox, an Australian company that provides facial recognition kiosks to bars, clubs, and casinos. A website called “Have I Been Outaboxed” emerged this week, allegedly set up by former Outabox developers in the Philippines, claiming to have over 1 million records from the company’s database.

The leaked data includes sensitive personal information such as facial recognition biometrics, driver’s license scans, signatures, club membership details, addresses, birthdays, phone numbers, visit timestamps, and even slot machine usage data. The breach has sparked concerns over the privacy risks associated with the growing use of facial recognition technology in public spaces.

Privacy advocates have long warned about the potential for such data breaches involving facial recognition systems. The incident is being investigated by Australian police and federal agencies, with one arrest already made of a 46-year-old man in Sydney on blackmail charges related to the breach.


Dropbox Discloses Data Breach Impacting Sign E-Signature Service Users

Dropbox, the popular cloud storage and file-sharing company, has disclosed a significant data breach affecting customers of its electronic signature service, Sign, formerly HelloSign. The breach has compromised sensitive user data, including email addresses, usernames, phone numbers, hashed passwords, account settings, and authentication data such as API keys, OAuth tokens, and multi-factor authentication details.

According to Dropbox, a threat actor gained unauthorized access to the Sign production environment, enabling them to access customer information stored in the service’s database. Even individuals who merely received or signed a document through Sign without creating an account had their names and email addresses exposed in the breach.


CISA Adds Critical GitLab Vulnerability to Must-Patch List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical improper access control vulnerability affecting GitLab Community and Enterprise Editions to its Known Exploited Vulnerabilities (KEV) catalog. 

This flaw, tracked as CVE-2023-7028 with a maximum severity score of 10.0, enables account takeover via password reset without user interaction. It stems from an issue where password reset emails could be delivered to unverified email addresses, granting unauthorized access to accounts. 

GitLab has released patches in versions 16.7.2, 16.5.6, 16.6.4, and backported fixes to 16.1.6, 16.2.9, and 16.3.7 to address this flaw. Self-managed GitLab customers are advised to review logs for potential exploitation attempts and update their deployments immediately.

By adding CVE-2023-7028 to the KEV catalog, CISA has mandated that federal agencies remediate this vulnerability by May 22, 2024, under its Binding Operational Directive 22-01, which aims to reduce risks from known exploited vulnerabilities. However, researchers report thousands of instances still exposed online, primarily in the US, Germany, and Russia.
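GitLab’s advice to review logs, as an added example that is not from this article or from GitLab: a small Python sweep over constructed lines in the shape of gitlab-rails/production_json.log that flags password-reset requests whose email parameter is a JSON array of several addresses, the pattern that indicates a reset link may have been sent to an unverified address. The log layout, field names, addresses and IPs are assumptions for the example.

```python
import json
from typing import Any, Dict, Iterable, List

# Constructed sample lines modelled on gitlab-rails/production_json.log (one JSON
# object per line). Field names/layout are an assumption; addresses and IPs are made up.
SAMPLE_LOG = """\
{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","status":302,"remote_ip":"203.0.113.10","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["victim@example.com","attacker-controlled@example.net"]}}]}
{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","status":302,"remote_ip":"198.51.100.7","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"alice@example.com"}}]}
{"method":"GET","path":"/users/sign_in","controller":"SessionsController","action":"new","status":200,"remote_ip":"198.51.100.7","params":[]}
{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","status":302,"remote_ip":"203.0.113.10","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["bob@example.com"]}}]}
"""

def _email_values(node: Any) -> List[Any]:
    """Collect every value stored under an 'email' key anywhere in the params tree."""
    # GitLab logs params as [{"key": ..., "value": ...}] pairs, with the reset form's
    # fields nested under the "user" key, so both shapes are handled.
    found: List[Any] = []
    if isinstance(node, dict):
        if node.get("key") == "email":
            found.append(node.get("value"))
        for key, value in node.items():
            if key == "email":
                found.append(value)
            found.extend(_email_values(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(_email_values(item))
    return found

def suspicious_reset_requests(log_lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Return POST /users/password requests whose email parameter lists 2+ addresses."""
    # A legitimate reset form submits one address; an array of several is the pattern to
    # review when hunting CVE-2023-7028 abuse (the reset link may have reached an
    # address the account owner never verified).
    hits: List[Dict[str, Any]] = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a malformed line should not abort the whole sweep
        if entry.get("method") != "POST" or entry.get("path") != "/users/password":
            continue
        for value in _email_values(entry.get("params", [])):
            if isinstance(value, list) and len(value) > 1:
                hits.append({"remote_ip": entry.get("remote_ip"), "emails": value})
    return hits
```

Run it against the real log with `suspicious_reset_requests(open(path))`; any hit is a reset to review, and the source IP and address list give the investigator a starting point.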


UK’s NCSC Unveils Advanced Mobile Solutions to Bolster Cyber-Resilience Against Nation-State Threats

The National Cyber Security Centre (NCSC) has introduced Advanced Mobile Solutions (AMS), a pioneering initiative aimed at fortifying organizations’ mobile infrastructure against nation-state cyber threats. Addressing the risks posed by commercial spyware targeting consumer-grade devices, AMS aims to prevent these devices from becoming gateways for sophisticated threat actors into corporate systems.

Chris P., NCSC security architect, emphasized the necessity of protecting sensitive communications on mobile devices while acknowledging the impracticality of employing high-grade cryptographic appliances on consumer-grade devices. AMS operates on the principle that while individual devices may be compromised, the fleet as a whole should remain secure, with a compromised device posing no threat to bulk data or overall system security.

AMS is built upon several core principles, including the assumption that mobile devices are untrustworthy, the necessity of robust borders between mobile infrastructure and core networks, and the encryption of sensitive data to prevent aggregation in plain text. The initiative incorporates mobile device management tools, commercial data protection solutions, VPN terminators, continuous monitoring, and cross-domain data inspection.

That’s all for today. Stay tuned for our next episode. See you next week!
