cyber attack

---

TI10 Summary: Healthcare service provider, Optum, suffers cyber attack by nation-state rendering services unavailable

Article Title: UnitedHealth confirms Optum hack behind US healthcare billing outage

Threat Type: Cyberattack

Industry: Healthcare

Impact to Business: Business Disruption 

Additional Info: While unclear, the type of cyberattack bears all the signs of a ransomware attack.

“Optum Solutions, operates the Change Healthcare platform, which is the largest payment exchange platform between doctors, pharmacies, healthcare providers, and patients in the US healthcare system.  Change Healthcare has a wide presence in the US healthcare systems, used by hospitals, clinics, and pharmacies nationwide for electronic health reord (EHR) systems, payment processing, care coordination, and data analytics.” - Bleeping Computer

Mitigation: 

• Regularly perform updates & patching
• Maintain offline, encrypted backups of critical data
• Enable strong access controls and privilege management
• Implement a zero trust architecture to prevent unauthorized access to data and services
• Regularly educate and train employees

Source: https://www.bleepingcomputer.com/news/security/unitedhealth-confirms-optum-hack-behind-us-healthcare-billing-outage/

TI10 Summary: Chinese government agencies commissioned IT consulting firm for cyber espionage 

Article Title: New Leak Shows Business Side of China’s APT Menace

Threat Type: State-Sponsored Cyber Espionage

Industry: Not specific

Impact to Business: Information Disclosure

Additional Info: The leaked repository contained screenshots of a product catalog, technical specs of remote access trojans for Android, iOS, Linux, macOS & Windows platforms, an automated pentesting environment as well as additional tools & capabilities.  Documents show targeting activity covering a period between 2019-2022.

Mitigation: 

• Assess threat landscape to determine risk exposure & likelihood of threat attack (i.e. targeting intellectual property theft or third-party partnerships)
• Patch & maintain up-to-date antivirus signatures as well as run regular scans
• Retain backups separate from the network
• Adhere to industry best practices for supply chain risk management & auditing
• Enable detection rules for living-off-the-land TTPs based on environment
• Prepare a comprehensive incident response plan in case of incident or data breach

Source: https://krebsonsecurity.com/2024/02/new-leak-shows-business-side-of-chinas-apt-menace/

TI10 Summary: Hackers repurpose open-sourced network mapping tool to conduct malicious activities

Article Title: Cybercriminals Weaponizing Open-Source SSH-Snake Tool for Network Attacks

Threat Type: Worm

Industry: Not specific

Impact to Business: Information Disclosure

Additional Info: The tool is named “SSH-Snake”.  It replicates itself & spreads from one system to another as far as it can (lateral movement)

"The worm automatically searches through known credential locations and shell history files to determine its next move." - Miguel Hernández

Mitigation: Regularly perform updates & patching, design with security in mind

Source: https://thehackernews.com/2024/02/cybercriminals-weaponizing-open-source.html

TI10 Summary: US Government prepares water utilities against cyberattacks with 8 steps

Article Title: US govt shares cyberattack defense tips for water utilities

Threat Type: Multiple

Industry: Utilities

Impact to Business: Business disruption

Additional Info: Top Cyber Actions for Securing Water Systems

Mitigation: 

• Reduce Exposure to the Public-Facing Internet
• Conduct Regular Cybersecurity Assessments
• Change Default Passwords Immediately
• Conduct Inventory of Operational Technology/Information Technology Assets
• Develop and Exercise Cybersecurity Incident Response and Recovery Plans
• Backup OT/IT Systems
• Reduce Exposure to Vulnerabilities
• Conduct Cybersecurity Awareness Training

Source: https://www.bleepingcomputer.com/news/security/us-govt-shares-cyberattack-defense-tips-for-water-utilities/

TI10 Summary: Hackers exploit vulnerability in unpatched ScreenConnect servers to deploy ransomware

Article Title: ScreenConnect servers hacked in LockBit ransomware attacks

Threat Type: Vulnerability; Authentication Bypass Vulnerability

Industry: Not specific

Impact to Business: Business disruption, Financial

Additional Info: Tracked as CVE-2024-1709

“ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.” - Cybersecurity and Infrastructure Security Agency (CISA)

Mitigation: Perform vendor upgrade

Source: https://www.bleepingcomputer.com/news/security/screenconnect-servers-hacked-in-lockbit-ransomware-attacks/

TI10 Summary: Microsoft Exchange vulnerability allows hackers to perform code execution & elevate privilege 

Article Title: “Researchers from Shadowserver Foundation identified roughly 28,000 internet-facing Microsoft Exchange servers vulnerable to CVE-2024-21410”

Threat Type: Vulnerability, Elevation of Privilege

Industry: Not specific

Impact to Business: Information Disclosure 

Additional Info: Tracked as CVE-2024-21410

“A bypass vulnerability that can be exploited by an attacker to bypass the SmartScreen user experience and inject code to potentially gain code execution, which could lead to some data exposure, lack of system availability, or both.” - Pierluigi Paganini, Security Affairs

Mitigation: Turn on the Extended Protection for Authentication (EPA) for Exchange Servers; consult the Exchange Extended Protection documentation

Source: https://securityaffairs.com/159424/hacking/28000-vulnerable-microsoft-exchange-servers.html

TI10 Summary: Google Cloud Run used for malware distribution

Article Title: Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns

Threat Type: Malware, Phishing

Industry: Finance

Impact to Business: Information Disclosure

Additional Info: “Google Cloud Run is a service provided by Google that enables customers to build & deploy web services located in Google Cloud. Adversaries may view Google Cloud Run as an inexpensive, yet effective way to deploy distribution infrastructure on platforms that most organizations likely do not prevent internal systems from accessing” - Cisco Talos

Phishing emails remain the primary vector, impersonating trusted financial institutions and government tax agencies or other entities

Related malware families - Astaroth, Mekotio & Ousaban (banking trojans)

Mitigation: Phishing training

Source: https://blog.talosintelligence.com/google-cloud-run-abuse/

TI10 Summary: Network compromised thru VPN access point via former employee’s Admin account

Article Title: U.S. State Government Network Breached via Former Employee's Account

Threat Type: Account Compromise

Industry: Government 

Impact to Business: Information Disclosure

Additional Info: Multi-factor authentication (MFA) was not enabled.  It's likely the threat actor obtained the credentials from a separate data breach due to the fact that the credentials appeared in publicly available channels containing leaked account information.  The threat actor accessed host & user information which they posted on the dark web.

"Unnecessary accounts, software, and services in the network create additional vectors for a threat actor to compromise," - Cybersecurity and Infrastructure Security Agency (CISA) & Multi-State Information Sharing and Analysis Center (MS-ISAC)

Mitigation: Disable/remove accounts not in use, enable multi-factor authentication (MFA), implement the principle of least privilege; additionally create separate administrator accounts to segment access to on-premises & cloud environments.

Source: https://thehackernews.com/2024/02/us-state-government-network-breached.html

TI10 Summary: Exploited vulnerability denies internet access to applications

Article Title: KeyTrap attack: Internet access disrupted with one DNS packet

Threat Type: Denial-of-service (DoS)

Industry: Not specific

Impact to Business: Disruption 

Additional Info: Tracked as CVE-2023-50387; A vulnerability named KeyTrap allows a remote attacker to cause a long lasting denial-of-service (DoS) by sending a single DNS packet.

"Exploitation of this attack would have severe consequences for any application using the Internet, including unavailability of technologies such as web-browsing, e-mail, and instant messaging. With KeyTrap, an attacker could completely disable large parts of the worldwide Internet.” - National Research Center for Applied Cybersecurity ATHENE

“This security gap could have allowed attackers to cause major disruption to the functioning of the internet, exposing one-third of DNS servers worldwide to a highly efficient denial-of-service (DoS) attack and potentially impacting more than one billion users.” - Akamai

Mitigation: Follow vendor security advisories applying patches & updates

Source: https://www.bleepingcomputer.com/news/security/keytrap-attack-internet-access-disrupted-with-one-dns-packet/

TI10 Summary: Hacker tool turns off VMware ESXi firewall & automates ransomware deployment

Article Title: RansomHouse gang automates VMware ESXi attacks with new MrAgent tool

Threat Type: Ransomware

Industry: Not specific

Impact to Business: Disruption, Financial Loss

Additional Info: RansomHouse is a ransomware-as-a-service operation

“Ransomware groups target ESXi servers because they deploy and serve virtual computers that typically hold valuable data that can be used in the subsequent extortion process.  Also, ESXi servers often run critical applications and services for businesses, including databases and email servers, so the operational disruption from the ransomware attack is maximized.” - Bleeping Computer

Mitigation: Perform regular software updates, implement strong access controls, enable network monitoring & logging

Source: https://www.bleepingcomputer.com/news/security/ransomhouse-gang-automates-vmware-esxi-attacks-with-new-mragent-tool/

TI10 Summary: Hackers exploit Microsoft Exchange Server vulnerability to escalate privileges

Article Title: Microsoft: New critical Exchange bug exploited as zero-day

Threat Type: Elevation of Privilege

Industry: Not specific

Impact to Business: Information disclosure

Additional Info: Tracked as CVE-2024-21410; This security flaw can let remote unauthenticated hackers escalate privileges targeting vulnerable Microsoft Exchange Server versions.

Mitigation: Apply Microsoft security patch (update released during the February 2024 Patch Tuesday)

Source: https://www.bleepingcomputer.com/news/security/microsoft-new-critical-exchange-bug-exploited-as-zero-day/

TI10 Summary: Nation-state hackers use AI for reconnaissance, coding assistance & malware development

Article Title: Microsoft, OpenAI Warn of Nation-State Hackers Weaponizing AI for Cyberattacks

Threat Type: Social Engineering (and others)

Industry: Not specific 

Impact to Business: Information disclosure, disruptive or destructive activity

Additional Info: “Adversarial exploration of AI technologies has transcended various phases of the attack chain, such as reconnaissance, coding assistance, & malware development.” - The Hacker News

Mitigation: Microsoft is formulating a set of principles to mitigate risks posed by the malicious use of AI tools & APIs

Source: https://thehackernews.com/2024/02/microsoft-openai-warn-of-nation-state.html

TI10 Summary: Hackers exploit Fortinet bug & run malicious code on company networks

Article Title: New Fortinet RCE bug is actively exploited, CISA confirms

Threat Type: Remote Code Execution (RCE) Vulnerability 

How an RCE Attack Works by CrowdStrike

1. Hackers identify a vulnerability in a network’s hardware or software

2. In exploiting this vulnerability, they remotely place malicious code or malware on a device

3. Once the hackers have access to your network, they compromise user data or use your network for nefarious purposes.

Industry: Not specific 

Impact to Business: Information disclosure, business disruption

Additional Info: Fortinet flaws are commonly targeted to breach corporate networks in espionage campaigns & ransomware attacks

Mitigation: Keep software up to date, Implement Web Application Firewall, Sanitize user input anywhere you allow your users to insert data

Source: https://www.bleepingcomputer.com/news/security/new-fortinet-rce-bug-is-actively-exploited-cisa-confirms/

TI10 Summary: U.S. critical infrastructure compromised by People’s Republic of China (PRC) state-sponsored hackers

Article Title: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure

Threat Type: Advanced Persistent Threat (APT) Group; Volt Typhoon

Industry:  Communications, Energy, Transportation Systems, Water & Wastewater Systems 

Impact to Business:  Information disclosure, disruptive or destructive activity

Additional Info: U.S. agencies assess that People’s Republic of China (PRC) state-sponsored hackers are seeking to position themselves on IT networks to enable lateral movement to OT assets for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the U.S.

“As the authoring agencies have previously highlighted, the use of living off the land (LOTL) techniques is a hallmark of Volt Typhoon actors’ malicious cyber activity when targeting critical infrastructure. The group also relies on valid accounts and leverage strong operational security, which combined, allows for long-term undiscovered persistence. In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years. Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.” - Cybersecurity and Infrastructure Security Agency (CISA)

Mitigation: U.S. agencies urge critical infrastructure organizations to apply the mitigations in the CISA advisory

• Harden the attack surface by applying patches & limit internet exposure of systems when not necessary
• Secure credentials and change default passwords
• Secure accounts by implemented multi-factor authentication (MFA), separate user & privileged accounts as well as encore the principle of least privilege
• Secure remote access services by limiting Remote Desktop protocol (RDP) 
• Secure sensitive data ensuring only authenticated and authorized users can access
• Implement network segmentation 
• Secure cloud assets in accordance with vendor-provided or industry standard hardening guidance as well as revoke unnecessary public access to cloud environments

Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

TI10 Summary: [Zero-Day] Ivanti vulnerability allows attackers to bypass authentication & access restricted resources

Article Title: Newest Ivanti SSRF zero-day now under mass exploitation

Threat Type: [Zero-Day] Vulnerability, Server-Side Request Forgery (SSRF) Vulnerability;

Crowdstrike defines “Zero-Day” as “when security teams are unaware of their software vulnerability, and they've had “0” days to work on a security patch or an update to fix the issue. “Zero-Day” is commonly associated with the terms Vulnerability, Exploit, and Threat.”

Industry: Multiple

Impact to Business: Information disclosure, credential theft

Additional Info: Tracked as CVE-2024-21893, Impacts Ivanti Connect Secure & Ivanti Policy Secure vulnerable devices (versions 9.x and 22.x)

Mitigation: “Due to the situation with active exploitation of multiple critical zero-day vulnerabilities, lack of effective mitigations, and lack of security updates for some of the impacted product versions, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has ordered federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances. Only devices that have been factory reset and upgraded to the latest firmware version should be reconnected to the network. However, older versions that remain impacted are still without a patch.” - Bill Toulas, BleepingComputer.com

Source: https://www.bleepingcomputer.com/news/security/newest-ivanti-ssrf-zero-day-now-under-mass-exploitation/

TI10 Summary: Hackers target retail & employment agencies to steal user data

Article Title: ResumeLooters gang infects websites with XSS scripts and SQL injections to vacuum up job seekers' personal data and CVs

Threat Type: SQL Injection, Cross-Site Scripting (XSS)

Industry: Employment Agencies, Retail

Impact to Business: Information disclosure

Additional Info: ResumeLooters attempted to insert XSS scripts into all available employment agency forms to obtain admin credentials - these attacks are fueled by poor security as well as inadequate database & website management practices.

Mitigation: To prevent SQL Injection attacks:

• Use parameterized or prepared statements from your programming language rather than linking user input directly to SQL queries to differentiate between SQL code & user input
• Validate user input on the client & server - ensure the input follows the expected format & length
• Implement Web Application Firewalls (WAF) to detect & block SQL injections

To prevent XSS Infection:

• Validate user input on the client & server - ensure the input follows the expected format & length
• “Before rendering user-generated content, escape special characters to ensure that they are treated as literal text and not interpreted as code.” - Group-IB

Source: https://www.group-ib.com/blog/resumelooters/

TI10 Summary: Hackers host & push malware payloads via legitimate online platforms

Article Title: Hackers push USB malware payloads via news, media hosting sites

Threat Type: Malware

Industry: Health, transportation, construction, & logistics

Impact to Business: Information disclosure, cryptocurrency theft

Additional Info: Threat actor uses USB devices for initial infection & has been found abusing GitHub, Vimeo & Ars Technica to host encoded payloads.  These payloads are hidden in plain sight - they pose no risks to users visiting these web pages as they are only text strings.  However, when combined with the campaign's attack chain they are significant in downloading & executing malware in attacks.

Mitigation: Enable USB device control; Cybersecurity awareness & training about the risks associated with USB devices - avoid plugging in unknown USB devices.

Source: https://www.bleepingcomputer.com/news/security/hackers-push-usb-malware-payloads-via-news-media-hosting-sites/#google_vignette

TI10 Summary: Vulnerability threatens integrity of SSH connections

Article Title: Nearly 11 million SSH servers vulnerable to new Terrapin attacks

Threat Type: Vulnerability

Industry: Not specific

Impact to Business: May lead to phishing attacks & provide attackers with Man-in-the-Middle capabilities within encrypted sessions 

Mitigation: Patching CVE-2023-48795.  Check if an SSH client or server is susceptibility to Terrapin; vulnerability scanner

Source: https://www.bleepingcomputer.com/news/security/nearly-11-million-ssh-servers-vulnerable-to-new-terrapin-attacks/