CISO Daily Update - March 5, 2024

NEW DEVELOPMENTS

Self-Propagating Worm Created to Target Generative AI Systems

Source: Infosecurity Magazine

"Morris II," a self-propagating computer worm that attacks generative AI (GenAI) systems, was created by researchers from the Israel Institute of Technology, Intuit, and Cornell Tech. The worm could distribute malware and gain unauthorized access to personal data by using adversarial self-replicating prompts that target weaknesses in GenAI models, e.g., by causing the model to replicate the input as output and to initiate other malicious actions. The report highlights the need for strong controls to address replication and propagation threats in GenAI-powered apps.

Article Link


American Express Credit Cards Exposed in Third-party Data Breach

Source: Bleeping Computer

American Express customers are alerted to a data breach affecting their credit cards due to an attack targeting a merchant processor. Although American Express was not compromised, customer data, including account numbers, names, and card expiration dates, may have been accessed by hackers. The breach's scope remains undisclosed, including the number of impacted customers and the identity of the breached merchant processor. American Express assures affected customers that they will not be held responsible for fraudulent charges and advises monitoring account statements for suspicious activity. Additionally, customers are encouraged to enable instant notifications through the American Express mobile app and consider requesting a new card number if their data is compromised.

Article Link


BlackCat Ransomware Turns Off Servers Amid Claim They Stole $22 Million Ransom

Source: Bleeping Computer

The ALPHV/BlackCat ransomware gang has reportedly shut down its servers amid allegations that they defrauded an affiliate of $22 million following a ransom payment from Optum, the operator of the Change Healthcare platform. While the gang's data leak blog and negotiation sites have been taken offline, the exact motive behind this action remains unclear—whether it signifies an exit scam or a rebranding effort. An affiliate claiming to have stolen critical data from Change Healthcare alleges that ALPHV/BlackCat suspended their account and seized the ransom payment. The incident mimics previous rebranding efforts by the ransomware operation, formerly known as DarkSide and BlackMatter, and further highlights the evolving nature of these threat actors and the ransomware landscape.

Article Link


Phobos Ransomware Aggressively Targeting U.S. Critical Infrastructure

Source: The Hacker News

U.S. cybersecurity and intelligence agencies have warned about Phobos ransomware targeting government and critical infrastructure entities, operating under a ransomware-as-a-service (RaaS) model. Phobos variants, including Eking, Eight, Elbie, Devos, Faust, and Backmydata, have been active since May 2019. Tactics include phishing, exploiting exposed RDP services, and using various remote access tools and techniques for infiltration and persistence. Phobos actors target domain administrator access and employ tools like BloodHound and SharpHound for reconnaissance and data exfiltration. A recent coordinated ransomware attack attributed to CACTUS targeted virtualization infrastructure and exploited a critical security flaw in Ivanti Sentry servers. Ransomware remains lucrative, with median ransom demands reaching $600,000 in 2023. However, payment does not guarantee data recovery or future protection, as evidenced by a high re-attack rate on organizations that have paid a ransom.

Article Link


Virgin Hotels Breach Exposes Thousands

Source: Cybernews

Virgin Hotels North America experienced a cybersecurity breach, exposing sensitive personal information, including Social Security numbers (SSNs) of over 4,000 individuals. The breach, discovered in late August 2023, prompted the company to engage a cybersecurity firm for incident response support. While the breach notification did not specify whether clients or employees were affected, Virgin Hotels plans to offer affected individuals complimentary identity protection and credit monitoring services.

Article Link


Over 100 Malicious AI/ML Models Found on Hugging Face Platform

Source: The Hacker News

Over 100 malicious AI/machine learning (ML) models have been discovered on the Hugging Face platform. These models can execute code upon loading a pickle file, potentially granting attackers full control over compromised machines through backdoor access. The rogue models establish connections to various IP addresses, including one associated with the Korea Research Environment Open Network (KREONET). The incident highlights the dangers of poisoned open-source repositories and the need for strong security controls governing AI use.
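As an added defender-side example (not code from the article, Hugging Face, or the researchers who found the models), the following Python shows two ways to keep a pickle-based model file from running code when it is loaded: a static scan of the pickle opcode stream for the opcodes that import modules or call objects, and an allowlisting unpickler that refuses any global not explicitly permitted. Both sample pickles are constructed here; the tainted one uses the harmless os.getcwd as a stand-in for whatever callable a malicious model would reference, so running it proves the point without doing anything to the host.

```python
import io
import os
import pickle
import pickletools

# Pickle opcodes that can import a module or invoke a callable while loading.
# A file made only of plain containers and numbers never needs them; real
# tensor formats do use GLOBAL/REDUCE, which is why the allowlist loader
# below exists as the second line of defence rather than a blanket ban.
CODE_EXEC_OPCODES = {
    "GLOBAL", "STACK_GLOBAL",                        # resolve module.attribute
    "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",  # call something
    "BUILD",                                         # __setstate__ / attribute writes
}


def scan_pickle(data):
    """Statically list code-executing opcodes in a pickle without loading it."""
    findings = []
    strings = []  # recent string constants; STACK_GLOBAL takes module/name from the stack
    for opcode, arg, _pos in pickletools.genops(data):
        if isinstance(arg, str):
            strings.append(arg)
        if opcode.name not in CODE_EXEC_OPCODES:
            continue
        if opcode.name == "STACK_GLOBAL" and len(strings) >= 2:
            findings.append("STACK_GLOBAL %s.%s" % (strings[-2], strings[-1]))
        elif opcode.name == "GLOBAL":
            findings.append("GLOBAL %s" % arg.replace(" ", "."))
        else:
            findings.append(opcode.name)
    return findings


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that only resolves (module, name) pairs on an explicit allowlist."""

    def __init__(self, data, allowed):
        super().__init__(io.BytesIO(data))
        self.allowed = frozenset(allowed)

    def find_class(self, module, name):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("blocked global %s.%s" % (module, name))


def safe_loads(data, allowed=()):
    """Load a pickle, refusing any global outside `allowed`."""
    return AllowlistUnpickler(data, allowed).load()


def load_is_blocked(data, allowed=()):
    """True when safe_loads() refuses the pickle instead of loading it."""
    try:
        safe_loads(data, allowed)
    except pickle.UnpicklingError:
        return True
    return False


class _Probe:
    """Constructed sample: an object whose pickle calls a global on load.
    os.getcwd stands in for an attacker's callable and does nothing harmful."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed samples: a benign "model" of plain containers, and a tainted one.
BENIGN_SAMPLE = pickle.dumps({"weights": [0.1, 0.2], "bias": 0.5}, protocol=4)
TAINTED_SAMPLE = pickle.dumps(_Probe(), protocol=4)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SAMPLE), ("tainted", TAINTED_SAMPLE)):
        print(label, "| findings:", scan_pickle(blob) or "none",
              "| blocked by allowlist loader:", load_is_blocked(blob))
```

The scan is useful as a repository or CI gate because it never executes the file; the allowlist loader is the runtime control, and for a real model framework the allowlist would hold the handful of reconstruction globals that framework legitimately emits, nothing from os, subprocess or builtins.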

Article Link


VULNERABILITIES TO WATCH

Critical TeamCity Bugs Endanger Software Supply Chain

Source: Darkreading

Critical vulnerabilities were discovered in JetBrains TeamCity, a popular CI/CD pipeline tool used by 30,000 organizations, including prominent companies such as Citibank, Nike, and Ferrari. The vulnerabilities, tracked as CVE-2024-27198 and CVE-2024-27199, could enable threat actors to bypass authentication and gain admin control over TeamCity servers. Rapid7 reported the flaws in February, with the criticality necessitating immediate patching for on-premises deployments through version 2023.11.3. Failure to patch could expose organizations to sophisticated attacks targeting the software development lifecycle. JetBrains has released an updated version, 2023.11.4, along with a security patch plugin for expedited protection.

Article Link


TA577 Exploits NTLM Authentication Vulnerability

Source: Infosecurity Magazine

Cybersecurity researchers at Proofpoint discovered a new tactic employed by the threat actor TA577, targeting organizations globally to steal NT LAN Manager (NTLM) authentication information. TA577 launched campaigns on February 26 and 27, 2024, sending tens of thousands of messages with zipped HTML attachments. Upon opening, these attachments attempted to connect to a Server Message Block (SMB) server controlled by the threat actor to capture NTLM hashes. While no malware delivery was detected, the stolen NTLM hashes could be exploited for password cracking or "Pass-The-Hash" attacks. The use of open-source toolkit Impacket on the SMB servers and the delivery method designed to bypass security measures highlight the sophistication of TA577's tactics. Organizations are advised to block outbound SMB to prevent exploitation of this vulnerability.
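To make the "block outbound SMB" advice concrete, here is an added Python example (not Proofpoint's or the article's code) that checks egress flow records for SMB connections leaving the network toward non-internal addresses, which is what an NTLM-capture attempt against an attacker-controlled server looks like from the perimeter. The flow records and their "timestamp src dst proto dport action" layout are constructed for the example; the internal address ranges are an assumption you would replace with your own.

```python
import ipaddress
from collections import Counter

# Ports used for SMB: direct-hosted SMB on 445 and NetBIOS session service on 139.
SMB_PORTS = {445, 139}

# Ranges treated as "internal" for this example: RFC 1918, loopback and link-local.
# ipaddress's is_private/is_global are deliberately not used, because they also
# cover special-purpose ranges (including the documentation ranges in the sample
# below) that are not part of anyone's internal network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed egress flow records in an assumed "timestamp src dst proto dport action" layout.
SAMPLE_FLOWS = """\
2024-02-26T09:14:05Z 10.20.31.7 10.20.1.5 tcp 445 allow
2024-02-26T09:14:21Z 10.20.31.7 203.0.113.44 tcp 445 allow
2024-02-26T09:14:22Z 10.20.31.7 203.0.113.44 tcp 139 allow
2024-02-26T09:15:02Z 10.20.31.9 198.51.100.17 tcp 443 allow
2024-02-26T09:15:40Z 10.20.31.12 192.0.2.200 tcp 445 deny
"""


def parse_flow(line):
    """Split one record into typed fields; raises ValueError on a malformed line."""
    ts, src, dst, proto, dport, action = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto.lower(),
        "dport": int(dport),
        "action": action.lower(),
    }


def is_external_smb(flow, internal_nets=()):
    """True for TCP SMB flows whose destination is outside every internal range."""
    if flow["proto"] != "tcp" or flow["dport"] not in SMB_PORTS:
        return False
    nets = INTERNAL_NETS + [ipaddress.ip_network(n) for n in internal_nets]
    return not any(flow["dst"] in net for net in nets)


def find_smb_egress(log_text, internal_nets=()):
    """Return (allowed, denied) lists of SMB-to-external flow records.

    `internal_nets` extends the built-in ranges with an organisation's own
    public address space, so its own servers are not reported as external.
    """
    allowed, denied = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if is_external_smb(flow, internal_nets):
            (allowed if flow["action"] == "allow" else denied).append(flow)
    return allowed, denied


def summarize_by_source(flows):
    """Count flows per source host, the unit on which an analyst would alert."""
    return dict(Counter(str(f["src"]) for f in flows))


if __name__ == "__main__":
    allowed, denied = find_smb_egress(SAMPLE_FLOWS)
    print("external SMB that got through:", summarize_by_source(allowed))
    print("external SMB already denied:", summarize_by_source(denied))
```

Any entry in the "allowed" list is a gap in the egress policy the article recommends; the "denied" list confirms the rule is working and still identifies the internal host that tried, which is the machine whose user opened the attachment and the NTLM credential to treat as exposed.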

Article Link


SPECIAL REPORTS

Cybersecurity Laws: Adapting to an Ever-Changing Threat Landscape

Source: The Cyber Express

Establishing standards, guidelines, and enforcement procedures is necessary to protect sensitive data and critical infrastructure from cyber threats. Current cybersecurity laws address a wide range of topics, including intellectual property protection, data privacy, breach reporting obligations, and the responsibilities of individuals and organizations to uphold a safe online environment. However, the rapid pace of technological advancement makes it difficult for cybersecurity laws and guidelines to keep up with new risks.

Article Link


What Organizations Need to Know About the Digital Operational Resilience Act (DORA)

Source: Help Net Security

The Digital Operational Resilience Act (DORA) is a recent EU regulation aimed at enhancing cybersecurity and operational resilience, particularly for financial entities (FEs) and third-party service providers. DORA aligns with the NIS2 directive but has sector-specific applicability, focusing on 20 financial entities. It was released on January 16, 2023, with full enforcement by January 17, 2025. Organizations must prioritize compliance efforts, with a focus on strengthening critical systems, incident reporting, resilience testing, and internal audit functions.

Article Link

John Giordani, DIA

Doctor of Information Assurance - Technology Risk Manager - Information Assurance and AI Governance Advisor - Adjunct Professor UoF

8 months

Phenomenal insights on the latest cybersecurity landscape!

Sophat Chev

Founder at 5MOS

8 months

Very useful reads.

Heidi W.

Business Growth Through AI Automation - Call to increase Customer Satisfaction, Reduce Cost, Free your time and Reduce Stress.

8 months

Stay vigilant and proactive in the face of evolving cyber threats. Marcos Christodonte II
