CISO Daily Update - May 1, 2024
NEW DEVELOPMENTS
Kansas City System Providing Roadside Weather, Traffic Info Taken Down by Cyberattack
Source: The Record
Last week, a cyberattack took down the Kansas City Scout System, disrupting the real-time weather and traffic information services that drivers rely on during dangerous storms. The outage was confirmed as a cyberattack and affected all systems, including traffic cameras and message boards. As efforts to restore service continue, drivers are urged to navigate based on current road conditions. The incident, which occurred amid a weekend of deadly storms in the region, reinforces the vulnerability of critical infrastructure to cyber threats.
Philadelphia Inquirer Struck by Cyberattack
Source: Cybernews
The Philadelphia Inquirer disclosed a cyberattack affecting over 25,000 readers. Unauthorized access between May 11th and May 13th, 2023, led to the copying of certain user files, including financial and account information. While no evidence of misuse has been found, the newspaper is offering affected individuals free credit monitoring and identity theft protection services for 24 months as a precaution. Established in 1829, the Inquirer is one of the US's oldest daily newspapers, with a daily circulation exceeding 60,000 copies.
Change Healthcare Hacked Using Stolen Citrix Account With No MFA
Source: Bleeping Computer
Change Healthcare fell victim to a ransomware attack orchestrated by the BlackCat gang, which exploited a Citrix account lacking multi-factor authentication. In testimony, UnitedHealth CEO Andrew Witty provided details on the attack and its impact, which included extensive operational disruptions and financial losses. Attackers had access to the network for ten days before encrypting systems and exfiltrating corporate and patient data for extortion. A ransom was paid; Witty described the decision as one of the hardest he had faced. Remediation efforts included system containment, extensive IT replacements, and rebuilding core services. While some data leakage occurred, no evidence suggests the compromise of comprehensive medical records or doctors' charts.
US Spy Agencies to Share Intelligence on Critical Infrastructure in Policy Revamp
Source: Cyberscoop
President Joe Biden is expected to sign a revised policy to enhance intelligence sharing between U.S. intelligence agencies and critical infrastructure owners and operators. This move comes amid a surge in cyberattacks targeting critical systems like water treatment facilities and the electrical grid. The updated directive addresses technological and geopolitical changes that have altered the threat landscape. It clarifies the roles of agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and emphasizes resilience in the face of evolving threats. Despite calls to designate the space industry as critical infrastructure, the administration has decided to maintain the existing 16 sectors.
Google Blocked 2.3M Apps From Play Store Last Year for Breaking the G Law
Source: The Register
Google's enhanced security measures and policies enabled it to block a staggering 2.3 million potentially malicious Android apps from being published on the official Play Store last year, marking a significant increase from the previous year. The tech giant also took down 333,000 developer accounts and rejected an additional 200,000 apps for improperly handling sensitive permissions. Key initiatives included updated rules governing AI apps, notifications, privacy, and account data deletion, as well as stricter developer verification and testing requirements. While not infallible, as evidenced by past incidents of malicious apps slipping through, Google attributes this improved policing to investments in advanced machine learning, app review processes, and its commitment to upholding stringent security standards in line with regulations like the EU's Digital Services Act.
Millions of Malicious 'Imageless' Containers Planted on Docker Hub Over 5 Years
Source: The Hacker News
Cybersecurity researchers uncovered multiple campaigns targeting Docker Hub by planting millions of malicious "imageless" containers over the past five years. These containers, devoid of actual content, serve as landing pages redirecting users to phishing or malware-hosting websites. Three main campaigns have been identified: downloader, e-book phishing, and website redirection. The malicious payload delivered via these campaigns poses a significant threat, with users having limited means to protect themselves. As threat actors continue to exploit open-source registries like Docker Hub, developers are urged to exercise caution when downloading packages to mitigate supply chain attacks.
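The item above describes repositories that hold no image at all and exist only to carry a lure description with an outbound link. A simple triage heuristic over registry metadata can surface that pattern before anyone pulls from such a repository. The following is an added example, not code from the article or from the researchers it cites; it assumes a simplified, constructed record shape (name, tag count, description text, pull count) rather than any real registry API response, and the lure vocabulary is illustrative, not a published indicator list.

```python
"""Triage heuristic for 'imageless' container registry repositories.

Added example, not from the article or from the cited research. Input
records use a constructed, simplified shape; a real feed would be built
from the registry's own API and mapped into Repo objects.
"""
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://[^\s)\]]+", re.IGNORECASE)

# Phrasing typical of download/e-book lure pages. Illustrative list only;
# these are not indicators taken from the research described above.
LURE_WORDS = ("download", "free", "ebook", "e-book", "crack", "click here", "pdf")

# Link destinations a legitimate image README commonly points at.
KNOWN_SOURCE_HOSTS = ("hub.docker.com", "github.com")


@dataclass(frozen=True)
class Repo:
    name: str
    tag_count: int      # number of pushed tags (0 means no image at all)
    description: str    # README / overview text shown on the repo page
    pull_count: int


def score_repo(repo: Repo) -> tuple[int, list[str]]:
    """Return (score, reasons); a higher score is more suspicious.

    The weights are a judgement call: an empty repo with an outbound link
    and lure wording is the exact shape of the campaigns described.
    """
    score = 0
    reasons: list[str] = []

    if repo.tag_count == 0:
        score += 3
        reasons.append("no images pushed")

    urls = URL_RE.findall(repo.description)
    external = [u for u in urls if not any(h in u for h in KNOWN_SOURCE_HOSTS)]
    if external:
        score += 2
        reasons.append(f"{len(external)} external link(s)")

    text = repo.description.lower()
    hits = [w for w in LURE_WORDS if w in text]
    if hits:
        score += len(hits)
        reasons.append("lure wording: " + ", ".join(hits))

    return score, reasons


def triage(repos: list[Repo], threshold: int = 5) -> list[tuple[str, int, list[str]]]:
    """Return (name, score, reasons) for every repo at or above the threshold."""
    flagged = []
    for repo in repos:
        score, reasons = score_repo(repo)
        if score >= threshold:
            flagged.append((repo.name, score, reasons))
    return flagged


# Constructed sample records: one genuine image, one lure repo, one
# harmless empty placeholder (which scores below the threshold).
SAMPLE_REPOS = [
    Repo("acme/nginx-hardened", 4,
         "Hardened nginx build. Source: https://github.com/acme/nginx", 12000),
    Repo("bob/free-ebook-2024", 0,
         "Download the free PDF e-book here: https://example.invalid/get", 3),
    Repo("carol/empty-placeholder", 0, "reserved", 0),
]

if __name__ == "__main__":
    for name, score, reasons in triage(SAMPLE_REPOS):
        print(f"{name}: score {score} ({'; '.join(reasons)})")
```

The placeholder repo shows why the empty-repo signal alone should not trigger a block: plenty of legitimate namespaces are reserved before anything is pushed, so the heuristic only escalates when the lure link and wording are also present.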
New Latrodectus Malware Attacks Use Microsoft, Cloudflare Themes
Source: Bleeping Computer
The Latrodectus malware, associated with the developers of IcedID, is now being distributed via phishing campaigns using Microsoft Azure and Cloudflare themes to appear legitimate and evade detection. These emails, distributed through reply-chain phishing, contain PDF attachments or URLs leading to a fake Cloudflare captcha that conceals JavaScript files which download the Latrodectus malware. Once installed, it drops a DLL file, enabling malicious activity in the background and potentially leading to further malware infections or network breaches.
VULNERABILITIES TO WATCH
Threat Actors Claim 0-Day Vulnerability in Zyxel VPN Device
Source: Cyber Security News
Threat actors claim to have discovered a critical zero-day vulnerability in Zyxel VPN devices widely used across government, finance, and healthcare sectors. The alleged flaw, which allows unauthorized access to private networks, was made public by the cybersecurity monitoring group MonThreat but has yet to be officially confirmed by Zyxel. With no available patch and the potential for exploitation, organizations utilizing these VPN devices face risks of compromise before a fix is released.
Linux Kernel Vulnerability (CVE-2024-26925) Let Hackers Access Unauthorized Data
Source: Cyber Security News
A critical vulnerability in the Linux kernel's netfilter subsystem (CVE-2024-26925) has been patched. Found in the nf_tables component used for packet filtering, the flaw stemmed from a mutex being released at the wrong point in the garbage collection sequence, potentially leading to race conditions. Greg Kroah-Hartman, a key kernel maintainer, rectified the issue by adjusting the order in which the mutex is released. Users are strongly advised to update to the latest stable kernel version to mitigate risk.
SPECIAL REPORTS
Ransom Payments Surge by 500% to an Average of $2M
Source: Infosecurity Magazine
According to Sophos' State of Ransomware 2024 report, ransomware demands and payments have increased in the past year with the average ransom payment surging by 500% to $2 million per incident. About 63% of ransom demands exceeded $1 million, with 30% demanding over $5 million. Smaller organizations with under $50 million in revenue accounted for 46% of seven-figure ransom demands. While some victims negotiated lower payments, 94% of paid ransoms matched the initial demand on average. Insurance providers funded nearly a quarter of all ransom payments, as recovery costs excluding ransoms averaged $2.73 million.
DHS, CISA Partner to Secure Critical Infrastructure in the Age of AI
Source: The Cyber Express
The Department of Homeland Security (DHS), collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) and the Countering Weapons of Mass Destruction Office (CWMD), unveiled a comprehensive strategy to secure critical infrastructure against emerging AI threats. This multi-pronged approach includes guidelines for categorizing AI risks to infrastructure across three classes (attacks using AI, attacks targeting AI systems, and AI design flaws) and proposes mitigation through governance, mapping, measurement, and management. Additionally, DHS analyzed AI misuse for developing chemical, biological, radiological, and nuclear (CBRN) threats and established an AI Safety and Security Board, an AI Roadmap, and an AI Corps to bolster expertise.
Ransomware Rising Despite Takedowns, Says Corvus Report
Source: Infosecurity Magazine
Despite recent takedowns of ransomware groups like LockBit and BlackCat, Corvus Insurance's latest report reveals a 21% increase in ransomware activity in Q1 2024 compared to the same period last year. The void left by takedowns has been swiftly filled by new ransomware gangs, resulting in the highest activity ever recorded for a first quarter. Affiliates of dismantled groups have transitioned to other ransomware operations, with upticks in activity by groups like Black Basta and Akira. Information technology and services remain the most targeted industries.