SugarGh0st RAT Targets AI Experts, SEC Amends Breach Notification Rules, Australian MediSecure Ransomware Attack - Daily Intel Briefing May 17, 2024

Welcome to the Daily Threat Briefing for May 17, 2024. Today's briefing explores three stories: a new campaign leveraging a newly identified RAT dubbed SugarGh0st RAT was found targeting AI experts, the SEC made amendments outlining a new 30-day reporting window for breach notifications, and a report on a ransomware attack against Australian healthcare provider MediSecure.


Executive Summary

1. SugarGh0st RAT Targets American AI Experts

Actionable Takeaway: Enhance security awareness and training to recognize and report phishing attempts. Implement advanced training for employees to report security issues beyond phishing to detect and mitigate threats like SugarGh0st RAT.


2. SEC Tightens Breach Notification Timelines

Actionable Takeaway: Financial institutions should update their incident response strategies and ensure compliance with the new SEC regulations to avoid penalties and protect consumer data.


3. Ransomware Hits Australian Healthcare Provider MediSecure

Actionable Takeaway: Strengthen oversight and security measures for third-party vendors. Ensure robust backup and disaster recovery processes are in place to restore operations quickly during a breach.


SugarGh0st RAT Used to Target American Artificial Intelligence Experts

On May 16, 2024, Proofpoint released a technical report on a sophisticated cyber attack operation called the SugarGh0st RAT Campaign. This attack has resulted in breaches into US companies, government agencies, and academia, explicitly targeting artificial intelligence experts. The actor believed to be behind this cyber campaign is likely China-affiliated based on a similarity to a previous version of the malware that a Chinese nation-state attack group used.

  • The malware used by the attacker was identified as a recent variant of the notorious Gh0st RAT. It was distributed through an AI-themed phishing lure that selectively targeted AI experts.
  • The campaign was tracked to a previously unknown threat actor, "UNK_SweetSpecter." The researchers identified the campaign as targeting fewer than 10 AI experts with direct links to a prominent US-based AI organization.
  • This highly focused campaign sought to obtain nonpublic information on generative artificial intelligence. The SugarGh0st variant of Gh0st RAT includes several advanced capabilities custom-made for reconnaissance, data exfiltration and lateral movement within the victim's system.
  • The actors used a free email account to send their targets an AI-themed email carrying a zip archive. If opened, the archive would deploy the SugarGh0st malware onto the victim's system.

Insights and Analysis

The targeted nature of this attack campaign highlights the attacker's interest in obtaining nonpublic information about generative artificial intelligence and points to an increasing trend of cyberattacks becoming more specialized.

  • These campaigns now target specific individuals, showcasing a shift in focus from mass attacks to more tailored attacks. This highlights the human element of cybersecurity, emphasizing the need for education and awareness among personnel in sensitive industries.
  • Custom variants of known malware indicate a persistent evolution in the cyber threat landscape. This stresses the importance of crafting secure code practices and implementing effective security measures for any applications utilized within a business environment.
  • The AI-themed phishing lure raises concerns over how sophisticated socially engineered attacks have become. The attackers were well aware of their targets' identities, interests and lines of work, and used that knowledge to craft a convincing lure.
  • This highly technical report contains Indicators of Compromise (IoCs). It highlights the malware's advanced capabilities in reading specific registry keys, loading and executing malicious code from library files, and issuing custom commands via the command-and-control (C2) interface.
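The delivery vector in this story is an emailed zip archive. What follows is an added defender-side example, not code from the original briefing or from Proofpoint's report: a small Python triage routine that inspects an attachment archive in memory before it reaches a user and flags members that have an executable or script-host extension, are nested archives, are encrypted (and therefore cannot be scanned), or carry a PE header under a harmless-looking extension. The extension lists, the `triage_zip` and `build_sample_archive` helpers and the sample archive contents are all constructed assumptions for this illustration and do not reproduce any artifact from the campaign.

```python
import io
import zipfile

# Assumed lists for this example (not from the Proofpoint report): extensions
# that Windows launches directly or hands to a script host, and container
# formats attackers use to nest a payload one layer deeper.
RISKY_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".lnk", ".hta", ".msi",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".bat", ".cmd", ".ps1",
}
NESTED_ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".iso", ".img"}
MZ_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable


def _extension(name: str) -> str:
    """Return the lowercase final extension of a member name ('' if none)."""
    base = name.lower().rsplit("/", 1)[-1]
    return base[base.rfind("."):] if "." in base else ""


def triage_zip(data: bytes) -> dict:
    """Inspect an in-memory zip attachment and return a findings report.

    The result is {"verdict": "allow" | "quarantine" | "reject",
                   "findings": [(member_name, reason), ...]}.
    Only the first two bytes of each member are read, so the check stays
    cheap even on large archives.
    """
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "reject", "findings": [("<archive>", "not a valid zip file")]}

    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            ext = _extension(info.filename)
            if ext in RISKY_EXTENSIONS:
                findings.append((info.filename, f"executable or script extension {ext}"))
            if ext in NESTED_ARCHIVE_EXTENSIONS:
                findings.append((info.filename, "nested archive"))
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flag = encrypted
                findings.append((info.filename, "encrypted member, content cannot be scanned"))
                continue
            with archive.open(info) as member:
                head = member.read(2)
            if head == MZ_MAGIC and ext not in RISKY_EXTENSIONS:
                findings.append((info.filename, "PE header under a non-executable extension"))

    verdict = "quarantine" if findings else "allow"
    return {"verdict": verdict, "findings": findings}


def build_sample_archive() -> bytes:
    """Constructed sample resembling a lure archive (names and bytes invented)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AI_Survey_Questions.pdf.lnk", b"L\x00\x00\x00placeholder shortcut data")
        zf.writestr("assets/helper.dat", MZ_MAGIC + b"\x90\x00placeholder PE bytes")
        zf.writestr("readme.txt", b"Please review the attached survey.")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive containing only document-type members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("survey.txt", b"Question 1: ...")
        zf.writestr("notes/agenda.csv", b"time,topic\n10:00,intro\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_archive()), ("benign", build_benign_archive())):
        report = triage_zip(blob)
        print(label, report["verdict"])
        for member, reason in report["findings"]:
            print("  ", member, "->", reason)
```

The verdict is deliberately coarse: anything flagged goes to quarantine for an analyst rather than being silently dropped, and encrypted members are treated as findings in their own right because a password-protected archive defeats content scanning regardless of what it holds. Checking the MZ magic independently of the extension catches a payload renamed to look like data and loaded later by a companion file.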


SEC: Financial organizations have 30 days to send data breach notifications

On May 15, 2024, the Securities and Exchange Commission released a technical report on the final amendments to Regulation S-P, which focuses on enhancing the security of nonpublic personal information handled by financial institutions. These amendments are in response to evolving technological landscapes and increasing cybersecurity threats.

  • The introduction of a mandatory incident response program for covered institutions, which include broker-dealers, investment companies, registered investment advisers, and transfer agents.
  • There is a requirement for covered institutions to notify affected individuals promptly (within 30 days) if their sensitive customer information was accessed or is likely to have been accessed without authorization.
  • Expansion of the scope of protected information under the safeguards and disposal rules to include all nonpublic personal information, whether obtained directly or received from other financial institutions.
  • Adjustments to compliance documentation and annual privacy notice delivery provisions, aligning them with the FAST Act's terms.

Insights and Analysis

The mandatory incident response program is a significant step towards standardized cybersecurity practices across all covered financial institutions.

  • An increased emphasis on the human element in cybersecurity, where quick and effective incident response can mitigate potential harm to individuals whose information may be compromised.
  • The requirement for covered entities to have written policies and procedures signifies a shift towards more formalized and structured cybersecurity practices, crucial for maintaining trust and integrity within the financial sector.
  • Harmonizing safeguards for customer information across different institutions and states enhances overall data security and consumer protection.


Australian government warns of 'large-scale ransomware data breach'

On May 16, 2024, the Australian government released a technical report on a large-scale ransomware breach impacting healthcare data. The breach, notably disclosed by MediSecure, involved:

  • A ransomware attack compromised individuals' personal and health information.
  • Early indicators suggest the breach originated at a third-party vendor used by MediSecure.
  • MediSecure acknowledges the breach's significant impact on customers and emphasizes its commitment to transparency and ongoing updates.
  • As historical context, the report recalls a similar October 2022 incident involving Medibank, which led to extensive healthcare data exposure on the dark web and subsequent cybersecurity reforms in Australia.
  • The Australian federal police initiated an investigation, with national cybersecurity coordinator Michelle McGuinness and Australia's minister for cybersecurity, Clare O'Neil, closely monitoring the situation and discouraging premature speculation about the breach.

Insights and Analysis

The early indication that the breach originated at a third-party vendor underscores how third-party integrations can become the weakest point in securing sensitive data.

  • This incident highlights the human element in cybersecurity, particularly the need for thorough vetting and continuous monitoring of third-party service providers who handle sensitive information.
  • It stresses the importance of robust incident response plans and transparent communication with affected parties to maintain trust and manage public perception during a data breach.
  • Given the historical context of the Medibank breach and the ongoing reforms, this incident suggests a need for improved secure coding practices and more stringent cybersecurity measures across the health sector.


Purpose and Disclaimer

Welcome to Device Threat Insights and Analysis, where I present three key stories that captured my attention as a threat intelligence professional. Please note that these reports are not affiliated with any organization, and my insights should be considered opinions or a starting point for navigating the vast sea of public reporting. Before taking action, conduct a thorough impact analysis specific to your business needs. Follow me for more content and stay ahead in the ever-evolving world of threat intelligence.


References:

Story 1:

https://www.proofpoint.com/us/blog/threat-insight/security-brief-artificial-sweetener-sugargh0st-rat-used-target-american

Story 2:

https://d6jxgaftxvagq.cloudfront.net/Uploads/o/u/r/secregulationspfactsheet_55860.pdf

https://www.bleepingcomputer.com/news/security/sec-financial-orgs-have-30-days-to-send-data-breach-notifications/

Story 3:

https://therecord.media/medisecure-data-breach-ransomware-australia-healthcare
