Daily Brief

Articles are listed below, each followed by a generated summary.

2024-05-10 18:55:16 bleepingcomputer CYBERCRIME Major US Healthcare System Disrupted by Ransomware Attack
Ascension, a prominent U.S. healthcare network, is experiencing clinical operation disruptions and outages across several hospitals due to a suspected ransomware attack. Key systems affected include MyChart electronic health records, phone systems, and systems for ordering tests, procedures, and medications. Ambulances are being redirected and non-urgent procedures paused to prioritize emergency services and ensure safety and continuity of care. Ascension advised business partners to disconnect from its network and is working with Mandiant experts to assess and mitigate the situation. The attack has been attributed to the Black Basta ransomware gang, which is known for accelerating attacks against the healthcare sector and other high-profile targets globally. The healthcare system remains on downtime procedures and is rescheduling non-emergent services, requiring patients to bring detailed personal medical information to appointments. Ascension is one of the largest private U.S. healthcare systems, with substantial national reach and significant annual revenue, demonstrating the potential scale and impact of the breach.
2024-05-10 18:19:20 theregister DATA BREACH Over 500,000 Affected in Ohio Lottery Personal Data Breach
Over half a million customers of the Ohio Lottery had their personal data compromised following a security breach on Christmas Eve. The breach exposed the names and Social Security numbers of approximately 538,959 individuals. Although the Ohio Lottery has found no evidence of misuse of the leaked data, it has offered a year of free credit monitoring and ID theft protection to the affected parties. The attack did not affect the lottery's gaming systems, but it did temporarily prevent payouts for winnings above $599. DragonForce, a ransomware gang, claimed responsibility for the data theft and claims to have stolen significantly more data than the Ohio Lottery reported. The stolen data, which supposedly includes dates of birth and other sensitive information not disclosed in the regulatory filing, has allegedly been made available for download by DragonForce. Whether the attack involved ransomware or was solely an extortion attempt is still unclear, but the responsible group is known for using double extortion tactics.
2024-05-10 16:57:29 bleepingcomputer CYBERCRIME Critical Vulnerabilities Found in Industrial IoT Modems
Security researchers from Kaspersky identified critical flaws in Telit Cinterion cellular modems, which are commonly used in the industrial, healthcare, and telecom sectors. A series of eight vulnerabilities, with impacts ranging from code execution to potential network compromise, has been disclosed. The most severe vulnerability, CVE-2023-47610, allows remote execution of arbitrary code via specially crafted SMS messages, without authentication. Attackers can exploit these vulnerabilities to gain in-depth access to the modem's operating system and manipulate memory, potentially taking complete control of the device. Although Telit has patched some of the issues, others remain unresolved, posing ongoing risks. The vulnerabilities have broad implications, potentially affecting global network security and device integrity due to the wide deployment of these modems. Kaspersky suggests mitigation strategies including disabling SMS for vulnerable devices and enforcing strict application signature checks to protect against unauthorized changes.
2024-05-10 15:41:07 bleepingcomputer DATA BREACH Ohio Lottery Hit by Ransomware, Over Half a Million Affected
The Ohio Lottery experienced a ransomware attack on December 24, 2023, affecting 538,959 individuals. Compromised personal data includes names, Social Security numbers, and other identifiers. The gaming network remained unaffected, so lottery games saw no operational impact. A detailed forensic investigation concluded on April 5, 2024, identifying the specific files that were breached. In response, the Ohio Lottery is offering free credit monitoring and identity theft protection services. The DragonForce ransomware group claimed responsibility and later leaked data after negotiations failed. The leaked data reportedly involves 1.5 million records, fewer than the three million initially claimed. The Ohio Lottery states that no evidence of the stolen data being used fraudulently has been found yet.
2024-05-10 15:05:04 theregister NATION STATE ACTIVITY U.S. Committee to Grill Microsoft on Recent Cybersecurity Breaches
Brad Smith, Microsoft's Vice Chair and President, has been called to testify before the House Committee on Homeland Security concerning severe cybersecurity breaches attributed to nation-state actors from China and Russia. The hearing, named "A Cascade of Security Failures: Assessing Microsoft Corporation's Cybersecurity Shortfalls and the Implications for Homeland Security," is set for May 22, in response to significant security incidents including the attack on Microsoft Exchange by a China-linked group. This group, identified as Storm-0558, compromised senior U.S. officials' emails, unlawfully accessing around 60,000 emails. Additionally, a group linked to Russia, known as Midnight Blizzard or APT29, accessed emails of Microsoft's executives and stole source code by exploiting a vulnerability in network management software. The Cyber Safety Review Board criticized Microsoft for a series of preventable errors leading to these breaches, prompting Microsoft's pledge for major internal security reforms under the newly launched Secure Future Initiative. This initiative emphasizes critical areas such as protecting identities, isolating production systems, monitoring threats, and accelerating response to threats. The article notes widespread concern about Microsoft's ability to safeguard data, which has prompted urgent calls for Microsoft to be held to the same accountability as other U.S. government vendors.
2024-05-10 14:54:36 thehackernews NATION STATE ACTIVITY North Korean Hackers Launch Golang Malware Attack on Crypto Firms
North Korean threat actor Kimsuky deployed new Golang-based malware, named Durian, targeting South Korean cryptocurrency companies. According to Kaspersky's Q1 2024 APT trends report, the attacks occurred in August and November 2023 and leveraged legitimate South Korean software for initial infection. Durian provides extensive backdoor functions including command execution, file downloads, and data exfiltration. The Durian infection chain includes multiple malware families such as AppleSeed and LazyLoad, along with legitimate tools like ngrok and Chrome Remote Desktop, to steal browser data such as cookies and login details. The use of LazyLoad suggests possible operational overlap or collaboration with another North Korean subgroup, Andariel, part of the Lazarus Group. Kimsuky has been active since at least 2012, is associated with high-level North Korean military intelligence, and focuses on geopolitical intelligence theft and sophisticated spear-phishing attacks. Recent reports link North Korean groups to other high-profile cyber campaigns, including TutorialRAT spear-phishing attacks that use Dropbox for evasion and targeted attacks with Windows shortcut files by the group ScarCruft.
2024-05-10 14:08:29 theregister CYBERCRIME Exploit Targets Self-Driving Cars by Altering Traffic Sign Visibility
Researchers from Singapore demonstrated a technique called GhostStripe that manipulates CMOS sensor-based cameras in autonomous vehicles to distort traffic sign recognition. The attack uses rapid light flashes to affect a camera's image capture line by line, creating inconsistent color stripes that make traffic signs unrecognizable to the vehicle's computer vision systems. GhostStripe1 and GhostStripe2 are two versions of the attack; the former tracks cars and adjusts LED flickering remotely, while the latter requires direct access to the vehicle's camera system. Tests conducted on real roads with a camera used in Baidu Apollo's vehicles achieved a successful manipulation rate of over 90% on various traffic signs, with effectiveness decreasing in bright ambient light. Suggested countermeasures include replacing CMOS cameras with CCDs, altering the line capture method, adding more cameras, or incorporating the attack pattern into AI training models to improve detection. The technique underscores ongoing vulnerabilities in autonomous vehicle technologies and the potential for targeted cyber-attacks that compromise road safety.
2024-05-10 13:02:05 theregister NATION STATE ACTIVITY Retrospective on the DoD Breach Leading to US Cyber Command Formation
In 2008, a malware-infected USB stick used in a military laptop in Afghanistan led to a significant breach of the U.S. Department of Defense's networks. The breach, suspected to be conducted by Russian cyber spies, quickly spread across both classified and unclassified DoD systems. This incident prompted the Pentagon to initiate Operation Buckshot Yankee, aiming to eliminate the malware from its networks, a process which took over a year. The severity of the situation led to the establishment of US Cyber Command, initially a sub-unified command in 2009, which later became an independent unified command in 2018. Four key figures in the development of US Cyber Command, dubbed the "Four Horsemen of Cyber," recently reunited to discuss the command’s inception and early challenges at the RSA Conference. During the initial aftermath of the breach, there was a fundamental lack of cybersecurity awareness among senior military and government officials, highlighting a major gap in digital warfare readiness. The discussion also covered the broader implications of cyber threats and the necessity of incorporating cybersecurity in national defense strategy effectively. A classified narrative created to persuade the DoD of the necessity for a cyber warfighting command was mentioned, with hopes for future declassification.
2024-05-10 13:02:04 thehackernews MISCELLANEOUS Webinar on AI-Driven Innovations in Cybersecurity Threat Hunting
An upcoming webinar titled "The Future of Threat Hunting is Powered by Generative AI" will focus on AI’s role in advancing cybersecurity defenses. The session will be led by Aidan Holland, a researcher at Censys, who will introduce CensysGPT, an AI tool designed to enhance threat hunting capabilities. CensysGPT allows users to query network data in plain language, facilitating easier analysis and insight generation. The webinar aims to demonstrate the practical applications of CensysGPT in identifying and addressing cybersecurity threats. Attendees will include cybersecurity professionals, IT enthusiasts, and anyone interested in the evolution of cyber defenses. The event will provide firsthand experiences with CensysGPT, emphasizing its potential to transform traditional methods of threat detection and research.
2024-05-10 10:39:12 thehackernews MISCELLANEOUS Choosing the Ideal EDR Solution for Your Business Security
Cybersecurity has evolved, shifting focus from traditional perimeter defenses like antivirus and firewalls to endpoint security, emphasizing the importance of Endpoint Detection and Response (EDR) solutions in modern cybersecurity strategies. EDR solutions are essential for businesses of all sizes due to their ability to monitor, detect, and respond to threats at the endpoint level, providing comprehensive visibility and faster response capabilities. The selection of an EDR solution involves understanding your organization’s specific needs, including technical requirements and the capacity of your in-house team to manage the solution effectively. Managed EDR solutions offer a convenient alternative to in-house management, providing the expertise of dedicated security professionals to handle day-to-day operations and threat responses. Key considerations when choosing an EDR solution include real-time detection and alerting, ease of integration with existing systems, user-friendliness, scalability, and cost-effectiveness. Advanced EDR solutions offer capabilities like process isolation, threat hunting, and real-time analytics, which are pivotal for proactive cybersecurity postures. Managed EDR solutions are increasingly favored as they mitigate common challenges such as alert fatigue and staffing constraints, making them suitable for businesses lacking specialized security personnel.
2024-05-10 10:28:47 thehackernews MALWARE Google Issues Security Patch for Chrome Zero-Day Exploit
Google has released security updates for Chrome to address a zero-day vulnerability identified as CVE-2024-4671. The vulnerability relates to a use-after-free issue in Chrome's Visuals component and has been exploited actively. An anonymous researcher reported the flaw on May 7, 2024. Use-after-free vulnerabilities can cause a range of issues, from system crashes to arbitrary code execution. The existence of an exploit for CVE-2024-4671 in the wild has been confirmed by Google, though details of the attacks and attackers remain undisclosed. This is the second zero-day vulnerability Google has addressed in Chrome in 2024, following a previous patch in January. Chrome users are advised to update to the latest versions to prevent attacks: 124.0.6367.201/.202 for Windows and macOS, and 124.0.6367.201 for Linux. Users of other Chromium-based browsers are also recommended to update their software as patches become available.
2024-05-10 10:23:28 thehackernews MALWARE Malicious Android Apps Mimic Popular Brands To Steal User Data
Malicious apps disguised as Google, Instagram, WhatsApp, and other popular platforms are compromising Android devices to steal user credentials. The SonicWall Capture Labs team highlights that these apps trick users into granting extensive permissions, effectively taking over control of the devices. Requested permissions include access to accessibility services and the device administrator API, allowing the malware to steal data and install additional malware without the user's knowledge. Once installed, the malware connects to a command-and-control server to execute commands such as accessing contact lists, SMS messages, call logs, and more. Phishing URLs presented by the apps mimic the login pages of services like Facebook, GitHub, and LinkedIn, further aiming to harvest user credentials. There are also reports of other Android malware campaigns that use similar tactics, including the distribution of banking Trojans that intercept sensitive information and manipulate user interactions. The increase in Android-based malware attacks highlights a significant rise in mobile banking Trojan incidents, particularly affecting regions like Turkey, Saudi Arabia, and India.
2024-05-10 08:11:12 bleepingcomputer CYBERCRIME Google Patches Fifth Chrome Zero-Day Exploit of the Year
Google has issued a security update for Chrome, addressing the fifth zero-day vulnerability exploited this year. The flaw, identified as CVE-2024-4671, is a high-severity use-after-free issue in Chrome's Visuals component. CVE-2024-4671 was anonymously reported and is believed to be actively exploited. Use-after-free vulnerabilities involve programs using pointers that reference freed memory, leading to potential data leakage or crashes. The updates are available across various platforms, with version numbers specific to each operating system. Chrome users can manually update their browsers through the "About Chrome" settings to ensure they have the latest version. This vulnerability is part of a series of zero-day exploits identified in 2024, with three others revealed at the Pwn2Own contest in Vancouver.
2024-05-10 08:00:45 bleepingcomputer CYBERCRIME Critical SMS-based Flaws in Telit Modems Allow Remote Takeovers
Security vulnerabilities in Telit Cinterion cellular modems could enable attackers to control devices remotely via SMS. Eight distinct issues were identified, the most severe being CVE-2023-47610, which allows arbitrary remote code execution through specially crafted SMS messages. The attack relies on knowing the subscriber number and affects modems even without binary SMS capability, with a fake base station serving as a workaround. The flaws were initially reported to Telit by Kaspersky in February 2023; some remain unpatched despite partial remediation. While CVE-2023-47610 has a high severity rating from both Kaspersky and NIST, the other vulnerabilities could compromise application security and device integrity. The vulnerabilities affect multiple modem variants across industries because they share a similar software and hardware architecture. Recommended mitigation measures include disabling SMS capabilities for affected devices and enforcing stricter signature verification on applications.
2024-05-10 07:45:15 thehackernews CYBERCRIME Novel Cybercrime Exploits Cloud AI, Leading to High Costs
Cybersecurity experts have identified a new attack method termed 'LLMjacking,' involving the theft of cloud credentials to access cloud-hosted Large Language Models (LLMs). Attackers breach systems using vulnerabilities in software like the Laravel Framework, then hijack Amazon Web Services credentials to tap into LLM services. Perpetrators employ tools such as a Python script for key validation and a reverse-proxy server to facilitate unauthorized access without revealing stolen credentials. The attackers assess the potential of the stolen credentials without running legitimate LLM queries, focusing on determining access limits and quotas. The strategy enables them to market access to the compromised LLM accounts, effectively monetizing the credentials while incurring substantial costs to the victim, potentially over $46,000 daily. The attackers also attempt to adjust logging settings to avoid detection and maintain unauthorized usage. Sysdig researchers recommend that organizations enable comprehensive logging and proactive monitoring of cloud environments and adopt robust vulnerability management practices to mitigate such threats.