Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11813
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-04-04 11:34:59 | thehackernews | MISCELLANEOUS | Key Considerations for Enhanced Operational Technology Security | Operational Technology (OT) systems differ from IT systems in that they directly interface with and control physical processes. OT and IT convergence through the Industrial Internet of Things (IIoT) increases efficiency but also introduces IT-like cyber threats to OT systems. The real-time operational demands of OT systems may make traditional cybersecurity measures such as multi-factor authentication problematic because of the added latency. Legacy OT systems were not designed with modern cybersecurity threats in mind and often lack encryption and authentication capabilities. In OT, safety and reliability outweigh the typical IT focus on data confidentiality and integrity, which shapes the type of cybersecurity measures employed. Cybersecurity strategies for OT must be specifically tailored, balancing system safety and reliability against data protection. The unique challenges of securing OT systems include avoiding disruptions while protecting against contemporary cyber threats. Cost-effective enterprise-grade Privileged Access Management (PAM) solutions and cloud security strategies are available to enhance OT cybersecurity. | Details |
| 2024-04-04 10:54:09 | theregister | CYBERCRIME | UK City Council Acknowledges Data Theft by Ransomware Gang | Leicester City Council confirmed that a ransomware attack resulted in the theft of residents' confidential data after the INC Ransom group leaked documents. The leak included residents' IDs, bank statements, and official council forms related to housing and rent, with the possibility that more stolen data exists. The Council is contacting affected individuals and has involved the Information Commissioner's Office as well as local cybercrime law enforcement. Despite the breach, the Council has communicated that its recovery is nearly complete, with most services operational. INC Ransom, linked to other government and healthcare attacks, has seen a rise in activity, potentially benefiting from law enforcement action against other ransomware groups. The Council urges residents to be aware of potential fraud and assures them that continued engagement with council services remains secure. A cybersecurity researcher notes the redistribution of affiliates and the rise in attacks by ransomware groups including INC Ransom following crackdowns on groups like LockBit and ALPHV. | Details |
| 2024-04-04 09:02:09 | theregister | CYBERCRIME | Growing Threats: The Amplification of Cybercrime Through AI | GenAI is enhancing the potency and scale of cybercrime by facilitating advanced reconnaissance and social engineering tactics. The UK National Cyber Security Centre anticipates a surge in impactful cyberattacks over the next two years due to AI technologies. AI commoditization is expected to help both cybercriminals and nation-state actors rapidly analyze stolen data for further exploitation. Sophos identifies the risk of generative AI, such as LLMs, enabling the creation of deceptive content to extract sensitive information. Sophos will host a webinar detailing the risks of AI-driven large-scale scam campaigns, demonstrating how GenAI tools can harvest user credentials for cyberattacks. The webinar presents the ease with which novice cybercriminals can create convincing online materials to ensnare victims. Corporate executives and cybersecurity professionals are encouraged to register for insight into AI-propelled cyber threats and prevention strategies. | Details |
| 2024-04-04 04:47:43 | thehackernews | CYBERCRIME | Ivanti Rolls Out Fixes for Connect Secure and Policy Secure Flaws | Ivanti has issued security updates addressing four vulnerabilities in Connect Secure and Policy Secure Gateways, which could lead to code execution and denial-of-service attacks. No exploitation of these vulnerabilities had been reported at the time the security update was released. The company had previously patched a critical vulnerability in its Standalone Sentry product that allowed unauthenticated command execution. Another critical flaw was fixed in the on-premises version of Neurons for ITSM, which could have enabled an authenticated remote attacker to write files and execute code. Ivanti CEO Jeff Abbott publicly acknowledged the need to overhaul the company's security approach, including adoption of secure-by-design principles and transparency with customers. Ivanti is enhancing its internal security mechanisms, engaging third-party researchers, and expanding its bug bounty program to encourage responsible vulnerability disclosure. | Details |
| 2024-04-04 00:23:21 | bleepingcomputer | NATION STATE ACTIVITY | Microsoft Confronts State-Linked Hack, Exchange Online Compromise | Microsoft's 2023 Exchange Online hack is potentially tied to the Chinese cyberespionage group Storm-0558, with ongoing uncertainty about how an Azure signing key was stolen. The Cyber Safety Review Board criticizes Microsoft's security measures and communication transparency in addressing how the signing key was compromised. The U.S. State Department detected the hack through advanced logging features, revealing a broader inability among other organizations to spot such breaches without similar tools. Microsoft admitted to ineffective key rotation practices and a software flaw that allowed the attackers to use a consumer MSA signing key to breach enterprise email accounts. Investigators theorize the key could have been obtained via an engineer's laptop from a previously compromised acquisition, without definitive evidence. Microsoft added telemetry data and extended log retention to bolster security after the attack, following the CSRB's call for improved measures. Storm-0558 is attributed with significant state-backed espionage efforts focusing on high-level U.S. government email accounts related to national security. Connections are drawn between Storm-0558 and prior Chinese cyber operations, including the significant 2009 Operation Aurora. | Details |
| 2024-04-03 23:37:30 | theregister | DATA BREACH | City of Hope Medical Records Compromised in Cyberattack | City of Hope, a US cancer treatment and research organization, disclosed an IT security breach affecting approximately 827,149 individuals. Personal information, including financial and medical records, was accessed and potentially stolen from its systems between September 19 and October 12, 2023. The breach was detected as "suspicious activity" a day after the intrusion, prompting immediate mitigation measures and the implementation of enhanced security. City of Hope began notifying affected individuals in December and has offered two years of free identity monitoring services through Kroll. No incidents of identity theft or fraud have been reported as a result of the breach, according to a City of Hope spokesperson. The organization has engaged a cybersecurity firm to improve network and system security and has reported the incident to law enforcement and regulatory bodies. This breach is part of a larger trend of cyberattacks targeting healthcare facilities, with recent incidents affecting NHS Scotland and Change Healthcare. The US government is responding to the rise in cyberattacks on critical infrastructure by proposing new reporting requirements and indicating that voluntary cybersecurity practices for hospitals may soon be mandated. | Details |
| 2024-04-03 22:31:15 | bleepingcomputer | DATA BREACH | SurveyLama Platform Suffers Major Data Breach Affecting Millions | SurveyLama, an online survey platform, experienced a significant data breach exposing the personal details of 4.4 million users. Have I Been Pwned (HIBP) identified and verified the breach, having initially been informed by an affected user. The sensitive data involved includes varied personal information; the exact nature of the data has not been specified in the summary provided. SurveyLama confirmed the breach via email notifications to impacted individuals. Passwords were stored as salted SHA-1, bcrypt, or argon2 hashes, with SHA-1 considered vulnerable to brute force attacks. Users are urged to change their SurveyLama passwords and any identical passwords used on other platforms. The compromised data has not been publicly disclosed as of now, which may limit immediate widespread exploitation. Vigilance is advised, as the data could eventually be leaked to the cybercrime community, posing a risk of identity theft and fraud. | Details |
| 2024-04-03 22:20:31 | bleepingcomputer | RANSOMWARE | IxMetro Powerhost Victim of New 'SEXi' Ransomware Attack | IxMetro Powerhost, a hosting firm, faced a ransomware attack that encrypted its VMware ESXi servers and backups, affecting numerous customers. The new ransomware, dubbed SEXi, specifically targeted the company's servers that hosted virtual private servers, leading to widespread service disruptions. The attack was discovered early Saturday, with PowerHost announcing the incident and its ongoing attempts to restore services from encrypted backups. The SEXi ransomware gang demanded a ransom of two bitcoins per victim for decryption keys, which could potentially cost PowerHost $140 million. PowerHost is compensating affected customers by offering new VPS setups to those who still have their own website content, so they can bring their operations back online. The SEXi ransomware operation is relatively new, emerging in March 2023, and has so far only been observed targeting VMware ESXi servers, but could potentially expand to Windows devices. As far as is currently known, the ransomware's infrastructure is not sophisticated: all victims receive the same contact address in the ransom notes, a departure from the per-victim communication typical of targeted operations. It is presently unclear whether the SEXi ransomware operators are engaging in double extortion tactics by stealing data and threatening leaks if payment is not made. | Details |
| 2024-04-03 22:20:31 | bleepingcomputer | CYBERCRIME | Omni Hotels & Resorts Faces Nationwide Cyberattack and IT Disruption | Omni Hotels & Resorts confirmed a cyberattack that led to a significant IT outage at its locations. The hotel chain quickly shut down systems to contain the incident and protect data against further intrusion. Cybersecurity experts were engaged to conduct an ongoing investigation into the incident. Unnamed sources claim the cybersecurity issue stemmed from a ransomware attack, as Omni works to restore encrypted servers from backups. Internal efforts are underway to manually recover affected systems, with system availability anticipated by Thursday. The cyberattack disrupted reservations, hotel room door lock systems, and point-of-sale operations, causing issues with credit card payments and reservations management. The incident follows a previous data breach in 2016, in which malware on point-of-sale systems at Omni hotels exposed payment card information. | Details |
| 2024-04-03 21:59:59 | bleepingcomputer | RANSOMWARE | Chilean Hosting Provider PowerHost Crippled By SEXi Ransomware Attack | IxMetro, a division of Chile-based PowerHost, was targeted by SEXi ransomware, leaving its VMware ESXi servers and backups encrypted. SEXi ransomware is a new threat, first observed in March 2023, primarily targeting VMware ESXi servers and appending the .SEXi file extension. PowerHost is struggling to restore service after the ransomware encrypted both its servers and the backups meant for disaster recovery. The cybercriminals demanded an exorbitant ransom of two bitcoins per victim, which would amount to a total of $140 million if paid by PowerHost. PowerHost has offered to set up new VPS servers for customers who can independently provide their website content. It is currently unclear whether the SEXi ransomware group is engaging in double extortion tactics by stealing data and threatening to leak it, as this has not been observed yet. The ransomware's infrastructure is not sophisticated at this time, using identical Session messaging app contact addresses for communication with all victims. | Details |
| 2024-04-03 21:14:04 | bleepingcomputer | RANSOMWARE | Jackson County Declares Emergency Amidst Ransomware Attack | Jackson County, Missouri, declared a state of emergency following a ransomware attack that disrupted county services on Tuesday. Key county departments such as Assessment, Collection, and Recorder of Deeds are expected to be closed for the week while systems are restored. The incident affected tax payment, marriage license, and inmate search systems, but did not impact the local Boards of Elections. Law enforcement, including the FBI and the Department of Homeland Security, have been notified, and external IT security experts are assisting with the investigation. County Executive Frank White, Jr. has authorized emergency measures to protect resident data and ensure the continuation of essential services. Officials stated that residents' financial information is safe, as it is managed by the external payment service provider Payit, which was not affected by the attack. Jackson County is a significant jurisdiction in Missouri, encompassing the largest city of Kansas City and 17 other municipalities. | Details |
| 2024-04-03 20:53:25 | theregister | NATION STATE ACTIVITY | Microsoft Criticized for Security Negligence After China-Linked Email Breach | The Cybersecurity and Infrastructure Security Agency (CISA) called for urgent security reforms at Microsoft following a breach attributed to a Chinese-linked group. Microsoft's outdated key rotation practices allowed unauthorized access to Outlook Web Access and further escalation to enterprise email accounts. Approximately 60,000 emails from the US State Department were stolen, including sensitive diplomatic discussions and a complete list of employee email addresses. Microsoft's slow response in correcting misinformation regarding the breach's cause and its failure to detect key compromises have been highlighted as major concerns. The report by the Cyber Safety Review Board emphasized the need for Microsoft to prioritize security risk management and update legacy infrastructure. Microsoft's recent "Secure Future Initiative" was noted to require supervision by top executives, following the company's overreliance on AI for security solutions without a clear understanding of the incident's cause. | Details |
| 2024-04-03 19:31:54 | theregister | CYBERCRIME | Omni Hotels Suffers Extensive IT Systems Outage Affecting Services | Omni Hotels & Resorts suffered a major IT systems disruption starting Friday, impacting bookings, payments, and door lock systems. The luxury hotel chain has over 50 properties in the US and Canada and has acknowledged the outage on social media, apologizing to guests. Specific details regarding the cause of the IT outage, including whether it was ransomware-related, were not provided by Omni or TRT Holdings. Hotel guests across the country have experienced significant disruptions, with reports of paper check-ins, non-operational card machines, and staff needing to escort guests to their rooms. A self-identified Omni employee described the situation as chaotic and stressful, both for guests and for staff unsure of their income during the server downtime. Comparisons have been drawn to the MGM Resorts ransomware incident, raising suspicions of a possible cyberattack, but Omni has not confirmed this. Separately, Meta platforms including WhatsApp, Facebook Messenger, Instagram, and the Ads Transparency suite experienced outages, with services gradually being restored. | Details |
| 2024-04-03 18:55:52 | bleepingcomputer | DATA BREACH | U.S. State Department Probes Alleged Contractor Data Theft | The U.S. Department of State is investigating a possible cyber incident following a threat actor's claims of leaking documents from a government contractor. The alleged breach targeted Acuity, a technology consulting firm providing critical services to federal agencies, with claims of compromised classified information. The hacker, known as IntelBroker, claims the data leak includes contact details of government, military, and Pentagon personnel linked to the Five Eyes alliance. IntelBroker has a track record of similar data leaks from various government entities, including the U.S. Army and the Department of Defense. Details of the breach methodology have not been disclosed, though IntelBroker has already leaked data from other government agencies, suggesting potential links among the incidents. A previous significant breach attributed to IntelBroker involved DC Health Link, affecting members and staff of the U.S. House of Representatives. Neither the NSA nor Acuity has commented on the breach, and the Cybersecurity and Infrastructure Security Agency (CISA) has declined to comment on the ongoing investigation. | Details |
| 2024-04-03 18:24:47 | bleepingcomputer | CYBERCRIME | Critical SQL Injection Flaw Endangers Over 1 Million WordPress Sites | A severe unauthenticated SQL injection vulnerability in LayerSlider, a WordPress plugin, potentially affects over one million websites. Discovered by researcher AmrAwad, the security flaw, with a CVSS score of 9.8, could enable attackers to access site databases and extract sensitive data. Wordfence, a WordPress security firm, was alerted to the flaw, CVE-2024-2879, by AmrAwad through its bug bounty program, prompting swift action. The vulnerability stems from improper sanitization within the 'ls_get_popup_markup' function, risking complete site takeovers or data breaches. Attackers could carry out a time-based blind SQL injection, using response times to siphon off password hashes and user information, exploiting the lack of prepared SQL queries in WordPress. A swift developer response resulted in a security update released within two days, with users urged to update to version 7.10.1 to mitigate the risk. WordPress site admins are reminded to keep plugins updated, use strong passwords, and manage account access meticulously to enhance security. | Details |