Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11769
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-13 05:33:03 | theregister | DATA BREACH | Infosys Subsidiary Implicated in Major Bank of America Data Leak | Infosys McCamish Systems (an Infosys subsidiary) was identified as the source of a significant data breach affecting the Bank of America.
Confidential information of 57,028 individuals, potentially including Social Security Numbers and account details, was compromised.
The security incident, classified as an "External system breach (hacking)," led to the non-availability of certain applications and systems.
While Bank of America's systems remained secure, the data related to deferred compensation plans managed by the bank was exposed.
The exact extent of the data accessed by the hackers remains uncertain, heightening the risk of identity fraud for the affected individuals.
The LockBit ransomware gang is suspected of orchestrating the cybersecurity incident at Infosys McCamish Systems.
Impacted individuals have been offered advice on precautionary measures and two years of complimentary identity theft protection services from Experian. | Details |
| 2024-02-13 04:57:13 | thehackernews | CYBERCRIME | U.S. CISA Flags Actively Exploited Roundcube Email Vulnerability | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in Roundcube, a popular email software, to its list of actively exploited flaws.
The vulnerability, identified as CVE-2023-43770, is a medium-severity cross-site scripting (XSS) issue discovered by a Zscaler researcher, Niraj Shivtarkar.
Attackers exploit this flaw by manipulating 'linkrefs' in plain text emails, leading to potential information disclosure.
Roundcube has released patches for the affected versions (prior to 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3) with the latest update being version 1.6.3 on September 15, 2023.
Though specific exploitation methods are not detailed, similar vulnerabilities have previously been exploited by Russia-linked threat actors such as APT28 and Winter Vivern.
CISA has mandated U.S. Federal Civilian Executive Branch (FCEB) agencies to implement the necessary patches by March 4, 2024, to mitigate risks from this threat.
Organizations are urged to update their Roundcube software immediately to prevent exploitation and secure their email communications. | Details |
| 2024-02-13 01:49:20 | theregister | MALWARE | South Korean Researchers Develop Free Decryptor for Rhysida Ransomware | South Korean researchers have cracked the Rhysida ransomware and released a free decryptor tool, aiding victims like the British Library.
Rhysida ransomware, linked to the Vice Society criminal group, has been targeting various sectors including education, healthcare, and government since May of the previous year.
The researchers found a weakness in how the ransomware seeds its cryptographically secure pseudo-random number generator, allowing them to regenerate the generator's internal state at the time of infection.
The Korea Internet and Security Agency (KISA) is now distributing the tool, marking a significant achievement in combatting this particular strain of ransomware.
The flaw in the ransomware involved its use of the system's execution time to generate encryption keys, limiting possible combinations and enabling decryption without the private RSA key.
Rhysida ransomware partially encrypts files to speed up the process, making it difficult to detect and stop on networks.
Despite the theoretical recoverability of data encrypted by ransomware, organizations are cautioned against trusting systems compromised by such intrusions without a complete wipe and restore. | Details |
| 2024-02-12 23:37:03 | bleepingcomputer | DATA BREACH | Bank of America Client Data Exposed After Vendor Security Breach | Bank of America warns customers of a data breach involving personal information due to a third-party service provider hack.
The breach at Infosys McCamish Systems compromised names, addresses, social security numbers, birth dates, and financial details including account and credit card numbers.
Infosys McCamish Systems, part of IT giant Infosys, reported that 57,028 individuals had their data exposed.
The incident occurred around November 3, 2023; the LockBit ransomware gang claimed responsibility, saying it had encrypted over 2,000 systems.
The bank clarified that its own systems were not compromised in the security incident.
The LockBit ransomware group has become notorious since 2019 and is estimated to have extorted $91 million from U.S. entities with approximately 1,700 attacks since 2020.
Bank of America, with a vast customer base serviced through thousands of financial centers and ATMs, has not yet disclosed the total number of customers affected. | Details |
| 2024-02-12 23:11:23 | bleepingcomputer | CYBERCRIME | FBI Tackles Warzone RAT Operation, Arrests International Malware Vendors | The FBI successfully dismantled the Warzone RAT malware operation, seizing vital infrastructure and making significant arrests.
Daniel Meli, a resident of Malta, was arrested for distributing "Warzone RAT," a malware used in various cybercrimes since 2018.
The Warzone RAT allowed users to bypass Windows User Account Control (UAC), remotely control desktops, and perform numerous other malicious functions.
Alongside Meli's arrest, a second individual, Prince Onyeoziri Odinakachi from Nigeria, was detained for providing customer support to Warzone RAT users.
Authorities in Boston confiscated four domains linked to the malware operation, effectively disrupting its online presence.
The international cooperation led to the seizure of servers in multiple countries including Canada, Croatia, Finland, Germany, the Netherlands, and Romania.
The US Department of Justice implicated Meli not only in distribution but also in customer support, suggesting his deep involvement in the operation.
Daniel Meli faces extradition to the US with potential penalties of up to 15 years in prison, supervised release, and extensive fines for his criminal activities. | Details |
| 2024-02-12 21:54:47 | bleepingcomputer | DATA BREACH | FCC Mandates Swift Reporting of Telecom Data Breaches | The FCC has revised its data breach reporting rules, obligating telecom companies to report any breaches involving customer PII within 30 days.
Telecom carriers are now also required to notify customers immediately, without the previous mandatory waiting period, unless otherwise directed by law enforcement.
The updated rules expand the requirement to report breaches, including inadvertent access or misuse, beyond just customer proprietary network information (CPNI) to include all PII.
The change follows a series of proposals aimed at modernizing the FCC's approach to data breach notifications.
Major U.S. telecom carriers, such as Comcast, Verizon, T-Mobile, and AT&T, have experienced significant breaches in recent years, underlining the need for stricter rules.
The FCC emphasizes the vital importance of protecting the "treasure trove" of personal data that telecom carriers handle due to the ubiquitous use of mobile phones. | Details |
| 2024-02-12 19:16:34 | theregister | DATA BREACH | Insurers' Handling of Sensitive Photos Leads to Privacy Concerns | Dutch health insurers are reportedly requiring breast cancer patients to submit photos of their breasts for reconstructive surgery approvals, disregarding government bans.
Patients have experienced the loss of these highly sensitive photographs on multiple occasions, raising significant privacy and security issues.
These photos are not securely transmitted and have previously been stolen by ransomware attackers, leading to extortion and public exposure of patient data.
Despite the Dutch Health Minister's directive that photos should be taken only in hospitals starting January 1, 2023, some insurers continue to request images directly from patients.
Patients are suing the healthcare provider over breaches that resulted in the unauthorized distribution of private images online.
Some hospitals are refusing to handle these images due to the potential for privacy violations, while insurance organizations vary in their adherence to the new policy.
A specific case highlighted involves the insurer CZ, which denied requesting photos but later admitted to losing them and described the situation as "very annoying."
Efforts to reach VGZ and the Health Minister for comments on these events and potential regulatory actions have been unsuccessful. | Details |
| 2024-02-12 19:16:33 | bleepingcomputer | CYBERCRIME | Phishing Campaign Targets Executives to Hijack Azure Accounts | A sophisticated phishing campaign has breached hundreds of Microsoft Azure user accounts, focusing on senior executives.
Compromised accounts provide access to sensitive information, facilitate fraudulent transactions, and serve as entry points for further attacks.
Proofpoint's Cloud Security Response Team has identified the campaign and proposed defensive measures for organizations to implement.
The phishing lures involve fake "View document" buttons in emails, which redirect victims to malicious pages designed to capture credentials.
Targets predominantly hold high-level or privileged positions within their companies, increasing the value of the compromised accounts.
The attackers use specific Linux user-agent strings and operate an infrastructure that includes proxies and hijacked domains to avoid detection.
Some evidence suggests that the threat actors may be based in Russia or Nigeria, though this is not definitive.
Recommended defense measures include strengthening authentication processes, improving user education, and deploying advanced threat detection systems. | Details |
| 2024-02-12 19:06:00 | bleepingcomputer | CYBERCRIME | Attackers Exploiting Roundcube Server Vulnerability in XSS Assaults | CISA warns of active exploitation of a persistent XSS vulnerability (CVE-2023-43770) in Roundcube email servers, initially patched in September.
Attackers use text/plain messages containing maliciously crafted links to access restricted information; the attack requires user interaction to succeed.
Affected versions are Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.
CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog, indicating the threat it poses to federal agencies.
U.S. Federal agencies are mandated to patch this vulnerability within three weeks to comply with a binding operational directive.
Updates are also strongly recommended for private organizations, as over 132,000 Roundcube servers are currently accessible online.
Previous targeting of similar Roundcube vulnerabilities by the Russian hacking group Winter Vivern was noted, with attacks on European governmental bodies and NATO-related entities. | Details |
| 2024-02-12 18:50:28 | theregister | DATA BREACH | FCC Mandates Immediate Telecom Breach Notifications to Customers | The FCC has updated its reporting requirements, compelling telecom companies to disclose data breaches within seven days of discovery.
Previously, telcos weren't required to notify customers unless Customer Proprietary Network Information (CPNI) was compromised; now, the rule includes Personal Identifiable Information (PII) as well.
There is no longer a mandatory seven-day waiting period before telcos must inform customers; the notification must occur without unreasonable delay, not exceeding 30 days after determining a breach.
Definitions of data exposure have expanded, obligating telcos to report even suspected breaches linked to individual customers using accessed information.
An exception allows telecoms to forgo customer notification if they reasonably determine that no harm to customers is likely to result from a breach.
The FCC's broadened definition of "breach" also includes inadvertent access or disclosure of customer information, expanding its scope beyond intentional cyber attacks.
The new FCC rules echo broader moves by federal agencies like the FTC and SEC to enforce stringent breach reporting requirements, despite industry opposition and congressional criticism. | Details |
| 2024-02-12 17:18:49 | theregister | DATA BREACH | Jet Engine Leasing Company Hit by Potentially Damaging Data Breach | Willis Lease Finance Corporation reported an "unauthorized activity" to the SEC, indicating a potential cybersecurity breach.
The incident was detected on January 31, and certain systems were taken offline to contain and assess the situation.
Third-party cybersecurity experts were engaged, and as of the report, no further unauthorized activity has been observed since February 2.
While some internal processes required workarounds for operations to continue, the full extent of the breach, including data theft, is still under investigation.
Passport scans and other sensitive documents pertaining to customers and employees were posted on the Black Basta ransomware group's leak site.
Black Basta, a formidable cybercrime group with ties to the disbanded Conti group, claims responsibility, alleging the theft of 910 GB of sensitive data from Willis Lease.
The company has operated for over 45 years, serving as a key supplier of jet engines to major airlines, and is now assessing the breach's impact with law enforcement involved. | Details |
| 2024-02-12 16:53:03 | bleepingcomputer | CYBERCRIME | Ransomware Disrupts 21 Romanian Hospitals, Forcing Return to Paper | Over the weekend, a ransomware attack targeted the HIS used by 21 Romanian hospitals, which manage medical activity and patient data.
The Romanian Ministry of Health announced that the Hipocrate Information System was encrypted, causing hospitals to revert to paper-based operations.
Cybersecurity experts from the Romanian National Cyber Security Directorate (DNSC) are currently investigating the cyber-attack.
DNSC has recommended not contacting the affected hospitals' IT teams to allow them to prioritize service and data restoration.
Medical services have been disrupted, with healthcare providers having to write prescriptions and keep records manually after shutting down affected systems.
It is unclear which ransomware group is responsible or whether patients’ personal or medical data was compromised.
The service provider behind the HIS, Romanian Soft Company SRL, has not yet issued a public statement, and their spokesperson was unavailable for comment.
DNSC disclosed that the Backmydata ransomware, part of the Phobos family, was used in the attack; most affected hospitals had recent data backups, but one had data backed up 12 days prior. | Details |
| 2024-02-12 16:22:12 | bleepingcomputer | MALWARE | Hackers Deploy New DSLog Backdoor Via Ivanti SSRF Flaw | Hackers are actively exploiting an SSRF vulnerability (CVE-2024-21893) in Ivanti products, enabling the deployment of the DSLog backdoor.
The affected Ivanti products are Connect Secure, Policy Secure, and ZTA gateways, with versions 9.x and 22.x being vulnerable.
Ivanti released updates to address the vulnerability, but attackers are still targeting systems that haven't applied the patches.
Initial exploit attempts were observed by Shadowserver, with the DSLog backdoor confirmed by Orange Cyberdefense.
The DSLog backdoor allows remote code execution on compromised appliances and is disguised to avoid detection, with a per-device SHA256 hash serving as its authentication key.
Compromised devices had their logs wiped to obscure attack traces, but researchers were able to identify nearly 700 affected Ivanti servers.
Ivanti has provided mitigation advice, and it is critical for administrators to apply the recommended updates to prevent potential breaches. | Details |
| 2024-02-12 15:46:10 | bleepingcomputer | CYBERCRIME | Researchers Expose Flaw in Rhysida Ransomware Encryption | South Korean researchers exposed an encryption flaw in Rhysida ransomware, enabling a free file decryption tool for victims.
The flaw involves the ransomware's use of a predictable seed value based on the system's time, which allows the decryption key to be recreated.
Rhysida encrypts files only partially (intermittent encryption), and with the regenerated key material the researchers could decrypt them without the attackers' RSA private key.
The decryption exploits the ransomware's faulty random number generation, using a computationally feasible method to find the correct seed.
The free decryption tool is available on the Korean Internet & Security Agency's (KISA) website, although its safety and effectiveness are unspecified.
Cybersecurity researchers and governments had been using the flaw privately for months before the public disclosure.
The public release by South Korean researchers aims to increase resilience against ransomware, but may provoke Rhysida to fix the flaw soon. | Details |
| 2024-02-12 13:17:52 | thehackernews | CYBERCRIME | Researchers Break Rhysida Ransomware Encryption, Offer Free Tool | Cybersecurity experts found a vulnerability allowing them to decrypt Rhysida ransomware without a ransom.
A decryption tool has been developed and is being distributed through the Korea Internet and Security Agency (KISA).
The Rhysida ransomware, first detected in May 2023, was broken by researchers from Kookmin University in collaboration with KISA.
The U.S. government previously warned that Rhysida ransomware targeted multiple sectors including education and government.
The ransomware uses the LibTomCrypt library for its cryptography and intermittent (partial) file encryption to speed up encryption and avoid detection.
The breakthrough was possible due to an implementation flaw related to the malware's encryption key generation process.
This successful decryption adds Rhysida to the list of ransomware like Magniber v2 and Hive, whose encryptions have been cracked by exploiting vulnerabilities. | Details |
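The key-recovery flaw described in the three Rhysida items above (a PRNG whose seed is derived from the system time, so the key can be regenerated by searching a small seed space) as an added, constructed example. This is not Rhysida's code and not the researchers' decryptor: it is a toy that reproduces the class of flaw so the recovery can be watched end to end. The SHA-256 counter stream, the 64-byte "partial encryption" chunk, the PDF magic bytes used as known plaintext and the one-hour search window are all assumptions of this example.

```python
"""Time-seeded key generation and its recovery (constructed example, not Rhysida's code)."""
import hashlib
import os
import time

CHUNK = 64            # toy "partial encryption": only the first CHUNK bytes of a file are touched
MAGIC = b"%PDF-1.7"   # known plaintext: the file signature of the sample (assumption)


def keystream(seed: int, length: int) -> bytes:
    """Deterministic stream: SHA-256(seed || counter). Stands in for any PRNG that is
    fully determined by its seed; the weakness lies in the seed, not the generator."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def weak_seed() -> int:
    # The flaw: seeding from wall-clock seconds leaves at most 86,400 candidates per day.
    return int(time.time())


def strong_seed() -> int:
    # Hardened form: 256 bits from the OS CSPRNG; a seed search is infeasible.
    return int.from_bytes(os.urandom(32), "big")


def encrypt_partial(data: bytes, seed: int) -> bytes:
    """XOR the first CHUNK bytes with the keystream, leave the rest untouched."""
    head = bytes(a ^ b for a, b in zip(data[:CHUNK], keystream(seed, CHUNK)))
    return head + data[CHUNK:]


def decrypt_partial(ciphertext: bytes, seed: int) -> bytes:
    return encrypt_partial(ciphertext, seed)  # XOR is its own inverse


def recover_seed(ciphertext: bytes, known_prefix: bytes, t_lo: int, t_hi: int):
    """Try every second in [t_lo, t_hi]; return the seed whose keystream turns the
    ciphertext head back into the known plaintext prefix, or None."""
    n = len(known_prefix)
    for cand in range(t_lo, t_hi + 1):
        ks = keystream(cand, n)
        if bytes(a ^ b for a, b in zip(ciphertext[:n], ks)) == known_prefix:
            return cand
    return None


def demo(infection_time: int = 1_699_000_000) -> dict:
    """Victim side encrypts with a time-derived seed; defender side recovers it from an
    approximate infection time (e.g. a file mtime or log entry) plus one hour of slack."""
    plaintext = MAGIC + b"\n% constructed sample document body\n" + bytes(range(200))
    ct = encrypt_partial(plaintext, infection_time)
    seed = recover_seed(ct, MAGIC, infection_time - 3600, infection_time + 3600)
    recovered = decrypt_partial(ct, seed) if seed is not None else None
    return {"seed_found": seed, "recovered_ok": recovered == plaintext}


if __name__ == "__main__":
    print(demo())
```

With a 256-bit seed from `strong_seed()` the same `recover_seed` search would never terminate in practice, which is the whole difference between the flawed and the hardened generator: both produce an unpredictable-looking stream, but only one has an unguessable seed.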
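A triage check for the two Roundcube items above, as an added example that is not Roundcube's code: it applies the affected ranges the advisories state (before 1.4.14, 1.5.x before 1.5.4, 1.6.x before 1.6.3) to an inventory of hosts and versions. The inventory is constructed sample data; how you obtain each server's version string (from a config management database, a banner, or the Roundcube install itself) is left to the reader.

```python
"""CVE-2023-43770 version triage for Roundcube (added example; inventory is constructed)."""
from typing import List, Tuple

# First fixed release per maintained branch, as stated in the advisories.
FIXED = {
    (1, 4): (1, 4, 14),
    (1, 5): (1, 5, 4),
    (1, 6): (1, 6, 3),
}


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn "1.6.3" or "1.6.3-rc" into a comparable tuple. Components are padded to
    three; a pre-release suffix sorts before the final release of the same number."""
    core, _, suffix = s.strip().partition("-")
    parts = tuple(int(p) for p in core.split("."))
    while len(parts) < 3:
        parts += (0,)
    return parts + ((-1,) if suffix else (0,))


def is_vulnerable(version: str) -> bool:
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch] + (0,)
    if branch < (1, 4):
        return True   # everything before 1.4.14 is affected, so all older branches are
    return False      # branches newer than 1.6 post-date the fix (assumption: not affected)


INVENTORY: List[Tuple[str, str]] = [   # constructed sample data
    ("mx1.example.test", "1.6.2"),
    ("mx2.example.test", "1.6.3"),
    ("legacy.example.test", "1.4.13"),
    ("mx3.example.test", "1.5.4"),
]


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hosts that still need the patch."""
    return [host for host, ver in inventory if is_vulnerable(ver)]


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"PATCH NEEDED: {host}")
```

Note the branch-aware comparison: a naive "is the version below 1.6.3" check would wrongly flag 1.5.4 and 1.4.14, both of which are fixed, and a check reading "newer than 1.4.14" inverts the 1.4 branch entirely.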