Daily Brief

Total articles found: 11688

2023-11-10 20:26:15 theregister CYBERCRIME LockBit Ransomware Gang Leaks 50GB of Boeing Data
LockBit ransomware group claims to have leaked 50GB of data from Boeing after ransom demands went unmet. The leaked files reportedly include compressed archives and backups of various systems, finances, marketing, and supplier details. Boeing has not confirmed the authenticity of the data leak but has acknowledged a cybersecurity incident within its parts and distribution business. Speculation arises about the use of Citrix Bleed as the potential exploit for the initial breach, though Boeing hasn't commented on the entry point. A security researcher noticed Boeing corporate emails among the leaked data, indicating a risk of further malicious activity. Boeing appears on the LockBit dark web site as a victim, with negotiations either failing or never occurring, leading to the public data dump. The same week, LockBit also claimed responsibility for a ransomware attack on China's largest bank, ICBC, affecting its financial services systems.
2023-11-10 20:00:38 bleepingcomputer CYBERCRIME Healthcare Providers Targeted in ScreenConnect-Based Cyber Attacks
Hackers have compromised multiple U.S. healthcare organizations using ScreenConnect remote access. Managed security platform Huntress noticed unauthorized activities suggesting preparations for further attacks. Attackers established persistent access to affected systems by installing additional remote access tools like AnyDesk. The incidents, spanning from late October to early November 2023, involved similar methods, suggesting a single actor was responsible. Intrusions occurred through a ScreenConnect instance associated with Transaction Data Systems (TDS), which may indicate a breach or credential compromise. The attackers used sophisticated techniques to avoid detection, including memory-based payloads and the misuse of legitimate services. Attempts by Huntress to alert the possibly affected company, Outcomes (formerly TDS), have been met with no response.
2023-11-10 18:53:50 theregister CYBERCRIME Poloniex Crypto-Exchange Offers Bounty for Stolen $120M Return
Poloniex exchange was the target of a significant theft, with an estimated $120M in user funds stolen. Exchange founder Justin Sun has proposed a 5% "white hat bounty" to the thieves for the return of the stolen funds. Sun has threatened to involve law enforcement if the funds are not returned within 7 days. A portion of the stolen assets has been frozen, and the exchange claims its operating revenue can cover the losses. Systems have been restored, and the exchange is taking measures to ensure security before resuming full services. Blockchain security firms SlowMist and Cyvers have tracked and reported on the theft; various tokens were stolen through multiple transactions. There are indications the notorious Lazarus group, known for state-sponsored cyber activities, could be behind this and similar incidents.
2023-11-10 16:51:39 bleepingcomputer MISCELLANEOUS Microsoft Prolongs Windows Server 2012 ESU Support to 2026
Microsoft has extended Windows Server 2012 Extended Security Updates (ESUs) until October 2026, providing three additional years for users. This extension aims to give administrators more time for upgrading systems or migrating workloads to Azure. Windows Server 2012 and R2's mainstream support ended in October 2018, but ESUs allow for continued technical assistance and bug fixes. Customers on Azure may already receive free ESUs, while others can purchase the service, which is deployable via Azure Arc without keys. Microsoft offers step-by-step guidance for extending ESU protection and details on ESU activation scenarios. For on-premises servers, upgrading to Windows Server 2022 or migrating to Azure Virtual Machines are suggested alternatives to maintain security and compliance. The extension reinforces Microsoft's commitment to cybersecurity as older, unsupported versions of software can pose significant risks.
2023-11-10 16:26:00 bleepingcomputer DATA BREACH Maine Government Data Breach Affects 1.3 Million Individuals
The State of Maine reported a data breach in its MOVEit file transfer tool, affecting the personal information of approximately 1.3 million people. A zero-day vulnerability was exploited by the Clop ransomware gang, leading to a massive data theft campaign. The breach occurred between May 28, 2023, and May 29, 2023, impacting various state agencies, with Maine's Department of Health and Human Services being the most affected. Types of data exposed include personal and financial information and information concerning minors, with the extent of exposure varying according to each individual's interaction with state agencies. Notification to the public was delayed due to the State's comprehensive investigation into the breach. Impacted individuals will receive free credit monitoring and identity theft protection services for two years, and are advised to monitor their financial accounts for any unusual activity. A dedicated call center has been established to assist and address concerns relating to the security incident.
2023-11-10 15:39:55 theregister CYBERCRIME Ransomed.vc Ransomware Group Disbands After Suspected Arrests
Ransomed.vc, a ransomware group, announced its dissolution following a lack of interest in its sale and attention from law enforcement. Initially, the group offered itself for sale to a "trusted person," later dropping the price by 20% as it pushed for a rapid exit. The group cited the involvement of inexperienced young affiliates, poor operational security (opsec), and the risk of arrest as reasons for shutting down. Six individuals associated with the group are suspected to have been arrested, prompting the group's leader to terminate all of its 98 affiliates. Ransomed.vc, known for claiming an attack on Sony and Japan's largest telco NTT Docomo, had its claims questioned by cyber researchers and rival cybercriminals. In addition to erratic behavior, the group engaged in a smear campaign against a cybersecurity executive, further diluting its credibility. The disappearing act of Ransomed.vc follows a pattern seen in ransomware circles, where groups often resurface with new identities after lying low.
2023-11-10 15:29:35 bleepingcomputer DATA BREACH McLaren Health Care Data Breach Affects 2.2 Million Patients
McLaren Health Care announced a data breach affecting approximately 2.2 million individuals, with sensitive personal information compromised. The breach occurred between late July and August 2023, with the organization becoming aware of the security issue on August 22, 2023. An external cybersecurity team revealed that unauthorized access had been ongoing since July 28, with data exposure confirmed by October 10. Types of data accessed vary among individuals but remain undisclosed; all affected parties will receive instructions for 12-month identity protection services. McLaren has not found evidence of misuse of the data but warns those affected to monitor their financial accounts and be vigilant of unsolicited communications. ALPHV/BlackCat ransomware group claimed responsibility for an attack on McLaren's network, threatening to auction the collected data they say concerns 2.5 million people.
2023-11-10 15:03:51 bleepingcomputer CYBERCRIME Escalation of Ransomware Assaults in the Healthcare Sector
Hospitals, clinics, and other healthcare providers are increasingly victimized by ransomware, which now surpasses other cyberattacks in the industry. Healthcare data breaches are on the rise, with a 15.3% cost increase from 2020, averaging $4.45 million per incident. Breach detection within healthcare organizations is worryingly slow, taking 287 days on average, allowing further data exploitation. Ransomware's immediate effect includes denying access to critical data, potentially endangering patient care and safety. A ransomware attack on MCNA Dental compromised personal data of approximately 8.9 million patients, indicating the extensive reach of cybercriminals. HIPAA provides a stringent framework for protecting patient information, which can enhance security measures and rebuild trust post-breach. Proactive security measures and the use of tools like Specops Password Policy are vital steps in reinforcing an organization's defense against cyber threats. Implementing strong password policies and protective software solutions can significantly reduce the risk of password-based breaches.
2023-11-10 12:25:34 thehackernews NATION STATE ACTIVITY Russian Sandworm Hackers Disrupt Ukrainian Power Grid Amid Conflict
Google's Mandiant revealed a cyber attack by Russian group Sandworm against Ukraine's power grid, causing an October 2022 outage. Sandworm utilized novel techniques on industrial control systems, deliberately timing the outage with a barrage of missile attacks on Ukrainian infrastructure. The blackout's exact location, duration, and affected population remain undisclosed; however, it highlights Sandworm's ongoing tactics to destabilize Ukraine's power grid. Initially infiltrating the system in June 2022 via a hypervisor managing SCADA, the hackers later deployed CaddyWiper malware for further disruption and evidence removal. The October 10 cyber-physical attack involved malware delivered as an ISO image file that tripped substation breakers, leading to power disruption. A new variant of CaddyWiper was introduced two days post-attack, indicating a layered and persistent attack strategy. Mandiant's analysis stresses the urgent need for infrastructure asset owners worldwide to mitigate these sophisticated threats, especially MicroSCADA system users.
2023-11-10 12:10:09 bleepingcomputer RANSOMWARE ICBC Financial Services Hit by Disruptive Ransomware Attack
The Industrial & Commercial Bank of China (ICBC) experienced a ransomware attack on November 8, 2023, affecting its financial services systems. ICBC took immediate action by isolating the impacted systems and has commenced recovery with the help of information security experts. This incident was reported to law enforcement, and ICBC confirmed the event did not affect its New York Branch, Head Office, or other affiliates. The ransomware attack disrupted U.S. Treasury market operations, causing issues with equities clearing for ICBC's clearing customers. An ICBC Citrix server vulnerable to the 'Citrix Bleed' security bug was exploited in the ransomware attack and is currently offline. ICBC is the world's largest commercial bank by revenue and has an extensive global presence with branches in 41 countries, serving over 730 million individual and corporate customers. The U.S. Treasury is aware of the cybersecurity incident and is monitoring the situation closely with financial industry participants and regulators.
2023-11-10 09:01:41 thehackernews MALWARE 'Effluence' Backdoor Found in Patched Atlassian Servers
Cybersecurity researchers have uncovered a new backdoor, named Effluence, in Atlassian Confluence Data Center and Server. Effluence persists as a threat even after patches are applied, enabling remote access and data exfiltration without authentication. The backdoor is linked to the exploitation of a critical security flaw, CVE-2023-22515, allowing unauthorized creation of admin accounts. Attackers leverage this backdoor to execute commands, create new admin accounts, delete files, and gather extensive data, while covering their tracks. The sophisticated web shell used by the attackers can activate only in response to specific requests, remaining undetected during typical use. The Effluence malware uses common Atlassian APIs, raising concerns about its potential impact on other Atlassian products like JIRA or Bitbucket. The incidents call for heightened vigilance and may require additional security measures beyond patching to ensure the backdoor is eradicated.
2023-11-10 09:01:41 thehackernews MISCELLANEOUS Balancing Automation and Customization in Security Operations
Security Operations Centers (SOCs) are embracing automation due to the sheer volume of threat signals, with an estimated 80% being common across organizations. Despite the efficiency of automated solutions, they cannot entirely replace human judgment for detection and response, necessitating customized approaches for unique threats. The GigaOm Radar for Autonomous Security Operations Center report warns against fully autonomous SOCs and highlights the demand for products offering both automated and customizable capabilities. Advanced vendor solutions automate various SOC workflow stages, including integration of threat intelligence feeds and pre-built detection rules, to manage the majority of alerts effectively. Customization is vital for addressing industry- or company-specific use cases, accounting for the unique 20% of threats that automation alone cannot manage. Vendors that combine automation with customization capabilities, such as Hunters, enable organizations to tailor their security strategies while maintaining efficiency in threat management. An effective SOC requires a blend of automated capabilities for common threats and the flexibility to address particular needs, avoiding a one-size-fits-all approach to security tools.
2023-11-10 08:03:56 theregister CYBERCRIME ICBC Ransomware Attack Disrupts US Treasury Trades
ICBC, China's largest bank, suffered a ransomware attack, disrupting its financial services systems and impacting global trade activities. The bank responded by disconnecting and isolating the compromised systems to contain the incident and has been working on an investigation and recovery. ICBC's domestic and foreign affiliates were not affected as they operate independently from the bank's core systems. The cyber-attack hampered US Treasury market operations, preventing the settlement of trades for market participants. Cybersecurity analysts linked the incident to the exploitation of the "CitrixBleed" vulnerability in an unpatched Citrix Netscaler box. The attack's consequences expanded to equity traders being unable to place or clear trades through ICBC due to connectivity issues. The ransomware gang LockBit, known for acquiring significant sums through numerous attacks since 2020, is suspected to be behind the attack. Experts call for stricter measures against ransomware, highlighting the ineffectiveness of current strategies and suggesting a prohibition on ransom payments.
2023-11-10 07:12:49 thehackernews NATION STATE ACTIVITY Iranian Cyber Group Imperial Kitten Targets Middle East Tech
Iranian-linked cyber group Imperial Kitten has targeted sectors in the Middle East involving transportation, logistics, and technology, with a focus on Israel. CrowdStrike attributes the attacks to Imperial Kitten, also known as Crimson Sandstorm, TA456, Tortoiseshell, and Yellow Liderc, which has been active since at least 2017. The group uses social engineering and recruitment-related content to deliver custom .NET-based malware and has also employed watering hole attacks, exploiting website vulnerabilities and using stolen credentials and phishing. Imperial Kitten leverages job-themed phishing campaigns using macro-laden Excel documents to install a Python-based reverse shell for command and control communications. Post-exploitation tactics include lateral movement tools like PAExec and NetScan, as well as deployment of IMAPLoader, StandardKeyboard implants, and a RAT that uses Discord for command and control. Microsoft reports that Iranian cyber activity has been more reactive and opportunistic since the onset of the Israel-Hamas war on October 7, 2023, with Iranian operators employing their established tactics and exaggerating their success. Related cyber activities include the Hamas-affiliated Arid Viper targeting Arabic speakers with Android spyware through malicious apps impersonating Skipped and Telegram.
2023-11-10 05:10:37 thehackernews MALWARE Stealth Android Spyware "Kamran" Targets Urdu Speakers in Gilgit-Baltistan
A covert cyber espionage campaign targeting Urdu-speaking users has been identified by ESET, involving a spyware named Kamran. The malware was disguised as a legitimate Android app offered by Hunza News, a regional news website serving the Gilgit-Baltistan area. The app contained espionage features and has compromised at least 20 devices, collecting a wide range of personal data. Users visited the website and were prompted to download the app directly, bypassing the security of the Google Play store. The spyware requests extensive permissions to exfiltrate sensitive information, including contact details, call logs, messages, location, and more, to a Firebase server. The design of Kamran spyware is relatively simple, with no remote control capabilities, and it repeatedly uploads the same data to the control server. The threat actor behind Kamran has not been identified, and the app has only been distributed through the website, not via any official app stores.