News Items

The ransomware gang known as Sabbath is targeting critical infrastructure groups in North America. Sabbath has targeted US and Canadian critical infrastructure, including education, national resources, and health sectors. For example, the threat group extorted a US school district on social media in October 2021, demanding the payment of a multi-million dollar ransom. The Sabbath ransomware group also steals data in bulk and destroys backups in targeted attacks. Organizations are encouraged to limit access to legacy systems, improve visibility over network assets, and use threat intelligence to defend against Sabbath ransomware attacks. This article continues to discuss notable Sabbath ransomware incidents, the increased targeting of data backups by ransomware groups, and how organizations could defend themselves against Sabbath ransomware attacks.

SecurityIntelligence reports "Sabbath Ransomware Gang Targets Critical Infrastructure, Backups"

However sophisticated and resourceful cybercriminals can be, they still make mistakes. The India-based threat actor group called Patchwork, which has targeted users and government organizations in Pakistan, accidentally left its hacking strategies exposed online. Since 2015, Patchwork has affected various entities in Pakistan through the performance of spearphishing attacks. According to Malwarebytes, the attackers inadvertently exposed their malware details, captured keystrokes, and screenshots. Patchwork was found to have used malicious RTF files to drop a new variant of the BADNEWS Trojan dubbed Ragnatela in a campaign that lasted from late November to early December 2021. This article continues to discuss the Patchwork group's accidental exposure of its own hacking strategies, the group's use of Ragnatela in its recent campaign, the capabilities of this Trojan, and those that have fallen victim to it.

CISO MAG reports "Bad News for Hackers! Patchwork Group Expose Themselves in Malware Campaign"

A cyberattack on the Medical Review Institute of America (MRIoA) may have exposed the personal data of 134,571 individuals. MRIoA provides clinical reviews and virtual medical opinions. MRIoA is based in Salt Lake City, Utah. MRIoA stated that it was "the victim of a sophisticated cyber incident" discovered on November 9, 2021, that resulted in an adversary gaining unauthorized access to its network and exfiltrating data. MRIoA stated that the attackers broke into its computer system by exploiting an alleged vulnerability in a product made by SonicWall. The firewall maker confirmed that an intruder had accessed MRIoA's environment through a SonicWall vulnerability on November 2, 2021. Information affected by the incident may have included first and last name, gender, home address, phone number, email address, date of birth, and social security number. Additionally, information affected may have included clinical information, such as medical history/diagnosis/treatment, dates of service, lab test results, prescription information, provider name, and medical account number. Other information that may have been breached includes financial information, including health insurance policy and group plan number, group plan provider, and claim information. In the wake of the attack, MRIoA said it had new servers "built from the ground up to ensure all threat remnants were removed."

Infosecurity reports: "Clinical Review Vendor Reports Data Breach"

A cyberattack on a city in California has resulted in the exfiltration of personal and financial data belonging to vendors, city employees, and their spouses. A notice published by Grass Valley states that an unknown attacker was able to access some of the city's IT systems for four months last year. The city said that the attacker exploited the unauthorized access they enjoyed between April 13 and July 1, 2021, to steal data belonging to an unspecified number of individuals. Victims affected by the data breach include Grass Valley employees, former employees, spouses, dependents, and individual vendors hired by the city. Other victims include individuals whose information may have been provided to the Grass Valley Police Department and individuals whose information was provided to the Grass Valley Community Development Department in loan application documents. The information exposed during the attack was found to include social security numbers, driver's license numbers, vendor names, and limited medical or health insurance information. For individuals whose information may have been provided to the Grass Valley Police Department, the impacted data included the name and one or more of the following: social security number, driver's license number, financial account information, payment card information, limited medical or health insurance information, passport number and username and password credentials to an online account. Individuals who had applied for a community development loan may have had names and social security numbers, driver's license numbers, financial account numbers, and payment card numbers compromised. Grass Valley started notifying victims of the data breach on January 7, 2022.

Infosecurity reports: "Cyber-Thieves Raid Grass Valley"

Researchers at the cybersecurity firm SentinelOne have shared findings from their analysis of a flaw in the KCodes NetUSB kernel module that puts millions of end-user router devices from Netgear, TP-Link, Tenda, EDIMAX, D-Link, Western Digital, and more, at risk of Remote Code Execution (RCE). KCodes NetUSB is proprietary software that allows devices such as routers, printers, and flash storage devices to provide USB-based services over IP. The bug was discovered during the examination of a Netgear device by the SentinelOne vulnerability researcher, Max Van Amerongen. The kernel module, NetUSB, was found improperly validating the size of packets fetched through remote connections, potentially resulting in a heap buffer overflow. This article continues to discuss the discovery, potential exploitation, severity, and disclosure of the KCodes NetUSB flaw.

ZDNet reports "KCodes NetUSB Kernel Remote Code Execution Flaw Impacts Millions of Devices"

Security researchers at Intezer have discovered a new malware dubbed SysJoker. The brand-new multiplatform malware, likely distributed via malicious npm packages, is spreading under the radar, with Linux and Mac versions going fully undetected in VirusTotal. The Windows version, according to the researchers, has only six detections. These were uploaded to VirusTotal with the suffix ".ts," which is used for TypeScript files. SysJoker is used to establish initial access on a target machine. Once installed, it can execute follow-on code as well as additional commands, through which malicious actors can carry out follow-on attacks or pivot to move further into a corporate network. This kind of initial access is also a hot commodity on underground cyberforums, where ransomware groups and others can purchase it. The researchers stated that SysJoker was first seen in December during a cyberattack on a Linux-based web server of a "leading educational institution." Its command-and-control (C2) domain registration and other sample data show that this malware appears to have been created in the second half of 2021.

Threatpost reports: "Fully Undetected SysJoker Backdoor Malware Targets Windows, Linux & macOS"

Researchers at Check Point have found that global weekly cyberattacks hit an all-time high in Q4 2021 of 925 attempts per organization. The researchers analyzed information collected by hundreds of millions of global sensors from Check Point's Threat Prevention products across networks, endpoints, and mobiles. The researchers claimed attempted attacks have been continuously increasing since Q2 2020, with 50% more attacks seen per week on corporate networks in 2021 compared to 2020. The researchers noted that the education and research sector experienced the highest volume of attacks during 2021, amounting to an average of 1605 per organization every week, a 75% increase from 2020. It was followed by government/military with 1136 attacks, up 47% year-on-year, and communications with 1079, up 51%. Africa experienced the highest volume of weekly attacks in 2021, with an average of 1582 per organization, a 13% increase from 2020. However, European organizations experienced the most significant increase in weekly attacks, up 68% to 670. The researchers stated that ransomware was particularly prevalent over 2021. Check Point warned last October that attacks had spiked 40% since 2020, with one out of every 61 organizations worldwide impacted each week. The researchers urge firms to segment their networks, patch promptly, educate their employees and layer up advanced security controls like sandboxing and anomaly detection.

Infosecurity reports: "Corporate Cyberattacks Spike 50% in 2021"

David Maimon, Associate Professor of Criminal Justice at Georgia State University and the Evidence-Based Cybersecurity Research group he directs, explored 60 black market communication channels on the Internet to gain more insight into the online fraud ecosystem and to systematically gain data on it to identify trends. One of the observations made by Maimon and his team of graduate students is the rise in stolen checks, believed to be taken from US Postal Service and personal mailboxes. They looked at 60 online chat room channels, including group chats on messaging apps such as WhatsApp, ICQ, and Telegram, where people were known to sell fraudulent documents. An analysis of data gathered from those channels revealed that an average of 1,325 stolen checks were being sold every week in October 2021, a significant increase from the 634 being sold per week in September and 409 in August. Cybercriminals can use these stolen checks to steal a victim's identity, submit false applications for loans, access the victim's bank account, and more. This article continues to discuss the increased distribution and use of stolen checks among cybercriminals.

NextGov reports "How Cybercriminals Turn Paper Checks Stolen from Mailboxes into Bitcoin"

A cyberattack has forced the government of New Mexico's most populous county to close most of its county buildings to the public. Bernalillo County had to take some of its IT systems offline after becoming the target of a digital assault that county officials suspect was a ransomware attack. In a statement, the county said that all public safety departments, such as emergency 911 communications, the Sheriff's Office, and Fire and Rescue, were operating as usual "using back-up contingencies." However, the incident caused the county's Metropolitan Detention Center to cancel inmate visits last Wednesday. The county did not share any information about how or by whom the attack was orchestrated. Nor has the county stated if any data has been compromised or if it has received a ransom demand. The attack on Bernalillo County is also disrupting the local real estate industry. With key county IT systems offline, realtors cannot access information such as taxes and deeds that are needed to complete property sales.

Infosecurity reports: "Cyberattack on New Mexico County"

Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

A company that operates multiple fertility centers across Northern Illinois has suffered a data breach because of a cyberattack. Fertility Centers of Illinois (FCI) reported that the data breach affected 79,943 current and former patients. The unidentified adversary had access to some of the patients' protected health information (PHI) and could access personal data belonging to FCI employees. FCI hired third-party computer forensic specialists after the company detected suspicious network activity on February 1, 2021. Cybersecurity measures implemented by FCI ensured that the company's electronic medical record system could not be accessed, but the attacker was able to get into administrative files and folders. By August 27, 2021, FCI reviewed the contents of the compromised files and determined that they contained a range of patient data, including names in combination with one or more of the following types of information: Social Security numbers, passport numbers, financial account information, payment card information, diagnoses, treatment information, medical record numbers, billing/claims information, prescription information, Medicare/Medicaid identification information, health insurance group numbers, health insurance subscriber numbers, patient account numbers, encounter numbers, referring physicians, usernames and passwords with PINs, or account login information. Employee information potentially compromised in the cyberattack included names, employer-assigned identification numbers, ill-health/retirement information, occupational health-related information, medical benefits and entitlements information, patkeys/reason for absence and sickness certificates.

Infosecurity reports: "Cyberattack on Fertility Centers of Illinois"

Some malware samples that emerged in 2021 further proved that Apple's technologies are not invulnerable to attacks. The security researcher, Patrick Wardle, released a list of new Mac malware threats that emerged last year, identifying the infection vector, installation, persistence mechanisms, and other features for each malware sample. His list is intended to give security professionals better insight into threats facing macOS at a time when its use increased, largely due to the shift to remote work during the COVID-19 pandemic. A 2021 survey of 300 IT professionals revealed that employee use of Apple devices had increased significantly. Over 50 percent of the respondents reported that requests for Apple devices had also grown. Wardle's list consists of eight new malware samples that target macOS. It includes ElectroRAT, a cross-platform Remote Access Trojan (RAT), and Silver Sparrow, a malware tool that targets Apple's M1 chip. It also includes a cross-platform password stealer called XLoader as well as a macOS implant dubbed MacMa. Each of the malware samples was discovered by different antivirus and security firms. Last year's most significant Mac malware threats fell under the categories of cryptominers, adware, information stealers, and cross-platform Trojans. Although Macs have some security advantages, they are becoming less effective because malware is increasingly targeting browser plugins instead of the underlying OS. Malware developers are also creating more cross-platform applications independent of the OS. Jaron Bradley, macOS Detections Manager at Jamf, pointed out that threat actors had put a lot of effort into attacking Macs in 2021. Such efforts included looking for new zero-day vulnerabilities and exploiting them to deliver Mac-specific malware. The distribution of Mac-specific malware implementing zero-day bypasses shows that attackers are becoming more familiar with macOS and willing to spend time building these exploits. This article continues to discuss Wardle's list of new Mac malware samples that surfaced in 2021 and the misperception about Macs.

Dark Reading reports "New Mac Malware Samples Underscore Growing Threat"

Researchers at the cybersecurity company Sygnia have detailed a highly organized and stealthy cybercriminal operation dubbed 'Elephant Beetle.' The Elephant Beetle threat group has stolen millions of dollars from financial organizations, primarily focusing on organizations in Latin America. The researchers warn that the campaign could expand its attacks to organizations globally. According to the researchers, the actors behind the attacks take their time to examine compromised victims' financial systems to create fraudulent transactions hidden in regular activity, adding up to millions of dollars being stolen. The threat group uses legacy Java applications running on Linux-based machines and web servers as an initial entry point as such applications likely contain unpatched vulnerabilities. The vulnerabilities exploited by Elephant Beetle to gain network access are Primefaces Application Expression Language Injection, WebSphere Application Server SOAP Deserialization Exploit, SAP NetWeaver Invoker Servlet Exploit, and SAP NetWeaver ConfigServlet Remote Code Execution. The initial payload is an obfuscated web shell-enabling remote code execution or a sequence of exploitations that run different commands on the target machine. Elephant Beetle uses more than 80 unique tools and scripts to conduct the attacks and identify additional security flaws while hiding inside networks for months at a time. The attackers focus on smaller transactions to avoid suspicion, but all the transactions against victims add up to millions of dollars. Phrases and keywords used in code involved in Elephant Beetle incidents suggest that the actors behind the attacks are Spanish-speaking. Researchers have also noted that many of the command-and-control (C2) servers used by Elephant Beetle appear to be in Mexico. This article continues to discuss findings surrounding the organized financial-theft operation, Elephant Beetle.

ZDNet reports "Cybersecurity Researchers Warn About Cyberattacks by 'Elephant Beetle'"

Existing Machine Learning (ML) models have many inherent vulnerabilities that leave the technology open to spoofing, corruption, and other forms of deception. Attacks against Artificial Intelligence (AI) algorithms could lead to altered content recommendation engines, the disruption of self-driving vehicles, and more. These vulnerabilities raise concerns as ML models become increasingly integrated into critical infrastructure and systems. A program launched by DARPA (Defense Advanced Research Projects Agency), called Guaranteeing AI Robustness against Deception (GARD), aims to develop a new generation of defenses against adversarial attacks on ML models in order to get ahead of this safety challenge. One of GARD's objectives is to develop a testbed for characterizing ML defenses and evaluating the scope of their applicability. The field of adversarial AI is relatively new, so there are only a few methods for testing and evaluating potential defenses. In addition, these existing methods have been found to lack rigor and sophistication. It is critical to ensure that emerging defenses keep pace with or outperform the capabilities of known attacks to establish trust and guarantee their eventual use. GARD researchers have developed several resources and virtual tools to strengthen the community's efforts in evaluating and verifying the efficacy of existing and emerging ML models and defenses against adversarial attacks. GARD researchers from Two Six Technologies, IBM, MITRE, Google Research, and the University of Chicago, worked together to create a virtual testbed, toolbox, and benchmarking dataset, as well as training materials to support this effort. They made these assets available through a public repository for the broader research community to use. The virtual testbed, called Armory, enables repeatable, scalable, and robust evaluations of adversarial defenses. It allows researchers to test their defenses against known attacks and relevant scenarios. The Armory testbed also lets researchers make changes to scenarios to ensure that their defenses can be used across various attacks. This article continues to discuss the goals and developments of the GARD program.

Homeland Security News Wire reports "Aiding Evaluation of Adversarial AI Defenses"

This New Year, why not resolve to ditch your dodgy old passwords?

Most of the classic New Year resolutions revolve around improving your health and lifestyle. But this year, why not consider cleaning up your passwords too?

SoS Musings #56 -

The Cybersecurity Workforce Gap Remains

Cybersecurity Snapshots #25 -

Schools and Universities Targeted by Hackers During Pandemic

Broward Health has discovered that a data breach has compromised the personal information of their patients and employees. The incident impacts roughly 1,358,000 individuals. The incident was disclosed on January 1, 2022, when the organization announced that unauthorized access to a third-party medical provider resulted in patient and employee data being compromised. The organization stated that the threat actor gained access to the system on October 15, and the intrusion was discovered on October 19. The potentially compromised data includes names, birth dates, contact information (addresses and phone numbers), driver's license numbers, Social Security numbers, financial information, insurance data, and medical information such as condition, diagnosis, medical history, treatment, and medical record number. The company stated that this personal information was exfiltrated, or removed, from Broward Health's systems, however, there is no evidence the intruder actually misused the information.

SecurityWeek reports: "Broward Health Data Breach Impacts 1.3 Million People"

The Tehran-based security firm Amnpardaz discovered and analyzed malware dubbed iLOBleed. It is described as a sophisticated rootkit designed to target HP servers. Findings suggest that it has been used to target organizations in Iran, but no other information has been shared about those who have fallen victim to the malware. The rootkit's sophistication indicates that an Advanced Persistent Actor (APT) is likely behind it. According to Amnpardaz, iLOBleed is an implant that targets Hewlett Packard Enterprise's (HPE) Integrated Lights-Out (iLO) embedded server management technology. This technology allows users to monitor, configure, and update their servers remotely. HP servers' motherboard is embedded with iLO. The rootkit, which was first discovered in 2020, appears to use iLO firmware vulnerabilities found and disclosed over the past years. Although these vulnerabilities could have been fixed in more recent versions of HP firmware, it is possible for an attacker to downgrade the firmware to a more vulnerable version, which can be done on most systems. In addition, users cannot disable iLO completely. The iLOBleed rootkit can be delivered to targeted devices via the dedicated iLO network port. A user with administrator or root privileges can also deliver the rootkit through the server's operating system. When it is deployed on a device, the rootkit adds a malicious module to the iLO firmware, giving the attackers complete control over the compromised machine. Rootkits such as iLOBleed are highly persistent and stealthy. This article continues to discuss findings regarding the targets, delivery, and process of the iLOBleed rootkit.

Security Week reports "Sophisticated iLOBleed Rootkit Targets HP Servers"

A ransomware attack faced by the restaurant and hotel chain McMenamins on December 12, 2021, compromised 12 years of internal employee data. The ransomware attack forced the organization to shut down different operations, but its locations can still serve customers. McMenamins has confirmed that the attackers were able to compromise internal data belonging to employees who have worked for the company between January 1, 1998, and June 30, 2010. This set of data includes personal information such as names, home addresses, telephone numbers, email addresses, medical notes, Social Security numbers, income amounts, and more. The attackers could sell or use this data to carry out phishing attacks, commit identity theft, and other malicious activities. McMenamins is offering identity and credit protection services to past and current employees in response to the discovery. The organization has also dedicated a call center to answer questions about the ransomware incident. Letters have been sent to all affected individuals about what information was compromised and how they can protect their identity and credit. This article continues to discuss the impact and perpetrators of the December ransomware attack against McMenamins.

Threatpost reports "McMenamins Data Breach Affects 12 Years of Employee Info"

Intermountain Healthcare-owned Saltzer Health is informing patients that their personal information might have been compromised after an unauthorized party gained access to an employee email account. The organization operates 12 clinics and urgent care facilities in Boise, Caldwell, Meridian, and Nampa, Idaho, and said the attackers had access to the employee email account between May 25 and June 1, 2021. The company stated that the investigation into the incident revealed that the email account contained personal information that was potentially compromised during unauthorized access. Potentially affected information includes names and contact information, driver's license numbers and state identification numbers, and, in some cases, Social Security numbers and financial account details. Medical information affected by the unauthorized access includes diagnosis, medical history, treatment details, prescription medication information, and physician information, along with health insurance information. Saltzer Health's told the U.S. Department of Health and Human Services that the incident potentially impacted 15,650 people. The organization stated it has taken steps to mitigate the risk of data compromise within its environment, including resetting the affected email account's password and monitoring its network for any suspicious activity. According to Saltzer Health, it hasn't received reports of identity theft or fraud following the incident.

SecurityWeek reports: "Saltzer Health Informs Patients of Personal Information Exposure"

AT&T and Verizon won't start rolling out their C-band 5G service on January 5th like they originally planned. Instead, they have agreed to comply with a request from the Federal Aviation Administration and the Transportation Department to push back their 5G expansion by two more weeks. Authorities asked the companies for extra time to investigate concerns regarding possible interference with aircraft systems and electronics. Airlines and aircraft manufacturers are worried that the new frequencies are too close to those used by airplanes' radar altimeter, which provides data on the distance between the plane and the ground. Interferences with the airplane's radar altimeter could lead to unsafe landings. Wireless industry giants argue, however, that the C-band service's powers are low enough and that the gap in frequencies is large enough to prevent interference.

Engadget reports: "AT&T And Verizon Will Delay 5G Expansion Over Aircraft Interference Concerns"

In November 2021, ten months after Emotet's servers and infrastructure were taken down by an international task force, the botnet returned. The new Emotet consisted of two botnets that used different encryption for communication and additional commands than the previous version taken down in January 2021. The threat had made up 7 percent of attacks on organizations globally, at the time, and often delivered malware or ransomware to 1.6 million compromised machines. The revival of Emotet brings further attention to the lack of permanence of botnet takedowns. According to David Monnier, a fellow with the threat intelligence firm Team Cymru, Emotet's resurgence as well as the return of TrickBot in 2020 calls on the industry and government agencies to further examine whether the takedown tactic needs to be revised or revisited. Attackers' ability to learn from their actions and return with improved tactics, techniques, and procedures (TTPs), prevents many takedown efforts from being successful. Although defenders and law enforcement are getting better in takedown efforts, the balance is currently in favor of attackers. While the balance still seems to favor attackers, defenders must continue striving to increase the speed of disruption efforts and increase the time it takes for attackers to recover by taking down servers and infrastructure. Consistent effort will keep pressure on malicious actors and make cybercrime less profitable. This article continues to discuss the temporary Emotet shutdown, why many cybercrime shutdowns lack permanence, and the importance of continuing efforts to disrupt cybercrime activity.

Dark Reading reports "In the Fight Against Cybercrime, Takedowns Are Only Temporary"

Security researchers have warned that replicable attacks and a low barrier to entry will ensure the rate of supply chain attacks increases in 2022. The researchers stated that by compromising a centralized service, platform, or software, attackers can then either conduct widespread infiltration of the customers and clients of the original victim or may choose to cherry-pick from the most valuable potential targets. Doing this can save adversaries time and money, as one successful attack can open the door to potentially thousands of victims at once. In an analysis of 24 recent software supply chain attacks, including those experienced by Codecov, Kaseya, SolarWinds, and Mimecast, the European Union Agency for Cybersecurity (ENISA) said that the planning and execution stage of supply chain attacks are usually complex, but the attack methods often chosen are not. The researchers noted that supply chain attacks can be conducted through the exploitation of software vulnerabilities, malware, phishing, stolen certificates, compromised employee credentials & accounts, vulnerable open source components, and firmware tampering, among other vectors. Ilkka Turunen, Field CTO of Sonatype, said that malicious software supply chain activity is likely to increase in 2022 due to low barrier to entry attack methods, such as dependency confusion, which is a "highly replicable" attack method. Security researchers also believe that ransomware incidents will also increase in 2022. Forcepoint researchers expect to see a "significant" rise in copycat attacks against the supply chain in 2022. The researchers at Forcepoint are urging organizations to conduct frequent code reviews of software used. They also encourage organizations to keep security in mind during every step of the software development and deployment process.

ZDNet reports: "Copycat And Fad Hackers Will be The Bane of Supply Chain Security in 2022"