Cyber Briefing - 2023.05.25
The latest in cybersecurity: GitLab, Agrius, Moneybird, Barracuda Email, PowerExchange Backdoor, Apria Healthcare, Ransomware, Iran, Israel, NSA, Biden, Netflix
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
GitLab issued a security advisory on May 23, 2023 addressing a critical vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0. Self-managed installations running that release should be upgraded to the patched release without delay; the advisory is the authoritative source for the fixed version and any additional mitigations.
State-aligned hackers from Russia, Iran, and North Korea are increasingly focusing their cyberattacks on small and medium businesses (SMBs) worldwide. Proofpoint researchers have discovered that these advanced persistent threat actors are employing compromised SMB infrastructure in phishing campaigns, targeting SMBs, governments, militaries, and major corporations. Additionally, state-aligned financial theft and supply chain attacks are being conducted against SMB financial services firms and vulnerable regional managed services providers. The researchers warn that SMBs face a tangible risk from these APT actors and anticipate a continued rise in SMB targeting throughout 2023.
Agrius, a suspected Iranian state-sponsored threat actor, has introduced a new ransomware strain called 'Moneybird' in its ongoing attacks against Israeli entities. Check Point researchers, who discovered the ransomware, believe that Agrius developed it to expand its operations and evade detection. The group gains initial access by exploiting vulnerabilities in public-facing servers, hides behind Israel-based ProtonVPN nodes, and deploys web shells to move into the corporate network; it then encrypts target files with AES-256 and demands an exorbitant ransom. Because payment at that price is unrealistic, the operation is assessed as effectively destructive: its goal is business disruption rather than revenue.
Barracuda, a network security solutions provider, disclosed a recent breach of its Email Security Gateway (ESG) appliances caused by threat actors exploiting a now-patched zero-day vulnerability. The vulnerability, identified as CVE-2023-2868, was found in the email attachment screening module and promptly fixed with security patches released on May 20 and 21. Although the impact is significant due to the widespread use of ESG appliances by numerous organizations globally, Barracuda assured that its SaaS email security services remained unaffected. Impacted customers were notified through the ESG user interface, while the company recommends conducting network reviews to identify any further compromises.
The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about an ongoing cyberespionage campaign targeting state bodies in Ukraine. The threat actor, tracked as UAC-0063, has been sending spear-phishing emails to government departments while impersonating the Embassy of Tajikistan. The emails carry weaponized documents that, when opened with macros enabled, trigger a chain of malicious actions including the installation of keyloggers and backdoors. The campaign's scope extends beyond Ukraine, with indications of potential targets in Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India.
A new PowerShell-based backdoor called PowerExchange has been used by the Iranian state-sponsored group APT34 against on-premises Microsoft Exchange servers. Alongside the backdoor, the attackers deployed a web shell named ExchangeLeech to harvest user credentials. PowerExchange communicates with its command-and-control server through emails sent via the Exchange Web Services (EWS) API, so its traffic blends in with legitimate mail flow and is hard to spot. FortiGuard Labs attributes the attacks to APT34 based on similarities between PowerExchange and TriFive, a backdoor the group used previously.
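Both the Agrius item and the APT34 item above turn on web shells dropped onto public-facing servers. The script below is an added example of how a responder could hunt for them on a web root; it is not tooling from Check Point, Fortinet or the actors described, and the file names, the directory layout, the allowlist hashes and the list of suspicious patterns are all assumptions chosen for illustration. It flags server-side script files that contain command-execution or dynamic-evaluation constructs, or that are both absent from a known-good hash allowlist and newer than a baseline timestamp; a content hit alone is enough to flag a file, because attackers routinely timestomp their shells to look old.

```python
"""Web shell hunt over a web root (added example; hypothetical patterns and layout)."""
import hashlib
import os
import re
import tempfile
import time
from pathlib import Path

# Server-side script extensions an IIS/Exchange or PHP front end would execute.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".php", ".jsp"}

# Illustrative list of constructs common in web shells (assumption, not a complete set).
SUSPICIOUS_PATTERNS = [
    ("process start", re.compile(rb"Process\.Start|ProcessStartInfo", re.I)),
    ("shell binary", re.compile(rb"cmd\.exe|powershell(\.exe)?", re.I)),
    ("request parameter to code", re.compile(rb"Request\s*[\[(]\s*[\"'][^\"']+[\"']\s*[\])]", re.I)),
    ("dynamic eval", re.compile(rb"\beval\s*\(|\bassert\s*\(|\bsystem\s*\(|shell_exec", re.I)),
    ("base64 decode", re.compile(rb"FromBase64String|base64_decode", re.I)),
]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_webshells(web_root, allowlist, since_epoch):
    """Return sorted (relative_path, reasons) for suspicious script files.

    allowlist: SHA-256 hex digests of files shipped by the product at the current patch level.
    since_epoch: baseline time; files modified after it count as new.
    """
    root = Path(web_root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        unlisted = sha256_file(path) not in allowlist
        is_new = path.stat().st_mtime > since_epoch
        data = path.read_bytes()
        hits = [label for label, rx in SUSPICIOUS_PATTERNS if rx.search(data)]
        reasons = []
        if unlisted:
            reasons.append("not in allowlist")
        if is_new:
            reasons.append("modified after baseline")
        if hits:
            reasons.append("suspicious content: " + ", ".join(hits))
        # Content hits are decisive on their own (mtime can be forged); an unlisted
        # file that is merely new, or a new file that is allowlisted, is not flagged.
        if hits or (unlisted and is_new):
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            findings.append((rel, reasons))
    return sorted(findings)


def build_sample_tree():
    """Constructed web root: two vendor files, one new shell, one timestomped shell."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    baseline = time.time() - 30 * 86400          # baseline: 30 days ago
    old = baseline - 86400                        # a day before the baseline
    allowlist = set()

    vendor = root / "owa" / "auth" / "logon.aspx"
    vendor.parent.mkdir(parents=True)
    vendor.write_bytes(b'<%@ Page Language="C#" %><html>logon</html>')
    allowlist.add(sha256_file(vendor))
    os.utime(vendor, (old, old))                  # old and allowlisted: clean

    patched = root / "owa" / "auth" / "patched.aspx"
    patched.write_bytes(b'<%@ Page Language="C#" %><html>updated by vendor</html>')
    allowlist.add(sha256_file(patched))           # new but allowlisted: clean

    shell = root / "ecp" / "auth" / "errors.aspx"
    shell.parent.mkdir(parents=True)
    shell.write_bytes(b'<%@ Page Language="C#" %><% System.Diagnostics.Process.Start('
                      b'"cmd.exe", "/c " + Request["cmd"]); %>')   # new, unlisted, hits

    stomped = root / "owa" / "auth" / "upload.php"
    stomped.write_bytes(b'<?php eval(base64_decode($_POST["x"])); ?>')
    os.utime(stomped, (old, old))                 # timestomped: only content gives it away
    return root, allowlist, baseline


if __name__ == "__main__":
    root, allowlist, baseline = build_sample_tree()
    for rel, reasons in hunt_webshells(root, allowlist, baseline):
        print(rel, "->", "; ".join(reasons))
```

On a real server the allowlist would be built from a clean install at the same patch level, and the baseline set to the last legitimate change; the pattern list should be treated as a starting point to tune, not as a signature set.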
NCB Management Services, a US-based debt collector, has experienced a data breach that exposed the financial information of approximately 1.1 million individuals, including payment card numbers and security codes. The company has indicated that it is considering paying a ransom to the attackers. NCB took three days to detect the breach, and while no misuse of the data has been reported, experts caution against ransom payments and advise affected individuals to monitor their accounts and credit reports for any signs of unauthorized activity or identity theft. NCB has assured customers that it has taken steps to prevent further unauthorized access and will provide identity theft monitoring services free of charge for two years.
Apria Healthcare, a home healthcare equipment provider serving millions of patients, disclosed a data breach that occurred over multiple months in 2019 and 2021. The breach potentially exposed personal, medical, health insurance, and financial information of nearly 1.9 million patients and employees, including bank account and credit card numbers with security codes. Although Apria claims no evidence of data theft, experts warn of possible ongoing identity theft and emphasize the need for enhanced cybersecurity measures.
One of New England's major health insurers, Point32Health, revealed that patient data, including medical history and diagnoses, was compromised in a ransomware attack. The incident was discovered on April 17, and an investigation was launched with cybersecurity experts. The affected files contain personal and protected health information of current and former subscribers, including clinical data, Social Security numbers, addresses, and insurance account details. While no misuse has been reported so far, the insurer has begun notifying potentially impacted individuals and providing resources for assistance.
Iranian Hackers Target Israeli Shipping
Israeli shipping and logistics companies have fallen victim to a series of cyber attacks believed to be orchestrated by the Iranian hacker group Tortoiseshell, according to ClearSky, a cybersecurity company based in Tel Aviv. The hackers employed a watering hole attack, compromising websites frequented by their target audience to inject malicious code. The attack aimed to collect user data such as IP addresses, screen resolutions, and previously visited webpages, with the intention of tailoring future attacks. This incident highlights the ongoing cyber conflict between Iran and Israel, with Iranian actors continually enhancing their capabilities in recent years.
Thomas Hardye School in Dorchester has fallen victim to a cyber attack that disrupted its IT systems and website, with the hackers demanding a ransom for their release. Despite the incident, the school remains open, with teaching adjusted accordingly and exams proceeding as scheduled. The attack has had a widespread impact on operations that rely on the school server, including canteen payments, fingerprint-based pupil payments, electronic diaries, records, and messaging.
CommonSpirit, a nonprofit Catholic hospital chain operating 143 hospitals and 2,300 care facilities across 22 states, has revealed that a ransomware incident last fall cost the organization an estimated $160 million. The updated figure, disclosed in an unaudited report sent to investors, includes lost revenues, remediation costs, and other related business expenses. While CommonSpirit expects insurance coverage to alleviate most of the financial burden, the company is also facing potential class action lawsuits related to the cyberattack.
President Joe Biden has selected Air Force Lt. Gen. Timothy Haugh to head the National Security Agency (NSA) and U.S. Cyber Command, taking over from Army Gen. Paul Nakasone. Haugh's responsibilities would include fortifying Ukraine's cybersecurity, combating foreign interference in American elections, and addressing ransomware attacks. While some Republicans have advocated for splitting the leadership, the Biden administration supports the "dual-hat" arrangement, which allows for more efficient decision-making and quick response to cyber threats.
Netflix has started its crackdown on users who have been sharing their accounts with others for free, extending the policy to over 100 countries. The streaming giant announced the move, which requires individuals outside the original household to pay for access or create their own account, through an email sent to account holders worldwide. While account sharing within the same household is still allowed, Netflix aims to recoup subscription fees lost due to the widespread practice of sharing passwords, which has impacted their profits.
European cybersecurity firm Sekoia.io has secured €35 million in Series A funding, bringing its total funding to €45 million. The funding round saw participation from Banque des Territoires, Bright Pixel, and previous investors. Sekoia.io, launched in 2020, offers a security-as-a-service platform that enables organizations to identify and respond to emerging threats in real time. With plans to expand its presence in new markets, the company aims to become a leading provider of cyber detection and response solutions in Europe.
Copyright © 2023 CyberMaterial. All Rights Reserved.