Cyber Intelligence Briefing: 11 November 2022

Miles Arkwright, Jon Seland 11 November 2022

CYBER SECURITY INSIGHTS REPORT 2022

We reveal the challenges faced by C-suite professionals and senior IT leaders across three key areas of cyber security – budgets, incidents and insurance.

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.


TOP NEWS STORIES THIS WEEK

  1. Incidents are on the rise. S-RM research reveals that 75% of large organisations have experienced a serious cyber-attack within the last three years, up from 60% in 2021.
  2. Pay up. SolarWinds and Aveanna Healthcare settle data breach lawsuits.
  3. Train to nowhere. Ransomware attack brings Danish trains to a halt.
  4. Data leak. Threat actors leak Medibank customer data.
  5. Conti resurgence? Black Basta and BlackByte target European critical infrastructure.
  6. Stop the count. Russian hacktivists claim DDoS attacks on US state election websites.
  7. Bitcoin bust. Hacker who stole USD 1 billion Bitcoin arrested.
  8. Patch, patch, patch! Microsoft releases patches for 68 flaws, including two Microsoft Exchange zero-day bugs.

1. INCIDENTS ARE ON THE RISE

Our 2022 research, the S-RM Cyber Security Insights Report 2022, shows no let-up in serious cyber incidents. Of the 600 respondents, all senior leaders from large organisations with revenue of over USD 500 million, 75% said they had experienced a serious cyber incident within the past three years. When we asked the same question last year, the figure was 60%. That is a 15 percentage point difference, or a 25% increase overall. Incidents of all types were up, but the biggest rises were in data exfiltration (11%) and ransomware/extortion (10%).

SO WHAT?

Despite revenues of over USD 500 million, the statistics suggest that many of these organisations are either not investing in the right places or that their information security initiatives, such as employee training or the roll-out of security tools, have not been properly implemented.

2. SOLARWINDS AND AVEANNA HEALTHCARE SETTLE LAWSUITS

SolarWinds has agreed to pay USD 26 million to settle a class action lawsuit filed by its shareholders following the December 2020 breach of its Orion platform. Threat actors used routine software updates to insert malicious code into Orion, leading to the compromise of numerous customers, including at least eight US government agencies.

Separately, US healthcare and hospice provider Aveanna Healthcare also agreed to pay the state of Massachusetts USD 425,000. The payment settles a lawsuit for a breach that compromised the data of 170,000 patients.

SO WHAT?

In addition to the immediate costs of incident response, organisations recovering from a data breach are likely to face significant regulatory fines if evidence of security malpractice is found.

3. SUPPLIER RANSOMWARE ATTACK STOPS TRAINS

A suspected ransomware attack on a third-party service provider brought Danish trains to a standstill. The effects of the attack were felt by Danske Statsbaner, Scandinavia’s largest train operator, which lost access for several hours to critical information regarding railroad maintenance and speed limits.

SO WHAT?

Engaging with third parties introduces new risks to your IT environment. If left unmanaged, a supplier relationship may give an attacker the foothold they need to reach their end target. Regular cyber risk assessments of new and existing third-party providers are vital for mitigating this threat.

4. MEDIBANK REFUSES TO PAY RANSOM

Medibank refused to pay a ransom to a threat actor responsible for a data breach affecting 9.7 million Medibank customers. Following this refusal, the threat actors began publishing sensitive medical information on the dark web. The data, which includes passport numbers, was separated into ‘naughty’ and ‘good’ lists based on medical diagnoses.

SO WHAT?

Data leaks can result in victims receiving unwanted phone calls and emails, and there is a heightened risk that the leaked data will be used to commit fraud. It is the responsibility of the breached organisation to notify the individuals whose data was exposed so that they can take appropriate action.

5. CONTI AFFILIATES

The Black Basta and BlackByte ransomware groups, suspected to be made up of former Conti members, continue to attack European critical infrastructure. These groups have shifted their focus from US-based organisations to European NATO-affiliated countries, in order to avoid non-payment of ransoms due to sanctions and to evade pursuit by international law enforcement.

SO WHAT?

Ransomware groups typically do not shut down operations; instead they redistribute resources and rebrand under a different name. Threat intelligence is critical for organisations to remain aware of new ransomware groups that are employing either old or newly developed tactics, techniques, and procedures.

6. STOP THE COUNT

A pro-Russian hacking group has claimed responsibility for DDoS attacks on several Mississippi state election websites. The websites were taken offline while voters were attempting to cast their votes in the US mid-term elections. Officials have reassured the public that the election system remains secure and was not compromised.

SO WHAT?

Threat actors often boast about past, ongoing, and planned DDoS attacks. Dark web monitoring can help organisations identify whether they are a target and, if so, put in place appropriate plans to mitigate the reputational impact of a DDoS attack.

7. BITCOIN BUST

The US Department of Justice (DoJ) has detained an individual and seized over 50,000 bitcoins that were unlawfully obtained from the notorious Silk Road dark web marketplace. This is the DoJ’s largest cryptocurrency seizure and its second-largest financial seizure ever.

SO WHAT?

It is vital for organisations undertaking cryptocurrency transactions, such as ransom payments, to carry out due diligence on their cryptocurrency brokers to avoid possible violations of sanctions and anti-money laundering laws.

8. PATCH, PATCH, PATCH!

For November’s Patch Tuesday, Microsoft has released security fixes for 68 flaws. Six of these are classified as actively exploited zero-day vulnerabilities. These include two Microsoft Exchange zero-day bugs, dubbed ProxyNotShell, which we discussed in an October edition of this briefing.

SO WHAT?

Organisations should review whether any of the affected software is deployed in their estate and apply the available patches as soon as possible.

To discuss this article or other industry developments, please reach out to one of our experts.

Miles Arkwright, Associate, Cyber Security
Jon Seland, Senior Analyst, Cyber Security
