Daily Brief

Each article title below is followed by a generated summary.

Total articles found: 12779

Checks for new stories every ~15 minutes

2024-08-13 15:28:12 bleepingcomputer DATA BREACH Ransomware Exposes Data of Over 464,000 Patients at Kootenai Health
Kootenai Health, an Idaho-based not-for-profit healthcare provider, has notified over 464,000 patients that their personal information was stolen and leaked by the 3AM ransomware operation. Threat actors gained unauthorized access to the network on February 22, 2024, and roamed it for ten days, stealing data, before the intrusion was detected on March 2 when unusual activity disrupted IT systems. After the ransom demand went unpaid, 3AM claimed responsibility and published a 22GB archive of the stolen data, including sensitive patient information, on its darknet leak portal. Kootenai Health is offering impacted individuals 12 to 24 months of free identity protection services and has published a notice on its website. Researchers have previously suggested links between 3AM and other notable ransomware operations such as Conti and Royal.
2024-08-13 15:28:12 bleepingcomputer CYBERCRIME Ivanti Issues Urgent Patch for Critical vTM Vulnerability
Ivanti has disclosed a critical authentication bypass vulnerability, CVE-2024-7593, in its Virtual Traffic Manager (vTM) appliances. The flaw stems from an incorrect implementation of an authentication algorithm and lets remote, unauthenticated attackers bypass authentication on the vTM admin panel and create rogue administrator accounts. Ivanti is not aware of exploitation against customers, but a proof-of-concept exploit is publicly available, which raises the likelihood of attacks. Fixes are available in vTM 22.2R1 and 22.7R2, with patches for the remaining supported versions scheduled over the following weeks; in the meantime Ivanti recommends restricting access to the vTM management interface to internal networks. The company also advised administrators to audit their appliances for unexpected administrator accounts that may have been created through the flaw. In the same advisory cycle Ivanti reported vulnerabilities in other products, including an information disclosure issue in Ivanti Neurons for ITSM and an authentication bypass in Ivanti Connect Secure.
2024-08-13 14:06:17 thehackernews CYBERCRIME Critical Vulnerability in T-Head CPUs Allows Complete System Access
Researchers at the CISPA Helmholtz Center for Information Security have disclosed GhostWrite, a critical vulnerability in T-Head's XuanTie C910 and C920 RISC-V CPUs. The flaw is rooted in the CPU hardware itself: faulty vector instruction extensions let an unprivileged attacker read from and write to any part of physical memory, bypassing the process isolation that the operating system and hardware are supposed to enforce and handing the attacker full control of the device. Because the bug is in silicon it cannot be patched in software; the only mitigation is to disable the CPU's vector functionality, which removes roughly half of the available instruction set and carries a significant performance cost. The attack is reliable and completes in microseconds, so containerization such as Docker or sandboxing does not prevent exploitation. The disclosure is part of a broader set of findings that also includes significant vulnerabilities in Qualcomm and AMD processors, raising concerns about hardware-level security across multiple leading chip manufacturers. Separately, AMD disclosed a flaw named SinkClose in its processors that went unnoticed for nearly two decades and could allow an attacker with privileged access to disable security features or install persistent malware.
2024-08-13 14:06:16 bleepingcomputer DATA BREACH Preventing Data Breaches in the AI-Powered Workplace
Generative AI copilots such as Microsoft 365 Copilot and Salesforce's Einstein Copilot boost productivity but also widen the data exposure surface, because they answer questions using whatever data the asking user is permitted to access. A case study describes a former employee who used a gen AI copilot to extract sensitive customer data and shared it with a competitor. Nearly 99% of granted data access permissions go unused, and more than half of them are high-risk, so a copilot can surface sensitive information that a user should never have been able to reach. Securing a gen AI rollout therefore starts with assessing and right-sizing data access, protecting sensitive information, removing overly permissive rights, and continuously monitoring for misuse. Varonis offers tools and resources, including a free Data Risk Assessment, to help organizations understand and mitigate these risks before adopting gen AI tools.
2024-08-13 13:40:19 bleepingcomputer CYBERCRIME International Arrest and Charges for Major Cybercrime Figure
Belarusian-Ukrainian national Maksim Silnikau was arrested in Spain, extradited to the U.S., and charged with running the Ransom Cartel ransomware operation and a long-running malvertising operation. He allegedly promoted both under multiple aliases on Russian-speaking hacking forums and faces two separate U.S. indictments, one covering the malvertising activity and one covering the Ransom Cartel operation he created. Co-conspirators Volodymyr Kadariya and Andrei Tarasov were also indicted for their roles in the malvertising operation. Authorities say Silnikau ran the ransomware as a "ransomware-as-a-service" business, negotiated with initial access brokers, and laundered ransom payments through cryptocurrency mixers. His earlier activity includes creating the Reveton ransomware, a screen locker that impersonated law enforcement and demanded a "fine" to unlock the system. The malvertising campaign pushed malicious ads that sent unsuspecting users to malware-serving sites, using fake companies and dedicated technical infrastructure to keep the scheme running. If convicted on all charges, Silnikau faces a maximum sentence of over 100 years, though concurrent sentencing would likely make the actual term shorter.
2024-08-13 13:34:42 bleepingcomputer CYBERCRIME Global Effort Leads to Arrest of High-Profile Cybercriminal
Belarusian-Ukrainian national Maksim Silnikau was arrested in Spain and extradited to the U.S. on charges of running the Ransom Cartel ransomware and a large-scale malvertising scheme. Under aliases including "J.P. Morgan," Silnikau led Ransom Cartel, a ransomware-as-a-service operation that surfaced in 2021 with code similarities to the REvil ransomware family. From 2013 to 2022 he also ran a malvertising operation that distributed malware and scareware and facilitated online scams; co-conspirators Volodymyr Kadariya and Andrei Tarasov were charged in connection with it, underlining the international scope of the network. Silnikau is accused of negotiating ransom payments, handling communications with victims, and obscuring the money trail with cryptocurrency mixers. He is also credited with creating the Reveton ransomware, launched in 2011, which locked users out of their systems and demanded payment under the guise of a law enforcement fine. The charges carry a maximum sentence exceeding 100 years if he is convicted on all counts, although concurrent terms would likely reduce the actual sentence. The arrest was the result of a coordinated international effort involving the UK National Crime Agency (NCA), the United States Secret Service, and the FBI.
2024-08-13 13:03:45 thehackernews CYBERCRIME Vulnerabilities Found in Microsoft Azure Health Bot Service
Researchers at Tenable identified two critical security flaws in Microsoft's Azure AI Health Bot Service that could have allowed an attacker to access sensitive patient data and move laterally within customer environments. Both issues involved server-side requests the service makes on a customer's behalf. The first was in the Data Connections feature, which lets a bot pull data from external sources: the service validated the configured endpoint, but an attacker-controlled endpoint could answer with an HTTP redirect to an internal address, and the service followed it, bypassing the built-in safeguards. Through this redirect the researchers obtained access tokens for management.azure[.]com and could list and access internal resources, including those of other tenants. The second flaw affected an endpoint that integrates the Fast Healthcare Interoperability Resources (FHIR) data exchange format and was susceptible to a similar redirect-based bypass. Microsoft was notified in June and July 2024 and rolled out patches across all affected regions; there is no evidence the flaws were exploited in the wild before being fixed. The findings underline that conventional web application and cloud security controls, SSRF protection in particular, remain essential in AI-driven chatbot services.
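The redirect bypass described in the Health Bot item is a classic SSRF mistake: the fetcher validates the URL the customer configured, then lets the HTTP client follow a redirect to an address it would never have accepted directly. The following added example (not Tenable's research code or Microsoft's fix) contrasts that vulnerable pattern with a hardened fetcher that re-validates every hop. The hostname partner-data.example.com, the DNS table and the canned HTTP responses are constructed stand-ins so the code runs offline; the redirect target is the cloud metadata address, which is where the real finding led.

```python
"""Redirect-aware SSRF guard (added example, constructed inputs)."""
import ipaddress
from urllib.parse import urljoin, urlparse

# Ranges a server-side fetcher should never reach on a tenant's behalf:
# loopback, RFC 1918, link-local (169.254.0.0/16 contains the cloud
# metadata address 169.254.169.254) and their IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# Constructed DNS table (hypothetical partner hostname).
FAKE_DNS = {"partner-data.example.com": "203.0.113.10"}

# Constructed HTTP responses: url -> (status, Location header, body).
FAKE_HTTP = {
    "https://partner-data.example.com/fhir":
        (302, "http://169.254.169.254/metadata/identity/oauth2/token", None),
    "http://169.254.169.254/metadata/identity/oauth2/token":
        (200, None, '{"access_token":"<redacted>","resource":"https://management.azure.com/"}'),
    "https://partner-data.example.com/patients.json":
        (200, None, '[{"id":"p1"}]'),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class BlockedDestination(Exception):
    """Raised when a URL would reach a forbidden network."""


def resolve(host):
    """Return the IP a hostname resolves to; literal IPs pass straight through."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        if host not in FAKE_DNS:
            raise BlockedDestination(f"unresolvable host: {host}")
        return ipaddress.ip_address(FAKE_DNS[host])


def check_url(url):
    """Reject non-HTTP schemes and any destination inside a blocked range."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise BlockedDestination(f"bad scheme or host: {url}")
    ip = resolve(parsed.hostname)
    for net in BLOCKED_NETWORKS:
        if ip in net:
            raise BlockedDestination(f"{url} resolves to {ip} in {net}")
    return ip


def fake_request(url):
    """Stand-in for the HTTP client; unknown URLs return 404."""
    return FAKE_HTTP.get(url, (404, None, ""))


def _follow(url, validate_each_hop, max_redirects=5):
    for _ in range(max_redirects + 1):
        if validate_each_hop:
            check_url(url)
        status, location, body = fake_request(url)
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        return status, body
    raise RuntimeError("too many redirects")


def naive_fetch(url):
    """Vulnerable pattern: validate the configured URL once, then let the
    HTTP client follow redirects on its own."""
    check_url(url)
    return _follow(url, validate_each_hop=False)


def hardened_fetch(url):
    """Fixed pattern: every hop of the redirect chain is validated before it
    is requested, so a redirect to the metadata service is refused."""
    return _follow(url, validate_each_hop=True)
```

In a real service the same check belongs on the connection rather than only on the URL string: disable the HTTP client's automatic redirects, resolve the hostname once, validate the resulting IP, and connect to that IP so a DNS answer cannot change between the check and the request.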
2024-08-13 11:32:01 theregister CYBERCRIME $60 Million Lost in BEC Fraud at Orion SA, Company Reveals
Luxembourg-based Orion SA has reported a loss of roughly $60 million to a business email compromise (BEC) fraud in which a non-executive employee was deceived into making multiple wire transfers to accounts controlled by criminals. The company disclosed the incident in a Form 8-K filing with the U.S. Securities and Exchange Commission, stating that it found no evidence of a data breach, of unauthorized access to its systems, or of any further fraudulent activity. The funds have not been recovered, and Orion expects to record a one-time pre-tax charge for the transfers. It is cooperating with law enforcement and pursuing recovery through insurance. Orion recently raised its 2024 financial outlook, reflecting strong business performance despite the incident.
2024-08-13 11:01:16 thehackernews MISCELLANEOUS Hardsec: The Critical Evolution of Cybersecurity Measures
Hardsec (hardware security) uses hardware-based logic to enforce security properties, complementing rather than replacing traditional software defenses, and is increasingly seen as essential for protecting critical services against sophisticated threats. It is particularly valuable in high-stakes environments such as government, defense, and finance, where failures have extreme consequences, and national frameworks from the US Department of Defense (DoD) and the UK National Cyber Security Centre (NCSC) increasingly mandate hardsec measures. The case for hardsec is that simple, fixed-function hardware logic presents a much smaller attack surface than the complex infrastructure a software-only defense depends on, leaving less room for exploitable flaws. Proponents say that implementing hardsec strategies helps organizations resist supply chain attacks, meet regulatory requirements, and defend against both insider and external threats, and that it belongs in any defense-in-depth strategy for critical systems and data.
2024-08-13 10:50:52 theregister MISCELLANEOUS Job Seekers and Protesters Main Users of LLM Prompt Injection
Kaspersky analyzed real-world uses of prompt injection against LLMs and found that most come from job seekers or from people protesting generative AI. Job seekers plant hidden text in resumes (text a human reviewer will not notice, but an LLM-based HR screening system will read as instructions) to favor their application or move it to the top of the pile. Protesters embed instructions to register objections to AI over issues such as natural resource usage and copyright. Kaspersky found no significant evidence of prompt injection being used for spear phishing or data exfiltration, suggesting those remain theoretical threats for now, and notes that current LLM capabilities also limit how much damage a destructive injection could do. Observed injections range from harmless pranks to attempts to manipulate job application outcomes. The researchers conclude that the threat is currently low but that monitoring and understanding prompt injection remains important as AI systems gain capabilities and autonomy.
2024-08-13 09:08:44 thehackernews CYBERCRIME FBI Dismantles International Ransomware Group "Dispossessor"
The FBI has disrupted the infrastructure of the Dispossessor ransomware group in the U.S., the U.K., and Germany, seizing servers and criminal domains and effectively halting its operations. Active since August 2023, Dispossessor targeted small-to-mid-sized businesses across sectors including education, healthcare, and transportation. The group ran a double-extortion model, stealing data before encrypting systems and threatening to leak it, and gained initial access by exploiting security vulnerabilities and weak passwords. If a victim did not respond, the group escalated by proactively contacting company staff by email or phone to pressure them into paying. The takedown comes amid a rise in ransomware incidents, especially against smaller organizations with less mature security, and reflects ongoing international efforts against ransomware operators who keep adapting their methods.
2024-08-13 05:39:32 theregister CYBERCRIME Growing Threat of 'Digital Arrest' Scams in India Raises Concern
A scam known as "digital arrest", in which criminals pose as law enforcement to extort money, is spreading in India. In one case a Delhi woman was kept on the phone for six hours by scammers who claimed to have arrested her husband and coerced her into paying ₹200,000 to resolve the supposed charges against him. When her husband returned home unharmed she realized she had been defrauded and contacted the police, who arrested three people involved in the operation and recovered multiple mobile phones, ATM cards, and SIM cards. The fraudsters relied on detailed knowledge of banking and telecommunications systems, including SIM cards obtained with fake identity documents. Experts warn that such scams exploit public records and social media information to sound credible and to catch victims in moments of panic. With rapid digitalization and a large population of inexperienced users, the scams are expected to increase, made worse by the potential use of AI-generated audio and video to impersonate officials.
2024-08-13 05:13:53 thehackernews MALWARE Ukraine Faces Malware Phishing Attacks Targeting Government Systems
Ukraine's CERT-UA has warned of a phishing campaign that uses emails purporting to come from the Security Service of Ukraine to install malware on government computers. The emails deliver a ZIP archive containing an MSI installer; opening it deploys a malware family named ANONVNC, built on the open-source remote management tool MeshAgent, which gives the attackers covert remote access. Since July 2024 the campaign has compromised more than 100 computers, specifically at Ukrainian government entities. CERT-UA also highlighted credential-phishing attacks by UAC-0102 that use HTML attachments to harvest credentials from users of the UKR.NET email service, and an increase in PicassoLoader distribution aimed at deploying Cobalt Strike Beacon on compromised systems. The PicassoLoader activity is attributed to UAC-0057 and focuses on government project offices and local government contractors in Ukraine.
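The CERT-UA item describes the common lure shape of a ZIP archive wrapping an MSI installer. A mail gateway or triage script can catch this class of attachment without executing anything by looking at each archive member's leading bytes instead of trusting its extension. The following is an added example, not CERT-UA tooling or anything from the campaign; the sample archive, its member names and contents are constructed in memory so it runs offline. It does not recurse into nested archives or handle password-protected ZIPs, which a production filter would need to.

```python
"""Inspect a ZIP attachment for installers and executables hidden inside
(added example, constructed sample archive)."""
import io
import os
import zipfile

# Leading bytes of payload types that commonly arrive inside ZIP lures.
# The OLE compound header covers MSI packages as well as legacy Office files.
MAGICS = (
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),
    (b"MZ", "pe-executable"),
    (b"PK\x03\x04", "nested-zip"),
)
EXECUTABLE_KINDS = {"ole-compound", "pe-executable"}
RISKY_EXTENSIONS = {".msi", ".exe", ".dll", ".scr", ".js", ".vbs", ".hta",
                    ".lnk", ".bat", ".cmd", ".ps1"}
# Extensions whose content should never start with executable magic.
DOCUMENT_EXTENSIONS = {".pdf", ".txt", ".docx", ".xlsx", ".jpg", ".png"}


def identify(head):
    """Match the first bytes of a member against the magic table."""
    for magic, label in MAGICS:
        if head.startswith(magic):
            return label
    return None


def inspect_zip(data):
    """Return one finding dict per suspicious member of the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(8)  # enough for every magic above
            ext = os.path.splitext(info.filename)[1].lower()
            kind = identify(head)
            reasons = []
            if ext in RISKY_EXTENSIONS:
                reasons.append(f"risky extension {ext}")
            if kind in EXECUTABLE_KINDS and ext in DOCUMENT_EXTENSIONS:
                reasons.append(f"{kind} content behind document extension {ext}")
            if kind == "nested-zip":
                reasons.append("nested archive (not inspected)")
            if reasons:
                findings.append({"name": info.filename, "type": kind,
                                 "reasons": reasons})
    return findings


def build_sample_lure():
    """Construct a ZIP shaped like the lure: a benign note, an MSI, and a
    PE renamed to look like a scanned document. Payload bytes are just the
    magic headers followed by zero padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Please review the attached order.")
        zf.writestr("order.msi", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
        zf.writestr("scan.pdf", b"MZ\x90\x00" + b"\x00" * 64)
    return buf.getvalue()


def flagged_names(data):
    """Convenience wrapper: sorted names of flagged members."""
    return sorted(f["name"] for f in inspect_zip(data))


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_lure()):
        print(finding)
```

Blocking on extension alone would have missed the renamed PE, and blocking on magic alone would also block legitimate legacy Office documents, which is why the two signals are combined: a risky extension is flagged outright, while executable magic is flagged only when it contradicts a document extension.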
2024-08-13 03:16:42 theregister MALWARE AMD Declines to Patch Older CPUs Against SinkClose Vulnerability
AMD has declined to patch the SinkClose vulnerability (CVE-2023-31315) in some of its older CPUs, even though the flaw affects AMD processors going back to 2006. SinkClose lets an attacker who already has kernel-level privileges execute arbitrary code in System Management Mode (SMM), the firmware layer beneath the operating system, gaining control of the entire system that OS-level security tools cannot detect. The flaw is specific to AMD processors and could be used to spy on the system, steal data, or tamper with device operation. Because exploitation requires prior kernel access, it is less critical than the description suggests on its own, but an attacker who reaches that point can use it to plant malware that persists below the operating system. Patches are being issued only for selected processors released since 2017, including models in the Epyc, Ryzen 3000, 4000, 5000, 7000, and 8000 series; AMD treats older parts, including some Zen and Zen+ designs, as outside its software support window and will not fix them. The vulnerability was discovered by the security firm IOActive.
2024-08-12 21:51:03 bleepingcomputer CYBERCRIME FBI and International Partners Shut Down Dispossessor Ransomware
The FBI, working with U.K. and German law enforcement, has disrupted the Radar/Dispossessor ransomware operation, seizing three servers in the U.S., three in the U.K., and 18 in Germany, along with a number of internet domains the gang used. Active since August 2023, Dispossessor primarily targeted small to mid-sized businesses worldwide, with victims in the U.S., Canada, Australia, and several European and South American countries. The gang exploited basic security weaknesses, such as poor password practices and missing multi-factor authentication, to gain access and encrypt business data. After encrypting a network the group contacted the victim to negotiate; if ignored, it reached out to other employees of the affected company to apply pressure. Dispossessor initially republished data stolen in other groups' attacks, including LockBit's, to build its reputation, and later moved to attacks of its own using the LockBit 3.0 encryptor. The FBI is asking victims to report any contact with the gang to support the ongoing investigation.