Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 12734
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Link |
|---|---|---|---|---|---|
| 2024-06-22 08:20:35 | theregister | NATION STATE ACTIVITY | US Government Enforces Ban on Kaspersky Lab Products | The US government has issued a ban on the sale of Kaspersky Lab products in America starting late July. From October, Kaspersky will also be prohibited from issuing updates and malware signatures. Top executives at Kaspersky Lab, except CEO Eugene Kaspersky, have been sanctioned by the US. The sanctions and product bans are part of escalating cybersecurity concerns involving the Russian-based company. These developments were discussed by cybersecurity experts and journalists in a recent video and podcast session. The session included various viewpoints on the implications of the ban and its potential impacts on cybersecurity practices. Kaspersky Lab has faced scrutiny due to allegations of ties with Russian national interests, influencing these US government decisions. | Details |
| 2024-06-22 06:02:42 | thehackernews | NATION STATE ACTIVITY | U.S. Imposes Sanctions on Kaspersky Executives, Cites Security | The U.S. Treasury's Office of Foreign Assets Control (OFAC) has sanctioned 12 executives from Kaspersky Lab following a recent Commerce Department ban. These sanctions are part of efforts to protect the integrity of the U.S. cyber domain and guard against malicious cyber threats. Sanctioned individuals are from the executive and senior leadership teams but do not include Kaspersky Lab as a whole or its CEO, Eugene Kaspersky. The Commerce Department previously announced that Kaspersky software and related services are banned in the U.S., citing national security risks. Kaspersky Lab is also added to the U.S. Entity List, further restricting its business operations within the United States. Russia criticizes the U.S. move as an attempt to suppress foreign competition in favor of American products. Kaspersky denies any affiliations with the Russian government, amidst ongoing cybersecurity concerns. | Details |
| 2024-06-21 21:39:07 | theregister | CYBERCRIME | Change Healthcare Reports Extensive Medical Data Theft Impact | Change Healthcare has begun formal notifications to hospitals and pharmacies regarding a ransomware attack in February that resulted in the theft of patient data. The data breach could potentially affect a "substantial proportion" of the U.S. population, with stolen data including names, birth dates, phone numbers, and email addresses; however, full medical histories have not been confirmed as compromised. The healthcare provider continues to work on identifying all affected individuals but faces challenges due to incomplete address information, delaying the notification process to late July. The breach originated from compromised credentials used by ransomware criminals to access a Citrix-based management platform without multi-factor authentication. The attack led to significant operational disruptions, including delayed prescription fulfillments and medical services, with a recovery and system restoration process stretching over several weeks. Change Healthcare incurred costs nearing $1 billion due to the attack, and a ransom of $22 million was paid to the attackers to prevent further data leaks. This incident highlights the ongoing vulnerability of the healthcare sector to cyberattacks, with similar disruptive ransomware incidents occurring in other healthcare facilities globally. | Details |
| 2024-06-21 21:13:27 | bleepingcomputer | DATA BREACH | LAUSD Student and Employee Data Stolen in Snowflake Hack | The Los Angeles Unified School District (LAUSD) confirmed a data breach involving stolen student and employee information from their Snowflake account. Data sold by hacker "Sp1d3r" for $150,000 includes comprehensive details like student demographics, grades, financials, and parent information. Two threat actors were involved: "Sp1d3r" sold data stolen from Snowflake, while "Satanic" independently sold different LAUSD data. Hackers exploited accounts that lacked multi-factor authentication, accessing and downloading sensitive data, then attempting extortion. An investigation involving Snowflake, Mandiant, and CrowdStrike traced the breach to threat actor UNC5537 using stolen customer credentials. LAUSD, alongside the FBI and CISA, is still investigating the extent of the data compromise and working to secure their systems. The ongoing security incident highlights the critical need for robust data protection practices, including the implementation of multi-factor authentication. | Details |
| 2024-06-21 20:27:17 | theregister | NATION STATE ACTIVITY | U.S. Sanctions Senior Kaspersky Executives, Excludes CEO | The U.S. has issued sanctions against 12 senior executives of Kaspersky Lab, excluding CEO Eugene Kaspersky. Sanctions prevent U.S. persons and businesses from engaging with the named individuals and put non-U.S. financial entities at risk of similar sanctions. The actions are part of broader measures, including product bans and the inclusion of Kaspersky operations in sanctioned lists, citing national security threats. The Treasury has not designated Kaspersky Lab itself or its CEO but targets individuals within the company's executive circle. The sanctions are in alignment with Executive Order 14024, which addresses operations in sectors critical to the Russian economy. Previous U.S. administration actions have also targeted Kaspersky products, barring them from U.S. government networks over concerns of potential Kremlin-backed espionage. The U.S. Treasury emphasized the commitment to protecting the integrity of the cyber domain and safeguarding U.S. citizens from cyber threats. | Details |
| 2024-06-21 17:33:57 | bleepingcomputer | NATION STATE ACTIVITY | US Sanctions 12 Kaspersky Executives Amid Security Concerns | The US Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on twelve Kaspersky Lab executives linked to the Russian technology sector. These sanctions are part of broader measures taken by the Biden administration, which include a ban initiated in July on sales and software updates of Kaspersky antivirus products in the US. The Department of Commerce has added AO Kaspersky Lab, OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (UK) to the Entity List, effectively barring US firms from transacting with these entities. The sanctions are in accordance with Executive Order 14024, targeting individuals operating within significant sectors of the Russian economy, including technology and defense. The specific individuals targeted hold leadership roles at Kaspersky Lab and are being sanctioned without affecting the company’s CEO or its broader corporate structure. Sanctioned individuals have their assets in the US frozen and are barred from accessing them. BleepingComputer has reached out to Kaspersky for comment regarding the sanctions and potential further implications. | Details |
| 2024-06-21 16:32:28 | theregister | MALWARE | New UEFI Vulnerability Threatens Intel Chips Security | Researchers have identified a new vulnerability in UEFI firmware, posing significant risks across various Intel chip families, including those since Kaby Lake in 2017. This vulnerability, documented as CVE-2024-0762 with a CVSSv3 score of 7.5, primarily affects Phoenix Technologies' UEFI software utilized in many consumer and enterprise systems. Similar to infamous exploits like BlackLotus, this flaw could allow unauthorized code execution and privilege escalation through buffer overflow and TPM configuration manipulation. Lenovo has responded promptly with patches after the flaw was initially discovered in their ThinkPad X1 models; other vendors using Phoenix's firmware may also be affected. Phoenix Technologies recommended that all affected users update their firmware immediately to prevent potential exploitation. The flaw was traced back to unsafe handling of the 'TCG2_CONFIGURATION' variable within the TPM configuration, which, if manipulated, could lead to severe security breaches. Intel has yet to respond to inquiries regarding the vulnerability, which reflects broader concerns over UEFI security, an area historically troubled by similar exploits. | Details |
| 2024-06-21 16:16:54 | bleepingcomputer | DATA BREACH | UnitedHealth's Change Healthcare Hit by Massive Ransomware Data Breach | UnitedHealth's subsidiary, Change Healthcare, was the target of a significant ransomware attack in February, resulting in the theft of 6 TB of sensitive medical data. The breach potentially impacted a third of all Americans, exposing patient data and causing widespread disruption in the U.S. healthcare system, notably in pharmacies. The BlackCat ransomware gang, responsible for the attack, exploited compromised credentials via a Citrix remote access service, which lacked multi-factor authentication. UnitedHealth has admitted paying an initial ransom of $22 million, which was subsequently pocketed by the attackers without fulfilling their promise to delete the stolen data. Despite another ransom reportedly paid after further threats, there is ongoing concern about the stolen data's usage in fraudulent activities. Change Healthcare is offering affected individuals two years of complimentary credit monitoring and identity theft protection services. Formal data breach notifications will start being mailed in late July, but in the meantime, affected patients are encouraged to visit changecybersupport.com for further assistance and information. | Details |
| 2024-06-21 16:11:32 | bleepingcomputer | DATA BREACH | UnitedHealth Reports Extensive Data Loss in Change Healthcare Ransomware Attack | UnitedHealth subsidiary Change Healthcare was targeted in a ransomware attack in February, resulting in the theft of 6 TB of sensitive data. The attack caused significant disruptions across the US healthcare system, notably preventing pharmacies from processing insurance claims. Data compromised includes substantial personal and medical information, affecting potentially a third of all Americans. Change Healthcare has initiated measures including complimentary credit monitoring and identity theft protection services for impacted individuals. Lack of multi-factor authentication on the Citrix remote access service facilitated unauthorized access by the BlackCat ransomware gang. Despite paying a $22 million ransom, the data was neither secured nor deleted, with additional ransom demanded via data leaks. The financial impact of the attack on UnitedHealth is estimated at $872 million as of April, with expectations of further increases. Formal breach notifications are to be mailed by late July, although not all affected individuals may be reachable directly. | Details |
| 2024-06-21 14:59:54 | theregister | MISCELLANEOUS | Webinar on Expanding Attack Surfaces and Mitigation Strategies | Cloudflare and The Register are hosting a webinar on June 25th to discuss expanding attack surfaces in cybersecurity. The session will cover emerging trends that contribute to the increase in attack surfaces. Participants will learn effective strategies for managing and reducing vulnerabilities. The webinar will feature real-world case studies from leading organizations actively addressing these challenges. Cloudflare’s industry expertise will provide attendees with actionable insights to enhance their security posture. The event is designed to help professionals understand and mitigate the evolving cyber threats affecting their organizations. | Details |
| 2024-06-21 14:29:02 | bleepingcomputer | MISCELLANEOUS | Tor Browser 13.5 Enhances Android Functionality and Desktop Interface | The Tor Project has launched Tor Browser 13.5 with key updates for both Android and desktop platforms. The update focuses on usability improvements rather than new security features. For desktop users, enhancements include better bridge management and improved visual design of letterboxing for privacy. Android users will see a revamped connection experience and a more accessible location for Tor logs. The redesign also makes managing bridge connections easier, with a more user-friendly interface and clear labeling. Error messages for onion sites have been standardised to align with other network errors, improving consistency. The Tor team has announced upcoming support changes, phasing out Windows 8.1 and macOS 10.14 with the next major release. | Details |
| 2024-06-21 13:43:02 | thehackernews | NATION STATE ACTIVITY | Chinese Hackers Target Global Governments With New Malware | A Chinese cyberespionage group named SneakyChef is primarily targeting government entities in Asia and the EMEA region using a malware called SugarGh0st. SneakyChef's operations, detected since August 2023, utilize document lures from foreign ministries and embassy-related entities. Both SugarGh0st and another Trojan, SpiceRAT, are identified in SneakyChef's latest attacks, evidencing an evolution in their toolset. These attacks use sophisticated spear-phishing campaigns, embedding malware in RAR archives disguised as legitimate documents. Once executed, SugarGh0st and SpiceRAT deploy via different stages, including DLL side-loading and decoy document presentation, to avoid detection. Besides government targets in regions like Angola, India, and Latvia, the threat actor has also targeted U.S. organizations working in AI. This ongoing campaign demonstrates SneakyChef's persistent and expanding interest in sensitive governmental and technological sectors. | Details |
| 2024-06-21 13:07:07 | thehackernews | MALWARE | Malware Disguised in Military-Themed Emails Targets Pakistani Users | A new phishing campaign, named PHANTOM#SPIKE, uses military-related content to spread malware in Pakistan. The malware is delivered via email attachments containing ZIP files, purporting to be documents from an upcoming military forum in Russia. These ZIP files include a Microsoft Compiled HTML Help (CHM) file that covertly executes a malicious executable when interacted with. The malicious executable, termed "RuntimeIndexer.exe," functions as a backdoor, establishing remote connectivity for command and control. Upon execution, the malware can perform actions like retrieving system info, listing running tasks, extracting public IP addresses, and setting up persistence mechanisms. The backdoor allows attackers to execute commands remotely, steal sensitive information, or deploy additional malware. Despite its fairly unsophisticated approach, the campaign effectively exploits the theme of military events to trick users into opening harmful attachments. | Details |
| 2024-06-21 11:19:42 | theregister | RANSOMWARE | Qilin Ransomware Attack Disrupts London Hospital Services, Leaks Data | The ransomware group Qilin leaked over 400GB of data belonging to London's pathology services provider Synnovis, reportedly stolen during a cyberattack. Synnovis, a partnership between Synlab and two London NHS Trusts, was forced to pull its systems offline due to the ransomware attack, causing significant disruptions across multiple hospitals. Although Qilin claimed to have stolen over 1TB of data, it released data consistent with its claims after negotiations with Synnovis stalled; the company refused to pay a $50 million ransom, in line with UK policy against paying cyber ransoms. The ongoing impact of the attack has severely affected hospital operations, leading to the postponement of 1,134 elective surgeries and 2,194 outpatient appointments since the attack began on June 4. NHS London continues to mitigate the impact, with some services returning to near-normal levels and mutual aid agreements helping prioritize critical blood tests. Qilin expressed no remorse for the attack, acknowledging the healthcare crisis caused and insisting it was part of their 'struggle', showing a disregard for the ethics of their actions in targeting healthcare infrastructure. | Details |
| 2024-06-21 11:03:53 | bleepingcomputer | CYBERCRIME | CDK Global Alerts Customers to Impersonation Scams Post-Cyberattack | CDK Global, a major SaaS platform for US car dealerships, was targeted in a cyberattack leading to significant disruptions. Following the cyberattack, threat actors started impersonating CDK support staff in phone calls to customers, aiming to gain unauthorized system access. CDK has shut down its customer support channels and taken most systems offline as a precautionary response to the cyberattack. The company has set up automated toll-free lines to provide updates and warnings about the security breach and the associated risks. Customers have been advised to avoid performing any Dealer Management System (DMS) tasks and to ignore unsolicited communications purporting to be from CDK. The Digital Retail Application and Data remain secure, despite the disabling of many system integrations. There is currently no estimated time for when full service functionality will be restored, and CDK continues to work with third-party experts on a resolution. | Details |