Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12715
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-05-22 22:09:19 | theregister | RANSOMWARE | Medical Groups Urge HHS: Hold UnitedHealth Accountable for Breach | Over 100 medical associations have petitioned the U.S. Department of Health and Human Services (HHS) to hold UnitedHealth Group responsible for notifications following a recent ransomware breach. UnitedHealth's Change Healthcare, which processes patient data, was compromised in February, putting vast amounts of private health information at risk. The medical groups stress that Change Healthcare should bear the brunt of the breach-notification and government-investigation responsibilities. The breach, affecting a substantial but unspecified number of Americans, falls under HIPAA regulations, which require broad notification of the affected individuals. UnitedHealth has acknowledged its duty to comply with legal breach-notification requirements and has been cooperating with HHS's Office for Civil Rights. Separately, UnitedHealth's CEO announced a $22 million ransom payment to BlackCat/ALPHV ransomware affiliates and projected that total costs related to the breach could significantly exceed $872 million. | Details |
| 2024-05-22 20:01:48 | theregister | RANSOMWARE | London Drugs Hit by Ransomware, Refuses to Pay $25M Demand | Canadian pharmacy chain London Drugs suffered a ransomware attack by the LockBit group, which demanded a $25 million ransom. The attack, which occurred on April 28, led to the temporary closure of 79 London Drugs locations across multiple provinces. Despite LockBit's threats to release stolen data, London Drugs has stated it is unable and unwilling to meet the ransom demand. No customer or patient data has been reported compromised; however, some employee files were exfiltrated. London Drugs is offering two years of free credit monitoring and identity-theft protection to all current employees while it assesses the extent of the data breach. The incident is still under investigation, and the company has promised to keep affected parties informed as required by privacy laws. LockBit's activity has reportedly dropped by 60% following recent law enforcement disruptions, indicating a potential decline in its operations. | Details |
| 2024-05-22 19:36:13 | theregister | DATA BREACH | NYSE Parent Fined $10M for Delayed Cyber Intrusion Reporting | Intercontinental Exchange (ICE), the parent company of the New York Stock Exchange, has been fined $10 million by the SEC for failing to properly report a 2021 cyber intrusion. ICE did not report a vulnerability and the subsequent attack as required by Regulation Systems Compliance and Integrity (Regulation SCI), which demands immediate notification of such incidents. After detecting a potential cyber attack via a VPN zero-day, ICE did not report the incident externally for several days while it investigated the scope of the breach internally. The SEC alleges that ICE should have assessed the breach as significant sooner and informed the agency immediately, as the regulation requires. Although initial investigations did not establish a substantial attack, ICE's legal and compliance teams were only informed five days after notification of the vulnerability. The SEC criticized ICE for its significant reporting delay, highlighting the importance of prompt communication in maintaining the integrity of global financial markets. The $10 million penalty is considered minimal compared to ICE's quarterly revenue, pointing to the need for stiffer penalties for non-compliance if significant financial institutions are to maintain effective cybersecurity measures. | Details |
| 2024-05-22 18:34:51 | bleepingcomputer | MISCELLANEOUS | Microsoft Announces Phased VBScript Retirement from Windows | Microsoft has announced plans to gradually phase out VBScript from Windows, beginning in the second half of 2024. In the first phase of deprecation, VBScript will become an optional feature in the Windows 11 24H2 release. By around 2027, VBScript will no longer be pre-installed but will remain available on demand, with complete removal planned for a later date. Microsoft aims to replace VBScript with more modern and secure scripting languages such as JavaScript and PowerShell to enhance web development and automation capabilities. The retirement of VBScript, historically a malware vector via Internet Explorer and Office macros, reflects Microsoft's broader initiative to mitigate security risks. Previous Microsoft efforts to curb malware include disabling Excel 4.0 macros, strengthening protections against untrusted Office macros, and extending support for the Antimalware Scan Interface to Office 365 applications. The complete removal of VBScript from future Windows releases will eventually end the usability of VBScript-dependent projects, with all related dynamic link libraries (.dll files) also being eliminated. | Details |
| 2024-05-22 18:04:07 | theregister | CYBERCRIME | US Man Sentenced for Scams Targeting Healthcare and Romance | Georgia resident Malachi Mullings has been sentenced to a decade in prison for laundering $4.5 million in proceeds from scams. Mullings' criminal activities included business email compromise (BEC) attacks targeting healthcare providers and romance scams exploiting individuals. His operations, running from 2019 to July 2021, involved impersonating officials to misdirect funds to accounts he controlled. Victims included state Medicaid programs and elderly citizens, with one elderly victim alone defrauded of $260,000. Fraudulent funds were used to purchase luxury items, including a Ferrari and jewelry, to launder the proceeds of the scams. He used 20 bank accounts under his company's name, The Mullings Group, to facilitate the laundering. Mullings pleaded guilty to eight charges of money laundering and conspiracy to commit money laundering. He was one of ten individuals charged, with allegations involving fraud against multiple state healthcare programs. | Details |
| 2024-05-22 17:38:13 | bleepingcomputer | NATION STATE ACTIVITY | China-Linked Hackers Use ORB Networks for Cyberespionage | China-affiliated state hackers are increasingly using vast proxy server networks called operational relay box networks (ORBs) for cyberespionage, complicating detection and attribution. ORBs, administered by cybercriminals, blend compromised devices and commercial virtual private servers, and provide access to state-sponsored groups such as APT5 and APT15. These networks enable anonymous internet activity across multiple geographic regions by cycling through a broad range of nodes, masking the origin of malicious traffic. Mandiant has identified specific ORBs, such as SPACEHOP and FLORAHOX, that Chinese threat actors use for reconnaissance and for exploiting vulnerabilities such as CVE-2022-27518. ORBs' varied infrastructure, including cloned Linux-based images and networks made up of Tor nodes and hacked routers, increases both their utility to attackers and the complexity they pose to defenders. The short lifespan of an ORB node's IPv4 address and the spread of nodes across different Autonomous System Number (ASN) providers make tracking and defending against ORBs particularly challenging for security teams. As ORB usage grows, enterprise defense strategies must adapt to account for increased stealth and resilience in attacker infrastructure. | Details |
| 2024-05-22 17:22:40 | bleepingcomputer | DATA BREACH | Intercontinental Exchange Settles SEC Charges for $10M After VPN Hack | The Intercontinental Exchange (ICE) has agreed to pay a $10 million penalty to resolve SEC charges following a VPN security breach in April 2021. ICE, a major financial services company that operates entities such as the New York Stock Exchange, was cited for failing to report the breach promptly as mandated by Regulation Systems Compliance and Integrity (Regulation SCI). The SEC criticized ICE for taking four days to evaluate the breach's impact and for internally declaring it minor, even though immediate notification was required. The breach was attributed to sophisticated nation-state threat actors who exploited a vulnerability in ICE's VPN system to deploy malware. The attackers installed webshell code on the VPN device, potentially gaining access to sensitive data such as employee passwords and multi-factor authentication codes. Although their access was limited to a single device, the attackers still exfiltrated VPN configurations and some user metadata. ICE's internal communication failures extended the delay in reporting the breach to legal and compliance officials within the company's subsidiaries. ICE and its subsidiaries received a cease-and-desist order from the SEC alongside the penalty, requiring adherence to all Regulation SCI rules going forward. | Details |
| 2024-05-22 17:07:08 | bleepingcomputer | DATA BREACH | LastPass Enhances Security by Encrypting URLs in Vaults | LastPass is now encrypting URLs within password vaults to improve security and user privacy, moving toward a comprehensive zero-knowledge architecture. The encryption aims to protect sensitive details in URLs that could hint at the nature of the stored accounts, such as banking or email services. The change follows two significant LastPass breaches in 2022, in which encrypted password vaults were accessed and accounts with weaker master passwords were compromised. The breaches exposed unencrypted URLs in password vaults, which helped attackers select targets and steal over $4 million from cryptocurrency exchanges. The first phase of the new encryption feature rolls out next month, automatically encrypting primary URL fields for all existing and new accounts. Subsequent phases will encrypt additional URL-related fields, such as equivalent-domain URLs and URLs stored in user notes, with full implementation expected in the second half of the year. Users do not currently need to take any action; LastPass will provide step-by-step instructions to affected accounts as the deployment progresses. | Details |
| 2024-05-22 16:31:21 | theregister | MISCELLANEOUS | SEC Clarifies Rules on Reporting Cybersecurity Incidents | The SEC has updated its guidance for public companies on disclosing ransomware and other cybersecurity incidents. Public companies must report "material" cybersecurity incidents, those that could affect investment decisions, under Item 1.05 of Form 8-K. Companies have faced confusion over deciding whether an incident is material and whether to file under Item 1.05 or under Item 8.01 for less significant events. Erik Gerding, Director of the SEC's Division of Corporation Finance, discussed the problems with voluntary disclosures, which can lead to investor confusion. The distinction between the two filings helps investors discern the significance of cybersecurity incidents. Material incidents must be disclosed immediately under Item 1.05, while non-material or not-yet-determined incidents should be disclosed under Item 8.01. The SEC emphasizes transparency in disclosing cybersecurity incidents but aims to minimize confusion by clarifying the use of the different items. | Details |
| 2024-05-22 16:05:31 | bleepingcomputer | DATA BREACH | Windows 11 Recall Feature Raises Significant Privacy Concerns | Microsoft's new AI-powered Windows 11 Recall feature is designed to make previously viewed information easily retrievable, but it has raised privacy and security concerns. The feature captures and stores screenshots of active windows every few seconds, retaining the data on the device for up to three months by default. According to Microsoft, all collected data is stored on the device in encrypted form, protected by BitLocker, and is not shared externally. Recall's extensive data collection includes potentially sensitive information, raising fears of both intentional misuse and incidental exposure. The UK's Information Commissioner's Office (ICO) is contacting Microsoft to ensure the feature complies with privacy regulations. Security experts and users are concerned that this data could be accessed by other users of the device or harvested by malware if the device is compromised. Microsoft asserts that it prioritizes user control and privacy in the design, but the security community remains skeptical about the risks involved. | Details |
| 2024-05-22 15:09:15 | theregister | CYBERCRIME | Live Event on Enhanced Ransomware Protection in Multicloud Settings | Zerto is hosting a live event in Boston to discuss ransomware protection in multicloud environments. The event will feature Anthony Dutra of Zerto, who will present survey findings on concerns about ransomware impact. Attendees will learn about key strategies and technologies for defending against ransomware. The event aims to address security measures for sensitive data across various hosting platforms. Attendees can also explore additional resources such as white papers on ransomware resilience and real-time encryption detection techniques. Hands-on demonstrations of Zerto technology will be available through Zerto Hands-on Labs. The event highlights the growing need for specialized defenses in increasingly complex cloud architectures. | Details |
| 2024-05-22 14:18:08 | thehackernews | NATION STATE ACTIVITY | Unfading Sea Haze: Targeted Chinese Espionage in South China Sea | Researchers have identified a new threat group, Unfading Sea Haze, active since 2018 and targeting military and government entities in the South China Sea region. Bitdefender's report suggests the attacks align with Chinese strategic interests and employ tactics similar to those of other China-linked groups. The attackers used sophisticated methods to maintain access within compromised systems, aided by the victims' poor credential management and lack of patching. The campaign used various malware, including Gh0st RAT, with advanced techniques such as fileless execution and scheduled tasks for persistence. Spear-phishing with malicious LNK files was a prominent initial access vector, launching payloads that gave remote control of affected systems. Tools such as ITarian RMM were used to establish footholds, a tactic uncommon among nation-state actors apart from certain groups such as Iran's MuddyWater. The adversary demonstrated high sophistication with a wide array of custom tools and evasion techniques, focusing on in-memory execution to avoid detection. Besides automated collection, manual techniques were also used for data exfiltration, specifically targeting sensitive information from messaging applications. | Details |
| 2024-05-22 14:02:38 | bleepingcomputer | MISCELLANEOUS | Criminal IP Enhances Cybersecurity Tools on AWS Marketplace | AI SPERA has announced the availability of its Criminal IP search engine on AWS Marketplace, meeting the marketplace's technical and security standards. Criminal IP offers enhanced threat detection using AI and machine learning, providing insight into risks associated with internet-connected devices. The tool's integration with AWS simplifies procurement and deployment, aligning with customers' existing cloud architectures. Users can feed Criminal IP's threat intelligence data into existing services and systems, such as SOAR and SIEM platforms, through its API. Criminal IP provides a rich repository of data, including risk classifications, geographical insights, and graphs of vulnerable assets, to support security management. Criminal IP now also offers flexible payment options, improving the user experience on the AWS platform. Additionally, AI SPERA has expanded its global collaboration, partnering with over 40 security firms worldwide. | Details |
| 2024-05-22 13:26:36 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Stealthily Infiltrated Military Networks Over Six Years | "Unfading Sea Haze," a previously undisclosed threat actor, has been compromising military and government targets in the South China Sea region since 2018. The group is believed to operate in alignment with Chinese geopolitical interests and has connections to the known Chinese threat group APT41. The attacks primarily used spear-phishing emails with malicious ZIP files, leading to the deployment of fileless malware via MSBuild. Key tools include a backdoor named 'SerialPktdoor,' a keystroke logger, browser data stealers, and a novel use of Microsoft's compiler to execute malware directly in memory. Initial access and persistence are maintained through manipulation of local administrator accounts, scheduled tasks, and the use of commercially available Remote Monitoring and Management (RMM) tools. Recent tactics have evolved toward stealthier techniques such as launching C# payloads from remote SMB shares, alongside the use of sophisticated malware such as Gh0stRAT. Data exfiltration methods have also changed over time, moving from custom-built tools to mainstream software such as curl and FTP with dynamically changing credentials. To defend against these threats, organizations are advised to implement comprehensive security measures including patch management, multi-factor authentication, network segmentation, and capable detection systems. | Details |
| 2024-05-22 12:25:13 | thehackernews | NATION STATE ACTIVITY | Urgent Call to Disconnect Internet-Facing ICS Amid Cyber Threats | Rockwell Automation advises disconnecting internet-facing industrial control systems (ICS) to protect against malicious cyber activity. Prompted by heightened global geopolitical tensions and adversarial cyber activity, the advisory calls for immediate action to identify and disconnect exposed devices. The guidance, supported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), includes mitigating known vulnerabilities and deploying patches. The advisory cites historical exploitation of operational technology (OT) assets by malicious actors, including Advanced Persistent Threat (APT) groups seeking political, economic, or disruptive gains. Recent research highlights the potential for high-impact attacks similar to Stuxnet via the web-based interfaces of programmable logic controllers (PLCs). New malware techniques that abuse PLC web interfaces can achieve platform-independent, persistent, and covert operations. Recommended strategies include limiting exposure of system information, securing remote access points, and conducting periodic security audits to strengthen OT and ICS network security. | Details |