Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11712
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-11-10 15:29:35 | bleepingcomputer | DATA BREACH | McLaren Health Care Data Breach Affects 2.2 Million Patients | McLaren Health Care announced a data breach affecting approximately 2.2 million individuals, with sensitive personal information compromised.
Unauthorized access began on July 28, 2023 and continued into August; McLaren detected the intrusion on August 22, 2023, and an external cybersecurity team confirmed on October 10 that patient data had been exposed.
Types of data accessed vary among individuals but remain undisclosed; all affected parties will receive instructions for 12-month identity protection services.
McLaren has not found evidence of misuse of the data but warns those affected to monitor their financial accounts and be vigilant of unsolicited communications.
ALPHV/BlackCat ransomware group claimed responsibility for an attack on McLaren's network, threatening to auction the collected data they say concerns 2.5 million people. | Details |
| 2023-11-10 15:03:51 | bleepingcomputer | CYBERCRIME | Escalation of Ransomware Assaults in the Healthcare Sector | Hospitals, clinics, and other healthcare providers are increasingly victimized by ransomware, surpassing other cyberattacks in the industry.
Healthcare data breaches are on the rise, and the average cost of a breach has climbed 15.3% since 2020 to $4.45 million per incident.
Breach detection within healthcare organizations is worryingly slow, taking 287 days on average, allowing further data exploitation.
Ransomware's immediate effect includes denying access to critical data, potentially endangering patient care and safety.
A ransomware attack on MCNA Dental compromised personal data of approximately 8.9 million patients, indicating the extensive reach of cybercriminals.
HIPAA provides a stringent framework for protecting patient information, which can enhance security measures and rebuild trust post-breach.
Proactive security measures, including tooling such as Specops Password Policy, are presented as key steps in reinforcing an organization's defenses against cyber threats.
Implementing strong password policies and protective software solutions can significantly reduce the risk of password-based breaches. | Details |
| 2023-11-10 12:25:34 | thehackernews | NATION STATE ACTIVITY | Russian Sandworm Hackers Disrupt Ukrainian Power Grid Amid Conflict | Google's Mandiant revealed a cyber attack by Russian group Sandworm against Ukraine's power grid, causing an October 2022 outage.
Sandworm used novel techniques against the operator's industrial control systems and timed the outage to coincide with a wave of missile strikes on Ukrainian infrastructure.
The blackout's exact location, duration, and affected population remain undisclosed; however, it highlights Sandworm's ongoing tactics to destabilize Ukraine's power grid.
Sandworm first gained access to the OT environment in June 2022 through a hypervisor hosting a SCADA management instance; the later CaddyWiper deployment served both to disrupt operations and to destroy forensic evidence.
In the October 10 cyber-physical attack, the actor used a mounted ISO image to run tooling against the MicroSCADA system that tripped substation circuit breakers, causing the power disruption.
A new variant of CaddyWiper was introduced two days post-attack, indicating a layered and persistent attack strategy.
Mandiant's analysis stresses the urgent need for infrastructure asset owners worldwide to mitigate against these sophisticated threats, especially MicroSCADA system users. | Details |
| 2023-11-10 12:10:09 | bleepingcomputer | RANSOMWARE | ICBC Financial Services Hit by Disruptive Ransomware Attack | The Industrial & Commercial Bank of China (ICBC) experienced a ransomware attack on November 8, 2023, affecting its financial services systems.
ICBC took immediate action by isolating the impacted systems and has commenced recovery with the help of information security experts.
This incident was reported to law enforcement, and ICBC confirmed the event did not affect its New York Branch, Head Office, or other affiliates.
The ransomware attack disrupted U.S. Treasury market operations, causing issues with equities clearing for ICBC's clearing customers.
An ICBC Citrix NetScaler appliance vulnerable to the 'Citrix Bleed' bug (CVE-2023-4966) was exploited during the ransomware attack and has since been taken offline.
ICBC is the world's largest commercial bank by revenue and has an extensive global presence with branches in 41 countries, serving over 730 million individual and corporate customers.
The U.S. Treasury is aware of the cybersecurity incident and is monitoring the situation closely with financial industry participants and regulators. | Details |
| 2023-11-10 09:01:41 | thehackernews | MALWARE | 'Effluence' Backdoor Found in Patched Atlassian Servers | Cybersecurity researchers have uncovered a new backdoor, named Effluence, in Atlassian Confluence Data Center and Server.
Effluence is a separate implant left on already-compromised servers, so applying the Confluence patches does not remove it; it gives the attacker unauthenticated remote access and data exfiltration.
The backdoor is linked to the exploitation of a critical security flaw, CVE-2023-22515, allowing unauthorized creation of admin accounts.
Attackers leverage this backdoor to execute commands, create new admin accounts, delete files, and gather extensive data, while covering their tracks.
The sophisticated web shell used by the attackers can activate only in response to specific requests, remaining undetected during typical use.
The Effluence malware uses common Atlassian APIs, raising concerns about its potential impact on other Atlassian products like JIRA or Bitbucket.
The incidents call for heightened vigilance and may require additional security measures beyond patching to ensure the backdoor is eradicated. | Details |
| 2023-11-10 09:01:41 | thehackernews | MISCELLANEOUS | Balancing Automation and Customization in Security Operations | Security Operation Centers (SOCs) are embracing automation due to the sheer volume of threat signals, with an estimated 80% being common across organizations.
Despite the efficiency of automated solutions, they cannot entirely replace human judgment for detection and response, necessitating customized approaches for unique threats.
The GigaOm Radar for Autonomous Security Operations Center report warns against fully autonomous SOCs and highlights the demand for products offering both automated and customizable capabilities.
Advanced vendor solutions automate various SOC workflow stages, including integration of threat intelligence feeds and pre-built detection rules, to manage the majority of alerts effectively.
Customization is vital for addressing industry or company-specific use cases, accounting for the unique 20% of threats that automation alone cannot manage.
Vendors that combine automation with customization capabilities, such as Hunters, enable organizations to tailor their security strategies while maintaining efficiency in threat management.
An effective SOC requires a blend of automated capabilities for common threats and the flexibility to address particular needs, avoiding a one-size-fits-all approach to security tools. | Details |
| 2023-11-10 08:03:56 | theregister | CYBERCRIME | ICBC Ransomware Attack Disrupts US Treasury Trades | ICBC, China's largest bank, suffered a ransomware attack, disrupting its financial services systems and impacting global trade activities.
The bank responded by disconnecting and isolating the compromised systems to contain the incident and has been working on an investigation and recovery.
ICBC's domestic and foreign affiliates were not affected as they operate independently from the bank's core systems.
The cyber-attack hampered US Treasury market operations, preventing the settlement of trades for market participants.
Security analysts linked the intrusion to exploitation of the "CitrixBleed" vulnerability (CVE-2023-4966) on an unpatched Citrix NetScaler appliance.
The attack's consequences expanded to equity traders being unable to place or clear trades through ICBC due to connectivity issues.
The LockBit ransomware gang is suspected to be behind the attack; the group has extorted significant sums through numerous attacks since 2020.
Experts call for stricter measures against ransomware, highlighting the ineffectiveness of current strategies and suggesting a prohibition on ransom payments. | Details |
| 2023-11-10 07:12:49 | thehackernews | NATION STATE ACTIVITY | Iranian Cyber Group Imperial Kitten Targets Middle East Tech | Iranian-linked cyber group Imperial Kitten has targeted sectors in the Middle East involving transportation, logistics, and technology, with a focus on Israel.
CrowdStrike attributes the attacks to Imperial Kitten, also known as Crimson Sandstorm, TA456, Tortoiseshell, and Yellow Liderc, which has been active since at least 2017.
The group uses social engineering and recruitment-related content to deliver custom .NET-based malware and has also employed watering hole attacks, exploiting website vulnerabilities and using stolen credentials and phishing.
Imperial Kitten leverages job-themed phishing campaigns using macro-laden Excel documents to install a Python-based reverse shell for command and control communications.
Post-exploitation tactics include lateral movement tools like PAExec and NetScan, as well as deployment of IMAPLoader, StandardKeyboard implants, and a RAT that uses Discord for command and control.
Microsoft reports that Iranian cyber activity has been more reactive and opportunistic since the onset of the Israel-Hamas war on October 7, 2023, with Iranian operators employing their established tactics and exaggerating their success.
Related cyber activities include the Hamas-affiliated Arid Viper targeting Arabic speakers with Android spyware through malicious apps impersonating Skipped and Telegram. | Details |
| 2023-11-10 05:10:37 | thehackernews | MALWARE | Stealth Android Spyware "Kamran" Targets Urdu Speakers in Gilgit-Baltistan | A covert cyber espionage campaign targeting Urdu-speaking users has been identified by ESET, involving a spyware named Kamran.
The malware was disguised as a legitimate Android app offered by Hunza News, a regional news website serving the Gilgit-Baltistan area.
The app contained espionage features and has compromised at least 20 devices, collecting a wide range of personal data.
Users who visited the website were prompted to download the APK directly from the site, side-loading it without the Google Play store's vetting.
The spyware requests extensive permissions to exfiltrate sensitive information, including contact details, call logs, messages, location, and more, to a Firebase server.
The design of Kamran spyware is relatively simple, with no remote control capabilities, and it repeatedly uploads the same data to the control server.
The threat actor behind Kamran has not been identified, and the app has only been distributed through the website, not via any official app stores. | Details |
| 2023-11-09 22:23:36 | theregister | CYBERCRIME | Intel Faces Lawsuit for Allegedly Ignoring Known Chip Vulnerability | Intel is being sued for not addressing a known weakness in how its processors handle AVX gather instructions, the weakness behind the recent "Downfall" vulnerability (CVE-2022-40982).
Plaintiffs claim Intel was aware of the chip's susceptibility to side-channel attacks since 2018, but only patched the issue in 2023 after public disclosure.
Downfall allows an attacker to read sensitive data, such as encryption keys, belonging to other processes or virtual machines running on the same core.
Intel Core processors from the 6th to 11th generation are affected, and the microcode mitigation can noticeably slow down AVX-heavy workloads.
The lawsuit accuses Intel of failing to redesign its chips to be secure while speculatively executing AVX instructions, despite being aware of the problem.
The lawsuit says internal buffers used by the AVX instructions were never publicly documented and that these "backdoors", as the complaint calls them, were not covered by the earlier Spectre and Meltdown mitigations.
Plaintiffs using patched systems have experienced performance degradation in various applications and games. Intel has opted not to comment on the lawsuit. | Details |
| 2023-11-09 21:47:42 | bleepingcomputer | DATA BREACH | Kyocera AVX Components Corporation Victimized by Ransomware, 39,000 Affected | Kyocera AVX Components Corporation experienced a data breach affecting 39,111 individuals due to a ransomware attack.
Personal information such as full names and Social Security Numbers were compromised during the incident.
The breach occurred between February 16 and March 30, 2023, with systems encryption and service disruptions noted on March 30, 2023.
LockBit ransomware group claimed responsibility, publishing stolen data including sensitive documents and schematics.
Kyocera AVX has started notifying affected individuals and is offering a free 12-month dark web monitoring and password leak service.
There's currently no evidence of misuse of the stolen data, but Kyocera AVX warns affected individuals about potential risks of fraud and identity theft. | Details |
| 2023-11-09 19:55:01 | bleepingcomputer | CYBERCRIME | Ransomware Disrupts Global Bank, Strains U.S. Treasury Market | The Industrial & Commercial Bank of China (ICBC) is recuperating from a ransomware attack that affected U.S. Treasury settlements and equities clearing.
The cyberattack spurred the Securities Industry and Financial Markets Association to alert its members, indicating widespread concern.
ICBC's clearing customers faced significant disruptions, leading to a temporary suspension of orders and inbound FIX connections.
Ongoing recovery efforts are in place, with financial sector participants and federal regulators maintaining vigilant communication.
The U.S. Treasury is actively monitoring the cybersecurity breach and its potential ramifications across financial systems.
No immediate response was available from an ICBC USA spokesperson, although industry experts have confirmed the ransomware attack.
The attack has been linked to an unpatched 'Citrix Bleed' vulnerability on one of ICBC's Citrix servers.
ICBC stands as the world's largest commercial bank by revenue, serving millions of individual and corporate customers globally. | Details |
| 2023-11-09 17:06:40 | theregister | CYBERCRIME | SolarWinds Rebuts SEC Allegations on Cybersecurity Practices | SolarWinds has vehemently disputed the SEC's lawsuit concerning the SUNBURST cyberattack, contending the charges are legally and factually baseless.
The company defends its cybersecurity posture pre-attack, refuting the SEC's claims of insufficient security controls and misrepresentation of their adherence to the NIST framework.
SolarWinds accuses the SEC of attempting to extend its regulatory domain without the appropriate authority or expertise in cybersecurity regulation.
The SEC lawsuit alleges misleading statements by SolarWinds and its CISO to investors about the company's security practices and known vulnerabilities.
SolarWinds contends its investor disclosures were accurate and argues deep disclosures of security weaknesses could aid potential attackers, an industry-wide concern.
The case highlights a complex issue of transparency versus security risk, with the potential to shape future cybersecurity practices and regulations.
SolarWinds argues the SEC lawsuit could disincentivize internal discussions on cybersecurity risk improvement and drive skilled professionals away from the industry. | Details |
| 2023-11-09 16:56:15 | thehackernews | MALWARE | Lace Tempest Exploits Zero-Day in SysAid Software for Malware Delivery | Lace Tempest threat actor exploited a zero-day vulnerability in SysAid IT support software, tracked as CVE-2023-47246.
The flaw, a path traversal issue, could allow code execution and has been patched in version 23.3.36 of SysAid software.
Exploitation involved Lace Tempest uploading a malicious WAR archive to deliver a web shell, enabling backdoor access and subsequent malware deployment.
Attackers loaded the GraceWire malware via a delivered PowerShell script and used Cobalt Strike for post-exploitation activity.
Organizations using SysAid are urged to apply the provided patches immediately to prevent potential ransomware attacks.
The U.S. FBI has warned of ransomware attackers targeting third-party vendors and system tools for malicious activities, including the Silent Ransom Group's extortion methods.
The FBI alert highlighted the ongoing trend of cybercriminals using legitimate tools for system compromise and extortion. | Details |
| 2023-11-09 16:15:14 | bleepingcomputer | MALWARE | Google Ads Exploited to Spread Redline Malware via Fake CPU-Z App | Google Ads has been misused to distribute a trojanized version of the CPU-Z tool, which delivers the Redline info-stealing malware.
Malwarebytes analysts identified the campaign and linked it to previous malvertising operations that targeted users with malicious Notepad++ downloads.
Victims are lured to a clone of a Windows news site where a legitimate-looking 'Download now' button serves a digitally signed MSI installer that carries a malicious script.
The FakeBat malware loader in the MSI file silently fetches and activates the Redline Stealer payload on the victim's system without triggering security warnings.
Redline malware is capable of harvesting a wide array of personal data, including passwords, cookies, browser data, and cryptocurrency wallet information.
Users are advised to exercise caution when clicking on Google Search ads and ensure the authenticity of the domain or employ ad-blockers to evade such threats. | Details |
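For the Effluence item above, the check an administrator will want is whether their Confluence instance ever saw the setup-wizard traffic that precedes the rogue-admin creation the backdoor relies on. The following is an added example, not code from the article, from Aon or from Atlassian: it scans Tomcat-style access-log lines for requests to the `/setup/` endpoints and for the `setupComplete=false` parameter, the two indicators Atlassian's CVE-2023-22515 advisory tells administrators to look for, and groups hits by client IP so that a toggle followed by a POST to the administrator-setup action stands out. The log lines are constructed for the example and the field layout (client IP, identity, user, timestamp, request, status) is an assumed AccessLogValve pattern; adjust `LOG_RE` to your own pattern.

```python
import re
from collections import defaultdict

# Assumed access-log layout (Tomcat AccessLogValve "common"-style pattern):
# client IP, identity, user, [timestamp], "METHOD path HTTP/x", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators named in Atlassian's CVE-2023-22515 advisory: any request to the
# setup wizard after installation is complete, and the query parameter that
# flips a finished instance back into setup mode.
SETUP_MARKER = "/setup/"
SETUP_TOGGLE = "setupComplete=false"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a reason string for a suspicious request, or None."""
    path = entry["path"]
    # "in" rather than startswith so a context path such as /confluence/setup/ still matches
    if SETUP_MARKER in path:
        return "setup-endpoint"
    if "server-info.action" in path and SETUP_TOGGLE in path:
        return "setup-mode-toggle"
    return None


def hunt(lines):
    """Group suspicious requests by client IP: {ip: [(reason, method, path, status), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits[entry["ip"]].append((reason, entry["method"], entry["path"], entry["status"]))
    return dict(hits)


def likely_exploit_chain(hits):
    """IPs that toggled setup mode and then POSTed to the administrator-setup action."""
    flagged = []
    for ip, events in hits.items():
        toggled = any(reason == "setup-mode-toggle" for reason, _m, _p, _s in events)
        created_admin = any(
            reason == "setup-endpoint" and method == "POST" and "setupadministrator" in path
            for reason, method, path, _s in events
        )
        if toggled and created_admin:
            flagged.append(ip)
    return sorted(flagged)


# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Nov/2023:10:01:12 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 -',
    '203.0.113.7 - - [09/Nov/2023:10:01:13 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 -',
    '198.51.100.20 - jdoe [09/Nov/2023:10:02:00 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 4512',
    '198.51.100.21 - - [09/Nov/2023:10:03:44 +0000] "GET /setup/setupstart.action HTTP/1.1" 403 -',
]

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for ip, events in found.items():
        for reason, method, path, status in events:
            print(f"{ip:15} {reason:18} {method} {path} -> {status}")
    print("probable exploitation from:", likely_exploit_chain(found))
```

A single GET to a setup endpoint that the server answered with 403 is worth a look but is not proof of compromise; the toggle-then-POST pair from one address is the pattern that should trigger the account audit the article recommends, since a successful exploitation leaves a new member of the administrators group that patching will not remove.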
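For the SysAid item above, the path-traversal bug mattered because it let the attacker write a WAR archive into the Tomcat webroot, where Tomcat's auto-deploy turned it into a running web shell. The following is an added example, not code from the article, from Microsoft or from SysAid: it walks a Tomcat `webapps` tree, flags any WAR not on an allowlist and any JSP modified inside a look-back window, and opens each unexpected WAR to see whether its JSP entries call Java's command-execution APIs. The directory layout, the allowlisted name `sysaid.war` and the dropped `update.war` are all constructed in a temporary directory for the example and are not SysAid's real artifact names.

```python
import os
import re
import tempfile
import time
import zipfile

# Java calls a JSP web shell almost always relies on to run OS commands.
SHELL_PATTERNS = re.compile(rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder|javax\.script", re.I)


def jsp_entries_with_exec(war_path):
    """List .jsp/.jspx entries inside a WAR whose source matches SHELL_PATTERNS."""
    hits = []
    with zipfile.ZipFile(war_path) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith((".jsp", ".jspx")) and SHELL_PATTERNS.search(zf.read(info)):
                hits.append(info.filename)
    return hits


def hunt_webapps(webapps_dir, expected_wars, since_epoch):
    """Flag WARs not in the allowlist and JSPs modified after since_epoch under a Tomcat webapps tree.

    Returns a list of (path, reason, [suspicious JSP names]).
    """
    findings = []
    for root, _dirs, files in os.walk(webapps_dir):
        for name in files:
            path = os.path.join(root, name)
            lower = name.lower()
            if lower.endswith(".war") and name not in expected_wars:
                try:
                    findings.append((path, "unexpected WAR", jsp_entries_with_exec(path)))
                except zipfile.BadZipFile:
                    findings.append((path, "unexpected .war that is not a zip", []))
            elif lower.endswith((".jsp", ".jspx")) and os.path.getmtime(path) >= since_epoch:
                with open(path, "rb") as fh:
                    shell_like = SHELL_PATTERNS.search(fh.read()) is not None
                findings.append((path, "recently modified JSP", [name] if shell_like else []))
    return findings


def build_sample_tree(base):
    """Construct a webapps tree for the example: one legitimate WAR, one dropped WAR, one old JSP."""
    os.makedirs(os.path.join(base, "ROOT"), exist_ok=True)
    # Expected application archive; "sysaid.war" is a placeholder name, not SysAid's real artifact.
    with zipfile.ZipFile(os.path.join(base, "sysaid.war"), "w") as zf:
        zf.writestr("index.jsp", "<html>ok</html>")
    # Dropped archive carrying a one-line JSP web shell, constructed for the example.
    with zipfile.ZipFile(os.path.join(base, "update.war"), "w") as zf:
        zf.writestr("cmd.jsp", '<% Runtime.getRuntime().exec(request.getParameter("c")); %>')
    # Benign JSP that predates the look-back window.
    old_jsp = os.path.join(base, "ROOT", "index.jsp")
    with open(old_jsp, "w") as fh:
        fh.write("<html>ok</html>")
    year_ago = time.time() - 365 * 86400
    os.utime(old_jsp, (year_ago, year_ago))


def run_demo():
    """Build the sample tree in a temp dir and hunt it with a one-week look-back."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return hunt_webapps(base, expected_wars={"sysaid.war"}, since_epoch=time.time() - 7 * 86400)


if __name__ == "__main__":
    for path, reason, jsps in run_demo():
        print(f"{reason}: {path} {jsps}")
```

Run it against a real `webapps` directory with the application's own WAR names in `expected_wars` and a `since_epoch` just before the earliest known exploitation date; an unexpected WAR with no matching JSP still deserves attention, because a shell can be obfuscated or hidden in a servlet class rather than a JSP, and the allowlist is only as good as the inventory behind it.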