Flair Data Systems Cybersecurity News Update 12-20-2023

Happy Wednesday and Merry Christmas! 

There has been an interesting set of events in play this week, even if there are only a few of them on the list below.  Some of these are updates and a few are new threats. Going into the end of the year, cyber criminals are not taking a break. So, in addition to this last cyber update of 2023, Jessica Nemmers and I took a moment to reflect and discuss some important focus areas to best protect your organization as we ring in the new year, if you want to check out that blog post as well: http://www.flairdata.com/end-of-year-cybersecurity-checkup-for-a-stronger-2024 

With next week being a short week due to Christmas and New Years, I plan on postponing my next update until 2024.  I hope you have a great Christmas with your family and friends and take time to catch a breath before 2024 strikes up in a couple of weeks.  Merry Christmas and Happy New Year! 

With that, let’s jump into this week’s cyber update... 

Box storage platform suffers outage 

Last Friday Box experienced a critical outage that prevented customers from accessing files that impacted logins, uploads, downloads, and API calls 

• Later that day, Box had restored services however a cause for the outage has not been reported yet - Let's hope it was as they stated and a malfunction of systems and not another company added to a long list being added to cyber attacks 
• Link (1): https://www.bleepingcomputer.com/news/technology/box-cloud-storage-down-amid-critical-outage/ 

Alphv/Blackcat website seized  

On Tuesday (19th), the DOJ released a noticed that they had seized the domain of Alphv/Blackcat's systems through a multi-national operation to infiltrate and take down the ransomware gang 

• This is the 3rd time over the years that law enforcement has breached Alphv's (the ransomware gang has operated under different names - DarkSide, BlackMatter, and now BlackCat/AlphV) 
• Part of the operation allowed the FBI was able to obtain the encryption keys for 400+ organizations ransomed and built a decryption tool to help them 
• Throughout the day, the FBI and Alphv were playing a game of seeing who could take the domain back which is capable of being done because both sides have the private keys used to register the onion URL in Tor 
• Bad News: Alphv has also stated that the FBI had only captured roughly 400 companies' encryption keys but there are over 3,000 companies still in their possession and Alphv is stating those will never see their keys 
• Now the even scarier part - because of this Alphv has stated that any restrictions they had in place against critical infrastructure and hospitals has been removed and are free game 
• Link (1): https://www.bleepingcomputer.com/news/security/fbi-disrupts-blackcat-ransomware-operation-creates-decryption-tool/ 
• Link (2): https://therecord.media/alphv-black-cat-ransomware-takedown-fbi 

MongoDB suffers breach 

Last Wednesday (13th), MongoDB detected an incident that led to investigating their systems and found that there was an unauthorized access of certain MongoDB corporate systems 

• Information is still unknown as MongoDB is continuing to investigate 
• Link (1): https://www.bleepingcomputer.com/news/security/mongodb-says-customer-data-was-exposed-in-a-cyberattack/ 

Seattle cancer center hit with ransomware 

Last Friday (15th), Hunters International ransomware group listed Fred Hutchinson Cancer Center on its leak site - claiming to have stolen 533 GB of data 

• On December 11th, Fred Hutchinson Cancer Center had notified federal law enforcement agencies following the detection of unauthorized activity on its clinical network - however, this has probably been ongoing for a longer period of time 
• It has been reported that the threat actor is also extorting individuals as well as the organization 
• Ongoing investigation is underway 
• Link (1): https://therecord.media/seattle-fred-hutch-cancer-center-ransomware-attack 

Hacking with Mr. Cooper 

This is an update to the incident / data breach that occurred on Oct 31st for Mr. Cooper 

• Mr. Cooper has started contacting customers (current and previous), which is roughly 14.7 million, that their personal information was exfiltrated 
• Information would include names, addresses, dates of birth, phone numbers, SS#'s, and bank account numbers 
• All systems have been restored but details around the "how" it happened has not been released as of yet 
• Link (1): https://www.securityweek.com/mr-cooper-data-breach-impacts-14-7-million-individuals/#:~:text=Mortgage%20giant%20Mr.%20Cooper%20is,stolen%20in%20a%20recent%20cyberattack. 

SMTP smuggling to bypass email protections 

This was the results of a research project by SEC Consult Vulnerability Lab and Timo Longin 

• By performing this exploit, it is possible to smuggle/send spoofed e-mails while still passing SPF alignment checks 
• Microsoft, GMX, and Cisco Secure Email were products that the researchers identified vulnerabilities - Microsoft and GMX were able to fix these quickly... Cisco did not 
• Please take the time to review the link - it is very informative and provides workarounds for Cisco 
• Link (1): https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ 

December Windows 11 Patch Breaks Wi-Fi Connectivity  

KB5033375 cumulative updated for December Patch Tuesday has been seen to cause Wi-Fi connectivity issues on some Windows 11 devices 

• It has been recommended to uninstall the KB listed above IF you are experiencing this issue - but it has only been seen to affect enterprise wireless networks but not affecting home wireless/internet usage 
• Enterprise wireless networks with fast-transition / fast-roaming enabled to facilitate seamless device movement between wireless access points 
• Please review the Link above for further information 
• Link (1): https://www.bleepingcomputer.com/news/microsoft/decembers-windows-11-kb5033375-update-breaks-wi-fi-connectivity/ 

Comcast Xfinity Data Breach 

On December 18th, the Attorney General of Maine was notified of the Comcast breach 

• 35 million customers are currently being notified that their confidential information was compromised 
• This compromise was due to a Citrix vulnerability 
• Sensitive information exposed included: Name, Contract Info, last 4 of SS#, DoB, Secret questions and answers, Usernames, and hashed passwords 
• Based on information from Comcast, they were applying patches as quickly as possible, but the threat actor still was able to gain access between October 16th  and 19th of 2023 
• Link (1): https://www.darkreading.com/cyberattacks-data-breaches/console-associates-p-c-comcast-xfinity-reports-data-breach-exposing-confidential-information-of-35m-customers 
  

Until next YEAR, it’s Brent Forrest signing off. Be cyber safe my friends! 

Merry Christmas and Happy New Year!