Brent Forrest Cybersecurity News Update 11-29-2023
My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity update for 11/29/2023.
It's a chilly morning this week and it is very welcome! For those that know how much I truly love running, this week was the first week to break out the gloves. Sadly, a few of the updates provided below have affected some businesses either in North Texas or East Texas.
As we move into the Holidays, it is the time for scams and phishing attempts to rise along with sales, gift cards, and other tricks. Please take the time to continue to educate your employees about the dangers that come along with the joys of the holiday season. There are plenty of options available for bringing this awareness: KnowBe4, Wizer-Training, Proofpoint Security Awareness, Barracuda Security Awareness, and others. Also remember, mixing both education (i.e., video, infographics, etc.) and training (i.e., phishing tests, gamification) is a great way to solidify diligence when it comes to phishing (email), vishing (voice), and smishing (texting) attacks.
Let’s dive into this week's “chilling” cyber update.
Play Ransomware Update
Play ransomware has shifted to a Ransomware-as-a-Service model.
- Initial access is gained using legitimate credentials, exposed RDP servers, and exploits for specific FortiOS vulnerabilities.
- The ransomware is propagated internally through GPOs, scheduled tasks, PsExec, or wmic; encrypted files carry the ".play" extension.
- Incidents in November hit an all-time high of 36 cases reported in a single day (Nov 28th).
Google to weaken ad blockers on Chrome in a push for security
Starting in June 2024, ad blocker extensions on Chrome (uBlock Origin, for example) will no longer work as intended.
- The older extension platform, Manifest V2, will be disabled as Chrome moves to Manifest V3.
- V3 is supposed to bring more security, higher efficiency, and fewer requested user permissions; yet its more limited feature set will mean limited functionality.
- Speculation is that this is a way for Google to move away from 3rd-party ad blockers due to their loss in ad revenue.
- Link (1): https://cybernews.com/privacy/google-to-weaken-chrome-ad-blockers-push-for-security/
Fidelity National Financial attacks
On November 22, Blackcat/AlphV publicly took credit for the attack on Fidelity National Financial (FNF).
- This attack has affected consumers attempting to close on their homes, causing delays in closing the purchase/sale of homes.
- The SEC 8-K filing (Link 2) was released Nov. 19th. Per the filing, FNF restricted access to certain systems, which caused a business disruption to title insurance, escrow and other title-related services, mortgage transaction services, and technology for the real estate and mortgage industry.
- No other information was released, other than that the threat actor gained access to certain FNF systems and acquired credentials.
- Blackcat/AlphV called FNF out on hiring Google Mandiant as their incident response firm.
- Link (1): https://therecord.media/fidelity-national-financial-ransomware-alphv-black-cat
- Link (2): https://www.sec.gov/ix?doc=/Archives/edgar/data/1331875/000133187523000064/fnf-20231119.htm
Gulf Air exposed to data breach
Gulf Air, the air carrier for the Kingdom of Bahrain, has experienced an incident that resulted in the theft of sensitive customer information.
- The "how" is still unknown: ransomware, MOVEit, Citrix Bleed, or some other mechanism.
- Operations and critical systems were not affected, which means no disruption of flight schedules, and makes a ransomware attack much less likely (again, unknown).
- Link (1): https://www.techradar.com/pro/security/gulf-air-hit-with-data-breach-customer-data-possibly-affected
Idaho National Labs data breach
SiegedSec, a hacktivist group, leaked stolen HR data online that was obtained from Idaho National Labs (INL).
- INL is a nuclear research center run by the U.S. Department of Energy, employing roughly 5,700 specialists in atomic energy, integrated energy, and national security.
- SiegedSec is claiming to have obtained data on users, employees, and citizens with the following information: Name, DoB, Email, Phone number, SS#, Address, Employment Info.
- As of right now, INL has confirmed that servers supporting their Oracle HCM system were affected and they are working to investigate the incident.
- Several years ago, I personally visited one of their training facilities, where we were able to perform a true tabletop scenario of an attack on an Operational Technology environment in which we had to protect a SCADA / PLC environment.
- Knowing their team that protects their systems (at least at that point in time), there is no telling how long SiegedSec was in that environment moving around very slowly
- Link (1): https://www.bleepingcomputer.com/news/security/hacktivists-breach-us-nuclear-research-lab-steal-employee-data/
ownCloud discloses 3 vulnerabilities
- CVE-2023-49103 (10): disclosure of sensitive credentials and configuration in containerized deployments (actively being exploited)
- CVE-2023-49105 (9.8): WebDAV API authentication bypass using pre-signed URLs
- CVE-2023-49104 (8.7): Subdomain validation bypass
- Each of the above CVEs has its own workaround listed in the linked article. If you use ownCloud in your environment, review how this potentially affects you (call their support for additional assistance if necessary).
- Link(1): https://www.theregister.com/2023/11/27/three_major_vulnerabilities_in_owncloud/#:~:text=ownCloud%20has%20disclosed%20three%20critical,server%20credentials%2C%20and%20license%20keys.
North Texas water utility hit by cyberattack
The attack is attributed to Daixin Team, a cyber gang that first appeared in June 2022 and has also targeted Oakbend Medical Center (Richmond, TX), Fitzgibbon Hospital (Missouri), and Ista International (Germany).
- The threat actor's page on the exfiltrated data is a bit interesting in that they claim to have obtained both PII and PHI data. Yet this is a water, wastewater, and solid waste management company, so how did they obtain PHI, or is this more of a canned statement?
- NTMWD (North Texas Municipal Water District) has stated that only the business network was affected and not any of the operational network; most of it has been restored at this point.
- A Pennsylvania water authority was also hit, a bit harder, by an alleged pro-Iran group (Cyber Av3ngers) that attacked an outpost of the Municipal Water Authority of Aliquippa. This outpost contains a collection of pumps that maintain water pressure and regulate water flow; the equipment was taken offline, and they are utilizing backup tools to maintain water pressure.
- Link (1): https://therecord.media/north-texas-water-utility-cyberattack
- Link (2): https://therecord.media/water-authority-pennsylvania-cyberattack-pro-iran-group
UT Health East Texas resumes divert status; access to MyChart, video visits unavailable in wake of cyberattack
Ardent Health Services, which oversees 30 hospitals across the United States, experienced a severe ransomware attack affecting facilities in Oklahoma, New Mexico, and Texas.
- Ardent took measures to shut down a significant number of its computerized services, including clinical programs and its use of Epic Systems, which tracks patients' health care records.
- The incident began on Thanksgiving Day, but the "who", "how", and "what" have not been released at this point in time. Given that it occurred less than a week ago, this is pretty standard; I am sure they know the "who" and hopefully the "how", so that they are able to remove the threat actors from their systems.
- Here in Texas, this has affected many of the hospitals across East Texas that fall under UT Health East Texas.
- Link (1): https://www.nbcnews.com/tech/security/emergency-rooms-least-3-states-diverting-patients-ransomware-attack-rcna126890
- Link (2): https://www.kltv.com/2023/11/27/ut-health-east-texas-resumes-some-emergency-room-admissions-wake-cyber-security-incident/
- Link (3): https://www.kltv.com/2023/11/28/ransomware-investigation-expert-discusses-ut-health-east-texas-data-breach/
- Link (4): https://ardenthealth.com/datasecurityupdate
Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or new technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been part of multiple groups within the IT field, spanning Telecom, Network, Wireless, and Infrastructure, before eventually finding his passion in Security. Roughly 20 years of that time was spent within the Oil and Gas industry, working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent the majority of his time building resilience and developing the cybersecurity program from the ground up.
Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, work out, or keep up with personal development.
He lives in Dallas, Texas with his wife and children.
About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity.