Flair Data Systems Cybersecurity News Update 1-3-2024
My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity update for 1/3/2024...
Happy New Year! I hope everyone had a great holiday week celebrating both Christmas and New Year's. Now it's time to get back into the swing of things.
In 2023 there were far too many incidents throughout the year, so I am hoping for a "slower" year in 2024! As a community, we all need to be more resilient and diligent in protecting the data we are entrusted to protect. There will never be a 100% silver bullet, but if strong enough safeguards are put in place (i.e., awareness training, technical controls, third-party risk awareness, etc.) there is a much better chance of reducing the risk of an incident occurring. I remember being asked a few years ago, "What is the point of all these security tools if the bad guys can still get in?" What was said then still holds true today: sometimes what matters is slowing the threat actor down long enough to set off alarms and lock them out before real damage is done.
That said, let’s jump into this week’s cyber update...
Ransomware incident at Xerox
INC Ransomware added Xerox to their ransom portal on December 29th, claiming to have stolen sensitive data and confidential documents.
- Xerox has stated that it detected and contained the incident, which affected the Xerox Business Solutions (XBS) subsidiary
- A third-party investigation is underway to determine the full scope of the incident, and Xerox says it is taking the necessary steps to secure the environment
- INC Ransomware claims to have obtained email communications, payment details, invoices, filled-out request forms, and purchase orders
- Link (1): https://www.bleepingcomputer.com/news/security/xerox-says-subsidiary-xbs-us-breached-after-ransomware-gang-leaks-data/
Agent Tesla and an old Microsoft Office vulnerability create new problems
A phishing campaign is exploiting CVE-2017-11882, a memory corruption vulnerability in Microsoft Office that allows remote code execution.
- Fake Excel documents are attached to invoice-themed messages sent to potential targets; once opened, the malicious documents take advantage of the CVE listed above
- Through these phishing campaigns, the weaponized Office document is used to deliver an infostealer malware dubbed Agent Tesla
- Link (1): https://securityboulevard.com/2024/01/ms-excel-vulnerability-exploited-to-distribute-agent-tesla/#:~:text=Threat%20actors%20with%20malicious%20intent,infostealer%20malware%20dubbed%20Agent%20Tesla.

First American suffers cyberattack
The incident was disclosed on December 20th; a threat actor gained access and stole company data from non-production systems.
- The incident has been contained, but further investigation is underway; the banking unit is back online and operational
- First American is the second-largest title insurance firm, and it has not yet been determined whether this incident will have a material impact
- Link (1): https://www.cybersecuritydive.com/news/first-american-financial-encrypted-data/703411/#:~:text=First%20American%20Financial%20said%20the,the%20Securities%20and%20Exchange%20Commission.
CBS and Paramount owner hacked a year ago
National Amusements, the cinema chain and corporate parent of Paramount and CBS, has confirmed that the personal information of 82,128 people was exposed in a December 2022 data breach.
- Affected people only began being notified a year later; the company itself only discovered the breach in August 2023, and what information was taken was not known at the time
- Other stolen information included financial information (bank account numbers or credit card numbers) along with the associated security codes, passwords, or secrets
- The stolen data relates to company employees
- Link (1): https://techcrunch.com/2023/12/26/cbs-paramount-owner-national-amusements-hacked/#:~:text=The%20private%20media%20conglomerate%20said,notifying%20those%20affected%20last%20week.
Ohio Lottery cyberattack claimed by DragonForce
On Christmas Eve, the Ohio Lottery shut down key systems after a cyberattack affected an undisclosed number of internal applications.
- The incident is currently under investigation and restoration of impacted systems is underway; the gaming system itself is still fully operational
- A new ransomware gang, DragonForce, has emerged and claimed the incident, stating that it encrypted devices and stole data during the attack, including Social Security numbers and dates of birth that potentially belong to both employees and customers
- Link (1): https://www.bleepingcomputer.com/news/security/ohio-lottery-hit-by-cyberattack-claimed-by-dragonforce-ransomware/
Flaw in Black Basta decryptor allows recovery of victims’ files - temporarily
Researchers were able to create a decryptor that exploits a flaw in the Black Basta ransomware encryption routine, allowing victims to recover their files for free.
- Victims from November 2022 through December 2023 are potentially able to recover their files
- The Black Basta developers fixed the bug in their encryption routine about a week ago, so this decryption technique does not work on newer attacks
- Link #2 points to the GitHub repository for the decryptor
- Link (1): https://www.bleepingcomputer.com/news/security/new-black-basta-decryptor-exploits-ransomware-flaw-to-recover-files/
- Link (2): https://github.com/srlabs/black-basta-buster
Cyberattack hits Boston area hospital
On Christmas Eve, a cyberattack forced Anna Jaques Hospital (35 miles north of Boston) to turn away ambulances because its electronic health records system was down.
- The hospital is part of the Beth Israel Lahey Health system; however, no other details about the incident have been released
- Link (1): https://therecord.media/cyberattack-on-massachusetts-hospital-disrupted-health-record-system
Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or new technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been part of multiple groups within the IT field, spanning Telecom, Network, Wireless, and Infrastructure, before finding his passion in Security. Roughly 20 years of that time was spent in the Oil and Gas industry, working across multiple teams and leading initiatives. Specifically at EnLink Midstream, he spent the majority of his time building resilience and developing the cybersecurity program from the ground up.
Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, and Sec+ certified. In his free time, he likes to spend time with family, work out, or keep up with personal development.
He lives in Dallas, Texas with his wife and children.
About: Flair Data Systems is a strategically priced IT solutions company serving clients across the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity.