Flair Data Systems Cybersecurity News Update 2-07-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 2/07/2024.

I hope that the week is treating you well and that you are enjoying some of the spring weather (wait, we are still in winter?). The world never ceases to amuse with the stories that surface, such as the last one below about IoT-based toothbrushes, which comes the same week I spent time with friends from Phosphorus (a firm that focuses on identifying and managing xIoT devices) learning about their platform and capabilities.

 

On that note, let’s jump into this week's cybersecurity news update. 


FBI grounds Volt Typhoon 

 

Volt Typhoon is a hacking campaign targeting privately owned Cisco and Netgear routers infected with "KV Botnet" malware

  • The FBI issued a command to infected routers that would delete the KV Botnet malware from the devices without affecting any legitimate files or information on the routers 
  • A 2023 Lumen analysis showed that Volt Typhoon had been active since at least February 2022 

Link (1): https://cyberscoop.com/chinese-cyber-threats-fbi-operation-botnet/ 

 

More companies refuse to pay ransoms 

 

Based on data points provided in a Coveware report for Q4 of 2023, only 29% of organizations paid a ransom 

  • In Q1 of 2019, 85% were paying the ransom 
  • A couple of factors contributed to this decrease in payments:
  • Enterprise networks have increased their cyber defenses and have more data backups to help them recover quickly
  • More companies no longer trust that the hackers will keep their promises and delete any stolen data
  • I mentioned in a prior email that I worked with an organization that found it easier to wipe everything and rebuild than to pay the ransom, considering most ransoms are starting to increase

Link (1): https://www.axios.com/2024/01/30/ransomware-pay-out-decline-chart 

 

More vulnerabilities for Ivanti 

 

Over the past 12 months, the number of vulnerabilities disclosed by Ivanti has continued to increase, which in itself is not out of the norm for software firms

  • CVE-2024-21888: Privilege Escalation in the web component of Ivanti Connect Secure and Policy Secure 
  • CVE-2024-21893: Server-side request forgery in the SAML component of Ivanti Connect Secure and Policy Secure 
  • What is abnormal is the criticality of these vulnerabilities and the nature of Ivanti's business as a software company whose products provide remote access
  • These vulnerabilities continue to come with exploitation being seen in the wild
  • One last note: this has gotten to the point where CISA issued an emergency directive requiring all federal agencies to disconnect all instances of Connect Secure and Policy Secure from agency networks no later than 11:59 PM on Friday, February 2, 2024 (last Friday)

Link (1): https://www.cybersecuritydive.com/news/ivanti-vpns-threat-patch-CVEs/706707/#:~:text=Ivanti%20last%20week%20disclosed%20new,patch%20and%20new%20activity%20since. 

Link (2): https://nvd.nist.gov/vuln/detail/CVE-2024-21893 

Link (3): https://nvd.nist.gov/vuln/detail/CVE-2024-21888 

 

Event Log crasher affects all versions of Windows

 

Microsoft has released patches for a new zero-day flaw (EventLogCrasher) that would allow an attacker to remotely crash the Event Log service on devices within the same Windows domain 

  • The patch covers all versions of Windows, from Windows 7 up to Windows 11 and from Server 2008 R2 to Server 2022
  • Only low-level credentials (a Domain User) are needed, and the affected targets include Domain Controllers
  • The issue here is that once the service has crashed, the logs of what occurred on the system are no longer recorded
  • Most third-party log monitoring systems (Sumo Logic, Splunk, etc.) rely on the Event Log service to capture the logs occurring on the system, so if it crashes, those tools are no longer capturing those logs

Link (1): https://www.bleepingcomputer.com/news/microsoft/new-windows-event-log-zero-day-flaw-gets-unofficial-patches/ 
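
The practical consequence of the item above is that a crashed Event Log service does not announce itself; a host simply stops sending events, and the monitoring tools keep running with nothing to show. The detection the defender wants, then, is "which hosts that should be talking have gone quiet?" Below is an added example of that check written for this newsletter; it is not code from Microsoft, any SIEM vendor, or the article linked above. The newline-delimited JSON feed, the hostnames, the field names `host`, `ts` and `event_id`, and the 30-minute silence threshold are all constructed assumptions; a real deployment would read the collector's own export format and tune the threshold per host role (a Domain Controller should never be silent for half an hour).

```python
"""Detect Windows hosts that have gone silent in a log-collector feed.

Added example, not part of the newsletter or of any vendor's product.
The feed below is constructed: a few JSON lines as a collector might
forward them, with made-up hostnames, timestamps and event IDs.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample feed (one JSON record per line); field names are assumed.
SAMPLE_FEED = """\
{"host": "dc01", "ts": "2024-02-07T09:00:05Z", "event_id": 4624}
{"host": "dc01", "ts": "2024-02-07T09:14:40Z", "event_id": 4768}
{"host": "fs02", "ts": "2024-02-07T09:02:11Z", "event_id": 4663}
{"host": "fs02", "ts": "2024-02-07T09:58:30Z", "event_id": 4663}
{"host": "ws117", "ts": "2024-02-07T08:31:09Z", "event_id": 4624}
{"host": "ws117", "ts": "2024-02-07T09:59:02Z", "event_id": 4634}
"""

# Hosts we expect to hear from. A host that never appears is flagged too:
# silence from a machine that exists is the case the crash would produce.
EXPECTED_HOSTS = {"dc01", "fs02", "ws117", "sql03"}

# Fixed "current time" so the example is reproducible offline (assumed).
NOW = datetime(2024, 2, 7, 10, 0, tzinfo=timezone.utc)


def parse_feed(text):
    """Return {host: newest event time} from newline-delimited JSON."""
    latest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Collector writes UTC with a trailing Z; fromisoformat wants an offset.
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        host = rec["host"]
        if host not in latest or ts > latest[host]:
            latest[host] = ts
    return latest


def silent_hosts(latest, expected, now, max_gap=timedelta(minutes=30)):
    """Hosts whose newest event is older than max_gap, or missing entirely.

    Returns {host: seconds since last event}; a never-seen host maps to None.
    Hosts inside the window are omitted so the result reads as an alert list.
    """
    alerts = {}
    for host in sorted(expected):
        if host not in latest:
            alerts[host] = None
            continue
        gap = now - latest[host]
        if gap > max_gap:
            alerts[host] = int(gap.total_seconds())
    return alerts


def demo():
    """Run the check over the constructed feed at the fixed NOW."""
    return silent_hosts(parse_feed(SAMPLE_FEED), EXPECTED_HOSTS, NOW)


if __name__ == "__main__":
    for host, gap in demo().items():
        state = "never seen" if gap is None else f"silent for {gap}s"
        print(f"ALERT {host}: {state}")
```

On the constructed feed this flags `dc01` (last event 45 minutes before NOW) and `sql03` (never seen), while `fs02` and `ws117` are inside the window. The useful design point is that the check keys on the absence of events rather than on any error event: a service that has crashed cannot write the "service stopped" record you might otherwise search for, so the heartbeat has to be inferred from the collector's side.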

 

Continued layoffs in tech

 

Over the past year, we have seen the technology world start to lay off personnel, and it has not stopped in 2024. So far this year:

  • SAP: 8k employees 
  • eBay: 1k employees
  • Microsoft: 1,900 in the gaming division 
  • Google: Replaces part of its ad sales team with AI 
  • Alphabet: 12k employees including engineering, hardware, and digital assistant teams 

Link (1): https://www.computerworld.com/article/3685936/tech-layoffs-in-2023-a-timeline.html 

 

Cloudflare announces nation-state level breach 

 

On Thanksgiving Day last year, a threat actor was detected on Cloudflare's self-hosted Atlassian server and was quickly removed from the environment

  • Between November 14 and 17, the threat actor performed reconnaissance on Cloudflare's internal wiki and bug database systems
  • Between November 20 and 21, additional access indicated that the threat actor came back to test their access and ensure they still had connectivity
  • On November 22, the threat actor used persistent access on the Atlassian server (via ScriptRunner for Jira) to reach Cloudflare's source code management system, but was unsuccessful in accessing the console server with access to a data center Cloudflare had not yet put into production (São Paulo, Brazil)
  • The full report is worth reading; it contains a level of detail that most organizations do not share

Link (1): https://blog.cloudflare.com/thanksgiving-2023-security-incident 

 

AnyDesk says hackers breached production servers, reset passwords 

 

AnyDesk is a remote access solution (e.g., ScreenConnect, TeamViewer) with over 170,000 customers, including 7-Eleven, Comcast, Samsung, MIT, NVIDIA, and Siemens

  • They recently reported a cyberattack that allowed a threat actor to gain access to the company's production systems; source code and private code signing keys were stolen during the attack
  • Ransomware was not involved (or at least not reported) in this incident, but few other details were provided beyond the fact that the incident is currently under investigation
  • As part of the response, AnyDesk stated that they revoked security-related certificates and remediated or replaced systems as necessary
  • AnyDesk statement: "We can confirm that the situation is under control, and it is safe to use AnyDesk. Please ensure that you are using the latest version, with the new code signing certificate."
  • Threat actors continue to utilize these types of tools to infiltrate environments or maintain persistence in them, which explains why the vendors themselves are being targeted (think LastPass)

Link (1): https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/ 

 

Chicago children’s hospital announces cyberattack 


Lurie Children's Hospital's network outage has reached its 8th day in a cyber incident that has knocked out systems

  • No further information is being provided to the public, so speculation has started to point to a ransomware incident
  • During most incidents, everyone is working around the clock to maintain operations while also restoring systems without losing the data needed to determine what type of information was potentially stolen

Link (1): https://wgntv.com/news/chicago-news/lurie-childrens-hospital-network-outage-reaches-8th-day-experts-believe-ransomware-attack-is-to-blame/ 

 

Verizon 2023 breach - insider 


Verizon Communications has stated that, due to an insider data breach, the sensitive data of 63,206 employees was exposed (not customer data)

  • The data exposed included: full name, physical address, SSN, national ID, gender, union affiliation, date of birth, and compensation information
  • They state that at this point in time there is no evidence the information has been misused or shared outside of Verizon
  • Employees and regulators are being notified of the incident
  • We continually ask organizations about their processes and procedures for handling employee data and who has access to it; for example, are there controls in place to prevent SSNs from being exported without being masked?

Link (1): https://www.bleepingcomputer.com/news/security/verizon-insider-data-breach-hits-over-63-000-employees/ 
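
The export-control question above is concrete enough to show in code. The following is an added example for this newsletter, not Verizon's code or anything from the linked article: a small export filter that masks identifier columns on the way out and refuses to let an unmasked SSN pattern slip through a free-text column such as a notes field. The CSV rows, the column names (`ssn`, `national_id`, `notes`), and the masking policy (keep the last four digits of an SSN, the last two characters of other identifiers, redact SSN-shaped strings anywhere else) are all constructed assumptions; the numbers in the sample are fictional.

```python
"""Mask identifiers in an employee-data export and flag unmasked SSNs.

Added example illustrating the kind of export control asked about above;
not Verizon's or any vendor's production code. The CSV sample, the column
names and the masking policy are constructed assumptions.
"""
import csv
import io
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # formatted SSN, e.g. 123-45-6789
SSN_BARE_RE = re.compile(r"\b\d{9}\b")          # the same nine digits without dashes

# Columns that hold identifiers and are always masked on export (assumed names).
MASK_COLUMNS = {"ssn", "national_id"}

# Constructed sample export; every identifier here is fictional.
SAMPLE_CSV = """\
employee_id,full_name,ssn,national_id,dob,notes
1001,Ada Example,123-45-6789,,1980-04-02,badge reissued
1002,Bo Sample,987-65-4321,X1234567,1975-11-30,SSN 987-65-4321 confirmed by HR
"""


def mask_identifier(value):
    """Mask an identifier column value.

    A formatted SSN keeps its last four digits (123-45-6789 -> ***-**-6789);
    any other non-empty identifier keeps only its last two characters.
    """
    if not value:
        return ""
    if SSN_RE.fullmatch(value):
        return "***-**-" + value[-4:]
    return "*" * max(len(value) - 2, 0) + value[-2:]


def export_masked(csv_text):
    """Return (masked CSV text, violations).

    Identifier columns are masked unconditionally. Any other column that
    contains an SSN-shaped string is a policy violation: it is recorded as
    (employee_id, column) and the match is redacted so the export stays clean.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    violations = []
    for row in reader:
        for col, val in list(row.items()):
            if col in MASK_COLUMNS:
                row[col] = mask_identifier(val)
            elif SSN_RE.search(val) or SSN_BARE_RE.search(val):
                violations.append((row["employee_id"], col))
                redacted = SSN_RE.sub("[REDACTED-SSN]", val)
                row[col] = SSN_BARE_RE.sub("[REDACTED-SSN]", redacted)
        writer.writerow(row)
    return out.getvalue(), violations


def demo():
    """Run the filter over the constructed sample."""
    return export_masked(SAMPLE_CSV)


if __name__ == "__main__":
    text, violations = demo()
    print(text)
    for emp, col in violations:
        print(f"policy violation: employee {emp} had an SSN in column '{col}'")
```

On the sample, both `ssn` values come out as `***-**-6789` and `***-**-4321`, `X1234567` becomes `******67`, and the second row's notes field is reported as a violation and rewritten to `SSN [REDACTED-SSN] confirmed by HR`. The point worth taking from the design is the second half: masking the known columns is the easy part, and the leak that actually happens is the identifier pasted into a comment or notes field, so the filter has to scan every column it does not explicitly mask.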

 

Chief AI Officer now a thing 

 

This article is dated; however, it came up this week on a news podcast I was listening to, about how we will start seeing a new "chief" known as the CAIO

  • What stood out to me in this article is this statement: "A typical candidate is someone who has a proven track record of leading successful AI programs." One could argue that AI is still considered bleeding edge and still being developed, so how has anyone shown a "proven track record"?
  • I know this is not technically a security concern, but it is a conversation I continue to have more and more with clients and others about AI and how it is affecting businesses

Link (1): https://www.cio.com/article/657977/chief-ai-officer-what-it-takes-to-land-the-c-suites-hottest-new-job.html 

 

Three million malware-infected smart toothbrushes used in Swiss DDoS attacks  

 

The "who" and "how" have not been released, but the fact that we have IoT-based toothbrushes (thanks, Philips Sonicare) is amusing nonetheless

  • These types of devices, combined with attacks like this, show that we need to continue evaluating the risk versus the reward of building items like toothbrushes, toasters, and washing machines to be connected to the internet
  • Updated comment from Fortinet: "To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred." The original author claims that is not the case

Link (1): https://www.tomshardware.com/networking/three-million-malware-infected-smart-toothbrushes-used-in-swiss-ddos-attacks-botnet-causes-millions-of-euros-in-damages 

Link (2): https://www.msn.com/en-us/news/technology/the-mysterious-case-of-the-3-million-toothbrushes-ddos-attack-was-original-report-a-hypothetical-scenario-that-never-happened-or-is-the-truth-elsewhere/ar-BB1i2Qsm 

 

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 

 

About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes strategies to reduce risk with existing or modern technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been part of multiple groups within the IT field, spanning Telecom, Network, Wireless, and Infrastructure, and eventually found his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry, working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program.

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. He lives in Dallas, Texas with his wife and children. 


About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S. We are a trusted cyber security company in Plano, TX.

