
This Week in Cybersecurity News – 3/4/24 – Hacked Buffet Edition


By Nathan Burke

Breaches and hacks

Golden Corral Data Breach Impacts 180,000 Employees

By Ionut Arghire – SecurityWeek

Restaurant chain Golden Corral says personal information was compromised in an August 2023 data breach.

US restaurant chain Golden Corral is informing roughly 180,000 individuals that their personal information was stolen in a data breach.

The incident, the company says, was identified on August 15, 2023, and led to the disruption of certain corporate operations.

The investigation that ensued determined that a threat actor accessed certain systems and “acquired certain data relating to current and former employees and beneficiaries between August 11, 2023 until August 15, 2023”.

Recently concluded, the review of the compromised data determined that it includes names, Social Security numbers, driver’s license numbers, financial account information, medical information, health insurance information, and credentials.

“After determining the scope of information in the potentially impacted files, Golden Corral undertook efforts to locate address information for the affected individuals. That review process completed on January 26, 2024. Golden Corral then put resources in place to assist and provide direct notice,” the company says.

See Also: BleepingComputer

Phishing

Hackers target FCC, crypto firms in advanced Okta phishing attacks

By Bill Toulas – BleepingComputer

A new phishing kit named CryptoChameleon is being used to target Federal Communications Commission (FCC) employees, using specially crafted single sign-on (SSO) pages for Okta that appear remarkably similar to the originals.

The same campaign also targets users and employees of cryptocurrency platforms, such as Binance, Coinbase, Kraken, and Gemini, using phishing pages that impersonate Okta, Gmail, iCloud, Outlook, Twitter, Yahoo, and AOL.

The attackers orchestrate a complex phishing and social engineering attack consisting of email, SMS, and voice phishing to deceive victims into entering sensitive information on the phishing pages, such as their usernames, passwords, and, in some cases, even photo IDs.

The phishing operation discovered by researchers at Lookout resembles the 2022 Oktapus campaign conducted by the Scattered Spider hacking group, but there is not enough evidence for a confident attribution.


Need to Know: Key Takeaways from the Latest Phishing Attacks

By Blink Ops (Sponsored Post) – BleepingComputer

These days, cyber threat actors continue to rely just as much on psychological manipulation in the form of convincing phishing emails as they do on technical hacks to infiltrate networks.

This article takes a look at some lessons from recent phishing attacks and highlights actionable tips to limit the risks of phishing affecting your company.

Malware and vulnerabilities

CISA warns of Microsoft Streaming bug exploited in malware attacks

By Sergiu Gatlan – BleepingComputer

CISA ordered U.S. Federal Civilian Executive Branch (FCEB) agencies to secure their Windows systems against a high-severity vulnerability in the Microsoft Streaming Service (MSKSSRV.SYS) that’s actively exploited in attacks.

The security flaw (tracked as CVE-2023-29360) is due to an untrusted pointer dereference weakness that enables local attackers to gain SYSTEM privileges in low-complexity attacks that don’t require user interaction.

CVE-2023-29360 was found by Synacktiv’s Thomas Imbert in the Microsoft Streaming Service Proxy (MSKSSRV.SYS) and reported to Microsoft through Trend Micro’s Zero Day Initiative. Redmond patched the bug during the June 2023 Patch Tuesday, with proof-of-concept exploit code dropping on GitHub three months later, on September 24.

The U.S. cybersecurity agency did not provide details regarding ongoing attacks, but it did confirm that no evidence was found that this vulnerability was used in ransomware attacks.

Ransomware

Phobos Ransomware Aggressively Targeting U.S. Critical Infrastructure

The Hacker News

U.S. cybersecurity and intelligence agencies have warned of Phobos ransomware attacks targeting government and critical infrastructure entities, outlining the various tactics and techniques the threat actors have adopted to deploy the file-encrypting malware.

“Structured as a ransomware as a service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars,” the government said.

The advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Active since May 2019, multiple variants of Phobos ransomware have been identified to date, namely Eking, Eight, Elbie, Devos, Faust, and Backmydata. Late last year, Cisco Talos revealed that the threat actors behind the 8Base ransomware are leveraging a Phobos ransomware variant to conduct their financially motivated attacks.


Rhysida ransomware wants $3.6 million for children’s stolen data

By Bill Toulas – BleepingComputer

The Rhysida ransomware gang has claimed the cyberattack on Lurie Children’s Hospital in Chicago at the start of the month.

Lurie is a leading pediatric acute care institution in the U.S. that provides care to over 200,000 children annually.

The cyberattack forced the healthcare provider to take its IT systems offline and postpone medical care in some cases.

Email, phone, access to MyChart, and on-premises internet were all impacted.

Ultrasound and CT scan results were rendered unavailable, patient service prioritization systems were taken down, and doctors were forced to switch to pen and paper for prescriptions.

Today, the Rhysida ransomware gang has listed Lurie Children’s on its extortion portal on the dark web, claiming to have stolen 600 GB of data from the hospital.

Rhysida ransomware now offers to sell the stolen data for 60 BTC ($3,700,000) to a single buyer.


The Week in Ransomware – March 1st 2024 – Healthcare under siege

By Lawrence Abrams – BleepingComputer

Ransomware attacks on healthcare over the last few months have been relentless, with numerous ransomware operations targeting hospitals and medical services, causing disruption to patient care and access to prescription drugs in the USA.

The most impactful attack of 2024 so far is the attack on UnitedHealth Group’s subsidiary Change Healthcare, which has had significant consequences for the US healthcare system. This attack was later linked to the BlackCat ransomware operation, with UnitedHealth also confirming the group was behind the attack.

The attack has caused significant disruptions in Change Healthcare’s services, significantly impacting pharmacies that cannot bill customers picking up prescription medicines.

This disruption has trickled down to patients, who, in some cases, are forced to pay full price for their medications until the issue is resolved. However, some medicines can cost thousands of dollars, making it difficult for many to afford the payments.

See Also: Tripwire


LockBit ransomware returns to attacks with new encryptors, servers

By Lawrence Abrams – BleepingComputer

The LockBit ransomware gang is once again conducting attacks, using updated encryptors with ransom notes linking to new servers after last week’s law enforcement disruption.

Last week, the NCA, FBI, and Europol conducted a coordinated disruption called ‘Operation Cronos’ against the LockBit ransomware operation.

As part of this operation, law enforcement seized infrastructure, retrieved decryptors, and, in an embarrassing moment for LockBit, converted the ransomware gang’s data leak site into a police press portal.


Notorious ransomware group claims responsibility for attacks roiling US pharmacies

By AJ Vicens – CyberScoop

The group known as ALPHV said it was behind an attack that has disrupted a service used by healthcare providers to process payments.

A notorious ransomware and extortion group tied to dozens of cyberattacks against health care entities claimed responsibility Wednesday for an ongoing attack that’s disrupting payment processing at pharmacies and other care-related entities across the country.

ALPHV, also known as BlackCat, first claimed responsibility to DataBreaches.net on Tuesday for the attack on Change Healthcare, a subsidiary of UnitedHealth Group. On Wednesday, ALPHV — perhaps best known for its role in last year’s breaches of Las Vegas casinos — posted a statement to its website that accused UnitedHealth Group of lying about the group behind the attack and the scope of affected parties.

Reuters, citing sources familiar with the investigation, reported Monday that the group was involved.

UnitedHealth Group did not immediately respond to a request for comment.

MITRE, NIST, and other cyber frameworks

Updated NIST cybersecurity framework adds core function, focuses on supply chain risk management

By Caroline Nihill – FedScoop

10 years after the agency’s first cybersecurity framework, version 2.0 includes “govern” as a core function to set the tone for implementation and oversight of cyber strategies.

A decade after releasing its landmark national cybersecurity framework, the National Institute of Standards and Technology on Monday released version 2.0, an updated document that emphasizes governance and supply chain issues for both public and private sector entities.

The new guidance, which outlines “high-level cybersecurity outcomes that can be used by any organization … to better understand, assess, prioritize and communicate its cybersecurity efforts,” adds a sixth core function — “govern” — to the previously stated pillars: “identify,” “protect,” “detect,” “respond,” and “recover.”

“Govern” focuses on how an organization’s “cybersecurity risk management strategy, expectations and policy are established, communicated and monitored,” the framework stated, and is intended to address the implementation and oversight of a cybersecurity strategy.


NIST Cybersecurity Framework 2.0: 4 Steps to Get Started

By Robert Lemos – DarkReading

The National Institute of Standards and Technology (NIST) has revised the book on creating a comprehensive cybersecurity program that aims to help organizations of every size be more secure. Here’s where to start putting the changes into action.

The US National Institute of Standards and Technology (NIST) has released the latest draft of its well-regarded Cybersecurity Framework (CSF) this week, leaving companies to mull how a few significant changes to the document affect their cybersecurity programs.

Between the new “Govern” function to incorporate greater executive and board oversight of cybersecurity, and the expansion of the best practices beyond just those for critical industries, cybersecurity teams will have their work cut out for them, says Richard Caralli, senior cybersecurity adviser at Axio, an IT and operational technology (OT) threat management firm.


CISO Corner: Operationalizing NIST CSF 2.0; AI Models Run Amok

By Tara Seals – DarkReading

Dark Reading’s roundup of strategic cyber-operations insights for chief information security officers and security leaders. Also this week: SEC enforcement actions, biometrics regulation, and painful encryption changes in the pike.

Welcome to CISO Corner, Dark Reading’s weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we’ll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We’re committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

In this issue:

  • NIST Cybersecurity Framework 2.0: 4 Steps to Get Started
  • Apple, Signal Debut Quantum-Resistant Encryption, but Challenges Loom
  • It’s 10 p.m. Do You Know Where Your AI Models Are Tonight?
  • Orgs Face Major SEC Penalties for Failing to Disclose Breaches
  • Biometrics Regulation Heats Up, Portending Compliance Headaches
  • DR Global: ‘Illusive’ Iranian Hacking Group Ensnares Israeli, UAE Aerospace and Defense Firms
  • MITRE Rolls Out 4 Brand-New CWEs for Microprocessor Security Bugs
  • Converging State Privacy Laws & the Emerging AI Challenge

New techniques

Echoes of SolarWinds in New ‘Silver SAML’ Attack Technique

By Jai Vijayan – DarkReading

A successor to the “Golden SAML” tactic used in the SolarWinds campaign, this new technique taps SAML response forgery to gain illegitimate access to apps and services.

After the threat actor behind the SolarWinds attack compromised the company’s Orion network management product and leveraged it to break into target enterprise networks, the group often used a technique dubbed “Golden SAML” to maintain persistent access to different applications and services in that environment.

The technique involved stealing the victim organization’s Active Directory Federation Services (ADFS) token-signing certificate and using it to forge SAML response tokens. The tokens allowed the threat actor to authenticate — without a password or two-factor authentication — to any federated service they wanted on the victim’s network with self-assigned administrator and super-admin privileges.
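Because a Golden SAML or Silver SAML response carries a valid signature, the service provider cannot tell it apart from a real one by checking the signature alone. The forged assertion does, however, leave a gap in the record: the identity provider never logged issuing it, and forged tokens tend to carry self-assigned subjects and long validity windows. The following added example (written for this post, not taken from the DarkReading article or any vendor tool) correlates a constructed IdP issuance log against a constructed service-provider acceptance log and flags assertions that were accepted but never issued, or whose lifetime exceeds policy. Both logs, their field names and the one-hour lifetime policy are assumptions; real AD FS audit events and application sign-in logs carry this information under other names and need parsing first.

```python
"""Flag SAML assertions a service provider accepted but the IdP never issued.

Added example: both logs below are constructed and simplified. Field names
(assertion_id, subject, audience, not_before, not_on_or_after) are assumed,
not taken from any real product's log schema.
"""
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed IdP audit trail: one record per assertion the federation
# service actually signed.
IDP_ISSUED = [
    {"assertion_id": "_a1", "subject": "alice@corp.test",
     "audience": "https://mail.corp.test", "issued": "2024-03-01T09:00:00Z"},
    {"assertion_id": "_a2", "subject": "bob@corp.test",
     "audience": "https://mail.corp.test", "issued": "2024-03-01T09:05:00Z"},
]

# Constructed service-provider log: every assertion the application
# validated and accepted. The last two entries model forgeries whose
# signatures verify because the attacker holds the token-signing key.
SP_ACCEPTED = [
    {"assertion_id": "_a1", "subject": "alice@corp.test",
     "audience": "https://mail.corp.test",
     "not_before": "2024-03-01T09:00:00Z", "not_on_or_after": "2024-03-01T09:05:00Z"},
    {"assertion_id": "_a2", "subject": "bob@corp.test",
     "audience": "https://mail.corp.test",
     "not_before": "2024-03-01T09:05:00Z", "not_on_or_after": "2024-03-01T09:10:00Z"},
    # Golden SAML style: never issued by the IdP, self-assigned admin
    # subject, day-long validity window.
    {"assertion_id": "_zz9", "subject": "admin@corp.test",
     "audience": "https://mail.corp.test",
     "not_before": "2024-03-01T10:00:00Z", "not_on_or_after": "2024-03-02T10:00:00Z"},
    # Reuses a genuine assertion ID but carries a different subject.
    {"assertion_id": "_a2", "subject": "admin@corp.test",
     "audience": "https://mail.corp.test",
     "not_before": "2024-03-01T09:05:00Z", "not_on_or_after": "2024-03-01T09:10:00Z"},
]


def parse_ts(value):
    """Parse the UTC timestamps used in the constructed logs."""
    return datetime.strptime(value, TS_FORMAT)


def find_unissued_assertions(idp_issued, sp_accepted, max_lifetime=timedelta(hours=1)):
    """Return one finding per accepted assertion that has no consistent
    IdP issuance record, or whose validity window exceeds max_lifetime."""
    issued_by_id = {e["assertion_id"]: e for e in idp_issued}
    findings = []
    for accepted in sp_accepted:
        reasons = []
        issued = issued_by_id.get(accepted["assertion_id"])
        if issued is None:
            reasons.append("no IdP issuance event for this assertion ID")
        elif (issued["subject"], issued["audience"]) != (accepted["subject"], accepted["audience"]):
            reasons.append("subject or audience differs from the IdP record")
        lifetime = parse_ts(accepted["not_on_or_after"]) - parse_ts(accepted["not_before"])
        if lifetime > max_lifetime:
            reasons.append(f"validity window {lifetime} exceeds policy {max_lifetime}")
        if reasons:
            findings.append({"assertion_id": accepted["assertion_id"],
                             "subject": accepted["subject"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_unissued_assertions(IDP_ISSUED, SP_ACCEPTED):
        print(finding["assertion_id"], finding["subject"], "; ".join(finding["reasons"]))
```

The check only works if the IdP log is trustworthy and complete, which is exactly what an attacker with the token-signing key may also be in a position to tamper with; ship the IdP audit events to a collector the federation server cannot write to, and treat any accepted assertion with no issuance record as an incident rather than a logging gap.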


‘Savvy Seahorse’ Hackers Debut Novel DNS CNAME Trick

By Nate Nelson – DarkReading

Petty scammers have figured out how to leverage a core function of DNS in order to maintain scalable, stealthy, pliable malicious infrastructure.

A newly discovered threat actor is running an investment scam through a cleverly designed traffic distribution system (TDS), which takes advantage of the Domain Name System (DNS) to keep its malicious domains ever-changing and resistant to takedowns.

“Savvy Seahorse” impersonates major brand names like Meta and Tesla — and, through Facebook ads in nine languages, lures victims into creating accounts on a fake investing platform. Once victims fund their accounts, the money is funneled to a presumably attacker-controlled account at a Russian state-owned bank.

It’s a common sort of scam. According to the Federal Trade Commission (FTC), US consumers reported losing 4.6 billion dollars to investment scams in 2023 alone. That’s nearly half of the $10 billion reported to have been lost to all forms of scams, making it the most profitable kind out there.

So what separates Savvy Seahorse from the pack is not the character of its ruse but, rather, the infrastructure supporting it.

As outlined in a new report from Infoblox, it operates a TDS with thousands of varied and fluid domains. What keeps the whole system together is a Canonical Name (CNAME) record, an otherwise bland property of DNS which it uses to ensure that, like the ship of Theseus, its TDS can continuously create new and shed old domains without really changing anything at all about the campaign itself.
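The CNAME trick is also what makes the infrastructure visible to a defender: however many lure domains the operator registers and discards, each one aliases back to the same operator-controlled name. The following added example (written for this post, not taken from the Infoblox report or the DarkReading article) follows CNAME chains in a constructed passive-DNS snapshot and groups names by the terminal of their chain, reporting any terminal that collects lure domains from several unrelated registrable domains. The records, domain names and threshold are constructed; the registrable-domain split is a simplification that a real implementation would replace with the Public Suffix List.

```python
"""Cluster observed hostnames by the terminal of their CNAME chain.

Added example: the passive-DNS snapshot below is constructed and the
domain names are placeholders, not indicators from the Infoblox report.
"""
from collections import defaultdict

# Constructed passive-DNS observations: hostname -> CNAME target.
# Names absent from the map have no CNAME and terminate a chain.
CNAME_RECORDS = {
    "invest-meta.example-lure1.test": "track.tds-core.test",
    "tesla-profit.example-lure2.test": "track.tds-core.test",
    "quick-gains.example-lure3.test": "edge.tds-core.test",
    "edge.tds-core.test": "track.tds-core.test",        # intermediate hop
    "www.legit-shop.test": "shop.cdnprovider.test",     # ordinary CDN alias
    "blog.another-site.test": "blog.another-site.test", # malformed self-loop
}
MAX_CHAIN = 8  # resolvers also cap CNAME chains; stop well before that


def resolve_chain(name, records, max_hops=MAX_CHAIN):
    """Return the CNAME chain starting at name, ending at the first name
    with no CNAME. Stops on loops or when max_hops is exceeded."""
    chain = [name]
    while chain[-1] in records and len(chain) <= max_hops:
        nxt = records[chain[-1]]
        if nxt in chain:  # CNAME loop: stop instead of spinning
            break
        chain.append(nxt)
    return chain


def registrable(name):
    """Simplified registrable domain: last two labels. A real
    implementation uses the Public Suffix List instead."""
    return ".".join(name.split(".")[-2:])


def cluster_by_cname_terminal(records, min_domains=3):
    """Group every CNAME-bearing hostname under the terminal of its chain
    and return the terminals fed by at least min_domains distinct
    registrable domains, which is the fingerprint of a CNAME-based TDS."""
    by_terminal = defaultdict(set)
    for name in records:
        chain = resolve_chain(name, records)
        if len(chain) < 2:  # no usable CNAME (loop or absent)
            continue
        by_terminal[chain[-1]].add(registrable(name))
    return {terminal: sorted(domains)
            for terminal, domains in by_terminal.items()
            if len(domains) >= min_domains}


if __name__ == "__main__":
    for terminal, domains in cluster_by_cname_terminal(CNAME_RECORDS).items():
        print(f"{terminal} <- {len(domains)} registrable domains: {', '.join(domains)}")
```

Run against real passive-DNS data, the same grouping needs an allow-list for CDNs and SaaS providers, since a terminal such as a CDN edge name will legitimately collect thousands of unrelated customer domains; the signal is a terminal that is not a known service provider yet still aggregates many short-lived lure domains.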

US government cybersecurity news

DOE announces $45 million investment for cybersecurity research

By Christian Vasquez – CyberScoop

The funding goes to 16 projects aimed at developing advanced tools to protect the energy sector.

The Department of Energy on Monday announced a $45 million investment into cybersecurity research for the energy sector, including projects on artificial intelligence detection and response and quantum communication for the grid.

DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) will fund 16 projects with organizations headquartered in six states, covering six topics that are largely aimed at reducing cyber risks and improving the resilience of the electricity, oil, and natural gas sectors.

“DOE is committed to strengthening the nation’s energy sector, including protecting it against current or emerging cyber threats that would threaten Americans’ access to secure, reliable energy,” Energy Secretary Jennifer Granholm said in a statement. “With today’s announcement, the Biden-Harris administration is helping teams across the country develop innovative next-generation cybersecurity solutions for tackling modern-day challenges.”

The investments come shortly after the nation’s top security officials sounded the alarm on Volt Typhoon, a China-linked hacking group that has targeted critical infrastructure in ways that signify destructive or disruptive intent.

Featured podcast

Malicious Life – Kevin Mitnick Part 2

The second in a two-part series sharing the story of someone called the greatest social engineering master of all time.
