Cybersecurity stories in the news with a post-RSA flavor.
RSAC 2024 Recaps
Last week was RSA Conference in San Francisco, and you’ll find several good recaps:
- The Future of AI and Finding Delight at RSA Conference 2024
- Day 1 Recap: Impactful Opening Keynotes, RSAC Innovation Sandbox Contest Winner, and More
- Day 2 Recap: Keynote Highlights, Launch Pad, Cryptographer’s Panel, and More Geopolitics
- Day 3 Recap: Keynote Highlights, Ted Lasso, the Four Horsemen of Cyber, the Russo-Ukrainian War, and More
- Day 4 Recap: Closing Celebration with Alicia Keys, RSAC College Day, and What’s Ahead for 2025
RSAC Innovation Sandbox Winner: Reality Defender
I cannot read the company name without the “Men in Black” theme song playing in my head. Reality Defender – a company using AI to detect AI fakes won the 2024 RSAC Innovation Sandbox. You can see their 3-minute pitch here.
Breaches and Attacks in the News
Dell warns of data breach, 49 million customers allegedly affected
By Lawrence Abrams – BleepingComputer
Dell is warning customers of a data breach after a threat actor claimed to have stolen information for approximately 49 million customers. The computer maker began emailing data breach notifications to customers yesterday, stating that a Dell portal containing customer information related to purchases was breached.
Update: Dell API abused to steal 49 million customer records in data breach
Boeing confirms attempted $200 million ransomware extortion attempt
By AJ Vicens – Cyberscoop
The cybercriminals who targeted Boeing using the LockBit ransomware platform in October 2023 demanded a $200 million extortion payment, the company said Wednesday. Boeing confirmed to CyberScoop that it is the unnamed multinational aeronautical and defense corporation referenced in an indictment unsealed Tuesday by the U.S. Department of Justice. The indictment, which identified Dmitry Yuryevich Khoroshev as the main administrator and developer behind the LockBit ransomware operation, was part of a sweeping international array of actions against the Russian national that included sanctions in the U.S., the U.K. and Australia.
See also: Boeing refused to pay $200 million ransomware demand from LockBit gang
FBCS Collection Agency Data Breach Impacts 2.7 Million
By Ionut Arghire – SecurityWeek
Debt collection agency Financial Business and Consumer Solutions (FBCS) now says that the personal information of roughly 2.7 million individuals was compromised in a recently disclosed data breach. In a May 10 update to a filing with the Maine Attorney General’s Office, FBCS revealed that it has identified an additional 724,000 affected individuals, increasing the initial impact estimation to 2,679,555 people. As part of the incident, a third-party had unauthorized access to certain systems between February 14 and February 26, 2024, the company explains in a notification letter to the impacted individuals.
Ascension Healthcare Suffers Major Cyberattack
By Nathan Eddy – DarkReading
Healthcare provider Ascension, which operates 140 hospitals across 19 states, fell victim to a cyberattack that took down multiple essential systems including electronic health records (EHRs), the MyChart platform for patient communication, and certain medication and test-ordering systems. The organization disclosed the attack on May 8 and said it is actively investigating it with internal and external advisers, prioritizing patient safety amid the disruption. According to a report in the Detroit Free Press, employees became aware of computer network issues on May 7, which prompted a shutdown of the entire system.
See also: Major health care system hobbled by ‘cyber incident’ and Cybersecurity incident impacts operations at Ascension hospitals
City of Wichita breach claimed by LockBit ransomware gang
By Bill Toulas – BleepingComputer
The LockBit ransomware gang has claimed responsibility for a disruptive cyberattack on the City of Wichita, which has forced the City’s authorities to shut down IT systems used for online bill payment, including court fines, water bills, and public transportation. Wichita, Kansas, is the largest city in the state, with a population of nearly 400,000. It serves as a major cultural, economic, and transportation hub in the region and is home to several aircraft factories. Last Sunday, May 5, 2024, the City’s authorities announced they were facing a disruptive cyberattack after ransomware encrypted portions of its network. To contain the damage and stop the spread of the attack, the City’s IT specialists shut down computers used in online services.
Ohio Lottery ransomware attack impacts over 538,000 individuals
By Sergiu Gatalan – BleepingComputer
The Ohio Lottery is sending data breach notification letters to over 538,000 individuals affected by a cyberattack that hit the organization’s systems on Christmas Eve. A filing with the Office of Maine’s Attorney General revealed that the incident impacted 538,959 individuals. The attackers gained access to the affected people’s names, Social Security numbers, and other personal identifiers. While the Ohio Lottery didn’t reveal the nature of the incident, which affected mobile and prize-cashing operations, the DragonForce ransomware gang claimed the attack days later. DragonForce says the 94 GB of leaked data contains only 1.500.000 records with Ohio Lottery clients’ names, Social Security numbers, and dates of birth. While DragonForce ransomware is a relatively new operation that exposed its first victim in December 2023, the tactics, negotiation style, and data leak site suggest an experienced extortion group.
See also: 500,000 Impacted by Ohio Lottery Ransomware Attack
Surveys and Research
Two appointment-TV-style reports dropped in May: the Verizon Data Breach Investigations Report (DBIR) and the Mandiant M-Trends Special Report. A few of the highlights are below.
2024 Verizon Data Breach Investigations Report
- Vulnerabilities are showing – 14% of breaches involved the exploitation of vulnerabilities as an initial access step, almost triple the amount from last year’s report, and exploitation of vulnerabilities as an initial access step for a breach grew by 180%— almost triple that of last year— fueled in part by the MOVEit vulnerability and several other zero-day exploits used by ransomware actors.
- Defenders struggle to remediate quickly – It can take around 55 days for organizations to remediate 50% of critical vulnerabilities after their patches are available— a dangerous lag.
- More training is needed – 68% of all breaches involved a non-malicious human element, caused by a person who either fell victim to a Social Engineering attack or made some type of Error.
Mandiant’s M-Trends 2024 Special Report
In its 15th year, Mandiant’s report on the evolving cyber threat landscape, with data drawn directly from frontline incident response investigations and threat intelligence findings of high-impact attacks and remediations around the globe. This year’s highlights include:
- Shorter dwell times are likely driven by a larger proportion of ransomware incidents globally in 2023 (23%) versus 2022 (18%). The median dwell time for these ransomware cases dropped to 5 days compared to 9 days in the previous report.
- In 2023, Mandiant experts once again saw exploits used as the most prevalent adversary initial infection vector. In intrusions where the initial intrusion vector was identified, 38% of intrusions started with an exploit. This is a six percentage point increase from 2022 […]
- Phishing remained the second most common intrusion vector. However it declined in 2023, with 17% of intrusions, compared to 22% in 2022.”
A good analysis of the Mandiant report can be found on Anton on Security.
Industry-Specific Cybersecurity News
FBI warns of gift card fraud ring targeting retail companies
By Sergiu Gatlan – BleepingComputer
The FBI warned retail companies in the United States that a financially motivated hacking group has been targeting employees in their gift card departments in phishing attacks since at least January 2024. Tracked as Storm-0539, this hacking group targets the personal and work mobile devices of retail department staff using a sophisticated phishing kit that enables them to bypass multi-factor authentication. Upon infiltrating an employee’s account, the attackers move laterally through the network, trying to identify the gift card business process and pivoting towards compromised accounts linked to this specific portfolio. In addition to stealing the login credentials of gift card department personnel, their efforts extend to acquiring secure shell (SSH) passwords and keys. Together with stolen employee information such as names, usernames, and phone numbers, these could be sold for financial gain or exploited by Storm-0539 in future attacks.
Black Basta Ransomware Hit Over 500 Organizations: The US government warns of Black Basta ransomware attacks targeting critical infrastructure organizations.
By Ionut Arghire – SecurityWeek
The Black Basta ransomware group has hit more than 500 organizations globally, including critical infrastructure entities in North America, Europe, and Australia, the US government warns. First identified in April 2022, Black Basta has been operating under the ransomware-as-a-service (RaaS) business model, where affiliates conduct cyberattacks, deploy malware against victim organizations, and collect a percentage of the ransom payment. In a November 2023 report, blockchain analytics firm Elliptic estimated that Black Basta affiliates had received over $100 million in ransom payments from at least 90 victim organizations. According to a new alert from CISA, the FBI, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), Black Basta affiliates have conducted attacks against 12 out of 16 critical infrastructure sectors, including healthcare organizations.
Investigative Cybersecurity Reporting
How Did Authorities Identify the Alleged Lockbit Boss?
By Brian Krebs – Krebs on Security
Last week, the United States joined the U.K. and Australia in sanctioning and charging a Russian man named Dmitry Yuryevich Khoroshev as the leader of the infamous LockBit ransomware group. LockBit’s leader “LockBitSupp” claims the feds named the wrong guy, saying the charges don’t explain how they connected him to Khoroshev. This post examines the activities of Khoroshev’s many alter egos on the cybercrime forums, and tracks the career of a gifted malware author who has written and sold malicious code for the past 14 years.
Cybersecurity Podcasts
Dark Reading ‘Drops’ Its First Podcast
By Kelly Jackson Higgins – DarkReading
Dark Reading has launched its first-ever podcast: Dark Reading Confidential, a new monthly podcast hosted by Dark Reading senior editor Becky Bracken, and featuring Jim Donahue, managing editor of commentary and copy desk, and Kelly Jackson Higgins. Episode 1, “The CISO and the SEC,” features Reddit CISO Fredrick “Flee” Lee, a member of the Dark Reading CISO Advisory Board; Reddit chief counsel Ben Lee; and Beth Burgin Waller, a cybersecurity attorney. The episode dives into the uncertainty CISOs face with the new SEC breach disclosure rules, and guests explain what it means for the role of the CISO and share their expertise and advice to CISOs in this new regulatory realm. Listen to Dark Reading Confidential here on Dark Reading or on major platforms: Apple Podcasts, Spotify, Amazon Music and Audible, Pocket Casts, and Deezer.