Security News – March 2023

Read our roundup of cybersecurity news from March 2023. Each month, we’ll bring you security cases and interesting insights to help you stay secure. 

Politics 

The U.S. government released the National Cyber Strategy. The strategy enforces mandatory regulation for critical infrastructure vendors and gives the green light for a more aggressive “hack-back” approach when dealing with foreign adversaries and ransomware attackers. Organizations that failed to implement preventive measures to secure their software will be held responsible. The strategy is divided into five main pillars:

  1. Critical Infrastructure Defense
  2. Disruption and elimination of threat actors
  3. Formulating market power to enhance security and resilience
  4. Investing in a resilient future
  5. Building international partnerships to achieve common goals

The newly classified cyber espionage APT group Kimsuky (APT43) is using aggressive tactics for social engineering. It appears that this group is most considerate of dictator Kim Jong Un’s personal and geopolitical goals. In addition to espionage activities, they also focus on stealing cryptocurrencies, which are used by the North Korean regime to evade sanctions.

Investigations and research

The U.S. Marshals Service is investigating the intrusion into their systems, theft of data and its encrypting. The stolen data also contained employee personal information and sensitive law enforcement information (court proceedings, subjects under investigation).

The Dutch police arrested three individuals responsible for stealing personal information belonging to tens of millions of people. The stolen data included names, birth dates, bank account numbers, credit card numbers, and social security numbers. They demanded a ransom at first, however, regardless of payment, they proceeded to sell the data on the darknet.

Centric Health was fined €460,000 for a ransomware attack that happened in 2019. The attack affected 70,000 patients, of which 2,500 lost their data irretrievably (without being able to restore them from backup). Even though the regulator took steps to address the situation, some of his actions just worsened the situation – for example, the deletion of information from the hard drive before it was analyzed by experts.

Researchers found a vulnerability in the OAuth implementation at Booking.com. The vulnerability allowed taking over any account that used Facebook for logging in, gaining access to the users’​ personal information or payment card details.

The electric vehicles charging infrastructure is highly vulnerable to cyber-attacks. Researchers found two vulnerabilities in the OCPP protocol that allow the service denial and theft of sensitive information. Each charging station examined by Idaho National Laboratory contained significant cybersecurity vulnerabilities, such as an obfuscated OS and many services with root privileges.

Instead of getting a court order, the FBI opted for a controversial tactic – they bought American (US) location data. The data was purchased from companies collecting it for advertising purposes.

Project Zero (Google) uncovered 18 zero-day vulnerabilities in Samsung Exynos chipsets designed for mobile devices, wearables and cars. The only thing attackers need to know to compromise a device is the victim’s phone number. The manufacturers have already made updates, however, it may still take a while before they reach the end users. To reduce potential attacks, it is recommended to disable Wi-Fi calling and Voice-over-LTE (VoLTE).

The FBI published the Internet Crime Report 2022. It shows that during the last year, ransomware gangs were successful in at least 860 cases of critical infrastructure attacks. The report indicates that most of the successful attacks were directed at the healthcare providers and critical manufacturing sectors.

ChipMixer, a cryptocurrency mixer, was shut down by an international police operation. The service was used by hackers, ransomware gangs and scammers who were trying to “launder” cryptocurrencies. They seized 7TB of data and over $46 million dollars.

Jelly Bean settled the US lawsuit for nearly $300,000. The dispute relates to one of the largest healthcare data breaches reported in 2021 (Healthy Kids Corp.). The fine was imposed for failing to comply with HIPAA regulations, as well as knowing violations of standard maintenance processes.This resulted in exploiting multiple vulnerabilities in the attack.

Following a ransomware attack, US company Blackbaud was fined $3 million for misleading information they provided. Even though the company discovered that the scope of the attack was larger than originally reported, they didn’​t revise their original statement. 

Attacks

A hospital in Barcelona was the target of a cyber-attack. All non-emergency operations were canceled and 3,000 patients had to be rescheduled. The Ransom House group was behind the attack. As a result, the hospital had to switch to paper-based documentation.

The University Hospital in Brussels fell victim to a cyber-attack. As a result, they had to disconnect all servers. The hospital director appreciated the well-developed contingency plan against the attacks, which relatively quickly helped to restore all of the hospital operations.

The California state agency HACLA, that is providing affordable housing for low-income groups, fell victim to a ransomware attack. The attackers (LockBit) gained access to a large volume of personal information (name, social security number, passport numbers, driver’s license numbers,…). They later posted the stolen data on the Internet.

The attackers are using infected versions of Telegram and WhatsApp to steal funds from or gain access to crypto wallets (via a so-called seed). Eset researchers found that they are using Google Ads to do so. After clicking on an ad link, the user is redirected to a page with the infected apps.

Emotet distributes itself using a Microsoft OneNote email attachment in order to avoid detection. This way they overcome Microsoft’s security, that is blocking the macros from running in Word and Excel.

The NBA Sports Association is warning their fans that some of their personal information may have been stolen. This happened after the data was stolen from their newsletter vendor. Fans were also warned about possible phishing campaigns. 

Security researchers are the target of a new malware campaign that is offering jobs through LinkedIn. Once again, North Korea (UNC2970 group) is suspected for being behind this campaign.

Other

Software and hardware manufacturers should be responsible for the lack of security of their products, not the users. The US is expected to publish a strategy that regulates manufacturers’ security choices. Increasing demands for government suppliers is the second option.

GitHub made sensitive information searchable in its repositories. The service is available to all of the users with admin/owner rights. This move makes it possible to trace forgotten API keys, account passwords, authentication tokens, and other sensitive data that could enable attackers to access the sensitive information.

GitHub has begun requiring mandatory two-factor authentication from developers using the plaform. This move is expected to help improve the security of more than 100 million users. They started with a small group of users but the goal is to cover all users by the end of the year.

The U.S. Environmental Protection Agency has changed the interpretation of a 1974 law in order to improve the safety of critical infrastructure supplying drinking water. Now, audits will include the impact of cyber incidents on drinking water supplies.

The US agency CISA is launching a proactive program designed to identify vulnerabilities in government agencies that can be exploited by ransomware criminals. In order to penetrate the systems, attackers often exploit existing and well-known vulnerabilities.

Nord Security has published the source for its Linux version of the NordVPN client. With this move, the company hopes to increase users’ trust in protecting their security and privacy. At the same time, the open source community can help improve the existing source code.

ChatGPT users are unaware that the data they enter is used for system training and improvement. There is a possibility that the data employees enter into ChatGPT will contain sensitive information about their companies. Attackers who mimic the ChatGPT interface and thus gain direct access to sensitive information pose another threat.

A Pwn2Own competition, aimed at identifying unknown security vulnerabilities, was held. For finding 27 unknown vulnerabilities, the participants won over a million dollars and a Tesla Model 3. The security experts’ targets were Windows 11, Microsoft Teams, Microsoft SharePoint, macOS, Ubuntu Desktop, VMware Workstation, Oracle VirtualBox and Tesla Model 3.