Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics
Article Link: https://thehackernews.com/2023/09/deadglyph-new-advanced-backdoor-with.html
- Cybersecurity researchers from ESET recently discovered an advanced backdoor dubbed “Deadglyph” currently used for cyber espionage in the Middle East.
- What makes Deadglyph interesting is that portions of the malware are written in native x64 code and others in .NET, rather than in a single language. ESET's report suggests that the authors had two separate development teams and that mixing languages was an attempt to hinder malware analysis.
- The method of delivery is unknown; however, shellcode is loaded from the Windows Registry to begin malware execution via the x64 module. From there, the .NET portion begins communicating with the C2 server as it waits for additional instructions.
- Link to ESET’s Report: https://www.welivesecurity.com/en/eset-research/stealth-falcon-preying-middle-eastern-skies-deadglyph/
Rising OT/ICS Cybersecurity Incidents Reveal Alarming Trend
Article Link: https://www.helpnetsecurity.com/2023/09/20/ot-ics-cybersecurity-incidents/
- According to a report from Rockwell Automation, which reviewed over 100 cybersecurity incidents in industrial environments, 60% of cyberattacks on industrial environments are led by state-affiliated actors and 80% started with an IT system compromise.
- Phishing occurred in 34% of attacks, highlighting that attackers are unintentionally aided by insiders who click on malicious links.
- The report also highlighted that supervisory control and data acquisition (SCADA) systems were targeted in 53% of incidents and programmable logic controllers (PLCs) in 22% of incidents.
Dallas says Royal Ransomware Breached Its Network Using Stolen Account
Article Link: https://www.bleepingcomputer.com/news/security/dallas-says-royal-ransomware-breached-its-network-using-stolen-account/
- The City of Dallas, Texas, recently said that the Royal ransomware attack that forced it to shut down all IT systems in May and led to the exfiltration of over 1 TB of data started with a stolen account.
- According to the article, Royal prepared their attack by deploying Cobalt Strike beacons and then began deploying their ransomware payloads at 2 AM on May 3rd. On the morning following encryption, all network printers began printing out ransom notes to unsuspecting employees.
- The City of Dallas recovered all of their systems over the course of just over 5 weeks, bringing the last server back online on June 13th. Additionally, the Dallas City Council has currently set a budget of $8.5 million for ransomware attack restoration efforts, with the final costs to be shared later.
- Link to an Overview from the City of Dallas: https://www.dallascitynews.net/update-on-ransomware-incident-personal-data-protection
- Link to a Full Write-Up of the Incident from the City of Dallas: https://dallascityhall.com/DCH%20Documents/dallas-ransomware-incident-may-2023-incident-remediation-efforts-and-resolution.pdf
Youth Hacking Ring at the Center of Cybercrime Spree
Article Link: https://cyberscoop.com/youth-hacking-ring-at-the-center-of-cybercrime-spree/
- Teenagers and culprits in their early 20s are increasingly pulling off high-profile hacks, such as the recent Las Vegas casino breaches, using advanced skills and loudly bragging about their exploits in language filled with racism and misogyny.
- Researchers have identified this online community of young cybercriminals as the “Com” ecosystem, which has various subgroups and collectives that mimic each other’s tactics and have assisted in various high-profile cyberattacks.
- It was noted that many members of the “Com” ecosystem are highly skilled in social engineering due to being native English speakers. Additionally, many of these young hackers have begun working with global cybercrime syndicates, further dragging them into lives of crime.
- The article highlights recommendations from industry experts who suggest that Congress explore funding juvenile cybercrime prevention programs to address youth cybercrime.
Microsoft Leaks 38TB of Private Data via Unsecured Azure Storage
Article Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-leaks-38tb-of-private-data-via-unsecured-azure-storage/
- The Microsoft AI research division accidentally leaked dozens of terabytes of sensitive data starting in July 2020 while contributing open-source AI learning models to a public GitHub repository.
- Researchers at the cloud security firm Wiz found the misconfigured Azure Blob storage bucket in June 2023 and reported the issue to the Microsoft Security Response Center, who resolved the issue.
- The misconfiguration exposed 38TB of data, including backups of personal information and credentials for Microsoft employees and an archive of over 30,000 internal Teams messages.
- The exposure is the result of Microsoft using an overly permissive shared access signature (SAS) token, allowing full control over shared files. As the researchers noted, SAS tokens are created offline, can be set to never expire, and are difficult to manage, track, and revoke.
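The SAS weaknesses named above (write permissions, no or distant expiry, account-wide scope) are all visible in the token's own query string, so they can be audited without touching Azure. The following is an added example, not code from the article, Wiz or Microsoft: it parses the documented SAS parameters (`sp`, `se`, `sr`, `ss`/`srt`, `spr`, `sip`) from a URL and reports the findings a reviewer would want. The sample URLs, the storage account name, and the 7-day lifetime threshold are constructed assumptions; the `sig` values are placeholders.

```python
"""Audit Azure Storage SAS URLs for the weaknesses described above.

Added example, not code from the article, Wiz or Microsoft. It only
inspects the SAS query string offline and never contacts Azure.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# SAS query parameters (documented by Azure): sp = permissions, se = expiry,
# sr = resource type for a service SAS (b = blob, c = container), ss/srt =
# services/resource types for an account SAS, spr = allowed protocols,
# sip = allowed source IP range.
WRITE_PERMS = set("acwd")          # add, create, write, delete
MAX_LIFETIME = timedelta(days=7)   # audit threshold; an assumption, not an Azure rule

# Fixed "current time" so the audit below is reproducible (constructed).
FIXED_NOW = datetime(2023, 9, 25, 10, 0, tzinfo=timezone.utc)

# Constructed sample URLs; account, container, blob and signature are placeholders.
OVERLY_PERMISSIVE = (
    "https://exampleaccount.blob.core.windows.net/container"
    "?sv=2021-06-08&ss=b&srt=sco&sp=rwdlac&se=2051-10-09T00:00:00Z&sig=PLACEHOLDER"
)
LEAST_PRIVILEGE = (
    "https://exampleaccount.blob.core.windows.net/container/model.bin"
    "?sv=2021-06-08&sr=b&sp=r&se=2023-09-25T12:00:00Z&spr=https"
    "&sip=203.0.113.10&sig=PLACEHOLDER"
)


def parse_sas(url: str) -> dict:
    """Return the SAS parameters of a URL as a flat dict (first value wins)."""
    query = urlsplit(url).query
    return {k.lower(): v[0] for k, v in parse_qs(query).items()}


def parse_expiry(se: str) -> datetime:
    """Parse the 'se' value, which may be a full ISO 8601 timestamp or a bare date."""
    value = se.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    # A bare date parses as a naive midnight; SAS times are UTC.
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def audit_sas(url: str, now: Optional[datetime] = None) -> List[str]:
    """Return the list of findings for one SAS URL; empty means nothing flagged."""
    now = now or datetime.now(timezone.utc)
    sas = parse_sas(url)
    findings: List[str] = []

    # 1. Anything beyond read/list lets the holder modify or delete data.
    perms = set(sas.get("sp", ""))
    if perms & WRITE_PERMS:
        findings.append(f"write-capable permissions: sp={sas['sp']}")

    # 2. Scope: an account SAS (ss/srt) covers the whole storage account,
    #    a container SAS (sr=c) covers every blob in the container.
    if "ss" in sas or "srt" in sas:
        findings.append("account SAS: scope is the whole storage account")
    elif sas.get("sr") == "c":
        findings.append("container-scoped SAS: every blob in the container is reachable")

    # 3. Expiry: missing, already past, or further out than the audit threshold.
    if "se" not in sas:
        findings.append("no expiry (se missing)")
    else:
        expiry = parse_expiry(sas["se"])
        if expiry <= now:
            findings.append("token already expired")
        elif expiry - now > MAX_LIFETIME:
            findings.append(
                f"expiry {expiry.date()} is more than {MAX_LIFETIME.days} days away"
            )

    # 4. Transport and network restrictions. spr defaults to HTTPS-only when absent.
    if "http" in sas.get("spr", "https").split(","):
        findings.append("plain HTTP allowed (spr)")
    if "sip" not in sas:
        findings.append("no source IP restriction (sip missing)")

    return findings


if __name__ == "__main__":
    for label, url in (("overly permissive", OVERLY_PERMISSIVE),
                       ("least privilege", LEAST_PRIVILEGE)):
        print(f"{label}: {audit_sas(url, now=FIXED_NOW) or ['no findings']}")
```

Because a SAS is just an HMAC over its own parameters, the service never records which tokens exist; the only way to know what is outstanding is to keep the URLs you issued and to audit them like this, and the only way to revoke a problematic one is to rotate the account key or tie the SAS to a stored access policy that can be deleted.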
Ransomware Cyber Insurance Claims up by 27%
Article Link: https://www.helpnetsecurity.com/2023/09/22/ransomware-cyber-insurance-claims-h1-2023/
- According to a report by cyber insurance firm Coalition, cyber insurance claim frequency increased by 12% in the first half of 2023. Likewise, the claim severity increased by 42% with an average loss amount of over $115,000.
- While frequency and severity rose across the board, organizations with $100 million in revenue saw the largest increases with a 20% increase in claim frequency and 72% in claim severity to start 2023.
- The report also noted that Coalition recovered $23 million in stolen funds, all of which was returned to policyholders.
- Link to Coalition’s Report: https://info.coalitioninc.com/download-2023-cyber-claims-report-mid-year-update.html
- Link to an Additional Article (CSO Online): https://www.csoonline.com/article/652906/us-cyber-insurance-claims-spike-amid-ransomware-funds-transfer-fraud-bec-attacks.html
- Link to FRSecure’s Free Incident Response Plan Template: https://frsecure.com/incident-response-plan-template/
Cyber-Related False Claims Actions are on the Uptick
Article Link: https://www.csoonline.com/article/652720/cyber-related-false-claims-actions-are-on-the-uptick.html
- The U.S. Department of Justice (DOJ) recently announced that Verizon agreed to pay over $4 million to resolve False Claims Act (FCA) allegations that its Managed Trusted Internet Protocol Service (MTIPS) failed to meet three cybersecurity controls for trusted internet connections required under General Services Administration (GSA) contracts.
- In addition to reviewing the FCA allegations levied against Verizon, the article also discussed other organizations that were fined as a result of FCA allegations. These included Comprehensive Health Services, Jelly Bean Communications, and Jelly Bean’s company manager and co-owner.
- The article highlighted that there will likely be an increased pace in FCA actions in the future as more avenues for whistleblowers open up. Additionally, several contributors to the article predicted that defense contractors will likely be the next focus of the DOJ’s future FCA actions.
UK-US Data Bridge Becomes Law, Takes Effect 12 Oct.
Article Link: https://iapp.org/news/a/uk-u-s-data-bridge-becomes-law-takes-effect-12-october/
- On September 21, the UK Government approved the creation of a US-UK "data bridge," permitting the flow of personal data between the two countries.
- The US-UK data bridge builds on the recently renegotiated US-EU Data Privacy Framework, which outlines data privacy requirements for data transferred between the European Union, Switzerland, the United States, and now the United Kingdom.
- Each agreement comes with regulations that organizations from each country are required to follow when transferring data across borders, unless identified alternative transfer mechanisms are used. The US-UK regulations are set to take effect on October 12th of this year.
- Link to US-UK Information: https://www.gov.uk/government/publications/uk-us-data-bridge-supporting-documents
- Link to US-EU Information: https://www.dataprivacyframework.gov/s/
Microsoft to Start Retiring Exchange Web Services in October 2026
Article Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-to-start-retiring-exchange-web-services-in-october-2026/
- Microsoft recently stated that the Exchange Web Services (EWS) API for Exchange Online and Office 365 will be retired across all environments on October 1, 2026.
- EWS is a cross-platform API that can be used to develop apps capable of accessing mailbox items such as email messages, meetings, and contacts.
- EWS components will continue to receive security and some non-security updates. However, there will be no changes to the product’s design or features. Microsoft encourages developers who are using the EWS API to switch to the Microsoft Graph API.
- Link to Microsoft’s Announcement: https://techcommunity.microsoft.com/t5/exchange-team-blog/retirement-of-exchange-web-services-in-exchange-online/ba-p/3924440
