TRIAGE - Threat Reporting and Intelligence on Attacks and General Exploits #40
Events for the week of April 15th, 2024
The crucial five strategic threat intelligence stories of the week. This is from TLP white/open-source websites, so please feel free to share and enjoy reading about these events. Please reach out if you have any questions!
1. Microsoft is a national security threat, says ex-White House cyber policy director
Overview: Microsoft has a shocking level of control over IT within the US federal government – so much so that former senior White House cyber policy director AJ Grotto thinks it's fair to call Redmond's recent security failures a national security issue. Grotto this week spoke with The Register in an interview, in which he said that exacting even slight concessions from Microsoft has been a major fight for the Feds. "If you go back to the SolarWinds episode from a few years ago … [Microsoft] was essentially up-selling logging capability to federal agencies" instead of making it the default, Grotto said. "As a result, it was really hard for agencies to identify their exposure to the SolarWinds breach."
Area of Impact: Everyone running Microsoft systems in their enterprise environment and interested in logging processes tracking system behavior.
TRIAGE: Microsoft has always been one of the biggest players in the IT space, but it took quite a long time for security to become a real focus. Now that they do focus on security in general, we see service maturity issues. The one called out here is a massive issue: monitoring of their systems is a paid service, with multiple tiers granting different levels of visibility into the data. U.S. governmental organizations are not the only ones affected by tiered visibility into what crosses their wires, or by the inability to detect threats because their subscription level restricts what they can see, so this is really a worldwide concern. When the company that makes the systems also sells the monitoring for those systems behind a giant paywall, you start to see a conflict of interest between profit and a reasonable effort to actually help secure systems worldwide.
2. UnitedHealth says Change hackers stole health data on ‘substantial proportion of people in America’
Alt Source: UnitedHealth confirms it paid ransomware gang to stop data leak
Overview: Health insurance giant UnitedHealth Group has confirmed that a ransomware attack on its health tech subsidiary Change Healthcare earlier this year resulted in a huge theft of Americans’ private healthcare data. UnitedHealth said in a statement on Monday that a ransomware gang took files containing personal data and protected health information that it says may “cover a substantial proportion of people in America.”
Area of Impact: A ransomware event of this magnitude affected a huge portion of the population and their access to general medical services along with a major impact to prescription services.
TRIAGE: This is a continuation of the developing story around Change Healthcare and its ransomware incident. We now have confirmation from the company that it paid a ransom. The actual details of the initial attack, the apparent dissolution of BlackCat, and a new group calling itself RansomHub coming back for more money have kept this story top of mind for anyone tracking ransomware activity in 2024.
3. LastPass: Hackers targeted employee in failed deepfake CEO call
Overview: LastPass revealed this week that threat actors targeted one of its employees in a voice phishing attack, using deepfake audio to impersonate Karim Toubba, the company's Chief Executive Officer. However, while 25% of people have been on the receiving end of an AI voice impersonation scam or know someone who has, according to a recent global study, the LastPass employee didn't fall for it because the attacker used WhatsApp, which is a very uncommon business channel.
Area of Impact: Awareness on deepfake attacks, the maturity of deepfake technology and how we will see an exponential usage of deepfakes in the coming years is a necessity for all infosec professionals.
TRIAGE: Deepfake technology is constantly improving at an exponential rate and scammers continue to use these tools to ensnare people, especially people who are less technologically savvy in a general sense. In the research I have seen, more than 90% of general communication between people is non-verbal. So, if you see the face you expect on the other end and the voice sounds normal, people just tend to let any weird inconsistencies go. These deepfake systems are getting to the level of functioning in real-time with high accuracy, and outside of scams, we are also facing a deluge of potentially altered news content, geo-political messaging and purely made up false-flag disinformation campaigns from around the world.
4. Microsoft Warns: North Korean Hackers Turn to AI-Fueled Cyber Espionage
Overview: Microsoft has revealed that North Korea-linked state-sponsored cyber actors have begun to use artificial intelligence (AI) to make their operations more effective and efficient. "They are learning to use tools powered by AI large language models (LLM) to make their operations more efficient and effective," the tech giant said in its latest report on East Asia hacking groups. The company specifically highlighted a group named Emerald Sleet (aka Kimsuky or TA427), which has been observed using LLMs to bolster spear-phishing efforts aimed at Korean Peninsula experts.
Area of Impact: Any maturity in North Korean state-sponsored activity should remain a cause of deep concern. They are almost exclusively financially motivated, which means they attack targets of opportunity without any real focus outside of gathering funds. This puts organizations worldwide in their crosshairs.
TRIAGE: Depending on a threat group's motives and general capabilities, AI systems and LLMs in their current state can already be a serious force multiplier. With financial gain as the focus for North Korea, LLM-based AI is a natural extension of their plans to run believable phishing and espionage campaigns. This is also the flip side of the deepfake technology covered above: both deepfakes and LLMs add massive capability to dupe targets into falling for attacks that appear to be genuine requests or routine operations from their peers.
5. Russian FSB Counterintelligence Chief Gets 9 Years in Cybercrime Bribery Scheme
Overview: The head of counterintelligence for a division of the Russian Federal Security Service (FSB) was sentenced last week to nine years in a penal colony for accepting a USD $1.7 million bribe to ignore the activities of a prolific Russian cybercrime group that hacked thousands of e-commerce websites. The protection scheme was exposed in 2022 when Russian authorities arrested six members of the group, which sold millions of stolen payment cards at flashy online shops like Trump’s Dumps.
Area of Impact: Awareness of legal activity tied to cybercrime activity.
TRIAGE: We have seen a large uptick in law enforcement action against cybercrime from the U.S. side in the past year, but in general very little from Russia. While it is always positive to see criminal activity punished, the political reasoning behind those actions merits some consideration. The same applies to any major cybercrime takedown by U.S. authorities or others worldwide: the political moves behind it deserve the same awareness.