Flair Data Systems Cybersecurity News Update 6-19-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 6/19/2024... 

Good afternoon! 


I know today is a holiday for many organizations, and for those that can enjoy it, I hope you are spending it with your family and resting!  This week has some really interesting updates, specifically on a report called Inverted Rook. Take a look at the full story in the link below, take a step back from your own personal thoughts about the current state of the U.S., and look around you at how this type of scenario could really affect our country if it were to happen, and not just our country, but the world as a whole.  This is not me trying to induce FUD (Fear, Uncertainty, and Doubt), but to look at this report and how it would look if it really did happen. 


Now, let’s dive into this week’s cybersecurity news update... 


RAND's Inverted Rook wargame 

 

The Office of the Director of National Intelligence (ODNI) performed an exercise called Defending the United States Against Critical Infrastructure Attacks: Exploring a Hypothetical Campaign of Cascading Impacts 

  • OK, whoever decided to make the title of a report the length of a full sentence.... 
  • The types of attacks in the scenario included: physical attacks on electrical substations, ransomware attacks on government services, malware attacks on power grids, disruption of transportation, hackers remotely poisoning water treatment facilities, and cyberattacks on Wall Street 
  • The ripple effects would then include: government services being shut down; power outages affecting hospitals, transportation, refrigeration, heating, etc.; sickness and death from poisoned water, hypothermia, exposure, civil unrest, etc.; financial services being disrupted; the public splitting into factions blaming domestic extremists, foreign adversaries, or their own government; and the government being unable to go after foreign adversaries because it is consumed by the domestic chaos 
  • Honestly, the scary part of all of this is that I can see it happening due to the lack of interworking between all entities, along with the fact that no one really trusts one another. There is so much distrust across society that, if something like this were to happen, how would you know whom to trust, with as many lies as continue to spread across all government parties? 

Link (1): https://sociable.co/military-technology/us-unprepared-attacks-critical-infrastructure-rand-simulation/ 

 

Black Basta Exploited CVE-2024-26169 Prior to Patch  

 
Symantec reports evidence that the Black Basta ransomware group exploited a privilege escalation flaw (CVE-2024-26169) in the Windows Error Reporting Service as a zero-day, before Microsoft patched it in March 2024. 

  • The vulnerability allows a local attacker to gain SYSTEM privileges. Per Symantec, werkernel.sys created registry keys with a null security descriptor, which let the exploit tool create an Image File Execution Options key for WerFault.exe with a "Debugger" value pointing at its own executable, so that the next WerFault.exe launch started an attacker-controlled shell with elevated privileges. 
  • For years, I have noticed that WerFault has been able to gain access to LSASS and pull information that is then shipped back to Microsoft for "analysis", but I have always questioned this, and whether those capabilities could be used to perform actions (either by gathering this information or by using the tool with its inherent privileges) 
  • I understand why Microsoft has such a tool built into Windows to help determine if there is an issue with its applications and others', but the fact that it pulls this data as needed without any user knowledge or ability to restrict it is not acceptable; yet we are not the "owners" of the OS (Microsoft or Apple are) and so cannot make that decision 
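The registry technique described above is worth checking for on your own fleet. The following is an added example, not code from Symantec's write-up or from Microsoft: it enumerates every Image File Execution Options subkey that carries a "Debugger" value, flags the WerFault.exe entry the exploit tool is reported to create, and prints the ACL of anything flagged. The list of "expected" debugger executables is an assumption for this example, not an authoritative allowlist.

```powershell
# Added example: audit IFEO "Debugger" hijacks, the technique the CVE-2024-26169
# exploit tool used against WerFault.exe. Read-only; run from an elevated prompt.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumed "known" debuggers for this example; tune to what your developers actually use.
$ExpectedDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'procdump.exe')

function Get-IfeoDebuggerEntries {
    [CmdletBinding()]
    param([string]$Path = $IfeoPath)

    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $props -and $props.PSObject.Properties['Debugger']) {
            $debugger = [string]$props.Debugger
            # Pull the executable name out of the Debugger command line, quotes/arguments aside.
            $exe = if ($debugger -match '(?i)([^\\/"\s]+\.exe)') { $Matches[1].ToLowerInvariant() } else { $debugger }
            [pscustomobject]@{
                Image      = $_.PSChildName
                Debugger   = $debugger
                # WerFault.exe should never have a debugger attached; any unknown debugger is worth a look.
                Suspicious = ($_.PSChildName -ieq 'WerFault.exe') -or ($ExpectedDebuggers -notcontains $exe)
            }
        }
    }
}

$entries = @(Get-IfeoDebuggerEntries)
if ($entries.Count -eq 0) {
    Write-Output "No IFEO Debugger values found under $IfeoPath"
} else {
    $entries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
    $entries | Where-Object Suspicious | ForEach-Object {
        # Show who can write the flagged key; the bug was keys created with a null security descriptor.
        Write-Output "ACL for $($_.Image):"
        (Get-Acl -Path (Join-Path $IfeoPath $_.Image)).Access |
            Select-Object IdentityReference, RegistryRights, AccessControlType |
            Format-Table -AutoSize
    }
}
```

This is an after-the-fact detection, not a fix: a WerFault.exe Debugger entry pointing at an unfamiliar binary means the host needs incident response, and the actual remediation is the March 2024 Windows update. A legitimate developer workstation may carry IFEO Debugger entries for other images, which is why the check flags by image name and by debugger name rather than treating every entry as hostile.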

Link (1): https://symantec-enterprise-blogs.security.com/threat-intelligence/black-basta-ransomware-zero-day 

 

Pixel Phone 0-Day Patched  

 

CVE-2024-32896: an elevation of privilege issue in Pixel firmware that Google says may be under limited, targeted exploitation 

  • GrapheneOS, an open-source security and privacy focused Android fork, pointed out that this CVE is the full fix for a vulnerability that was only partially addressed in April under CVE-2024-29748, and that the underlying issue is not specific to Pixel devices, even though so far only Pixel has shipped the fix 
  • Per GrapheneOS, both CVEs refer to the same vulnerability, interrupting the reboot for a device wipe triggered via the device admin API, which applies to all Android devices; CVE-2024-32896 is the full fix in AOSP as part of Android 14 QPR3, so other vendors will not have it until they ship that release 
  • The June 2024 patches addressed a total of 50 security vulnerabilities 

Link (1): https://source.android.com/docs/security/bulletin/pixel/2024-06-01 

Link (2): https://thehackernews.com/2024/06/google-warns-of-pixel-firmware-security.html 

 

Life360 faces extortion attempt after Tile data breach 


Life360, a safety and location services company, was the target of an extortion attempt after a threat actor accessed and stole sensitive information from a Tile customer support platform 

  • Life360 acquired Bluetooth tracking service provider Tile in December 2021 
  • Life360 has not disclosed how the attacker got in or exactly what was accessed, but 404 Media reported that the hacker is believed to have used the credentials of a former Tile employee to gain access to multiple internal systems, a reminder that leaver accounts need to be disabled the day the person leaves 

Link (1): https://www.bleepingcomputer.com/news/security/life360-says-hacker-tried-to-extort-them-after-tile-data-breach/ 

 

Ascension Updates 


Ascension has provided an update stating that a worker accidentally downloaded a malicious file, which was the initial entry point for the nationwide cyberattack 

  • This continues to beat the drum that we cannot rely on technology-based controls alone; we also need to keep properly educating ourselves and our users 
  • This week alone, I have had someone who has personally built out security awareness training for large organizations openly admit to me that they clicked on a phishing email "because they were not fully paying attention" 
  • This does not mean they did anything wrong; it means they got a friendly reminder to stop and think before clicking 
  • Also, technology has its place: removing administrative rights from users is necessary, as is putting controls in place that elevate the specific task rather than the user 
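A practical first step on the last point is finding out who actually holds local administrator rights today. The following is an added example, not code from Ascension or from the linked article: it lists the members of the local Administrators group and flags any that are not on an allowlist. The allowlist entries are assumptions for this example; substitute the accounts and tiering groups your environment actually sanctions.

```powershell
# Added example: report members of the local Administrators group that are not expected.
# Read-only. Uses the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later).

# Assumed allowlist for this example: the built-in admin plus the domain group you actually use.
$AllowedAdmins = @('Administrator', 'Domain Admins')

function Get-LocalAdminReport {
    param([string[]]$Allowed = $AllowedAdmins)

    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop | ForEach-Object {
        # Name is "COMPUTER\user" or "DOMAIN\group"; compare on the short name only.
        $short = ($_.Name -split '\\')[-1]
        [pscustomobject]@{
            Name            = $_.Name
            ObjectClass     = $_.ObjectClass      # User or Group
            PrincipalSource = $_.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Expected        = $Allowed -contains $short
        }
    }
}

$members    = @(Get-LocalAdminReport)
$unexpected = @($members | Where-Object { -not $_.Expected })

$members | Sort-Object Expected | Format-Table -AutoSize
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) unexpected local admin(s) on $env:COMPUTERNAME"
} else {
    Write-Output "Local Administrators on $env:COMPUTERNAME matches the allowlist."
}
```

Run it through your RMM or a scheduled task to collect a per-host list, then work the "unexpected" rows down to zero and move day-to-day elevation to a just-in-time or per-application tool. One caveat: on domain-joined hosts that still carry orphaned SIDs in the group, Get-LocalGroupMember can throw an error; in that case `net localgroup Administrators` gives you the raw membership to work from.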

Link (1): https://www.wisn.com/article/ascension-reason-for-nationwide-cyber-attack/61101238 

 

Snowflake breach escalates with ransom demands and death threats 

 

Up to 10 organizations have been contacted with extortion demands ranging from $300,000 to $5 million 

  • Mandiant has reported that up to 165 Snowflake customers had their accounts compromised by UNC5537 using credentials exposed by info-stealing malware; the affected accounts were not protected by multi-factor authentication, and in some cases the stolen passwords had not been rotated for years 

Link (1): https://www.scmagazine.com/brief/ransom-demands-issued-to-snowflake-hack-victims 

 

AMD investigates breach after data for sale on hacking forum 

 

AMD is investigating whether it suffered a cyberattack after a threat actor posted on a hacking forum claiming to have stolen data and offering it for sale 

  • The data the actor claims to have taken includes AMD employee information, financial documents, and other confidential information 
  • IntelBroker is the threat actor making the claim; the same actor has claimed responsibility for the DC Health Link breach and the Europol Platform for Experts breach 

Link (1): https://www.bleepingcomputer.com/news/security/amd-investigates-breach-after-data-for-sale-on-hacking-forum/ 

 

Blackbaud has been fined for 2020 ransomware attack 

 

Blackbaud has agreed to pay $6.75 million to settle with the California Attorney General's Office over a ransomware attack the company discovered in May 2020 

  • The AG's office says the attack succeeded because of poor security practices at Blackbaud 
  • Blackbaud made misleading statements about the sufficiency of its data security efforts prior to the breach, and about the extent of the breach, to its nonprofit customers and the public 
  • The threat actors obtained unencrypted Social Security numbers, bank account details, and login credentials 
  • Private information belonging to roughly 13,000 nonprofits, universities, hospitals, and other organizations was compromised through Blackbaud 
  • The company paid a ransom of about $250,000 
  • This shows that one cannot just "pay" the ransom and hope to sweep the event under the rug; what an organization says publicly during an incident can have aftereffects that go on for years 

Link (1): https://www.darkreading.com/cyberattacks-data-breaches/blackbaud-fined-6m-after-2020-ransomware-attack# 

 

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 


About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or modern technology while enabling the business.  With over 20 years of experience in the IT industry, Brent has been part of multiple groups within the IT field, spanning Telecom, Network, Wireless, and Infrastructure, eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program. 

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. He lives in Dallas, Texas with his wife and children. 


About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S.  We provide trusted cybersecurity solutions in Fort Worth, TX. and the DFW Metroplex. 
