Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The FBI has successfully dismantled the hacking operations of a Chinese state-sponsored group named "Volt Typhoon," which targeted critical US infrastructure such as the power grid and pipelines. FBI Director Christopher Wray informed lawmakers about a campaign executed to shut down the group, accusing China of preparing to cripple key US infrastructure in case of a conflict. The group, first exposed by Microsoft in May, allegedly accessed data on US assets by hacking into hundreds of older office routers. Wray emphasized China's extensive resources in cyber warfare, asserting that its hacking program surpasses that of all other major nations combined, with FBI cyber agents outnumbered 50 to 1 by Chinese counterparts. China has yet to respond to the accusations.
Ransomware gang LockBit has claimed responsibility for an attack on a Chicago children's hospital, deviating from its previous policy of not targeting nonprofits. Unlike previous cases, the criminals refuse to reverse the attack on Saint Anthony Hospital and are demanding an $800,000 ransom. Cybersecurity experts note that criminal goals evolve, and organizations should not assume immunity from attacks.
The global cybersecurity advisor at ESET stated, “No one remains safe from these attacks whether they are targeted or caught up in larger campaigns. Companies should never believe they are foolproof due to the nature of their business, nor should they reduce the best possible protection they have to offer.”
Security researchers suspect that the Akira ransomware group may be exploiting a nearly four-year-old Cisco vulnerability (CVE-2020-3259) as an entry point into organizations' systems. In several recent incidents involving Akira and Cisco's AnyConnect SSL VPN, TrueSec found that at least six devices were running versions vulnerable to the flaw, patched in May 2020.
While there is no publicly available exploit code for the Cisco vulnerability, its potential exploitation by Akira suggests either the purchase or development of an exploit, indicating a deep understanding of the flaw. The Akira group has been known to target Cisco VPNs for ransomware attacks.
Researchers recommend organizations check if their Cisco AnyConnect devices are running vulnerable versions and urge businesses to consider initiating broad password resets and implementing multi-factor authentication.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw (CVE-2022-48618) impacting iOS, iPadOS, macOS, tvOS, and watchOS to its Known Exploited Vulnerabilities catalog, indicating evidence of active exploitation. The vulnerability exists in the kernel component and could allow an attacker with arbitrary read and write capabilities to bypass Pointer Authentication. While exploit methods have not been publicised, Apple has said improved checks have been implemented to help combat the vulnerability.
Apple released patches for this flaw on December 13, 2022, but it was not publicly disclosed until January 2024, more than a year later. CISA recommends applying the fixes by February 21, 2024, for all Federal Civilian Executive Branch agencies.
Researchers at Qualys have identified a vulnerability (CVE-2023-6246) in Linux's GNU C Library (glibc) that could allow attackers to gain full root access to a system.
The heap-based buffer overflow is found in the glibc __vsyslog_internal() function, which is used by the widely used syslog() and vsyslog() logging functions. An unprivileged attacker could exploit the flaw by providing specific inputs, potentially leading to code execution with root privileges. Although triggering the vulnerability remotely is unlikely due to the specific conditions required, its severity is significant, as it affects major Linux distributions.
The issue was addressed in glibc 2.38, which also resolved five other security defects identified by Qualys researchers. One other flaw in glibc's qsort() function, leading to memory corruption, was also highlighted, impacting all glibc versions from 1.04 (September 1992) through 2.38 (January 2024).
In September 2023, Johnson Controls International suffered a ransomware attack costing the company $27 million in expenses and resulting in a data breach.
The Dark Angels ransomware gang, using encryptors based on leaked source code, was responsible for the attack, claiming to have stolen over 27 TB of confidential data and demanding a $51 million ransom. Johnson Controls confirmed the unauthorized access, data exfiltration, and deployment of ransomware in a recent quarterly report filed with the U.S. Securities and Exchange Commission. The company expects the cost to increase as it assesses the stolen data with the help of external cybersecurity experts.
Johnson Controls believes the unauthorized activity has been fully contained, and its digital products and services are now fully available.
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #267 – 2nd February 2024
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Ironshare is a provider of Information and Cyber Security services.