This month’s news shows that governments and critical infrastructure (such as healthcare and energy utilities) continue to be a high priority target for cyber criminals. We also saw how advanced threat actors take advantage of a product’s new feature vulnerabilities and digital certificates. Read on to find out what we’re talking about this month.
Cyberattack on top Indian hospital highlights security risk
The healthcare sector has always been a target for cyber criminals. In this case, the leading hospital in India’s capital is limping back to normalcy after a cyberattack crippled its operations for nearly two weeks. India, a country with 1.4 billion people (soon to surpass China), is pushing hard with digitalization of their entire health sector. More than 173,000 hospitals have registered with a federal program to digitize health records since its launch in September 2021. As Srinivas Kodali, a researcher with the Free Software Movement of India, said: “Digitizing an entire health care system without really safeguarding it can pretty much kill an entire hospital. It suddenly stops functioning”.
“Even if it is unclear who conducted the attack, active detection technology could be the perfect tool for them to be able to defend against this kind of critical infrastructure advanced threats.” — Member of the Development Team
Source: ABC News, December 12
Microsoft digital certificates have once again been abused to sign malware
Multiple threat actors were involved in the misuse of Microsoft’s digital imprimatur, which they used to give Windows and endpoint security applications the impression malicious system drivers had been certified as safe by Microsoft. That has led to speculation that there may be one or more malicious organizations selling malicious driver-signing as a service. In all, researchers have identified at least nine separate developer entities that abused the certificates in recent months.
“Signed binaries are usually trusted by most EDRs and whenever a digital certificate is compromised (and in this case it is especially dangerous as the compromised certificates were from Microsoft), advanced threat actors can use them to bypass security measures when entering an organization. CounterCraft’s detection capabilities are able to detect malicious behavior on any binary regardless of whether they are signed.” — Fernando, Founder
Source: Arstechnica, December 14
AWS Elastic IP transfer feature gives cyber attackers free range
A new feature in Amazon Web Services (AWS) can be compromised, allowing threat actors to take over victims’ cloud accounts to steal data or use them for command-and-control for phishing attacks, denial of service, and other cyberattacks.
Threat actors can use the Amazon Virtual Private Cloud (VPC) Elastic IP (EIP) transfer feature to steal someone else’s EIP, allowing them to use it as their own command-and-control (C2) or launch phishing campaigns that impersonate the victim. Threat actors can take over victims’ cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.
“This article reinforces the fact that cloud environments and their features are an attack vector for bad actors if not properly configured and secured, much like on-premise solutions, and because this attack method is new and not listed in reputable frameworks like MITRE ATT&CK, a bad actor may easily go undetected by existing security mechanisms. Organizations should ensure their people are trained on new features, only use these features if absolutely necessary, and properly secure them.” — Shunta Sharod Sanders, Director of Global Pre-Sales Engineering
Source: Dark Reading, December 20
Kremlin-backed hackers targeted a large petroleum refinery in a NATO nation
One of the Kremlin’s most active hacking groups targeting Ukraine (tracked under various names including Trident Ursa, Gamaredon, UAC-0010, Primitive Bear, and Shuckworm) recently tried to hack a large petroleum refining company located in a NATO country. The attack is a sign that the group is expanding its intelligence gathering focusing on energy companies in countries opposing Russia’s war on Ukraine and NATO allies.
Trident Ursa’s hacking techniques are simple but effective. The group uses multiple techniques to conceal the IP addresses and other signatures of its infrastructure, phishing documents with low detection rates among anti-phishing services, and malicious HTML and Word documents.
“Traditional cybersecurity is not enough to mitigate this kind of risk and protect oil and gas enterprises. Proactive cybersecurity is a must for these high-risk institutions. Deception technology makes it possible to not only detect attacks and intruders but to control the behavior of the adversary.” — Member of the Sales Team
Source: Arstechnica, December 23
Hackers stole data from multiple electric utilities in recent ransomware attack
In October, hackers stole data belonging to multiple electric utilities in a ransomware attack on a US government contractor. This attack hit Chicago-based Sargent & Lundy, an engineering firm that has designed more than 900 power stations and thousands of miles of power systems and holds sensitive data on those projects. Hackers used a strain of ransomware known as Black Basta that first surfaced early this year.
Federal regulations require electric utilities to maintain certain cybersecurity standards for protecting their systems from hacks. However, its third party suppliers are not vetted with the same rigorousness. For US cybersecurity officials, this engineering work can be harder to evaluate in terms of its risk to supply chain security than a firm that only makes software.
“We know electric utilities are a target of both sophisticated nation-state actors and cyber criminals. Deception-powered threat intelligence is perfect for this kind of scenario. It allows you to mitigate these attacks and relegate the incident to a one-off event.” — Member of the Threat Intel team
Source: CNN, December 27
Don’t miss next month’s roundup. Follow us on LinkedIn, Twitter, or sign up for our newsletter to stay in touch.