This Month in Cybersecurity - February Edition

CISA Gives Warning of Active "Roundcube" Email Attacks

On February 12th, the United States' Cybersecurity and Infrastructure Security Agency (CISA) warned about a medium-severity security flaw that was added to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability was added after evidence was found of active exploitation; it is tracked as CVE-2023-43770 and has a CVSS score of 6.1.

The exploitation uses plain-text messages to deliver a malicious link reference, leading to information disclosure from the web-based email service. Roundcube addressed the flaw in version 1.6.3, released in September of last year, but users who have not updated to this version remain vulnerable to this exploit.


New FortiOS Zero-Day Exploit Announced

Earlier this month, Fortinet announced that it had patched a critical remote code execution vulnerability in its FortiOS platform. The flaw, tracked as CVE-2024-21762, was disclosed by Fortinet, which stated that it may have been exploited in the wild. The impacted FortiOS versions are as follows:

  • 6.0
  • 6.2
  • 6.4
  • 7.0
  • 7.2
  • 7.4

Patches have been released for all versions EXCEPT 6.0, and Fortinet recommends that users on that version upgrade to the latest build, 7.6, which is not affected by the vulnerability.

While Fortinet did not release details of potential attacks involving the vulnerability, the disclosure came alongside information that some customers have yet to patch two other, older vulnerabilities that have been actively exploited by threat agents in China.


Malware "Pikabot" Makes Resurgence

Threat agents have made significant changes to an existing malware known as Pikabot that reduce the complexity of its code. The security researchers who have been tracking Pikabot noted that this is a devolution of the malware, streamlined to hinder efforts to analyze it.

Pikabot and another loader called DarkGate have both emerged as attractive replacements for threat agents who are using older malware to gain access to a target's network. These developments came to light during an ongoing cloud account takeover campaign that has affected hundreds of compromised user accounts in dozens of Microsoft Azure environments, especially those belonging to senior executives.


Defensible Strategies

Learn from those who have been attacked

Romanian Hospitals Offline After Ransomware Attack

After a ransomware attack over the weekend of February 10th, dozens of hospitals and healthcare facilities were knocked offline. The attack targeted the Hipocrate Information System by deploying the Backmydata ransomware, which encrypted the healthcare facilities' data.

Romania's National Cyber Security Directorate (DNSC) announced that most of the impacted hospitals have fresh backups of their data, which will allow all systems to be restored quickly; for now, the hospitals have isolated the impacted systems. According to an affected cancer treatment organization, all of its servers were shut down and it had to register over 180 patient admissions on paper.

Situations like these show why it is important to have a Business Continuity and Disaster Recovery (BC/DR) plan in place. If you need help reviewing your BC/DR plan or have any questions about putting one in place, please feel free to reach out!


Generative AI and Cybersecurity in 2024

Last year, generative AI rose from a headline-grabbing novelty to an indispensable tool for increasing productivity. Cybersecurity experts have now had a full year to observe how threat agents and cyber criminals are using it to bolster their attacks, and have started to report on the most common ways they have seen AI used.

Threat agents are using generative AI in a few ways to expand their attack repertoire, including marrying the two types of phishing through social engineering. In the past, threat agents had to choose between broad phishing attempts that catch only a few vulnerable targets, and a more hands-on approach of actively researching the target, known as "whale phishing". Generative AI has given threat agents the ability to combine the two, allowing for tonally convincing messages at mass scale.

There have also been attempts to create "unstoppable" malware using AI, though nothing has come of that at this time. AI has, however, been used to review the source code of open-source software and find not only disclosed vulnerabilities but some previously unknown ones as well.