Dr. Chase Cunningham - Defend & Conquer Weekly Review December 6, 2023
- By daniel michan
- Published on December 6, 2023
Dr. Chase Cunningham:
Hey, good morning, afternoon, evening, whatever it is. I'm Dr. Chase Cunningham, Dr. ZeroTrust. That's two doctors. And I'm reporting here for Cybersecurity HQ. I'm going to give you some things that you need to know this week in the realm of cybersecurity. Some of this should be slightly shocking, some of it's kind of comical. "Microsoft warns of a Kremlin backed a PT 28 Critical Outlook vulnerability." If you have Outlook, stuff don't suck at patching. "On Monday, Microsoft said it detected Kremlin backed nation state activity exploding a now patched critical security flaw in its Outlook email service to gain unauthorized access to victim's accounts within Exchange server. Microsoft attributed the intrusions to a threat actor called Forest Blizzard, which was formerly STRONTIUM, whatever, which is also widely tracked under a PT 28 Blue Delta, Fancy Bear, frozen Lake Iron Twilight, SEDNET, sofacy, and TA422." Good luck keeping up with that.
There's a criticality score of 9.8 here, which is a privilege escalation bug that could allow an adversary to access a user's net NTLMV2#, which is not good. That could then be used to conduct a relay attack against other services to authenticate as the user. This was patched back in March of 2023, so don't suck at patching. Go patch your stuff.
Mercy Health patients among giant data breach affecting 8.9 million people. Yikes. "Cincinnati, Ohio, a data breach at a medical transcription service where medical records are again, not good, is, potentially impacting," I hate when they say it, "Is impacting patients with Mercy Health, along with more than 8.9 million people across the US After an unauthorized party," duh, "Gained access and copied files from the company server." So not just gained access, they got files. They posted a notice on its website that Perry Johnson and Associates Inc. Which does business as PJ&A experienced, so this is a third-party thing. An unauthorized party gained access to the third-party between March and May. So March, April, May. Okay. The statement from PJ&A said, "During that time, they acquired copies of certain files from that system." Yeah, so if you're in Cincinnati, and you happen to work or use this healthcare system, Mercy Health, I would contact them and see what's up.
"Russian National pleads guilty to role in ransomware attacks. A Russian national December 4th, pleaded guilty to his role in developing and deploying a suite of malware tools known as Trickbot, which we've all heard about, used to launch ransomware attacks against American hospitals and other businesses, the Department of Justice has announced." It doesn't say much about the actual person, but I do have the literal publication here. "Vladimir Dunayev, 40 of Amur Blast," which is over there, "Provided specialized services and technical abilities and furtherance of the trick bot scheme. He pleaded out, collaborated with South Korea, which was where his extradition became possible." So it looks like they had him wrapped up and then they offered him a plea deal and he pleaded out.
"NASA, the organization that launches into space still does not fully comply with OMB," which is a government organization, "US Government cybersecurity guidance." Doesn't sound good. "According to a new GAO report, cybersecurity federal agencies made progress, but need to fully implement incident response requirements." Good Lord. "The administration of NASA should ensure that the agency fully implements all event logging requirements as directed by OMB guidance." Yeah. "National Aeronautics and Space Administration concurred with our recommendation and stated that it plans to address our recommendation by, among other things, creating a comprehensive plan to address all event logging requirements under a recently established cybersecurity improvement portfolio." So they're launching things into space, but they don't even have a plan in place to log event data. Super. Yeah.
"Sellafield nuclear site attacked by cyber groups linked to Russia and China. Claims of data breach have been denied by the nuclear waste and decommissioning facility." So this is a hazardous nuclear facility in the UK. Reportedly has been attacked by cyber threat actors linked to Russia and China, according to the Guardian. "The compromise of IT systems at the Sellafield Nuclear Waste and Decommissioning site could date back all the way to 2015." That's eight years, if I can do that math. "With senior staff accused of covering up the breach of sleeper malware." Super awesome. Great. "Which loaders in infected systems to steal data or launch attacks. It's believed to have been embedded in Sellafield's computer network." Now, of course, Sellafield is denying this, so there's a problem there. Yeah, it's only nuclear waste and nuclear stuff, who cares?
And lastly, EU adopts quote, "World first cybersecurity legislation for manufacturers including oil and gas industry." I'll give you a spoiler alert; it's the same stuff everybody else has put together, it's just been repackaged. "The European Commission welcomed the geopolitical agreement Thursday, reach between the EU Parliament and the council on the Cyber Resilience Act proposed in 2022. It's the first legislation of its kind in the world." No, it's not. "It will improve the level of cybersecurity of digital products to the benefit of customers and consumers across the EU, as it introduces proportionate mandatory cybersecurity requirements for all hardware and software." Great. "Products with different levels of risk associated will have different security requirements." About time. "Less than 10% of products will be subject to third-party assessments," so that doesn't sound to me like it has any teeth.
Anyway, yeah, as always, stuff just keeps going where it is and stay smart, stay safe, stay secure. Catch you on the next one.