This week’s Cyber Security Headlines – Week in Review, July 3-7, is hosted by Rich Stroffolino with our guest, Hadas Cassorla, CISO, M1
The book that Hadas recommends during the show is Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future, by George Finney.
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Semiconductor giant says IT supplier was attacked, LockBit makes related claims
The Taiwan Semiconductor Manufacturing Company (TSMC) said one of its IT hardware suppliers experienced a security incident that caused an information leak. TSMC made the statement after the LockBit ransomware group claimed it attacked the company in a posting on its leak site on Thursday. A company spokesperson would not specifically address the LockBit posting but said the company recently became aware that one of its suppliers, a firm called Kinmax, was attacked, causing the “leak of information pertinent to server initial setup and configuration.” TSMC is considered the world’s most valuable semiconductor company with a 2021 annual revenue of more than $57 billion.
CISA issues warning for cardiac device system vulnerability
The warning concerns software from medical technology company Medtronic. Tracked as CVE-2023-31222, it carries a “critical” CVSS score of 9.8 and affects the company’s Paceart Optima software, which runs on a healthcare organization’s Windows server. The application stores and retrieves cardiac device data from programmers and remote monitoring systems from all major cardiac device manufacturers to support standard workflows. Medtronic said in an advisory that, if exploited, the vulnerability allows hackers to delete, steal, or modify data from a cardiac device. Hackers could also use the flaw as a foothold to move further into the healthcare organization’s network.
Thirty-three US hospitals hit by ransomware this year
At least 19 US healthcare organizations (HCOs) have been breached by ransomware gangs so far this year, according to Brett Callow, threat analyst at the New Zealand-based anti-malware specialist Emsisoft. Callow stated that, according to Emsisoft data, those 19 providers operate 33 hospitals, and at least 16 of the 19 had data exfiltrated. The Emsisoft report is careful to underscore the potential magnifying effect of an HCO or an HCO partner being compromised, citing last year’s attack on CommonSpirit Health, which operates more than 140 hospitals, as well as the Black Cat/ALPHV group recently adding Barts Health NHS Trust to its leak site. Barts oversees three major hospitals in London.
Japan’s major port hit with ransomware
The Port of Nagoya is Japan’s busiest port, handling about 10% of the country’s total trade volume. The port’s administrative authority issued a notice that a ransomware attack on July 4th affected its Nagoya Port Unified Terminal System (NUTS), halting the loading and unloading of containers between ships and trailers. The authority says it plans to restore NUTS and resume operations by the morning of July 6th. No group has been named as responsible for the attack.
Thanks to today’s episode sponsor, SlashNext

UK law could allow for real-time internet logs
A UK government inquiry into online fraud found that it “cost society at least £4.7 billion each year” but that fewer than 8% of reported fraud crimes are investigated. It deemed the level of policing focus inadequate for the scale and complexity of modern fraud. To combat this, the government has begun considering a new law that would empower its GCHQ intelligence agency to monitor logs of domestic internet traffic in real time to identify and disrupt fraud. Currently the UK government can request internet connection records from telcos, which can be used to identify a person suspected of a crime. It is unclear how GCHQ would overcome the technical hurdles of such real-time monitoring if the law came into effect.
Shell confirms MOVEit-related breach after ransomware group leaks data
Energy giant Shell has confirmed that personal information belonging to employees has been compromised as a result of the recent MOVEit Transfer hack. In a brief statement issued on Wednesday, Shell finally confirmed being hit by the MOVEit hack, clarifying that the managed file transfer (MFT) software was “used by a small number of Shell employees and customers.” Shell pointed out that “this was not a ransomware event” (likely referring to the fact that no file-encrypting malware was deployed, even though the stolen data was leaked by a ransomware group) and that there is no evidence of any other IT systems being affected.
Silentbob campaign: cloud-native environments under attack
Cybersecurity researchers have unearthed an attack infrastructure that’s being used as part of a “potentially massive campaign” against cloud-native environments. Cloud security firm Aqua stated, “This infrastructure is in early stages of testing and deployment, and consists of an aggressive cloud worm, designed to deploy on exposed JupyterLab and Docker APIs to deploy Tsunami malware, cloud credentials hijack, resource hijack, and further infestation of the worm.” Silentbob is said to be linked to the infamous cryptojacking group tracked as TeamTNT, citing overlaps in tactics, techniques, and procedures (TTPs). Alternatively, it could be the work of an “advanced copycat.”
Fileless attacks surge as cybercriminals evade cloud security defenses
The number of fileless or memory-based attacks that exploit existing software, applications, and protocols has surged 1,400% in the last year, according to Aqua Security’s 2023 Cloud Native Threat Report. Aggregated honeypot data collected over a six-month period showed that more than 50% of attacks focused on defense evasion. Attacks include masquerading techniques, such as files executed from /tmp, and obfuscated files or information, such as dynamic loading of code. In addition, threat actors used memory-resident malware in 5% of attacks, Aqua said. “One of the most successful techniques is HeadCrab, where an advanced threat actor uses custom-made malware that is undetectable by agentless and traditional antivirus technologies,” the report says. Aqua found evidence that HeadCrab has taken control of at least 1,200 Redis servers, some of them belonging to security companies. Such evasive attack techniques highlight the importance of agent-based runtime security, Aqua said.
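The patterns in this item (binaries run from /tmp, executables unlinked after launch or held only in memory, and code loaded dynamically into anonymous executable memory) are cheap to look for on a Linux host using nothing but /proc. The following is an added example, not code from Aqua or its report; the process list and the /proc/<pid>/maps excerpt are constructed for the demonstration, and the only assumption is a standard Linux /proc layout.

```python
"""Flag processes and memory regions that match the fileless patterns
described above. Added example; the sample data below is constructed."""
from __future__ import annotations

import os
from dataclasses import dataclass, field

# World-writable directories that a legitimate service binary rarely runs from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Finding:
    pid: int
    exe: str
    reasons: list[str] = field(default_factory=list)


def classify_exe(exe: str) -> list[str]:
    """Reasons to look closer at a process, given the target of its /proc/<pid>/exe link."""
    reasons = []
    if exe.startswith("/memfd:"):
        reasons.append("executable lives only in memory (memfd_create)")
    if exe.endswith(" (deleted)"):
        reasons.append("executable was unlinked after launch")
    if exe.startswith(SCRATCH_DIRS):
        reasons.append("executing from a world-writable scratch directory")
    return reasons


def scan(entries) -> list[Finding]:
    """entries: iterable of (pid, exe_link_target) pairs; returns only the suspicious ones."""
    findings = []
    for pid, exe in entries:
        reasons = classify_exe(exe)
        if reasons:
            findings.append(Finding(pid, exe, reasons))
    return findings


def anon_exec_mappings(maps_text: str) -> list[str]:
    """Address ranges from /proc/<pid>/maps that are executable but backed by no file.
    JIT runtimes (JVM, V8) legitimately create such regions, so treat hits as leads, not verdicts."""
    hits = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(parts) < 5:
            continue
        addr, perms, _offset, _dev, inode = parts[:5]
        path = parts[5] if len(parts) == 6 else ""
        if "x" in perms and inode == "0" and not path.startswith("["):
            hits.append(addr)
    return hits


def live_entries():
    """Walk /proc on the current host; reading other users' exe links needs root."""
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                yield int(name), os.readlink(f"/proc/{name}/exe")
            except OSError:
                continue


# Constructed sample process list, shaped like a host running a cryptojacker.
SAMPLE_PROCS = [
    (1, "/usr/lib/systemd/systemd"),
    (4212, "/usr/bin/redis-server"),
    (4390, "/tmp/.x/kthreadd"),
    (4401, "/memfd:tsunami (deleted)"),
    (4402, "/dev/shm/.cache/miner (deleted)"),
    (4500, "/usr/bin/python3"),
]

# Constructed /proc/<pid>/maps excerpt: a file-backed text segment, an anonymous rwx region,
# an anonymous rw- heap region, and the kernel's [vdso] page.
SAMPLE_MAPS = """\
55e3c0a00000-55e3c0a2b000 r-xp 00000000 fd:01 1311 /usr/bin/redis-server
7f2b1c000000-7f2b1c021000 rwxp 00000000 00:00 0
7f2b1c400000-7f2b1c800000 rw-p 00000000 00:00 0
7ffd2e3f0000-7ffd2e3f2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    source = live_entries() if os.path.isdir("/proc") else SAMPLE_PROCS
    for f in scan(source):
        print(f"pid {f.pid}: {f.exe}: {'; '.join(f.reasons)}")
    print("anonymous executable mappings in sample:", anon_exec_mappings(SAMPLE_MAPS))
```

Run as root for a full view of the host, or import it and feed scan() your own (pid, exe) pairs from an EDR export. The anonymous-executable check is deliberately noisy by design: it is the same signal a JIT produces, so pair it with the exe-path findings before raising an alert.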