Welcome to our latest cybersecurity roundup. This week, we cover a breach of Japan’s solar power grid by Hacker CN, LockBit’s release of 300 GB of London Drugs data, a new global ATM malware threat, and a critical vulnerability in Cisco’s Firepower Management Center software. We also discuss RansomHub’s threats against Christie’s, the FBI’s insights into the Scattered Spider group, Check Point’s VPN breach attempts, and a Fortinet SIEM exploit. Additionally, we highlight the recovery of a lost password to a $3 million crypto wallet, NIST’s efforts to clear its vulnerability backlog, and Okta’s warning of credential stuffing attacks.

We’re here to keep you informed on pressing cybersecurity developments from around the globe.

 

1. Hackers access a Japanese solar power grid

Japanese media reported a significant cyberattack on the solar power grid infrastructure, marking what might be the first publicly confirmed incident of its kind. Malicious actors hijacked 800 SolarView Compact remote monitoring devices, manufactured by industrial control electronics company Contec, at various solar power generation facilities. The cybercriminals used these compromised devices to engage in bank account thefts – they were after compute power. The hacker group responsible for the attack is likely Hacker CN, also known as Arsenal Depository. South Korean security firm S2W identified Hacker CN as a group potentially based in China or Russia. This group was previously linked to hacktivist attacks targeting Japanese infrastructure, particularly after the Japanese government released contaminated water from the Fukushima nuclear power plant, under an operation termed “Operation Japan.” Though the exploitation of these remote monitoring devices did not threaten power system operations, experts caution that such intrusions could be more dangerous if highly capable adversaries gained access. (CSO Online)

 

2. Lockbit drops 300 gigabytes of data from London Drugs

Last month, cybercriminals stole files from London Drugs’ head office and have now released some data after the company refused to pay a ransom. The Richmond, B.C.-based retailer said the files might contain employee information and is offering affected staff credit monitoring and identity theft protection. The hacking group LockBit claimed responsibility, releasing over 300 gigabytes of data. London Drugs, which shut down its stores temporarily, stated there’s no evidence customer data was compromised. LockBit, described as the “world’s most harmful cybercrime group,” has been disrupted by international law enforcement efforts, but it remains active. (The Star)

 

3. New ATM malware poses significant global threat

According to notifications posted on a dark web news site, a threat actor is advertising a new malware that it claims is able to compromised 99% of ATM devices in Europe and 60% of ATMs worldwide. The announcement claims it can target machines made by the world’s leading ATM manufacturers including Diebold Nixdorf, Bank of America, NCR, and Hitachi. The malware can operate automatically or with manual oversight, and interested parties are being offered a three day trial using a test payload. (Security Affairs)

 

4. High-severity vulnerability hits Cisco Firepower Management Center

Cisco is warning of a vulnerability with a CVSS score 8.8 within the web-based management interface of the Firepower Management Center (FMC) Software. This vulnerability is an SQL injection issue which can be exploited for an attacker who has at least Read Only user credentials. There are currently no workarounds for this vulnerability, but Cisco has confirmed that it does not affect Adaptive Security Appliance (ASA) Software or Firepower Threat Defense (FTD) Software. (Cisco advisory)

 

5. The RansomHub group puts a deadline on Christie’s

The hacker group RansomHub, responsible for a recent attack on Christie’s, has threatened to leak sensitive client information if ransom demands aren’t met by May 31. RansomHub, previously behind an attack on Change Healthcare, claimed access to Christie’s data on the dark web, releasing sample data including names, birth dates, and nationalities. Christie’s acknowledged a tech issue in early May, just before major auctions, revealing unauthorized access by a third party. Despite rejecting initial ransom demands, Christie’s faces pressure to comply to avoid GDPR fines and reputational damage. (ITPro)

 

6. The FBI untangles Scattered Spider

At last week’s Sleuthcon conference just outside Washington DC, Bryan Vorndran, assistant director of the FBI’s Cyber Division, revealed insights into Scattered Spider, a cybercriminal group linked to numerous high-profile breaches. Known also as 0ktapus or UNC3944, Scattered Spider comprises around 1,000 members, many of whom do not know each other directly. Vorndran described the group as a “very, very large, expansive, dispersed group of individuals.” This group has breached several prominent companies, including MGM Resorts and Okta. The FBI considers Scattered Spider a top-tier cybersecurity threat, alongside nation-state actors from China and Russia. Composed primarily of native English speakers from the United States and the United Kingdom, the group employs both digital and physical threats. Some members even offer violence as a service, engaging in activities such as assaults and property damage to extort victims. Despite facing criticism for the lack of public arrests, the FBI officials say they have taken non-public actions against the group. In January, authorities in Florida arrested 19-year-old Noah Urban, identified as a key figure in the crime ring. (Cyberscoop)

 

7. Attackers target Check Point VPNs to access corporate networks

On Monday, cybersecurity firm Check Point issued an advisory that it observed a small number of attempts to breach its customers’ VPNs this past Friday. The attacks did not attempt to exploit a software vulnerability but instead targeted customers who are using outdated VPN local accounts with password-only authentication. The company advised customers to secure network accounts by adding another layer of authentication. Check Point also released a solution designed to automatically prevent unauthorized access via local accounts using password-only authentication. (Infosecurity Magazine)

 

8. PoC exploit released for bug in Fortinet SIEM

Security researchers at Horizon3’s Attack Team released a proof-of-concept (PoC) exploit for a remote code execution issue in Fortinet’s SIEM solution (CVE-2024-23108). The PoC exploit allows commands to execute as root on several versions of Internet-facing FortiSIEM appliances. Fortinet disclosed the maximum severity bug back in February, stating attackers may be able to execute unauthorized commands via crafted API requests. The researchers published indicators of compromise to help owners of vulnerable devices investigate potential issues. (Bleeping Computer and Security Affairs)

 

9. Researchers crack 11-year-old password to $3 million crypto wallet

Researcher Joe Grand and a friend helped a man find the lost password to his cryptocurrency wallet containing 43.6 BTC, valued at nearly $2.96 million. The anonymous man, dubbed Michael, set up a crypto wallet in 2013 and then used RoboForm to create its unique 20-character password. Michael opted to store the password in an encrypted file instead of storing it in RoboForm due to security concerns. However, he lost the password when the encrypted file became corrupted. The researchers recovered Michael’s password by exploiting a long-fixed vulnerability in the RoboForm password generator. Michael said he was glad he lost access to his wallet as holding onto his tokens allowed them to appreciate from $5,300 in 2013 to roughly $68,000 at current rates. He gave a portion of his bitcoin to the researchers as payment for their help. (The Block and Slashdot)

 

10. NIST hopes to clear out the NVD backlog

The National Institute of Standards and Technology (NIST) has awarded a contract to help process incoming Common Vulnerabilities and Exposures (CVEs) for the National Vulnerability Database (NVD). They aim to clear the backlog of unprocessed CVEs by September 30. NVD’s slowdown in CVE enrichment became evident in February. NIST is implementing a multi-pronged solution, including improved tools, automation, and a consortium to address challenges. They have started ingesting CVE 5.0 and 5.1 records hourly since May 20. NIST is committed to modernizing the NVD and addressing the growing volume of vulnerabilities with technology and process updates, ensuring the program’s sustainability and supporting automated vulnerability management. (Helpnet Security)

 

11. Okta warns users of credential stuffing attacks

Okta warns customers of credential stuffing attacks targeting the Customer Identity Cloud’s cross-origin authentication feature. Threat actors are using stolen username and password combinations from phishing, malware, or data breaches to compromise customers’ tenants. Customers should review logs for suspicious activity, such as failed or successful cross-origin authentication attempts and logins with leaked passwords. Okta advises rotating compromised passwords, enrolling in passwordless authentication, enforcing strong passwords, implementing MFA, disabling unused cross-origin authentication, restricting permitted origins, and enabling breached password detection. This warning follows a cyberattack in October 2023, where customer support system user data was stolen. (Securityweek)

 

12. Europol seizes 2,000 domains in dropper takedown

The law enforcement agency announced it carried out “Operation Endgame,” which targeted malware droppers used to initially get malware loaded onto systems. This saw the seizure of over 2,000 domains, four arrests across Armenia and Ukraine, and the release of over 13.5 million unique passwords to Have I Been Pwned. Authorities previously tied the dropper sites to use with IcedID, SmokeLoader, and Trickbot. German authorities also added eight other suspects related to this takedown to the EU’s Most Wanted list. (CyberScoop)

 

13. LightSpy makes its way to macOS

LightSpy serves as a modular surveillance framework, targeting iOS and Android devices. However, a report from ThreatFabric discovered a variant targeting macOS. It discovered this by exploiting a misconfigured interface, finding LightSpy can exploit a series of WebKit flaws to execute within Safari. The interface also showed references to Windows, Linux, and routers but did not include any technical documentation of how its attack chain works. It’s not clear how wide of a reach the spyware will have. It only works on macOS 10.13.3 or earlier. Apple cut off support for macOS 10 almost four years ago, so it’s probably vulnerable to a lot of other nasty stuff too. (Bleeping Computer)

 

14. An alleged leak of Google’s search algorithm contradicts the company’s public statements

A significant leak of 2,500 internal Google documents reveals detailed insights into how the company’s search algorithm functions, contradicting Google’s long-standing public statements. SEO expert Rand Fishkin, who received the documents, claims they show Google has misled the public about its ranking processes. The documents detail Google’s search API and data collection practices, offering technical insights valuable to developers and SEO professionals. Key revelations include discrepancies about the use of Chrome data in rankings and the role of E-E-A-T (experience, expertise, authoritativeness, and trustworthiness). Despite Google’s claims that Chrome data isn’t used for ranking and E-E-A-T isn’t a ranking factor, the documents suggest otherwise. They show Google tracks author data, which may influence search results, contrary to Google’s public statements.This leak challenges Google’s transparency, showing a complex, secretive system influencing web content and sparking calls for more critical examination of Google’s claims by journalists and the SEO industry. The U.S. government’s antitrust case against Google adds to this scrutiny, highlighting the need for greater accountability in how Google operates its search engine. (The Verge)

15. German researchers discover a critical vulnerability in a TP-Link router 

Security researchers from German cybersecurity firm ONEKEY have discovered a critical vulnerability in TP-Link’s Archer C5400X router with a maximum severity score of 10.0. The flaw in the “rftest” network service o allows remote, unauthenticated attackers to execute arbitrary commands, compromising the device completely. Exploiting this vulnerability can let hackers inject malware or use the router for further attacks. TP-Link has released a patched version, and users should update their firmware immediately to secure their routers from potential exploitation. (Techspot)

 

16. New North Korean hacking group emerges

A North Korean hacking group has been formally identified by Microsoft, and it has been given the name Moonstone Sleet, an upgrade from its earlier name Storm-1789, a nomenclature system Microsoft uses for uncategorized malicious actors. Moonstone Sleet appears to share techniques and code with another North Korean group, Diamond Sleet. Currently its TTP portfolio includes “setting up fake companies and job opportunities to engage with potential targets, deploying trojanized versions of legitimate tools, and creating malicious games and custom ransomware.” (InfoSecurity Magazine)

 

17. New report looks at the security dangers of inadequate offboarding

Wing Security says that 63% of businesses may have former employees who still have access to organizational data. Inadequate or insufficient offboarding practices, the company says, often happen during periods of mass layoffs, citing the 80,000 tech employees who were made redundant in the first half of 2024 alone, “especially considering that the average employee uses 29 different SaaS applications.” The report cites four distinct risks, being data breaches, compliance violations, insider threats, and intellectual property theft. Their recommendation is to use automation in SaaS Security Posture Management (SSPM). A link to the report is available in the show notes to this episode. (The Hacker News and Wing Security)

In high-security environments like the DoD and the Intelligence Community, the System Security Plan (SSP) is critical for ensuring that systems handle sensitive national security data appropriately. It helps in achieving and maintaining the authorization to operate (ATO), which is mandatory for systems that process, store, or transmit classified information. The SSP ensures all stakeholders are aware of the security features of the system and understand their responsibilities in maintaining its security integrity.

The SSP is not only a compliance document but also a dynamic tool used for ongoing security management and decision-making, essential for maintaining the stringent security requirements demanded by the DoD and Intelligence Community.

RedSeal plays a pivotal role in assisting Information System Security Officers (ISSOs) and Information Systems Security Managers (ISSMs) in creating and maintaining a System Security Plan (SSP) for the systems managed within high-security environments.

How RedSeal can contribute to each aspect of an SSP:

 

Step 1: System identification

RedSeal function: Provides detailed network mapping and visualization capabilities.

Benefit: Helps define the system boundary by identifying all network devices and connections, ensuring a comprehensive description of the system.

 

Step 2: System environment

RedSeal function: Models both the physical and virtual aspects of the network environment.

Benefit: Offers a clear view of how the system operates within its environment, including how data flows across the network and external interactions.

 

Step 3: Security requirements

RedSeal function: Integrates with compliance frameworks and checks against security policies.

Benefit: Ensures all security controls meet specific requirements outlined in relevant security standards and regulations.

 

Step 4: Security controls implementation

RedSeal function: Automatically maps and validates security controls against industry standards like NIST SP 800-53.

Benefit: Helps document the implementation details of each security control within the network, including configurations and the effectiveness.

 

Step 5: Roles & responsibilities

RedSeal function: Does not directly manage roles and responsibilities but provides documentation and reporting that supports role definition.

Benefit: Helps define the scope of responsibility for network security, detailing responsibility for managing and operating specific security controls.

 

Step 6: System interconnection

RedSeal function: Identifies and documents all network connections and interdependencies.

Benefit: Assists in accurately describing each interconnection, including security measures and data flow between systems.

 

Step 7: Security assessment & authorization

RedSeal function: Facilitates security assessments by providing comprehensive network visibility and risk analysis.

Benefit: Enhances the security assessment process, helping document current security state and changes needed for maintaining or obtaining ATO.

 

Step 8: Risk assessment results

RedSeal function: Conducts thorough risk assessments and prioritizes vulnerabilities.

Benefit: Provides detailed insights into potential risks, helping to document current risks and previous assessments in the SSP.

 

Step 9: Incident response plan

RedSeal function: Models potential attack paths and simulates breach scenarios.

Benefit: Supports development and documentation of system-specific incident response plans by identifying critical assets and potential attack vectors.

 

Step 10: Maintenance & continuous monitoring 

RedSeal function: Offers continuous monitoring of the network’s security posture and compliance status.

Benefit: Helps document the procedures and technologies used for continuous monitoring and maintenance of security controls, ensuring the SSP remains up-to-date with the actual security posture of the system.

 

RedSeal significantly streamlines the process of SSP development and maintenance by providing critical data, insights, and automation capabilities. This support not only enhances the accuracy and effectiveness of the SSP but also reduces the manual effort required from ISSOs and ISSMs, allowing organizations to focus more on strategic security management tasks.

Download our System Security Planning datasheet today.

Welcome to our latest cybersecurity roundup. This week, we explore critical lessons from NERC’s GridEx VII exercise, the surge in Chinese-manufactured devices in US networks, increased OT attacks by Russia’s Sandworm group, a data breach disclosure by Dell, a gift card fraud warning from the FBI, and how solar storms impacted Midwest corn planting. We’ve compiled the latest headlines to keep you informed on pressing cybersecurity developments.

 

1. Lessons from NERC’s GridEx exercise

A report from NERC and the E-ISAC looks at lessons learned from the GridEx VII exercise, a simulated targeting of North America’s electric grid with cyber and physical attacks. The exercise, which was conducted over two days in November 2023, involved participants from the electric sector and the government, and was followed by an in-person meeting between industry executives and government leaders from the United States and Canada. Recommendations from the report include increasing resilience for communications systems essential for operating the grid, preparing for recovery from complex and prolonged power outages, and increased coordination efforts between non-federal government partners and electric utilities. (NERC)

 

2. Chinese-manufactured devices in US networks see a 41% YoY increase

A report from Forescout found that the number of Chinese-manufactured devices in US networks has increased 41% year-over-year, despite official bans by the US government. The report says, “Critical infrastructure organizations are among those that use the highest numbers of such devices and some of these industries more than doubled the number of Chinese-manufactured devices in their networks in one year. One vertical of interest is the government where Hikvision and Dahua cameras, despite being banned, remain connected to networks. Other devices, including Yealink VoIP phones, are also present in the thousands.” The researchers note that vulnerable IP cameras often serve as initial access points to sensitive networks, and China-linked APTs have been known to exploit these devices in the past. (Forescout)

 

3. More OT attacks tied to Sandworm

Mandiant has published a report on the recent activities of Sandworm, a threat actor attributed to Russia’s GRU. Mandiant now tracks the group as “APT44,” and notes that “no other Russian government-backed cyber group has played a more central role in shaping and supporting Russia’s military campaign.” The threat actor has a much broader focus than the war in Ukraine, however, and the researchers are tracking “operations from the group that are global in scope in key political, military, and economic hotspots for Russia.”

Mandiant’s report ties APT44 to several hacktivist groups that have claimed responsibility for attacks against OT systems in the United States and the European Union, including three water utilities in Texas, a wastewater treatment plant in Poland, and a hydroelectric dam in France. These attacks don’t seem to have had any serious effects, but the researchers note that “[c]ontinued advancements and in-the-wild use of the group’s disruptive and destructive capabilities has likely lowered the barrier of entry for other state and non-state actors to replicate and develop their own cyber attack programs.” Sandworm has been responsible for several damaging attacks in the past, including the 2017 NotPetya attack and the disruptions of Ukraine’s energy grid in 2015 and 2016. (Mandiant)

 

4. Dell discloses data breach

Dell has disclosed a breach involving customer names and home addresses, as well as “Dell hardware and order information, including service tag, item description, date of order, and related warranty information,” TechCrunch reports. The company didn’t provide information on how many customers were affected or how the data was breached. TechCrunch notes that a user posted on a dark web forum last month claiming to be selling 49 million customer records from Dell, including “information of systems purchased from Dell between 2017 and 2024.” (Techcrunch)

 

5. F5 Networks warns of new Big-IP vulnerabilities

The vulnerabilities, numbered CVE-2024-26026 and CVE-2024-21793, exist in the BIG-IP Next Central Manager (NCM), a single-pane-of-glass management and orchestration solution provided by F5. Discovered by a researcher at Eclypsium, the vulnerabilities can lead to device takeover via SQL injection and OData injection respectively. F5 suggests “restricting the management access to the impacted products to only trusted users and devices over a secure network.” (Security Affairs)

 

6. Gift card fraud ring targets retailers’ employees

A warning from the FBI regarding Storm-0539, a financially motivated hacking group that targets the mobile devices of retail department staff using a phishing kit that enables them to bypass multi-factor authentication. After stealing the login credentials of gift card department personnel, the group seeks out SSH passwords and keys, which along with employee PII can be sold online. They then use compromised employee accounts to generate fraudulent gift cards. (BleepingComputer)

 

7. Solar storms delay the planting of corn

And finally, last Friday we noted that coming solar storms had the potential to disrupt electronics here on planet Earth, including the electrical grid and GPS satellite signals.  Over the weekend, intense solar storms, the strongest since 2003, did indeed disrupt GPS systems crucial for self-driving tractors, causing some farmers in the Midwest to halt planting corn. This timing is critical as planting after May 15th can significantly reduce crop yields, according to the University of Nebraska-Lincoln. Farmer Tom Schwarz noted that the precision required for his organic farming is so high that only GPS can achieve the necessary accuracy. Additionally, farmers were warned that future tending to their crops based on GPS data gathered this past weekend would likely be inaccurate. The solar storms reached a G5 severity, indicating potential major impacts on power grids and communications, although significant disruptions were avoided. We had clouds here in the Baltimore area, so no northern light show for us, but some of our colleagues from the Boston area shared pictures that were spectacular. (The Verge)

 

8. Black Basta ransomware targets critical infrastructure entities

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint advisory on the Black Basta ransomware-as-a-service operation, stating that BlackBasta affiliates have breached more than five hundred organizations since the ransomware surfaced in April 2022. The advisory notes that the threat actors “have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.” The agencies add, “Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions.” CNN cites sources as saying a Black Basta affiliate was responsible for the attack against the Ascension healthcare network last week. (CISA, CNN)

 

9. CMMC is coming, but concerns for small businesses persist under revamped rule

The Cybersecurity Maturity Model Certification (CMMC) is being revamped and its implementation is imminent, but significant concerns remain for small businesses. The updated rules aim to improve the security of the defense supply chain by requiring contractors to meet specific cybersecurity standards. However, small businesses face challenges such as the high costs of compliance, resource constraints, and the need for technological upgrades. These challenges could be financially burdensome, requiring investments in cybersecurity infrastructure and training for employees. Additionally, small businesses may struggle to allocate the necessary resources to meet the new requirements. (Federal News Network)

 

10. A malicious Python package targets macOS users

A malicious Python package named ‘requests-darwin-lite’ on PyPI, mimicking the popular ‘requests’ library, targeted macOS devices using the Sliver C2 framework, a tool for gaining access to corporate networks. Discovered by Phylum, the attack included multiple obfuscation steps such as steganography within a PNG image to covertly install Sliver. The package has since been removed from PyPI following Phylum’s report. Sliver is known for its post-exploitation capabilities and has become a preferred tool for cybercriminals due to its effectiveness in simulating adversary actions and evading detection compared to other frameworks like Cobalt Strike. This recent incident underscores the ongoing rise in cybercriminal adoption of Sliver for targeting various platforms, including macOS.

Meanwhile, Apple has extended security updates to older iPhones and iPads, addressing a zero-day vulnerability initially patched in March for newer devices. This vulnerability, found in the iOS Kernel’s RTKit, could allow attackers to bypass kernel memory protections. Although the exploiters of this flaw and the specific nature of the attacks remain undisclosed, such iOS zero-days are often used in targeted state-sponsored spyware attacks. Devices including the iPhone 8, iPhone X, and various iPad models have received the patches. Users of these devices are strongly encouraged to update immediately to safeguard against potential exploits. (Bleepingcomputer)

 

11. A glimpse into Africa’s internet vulnerability

Early Sunday morning, several African countries experienced a severe internet outage caused by two severed undersea cables. The incident is under investigation but is suspected to have been caused by a ship anchor. The country recently experienced two similar disruptions including back in February,  when a ship’s anchor dragged through three cables in the Red Sea. Africa’s internet relies on a limited number of fragile undersea cables so when routes become unavailable, alternate pathways become jammed causing service slowdowns. Repairing damaged cables can take weeks due to requiring specialized skills and equipment and fair weather conditions. Progress toward improving Africa’s internet infrastructure challenges has been slowed by logistical and financial constraints. Experts say the problem needs to be solved through investment in diversified connectivity such as satellite internet links and vital communications infrastructure on the ground such as data centers and internet exchanges. (BBC)

 

12. Wichita ransomware attack resulted in data theft

The city of Wichita, Kansas has disclosed that the ransomware attack it sustained earlier this month led to the theft of personal and financial information. The city stated, “As part of our thorough review and assessment of this matter, we identified that certain files were copied from our computer network without permission between May 3 and 4, 2024. These files contained law enforcement incident and traffic information, which include names, Social Security numbers, driver’s license or state identification card numbers, and payment card information.”The city added, “We identified that this matter is related to a recently disclosed security vulnerability that affects organizations throughout the world.” SecurityWeek reports that the LockBit ransomware gang has claimed responsibility for the attack.(SecurityWeek)

 

13. Turla Group looks to backdoor diplomatic missions

Researchers at ESET detailed how an unnamed European Monistry of Foreign Affairs saw three of its diplomatic missions in the Middle Easter targeted by two novel backdoors. ESET said it had medium confidence that the Russian-affiliated group Turla orchestrated the attack. The LunarWeb backdoor deployed on servers, while LunarMail targeted workstations as an Outlook add-in, communicating with C2 servers over email. LunarMail spreads through a spearphishing email with malicious Word doc attachments, while LunarWeb uses a compiled ASP.NET page to decode two embedded components in the attack chain. An analysis shows both being used in targeted attacks since 2020. (The Hacker News)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.