
Steve Prentiss
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Monday, December 23rd, 2024. I'm Steve Prentiss.

Phishing-as-a-Service platform FlowerStorm attacking Microsoft 365 users. This new phishing-as-a-service platform has emerged from the ashes of Rockstar 2FA to use adversary-in-the-middle techniques to intercept user credentials and session cookies in order to bypass Multi-Factor Authentication protections. The platform uses phishing portals that mimic legitimate Microsoft login pages to harvest credentials and MFA tokens. A report from Sophos says that approximately 63% of organizations and 84% of users targeted by FlowerStorm are based in the United States. To protect against these phishing attacks, experts recommend using Multi-Factor Authentication with AiTM-resistant FIDO2 tokens, deploying email filtering solutions, and using DNS filtering to block access to suspicious domains.

CISA adds BeyondTrust flaw to its Known Exploited Vulnerabilities Catalog. Following up on a story we covered last week, and which we discussed on last Friday's episode of Cybersecurity Headlines Week in Review, the issue afflicting security company BeyondTrust has now been added to the CISA KEV catalog. According to the CISA advisory, a critical vulnerability has been discovered in privileged remote access and remote support products which can allow an unauthenticated attacker to inject commands that are run as a site user, end quote. This vulnerability carries a CVSS score of 9.8, and federal agencies must now fix it by December 27th.

Ascension Health ransomware attack impacted nearly 6 million people. In breach notification documents filed with regulators, the health care giant Ascension Health states that the attack, which happened on May 8, resulted in the theft of medical information, insurance data, government identification and payment information, which includes records of medical tests, credit card information, Social Security numbers and passport numbers. Victims are being offered two years of free identity protection services and access to a one million dollar insurance reimbursement policy for fraud incidents. This was one of many healthcare-related attacks this year and, like so many others, it forced its member hospitals to turn away ambulances, revert to paper records and cancel non-emergency appointments.

Ukraine suffers one of the largest Russian cyber attacks to date. According to a statement from Ukrainian officials released Thursday, this attack targeted Ukrainian state registers, which store various types of official records including citizens' biometric data, business records, property ownership, real estate transactions, legal and court decisions, voter information, tax records and permits. Ukrainian officials call this an attack intended to sow confusion and panic. The pro-Russian group Zaknet, that is spelt X-A-K-N-E-T, claimed responsibility through their Telegram channel. It said their hackers managed to infiltrate the infrastructure of the Ministry of Justice through a contractor that runs the registers, specifically the state enterprise National Information Systems, NAIS. End quote.

Thanks to today's episode's sponsor, ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Well, worry no more. You can harden your security with ThreatLocker. ThreatLocker helps you take a proactive default-deny approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation are fully supported by their US-based support team. To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit threatlocker.com, that is T-H-R-E-A-T-L-O-C-K-E-R dot com.

Bad Box Android infection grows. Following up on a story we covered last week, in which we described 30,000 Android devices in Germany being infected, researchers at BitSight have discovered a new Bad Box bot infrastructure that shows more than 192,000 devices now infected. These additional devices include Russian-made Yandex 4K QLED smart TVs and Chinese-made Hisense smartphones. Most of the infected devices are in Russia, China, India, Belarus, Brazil and Ukraine. Bad Box malware comes pre-installed on these types of devices and creates email and messaging accounts for spreading disinformation.

The US unseals complaint against the technician accused of working for LockBit. The US is seeking to extradite Rostislav Paniev, 51, a dual Russian and Israeli national accused of being a software developer for the LockBit ransomware group. He faces trial on 40 counts, including computer damage and extortion. The complaint states that Paniev worked for the cybercrime group from 2019 up until its takedown by law enforcement in February of this year. Among the pieces of evidence presented was Paniev's computer, which had access to the LockBit control panel, which was only available to LockBit members who have undergone a vetting process and not to the general public. End quote.

Microsoft 365 users hit by random product deactivation errors. Another story from Microsoft 365: the company is looking into an issue in which customers using Microsoft 365 Office apps are encountering "product deactivated" errors. Specifically, these are occurring when, quote, moving users between licensing groups including Azure Active Directory groups or synced on-premises security groups, or switching user subscriptions, such as changing from an Office 365 E3 license to a Microsoft 365 E3 license. Affected users should be able to click the Reactivate button on the error banner and sign in when prompted. Or they can sign out of all Microsoft 365 apps, close them and restart them before signing back in.

North Korean hackers stole $1.3 billion of crypto in 2024, according to a report from research firm Chainalysis. This number is more than double last year's haul for the country. This amount also represents 59% of all the crypto stolen this year, which also has increased 21% over 2023, although still below the levels recorded in the two prior years. The majority of crypto stolen this year was due to compromised private keys, which are used to control access to users' assets on crypto platforms.

With the holiday season and the New Year circling all around us, this is just a reminder that we will not have a Super Cyber Friday discussion this week. But after you have celebrated Boxing Day and whatever else is happening for you, be sure to join us this Friday for our Week in Review show. Subscribe to our YouTube channel to join us this Friday at 3:30pm Eastern and join our chat room to discuss the news of the week. We certainly look forward to seeing you there. I'm Steve Prentiss reporting for the CISO Series. Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Hosted by Steve Prentiss of the CISO Series, the Cyber Security Headlines podcast delves into the most pressing information security issues of the day. In the December 23, 2024 episode, titled "FlowerStorm attacks Microsoft 365, BeyondTrust on KEV, Ascension Health fallout," Prentiss covers a range of significant cybersecurity incidents and developments. This summary provides a comprehensive overview of the key topics discussed, enriched with notable quotes and timestamps for context.
Timestamp: [00:00]
Steve Prentiss opens the episode by highlighting a new phishing-as-a-service platform named FlowerStorm, which poses a significant threat to Microsoft 365 users. Emerging from the remnants of the notorious Rockstar 2FA, FlowerStorm employs adversary-in-the-middle techniques to intercept user credentials and session cookies, effectively bypassing Multi-Factor Authentication (MFA) protections.
"This new phishing as a service platform has emerged from the ashes of Rockstar 2FA to use adversary in the middle techniques to intercept user credentials and session cookies in order to bypass Multi Factor Authentication protections." – Steve Prentiss [00:00]
FlowerStorm utilizes phishing portals that closely mimic legitimate Microsoft login pages, making it challenging for users to detect malicious attempts. According to a report from Sophos, approximately 63% of organizations and 84% of users targeted by FlowerStorm are based in the United States.
Protective Measures Recommended:
- Multi-Factor Authentication using AiTM-resistant FIDO2 tokens
- Email filtering solutions
- DNS filtering to block access to suspicious domains
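To show why the FIDO2 recommendation holds against an adversary-in-the-middle portal of the kind FlowerStorm runs, here is an added example (not from the episode, and not Sophos or Microsoft code) that models the two checks that defeat a relaying proxy: a conforming browser refuses to sign for a relying-party ID that does not match the page's origin, and the server rejects any assertion whose clientData origin or rpIdHash does not match its own. The origins, rpId and challenge are constructed placeholders, and signature verification is left out so the origin-binding logic stands alone.

```python
import base64
import hashlib
import json

# Constructed placeholder relying party and challenge (not a real deployment).
EXPECTED_ORIGIN = "https://login.example.com"
RP_ID = "example.com"
CHALLENGE = b"constructed-32-byte-challenge!!!"  # random per login in practice


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_build_assertion(page_origin, requested_rp_id, challenge):
    # Model of a conforming browser: the rpId must equal the page's effective
    # domain or be a registrable suffix of it, so a look-alike proxy host cannot
    # ask the token to sign for "example.com". The origin seen is recorded.
    host = page_origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError("SecurityError: rpId is not a valid domain for this origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    # authenticatorData = rpIdHash (32 bytes) | flags UP|UV (0x05) | signCount
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    return client_data, auth_data


def rp_verify(client_data, auth_data, challenge):
    # Relying-party checks; signature over authData||sha256(clientData) omitted.
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def simulate_login(page_origin, requested_rp_id=RP_ID):
    # Outcome of a login rendered at page_origin, whatever proxy relays the bytes.
    try:
        client_data, auth_data = browser_build_assertion(page_origin, requested_rp_id, CHALLENGE)
    except ValueError as exc:
        return False, str(exc)
    return rp_verify(client_data, auth_data, CHALLENGE)
```

A login rendered at the genuine origin passes, while one rendered on a proxy host fails either in the browser (if it asks for the real rpId) or at the server's origin check (if it asks for its own), which is why relayed credentials and session cookies no longer complete the ceremony.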
Continuing the security discourse, Prentiss discusses the inclusion of a critical vulnerability in BeyondTrust products into the CISA Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability affects BeyondTrust's privileged remote access and remote support products, allowing unauthenticated attackers to inject and execute commands as a site user.
"A critical vulnerability has been discovered in privileged remote access and remote support products which can allow an unauthenticated attacker to inject commands that are run as a site user." – Steve Prentiss [00:00]
The Common Vulnerability Scoring System (CVSS) has rated this flaw at a severe 9.8, prompting immediate action from federal agencies to remediate the issue by December 27th.
The episode sheds light on a significant ransomware attack on Ascension Health, one of the largest healthcare providers in the United States. The attack, which occurred on May 8, compromised the personal information of nearly 6 million individuals.
Prentiss details the types of data stolen, including:
- Medical information
- Insurance data
- Government identification
- Payment information
Specific records include medical test results, credit card information, Social Security numbers and passport numbers.
In response, Ascension Health is offering two years of free identity protection services and a $1 million insurance reimbursement policy to victims for any fraud incidents. The attack has had widespread repercussions, forcing member hospitals to:
- Turn away ambulances
- Revert to paper records
- Cancel non-emergency appointments
Prentiss reports on one of the largest cyber attacks attributed to Russian actors targeting Ukraine's state infrastructure. Ukrainian officials confirmed that the attack aimed to disrupt various state registers containing sensitive information such as:
- Citizens' biometric data
- Business records
- Property ownership and real estate transactions
- Legal and court decisions
- Voter information
- Tax records and permits
The pro-Russian group Zaknet (spelled XAKNET) claimed responsibility via their Telegram channel, stating that their hackers infiltrated the infrastructure of the Ministry of Justice through a contractor managing the state enterprise National Information Systems (NaIS).
"Ukrainian officials call this an attack intended to sow confusion and panic." – Steve Prentiss [00:00]
Following a previous report on the infection of 30,000 Android devices in Germany, Prentiss updates listeners on the growing threat posed by the Bad Box botnet infrastructure. Researchers at BitSight have identified over 192,000 devices now infected, including:
- Russian-made Yandex 4K QLED smart TVs
- Chinese-made Hisense smartphones
The majority of these infections are concentrated in countries such as Russia, China, India, Belarus, Brazil, and Ukraine. Bad Box malware typically comes pre-installed on devices and is used to create email and messaging accounts for disseminating disinformation.
The podcast covers the recent legal developments involving Rostislav Paniev, a dual Russian and Israeli national accused of being a software developer for the Lockbit ransomware group. The U.S. Department of Justice has filed a complaint seeking Paniev's extradition to stand trial on 40 counts, including computer damage and extortion.
"Paniev worked for the cybercrime group from 2019 up until its takedown by law enforcement in February of this year." – Steve Prentiss [00:00]
Evidence against Paniev includes access to the Lockbit control panel, restricted exclusively to vetted Lockbit members, highlighting his direct involvement in the ransomware operations.
Prentiss discusses a technical issue affecting Microsoft 365 users, where customers encounter "product deactivated" errors. These errors primarily occur during activities such as:
- Moving users between licensing groups, including Azure Active Directory groups or synced on-premises security groups
- Switching user subscriptions, such as changing from an Office 365 E3 license to a Microsoft 365 E3 license
Recommended Solutions:
- Click the Reactivate button on the error banner and sign in when prompted
- Alternatively, sign out of all Microsoft 365 apps, close and restart them, then sign back in
One of the most alarming topics covered is the massive increase in cryptocurrency theft attributed to North Korean hackers. According to Chainalysis, North Korea stole $1.3 billion in crypto during 2024, more than doubling the previous year's total. This figure accounts for 59% of all crypto stolen in the year, marking a 21% increase over 2023, though still below the heights of the two preceding years.
The primary method for these thefts involves the compromise of private keys, which are essential for controlling access to crypto assets on various platforms.
Steve Prentiss concludes the episode by reminding listeners about the upcoming Week in Review show and encouraging them to subscribe to the YouTube channel for future updates. The episode underscores the persistent and evolving nature of cybersecurity threats, emphasizing the need for robust protective measures and vigilant monitoring to safeguard sensitive information and digital assets.
For those seeking more in-depth coverage of these topics, Prentiss directs listeners to visit CISOseries.com for the full stories behind the headlines.