Cyber Security Headlines: December 23, 2024
Hosted by Steve Prentiss of the CISO Series, the Cyber Security Headlines podcast delves into the most pressing information security issues of the day. In the December 23, 2024 episode, titled "FlowerStorm attacks Microsoft 365, BeyondTrust on KEV, Ascension Health fallout," Prentiss covers a range of significant cybersecurity incidents and developments. This summary provides a comprehensive overview of the key topics discussed, enriched with notable quotes and timestamps for context.
1. FlowerStorm Targets Microsoft 365 Users
Timestamp: [00:00]
Steve Prentiss opens the episode by highlighting a new phishing-as-a-service platform named FlowerStorm, which poses a significant threat to Microsoft 365 users. Emerging from the remnants of the notorious Rockstar 2FA, FlowerStorm employs adversary-in-the-middle techniques to intercept user credentials and session cookies, effectively bypassing Multi-Factor Authentication (MFA) protections.
"This new phishing as a service platform has emerged from the ashes of Rockstar 2FA to use adversary in the middle techniques to intercept user credentials and session cookies in order to bypass Multi Factor Authentication protections." – Steve Prentiss [00:00]
FlowerStorm utilizes phishing portals that closely mimic legitimate Microsoft login pages, making it challenging for users to detect malicious attempts. According to a report from Sophos, approximately 63% of organizations and 84% of users targeted by FlowerStorm are based in the United States.
Protective Measures Recommended:
- Use MFA with AiTM-resistant FIDO2 tokens: FIDO2/WebAuthn credentials are bound to the site's origin, so a phishing proxy on a look-alike domain cannot obtain a valid sign-in assertion to relay.
- Deploy Email Filtering Solutions: Helps in identifying and blocking phishing emails before they reach users.
- Implement DNS Filtering: Blocks access to suspicious and malicious domains associated with phishing activities.
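To show why the FIDO2 recommendation holds against the adversary-in-the-middle technique described above, here is an added example (not from the episode or from Sophos) that models the WebAuthn origin binding a relying party checks. Hostnames, challenges and the credential key are constructed placeholders, and an HMAC stands in for the authenticator's asymmetric signature so the code runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo values; none of these hosts are real.
RP_ID = "login.example.test"
RP_ORIGIN = "https://login.example.test"
PHISH_ORIGIN = "https://login.example-phish.test"  # AiTM proxy's look-alike site
# Stand-in for the per-credential private key (HMAC replaces a real signature).
CREDENTIAL_KEY = b"constructed-demo-key"


def canon(obj: dict) -> bytes:
    """Deterministic clientDataJSON encoding so hashes are reproducible."""
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def authenticator_sign(origin: str, challenge: str) -> dict:
    """Model an assertion: the browser records the origin it is really on and
    the authenticator signs rpIdHash || SHA-256(clientDataJSON)."""
    rp_id = origin.split("://", 1)[1]
    client_data = canon({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()}


def rp_verify(assertion: dict, challenge: str) -> str:
    """Relying-party checks: challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("challenge") != challenge:
        return "reject: challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return "reject: origin mismatch"
    if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return "reject: rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expect = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expect, assertion["sig"]) else "reject: bad signature"


def legit_login(challenge: str = "c1") -> str:
    return rp_verify(authenticator_sign(RP_ORIGIN, challenge), challenge)


def aitm_relay(challenge: str = "c2") -> str:
    # The victim's browser is on the proxy's domain, so the signed origin is the proxy's.
    return rp_verify(authenticator_sign(PHISH_ORIGIN, challenge), challenge)


def aitm_relay_tampered(challenge: str = "c3") -> str:
    # If the proxy rewrites origin and rpIdHash to look legitimate, the signed
    # data no longer matches and the signature check fails instead.
    a = authenticator_sign(PHISH_ORIGIN, challenge)
    cd = json.loads(a["client_data"]); cd["origin"] = RP_ORIGIN
    a["client_data"] = canon(cd)
    a["auth_data"] = hashlib.sha256(RP_ID.encode()).digest()
    return rp_verify(a, challenge)
```

A real browser would additionally refuse to use a credential whose rpId does not match the page origin, so in practice the relayed request never reaches the authenticator at all.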
2. BeyondTrust Vulnerability Added to CISA’s KEV Catalog
Continuing the security discourse, Prentiss discusses the addition of a critical vulnerability in BeyondTrust products to the CISA Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability affects BeyondTrust's Privileged Remote Access and Remote Support products and allows an unauthenticated attacker to inject commands that are executed as a site user.
"A critical vulnerability has been discovered in privileged remote access and remote support products which can allow an unauthenticated attacker to inject commands that are run as a site user." – Steve Prentiss [00:00]
The flaw carries a Common Vulnerability Scoring System (CVSS) score of 9.8 (critical), and federal agencies have been directed to remediate it by December 27th.
3. Ascension Health Ransomware Attack Impact
The episode sheds light on a significant ransomware attack on Ascension Health, one of the largest healthcare providers in the United States. The attack, which occurred on May 8, compromised the personal information of nearly 6 million individuals.
Prentiss details the types of data stolen, including:
- Medical Information: Records of medical tests and procedures.
- Insurance Data: Information related to insurance claims and coverage.
- Government Identification: Social Security numbers and passport details.
- Payment Information: Credit card and other financial data.
In response, Ascension Health is offering two years of free identity protection services and a $1 million insurance reimbursement policy to victims for any fraud incidents. The attack has had widespread repercussions, forcing member hospitals to:
- Turn away ambulances.
- Revert to paper records.
- Cancel non-emergency appointments.
4. Major Cyber Attack on Ukrainian State Registers
Prentiss reports on one of the largest cyber attacks attributed to Russian actors targeting Ukraine's state infrastructure. Ukrainian officials confirmed that the attack aimed to disrupt various state registers containing sensitive information such as:
- Citizens' Biometric Data
- Business Records
- Property Ownership Details
- Legal and Court Decisions
- Voter Information
- Tax Records and Permits
The pro-Russian group XakNet (pronounced "Zaknet") claimed responsibility via its Telegram channel, stating that its hackers infiltrated the infrastructure of the Ministry of Justice through a contractor managing the state enterprise National Information Systems (NaIS).
"This attack intended to sow confusion and panic." – Steve Prentiss [00:00]
5. Surge in Bad Box Android Infections
Following a previous report on the infection of 30,000 Android devices in Germany, Prentiss updates listeners on the growing threat posed by the Bad Box botnet infrastructure. Researchers at BitSight have identified over 192,000 devices now infected, including:
- Russian-made Yandex 4K QLED Smart TVs
- Chinese-made Hisense Smartphones
The majority of these infections are concentrated in countries such as Russia, China, India, Belarus, Brazil, and Ukraine. Bad Box malware typically comes pre-installed on devices and is used to create email and messaging accounts for disseminating disinformation.
6. US Extradition Complaint Against Lockbit Technician
The podcast covers the recent legal developments involving Rostislav Paniev, a dual Russian and Israeli national accused of being a software developer for the Lockbit ransomware group. The U.S. Department of Justice has filed a complaint seeking Paniev's extradition to stand trial on 40 counts, including computer damage and extortion.
"Paniev worked for the cybercrime group from 2019 up until its takedown by law enforcement in February of this year." – Steve Prentiss [00:00]
Evidence against Paniev includes access to the Lockbit control panel, restricted exclusively to vetted Lockbit members, highlighting his direct involvement in the ransomware operations.
7. Microsoft 365 Product Deactivation Errors
Prentiss discusses a technical issue affecting Microsoft 365 users, where customers encounter "Product Deactivated" errors. These errors primarily occur during activities such as:
- Moving users between licensing groups (e.g., Azure Active Directory groups)
- Synchronizing on-premises security groups
- Switching user subscriptions (e.g., changing from an Office 365 E3 license to a Microsoft 365 E3 license)
Recommended Solutions:
- Click the Reactivate Button: Located on the error banner, followed by signing in when prompted.
- Sign Out and Restart Apps: Signing out of all Microsoft 365 apps, closing them, and restarting before signing back in can resolve the issue.
8. North Korea's Crypto Theft Escalates
One of the most alarming topics covered is the massive increase in cryptocurrency theft attributed to North Korean hackers. According to Chainalysis, North Korea stole $1.3 billion in crypto during 2024, more than doubling the previous year's total. This figure accounts for 59% of all crypto stolen in the year, marking a 21% increase over 2023, though still below the heights of the two preceding years.
The primary method for these thefts involves the compromise of private keys, which are essential for controlling access to crypto assets on various platforms.
Conclusion
Steve Prentiss concludes the episode by reminding listeners about the upcoming Week in Review show and encouraging them to subscribe to the YouTube channel for future updates. The episode underscores the persistent and evolving nature of cybersecurity threats, emphasizing the need for robust protective measures and vigilant monitoring to safeguard sensitive information and digital assets.
For those seeking more in-depth coverage of these topics, Prentiss directs listeners to visit CISOseries.com for the full stories behind the headlines.
