Weekly Cyber News Roundup

August 7th to August 11th 

Content 

01. Vulnerabilities
02. News Bites
  • Russia top suspect behind UK Electoral Commission hack

  • Police Service of Northern Ireland Data Breach highlights insider threat risks

  • Largest cyber attack against US hospitals in years causes significant disruption

  • March’s Capita cyber attack to cost firm over £25 million

  • Signs that notorious Ransomware gangs are working together on cyber attacks

03. Conclusion

Vulnerabilities 

Microsoft patches two zero days and over 80 flaws

Microsoft has patched 87 vulnerabilities, including two zero-days actively exploited. The first, disclosed last month, is identified as CVE-2023-36884.

This month, Microsoft addressed it as a Windows Search Security Feature Bypass Vulnerability and released ADV230003, a preventive measure against its exploitation.

The second zero-day, CVE-2023-38180, targets .NET and Visual Studio, causing a system crash. Action1’s Mike Walters noted its 7.5 CVSS score, resulting from its sole denial of service potential. Additionally, attention was drawn to CVE-2023-21709, an elevation of privilege flaw in Microsoft Exchange Server with a 9.8 CVSS score.

Microsoft also listed 20+ remote code execution bugs. Notably, CVE-2023-29328 and CVE-2023-29330 in Microsoft Teams require user involvement in a malicious Teams meeting. Three RCE vulnerabilities in the Microsoft Message Queuing Service have a CVSS score of 9.8, yet with a lower exploitation probability.

Quick News Bites

Russia top suspect behind UK Electoral Commission hack

British intelligence has linked the Electoral Commission's data breach to Russian involvement.

The Electoral Commission disclosed the "complex cyber attack" by "hostile actors" this week, though the breach started in August 2021 and was detected 14 months later.

The breach accessed voter registers from 2014-2022, including overseas voters, and potentially compromised sensitive emailed information. While the commission stated the breached data presents a low risk to individuals, questions remain about the prolonged undetected presence of hackers. The delay in public disclosure was attributed to ongoing investigations and security upgrades.

According to a report in the Telegraph the breach exhibited ransomware signs, raising fears of possible election interference. The hackers also got into the commission’s email system. It is not known what was accessed but the commission said that any sensitive information emailed in by people - such as bank records - could be compromised.

Tensions between the UK and Russia have been high, especially after Russia's 2022 invasion of Ukraine. Though the cyberattack happened before the invasion, it intensifies these strains. Whilst Russia top the lists of suspects China was named as a close second due to the value the CCP puts on ‘collecting’ data for their strategic interests.

Police Service of Northern Ireland Data Breach highlights insider threat risks

The Police Service of Northern Ireland experienced a data breach that inadvertently exposed the names, roles, and locations of both police and civilian personnel.

The leak transpired after a Freedom of Information request was mistakenly fulfilled with a spreadsheet carrying this sensitive information. From the chief constable to rank-and-file officers and administrative staff, details of all PSNI members were on the document, though private addresses were exempt. An immediate investigation was initiated to understand the oversight.

Making matters worse is that militant dissident republicans said that they had access to the information including the details of 40 Mi5 officers. 

The data breach underscores not just the serious potential risks of insider threats but also the dangers posed by accidental insider breaches, emphasising the need for stringent data protection measures.

Largest cyber attack against US hospitals in years causes significant disruption

A massive cyber-attack struck U.S. hospital systems, causing disruptions that closed emergency rooms in several states and rerouted ambulances.

Starting last Thursday, the ransomware attack focused on Prospect Medical Holdings, with facilities across Texas, Connecticut, Rhode Island, and Pennsylvania all being impacted. The company shut down its systems and sought expertise from cyber security specialists.

In a statement Prospect Medical said it is reevaluating its systems, potentially rescheduling appointments and promising to notify affected patients.

Cyber security experts noted the grave repercussions on the already stressed healthcare sector and emphasised the rush to digitise without adequate security measures during the Covid-19 pandemic.

Top of Form

March’s Capita cyber attack to cost firm over £25 million

Capita revealed a financial impact up to £25m as a result of the cyber-attack suffered in March, leading to a near £68m pre-tax loss for the first half of the year.

The attack, orchestrated by the Black Basta ransomware group, hacked Capita's Microsoft Office 365, accessing data of the company's employees and various clients.

Though the company confirmed a data breach, they stated that only 0.1% of its server estate was compromised. Recovery measures have been taken, with affected parties notified. While nearing the end of their investigation, Capita acknowledged learning valuable lessons.

The company, used by local councils, the military, and the NHS, revised its financial damage estimates for the attack from £15m-£20m to £20m-£25m, attributing to data analysis complexities, recovery costs, and cybersecurity enhancements.

Capita's shares dropped 12% following the report, and post-attack, around 90 entities reported data breaches to the UK's Information Commissioner's Office, emphasising the attack's broader implications.

Signs that notorious Ransomware gangs are working together on cyber attacks

Hive ransomware group's former affiliates may be joining other significant dark web entities, leading to speculation of major ransomware gangs collaborating. After law enforcement successfully disabled Hive in a joint FBI-Europol operation, it is theorised that Hive's affiliates might have transitioned to Royal and Black Basta, explaining the similarities of attacks.

Security analysts at Sophos observed connections among three notorious ransomware groups: Royal, Hive, and Black Basta. Cyber-attacks early in 2023 were said to have exhibited notable similarities in their techniques, suggesting potential collaboration or sharing of intricate technical specifics among the groups.

For instance, repeated usage of identical usernames and passwords during their system intrusions was observed. Furthermore, each employed matching techniques like delivering payloads in .7z archives named after their victims, and executing similar commands.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.

Need advice?

If you are worried about any of the threats outlined in this roundup or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or fill in the form for a complimentary no-commitment consultation.

More detailed threat intelligence news?

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.

Security-first-stacked-logo4-No-Padding

Cyber Security Conference

LONDON | 28 April 2022
DUBLIN | 11 May 2022

Join us in Dublin or London for the Security First 2022 conference.  We'll be bringing together industry professionals and specialist experts to discuss the latest cyber security trends and offer actionable advice on preparing your business to put security first in 2022.