
Vercara’s Open-Source Intelligence (OSINT) Report – March 21 – March 27, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. 

NOTE: Except where indicated, this report is released as TLP: CLEAR, and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.


Russian APT releases more deadly variant of AcidRain wiper malware.

(TLP: CLEAR) A recognized ransomware group has leaked patient clinical data from NHS Dumfries and Galloway following a cyber-attack on its systems. The attack, which occurred earlier this month, resulted in the hackers accessing a significant amount of data, including patient and staff-identifiable information. The ransomware group, Inc Ransom, threatened to publish 3TB of data relating to NHS Scotland patients and staff unless their demands were met.

(TLP: CLEAR) Comments: The leaked data includes sensitive clinical documents, such as genetics reports and letters between doctors discussing patient treatments. The NHS is working to limit the sharing of this information and is conducting a thorough investigation in collaboration with law enforcement and cybersecurity agencies. The incident highlights the ongoing threat of ransomware attacks on healthcare organizations and the potential risks to patient privacy and safety.

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Using a combination of agent-based and network-based detection, such as with a Protective DNS solution, provides overlapping protection for conventional IT assets such as laptops, desktops, and some servers, but also for non-standard IT assets such as IoT devices and some servers that cannot run anti-malware software.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.

Sources: https://www.darkreading.com/cyberattacks-data-breaches/russian-apt-releases-more-deadly-variant-of-acidrain-wiper-malware

Hackers threaten to publish huge cache of NHS data.

(TLP: CLEAR) NHS Dumfries and Galloway, a Scottish NHS Trust, has confirmed that patient clinical data has been leaked online by a recognized ransomware group. The cyber-attack, which occurred earlier this month, resulted in the hackers accessing a significant amount of data, including patient and staff-identifiable information. The ransomware group, known as Inc Ransom, threatened to publish 3TB of data relating to NHS Scotland patients and staff unless their demands were met.

(TLP: CLEAR) Comments: The leaked data includes sensitive clinical documents such as genetics reports and letters between doctors discussing patient treatments. NHS Dumfries and Galloway is working with law enforcement agencies and other organizations to respond to the situation and limit the sharing of leaked information. The incident highlights the increasing trend of ransomware attacks targeting healthcare organizations and the potential risks to patient privacy and safety.

(TLP: CLEAR) Recommended best practices/regulations: Department of Health and Human Services Fact Sheet: Ransomware and The Health Information Portability and Accountability Act (HIPAA): “The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. Some of these required security measures include:

  • “implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks;
  • “implementing procedures to guard against and detect malicious software;
  • “training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and
  • “implementing access controls to limit access to ePHI to only those persons or software programs requiring access.”

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.

Sources: https://www.bbc.com/news/articles/c3g5r9g45n4o
Sources: https://www.infosecurity-magazine.com/news/nhs-clinical-data-leaked-ransomware/

GitLab security flaw let attackers inject malicious scripts: Patch Now.

(TLP: CLEAR) GitLab, a popular web-based DevOps tool, has recently discovered a security flaw that could potentially allow attackers to execute malicious scripts on users’ systems. The vulnerability, labeled as CVE-2021-22214, affects GitLab versions 13.7 and later. It is caused by improper input validation in the CI/CD pipeline configuration file, which could be exploited by an attacker to inject and execute arbitrary commands.

(TLP: CLEAR) Comments: GitLab has released a security patch to address the issue and urges all users to update their installations immediately. This incident highlights the importance of regularly updating software to protect against potential security vulnerabilities.

(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3, Malicious Code Protection: “Control:

  • “a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
  • “b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
  • “c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection; and
  • “d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”

NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a complement to anti-virus and Endpoint Detection and Response (EDR) agents to reduce the total amount of malware infections.

Sources: https://cybersecuritynews.com/gitlab-security-flaw-malicious-scripts/

Chinese hackers target ASEAN entities in espionage campaign.

(TLP: CLEAR) Chinese Advanced Persistent Threat (APT) groups have been targeting entities in the Association of Southeast Asian Nations (ASEAN) in a cyber espionage campaign, according to cybersecurity researchers. The APT groups, known as APT27 and APT40, have been actively conducting attacks on organizations in ASEAN countries, including Vietnam, Thailand, and the Philippines.

(TLP: CLEAR) Comments: The motive behind the cyber espionage campaign is believed to be intelligence gathering, with the APT groups seeking to obtain valuable information related to political, economic, and military activities in the ASEAN region. The stolen data can be used for various purposes, including strategic advantage, economic espionage, and even blackmail. Researchers have also noted that the APT groups have been evolving their tactics and techniques over time, making it more challenging to detect and defend against their attacks. They recommend that organizations in ASEAN countries enhance their cybersecurity measures, including implementing strong network defenses, conducting regular security assessments, and providing cybersecurity training to employees.

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.3: “Anti-malware mechanisms and processes are active, maintained, and monitored.

  • “The anti-malware solution(s) is kept current via automatic updates.
  • “The anti-malware solution(s):
      • Performs periodic scans and active or real-time scans, OR
      • Performs continuous behavioral analysis of systems or processes.

“If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.”

Regular updating of anti-malware definitions and performing periodic scans requires processing and disk input/output. As a result, most updates and scans happen overnight, resulting in a detection gap of up to several days depending on the type of device. Protective DNS solutions are able to update their detection rules in real time and provide support for network-based behavioral analytics.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them.
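The Protective DNS descriptions in this report (correlating each query against CTI indicators, applying domain categories, and checking the answer as well as the name) are, at their core, a policy lookup over DNS query logs. The script below is an added illustration written for this report; it is not code from Vercara or UltraDDR. The IoC feed, the blocked-category policy, the log line layout and all names and addresses in it are constructed for the example (documentation ranges and the reserved `.example` TLD), and the matching is deliberately label-based so that an indicator for `bad-c2.example` catches every subdomain but not a look-alike such as `notbad-c2.example`.

```python
"""Toy Protective DNS policy check over sample query-log lines.

Added illustration for this report, not vendor code. Assumptions (all constructed):
  - IoC feed entries are (indicator, category) pairs; an indicator is a domain
    or an IPv4/IPv6 address (an address matches the resolved answer, not the name).
  - Log lines look like: "<timestamp> <client-ip> <qname> <qtype> <first-answer-or->"
  - Only categories in BLOCKED_CATEGORIES are blocked; other categorised
    domains (e.g. advertising) are policy decisions left to the operator.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample feed; none of these are real indicators.
IOC_FEED = [
    ("bad-c2.example", "malware-c2"),
    ("login-microsoft.example", "phishing"),
    ("ads.example", "advertising"),
    ("198.51.100.23", "malware-c2"),
]

BLOCKED_CATEGORIES = {"malware-c2", "phishing", "malware-delivery"}


@dataclass(frozen=True)
class Verdict:
    qname: str
    action: str   # "block" or "allow"
    reason: str   # matched indicator and category, or "no-match"


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()


class ProtectiveDnsPolicy:
    def __init__(self, feed, blocked_categories):
        self.domains = {}
        self.ips = {}
        for indicator, category in feed:
            try:
                self.ips[ipaddress.ip_address(indicator)] = category
            except ValueError:
                self.domains[normalize(indicator)] = category
        self.blocked = set(blocked_categories)

    def match_domain(self, qname: str):
        """Walk from the full name up through its parents, one label at a time,
        so sub.deep.bad-c2.example is caught by an indicator for bad-c2.example."""
        labels = normalize(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate, self.domains[candidate]
        return None

    def evaluate(self, qname: str, answer: Optional[str] = None) -> Verdict:
        name = normalize(qname)
        hit = self.match_domain(name)
        if hit and hit[1] in self.blocked:
            return Verdict(name, "block", f"domain {hit[0]} [{hit[1]}]")
        if answer:
            try:
                ip = ipaddress.ip_address(answer)
            except ValueError:
                ip = None
            # Second chance: a benign-looking name that resolves to a known-bad host.
            if ip is not None and ip in self.ips and self.ips[ip] in self.blocked:
                return Verdict(name, "block", f"answer {ip} [{self.ips[ip]}]")
        return Verdict(name, "allow", "no-match")


def evaluate_log(policy: ProtectiveDnsPolicy, lines):
    """Apply the policy to each well-formed log line; malformed lines are skipped."""
    verdicts = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, _client, qname, _qtype, answer = parts[:5]
        verdicts.append(policy.evaluate(qname, None if answer == "-" else answer))
    return verdicts


# Constructed sample log lines.
SAMPLE_LOG = [
    "2024-03-25T10:00:01Z 10.0.0.5 www.example.org. A 192.0.2.1",
    "2024-03-25T10:00:02Z 10.0.0.5 beacon.bad-c2.example. A 192.0.2.10",
    "2024-03-25T10:00:03Z 10.0.0.7 LOGIN-MICROSOFT.example A 192.0.2.11",
    "2024-03-25T10:00:04Z 10.0.0.9 cdn.update.example A 198.51.100.23",
    "2024-03-25T10:00:05Z 10.0.0.9 ads.example A -",
]

if __name__ == "__main__":
    policy = ProtectiveDnsPolicy(IOC_FEED, BLOCKED_CATEGORIES)
    for v in evaluate_log(policy, SAMPLE_LOG):
        print(f"{v.action:5} {v.qname:28} {v.reason}")
```

Run as-is, the first line is allowed, the next three are blocked (subdomain match, case-insensitive phishing match, and an answer-IP match on an otherwise unknown name), and the advertising domain is allowed because its category is not in the block policy. In a real deployment the feed would be refreshed continuously, which is the point made above about closing the overnight update gap of endpoint-only scanning.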

Sources: https://www.infosecurity-magazine.com/news/chinese-apt-asean-entities/

‘Tycoon’ malware kit bypasses Microsoft, Google MFA.

(TLP: CLEAR) The Tycoon malware kit has been discovered to have the ability to bypass multi-factor authentication (MFA) systems used by Microsoft and Google. MFA is a security measure that adds an extra layer of protection by requiring users to provide additional verification, such as a code sent to their mobile device, in addition to their password. The Tycoon malware kit is a sophisticated tool used by cybercriminals to gain unauthorized access to systems and steal sensitive information. It was first identified in 2019 and has since evolved to include new features and capabilities.

(TLP: CLEAR) Comments: According to researchers, Tycoon uses a combination of techniques to bypass MFA, including the use of fake login pages and the interception of authentication tokens. This allows the malware to gain access to user accounts without the need for the additional verification provided by MFA. The discovery of Tycoon’s ability to bypass MFA is concerning as MFA is widely regarded as an effective security measure to protect against unauthorized access. It highlights the need for organizations and individuals to remain vigilant and implement additional security measures to protect their accounts and sensitive information. Both Microsoft and Google have been notified of the issue and are working to address the vulnerability. In the meantime, users are advised to be cautious and verify the legitimacy of login pages before entering their credentials. Additionally, it is recommended to use strong, unique passwords and consider using additional security measures, such as biometric authentication or hardware tokens, to further enhance account security.

(TLP: CLEAR) Recommended best practices/regulations: Many user portals can be IP-restricted (ACL) as well as require MFA. That added security measure will not be practical in all instances, such as broad consumer use.
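Combining a source-IP allowlist with an MFA requirement is simple to state and easy to get wrong at the proxy layer: if the portal trusts `X-Forwarded-For` from any peer, the ACL can be satisfied by whoever sets the header. The policy function below is an added illustration for this report, not code from Vercara or from any product named here. The allowed networks, the trusted-proxy range, the header handling and the session fields (`authenticated`, `mfa_verified`) are assumptions constructed for the example; the `require_acl` switch covers the consumer-portal case above where an IP restriction is not practical.

```python
"""Portal access policy: source-IP allowlist (ACL) plus an MFA requirement.

Added illustration, not vendor code. Constructed assumptions:
  - ALLOWED_NETWORKS: ranges from which the staff portal may be reached.
  - TRUSTED_PROXIES: load balancers that are allowed to set X-Forwarded-For.
  - session: a dict with boolean "authenticated" and "mfa_verified" flags.
"""
import ipaddress

ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _in_any(ip, networks) -> bool:
    # Mixed IPv4/IPv6 comparisons simply return False in the ipaddress module.
    return any(ip in net for net in networks)


def client_ip(peer_addr: str, xff_header: str = None):
    """Return the address the ACL should be evaluated against.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy, and
    then the right-most hop that is not itself a proxy is used; anything
    malformed falls back to the peer address, which fails closed because a
    proxy address is never in the allowlist.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _in_any(peer, TRUSTED_PROXIES) or not xff_header:
        return peer
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer
        if not _in_any(ip, TRUSTED_PROXIES):
            return ip
    return peer


def authorize(peer_addr: str, xff_header, session: dict, require_acl: bool = True):
    """Evaluate ACL first (cheapest check, no session needed), then authentication,
    then MFA. Returns (allowed, reason) so the reason can be logged for detection."""
    ip = client_ip(peer_addr, xff_header)
    if require_acl and not _in_any(ip, ALLOWED_NETWORKS):
        return False, f"source {ip} not in allowlist"
    if not session.get("authenticated"):
        return False, "not authenticated"
    if not session.get("mfa_verified"):
        return False, "MFA not completed"
    return True, "ok"


if __name__ == "__main__":
    full = {"authenticated": True, "mfa_verified": True}
    print(authorize("203.0.113.5", None, full))                      # staff, in range, MFA done
    print(authorize("198.51.100.9", "203.0.113.5", full))            # header spoof from untrusted peer
    print(authorize("10.1.2.3", "203.0.113.5, 10.1.2.3", full))      # same client via trusted proxy
    print(authorize("198.51.100.9", None, full, require_acl=False))  # consumer portal: MFA only
```

Logging the `reason` string gives the SOC a cheap signal: a burst of "not in allowlist" denials with a forged forwarding header, or of "MFA not completed" after a successful password step, is the kind of pattern a token-interception kit such as the one described above would produce.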

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses from users as well as machines using both defined categories including botnet C&C as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.

Sources: https://www.darkreading.com/application-security/tycoon-malware-kit-bypasses-microsoft-google-mfa

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.