This Month in Cybersecurity - December Edition

Final Patch Tuesday of 2023 - Microsoft and Adobe

Both Adobe and Microsoft have released the notes for their final patches of the year as 2023 closes out. Microsoft disclosed vulnerabilities in Office and its components, Win32k, the Windows Kernel, and the Microsoft Bluetooth Driver, among others. The tech giant has fixed several flaws within its software that allowed for Denial of Service (DoS) exploits, spoofing, Elevation of Privilege (EoP), information disclosure, and remote code execution. Of these flaws, Microsoft has confirmed that 4 are critical-severity vulnerabilities among the 38 it found and corrected in this patch.

Adobe experienced a slightly larger vulnerability load, disclosing that the company found and patched 212 vulnerabilities across its software suites, 13 of which were labeled critical severity. Adobe Experience Manager received the lion's share, accounting for 185 of the 212 patched vulnerabilities.

None of these vulnerabilities were known to be exploited in the wild, but as always, we suggest that you update every device, application and network component to the latest security build to stay as secure as possible.


SEC Clarifies New Incident Disclosure Rules Coming into Effect

In July, the SEC announced that it would be adopting and implementing new rules governing the disclosure of cybersecurity incidents by public companies. These rules require companies to disclose any breach with a material impact within four business days of determining that the incident is material. Companies are also required to submit annual reports on their cybersecurity risk management, strategy, and governance. According to the SEC, the purpose of these rules is to provide investors with "timely, consistent, and comparable information".

Industry professionals raised the concern that the information the SEC is forcing victims to provide could be very useful to threat actors, for example by giving them insight that helps set ransom demands. Erik Gerding, director of the SEC's Division of Corporation Finance, has clarified that the final versions of the rules will require less information than initially outlined, and will even allow for a delayed disclosure, or an exemption, if the company can show that releasing the information would cause more harm or pose a substantial risk to public safety or national security.

The FBI, acting on behalf of the Justice Department, has allowed delayed disclosures for cybersecurity incidents and has provided some guidelines for how this process may work. The SEC has promised to assist companies with these new rules and to create a formal definition of what is "material" to an organization.


Guidance on Incorporating SBOMs Issued by NSA

The National Security Agency (NSA) has published guidance on how organizations can incorporate software bills of materials (SBOMs) and mitigate supply chain risks. In May 2021, an executive order on cybersecurity mandated the use of SBOMs to create transparency for users and to allow an understanding of the components that make up their software.

In the guidance, the NSA states that consumers should leverage available government resources to ensure that the software they acquire is secure. The agency also suggests that software suppliers mature their SBOM exchange practices, placing the responsibility on software providers to ensure that their software is secure by design.


Defensible Strategies

Learn from those who have been attacked

7 Million Exposed in Customer Data Breach at Delta Dental

Delta Dental, a large dental insurance company in California, has sent notification letters to impacted individuals informing them that their personal information was compromised. The company disclosed that on the 27th of November it was able to determine that clients' personal information was included in the breach that occurred in late May. The breach was a result of the MOVEit incident, a zero-day exploit of the MOVEit file transfer tool.

The incident has affected more than 2600 organizations alongside Delta Dental, including many Upstate New York entities such as healthcare organizations, SUNY schools, and private colleges and universities. Reports show that more than 6.9 million individuals are involved in the Delta Dental breach and upwards of 62 million individuals in total across the rest of the affected organizations.

Incidents such as the MOVEit breach are glaring examples of why companies should prioritize third-party risk management. If you or your organization have any questions, or would like to take a deeper look into your risk management plans, please feel free to reach out to Cyber Defense!


Hospitality Industry Targeted by Resurfacing Malware, Qakbot

The hospitality industry is being targeted by a phishing campaign that delivers a new version of a previously dismantled malware family. Qakbot, also known as Qbot or Pinkslipbot, was once the target of a coordinated law enforcement effort, known as Operation Duck Hunt, in which authorities gained access to its infrastructure and used it to make infected PCs uninstall the malware, rendering it ineffective.

The ongoing campaign was first observed by Microsoft, which noticed a wave of phishing emails from senders claiming to be IRS employees, starting on December 11th of 2023. The tech giant has said that it is a low-volume campaign that uses a URL embedded in a PDF to download a Windows Installer package onto the target's computer. Once the installer has run, Qakbot is capable of harvesting sensitive information, as well as delivering additional malware, and even ransomware.

While phishing campaigns are not new, it is imperative that we continue to teach and learn about attempts to infiltrate organizations through phishing lures and spam emails. If you would like help learning more about how to prevent breaches like these, please reach out to us for Phishing and Internet Security Training!

NOTICE

New York has implemented an amendment to the DFS Regulation that may significantly impact your operations. Many of these changes were originally proposed in the regulation proposal stage.

For a comprehensive overview of these changes, we have prepared a detailed web page where Jim has outlined the amendments section-by-section. You can access this valuable resource at the following link: https://cyberd.us/dfs-reg-500-2nd-amendment

Cyber Defense is happy to assist with navigating these changes and getting your company into compliance, so please do not hesitate to contact us as soon as possible!

Cybersecurity for Small Businesses

I was asked to speak at the 2023 Rochester Security Summit on the topic of “Cybersecurity for Small Businesses”. Below is the YouTube recording of that presentation. I hope you can find value in it and please let me know in the comments what you think.

p.s. In the heat of the moment, I reversed the definitions of “vulnerability” and “threat” when talking about threats, vulnerabilities, and risks. Please forgive me!

This Month in Cybersecurity - November Edition

McLaren Health Care Notifies Users of Data Breach

Health care delivery system McLaren Health Care has sent out an incident notification letter stating that roughly 2.2 million individuals in its system have had their personal information compromised. The data breach, which occurred earlier this year, has been confirmed to be related to unauthorized access to the company's network, which was determined to have taken place between July 28th and August 23rd of 2023.

The user information has not been shown to have been misused in any way, but the ransomware group Alphv/BlackCat has claimed to be the organization that stole the data and is threatening to auction it. No further insight into how the breach occurred has been provided, but McLaren has been working with the Maine Attorney General and disclosing information regarding the leak.


AI Company ChatGPT Experiencing Regular Outages

The generative AI application ChatGPT reported outages on both the ChatGPT interface and the associated APIs, which allow other programs to interface directly with ChatGPT. According to parent company OpenAI, the outages were due to continual DDoS attacks. OpenAI has claimed that the incident has been resolved, but security experts warn that this is only the beginning of attention directed at OpenAI and other AI companies.

Leading experts agree that as AI grows and garners more attention, attacks like these will become more commonplace and will be used to hide data exfiltration attempts. AI companies are a prime target for threat actors and ransomware groups, as they have access to massive amounts of valuable data.

OpenAI did not confirm who the attacker was, but a group known as Anonymous Sudan has claimed responsibility, citing political reasons as the primary motive behind the attack.


SEC Draws Line in the Sand With Latest Suit

Over the years, organizations handling sensitive government data have flouted the cybersecurity risk requirements of Department of Defense (DoD) and other federal contracts by simply entering perfect self-assessment scores, knowing that no true audit would be conducted. However, with its recent lawsuit against SolarWinds for exactly the kind of conduct many are guilty of, the SEC has shown that the government is coordinating to enforce cybersecurity regulations and hold those organizations accountable.

The self-attestations that the DoD requires from prime and subcontractors are rooted in the lucrative contracts these organizations sign, but as of last year only 36% of those contractors were reporting scores to the federal database, according to a study conducted by Merrill Research. These requirements are due for an overhaul under the pending Cybersecurity Maturity Model Certification (CMMC) 2.0 regulation.

The CMMC will institute a new program that enforces the requirements and audits contractors, holding them truly accountable for the first time, as cybersecurity becomes more and more of a concern for the United States government. In the worst case, if a contractor is found not to be in compliance, the organization will be subject to action by the SEC and the cancellation of current and future contracts with the DoD and the United States government.

Cyber Defense is available to discuss these updated regulations and to help implement them, so that you avoid any negative consequences of non-compliance. Please reach out if you require assistance!


Defensible Strategies

Learn from those who have been attacked

Data of Aerospace Company Boeing Leaked by Ransomware Group

After a cybersecurity event that occurred in late October, aerospace giant Boeing has had more than 43 gigabytes of data leaked by LockBit. LockBit is a ransomware-as-a-service group that has been one of the largest and most resilient of its kind, having been active for more than four years and claimed thousands of victims. According to the ransomware group, the information it obtained during the attack was posted to its leak site after it received no contact from Boeing.

The data, while not confirmed by Boeing, appears to consist of system information, configuration backups, and logs from monitoring and auditing tools. Some of the published files are backups from Citrix appliances, which has sparked speculation that the attack may have been perpetrated by the ransomware group exploiting a recently disclosed Citrix vulnerability (CVE-2023-4966), but neither LockBit nor Boeing has confirmed the method of attack.


Data Breach Disclosed by State of Maine, 1.3 Million People Impacted

The State of Maine government has disclosed a data breach that occurred as part of a large-scale hacking campaign targeting the MOVEit file transfer tool. The attack took place between May 28th and May 29th of 2023, but the data breach was only confirmed in a recent Notice of Security Incident.

According to the State, the incident was limited to the file transfer tool, but sensitive data of 1.3 million people, including Social Security numbers, driver's license/state identification numbers, and other information, was compromised. According to the notice, the State of Maine moved immediately to block internet access to and from the MOVEit server and took other measures to secure the information.

In response to the attack, the State of Maine has set up a call center to help people determine whether their data was involved. The state has also offered two years of complimentary credit monitoring and identity theft protection services to those whose data was exposed.


DFS 500 Second Amendment Implementation Dates

Today I attended a presentation by the superintendent and deputy superintendent of the New York State Department of Financial Services. A lot of information was provided and we intend on making multiple posts based on the information we learned.

As a first step, here are the implementation dates provided by DFS. In general, this is for "standard" non-exempt organizations. Where possible we will outline requirements for covered entities with limited exemptions.
