Weekly CyberTip: Generative AI use policies
Generative AI tools like Bard and ChatGPT are in widespread use in many organizations today. While these tools can be very helpful in accelerating content generation, research, and automation, the risks that artificial intelligence technology introduces must be understood and mitigated. Content generated by these tools should never be accepted at face value, but should be carefully reviewed and vetted for accuracy and currency. Data privacy issues must be considered, particularly when corporate information is used to seed queries sent to the AI tools. Unintentional biases in information generated by the software must be assessed and rationalized. Have you considered security policies or best practices to guide your staff in the use of generative AI? Act today.
Patch alert: Google reports WinRAR vulnerability attacks
In an October 18 blog post, researchers at Google report that they are seeing government-backed threat actors exploiting a high-risk vulnerability in a popular Windows utility.
The bug – tracked as CVE-2023-38831 – in most versions of WinRAR software (a widely-used data compression, encryption and archiving tool for Windows that opens RAR and ZIP files) allows attackers to execute arbitrary code when a user attempts to view files within a ZIP archive. According to the post, “the vulnerability had been exploited as 0-day by cybercrime actors in-the-wild since at least April 2023 for campaigns targeting financial traders to deliver various commodity malware families.” Yet, despite a patch being available since August, the researchers noted various successful campaigns targeting governments, critical infrastructure, and the energy sector.
While the blog provides IoCs for some of the campaigns exploiting the bug, it encourages patching as the best defense. “The widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective, despite a patch being available… These recent campaigns exploiting the WinRAR bug underscore the importance of patching and that there is still work to be done to make it easy for users to keep their software secure and up-to-date.”
All versions of WinRAR 6.3 and earlier are vulnerable. Version 6.4, the latest and patched release, is available on the RARLAB website.
CCCS publishes updated guidance for “secure by design” principles
The Canadian Centre for Cyber Security (CCCS), along with 17 global partners, has released new guidance and insights for developing “secure by design” software. Entitled Shifting The Balance of Cybersecurity Risk: Principles And Approaches for Secure By Design Software, the October update reinforces three key principles of a “secure by default” approach to design. Illustrated through explanations, demonstrations, and evidence, the principles are:
- Take Ownership of Customer Security Outcomes: directing organizations to take responsibility for security instead of relying on the customer to do so, through responsible application hardening, application security features, and application default settings.
- Embrace Radical Transparency and Accountability: organizations should take a security-first mentality, and celebrate the safe and secure design of their products and applications as a market differentiator.
- Lead from the Top: just as mature organizations have implemented corporate social responsibility (CSR) programs, they must actively guide cybersecurity programs, with the term “corporate cyber responsibility” (CCR) gaining popularity.
While the document is aspirational and has no legislative or regulatory force, the “authoring organizations strongly encourage every technology manufacturer to build their products based on reducing the burden of cybersecurity on customers.”
Cyber attack closes New York hospitals
On October 16, New York’s HealthAlliance of the Hudson Valley (HHV) announced a “potential cyber attack,” an incident that ultimately led to service disruptions and potential issues with patient care.
By October 19, HHV (a 177-bed healthcare system that includes the HealthAlliance Hospital, Margaretville Hospital and Mountainside Residential Care Center) announced that they would be “temporarily diverting ambulances from HealthAlliance Hospital to other nearby medical facilities, and making decisions on whether to discharge current HealthAlliance Hospital patients to their homes or facilitate transfers to other hospitals within the WMCHealth Network”.
Over the weekend of October 20-22, HHV shut down all connected IT systems, then began “standing up [their] systems on a rolling basis”. As of October 21, the system restarts were still in progress, though HHV announced that all patient services were available once again, and almost all ambulance re-direct orders had been lifted.
The nature of the attack and ransom details have not been disclosed, but an investigation is ongoing.
Hacking the hackers: Trigona ransomware group shut down by Ukrainian Cyber Alliance
According to an October 18 article in Bleeping Computer, altruistic hackers from the Ukrainian Cyber Alliance have broken into the systems of the Trigona ransomware gang and dismantled their IT infrastructure.
Announcing the successful attack on X (formerly Twitter), UCA declared “Trigona is Gone!” and “Welcome to the world you created for others,” taunting the hackers.
Reportedly exploiting a known critical vulnerability in Confluence Data Center and Server (specifically, CVE-2023-22515), the UCA gained access to Trigona ransomware’s infrastructure, “established persistence, and mapped the cybercriminal’s infrastructure completely unnoticed”. They eventually “managed to take all the information from the threat actor’s administration and victim panels, their blog and data leak site, and internal tools (Rocket.Chat, Jira, and Confluence servers)” and “exfiltrated the developer environment, cryptocurrency hot wallets as well as the source code and database records,” according to the report’s analysis. The hacktivists also took full control of Trigona’s websites, defacing or deleting all content.
Active since October 2022, the Trigona gang had been responsible for at least 15 significant ransomware attacks around the world.