Latest Cybersecurity News 2023-07-24 Edition

Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news

Weekly CyberTip: Watch for malvertising in your search results 

Malvertising is nothing new. The tactic of creating a fake advertisement that directs victims to malicious sites instead of an expected destination has been used by hackers for years. What is currently on the rise, however, is the use of browser search results to trick people into clicking bad links. Increasingly, threat actors are purchasing ad space on Google or Bing, and using SEO (search engine optimization) techniques to get their ads to appear on common web searches. Just because a link is “sponsored” in your search results, don’t assume it’s valid: use the same techniques of checking the destination URL or independently researching sites to reduce your cyber risk. 
What’s causing the current rise? Some researchers have mused that the recent change by Microsoft to block macros in untrusted documents by default has encouraged threat actors to look for more reliable methods of duping unsuspecting victims. Fake ads featuring brands such as Notepad++, Zoom, AnyDesk, Foxit Software, Photoshop, Adobe, and others have been identified and shut down in recent months. For a cautionary tale regarding a fake Delta Airlines ad, check out one person’s story as reported in the Washington Post. 
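A defensive check in the spirit of the tip above, added here as an example and not part of the original newsletter: it unwraps the redirect parameters that ad-click trackers commonly carry, then compares the landing host against the vendor's known domain and flags punycode lookalikes. The vendor domain, sample links and parameter list are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Query parameters that ad-click trackers commonly use to carry the real landing page.
# Assumption: this list is illustrative, not exhaustive.
REDIRECT_PARAMS = ("url", "adurl", "u", "redirect", "dest")


def final_destination(href: str, max_hops: int = 5) -> str:
    """Unwrap tracker-style redirect parameters until a plain landing URL remains."""
    current = href
    for _ in range(max_hops):
        query = parse_qs(urlparse(current).query)
        nested = next((query[p][0] for p in REDIRECT_PARAMS
                       if p in query and query[p][0].startswith(("http://", "https://"))), None)
        if nested is None:
            break
        current = nested
    return current


def check_sponsored_link(href: str, expected_domain: str) -> dict:
    """Flag a sponsored link whose landing host is not the vendor's domain (or a subdomain of it)."""
    dest = final_destination(href)
    host = (urlparse(dest).hostname or "").rstrip(".")
    expected = expected_domain.lower()
    reasons = []
    if urlparse(dest).scheme != "https":
        reasons.append("landing page is not served over https")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (xn--) label in host; possible lookalike domain")
    if not (host == expected or host.endswith("." + expected)):
        reasons.append(f"host {host!r} is not {expected!r} or a subdomain of it")
    return {"destination": dest, "host": host, "ok": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links and vendor domain (not real sites).
    vendor = "vendor.example"
    samples = [
        "https://tracker.example/click?adurl=https%3A%2F%2Fdownload.vendor.example%2Fsetup",
        "https://tracker.example/click?adurl=https%3A%2F%2Fvendor.example.evil-cdn.example%2Fsetup",
        "https://xn--vendr-1qa.example/download",
    ]
    for link in samples:
        result = check_sponsored_link(link, vendor)
        print("OK " if result["ok"] else "BAD", result["destination"], result["reasons"])
```

The domain comparison is deliberately strict: a host that merely contains the brand name (the second sample) is rejected, which is the usual shape of a malvertising landing page.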

Tampa General Hospital suffers data breach 

On July 19, Tampa General Hospital (TGH) in southwest Florida announced that patient data had been compromised during a May 2023 cyber attack.  
“On May 31, 2023, through our proactive monitoring tools, TGH detected unusual activity on our computer systems,” according to a bulletin posted as a banner on the hospital’s website. While they were able to prevent a ransomware attack on their systems, the hospital discovered that “an unauthorized third party accessed TGH’s network and obtained certain files from its systems between May 12 and May 30, 2023.”  
According to the TGH announcement, the specific information stolen varies with each individual affected, but may have included: 

  • Names, addresses, phone numbers; 
  • Dates of birth; 
  • Social Security numbers (SSN); 
  • Health insurance information;
  • Medical record and patient account numbers; and/or 
  • Dates of service and/or limited treatment information used for TGH business operations. 

The hospital emphasized that their electronic medical record system was neither involved nor accessed in the attack. 
The Snatch ransomware group is claiming to have exfiltrated over four terabytes of hospital data, according to posts on the gang’s leak site on July 21. The Nokoyawa crime syndicate is also claiming responsibility. 
Class action litigation is already being considered: “It’s now being investigated whether Tampa General Hospital had proper data security standards in place prior to the breach and, if not, whether a class action lawsuit can be filed,” according to a post on ClassAction.org. Similar notifications have appeared on topclassactions.com, among others. An estimated 1.2 million customers are believed to have been affected by the incident. 

Patch alert: Citrix/NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 

On July 20, CISA issued a cybersecurity advisory regarding NetScaler’s Application Delivery Controller (ADC) and NetScaler Gateway. The advisory came after it was discovered that a recently disclosed zero-day vulnerability (tracked as CVE-2023-3519) has been exploited in an attack on an unidentified critical infrastructure organization. The vulnerability can be exploited for unauthenticated remote code execution against appliances configured as a gateway or AAA virtual server.  
The advisory documents the tactics, techniques, and procedures used by the attackers, and provides tips on IOCs, detection methods, mitigation strategies, and incident response guidance. 
Citrix/NetScaler released a patch for the vulnerability in a bulletin published July 18. Customers managing their own systems are urged to update as soon as possible. “Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action,” according to the bulletin.

PokerStars becomes the latest announced MOVEit victim

Gaming operator PokerStars is notifying U.S. customers about a potential data breach in connection with the MOVEit zero-day vulnerability incident in which the Cl0p ransomware gang accessed and stole data from MOVEit servers. 
According to a breach announcement provided to the Maine Attorney General, over 110,000 individuals may have been affected by the incident, with private information like names, addresses, and Social Security numbers being compromised. 
“Following the incident, we no longer utilize the MOVEit Transfer application,” according to a statement from PokerStars. There has been no indication so far that the hackers have used the stolen data. 
So far, nearly 400 organizations worldwide have been confirmed to be affected by the MOVEit Transfer attacks, with over 20 million individuals having their data exposed.

Microsoft to standardize logging for cloud services 

On July 19, Microsoft announced that they will be increasing the security features of their basic enterprise cloud platform, bringing them closer to the capabilities of their premium system. The changes take effect in September. 
“In response to the increasing frequency and evolution of nation-state cyberthreats, Microsoft is taking additional steps to protect our customers and increase the secure-by-default baseline of our cloud platforms. These steps are the result of close coordination with commercial and government customers, and with the Cybersecurity and Infrastructure Security Agency (CISA) about the types of security log data Microsoft provides to cloud customers for insight and analysis,” according to the announcement. 
That “close coordination” was largely driven by the exploitation of a zero-day vulnerability in Microsoft Office that was reported by CISA on July 11. Some 25 organizations around the world were affected, including the U.S. State and Commerce departments. In the incident, CISA determined that several critical security logs that could have been used to detect the attack were not available to organizations using Microsoft’s basic offerings (known as “E3” for commercial customers and “G3” for government customers). Only customers using premium “E5” and “G5” licensing, which generally cost 50-60% more than the basic packages, had access to those logs.
CISA applauded Microsoft’s move in a blog post by Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, citing the importance of “security-by-default” in systems and solutions. 