Weekly Cyber Reports

This Week in Cyber 01 December 2023

Latest news and views from our Cyber Analysts

Written by Team Nucleus

Written on 1st December, 2023


Rhysida Ransomware Escalates: Strikes Prestigious London Hospital


On November 17th, we highlighted the emerging threat of the Rhysida ransomware group, shedding light on their nefarious activities. Fast forward to the present, and the cybercriminals have intensified their campaign, successfully breaching London's prestigious King Edward VII’s Hospital. This private medical institution, known for its acute and specialist care, joins the growing list of Rhysida victims, which includes the British Library and China Energy Engineering Corporation, as reported in our previous coverage.


In this latest attack, Rhysida has demonstrated the severity of its intrusion by publishing stolen medical documents on its Tor leak site, emphasising the compromise of sensitive data from patients and employees, including members of the Royal Family. In a brazen move, the ransomware group is auctioning this trove of information for 10 BTC, accompanied by a threat to publicly release it over seven days if their demands are not met. The FBI and CISA, in their joint Cybersecurity Advisory issued as part of the ongoing #StopRansomware initiative, provide insights into Rhysida's tactics and indicators of compromise. This underscores the urgency for organisations to fortify their defences against evolving cyber threats and the critical importance of proactive cybersecurity measures.


Passive Attack on SSH Reveals Potential Vulnerability in RSA Host Keys

Researchers have demonstrated a potential security vulnerability in the Secure Shell (SSH) protocol, showing that passive attackers could obtain private RSA host keys from a vulnerable SSH server. The attack relies on observing naturally occurring computational faults during connection establishment. SSH uses host keys for authentication, and if a fault occurs while the server computes its signature, an attacker who sees the faulty signature could, in some cases, compute the signer's private key. This could enable masquerading as the compromised host, leading to the interception of sensitive data and man-in-the-middle attacks. The researchers recommend cryptographic design principles such as encrypting protocol handshakes to mitigate such vulnerabilities; note that TLS version 1.3 already provides this countermeasure by encrypting the handshake during connection establishment.
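The fault-tolerance point above is easiest to see with a toy signer. The following Python is an added example written for this post, not code from the researchers or from any SSH implementation: it signs with the RSA-CRT method that such faults affect, lets the caller simulate a single corrupted intermediate value in the mod-q half, and shows the standard server-side mitigation of verifying every signature before it is released. The 256-bit key, the `sign_crt`/`sign_checked`/`verify` names, the injected fault model and the use of SHA-256 over a constructed message (standing in for the SSH exchange hash) are all assumptions of this example; a key this small is for demonstration only.

```python
import hashlib
import random

# Deterministic RNG so the constructed demo key is reproducible (demo only).
_rng = random.Random(2023)


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test, sufficient for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_key(bits=256, e=65537):
    """Toy RSA key with the CRT components (p, q) a real signer keeps private."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e, "d": d, "p": p, "q": q}


def _hash_to_int(msg, n):
    # Stand-in for the SSH exchange hash that the host key actually signs.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign_crt(key, msg, fault=False):
    """RSA-CRT signature. fault=True simulates one corrupted value in the mod-q half,
    the kind of naturally occurring computational error the research describes."""
    m = _hash_to_int(msg, key["n"])
    p, q, d, n = key["p"], key["q"], key["d"], key["n"]
    s_p = pow(m, d % (p - 1), p)
    s_q = pow(m, d % (q - 1), q)
    if fault:
        s_q = (s_q + 1) % q  # constructed fault: s_q is now wrong, s_p is still right
    h = (pow(q, -1, p) * (s_p - s_q)) % p
    return (s_q + q * h) % n  # Garner recombination of the two half-signatures


def verify(key, msg, sig):
    return pow(sig, key["e"], key["n"]) == _hash_to_int(msg, key["n"])


def sign_checked(key, msg, fault=False):
    """Mitigation: verify before release. A faulty signature is never sent on the wire,
    so a passive observer never obtains the value the key-recovery attack needs."""
    sig = sign_crt(key, msg, fault)
    return sig if verify(key, msg, sig) else None


if __name__ == "__main__":
    key = generate_key()
    msg = b"constructed SSH exchange hash input"
    print("good signature verifies:", verify(key, msg, sign_crt(key, msg)))
    print("faulty signature verifies:", verify(key, msg, sign_crt(key, msg, fault=True)))
    print("checked signer released faulty signature:", sign_checked(key, msg, fault=True) is not None)
```

The cost of the check is one public-key operation per signature, which is cheap next to the CRT exponentiation itself; the second mitigation the researchers point to, encrypting the handshake as TLS 1.3 does, works at the protocol layer and protects even implementations that skip this check.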

Okta Data Breach Update, Threat Widens


Identity services provider Okta has revealed an expanded impact stemming from the October 2023 breach of its support case management system. The company detected additional threat actor activity, with the unauthorised download of names and email addresses of all Okta customer support system users. The breach affects all Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers, excluding those in FedRAMP High and DoD IL4 environments, which use a separate support system. Okta has taken steps to enhance security features, provide specific recommendations to defend against potential targeted attacks, and notify affected individuals. While there is no evidence of active misuse, the company remains vigilant and is conducting a thorough investigation with the assistance of a digital forensics firm. This disclosure follows Okta's initial announcement that the breach impacted 1% of its customer base.


The threat actors responsible for the attack remain unidentified, but the disclosure comes in the wake of previous targeting by the cybercrime group Scattered Spider. The group, known for its sophisticated social engineering tactics, targeted Okta in August 2023, aiming to gain elevated administrator permissions. Scattered Spider has since evolved into an affiliate for the BlackCat ransomware operation, showcasing its prowess in infiltrating both cloud and on-premises environments. Okta continues to work on securing its systems and has emphasised the importance of customer awareness to mitigate potential risks associated with phishing and social engineering attacks.


Law Firms at Risk: CTS MSP Breach Exploits Citrix Vulnerability

Leading managed service provider (MSP) CTS, specialising in IT services for the legal sector, faces a significant cybersecurity challenge following a breach that potentially impacted numerous law firms across the United Kingdom. The breach, currently under investigation, caused a service outage, affecting a portion of the services provided by CTS. While the full extent of the impact is still being assessed, at least one law firm has reported direct consequences from the security incident.


The attackers allegedly exploited the CitrixBleed vulnerability (CVE-2023-4966) to gain initial access to CTS's infrastructure. This vulnerability, affecting certain versions of Citrix's NetScaler ADC and NetScaler Gateway, could lead to sensitive information disclosure. Citrix has urgently recommended that affected customers update to the latest releases of their products to mitigate the risks associated with this vulnerability.



Cybersecurity in Global AI Development


The U.K. and U.S., in collaboration with 16 other global partners, have unveiled comprehensive guidelines for the development of secure artificial intelligence (AI) systems. This initiative, endorsed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), emphasises customer ownership of security outcomes, advocating radical transparency, accountability, and prioritising secure design within organisational structures. The primary objective is to elevate cybersecurity standards for AI, ensuring its secure conception, development, and deployment. The guidelines extend the U.S. government's commitment to risk management in AI, emphasising rigorous testing, addressing societal concerns like bias, discrimination, and privacy, and establishing mechanisms for consumers to discern AI-generated content.


These commitments also require companies to facilitate third-party discovery and reporting of vulnerabilities in their AI systems through bug bounty programs, promoting swift identification and resolution. Termed a 'secure by design' approach, the guidelines cover secure design, development, deployment, and operation and maintenance throughout the AI system development life cycle. This comprehensive strategy requires organisations to model threats to their systems, safeguard supply chains, and fortify infrastructure, aiming to counter adversarial attacks targeting AI and machine learning systems that seek to induce unintended behaviour, such as manipulating classification models or extracting sensitive information.

