26th January, 2024
In this week's cybersecurity roundup, the landscape mixes persistent and emerging threats. The forecast for 2024 predicts a surge in DDoS attacks, continuing the trend toward larger and longer assaults. Ransomware remains the dominant problem, exemplified by the breach at Southern Water attributed to the Black Basta ransomware group. A free decryptor for Black Basta offered some relief, but it only helps victims whose files were encrypted before the group fixed the underlying flaw, and the group continues to operate. Adding to the concerns, a compilation of over 26 billion leaked records is a stark reminder of the danger posed by compromised credentials, and of the need to use a unique password per site and to change any password that turns up in a breach.
Southern Water Faces Cybersecurity Threat as Black Basta Ransomware Group Strikes
Southern Water, a major UK utility firm, is being extorted by the Black Basta ransomware group. The attackers claim to have taken 750 gigabytes of sensitive data, including personal and corporate documents, and have posted screenshots of passports and ID cards as evidence of the breach. The ransom demand has not been disclosed, but the group follows a double-extortion model: data is exfiltrated before encryption and publication is threatened if the victim does not pay. Notably, researchers exploited a flaw in Black Basta's file encryption to build a free decryptor, but the group fixed the flaw, so the tool only recovers files from attacks carried out before December 2023. Black Basta has amassed an estimated $107 million in Bitcoin ransom payments, is linked to the former Conti group, and has laundered funds through the Russian exchange Garantex. Southern Water joins a list of over 329 victims that includes ABB, Capita, Dish Network, and Rheinmetall.
Gcore's Radar Report Unveils Disturbing Trends in Escalating DDoS Attacks
Gcore's Q3–Q4 2023 Radar report documents concerning developments in DDoS attacks: peak attack volume rose to 1.6 Tbps, up from just over 800 Gbps in Q1–Q2, a substantial increase within a single year. Attack durations ranged from three minutes to nine hours, showing that attackers vary their tactics between short bursts that evade rate-based mitigation and long floods that exhaust capacity. UDP floods dominate at 62% of attacks (being connectionless, UDP traffic is easy to generate at volume and to send from spoofed sources), and the gaming industry remains the primary target (46%), followed by finance (22%) and telecom (18%). The findings emphasise the need for adaptive mitigation, sufficient upstream capacity, and international collaboration to counter evolving DDoS threats effectively.
Mother of all Breaches: 26 billion records found online
Bob Dyachenko, owner of SecurityDiscovery.com, and the team at Cybernews.com recently uncovered a collection of over 26 billion leaked records exposed on the open internet. None of the data appears to be new, but the collection's size is unprecedented: at over 12 terabytes, it collates more than 3,800 previously known breaches and is almost certainly the largest compilation of multiple breaches (COMB) yet exposed. Aggregation increases the threat to victims of the individual breaches, because a record that pairs an email address with a password can be replayed against other services (credential stuffing), and anyone who reuses the same password across sites is exposed everywhere at once. Once again, it's time to change any password you reuse, and to check whether your credentials appear in a known breach.
Kasseika Ransomware Group Adopts BYOVD Attack
The Kasseika ransomware group has adopted the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security software on compromised Windows hosts: a legitimately signed driver with a process-termination capability is loaded, which passes Driver Signature Enforcement, and is then used from kernel context to kill antivirus processes and services before the ransomware is deployed. Kasseika, first observed in December 2023, shares code and behaviour with the defunct BlackMatter group, hinting at a possible connection. The intrusion chain involves a phishing email, remote access trojans for privileged access, and Microsoft's PsExec to execute a malicious batch script. The signed driver, named "viragt64.sys", is used to terminate a list of 991 security-related processes. The ransomware demands a payment of 50 bitcoin within 72 hours and threatens to add $500,000 for every 24 hours past the deadline. The group also wipes Windows event logs to cover its tracks. Defenders should note that signature validity alone says nothing about a driver's safety; Microsoft's vulnerable driver blocklist (enforced with HVCI or WDAC) and monitoring of unusual driver loads are the controls that address this class of attack.
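Detection for this staging pattern (abusable signed driver loaded, PsExec launching a batch file, event logs cleared) is straightforward to express over Sysmon-style telemetry. The code below is an added example written for this roundup, not Trend Micro's or any vendor's detection content. The events are constructed for the demo and use Sysmon field names (EventID 6 DriverLoad with ImageLoaded, EventID 1 ProcessCreate with CommandLine); the "Host" field and the driver watch-list are assumptions, and the page names only viragt64.sys.

```python
import re

# Driver file names known to be abused for BYOVD. Constructed watch-list for this
# example; a production list should come from a maintained feed such as
# loldrivers.io and match on file hash, since a file name is trivial to change.
WATCHED_DRIVERS = {"viragt64.sys"}
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)

LOG_CLEAR = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)
PSEXEC_BATCH = re.compile(r"\bpsexec(64)?(\.exe)?\b.*\.bat\b", re.IGNORECASE)

# Constructed Sysmon-style events (not real telemetry), trimmed to the fields used.
SAMPLE_EVENTS = [
    {"Host": "WS01", "EventID": 6, "ImageLoaded": r"C:\Users\Public\viragt64.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Host": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"Host": "WS01", "EventID": 1, "Image": r"C:\Tools\PsExec.exe",
     "CommandLine": r"PsExec.exe -accepteula \\WS02 -s cmd /c C:\Windows\Temp\stage.bat"},
    {"Host": "WS02", "EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\sampledrv.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Host": "WS02", "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe C:\\notes.txt"},
]


def analyse_events(events):
    """Return (host, signal, detail) tuples for every suspicious event."""
    findings = []
    for ev in events:
        if ev["EventID"] == 6:  # Sysmon DriverLoad
            path = ev["ImageLoaded"]
            name = path.rsplit("\\", 1)[-1].lower()
            if name in WATCHED_DRIVERS:
                findings.append((ev["Host"], "byovd_driver", name))
            # A valid signature is expected for BYOVD; the unusual location is the tell.
            if not path.lower().startswith(TRUSTED_DRIVER_DIRS):
                findings.append((ev["Host"], "driver_odd_path", path))
        elif ev["EventID"] == 1:  # Sysmon ProcessCreate
            cmd = ev["CommandLine"]
            if LOG_CLEAR.search(cmd):
                findings.append((ev["Host"], "eventlog_cleared", cmd))
            if PSEXEC_BATCH.search(cmd):
                findings.append((ev["Host"], "psexec_batch", cmd))
    return findings


def hosts_to_escalate(findings, min_signals=2):
    """Escalate hosts showing at least min_signals distinct signal types: one odd
    driver load is often noise, the combination is the ransomware staging pattern."""
    per_host = {}
    for host, signal, _ in findings:
        per_host.setdefault(host, set()).add(signal)
    return sorted(h for h, s in per_host.items() if len(s) >= min_signals)


if __name__ == "__main__":
    found = analyse_events(SAMPLE_EVENTS)
    for finding in found:
        print(finding)
    print("escalate:", hosts_to_escalate(found))
```

The driver-load rule deliberately does not key on the signature status: the whole point of BYOVD is that the driver is validly signed, so the useful signals are the file name or hash and the directory it was loaded from.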
Jenkins Resolves Critical Arbitrary File Read Vulnerability, Fixes Eight Other Security Flaws
Jenkins, the open-source CI/CD automation server, has fixed a critical vulnerability (CVE-2024-23897) in its command-line interface (CLI) that allows arbitrary file read on the Jenkins controller and, in several scenarios, leads to remote code execution. The root cause is a convenience feature of the args4j library used to parse CLI arguments: an argument beginning with "@" is replaced by the contents of the file at that path, so a crafted command makes the controller read any file its process can open. Attackers with "Overall/Read" permission can read entire files; attackers without it can still obtain the first few lines (typically three), depending on which CLI commands are available to them. The fix, in Jenkins 2.442 and LTS 2.426.3, disables this "@" expansion in the command parser. Administrators who cannot upgrade immediately should disable CLI access until the patch is applied; the running version can be confirmed from the X-Jenkins response header that the server sends. The same release addresses eight other security flaws.
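To make the mechanism concrete, here is an added example (written for this roundup, not Jenkins or args4j source code) that models the "@file" expansion and the effect of the fix. The toy `connect-node` command and the wording of its error message are assumptions made for the demo; the file it reads is constructed and deleted afterwards. Which lines of a file a real Jenkins command reflects back depends on that command.

```python
import os
import tempfile


def expand_at_args(argv, allow_at_syntax=True):
    """Model of the args4j behaviour behind CVE-2024-23897.

    Pre-fix (allow_at_syntax=True): an argument '@path' is replaced by the lines
    of that file, read from the server's own file system. The fix disables the
    feature by default, so the literal '@path' string is passed through untouched."""
    expanded = []
    for arg in argv:
        if allow_at_syntax and arg.startswith("@") and len(arg) > 1:
            with open(arg[1:], encoding="utf-8", errors="replace") as fh:
                expanded.extend(line.rstrip("\r\n") for line in fh)
        else:
            expanded.append(arg)
    return expanded


def run_cli_command(argv, allow_at_syntax=True):
    """Toy CLI command (assumption, not a real Jenkins command) that reflects
    unexpected arguments in its error text. Combined with @-expansion, that
    reflection turns 'the server read a file' into 'the caller sees the file'."""
    args = expand_at_args(argv, allow_at_syntax)
    if not args or args[0] != "connect-node":
        return "ERROR: unknown command"
    names = args[1:]
    if len(names) != 1:
        return "ERROR: expected 1 argument but got: " + " | ".join(names)
    return f"ERROR: no such node '{names[0]}'"


def demo():
    """Send the same request to vulnerable and fixed parsing; return both replies."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as tmp:
        # Constructed stand-in for a sensitive file on the controller.
        tmp.write("root:x:0:0:root:/root:/bin/bash\nline-two\nline-three\n")
        path = tmp.name
    try:
        request = ["connect-node", "@" + path]
        vulnerable = run_cli_command(request, allow_at_syntax=True)
        fixed = run_cli_command(request, allow_at_syntax=False)
    finally:
        os.unlink(path)
    return vulnerable, fixed


if __name__ == "__main__":
    before, after = demo()
    print("before fix:", before)
    print("after fix: ", after)
```

The vulnerable path leaks every line of the file through the error message, while the fixed path treats "@/path" as an ordinary node name and reveals nothing about the file system. This is also why disabling CLI access is an effective interim workaround: without the CLI, the argument parser is never reached.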