Canary Trap’s Bi-Weekly Cyber Roundup – Nov. 10, 2023
- November 10, 2023
- Canary Trap
Exciting times in the cyber realm! Welcome to the latest edition of the Canary Trap Cyber Roundup, your go-to source for bi-weekly insights into the ever-evolving world of cybersecurity. In this edition, we invite you to journey with us through the corridors of cyber events, gaining deeper insights into the forces shaping our digital reality.
Brace yourselves for the impact of a ChatGPT outage due to a DDoS attack and the aftermath of a major breach in Maine affecting over 1.3 million residents. Stay ahead with insights into enhanced software supply chain security, Canadian hospitals grappling with ransomware, the release of CVSS 4.0, and Microsoft’s move towards fortified admin portals with mandatory MFA.
- ChatGPT Outage from DDoS Attack
On Wednesday, OpenAI faced a significant disruption in its ChatGPT and API services, attributed to a suspected distributed denial-of-service (DDoS) attack. This issue first emerged on November 7, when the AI organization noticed difficulties with its language model-based chatbot and API, initially termed as partial outages. However, the situation escalated to a major outage by November 8. OpenAI later confirmed in an update that the service interruptions were due to “an abnormal traffic pattern indicative of a DDoS attack.”
The disruption of ChatGPT’s service was claimed by Anonymous Sudan, a group announcing its involvement via its Telegram channel. The group justified its attack against OpenAI, citing reasons such as the organization’s American roots, and alleged collaboration with Israel, including perceived anti-Palestine positions.
Anonymous Sudan, self-identified as a hacktivist group driven by religious and political motives, has a history of targeting various organizations with disruptive DDoS attacks. Their past targets reportedly include prominent companies like Microsoft, X (formerly known as Twitter), and Telegram.
However, investigations into the group’s background suggest that Anonymous Sudan may not have actual connections to Sudan. Instead, there are indications linking it to Russian hackers, including the well-known KillNet group. Some members of the cybersecurity community speculate that this group might even have affiliations with the Russian government.
As of this writing, ChatGPT’s operations have returned to normal. Over the past three months, only a few major outages have been recorded on OpenAI’s status page.
- Major Cybersecurity Breach in Maine: Over 1.3 Million Residents Affected by MOVEit Zero-Day Exploit
Maine has recently reported a significant breach resulting from a cyberattack that exploited a zero-day vulnerability in Progress Software’s MOVEit file transfer application. This critical security flaw, identified as an unauthenticated SQL injection issue, allowed a well-known ransomware group to access sensitive data transmitted through the MOVEit system.
According to data from cybersecurity firm Emsisoft, the MOVEit hack has impacted over 2,500 organizations and approximately 69 million individuals globally. Among these, around 1.3 million are residents of Maine, as confirmed by the state’s recent announcement following the conclusion of its investigation into the breach.
The cyberattack led to unauthorized access to a range of personal information, including names, birth dates, Social Security numbers, driver’s license/state ID numbers, taxpayer identification numbers, and in some instances, medical and health insurance details, as disclosed by the State of Maine.
Maine, which stores data about its residents for various administrative purposes and shares information with other organizations to improve public services, reported that the attackers infiltrated and downloaded files from certain state agencies. This breach occurred on May 28 and May 29 via Maine’s MOVEit server but did not compromise any other systems.
The Maine Department of Health and Human Services was the most affected entity, with over half of the stolen files pertaining to it. The Maine Department of Education also suffered significant impacts, accounting for 10-30% of the breached files.
In response to the incident, the State of Maine implemented immediate security measures, including cutting off internet access to and from the MOVEit server. Furthermore, Maine is now in the process of notifying affected individuals and is offering complimentary credit monitoring and identity theft protection services.
- Enhanced Software Supply Chain Security: New Guidelines Released by CISA, NSA, and ODNI
The US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) have jointly issued a comprehensive new guide for software vendors and suppliers. This guide focuses on fortifying the software supply chain, a critical aspect of cybersecurity.
Available as a PDF, the document serves as a practical resource for organizations to evaluate and strengthen their security protocols throughout the software lifecycle. It covers a range of topics, including the management of open source software (OSS) and the implementation of software bills of materials (SBOM).
This guidance arrives a year after a three-part joint advisory from CISA, NSA, and ODNI. It builds on the previous advice, providing in-depth strategies for ensuring the security and resilience of software development, production, distribution, and management. The agencies emphasize the importance of proactive risk management and mitigation in secure software development practices. The guidelines highlight that an organization’s role in the software supply chain lifecycle, as developer, supplier, or customer, shapes its specific responsibilities.
Key recommendations include implementing SBOM processing, evaluating vulnerabilities, preventing exploitation, updating SBOMs for new software versions, and other measures for effective SBOM utilization. The guidance underscores the pivotal role of SBOMs in software security and supply chain risk management. It suggests correlating SBOM data with other information to create risk scores and facilitate prompt responses to potential threats.
The agencies advise that efficiently leveraging SBOMs involves automated processing, analysis, and correlation, turning SBOM data into actionable security intelligence. They highlight the integration of SBOM data into various enterprise workflows like procurement, asset management, vulnerability management, and broader supply chain risk management and compliance. Thus, the value of an SBOM lies not just in the document itself but in its ability to feed data into automated systems for comprehensive risk analysis and management.
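To make the correlation step concrete, here is an added example (not code from the CISA/NSA/ODNI guide) that loads a minimal SBOM, matches each component against a vulnerability feed by version, and folds in asset context to produce a per-component risk score and a triage order. The SBOM, the feed, the asset context and the vulnerability identifiers are all constructed placeholders, and the scoring weights are an illustrative assumption rather than a published formula.

```python
"""Correlate a minimal SBOM with a vulnerability feed and asset context to build
per-component risk scores.  Added example, not code from the CISA/NSA/ODNI
guidance.  All inputs below are constructed sample data and the scoring
weights are an illustrative assumption, not a published formula."""
import json

# Constructed SBOM in a CycloneDX-like shape; only the fields used here are present.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "libexample-xml", "version": "2.9.1"},
    {"name": "webfw", "version": "4.2.0"},
    {"name": "logutil", "version": "1.0.3"}
  ]
}
"""

# Constructed vulnerability feed keyed by component name.  IDs are placeholders;
# "fixed_in" is the first version that is no longer affected.
VULN_FEED = {
    "libexample-xml": [
        {"id": "VULN-PLACEHOLDER-1", "fixed_in": "2.9.5", "severity": 9.8, "exploited": True},
    ],
    "webfw": [
        {"id": "VULN-PLACEHOLDER-2", "fixed_in": "4.1.0", "severity": 7.5, "exploited": False},
        {"id": "VULN-PLACEHOLDER-3", "fixed_in": "4.3.0", "severity": 5.3, "exploited": False},
    ],
}

# Constructed asset-management context, the kind of enterprise data the guide
# says SBOM records should be correlated with.
ASSET_CONTEXT = {
    "libexample-xml": {"internet_facing": True},
    "webfw": {"internet_facing": True},
    "logutil": {"internet_facing": False},
}


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def load_components(sbom_text):
    """Return (name, version) pairs from the SBOM document."""
    doc = json.loads(sbom_text)
    return [(c["name"], c["version"]) for c in doc["components"]]


def match_vulns(name, version, feed):
    """Feed entries that affect this component: installed version is below the fix."""
    installed = parse_version(version)
    return [v for v in feed.get(name, []) if installed < parse_version(v["fixed_in"])]


def risk_score(vulns, context):
    """Illustrative score: worst severity, raised for known exploitation and exposure."""
    if not vulns:
        return 0.0
    score = max(v["severity"] for v in vulns)
    if any(v["exploited"] for v in vulns):
        score *= 1.5  # assumed weight for active exploitation
    if context.get("internet_facing"):
        score *= 1.2  # assumed weight for internet exposure
    return round(score, 2)


def correlate(sbom_text=SBOM_JSON, feed=VULN_FEED, asset_context=ASSET_CONTEXT):
    """Map each SBOM component to its matched vulnerabilities and risk score."""
    results = {}
    for name, version in load_components(sbom_text):
        vulns = match_vulns(name, version, feed)
        results[name] = {
            "version": version,
            "vulns": [v["id"] for v in vulns],
            "risk": risk_score(vulns, asset_context.get(name, {})),
        }
    return results


def prioritized(sbom_text=SBOM_JSON, feed=VULN_FEED, asset_context=ASSET_CONTEXT):
    """Component names ordered by descending risk, as a triage queue would consume them."""
    results = correlate(sbom_text, feed, asset_context)
    return sorted(results, key=lambda n: results[n]["risk"], reverse=True)


if __name__ == "__main__":
    scored = correlate()
    for name in prioritized():
        print(name, scored[name])
```

The version comparison is deliberately naive (numeric dot-separated versions only); a production pipeline would use the ecosystem's own version semantics and match on package URLs rather than bare names, which is where most SBOM-to-feed correlation errors come from.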
- Canadian Hospitals Hit by Ransomware: DAIXIN Team Claims Responsibility for Data Breach
Recently, five Canadian hospitals became victims of a ransomware attack, leading to the leak of alleged stolen data. The affected institutions include Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, and Windsor Regional Hospital. This cyberattack targeted TransForm Shared Service Organization, a non-profit IT service provider for these hospitals, in October.
TransForm discovered that the attackers had breached a file server containing employee data and also accessed a shared drive used by the hospitals. The organization has firmly decided against paying the ransom, stating, “We did not pay a ransom and we are aware that data connected to the cyber incident has been published.” Following the incident, TransForm notified law enforcement authorities, including local and provincial police, Interpol, the FBI, and regulatory bodies like the Ontario Information and Privacy Commissioner. The full extent of the breach is still under investigation.
Bluewater Health confirmed the theft of a database with details of 5.6 million patient visits, affecting roughly 267,000 patients. Chatham-Kent Health Alliance reported unauthorized access to data of 1,446 employees, including sensitive personal information. Erie Shores HealthCare noted the theft of social insurance numbers for 352 current and former employees.
Windsor Regional Hospital experienced a breach of a shared drive used by staff and some patients, with limited patient information and employee schedules being compromised. However, the hospital believes no social insurance or banking details were stolen. Hôtel-Dieu Grace Healthcare also reported a breach involving patient and employee information on a shared drive, although crucial data like social insurance and banking information were not included in the breach.
The DAIXIN Team, a known ransomware and data extortion group, has taken responsibility for these attacks. This group has been active since at least June 2022, predominantly targeting the Healthcare and Public Health sector. The group primarily deploys ransomware, exfiltrating personally identifiable information and patient health information, and threatens to release the data unless a ransom is paid. The DAIXIN Team typically gains initial access through virtual private network servers, exploiting vulnerabilities or using compromised credentials obtained through phishing attacks. Once inside, they move laterally using Secure Shell and Remote Desktop Protocol, escalating privileges to deploy ransomware.
An alert from CISA, the FBI, and the Department of Health and Human Services includes indicators of compromise and details on the DAIXIN Team’s tactics and techniques. The federal agencies have warned that this group is actively targeting U.S. businesses, especially in the healthcare sector, with their ransomware operations.
- CVSS 4.0 Released
The recent release of the Common Vulnerability Scoring System (CVSS) version 4.0 marks a significant step forward in enabling organizations to more effectively assess and manage the risks posed by security vulnerabilities in their unique environments. The efficacy of CVSS 4.0, however, hinges on the extent to which organizations are willing and able to utilize its comprehensive new metrics for more informed vulnerability prioritization.
Callie Guenther, a senior manager at Critical Start, highlights that CVSS 4.0 moves beyond the generalized risk assessments of previous versions. It offers a dynamic, context-sensitive evaluation that more accurately reflects the real-world risk a vulnerability presents, considering the current threat landscape and specific environmental factors. The Forum of Incident Response and Security Teams (FIRST), the maintainer of CVSS, unveiled CVSS 4.0, emphasizing several new metrics. These metrics enable analysts to account for not only a vulnerability’s technical severity but also additional factors like the availability of proof-of-concept code or active exploit activities. This approach allows for more precise adjustments to a vulnerability’s severity score tailored to specific environments.
CVSS 4.0 also introduces new components to the base metric, such as considering attack requirements in vulnerability assessments. According to Guenther, this allows for a multi-layered vulnerability assessment, taking into account inherent risks, current threats, and specific environmental factors for a customized risk management approach. Additionally, CVSS 4.0 offers a more detailed view of a vulnerability’s potential scope, including supply chain risks. It allows teams to evaluate the impact of a vulnerability on specific systems and any connected downstream systems, a refinement over the previous version’s general impact assessment.
Mayuresh Dani, a security research manager at Qualys, points out that CVSS 4.0 breaks down metrics further to include confidentiality, integrity, and availability for both the vulnerable system and subsequent systems. This provides a more nuanced understanding of the impact based on both the directly affected system and the subsequent systems it can reach. Supplemental metrics in CVSS 4.0, such as automated exploitability or physical safety risks, offer additional context, particularly relevant in operational technology and industrial control system environments. When combined with tools like the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog and FIRST’s Exploit Prediction Scoring System, CVSS 4.0 can significantly enhance vulnerability management.
Patrick Garrity, a senior researcher at Nucleus, cautions that while scoring systems can guide, they are not definitive solutions. They should be complemented by threat intelligence and human analysis for optimal decision-making. With the introduction of CVSS 4.0, there is a possibility of an increase in overall vulnerability scores, as observed with the transition from CVSS 2 to 3. Garrity’s rescoring of vulnerabilities using CVSS 4.0 suggests a trend towards higher classifications. Thus, it is imperative for organizations to consider factors beyond the base score, such as asset value and exploitability, for determining remediation priorities.
Organizations should also be cautious about directly comparing scores across different CVSS versions due to varying criteria. Guenther advises that the context and specifics of the metrics should guide prioritization rather than relying solely on the score. This nuanced approach of CVSS 4.0 allows for a more comprehensive risk analysis and more effective vulnerability management strategies.
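The metric groups discussed above (Base with Attack Requirements and split Vulnerable/Subsequent System impact, Threat, Environmental, and Supplemental) are all encoded in the CVSS 4.0 vector string. The following added example, which is not FIRST's reference implementation, parses and validates such a vector, fills in the "Not Defined" defaults, names the score family the specification uses (CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE), and refuses vectors from other CVSS versions so scores are never compared across versions by accident. It deliberately does not compute the numeric score, which requires the specification's lookup tables; the allowed metric values are taken from the CVSS v4.0 specification.

```python
"""Parse and validate a CVSS v4.0 vector string and report which metric groups
(Base, Threat, Environmental, Supplemental) it carries.  Added example, not
FIRST's reference implementation.  It does not compute the numeric score
(that needs the specification's lookup tables); it exposes the structure the
text describes and refuses to mix CVSS versions."""

# Allowed values per metric, taken from the CVSS v4.0 specification.
# "X" (Not Defined) is the default for every non-Base metric.
BASE = {
    "AV": ("N", "A", "L", "P"), "AC": ("L", "H"), "AT": ("N", "P"),
    "PR": ("N", "L", "H"), "UI": ("N", "P", "A"),
    # Vulnerable System impact
    "VC": ("H", "L", "N"), "VI": ("H", "L", "N"), "VA": ("H", "L", "N"),
    # Subsequent System impact
    "SC": ("H", "L", "N"), "SI": ("H", "L", "N"), "SA": ("H", "L", "N"),
}
THREAT = {"E": ("X", "A", "P", "U")}  # Exploit Maturity
ENVIRONMENTAL = {
    "CR": ("X", "H", "M", "L"), "IR": ("X", "H", "M", "L"), "AR": ("X", "H", "M", "L"),
    "MAV": ("X", "N", "A", "L", "P"), "MAC": ("X", "L", "H"), "MAT": ("X", "N", "P"),
    "MPR": ("X", "N", "L", "H"), "MUI": ("X", "N", "P", "A"),
    "MVC": ("X", "H", "L", "N"), "MVI": ("X", "H", "L", "N"), "MVA": ("X", "H", "L", "N"),
    "MSC": ("X", "H", "L", "N"), "MSI": ("X", "S", "H", "L", "N"), "MSA": ("X", "S", "H", "L", "N"),
}
SUPPLEMENTAL = {
    "S": ("X", "N", "P"),                          # Safety
    "AU": ("X", "N", "Y"),                         # Automatable
    "R": ("X", "A", "U", "I"),                     # Recovery
    "V": ("X", "D", "C"),                          # Value Density
    "RE": ("X", "L", "M", "H"),                    # Vulnerability Response Effort
    "U": ("X", "Clear", "Green", "Amber", "Red"),  # Provider Urgency
}
GROUPS = {"base": BASE, "threat": THREAT, "environmental": ENVIRONMENTAL, "supplemental": SUPPLEMENTAL}


def parse_vector(vector):
    """Validate a CVSS:4.0 vector; return {group: {metric: value}} with defaults filled in."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS 4.0 vector (prefix {parts[0]!r}); "
                         "scores are not comparable across versions")
    seen = {}
    for part in parts[1:]:
        if ":" not in part:
            raise ValueError(f"malformed metric {part!r}")
        key, value = part.split(":", 1)
        group = next((g for g, table in GROUPS.items() if key in table), None)
        if group is None:
            raise ValueError(f"unknown metric {key!r}")
        if value not in GROUPS[group][key]:
            raise ValueError(f"invalid value {value!r} for {key}")
        if key in seen:
            raise ValueError(f"duplicate metric {key!r}")
        seen[key] = value
    missing = [m for m in BASE if m not in seen]
    if missing:
        raise ValueError(f"missing Base metrics: {missing}")
    return {group: {m: seen.get(m, "X") for m in table} for group, table in GROUPS.items()}


def nomenclature(vector):
    """Name the score family as the spec does: CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE."""
    parsed = parse_vector(vector)
    name = "CVSS-B"
    if any(v != "X" for v in parsed["threat"].values()):
        name += "T"
    if any(v != "X" for v in parsed["environmental"].values()):
        name += "E"
    return name


def subsequent_system_impacted(vector):
    """True when the vector records impact beyond the vulnerable system (SC/SI/SA not all N)."""
    base = parse_vector(vector)["base"]
    return any(base[m] != "N" for m in ("SC", "SI", "SA"))


if __name__ == "__main__":
    v = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/AU:Y"
    print(nomenclature(v), parse_vector(v)["supplemental"])
```

Because Supplemental metrics never change the score, `nomenclature` ignores them; a vulnerability management pipeline would read them separately (for example `AU:Y` or `S:P`) as the extra context the text describes for OT and ICS environments.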
- Microsoft Introduces Enhanced Security Measures with Mandatory MFA for Admin Portals
Microsoft is set to implement a significant security update by introducing Conditional Access policies that will mandate multifactor authentication (MFA) for administrators accessing various Microsoft admin portals, including Microsoft Entra, Microsoft 365, Exchange, and Azure. In addition to requiring MFA for administrators, Microsoft is also launching policies to enforce MFA for individual MFA users across all cloud applications. Furthermore, a specialized policy for high-risk sign-ins will be available exclusively for Microsoft Entra ID Premium Plan 2 customers.
Starting next week, these Microsoft-managed policies will be progressively added to eligible Microsoft Entra tenants in a report-only mode. Administrators will have a 90-day window post-rollout to evaluate and decide whether to activate these policies on their tenants. If not disabled within this period, Microsoft will automatically activate these Conditional Access policies.
Alex Weinert, Microsoft’s Vice President for Identity Security, emphasizes the importance of the first policy, strongly recommending—and planning to deploy—MFA protection for all user access to key admin portals. He also notes that opting out of these policies is possible, but Microsoft teams will increasingly mandate MFA for specific interactions, as is already the case in certain Azure subscription management scenarios, Partner Center, and Microsoft Intune device enrollment. Administrators with the Conditional Access Administrator role will be able to locate these new policies in the Microsoft Entra admin center under Protection > Conditional Access > Policies. They have the flexibility to modify the state of these policies (On, Off, or Report-only) and to exclude certain identities (Users, Groups, and Roles) within the policy.
Microsoft advises excluding emergency access or break-glass accounts from these policies, in line with standard practices for other Conditional Access policies. Additionally, organizations have the option to further tailor these policies by cloning them and modifying them as needed, starting from Microsoft-recommended defaults. Weinert highlights Microsoft’s commitment to achieving 100% multifactor authentication usage, citing formal studies that show MFA significantly reduces the risk of account takeovers by over 99%. The ultimate aim is to merge machine learning-based policy insights and automated policy rollout to fortify security postures with the appropriate controls.
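Administrators reviewing these policies during the 90-day window can script the two checks the article calls out: which policies are still in Report-only state, and whether every MFA-enforcing policy excludes the break-glass accounts. The following added example (not Microsoft code) runs those checks over policy objects shaped like the Microsoft Graph `conditionalAccessPolicy` resource (`state`, `conditions.users`, `grantControls.builtInControls`); the policy objects are constructed samples and every object ID and role template ID in them is a placeholder.

```python
"""Audit Conditional Access policy objects: list each policy's state and flag
MFA-enforcing policies that do not exclude the break-glass accounts.  Added
example, not Microsoft code.  The policies are constructed samples following
the field names of the Microsoft Graph conditionalAccessPolicy resource;
every ID below is a placeholder."""

# Placeholder object IDs of the emergency-access accounts (assumption).
BREAK_GLASS_IDS = {"<break-glass-account-1-id>", "<break-glass-account-2-id>"}

# Constructed policies in the shape returned by GET /identity/conditionalAccess/policies.
POLICIES = [
    {
        "displayName": "Require MFA for admin portals",
        "state": "enabledForReportingButNotEnforced",  # Report-only
        "conditions": {
            "users": {"includeRoles": ["<admin-role-template-id>"],
                      "excludeUsers": ["<break-glass-account-1-id>", "<break-glass-account-2-id>"]},
            "applications": {"includeApplications": ["<admin-portals-app-id>"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require MFA for per-user MFA users",
        "state": "enabled",  # On, but only one break-glass account is excluded
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-account-1-id>"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Legacy block policy",
        "state": "disabled",  # Off; not an MFA policy, so no exclusion check applies
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

# Graph state values mapped to the labels shown in the Entra admin center.
STATE_LABELS = {
    "enabled": "On",
    "disabled": "Off",
    "enabledForReportingButNotEnforced": "Report-only",
}


def enforces_mfa(policy):
    """True if the policy's grant controls require multifactor authentication."""
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    return "mfa" in controls


def missing_break_glass_exclusions(policy, break_glass_ids=BREAK_GLASS_IDS):
    """Break-glass account IDs that the policy does not list under excludeUsers."""
    excluded = set(policy["conditions"]["users"].get("excludeUsers", []))
    return sorted(break_glass_ids - excluded)


def audit(policies=POLICIES, break_glass_ids=BREAK_GLASS_IDS):
    """One finding per policy: state label, whether it enforces MFA, and missing exclusions."""
    findings = []
    for policy in policies:
        finding = {
            "name": policy["displayName"],
            "state": STATE_LABELS.get(policy["state"], policy["state"]),
            "mfa": enforces_mfa(policy),
            "missing_exclusions": [],
        }
        # A disabled policy cannot lock anyone out, so only check live or report-only ones.
        if finding["mfa"] and policy["state"] != "disabled":
            finding["missing_exclusions"] = missing_break_glass_exclusions(policy, break_glass_ids)
        findings.append(finding)
    return findings


def pending_review(policies=POLICIES):
    """Policies still in Report-only state, which will be switched on unless a decision is made."""
    return [p["displayName"] for p in policies
            if p["state"] == "enabledForReportingButNotEnforced"]


if __name__ == "__main__":
    for f in audit():
        flag = "  <- add break-glass exclusions" if f["missing_exclusions"] else ""
        print(f"{f['name']}: {f['state']}, MFA={f['mfa']}{flag}")
    print("pending review:", pending_review())
```

The second sample policy is the case worth catching before the automatic activation: it is already On and only half of the emergency-access accounts are excluded, so a lost MFA device on the remaining account would lock out the tenant's last-resort login.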