Canary Trap’s Bi-Weekly Cyber Roundup
Welcome to this week’s edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity, and this bi-weekly publication is your gateway to the latest news.
In this edition, the highlights include ethical hackers uncovering vulnerabilities in U.S. water infrastructure at DEF CON, a cyberattack disrupting gambling giant IGT, and a new Senate bill aiming to bolster healthcare cybersecurity. We’ll also dive into ongoing campaigns targeting Palo Alto Networks devices, a bold “nearest neighbor attack” exploiting Wi-Fi from Russia, and the Justice Department’s takedown of the Scattered Spider phishing ring. Stay informed on the latest developments shaping the cybersecurity world!
-
Volunteer DEF CON Hackers Dive Into America’s Leaky Water Infrastructure
A new initiative aims to bolster the cybersecurity of America’s critical infrastructure by enlisting ethical hackers to identify and address vulnerabilities. The program, known as the Franklin Project, has officially launched with six U.S. water companies participating, allowing skilled hackers to test their systems and recommend security improvements.
Unveiled at this year’s DEF CON conference, the Franklin Project is designed to strengthen the resilience of critical systems against cyberattacks. It also aims to document the lessons learned in an annual “Hacker’s Almanac,” providing a valuable resource for others to build their cybersecurity expertise. Jeff Moss, DEF CON’s founder, highlighted the initiative’s dual purpose: enhancing national cybersecurity defenses and fostering collaboration between hackers and infrastructure providers.
The project is now moving forward through a collaboration between the University of Chicago Harris School of Public Policy’s Cyber Policy Initiative (CPI) and the National Rural Water Association (NRWA). Together, they are deploying top cybersecurity experts to assess and enhance the security of water companies in Utah, Vermont, Indiana, and Oregon. These efforts will include identifying vulnerabilities, implementing fixes, and sharing knowledge to strengthen defenses across the industry.
Paul Chang, program director, compared the project to DEF CON’s earlier efforts to address voting machine vulnerabilities but noted that the water sector presents a much greater challenge. Unlike voting machines, where a few manufacturers dominate the market, the U.S. has around 50,000 water suppliers, each with unique IT systems. Volunteers, ranging from students to seasoned professionals with decades of experience, will work closely with water companies to strengthen their cybersecurity measures.
The importance of this initiative is underscored by ongoing threats from nation-states such as China, Russia, and Iran, which have been known to target U.S. critical infrastructure. Water systems, in particular, represent a high-value target in potential conflicts. NRWA CEO Matt Holmes emphasized the growing risks faced by the water sector, particularly for small community systems that make up the majority of U.S. water providers. “Over 91 percent of the approximately 50,000 community water systems in the U.S. are small, serving fewer than 10,000 people,” Holmes said. “This partnership delivers essential cybersecurity tools to rural America, enabling these communities to assess, prepare for, and respond to potential cyberattacks.”
-
A Cyberattack on Gambling Giant IGT Disrupted Portions of its IT Systems
A cyberattack targeting International Game Technology (IGT), a global leader in gambling technology, caused disruptions across its systems, prompting the company to disable certain services as a precaution. IGT, known for producing slot machines and other gaming technologies, detected unauthorized access to its systems on November 17, 2024. In response, the company swiftly activated its cybersecurity incident response protocols.
According to a filing with the U.S. Securities and Exchange Commission (SEC), the company confirmed that the attack disrupted portions of its internal IT infrastructure. “On November 17, 2024, International Game Technology PLC became aware that an unauthorized third party gained access to certain of its systems, resulting in disruptions to portions of its internal information technology systems and applications,” the filing noted. IGT also launched an investigation with external experts and proactively took some systems offline to limit potential harm while working to restore functionality.
Although IGT has not disclosed specifics about the nature of the attack, the measures taken suggest it may have involved ransomware.
-
Stronger Cyber Protections in Health Care Targeted in New Senate Bill
A bipartisan group of U.S. Senators introduced legislation on Friday aimed at bolstering cybersecurity protections and safeguarding health data within the healthcare sector. The “Health Care Cybersecurity and Resiliency Act of 2024 (S.5390)” represents a year-long collaboration among Senators Bill Cassidy (R-La.), Maggie Hassan (D-N.H.), John Cornyn (R-Texas), and Mark Warner (D-Va.). This initiative follows the formation of a working group in November 2023 under the Senate Health, Education, Labor, and Pensions Committee to address the escalating cyber risks faced by the healthcare industry.
The legislation responds to alarming statistics from the Department of Health and Human Services, revealing that over 89 million Americans had their health information compromised in 2023—more than double the breaches reported in 2022. “In today’s digital age, protecting Americans’ health data is critical,” Senator Cornyn emphasized in a statement. “This practical bill will modernize cybersecurity practices across healthcare institutions, enhance inter-agency collaboration, and equip rural providers with tools to combat and respond to cyberattacks.” Senator Cassidy echoed these concerns, stating, “Cyberattacks not only jeopardize patients’ sensitive health information but can also delay critical, life-saving care. This bipartisan measure ensures that healthcare institutions are better equipped to shield Americans’ health data from increasing cyber threats.”
Key components of the bill include enhanced coordination between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA). This partnership aims to improve the sector’s ability to prevent and respond to cyberattacks. The bill also mandates the HHS Secretary to develop a comprehensive cyber incident response plan within a year of enactment, with input from CISA, the Office of Management and Budget (OMB), and the National Institute of Standards and Technology (NIST). The legislation calls for updates to existing regulations under the Health Insurance Portability and Accountability Act (HIPAA) to ensure compliance with modern cybersecurity best practices. Additional provisions include grants to healthcare providers to enhance their cyber resilience, training programs on cybersecurity best practices, and dedicated support for rural health clinics in mitigating breaches and enhancing their defenses.
This bill builds on earlier efforts by Senator Warner, who, alongside Senator Ron Wyden (D-Ore.), introduced legislation to establish minimum cybersecurity standards for healthcare providers and plans. That proposal was prompted by the February ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group, which impacted 100 million Americans and forced the company to rebuild its IT systems. “Cyberattacks on healthcare organizations not only compromise personal data but can also disrupt care, leading to life-and-death situations,” Senator Warner remarked.
-
Over 2,000 Palo Alto Networks Devices Hacked in Ongoing Attack Campaign
Approximately 2,000 Palo Alto Networks devices are believed to have been compromised in a campaign exploiting newly discovered vulnerabilities currently under active attack.
Data from the Shadowserver Foundation indicates that most incidents have been reported in the U.S. (554) and India (461), with additional cases in Thailand (80), Mexico (48), Indonesia (43), Turkey (41), the U.K. (39), Peru (36), and South Africa (35). Censys recently reported finding 13,324 publicly exposed management interfaces for next-generation firewalls (NGFW), with 34% located in the U.S. However, not all of these exposed systems are necessarily vulnerable to exploitation.
The two critical flaws in question, CVE-2024-0012 (CVSS score: 9.3) and CVE-2024-9474 (CVSS score: 6.9), allow for authentication bypass and privilege escalation. Attackers could exploit these vulnerabilities to modify configurations or execute arbitrary code. Palo Alto Networks has designated this campaign as *Operation Lunar Peek* and confirmed that the vulnerabilities are being used to achieve command execution and deploy malicious software, including PHP-based web shells, on compromised firewalls.
The company has warned that exploitation efforts are likely to increase, especially following the release of an exploit that chains both vulnerabilities. Palo Alto Networks stated that a functional exploit is likely circulating, enabling more widespread attacks. Both manual and automated scanning for vulnerable systems have been observed, emphasizing the urgency for organizations to apply the latest security updates and restrict management interface access to trusted internal IP addresses.
Palo Alto Networks clarified that the actual number of compromised devices is likely lower than the Shadowserver Foundation’s estimates, as their data includes all exposed management interfaces, not just vulnerable ones. The company also noted that less than 0.5% of its firewalls have management interfaces exposed to the internet, thanks to adherence to industry best practices among most customers.
Organizations are strongly encouraged to implement the latest patches and follow best practices for securing management interfaces to mitigate these threats.
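A concrete way to act on the last recommendation (restricting management-interface access to trusted internal addresses) is to audit the permitted-source lists across a firewall fleet. The script below is an added example written for this roundup; it is not Palo Alto Networks' code and uses a constructed inventory in which each device maps to the CIDRs allowed to reach its management interface. It deliberately compares against an explicit RFC 1918 / ULA list rather than Python's `is_private`, because that property treats `0.0.0.0/0` and the documentation ranges such as `203.0.113.0/24` inconsistently across interpreter versions.

```python
"""Audit firewall management-interface permit lists.

Added example (not vendor code). INVENTORY is constructed for illustration:
hostname -> list of source CIDRs permitted to reach the management plane.
A device passes only if every permitted source sits inside RFC 1918 (IPv4)
or fc00::/7 (IPv6 ULA) space; an empty permit list means 'no restriction'.
"""
import ipaddress

# Constructed inventory; the hostnames and ranges are illustrative.
INVENTORY = {
    "fw-hq-01": ["10.10.0.0/16", "192.168.50.0/24"],     # internal only
    "fw-branch-07": ["0.0.0.0/0"],                         # open to the internet
    "fw-dc-02": ["10.20.0.0/16", "203.0.113.0/24"],        # one non-private range
    "fw-lab-03": [],                                       # nothing configured
}

# Address space a management interface may legitimately be reached from.
TRUSTED = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


def is_trusted(net):
    """True if net is wholly contained in one of the trusted ranges.
    subnet_of() raises on mixed IP versions, so compare same-version only."""
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED)


def exposed_sources(permitted):
    """Return the permitted networks that fall outside trusted space.

    An empty permit list is reported as 0.0.0.0/0: with no restriction
    configured the interface is reachable from anywhere it is routed.
    """
    if not permitted:
        return ["0.0.0.0/0"]
    exposed = []
    for cidr in permitted:
        net = ipaddress.ip_network(cidr, strict=False)
        if not is_trusted(net):
            exposed.append(str(net))
    return exposed


def audit(inventory):
    """Map each failing device to the sources that expose it."""
    report = {}
    for host, permitted in inventory.items():
        bad = exposed_sources(permitted)
        if bad:
            report[host] = bad
    return report


if __name__ == "__main__":
    for host, bad in audit(INVENTORY).items():
        print(f"{host}: management interface reachable from {', '.join(bad)}")
```

Feeding this the exported permit lists from a real fleet (rather than the constructed inventory) gives a quick list of devices to fix first, independent of whether the exposed address is currently being scanned.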
-
Hackers Breach US Firm Over Wi-Fi From Russia in ‘Nearest Neighbor Attack’
Russian state-sponsored hacking group APT28 (also known as Fancy Bear, Forest Blizzard, or Sofacy) successfully breached a U.S. company’s enterprise WiFi network using a novel method dubbed the “nearest neighbor attack.” This sophisticated technique enabled the attackers to infiltrate their target from thousands of miles away.
The breach was discovered on February 4, 2022, when cybersecurity firm Volexity identified unauthorized activity on a server belonging to a client in Washington, D.C., involved in Ukraine-related work. APT28, affiliated with Russia’s GRU military intelligence unit, has been conducting cyber operations since at least 2004 and is tracked by Volexity.
In this attack, the hackers initially obtained credentials for the target’s WiFi network through password-spraying attacks on public-facing services. However, multi-factor authentication (MFA) on these systems prevented the use of these credentials remotely. Recognizing the challenge of connecting to the network from such a distance, the attackers adopted a creative approach: they compromised an organization in a nearby building within the WiFi signal range of the primary target.
By exploiting devices with dual-network capabilities (e.g., laptops or routers connected to both wired and wireless networks), the hackers used the compromised neighboring organization as a pivot point to access the target’s WiFi. They ultimately identified a device that connected to three wireless access points near the target’s conference room.
Once inside the network, APT28 employed lateral movement tactics to locate sensitive systems and exfiltrate data. Using remote desktop connections (RDP) and native Windows tools, the attackers minimized their footprint. They executed scripts like servtask.bat to extract and compress Windows registry hives (SAM, Security, and System) into ZIP files for exfiltration.
Volexity’s investigation revealed that APT28 likely targeted this organization to gather intelligence on Ukraine-related activities. Despite initial challenges in attributing the attack, a subsequent Microsoft report in April linked the indicators of compromise (IoCs) to APT28. The report also suggested the hackers may have used the Windows Print Spooler vulnerability (CVE-2022-38028) as a zero-day exploit to escalate privileges within the target’s network.
APT28’s “nearest neighbor attack” demonstrates that close-access operations, traditionally requiring physical proximity to a target (e.g., being in a nearby parking lot), can now be conducted remotely. This approach reduces the risk of physical detection while maintaining the effectiveness of the attack. The incident underscores the need for organizations to treat corporate WiFi networks with the same level of security as internet-facing systems, incorporating robust protections such as MFA, network segmentation, and device monitoring to mitigate similar risks.
-
U.S. Justice Department Cracks Down on Scattered Spider Phishing Ring
The United States Department of Justice (DOJ) has unveiled charges against five individuals accused of executing advanced phishing schemes connected to the Scattered Spider cybercrime group. These operations, which have led to the theft of millions of dollars in cryptocurrency and sensitive corporate information, highlight the persistent risks posed by organized cybercriminal enterprises.
Scattered Spider has garnered attention for its involvement in high-profile cyberattacks, such as the ransomware assault on MGM Casino in 2023 that caused significant operational disruptions. The group is notorious for its credential-phishing tactics, which enable them to infiltrate corporate systems, exfiltrate sensitive data, and deploy ransomware. According to the DOJ, the five defendants face charges for their alleged involvement in phishing attacks, data theft, cryptocurrency theft, and ransomware deployment.
The DOJ revealed that between September 2021 and April 2023, the group sent phishing text messages (via SMS) to employees of targeted companies. These messages impersonated legitimate organizations, claiming users’ accounts were at risk of deactivation and directing them to phishing websites. Once on these counterfeit sites, victims often unknowingly provided their login credentials and even authenticated two-factor verification requests sent to their devices.
The stolen credentials allowed the group to infiltrate corporate systems, exfiltrate proprietary information, and compromise cryptocurrency accounts, leading to the theft of millions in digital assets.
If convicted, the defendants could face significant sentences, including up to 20 years in prison for conspiracy to commit wire fraud and an additional two years for aggravated identity theft.
References:
https://www.theregister.com/2024/11/24/water_defcon_hacker/
https://securityaffairs.com/171311/hacking/cyberattack-on-gambling-giant-igt.html
https://cyberscoop.com/senate-cybersecurity-health-care-data-bill/
https://thehackernews.com/2024/11/warning-over-2000-palo-alto-networks.html
https://www.secureworld.io/industry-news/doj-scattered-spider-phishing-ring