Intelphreak - 21:00Z June 18th, 2024
Microsoft Whistleblower, Sygnia Uncovers China-Linked Threat Actor, UK Hospitals Need Trainees’ Help After Cyber Attack, Talos Intelligence Has Identified a Pakistani APT Targeting Indian Entities, VulnCheck Report Shows 90% Increase in Disclosed Exploited Vulnerabilities Since April
BLUF: Former Microsoft Security Researcher Blows the Whistle, Sygnia Uncovers China-Linked Threat Actor Velvet Ant, UK Hospitals Need Trainees’ Help After Cyber Attack, Talos Intelligence Has Identified a Pakistani APT Targeting Indian Entities, VulnCheck Report Shows 90% Increase in Disclosed Exploited Vulnerabilities Since April
BEGIN TEARLINE
[National Security] Microsoft Whistleblower:
Microsoft’s whistleblower Andrew Harris says anyone using Microsoft’s cloud services is at risk of having data accessed by unauthorized users [1]. After years of performing security research for the company, he claims to have discovered a flaw that allows hackers to masquerade as legitimate employees and gain access to classified information. His colleagues urged him to stay quiet about the flaw because there would be “tremendous financial consequences”: the US Federal Government was about to make a huge investment in cloud services. Microsoft’s president at the time told Congress in 2021 that “there was no vulnerability in any Microsoft product or service that was exploited (in SolarWinds)”.
AC: This account, if true, brings a whole new context to the SolarWinds attack, especially if your cloud holds government information. This same flaw was exploited during the famous SolarWinds cyber attack. Microsoft has declined to comment but has not disputed the account. Interviews with former colleagues of Harris support his claims.
[National Security] Velvet Ant Threat Actor:
Sygnia has conducted an in-depth forensic analysis of a cyber attack that led to the discovery of a state-sponsored APT with ties to China, named Velvet Ant [4]. The group infiltrated the target organization’s on-premises network for the purposes of espionage for 3 years. One mechanism of persistence was a legacy F5 BIG-IP appliance that was exposed to the internet; the threat actor used it as a Command & Control server. The long period of persistence, combined with the advanced methods used by the group, allowed them to detect when their persistence was compromised and to pivot to new infiltration mechanisms using what they had learned about the infrastructure.
AC: This report outlines the degree of threat posed by state-sponsored actors targeting large organizations. Because the techniques have become so advanced, it can be difficult to harden systems against these threats. Sygnia recommends a broad approach that combines constant monitoring, regular proactive threat hunting, hardening of all legacy and internet-facing devices, and strict controls on all network traffic.
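One concrete form the “strict controls on all network traffic” recommendation can take is an egress audit for the appliances you already know are internet-facing: a legacy edge device should only ever initiate a short, fixed list of outbound connections (NTP, logging, updates), so anything else it initiates, and any management-port access from outside the internal ranges, is worth a ticket. The script below is an added example written for this report, not code from Sygnia or from F5. The log format, the appliance inventory, the allowlist and every IP address in it are constructed for illustration.

```python
import ipaddress
import re

# Constructed firewall log format (an assumption, not any vendor's real format):
# <timestamp> <ALLOW|DENY> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed inventory: internet-facing appliances that should only initiate
# a narrow, known set of outbound connections. Keys are (dst_ip, dst_port, proto).
APPLIANCES = {"203.0.113.10": "legacy-edge-appliance"}
EXPECTED_OUTBOUND = {
    "203.0.113.10": {("192.0.2.53", 123, "udp"),   # NTP
                     ("192.0.2.60", 514, "udp")},  # syslog forwarding
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # where admins are expected to come from
MGMT_PORTS = {22, 443, 8443}                    # management services on the appliance

# Constructed sample log: one expected NTP flow, one unexpected egress to an
# internet host, one management login from the internet, one legitimate admin
# session from inside, one denied appliance-to-internal SMB attempt, one junk line.
SAMPLE_LOG = """\
2024-06-18T20:55:01Z ALLOW src=203.0.113.10:40001 dst=192.0.2.53:123 proto=udp
2024-06-18T20:55:07Z ALLOW src=203.0.113.10:40002 dst=198.51.100.77:443 proto=tcp
2024-06-18T20:55:09Z ALLOW src=198.51.100.77:51000 dst=203.0.113.10:8443 proto=tcp
2024-06-18T20:55:12Z ALLOW src=10.0.4.20:52000 dst=203.0.113.10:443 proto=tcp
2024-06-18T20:55:20Z DENY src=203.0.113.10:40003 dst=10.0.5.9:445 proto=tcp
this line is not a firewall event
"""


def parse_line(line):
    """Return a dict for a well-formed event, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def audit(lines):
    """Flag appliance-initiated flows outside the allowlist (allowed or denied,
    since a blocked attempt from an appliance is itself a signal) and any
    management-port access to an appliance from a non-internal source."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, dst = ev["src"], ev["dst"]
        if src in APPLIANCES:
            key = (dst, ev["dport"], ev["proto"])
            if key not in EXPECTED_OUTBOUND.get(src, set()):
                findings.append({
                    "rule": "unexpected-appliance-egress",
                    "host": APPLIANCES[src],
                    "dst": f"{dst}:{ev['dport']}/{ev['proto']}",
                    "action": ev["action"],
                    "ts": ev["ts"],
                })
        if dst in APPLIANCES and ev["dport"] in MGMT_PORTS \
                and ipaddress.ip_address(src) not in INTERNAL:
            findings.append({
                "rule": "mgmt-port-from-internet",
                "host": APPLIANCES[dst],
                "src": src,
                "action": ev["action"],
                "ts": ev["ts"],
            })
    return findings


def summarize(findings):
    """Count findings per rule, the shape a dashboard or daily hunt report wants."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_LOG.splitlines())
    for f in results:
        print(f)
    print(summarize(results))
```

Run against the constructed sample it reports three findings: the appliance reaching an internet host on 443, a management login to the appliance from that same internet host, and the denied attempt by the appliance to reach an internal host on SMB. Denied flows are deliberately kept in scope: a block rule stopping an edge appliance from talking to an internal file server is exactly the kind of event an allow-only audit would hide.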
[Cybercrime] UK Hospitals Need Help After Cyber Attack:
A ransomware attack on Synnovis, a pathology firm, has snowballed into several hospitals in London being unable to process blood transfusions and pathology testing [5]. An email to all trainees asking for help carrying out pathology services manually is the most recent development [5]. The attack, carried out by a threat actor calling themselves Qilin, is thought to be Russian in origin. A spokesperson from NHS London has stated that all patients who have not been contacted yet should continue to attend their appointments.
AC: Another targeted ransomware attack has taken out critical processes at multiple medical facilities that serve a densely populated metropolitan area. While this is alarming, operations are mostly continuing smoothly apart from some cancelled and rescheduled appointments. Manual documentation and delivery methods have helped keep medical services running in the meantime. The disruption will continue for a few weeks while the NHS coordinates a response.
[Cybercrime] Operation Celestial Force:
Talos has identified an APT operating Android and Windows malware out of Pakistan [2]. Since 2018, Operation Celestial Force has been using an Android-based malware named GravityRAT. Talos also uncovered a malware named “HeavyLift”. GravityAdmin is the panel software used to manage the several attack campaigns. The goal of the operation is mostly espionage and surveillance.
AC: It is wise to check your endpoints to ensure they are not infected. Installing the latest security updates on all Android and Windows devices is recommended, and regular training to counter social engineering and phishing is highly advised. The main targets of this operation appear to be Indian entities. The methods and targeting align with a similar threat actor, Transparent Tribe.
[Research] May VulnCheck Exploited Vulnerabilities Report:
VulnCheck researched 103 CVEs that were publicly disclosed as exploited in the wild for the first time [3]. Among the most exploited software were Google Chrome, Microsoft Windows, Apple Safari, and Adobe Acrobat Reader. The report’s graph shows just how many more KEVs were reported outside of CISA recently.
AC: This report was surprising in that it shows just how many more KEVs were reported through VulnCheck KEV than through CISA KEV. The numbers tell a tale of why the security community must come together to share information on vulnerabilities. There are too many KEVs in the wild to rely on just one or two federal agencies to document them. Moving towards more openly sourced security research can help us stay ahead of the constantly evolving threat environment.
END TEARLINE
Final Analyst Comments:
Quite a busy week for cybersecurity news and research! The Microsoft whistleblower story is a big deal because it implies that two of the top cloud service providers were knowingly vulnerable to unauthorized access of sensitive (and classified) data. It is vital to ensure your organization has not suffered a compromise of confidentiality from this. The significant increase in publicly disclosed exploits seen in the wild is a trend in the right direction: with an ever-growing number of cyber attacks from criminals and state actors, the open dissemination of vulnerabilities and hardening techniques can help professionals gain an advantage. The more reporters we have, the more likely we are to catch a vulnerability before it is exploited. The cyber attack on the London hospital trusts shows how important proper security is to society. Thank you to all who gave constructive criticism and kind words regarding the first Intelphreak report. As I get the workflow ironed out, it will come out at the same time each week.
Analyst: ResidentGood
END REPORT
If you are interested in anything cybersecurity, come check out our Discord.
Sources:
1. https://www.propublica.org/article/microsoft-solarwinds-golden-saml-data-breach-russianhackers
2. https://blog.talosintelligence.com/cosmic-leopard/
3. https://vulncheck.com/blog/kev-report-may-2024
4. https://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/
5. https://www.bbc.com/news/articles/cljj1d2nz00o