Third-party risk leads to leaked securities data

The LOCKBIT ransomware group’s recent attack on Tyler Technologies, a third-party provider for the D.C. Department of Insurance, Securities and Banking (DISB), underscores the importance of understanding the risk posed by other parties in your supply chain. This incident reveals how attackers can leverage third-party services to access and compromise sensitive data.

Your cyber expert
Stephen Green

Threat Intelligence Lead | Cyber Risk

sgreen@thomasmurray.com

LOCKBIT gained access to Tyler Technologies’ private cloud environment, which stored DISB’s securities data (disb.dc.gov). Tyler Technologies says it detected the unauthorised activity in late March. It discovered that the threat actor had access to an isolated segment of its private cloud hosting environment, though says that it was able to quickly recover thanks to its ‘immutable back-ups’ (Tyler Technologies).

LOCKBIT published DISB on its shaming site on 13 April 2024 and threatened to publish the exfiltrated (stolen) data on 19 April. However, it appears that, in the absence of payment, LOCKBIT has auctioned this data off to an unknown party.

The attack emphasises the urgent need for enhanced security measures at every level of the supply chain, and the importance of knowing the cyber security posture of every third party in it. Attack surface management, third-party risk management (TPRM), rigorous security protocols, regular audits, and the rapid implementation of security patches should all be top priorities. Cyber criminals are exploiting third-party vulnerabilities more and more often, so it is essential that organisations extend their cyber security strategies to include all external partners, thereby fortifying their overall networks against such insidious threats.

Third-party breach of the World-Check database

The recent breach of the World-Check database, managed by the London Stock Exchange Group, also highlights significant cyber security vulnerabilities through third-party associations (TechCrunch). The hacker group GHOSTR accessed 5.3m records via a third-party company, exposing sensitive information that includes personal and financial details critical for “know your customer” checks.

This incident underscores the potential for massive security lapses in supply chains and the severe implications of such data leaks. Stolen data can be used for identity theft, financial fraud, and creating fake identities. Additionally, by impersonating or misusing the identities of individuals listed in the database, criminals could leverage this data to launder money or bypass sanctions.

The breach also risks compromising the integrity of compliance processes within financial institutions, potentially leading to regulatory penalties and loss of public trust.

FBI releases latest Internet Crime Complaint Center Report

The FBI Internet Crime Complaint Center (IC3) 2023 report states that reported cyber-crime losses reached US$12.5bn in 2023. The figure marks a 22% surge in reported losses compared to 2022.

In 2023, the FBI IC3 received a record number of complaints, totalling 880,418 – representing a nearly 10% increase in complaints received compared to the previous year.

This latest annual report notes that these figures are conservative as far as cyber crime in 2023 is concerned, as only a small percentage of victims reported incidents to law enforcement. According to the report, tech support scams and extortion crimes increased last year, while phishing, non-payment/non-delivery scams, and personal data breaches slightly decreased.

The most expensive type of crime monitored by IC3 this year is “investment scams,” which increased from $3.31bn in 2022 to $4.57bn in 2023 (+38%). The second most costly crime was business email compromise (BEC), which caused $2.9bn in losses. The FBI reports that investment frauds most often claimed victims aged 30 to 49, whereas tech support scams involving elderly victims constituted well over half of the losses recorded.

In 2023, IC3 received 2,825 ransomware complaints, resulting in adjusted losses exceeding $59.6m. The IC3 reported 1,193 ransomware complaints from organisations within a critical infrastructure sector. Among the 16 critical infrastructure sectors, IC3 reports indicated that 14 sectors had at least one member affected by a ransomware attack in 2023.

The five top ransomware variants reported to the IC3 that affected organisations in the critical infrastructure sector were LOCKBIT, ALPHV/BLACKCAT, AKIRA, ROYAL, and BLACK BASTA.

Addressing the critical CVE-2024-3400 vulnerability in PAN-OS

CVE-2024-3400, a severe vulnerability in Palo Alto Networks' PAN-OS, specifically impacts GlobalProtect gateway and portal configurations in versions 10.2, 11.0, and 11.1. This vulnerability allows for arbitrary file creation that leads to an OS command injection. Palo Alto Networks recommends upgrading to the latest patched versions immediately to mitigate potential security threats.

To detect potential exploitation of CVE-2024-3400, administrators can use specific commands on the PAN-OS CLI to inspect logs for unusual entries that could indicate exploitation attempts. For instance, searching for patterns in log entries where session information does not match expected formats might suggest malicious activity.

If the value does not look like a GUID but instead contains shell commands or a file path, this could be evidence of system exploitation (Palo Alto).
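The GUID check described above, written out as a small log triage script. This is an added example, not Palo Alto Networks' own tooling; it assumes the GlobalProtect service log lines carry the session value inside "failed to unmarshal session(...)" (taken from the vendor's published guidance), and the sample log lines are constructed, not captured from a real device.

```python
import re

# Constructed sample lines in the style of the GlobalProtect service log (gpsvc.log).
# Only the first "unmarshal" entry carries a well-formed GUID; the other two carry
# a file path and an embedded shell command, the two shapes the vendor guidance flags.
SAMPLE_LOG = """\
2024-04-15 10:01:02 gpsvc: failed to unmarshal session(3f2a9c1e-8b4d-4f60-9a1b-0c2d3e4f5a6b)
2024-04-15 10:02:17 gpsvc: failed to unmarshal session(../../../tmp/constructed_example)
2024-04-15 10:03:44 gpsvc: failed to unmarshal session(`echo test`)
2024-04-15 10:04:00 gpsvc: session established for user alice
"""

# 8-4-4-4-12 hex groups: the only shape a legitimate session identifier should take.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Assumed log wording; the capture group is the raw session value between the parentheses.
SESSION_RE = re.compile(r"failed to unmarshal session\((.*)\)")


def session_values(log_text):
    """Yield (line, value) for every 'failed to unmarshal session(...)' entry."""
    for line in log_text.splitlines():
        match = SESSION_RE.search(line)
        if match:
            yield line, match.group(1)


def is_suspicious(value):
    """Anything that is not a GUID (paths, shell metacharacters, quoting) is worth a look."""
    return not GUID_RE.match(value)


def find_suspicious_sessions(log_text):
    """Return the (line, value) pairs whose session value does not look like a GUID."""
    return [(line, value) for line, value in session_values(log_text) if is_suspicious(value)]


if __name__ == "__main__":
    for line, value in find_suspicious_sessions(SAMPLE_LOG):
        print(f"SUSPICIOUS session value {value!r} in: {line}")
```

On a real device the same check applies to the output of the vendor's gpsvc.log search; treat any hit as a trigger for the incident-response steps in the advisory rather than as proof of compromise on its own.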
