Cyber Series: December wrap up 2024 

The state initially levied a $1.4 million fine but suspended $850,000, considering the organisation’s financial condition and its role in providing healthcare to underserved communities in New York’s Hudson Valley region. Despite multiple attempts to patch the CVE-2023-3519 vulnerability, including consulting with Citrix and third-party cyber security experts, HealthAlliance was unable to resolve the technical issues. This delay left critical systems exposed for months, during which attackers infiltrated the network using a web shell, harvested credentials, and accessed over 40 hosts. Between late September and early October 2023, cyber-criminals exfiltrated sensitive data from HealthAlliance’s network and subsequently notified the organisation’s leadership of the breach. 

HealthAlliance’s response included launching an investigation, notifying law enforcement, and replacing compromised systems. Affected patients and employees were informed through notification letters, with those whose Social Security numbers were exposed offered credit monitoring and identity protection services. Regulators noted that while HealthAlliance attempted remediation, it failed to implement compensating controls, such as network segmentation, enhanced monitoring, and stricter access controls, which could have mitigated the risks during the patching process. 

As part of the settlement, HealthAlliance agreed to adopt a range of cyber security improvements, including a policy mandating that critical vulnerabilities be patched within 72 hours or otherwise neutralised. The organisation also committed to bolstering its network monitoring capabilities and restricting access to sensitive systems. Experts highlighted the importance of a proactive approach to cyber security, recommending dedicated testing environments, automated patch management, and ongoing training for IT staff in advanced security practices. They also suggested that temporary safeguards, such as limiting access and monitoring unusual network activity, could help protect critical infrastructure during patching delays. 

HealthAlliance’s experience serves as a cautionary tale, emphasising the need for organisations to prioritise data protection, strengthen incident response capabilities, and invest in resilient cyber security measures to prevent similar incidents. By leveraging managed security services, fostering a culture of security awareness, and collaborating with vendors for rapid issue resolution, healthcare providers can better safeguard sensitive data while ensuring the continuity of care. 

https://www.bankinfosecurity.co.uk/ny-health-group-fined-550k-in-unpatched-vulnerability-hack-a-27043 

AI Chatbot Startup WotNot Exposes 346,000 Files, Including Sensitive Personal Data 

WotNot, an Indian AI chatbot startup headquartered in Ahmedabad, exposed nearly 350,000 sensitive files due to a misconfigured Google Cloud Storage bucket. This breach, discovered by researchers at Cybernews on August 27, 2024, left 346,381 files unsecured and accessible to anyone on the internet without any password protection. The exposed data included highly sensitive information such as scans of passports, identity documents, medical records, resumes, and travel itineraries, posing a significant risk of identity theft and fraud. 

Cybernews notified WotNot of the issue on September 9, 2024, and followed up with multiple emails, but it took over two months for the company to secure the bucket. WotNot attributed the breach to changes in cloud storage bucket policies meant to accommodate specific use cases but admitted failing to verify the bucket's accessibility. They emphasised that the exposed bucket was used by free-tier users and reassured enterprise customers that their private instances remained unaffected, ensuring compliance with strict security standards. 

The exposed files underscore the potential dangers of entrusting sensitive data to AI chatbots, especially when providers fail to prioritise data security. Thomas Murray does not recommend sharing personal or sensitive information with AI platforms, as it is often unclear how data is stored or if the data is used to train AI models. 

https://www.bitdefender.com/en-us/blog/hotforsecurity/ai-chatbot-startup-wotnot-leaks-346-000-files-including-passports-and-medical-records 

“aiocpa” Python Package Exposed as Cryptocurrency Infostealer 

ReversingLabs (RL), a cyber security firm, recently uncovered a sophisticated malicious campaign targeting cryptocurrency wallets through a compromised package named "aiocpa." This package, which appeared legitimate, was designed to serve as a synchronous and asynchronous Crypto Pay API client and had been downloaded 12,100 times. RL’s machine learning-based threat-hunting system, Spectra Assure, identified suspicious behavior in an update to the package (version 0.1.13 and later), revealing it contained malicious code intended to compromise cryptocurrency wallets. 

The attackers behind this campaign took a unique approach compared to typical threats targeting open-source repositories like npm and PyPI. Instead of directly inserting malicious code, they first published the aiocpa crypto client tool to build trust with users over time. Once a growing user base was established, the attackers injected malicious code through an update. Additionally, the malicious actor attempted to hijack an existing PyPI project named "pay," likely to gain access to its established user base, which could increase the attack’s reach. 

RL's investigation revealed that the code within the aiocpa package was heavily obfuscated and designed to steal sensitive data, such as crypto trading tokens, which could be used to drain victims' cryptocurrency wallets. Importantly, traditional application security testing tools failed to detect this threat, as the malicious code was hidden behind layers of encryption and was not visible in the referenced GitHub repository, typically considered legitimate. This underscores the importance of advanced threat-hunting tools like Spectra Assure, which analyses code behavior for deeper inspections. 

Upon identifying the threat, RL reported the malicious package to PyPI for removal, which was subsequently taken down. The discovery was shared publicly on November 25, 2024, and researchers at Phylum further discussed the unique nature of the attack. This incident highlights the increasing sophistication of open-source software threats, stressing the need for regular security assessments, machine learning-based tools, and careful evaluation of third-party code and dependencies. The PyPI security team also advised users to pin dependencies and versions using hashes to prevent malicious updates and mitigate supply chain risks. 

https://hackread.com/aiocpa-python-package-cryptocurrency-infostealer/ 

Telecom Giant BT Group Hit by Black Basta Ransomware 

Following the recent ransomware attacks on NHS hospitals in the United Kingdom, British telecommunications giant BT Group has also become a victim of a ransomware assault, attributed to the infamous Black Basta gang. The attack specifically targeted BT’s Conferencing business division, causing the company to take certain servers offline as a precautionary measure. Although BT has downplayed the impact, claiming limited disruption to its services and customer data, the Black Basta group painted a more alarming picture, claiming to have stolen 500 gigabytes of sensitive information. 

Black Basta provided evidence of the stolen data, releasing screenshots of documents and folder listings. The ransomware group also added BT’s btci.com and btconferencing.com domains to its data leak site, threatening to publicly release the stolen information unless a ransom was paid. The stolen data is reported to include highly sensitive financial, corporate, and personal information, such as passport copies, but the exact ransom demand remains undisclosed. 

In response, BT confirmed that it is actively investigating the breach and is cooperating with relevant authorities. The company emphasised that the attack was limited to the conferencing platform, and core services remained operational. A spokesperson stated that specific elements of the platform were isolated and taken offline to contain the damage. 

Black Basta, a ransomware-as-a-service (RaaS) group, has been active since 2022, targeting over 500 organisations worldwide, including high-profile victims like Ascension Healthcare, Hyundai Europe, Capita, Yellow Pages Canada, and Dish. The group has impacted various sectors, including 12 out of 16 critical infrastructure sectors. The FBI and CISA have issued warnings about Black Basta’s increasing threat to global security. 

https://hackread.com/telecom-giant-bt-group-black-basta-ransomware-attack/ 

Lockbit 4.0 

The LockBit ransomware group is preparing to launch a new version of its malware, LockBit 4.0, on February 3, 2025. This development follows a period of reduced activity after a significant law enforcement operation, known as Operation Cronos, dismantled much of their infrastructure in February 2024. 

On 19 December 2024, the group's representative, LockBitSupp, announced the upcoming release on their website, providing a new domain, lockbit4[dot]com, and multiple TOR sites to support the updated ransomware. This expansion suggests an effort to enhance their operational infrastructure. The forthcoming release of LockBit 4.0 indicates the group's resilience and intent to continue its ransomware operations. 

Threat actors targeting financial entities in December 2024

Ransomware vs Finance (last three months)