Back

Blogs

Ireland's Elections: What's next for climate pledges?

View All

Case Studies

Supporting BrainDrip LLC's Entry into the Hydrogen Market

View All

Upcoming Events

Webinars

Image of Payments System HackingImage of Payments System Hacking

Thoughts

Decoding This Week’s Cyber Threats

8th May, 2024

Cyber threat actors relentlessly pursue potential vulnerabilities and the necessary tools to exploit them. Often, these groups are motivated by financial gain. Yet as geopolitical tensions rise, so do state sponsored cyber attacks, growing in sophistication and resource as seen with the recent MoD breach.

Our latest Cyber Threat Digest explores the motivations and tactics behind the high profile cyber attacks in focus this week.

Digital Frontlines: The MoD Breach and the Shadow of State-Sponsored Cyber Warfare

The UK Ministry of Defence (MoD) recently fell victim to a sophisticated cyberattack, putting the personal data of numerous UK armed forces personnel at risk. This breach, targeting a third-party payroll system, exposed sensitive information including names, bank details, and in a few instances, addresses of both current and former military members. The incident highlights the alarming rise of state-sponsored cyber threats against national security assets.

The breach was first discovered a few days ago, and its ramifications are still being assessed. Immediate measures were taken by the MoD to mitigate the damage, namely, severing the connection of the compromised external network, operated by a contractor, from the rest of its digital infrastructure. While initial reports from prominent news outlets like the BBC and Sky News confirm that there has been no evidence of data exfiltration, the anxiety remains palpable.

In a forthcoming session in the House of Commons, Defence Secretary Grant Shapps is scheduled to detail the breach and the government’s response. It is anticipated that the government will not specify the attackers’ nation of origin, although ministers are expected to condemn the act as the work of “hostile and malign actors.”

This incident arrives amid escalating tensions between Western nations and China, especially following joint accusations from the UK and US in March, where China was blamed for a series of global, malicious cyber-attacks. These included targeting the UK’s Electoral Commission and conducting reconnaissance operations against British lawmakers’ email accounts.

The UK government, which recently designated Beijing’s actions as an “epoch-defining challenge,” has faced criticism for not adopting a stronger stance. Prominent figures, including Conservative former leader Iain Duncan Smith, have urged the government to acknowledge China as a “systemic threat” following these revelations.

In light of this breach, the MoD has acted swiftly to support affected personnel, providing specialist advice and access to personal data protection services to monitor the potential misuse of their information. Despite these measures, the breach serves as a stark reminder of the sophisticated and persistent nature of state-sponsored cyber threats.

This situation underscores the need for robust cyber defences and proactive international collaboration to counteract the activities of state actors like China, which not only engage in espionage but also support other authoritarian regimes, intensifying global geopolitical tensions.

As the digital battlefield expands, the incident at the MoD is a critical wakeup call. It illustrates the vulnerability of even the most secure entities and highlights the imperative for ongoing vigilance and enhanced cybersecurity measures to safeguard national interests in an increasingly interconnected world.

ArcaneDoor Unlocked: Suspected Chinese Cyber Campaign Targets Global Network Devices

A new cybersecurity threat, named the ArcaneDoor campaign, has been unsettling the digital landscape since its inception in July 2023, with detection only occurring in January 2024. This campaign targets network devices and is believed to be potentially linked to Chinese threat actors, heightening concerns across the global cybersecurity community.

Researchers have unveiled that the ArcaneDoor exploits two critical zero-day vulnerabilities identified in Cisco’s network security devices, namely the Adaptive Security Appliance and the Firepower Threat Defence software. These vulnerabilities, CVE-2024-20353 and CVE-2024-20359, expose networks to significant risks.

CVE-2024-20353 allows attackers to trigger a denial of service condition by exploiting incomplete error checking in HTTP header parsing, without needing authentication. CVE-2024-20359 presents a more severe threat where a legacy function in the software could be manipulated by authenticated local users to execute arbitrary code with root privileges.

The investigation has further uncovered that several IP addresses linked to the attackers are associated with known Chinese autonomous systems like TenCent and ChinaNet, suggesting the possible involvement of Chinese threat actors. However, it remains unclear whether this campaign is state sponsored.

Strategically, ArcaneDoor’s focus on governmental and critical infrastructure devices suggests motives that align with cyberespionage activities, possibly indicating state sponsorship. This ongoing campaign shows no signs of abatement and highlights a critical vulnerability in national and international security frameworks.

Tactically, the unknown initial infection vector remains a challenge, but patches for the exploited vulnerabilities have been issued. Immediate updates are crucial to secure network devices against potential breaches.

For organisations worldwide, especially those involved in critical infrastructure or government sectors, understanding, and mitigating the risks posed by ArcaneDoor is paramount to maintaining cybersecurity integrity and national security.

Beware of Digital Wolves in Journalist’s Clothing: The Crafty Cyber Tactics of APT42

In an increasingly digital world, the line between legitimate communication and cyber deception is becoming dangerously blurred. Recently, the spotlight has fallen on APT42, an Iranian state-sponsored threat group, known for its sophisticated social engineering tactics that mask its malicious intents behind the guise of journalism. This group has cleverly targeted organisations in the West and the Middle East, breaching security through the art of disguise.

APT42 employs a cunning strategy by sending emails that mimic those of journalists, NGO representatives, or event organisers. These communications are crafted to look like they come from reputable sources such as The Washington Post and The Economist, using slightly misspelled domain names to create a false sense of legitimacy. The purpose? To build enough trust to persuade recipients to click on malicious links disguised as news articles or conference information.

The arsenal of APT42 includes two particularly nefarious tools: Nicecurl and Tamecat. Nicecurl is a VBScript-based backdoor capable of executing commands, downloading payloads, and mining data. Tamecat, on the other hand, leverages PowerShell to run arbitrary code or scripts, allowing the attackers vast flexibility to steal data and tamper with systems.

Once the victim’s trust is secured, the trap is sprung. Links in the emails redirect the targets to phony login pages that mimic popular services like Google or Microsoft. Unsuspecting users enter their credentials, which are then harvested by the attackers to infiltrate corporate networks and access sensitive information.

APT42 goes to great lengths to avoid detection. It employs strategies such as using the victim’s own email addresses for data exfiltration and employing technologies like ExpressVPN and Cloudflare to cover its tracks. These methods make it challenging to attribute the attacks directly to them.

Behind APT42 is the Iranian Islamic Revolutionary Guard Corps Intelligence Organisations (IRGC-IO), with targets that include NGOs, media outlets, educational institutions, activists, and legal sectors. The strategic choice of targets in the US, UK, Israel, UAE, and Azerbaijan suggests a focused intent to gather intelligence aligning with Iranian interests.

As digital frontiers evolve, so too do the tactics of groups like APT42. Understanding their methods offers a critical lens through which we can better protect ourselves.

Cyberattack Hits NHS Dumfries and Galloway, Exposing Patient and Staff Data

NHS Dumfries and Galloway, a healthcare provider based in Scotland, has become the latest victim of a cyberattack, details of which remain partly undisclosed. As of March 15, 2024, the attack was reported to be ongoing and targeted, causing significant service disruptions. The healthcare provider has raised concerns over the possibility that the attackers might have accessed a substantial amount of data, including sensitive information identifiable to patients and staff.

The nature of the cyberattack has not been definitively confirmed, but given the patterns of disruption and data access, experts suggest that it could be a ransomware attack. As of now, NHS Dumfries and Galloway has not appeared on any ransomware data-leak sites, which could potentially provide further clues about the attackers.

Cyberattacks on healthcare institutions are often driven by specific motives, ranging from hacktivism intended to disrupt services, to retaliatory actions against perceived injustices. A notable instance occurred in late 2023 when the ransomware group @ALPHV incited its affiliates to target healthcare services as a form of revenge against law enforcement actions.

The identification of the perpetrators may become clearer as more details emerge about the tactics, techniques, and procedures (TTPs) used in the attack. Confirmation could also arise if the victim’s information appears on a data-leak site or is announced through channels such as Telegram.

On March 26, 2024, the ransomware group @INCRansom claimed responsibility for the attack, labelling the incident as “NHS Scotland” on its data-leak platform. They also released a sample of the data, suggesting that about three terabytes of data were stolen. By May 6, 2024, @INCRansom had uploaded all the data it claimed to have exfiltrated from NHS Dumfries and Galloway to its website, available for download in ZIP file format.

This cyberattack underscores the vulnerabilities in healthcare data security and the profound impact such incidents can have on patient and staff privacy. It serves as a critical reminder of the need for enhanced cybersecurity measures across the healthcare sector to protect against increasingly sophisticated cyber threats.

 

 

Authors

Ian Hirst

Partner, Cyber Threat Services

Read Bio