Cybersecurity Bulletin - December 2024
Check out what happened in the field of cybersecurity in December.

Bitter Group Targets High-Value Turkish Entities with MiyaRAT
Turkish defense industry organizations have recently been targeted by a new campaign from the "Bitter" cyber espionage group. The campaign delivers the MiyaRAT malware family alongside WmRAT, a tool seen in the group's earlier operations. Researchers note that MiyaRAT is reserved for high-value targets and is distributed in a highly limited fashion.
According to cybersecurity firm Proofpoint, MiyaRAT is a capable remote access trojan actively used in espionage operations. Its functionality includes data encryption, an interactive reverse shell and full file management. Deployed alongside WmRAT, it gives the operators persistent access to compromised systems, the ability to exfiltrate sensitive data, and a view of the target's activity.
Cyberwise Insight: Our analysts observe a more selective approach in the Bitter group's recent attacks. Reserving MiyaRAT for high-value targets limits the number of samples that reach defenders and analysis vendors, which slows the creation of signatures and keeps the tool useful for longer. The group is managing the malware's exposure rather than its reach, and that is a deliberate strategy to stay below the threshold of security monitoring.
These developments should prompt Turkish defense industry organizations to reassess their security posture. Government and defense institutions in particular need controls that hold up against a patient, targeted adversary, and defenses against tooling like MiyaRAT and WmRAT must be updated continuously as the group's tradecraft changes.
Protective Measures
- Scrutinize Email Attachments: Exercise extreme caution before opening email attachments. Treat RAR archives, executables (EXE) and Windows shortcuts (LNK) with particular suspicion, as they are the carriers used in campaigns like this one, and judge a file by its content rather than by the extension it displays.
- Stay Vigilant Against Phishing Attacks: Carefully examine email content and question requests from unknown senders.
- Detect and Block ADS: Scan systems for payloads hidden in NTFS Alternate Data Streams (ADS), a file system feature that attaches additional content to a file without changing its visible name or size, and which this campaign used to stage its malware. Make sure endpoint security tooling inspects alternate streams rather than only a file's primary data stream.
- Utilize IDS/IPS Systems: Implement Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) to detect and block suspicious activities.
- Enable Automatic Updates: Ensure that software and security updates are installed automatically to protect against newly discovered vulnerabilities.
- Regulate User Privileges: Grant users only the necessary access levels and restrict unnecessary administrative privileges.
- Implement Continuous Monitoring: Employ a cybersecurity monitoring system that constantly tracks security events and abnormal behaviors.
- Engage with Threat Intelligence: Leverage cybersecurity threat intelligence services to gain insights into new threats and receive early warnings.
- Monitor Network Traffic: Conduct regular monitoring for suspicious network traffic and unusual connection attempts.
- Employ Layered Endpoint Protection: Combine signature-based antivirus with behaviour-based endpoint detection and response (EDR), so that a RAT whose sample has not yet been seen is still caught by what it does, such as opening a reverse shell.
- Provide Employee Training: Educate your employees on cybersecurity awareness. Conduct training sessions on suspicious emails, phishing, and malware threats.
- Conduct Awareness Tests: Periodically simulate cyber-attacks with your employees to enhance their security consciousness.
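The first bullet above says to judge an attachment by its content rather than by the name it arrives with. The following Python script is an added example written for this bulletin, not code from Proofpoint or from any affected organization; it sniffs the file signatures of RAR archives, PE executables and Windows shortcut (LNK) files and flags mismatches between content and extension. The attachment names and bytes are constructed here for illustration.

```python
"""Attachment triage by file signature rather than extension.

Added example for this bulletin, not code from Proofpoint or any affected
organization. The attachment names and bytes below are constructed.
"""
import struct

# File signatures ("magic bytes") for the carrier types named in the bulletin.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
# Windows Shell Link header: HeaderSize 0x4C followed by the LNK CLSID
# {00021401-0000-0000-C000-000000000046} with little-endian field order.
LNK_MAGIC = bytes.fromhex("4c000000 01140200 0000 0000 c000000000000046")

# Extensions to hold for review even when the content does not sniff as anything known.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".lnk", ".rar", ".js", ".vbs", ".hta", ".iso"}
# Document/image extensions commonly used as the decoy half of "report.pdf.lnk".
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
# What each extension should contain, for the types this script sniffs.
EXPECTED_TYPE = {".exe": "pe", ".dll": "pe", ".scr": "pe", ".lnk": "lnk", ".rar": "rar"}


def sniff_type(data: bytes) -> str:
    """Return 'rar', 'lnk', 'pe' or 'unknown' based on the leading bytes only."""
    if data.startswith(RAR5_MAGIC) or data.startswith(RAR4_MAGIC):
        return "rar"
    if data.startswith(LNK_MAGIC):
        return "lnk"
    # PE: 'MZ' DOS header whose e_lfanew field (offset 0x3C) points at 'PE\0\0'.
    if data.startswith(b"MZ") and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Combine content type and naming tricks into a block/review/allow verdict."""
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    kind = sniff_type(data)
    reasons = []
    if kind == "pe":
        reasons.append("executable (PE) content")
    elif kind == "lnk":
        reasons.append("Windows shortcut (LNK) content")
    elif kind == "rar":
        reasons.append("RAR archive content")
    # A known type wearing the wrong extension, e.g. a PE file named Photo.jpg.
    if kind != "unknown" and EXPECTED_TYPE.get(ext) != kind:
        reasons.append("extension mismatch")
    if inner in DECOY_EXTENSIONS:
        reasons.append("double extension")
    if ext in RISKY_EXTENSIONS:
        reasons.append("risky extension")
    if kind in ("pe", "lnk") or "extension mismatch" in reasons or "double extension" in reasons:
        verdict = "block"
    elif kind == "rar" or ext in RISKY_EXTENSIONS:
        verdict = "review"   # archives need their contents inspected before release
    else:
        verdict = "allow"
    return {"filename": filename, "type": kind, "verdict": verdict, "reasons": reasons}


def build_pe_stub() -> bytes:
    """Smallest byte string that passes the PE check: 'MZ', e_lfanew -> 0x40, 'PE\\0\\0'."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


# Constructed sample attachments: a disguised shortcut, a real PDF, a PE file
# named like an image, and a RAR archive.
SAMPLE_ATTACHMENTS = {
    "Tender_Notice.pdf.lnk": LNK_MAGIC + b"\x00" * 56,
    "Contract.pdf": b"%PDF-1.7\n% constructed sample document\n",
    "Photo.jpg": build_pe_stub(),
    "Project_Docs.rar": RAR5_MAGIC + b"\x00" * 32,
}


def triage_all(attachments=SAMPLE_ATTACHMENTS) -> dict:
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(f"{result['verdict']:6} {name:24} {result['type']:8} {'; '.join(result['reasons'])}")
```

The script only reads the first few dozen bytes, so it is cheap enough to run on every attachment at the mail gateway; an archive that reaches "review" should then be expanded and each member passed through the same check. On the endpoint side, the ADS bullet above can be checked with PowerShell's `Get-Item -Path <file> -Stream *`, which lists every stream attached to a file, not only the default `:$DATA` stream.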
Texas Tech University Health Sciences Center Cyberattack: 1.4 Million Patients' Data at Risk
The Texas Tech University Health Sciences Center (HSC) and its counterpart in El Paso have been hit by a significant cyberattack. This incident has the potential to expose the personal and health information of 1.4 million patients. The institution detected a security breach in September 2024, following disruptions to its computer systems. Investigations confirmed that certain files or folders were either stolen or deleted from the HSC network between September 17 and September 29, 2024.
Texas Tech University Health Sciences Center is a public institution that trains healthcare professionals, conducts medical research and provides patient care, so its records combine identity, financial and clinical data in one place.
In response to the attack, the Texas Tech University Health Sciences Center has committed to offering free credit monitoring services to the 1.4 million affected patients. The organization has also advised patients to be cautious of phishing attacks and social engineering tactics. Affected individuals are encouraged to regularly monitor their credit reports and health insurance statements.
Cyberwise Insight: In its notification, the institution listed the categories of data potentially compromised: patients' names, dates of birth, Social Security numbers, driver's license information, health insurance details, medical records and diagnostic information. That combination supports identity theft, insurance fraud and highly convincing follow-on phishing, and unlike a password none of it can be reset.
The "Interlock" ransomware group has claimed the attack. On October 27, 2024, Interlock announced that it had taken 2.6 TB of data, some 2.1 million files, and published it on the dark web, a double-extortion tactic in which stolen data is leaked to pressure a victim that declines to pay. The attackers demanded a ransom; demands in attacks of this kind typically range from hundreds of thousands to millions of dollars, scaled to the size of the victim.
Protective Measures
- Use Strong Passwords: Create complex and unique passwords for all systems. Furthermore, do not neglect to use multi-factor authentication (MFA).
- Regular Software Updates: Regularly update all your software and systems to protect against known vulnerabilities.
- Data Encryption: Protect your sensitive data with strong encryption methods, both during storage and transmission.
- Phishing Awareness Training: Provide employees with training on phishing and social engineering attacks, and ensure they are cautious about suspicious emails or links.
- Ensure Network Security: Prevent unauthorized access to your network by using a robust firewall and network monitoring systems.
- Data Backup: Regularly back up your critical data and store the backed-up data in a secure location.
- Access Control: Apply least privilege: grant each employee only the access their role requires, formalize this in access policies, and review the grants regularly.
Critical SonicWall Vulnerabilities Pose Threat to Organizations
Research conducted by cybersecurity firm Bishop Fox has revealed that over 25,000 SonicWall SSLVPN devices are vulnerable to critical security flaws, posing a significant threat. The data indicates that a substantial portion of these devices are running on outdated, unsupported software versions and have not had current security patches applied. These vulnerable devices have become attractive targets for ransomware groups aiming to gain initial access to corporate networks.
Bishop Fox's scans, utilizing tools like Shodan and BinaryEdge, identified 430,363 publicly exposed SonicWall firewalls. Publicly accessible devices allow attackers to exploit these vulnerabilities and weaknesses to gain system entry. This situation is particularly dangerous when firewall management interfaces and SSL VPN connections are accessible over the internet.
Bishop Fox researchers stated, "Publicly exposed firewall management interfaces pose an enormous security risk. While SSL VPN is designed to provide access to external clients, it should be protected with source IP address restrictions."
Cyberwise Insight: Of the exposed devices, Bishop Fox counted 25,485 running firmware affected by at least one critical-severity vulnerability and a further 94,018 affected by high-severity ones. Each such device is a potential entry point into the network behind it, and exposed edge appliances are exactly where ransomware affiliates look for initial access.
Cybersecurity experts urge organizations using SonicWall devices to immediately update their outdated software versions and apply patches. Furthermore, they highlight that internet accessibility for SSL VPN and management interfaces creates a serious security risk. The implementation of additional security measures, such as IP address restrictions, is strongly emphasized.
This situation demonstrates that organizations may face greater threats due to slow patching processes and the continued use of outdated software. Taking the necessary steps to remediate vulnerabilities and become more resilient against attacks is of paramount importance.
Protective Measures
- Software and Hardware Updates: Ensure that the software versions used on your devices are updated to the latest, supported versions. It is especially crucial to avoid using End-of-Life (EOL) software versions.
- Restrict Management and SSL VPN Interfaces: Management interfaces should not be reachable from the internet at all, and SSL VPN portals should accept connections only from known source IP ranges wherever the user base allows it. Anything reachable from the whole internet is reachable by every attacker scanning for it.
- Strong Password Policies and Multi-Factor Authentication (MFA): Implement strong passwords to defend against password weaknesses and, if possible, enable Multi-Factor Authentication (MFA).
- Firewall Configuration: Configure device policies to permit only the services and destinations that are actually needed, and close every other path.
- Network Segmentation: Implement network segmentation within your corporate network, allowing each segment to communicate only with other necessary networks. This can help prevent an attacker from moving laterally within the network.
- Regular Security Scanning and Auditing: Regularly scan and audit your entire network infrastructure for security vulnerabilities. Such audits help detect potential weak points early.
- Access Restrictions and Monitoring: Allow only authorized users to access critical systems. Furthermore, continuously monitor all network activities and access attempts, and report suspicious activities.
- Ransomware Defense: To provide protection against threats like ransomware, establish backup strategies and perform regular backups. Additionally, use frequently updated antivirus scanners on the network.
Dozens of Chrome Extensions Hacked: Millions of Users' Data at Risk
A widespread campaign against Chrome browser extensions has put the personal data of millions of users at risk. At least 35 popular extensions were compromised, affecting approximately 2.6 million users. Rather than attacking the extensions' code directly, the attackers phished the developers, took over their publishing access, and pushed trojanized updates of legitimate extensions to users who already had them installed.
The campaign began with phishing emails to developers on the Chrome Web Store. The emails warned that an extension was about to be removed for a policy violation, creating a false sense of urgency, and offered a link to "accept" the policy. The link led to an authorization prompt for a malicious OAuth application; a developer who approved it granted that application permission to manage their Chrome Web Store listings. With that grant the attackers could publish new versions of the developers' extensions containing their own code, without ever needing the developers' passwords or one-time codes.
Cyberwise Insight: Browser extensions run with access to the pages a user visits and, depending on their permissions, to cookies, browsing history and network requests. A trusted extension that is silently updated with malicious code therefore becomes a ready-made data collection channel, for individual users and for every organization whose staff have it installed. Extensions add real convenience, but each one is third-party code with a supply chain of its own, and that supply chain deserves the same scrutiny as any other software dependency.
Security Measures to Take
- Install Extensions Only from Trusted Sources: Do not install extensions from sources outside the Chrome Web Store. The store's review process filters out much obvious abuse, but as this campaign shows it does not catch every malicious update to an already approved extension, so store origin alone is not a guarantee of safety.
- Strictly Monitor Extension Permissions: Carefully review the access permissions of every extension you install. Extensions should only have the necessary permissions to fulfill their functions.
- Perform Updates: Always use the latest versions of your browser and extensions to protect against software bugs and security vulnerabilities. Up-to-date software offers stronger defenses against new threats.
- Use Two-Factor Authentication (2FA): Protect important accounts, especially developer and publishing accounts, with a second factor rather than a password alone. Note that 2FA does not stop OAuth consent phishing of the kind used in this campaign: the attacker never needs the password, only the victim's approval of an authorization prompt. Periodically review the third-party applications that have been granted access to an account and revoke any that are unfamiliar.
- Audit Extension Data Communications: Malware can exfiltrate user data through extensions. Therefore, ensure that extensions are not sending data they shouldn't be and only collecting necessary data.
- Conduct Regular Security Scans: To protect user data, regularly scan your computer and extensions with antivirus software. You can also use browser extension security tools to find malicious extensions.
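Reviewing permissions by hand across dozens of extensions is tedious, and a trojanized update usually needs broader access than the version it replaces. The following Python script is an added example written for this bulletin, not code from Google or from any affected extension's developer; it parses manifest.json files, flags permission and host patterns that allow wholesale data collection, and diffs two versions of a manifest to surface newly requested access. Both manifests are constructed for illustration, and the risk rules are the author's own choices rather than any official scoring.

```python
"""Chrome extension manifest audit.

Added example for this bulletin, not code from Google or from any affected
extension's developer. Both manifests and the risk rules are the author's own.
"""
import json

# API permissions that give an extension broad reach into the browsing session.
HIGH_RISK_PERMISSIONS = {
    "webRequest": "observe every request and response header",
    "webRequestBlocking": "modify or redirect traffic in flight",
    "cookies": "read session cookies for any host it can access",
    "scripting": "inject scripts into pages",
    "tabs": "read URLs and titles of every open tab",
    "history": "read browsing history",
    "debugger": "attach to pages with full DevTools access",
    "nativeMessaging": "talk to native programs on the host",
    "proxy": "route all traffic through a chosen proxy",
    "clipboardRead": "read clipboard contents",
}
# Match patterns that mean "every site the user visits".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def load_manifest(text: str) -> dict:
    return json.loads(text)


def host_patterns(manifest: dict) -> set:
    """Host access requested by the manifest, for both MV2 and MV3 layouts."""
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 mixes host patterns into "permissions"; pick those out too.
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    return hosts


def audit_manifest(manifest: dict) -> dict:
    """Return a risk level (low/medium/high) and human-readable findings."""
    perms = set(manifest.get("permissions", []))
    hosts = host_patterns(manifest)
    findings = []
    for p in sorted(perms & set(HIGH_RISK_PERMISSIONS)):
        findings.append(f"permission {p}: can {HIGH_RISK_PERMISSIONS[p]}")
    broad_hosts = sorted(h for h in hosts if h in BROAD_HOSTS)
    for h in broad_hosts:
        findings.append(f"host access {h}: can read and modify every site")
    # Content scripts declared for every site are host access by another name.
    broad_scripts = [m for cs in manifest.get("content_scripts", [])
                     for m in cs.get("matches", []) if m in BROAD_HOSTS]
    for m in broad_scripts:
        findings.append(f"content script runs on {m}")
    # The combination that makes wholesale exfiltration easy: every site plus the
    # APIs that read cookies, traffic or page contents.
    exfil_apis = perms & {"webRequest", "cookies", "scripting"}
    if (broad_hosts or broad_scripts) and exfil_apis:
        findings.append("broad host access combined with " + ", ".join(sorted(exfil_apis))
                        + " enables wholesale data collection")
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "risk": risk, "findings": findings}


def diff_permissions(old: dict, new: dict) -> dict:
    """Access requested by `new` that `old` did not have: the signal to look for in an update."""
    return {
        "added_permissions": sorted(set(new.get("permissions", [])) - set(old.get("permissions", []))),
        "added_hosts": sorted(host_patterns(new) - host_patterns(old)),
    }


# Constructed manifest for the shipped, benign version of a hypothetical note-taking extension.
BENIGN_MANIFEST_JSON = """{
  "manifest_version": 3,
  "name": "Quick Notes (constructed example)",
  "version": "1.4.0",
  "permissions": ["storage"],
  "host_permissions": ["https://notes.example/*"],
  "content_scripts": [{"matches": ["https://notes.example/*"], "js": ["notes.js"]}]
}"""

# Constructed manifest for a trojanized update of the same extension: same name, one
# version bump, and far more access than a note-taking tool needs.
TROJANIZED_MANIFEST_JSON = """{
  "manifest_version": 3,
  "name": "Quick Notes (constructed example)",
  "version": "1.4.1",
  "permissions": ["storage", "cookies", "webRequest", "tabs"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["notes.js", "collector.js"]}]
}"""

BENIGN_MANIFEST = load_manifest(BENIGN_MANIFEST_JSON)
TROJANIZED_MANIFEST = load_manifest(TROJANIZED_MANIFEST_JSON)

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, TROJANIZED_MANIFEST):
        report = audit_manifest(m)
        print(f"{report['name']} {report['version']}: {report['risk']}")
        for f in report["findings"]:
            print("  -", f)
    print("added in update:", diff_permissions(BENIGN_MANIFEST, TROJANIZED_MANIFEST))
```

On a managed fleet the manifests can be read straight from the browser profile's Extensions directory and the diff run against the copy recorded at the previous check; a version bump that adds `<all_urls>` or any of the cookie and request APIs to an extension that never needed them is the moment to pull it pending review, whatever the store listing says.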
Operation PowerOFF: 27 DDoS Platforms Dismantled, Hundreds of Customers Identified
"Operation PowerOFF," conducted with the participation of law enforcement agencies from 15 countries, resulted in the dismantling of 27 illegal DDoS (Distributed Denial-of-Service) platforms. The operation, led by Europol, led to the arrest of the administrators of these platforms that offered DDoS attack services for hire, and the identification of hundreds of their customers. These platforms enabled users to pay to send large-scale internet traffic to targets, causing service disruptions. In addition to the arrests, approximately 300 platform users were identified, with some receiving warnings, while criminal proceedings were initiated against those who committed more serious offenses. Authorities emphasized that such services increase cyber threats and urged organizations to implement defensive measures to protect their networks.
Cyberwise Insight: A DDoS attack aims to make a network, server or service unavailable by flooding it with more traffic or requests than it can handle, typically from many compromised or rented machines at once. The result can be an outage of customer-facing services and significant business interruption, which keeps DDoS a persistent threat to large businesses and government agencies alike.
"Operation PowerOFF" showcases the power of international cooperation and the determination in combating cybercrime. The dismantling of 27 for-hire DDoS platforms and the arrest of numerous culprits represent a significant victory against cybercriminals. However, given the evolving techniques and rapidly changing strategies of cybercriminals, the continuation of such operations and the continuous strengthening of cybersecurity measures will play a critical role in preventing future security breaches.
Measures to Take Against DDoS Attacks
- Utilize Advanced Traffic Monitoring and Analysis Tools: Continuously monitor your website traffic to quickly detect and respond to unusual abnormal activities.
- Leverage DDoS Protection Services: Professional DDoS protection services like Cloudflare and Akamai provide effective protection by filtering attacks and redirecting traffic.
- IP Address Blocking and Traffic Limiting: You can cut off malicious traffic flow by blocking suspicious IP addresses from attackers. Applying IP-based limitations to prevent excessive traffic ingress will also be beneficial.
- Collaborate with Internet Service Providers (ISPs): By cooperating with your ISP, you can intervene before and during DDoS attacks, attempting to block the attack at its source.
- Prepare System Backup and Disaster Recovery Plans: Regularly back up your data and create a disaster recovery plan to quickly restore your system after an attack.
- Do Not Use DDoS-for-Hire Services: "Stress testing" a competitor or a rival's server through a for-hire platform is a criminal offence, and, as this operation shows, customers are identified and prosecuted alongside the operators. Test your own infrastructure only through legitimate providers under a written agreement.
- Provide Employee Training and Awareness: Educate all your employees about DDoS attacks, teaching them how to act in the event of a potential attack and to take security measures.