Malware Activity
Health and Human Services Organization Discloses Ransomware Attack and Breach from Early 2022
On January 5, 2023, Maternal & Family Health Services (MFHS) disclosed that a ransomware attack occurred on April 4, 2022, and unauthorized actors had access to their systems prior to the attack, specifically since August 21, 2021. MFHS is a private non-profit health and human services organization that serves Northeast Pennsylvania. The organization confirmed that breach notification letters began being sent to those potentially impacted, including former and current employees, patients, and vendors, on January 3, 2023. The information that may have been compromised during the ransomware attack includes, but is potentially not limited to, names, addresses, dates of birth, driver's license numbers, Social Security numbers (SSNs), financial account and payment card data, usernames, passwords, medical information and/or health insurance information. MFHS currently has no evidence that the compromised data has been misused and a ransomware group has yet to be attributed to the April 2022 attack. CTIX analysts will continue to monitor for advancements and update accordingly.
Threat Actor Activity
Cold River Threat Actors Target United States Nuclear Research Labs
Recent research has revealed that Russian threat actors targeted several United States nuclear research laboratories in late summer 2022. The threat actors are tied to the Cold River (Callisto, TAG-53) organization, a Russian state-sponsored group known to commonly conduct cyberespionage operations. It is believed that affiliations between the threat group and the Russian state surfaced when data trails led back to an IT employee in Syktyvkar named Andrey Korinets. Several email addresses tied to Korinets were used in connection with Cold River operations between 2015 and 2020 alongside discussions on several Russian dark web forums. Between August and September of 2022, Cold River launched a social engineering campaign targeting nuclear scientists with fake login portals in an attempt to steal credentials. Specifically, threat actors mimicked copies of the Argonne, Brookhaven, and Livermore National Laboratories login pages and distributed them in their phishing emails. It has not been determined if any further compromise has occurred from this campaign or why these facilities were specifically targeted. Recent activity from the group shows that Cold River registered several domain names imitating non-governmental organizations investigating war crimes in the Russia/Ukraine conflict. CTIX will continue to monitor for any fallout from these campaigns and provide additional updates accordingly.
Vulnerabilities
Okta Autho Patches Critical RCE Vulnerability Impacting a Very Prolific Open-Source Library
A critical remote code execution (RCE) vulnerability has been patched in the popular JsonWebToken open-source encryption library maintained by Okta Autho. The library is downloaded from Node Package Manager (NPM), a free library and registry for the publishing of JavaScript software packages utilized by developers. Specifically, JsonWebToken is utilized to digitally create, sign, and verify a JSON Web Token (JWT), the open-source standard defining how to securely transmit information between parties as a JSON object. The vulnerability, tracked as CVE-2022-23529, is described as an input validation flaw. A threat actor could exploit this vulnerability by manipulating the "secretOrPublicKey" argument in JsonWebToken's verify() method, used to verify and return the unencrypted information. This can be carried out via maliciously crafted code input, allowing the attacker to gain control over a key retrieval parameter to take over accounts, impersonate users, steal sensitive information, and elevate privileges to carry out malicious follow-on activity. Although it is rated as high severity, the flaw received a CVSS score of 7.6/10 due to the fact that the attacker would still need to compromise the key management process between an application and a JsonWebToken server before being able to exploit this vulnerability. With an estimated 36 million NPM downloads per month, the popularity of the JsonWebToken poses a massive risk to supply chains. The patch implements additional checks for the "secretOrPublicKey" parameter, and CTIX analysts urge all JavaScript developers dependent on the library to upgrade to the secure version immediately.
- Bleeping Computer: CVE-2022-23529 Article
- Dark Reading: CVE-2022-23529 Article
- GitHub: CVE-2022-23529 Advisory
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
