
Ankura CTIX FLASH Update - August 29, 2023

Malware Activity


The Ohio History Connection Discloses Data Breach Potentially Impacting 7,600 Individuals

The Ohio History Connection (OHC), a statewide history nonprofit that is one of the oldest historical societies in Ohio, has suffered a data breach following a ransomware attack that occurred in early July 2023. In their notice, OHC stated that the currently unnamed threat group encrypted their internal data servers and exfiltrated data. OHC detailed that the threat group rejected the organization's counteroffer during negotiations in early August 2023, and claimed that "the personal information of certain stakeholders may now be accessible." The following information may have been accessed: names, addresses, and Social Security numbers (SSNs) of current or former OHC employees (from 2009 to 2023), W-9 reports, additional records containing names and SSNs of contracted vendors of OHC, and images of checks provided to OHC by members and donors beginning in 2020. Approximately 7,600 individuals may be impacted by OHC's data breach, and the organization emphasized that there is currently no evidence that any misuse or attempted use of the exposed information has occurred. Data breach notification letters were mailed on August 23, 2023. CTIX analysts will continue to monitor for newly reported data breaches and provide details when applicable.


Threat Actor Activity


Chinese-linked Threat Actor Observed Conducting Espionage Operations on Taiwanese Organizations

Flax Typhoon, also known as Ethereal Panda, is a Chinese-linked threat group that has run espionage operations targeting dozens of Taiwanese organizations as far back as mid-2021. The threat group has been observed targeting government agencies and organizations within the education, critical manufacturing, and information technology sectors across Southeast Asia, North America, and Africa. Flax Typhoon has also been observed gaining and maintaining long-term access to Taiwanese organizations' networks by utilizing tools built into the operating system and living-off-the-land tactics, making detection and mitigation more difficult. This has prompted researchers to continually publish the group's distinctive patterns of malicious activity so that defenders gain greater visibility into other parts of the actor's operations. There is significant concern about the impact that attacks would have if the group were to reuse these tactics in operations targeting other countries. The group gains initial access by exploiting known vulnerabilities in public-facing servers before deploying a VPN connection to collect credentials using Mimikatz and conduct further vulnerability scans. The group uses legitimate VPN applications, which makes distinguishing malicious traffic from legitimate traffic much more difficult. The behavior observed from Flax Typhoon suggests that the campaign's end goal is to perform espionage and maintain its network footholds. CTIX analysts recommend conducting vulnerability and patch management, especially on systems and services exposed to the public internet.


Vulnerabilities


CISA Adds Critical Zero-day Ivanti Sentry Bug to the KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an actively exploited critical zero-day vulnerability in Ivanti Sentry (formerly MobileIron Sentry) to its Known Exploited Vulnerabilities (KEV) catalog. The advisory comes after researchers published a working proof-of-concept (PoC) exploit. Ivanti's Sentry product is an in-line secure mobile gateway that allows administrators to manage and secure traffic between mobile devices and back-end enterprise systems. The flaw, tracked as CVE-2023-38035 (CVSS score of 9.8/10), is an authentication bypass vulnerability that could allow unauthenticated attackers to gain access to sensitive APIs. If successfully exploited, threat actors could make configuration changes on the administrative portal of Sentry that allow them to run commands and write files to victims' systems. In the PoC, the researchers stated that the exploit "abuses an unauthenticated command injection to execute arbitrary commands as the root user." An Ivanti spokesperson stated that at this time they are only aware of a limited number of impacted customers and did not specify any of the technical details surrounding the compromise. This flaw affects all supported versions of Sentry, and customers are urged to restrict port 8443 (used to access the Ivanti Sentry administrative portal) from the public internet until they can apply the remediation. In Ivanti's customer advisory, they state that each version of Sentry has its own dedicated script and that a script applied to the wrong version will not remediate the vulnerability. CTIX analysts recommend that all administrators responsible for their organization's instance of Sentry follow the guidance in Ivanti's advisory linked below and apply the remediation script as soon as possible to prevent future exploitation.
The vulnerability's presence on the KEV mandates that all Federal Civilian Executive Branch (FCEB) agencies become compliant by remediating the flaw by no later than September 12, 2023.
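The interim mitigation above is to keep port 8443 off the public internet. The following added example (not from Ivanti or the CTIX team) audits a set of firewall or security-group rules for any rule that exposes the Sentry admin port to anything broader than a management network; the rule shape, the `SAMPLE_RULES` entries and the management CIDRs are constructed for illustration.

```python
import ipaddress

# Ivanti Sentry administrative portal port named in the advisory.
SENTRY_ADMIN_PORT = 8443

# Constructed sample rules in a vendor-neutral shape (field names are an
# assumption for this example, not any firewall or cloud provider's schema).
SAMPLE_RULES = [
    {"name": "sentry-admin-any", "proto": "tcp", "from_port": 8443, "to_port": 8443, "source": "0.0.0.0/0"},
    {"name": "sentry-admin-any6", "proto": "tcp", "from_port": 8443, "to_port": 8443, "source": "::/0"},
    {"name": "sentry-admin-mgmt", "proto": "tcp", "from_port": 8443, "to_port": 8443, "source": "10.20.0.0/24"},
    {"name": "wide-range", "proto": "tcp", "from_port": 8000, "to_port": 9000, "source": "203.0.113.0/24"},
    {"name": "https-only", "proto": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
]


def rule_covers_port(rule, port):
    """True if the rule's protocol and port range include the given TCP port."""
    return rule["proto"] in ("tcp", "any") and rule["from_port"] <= port <= rule["to_port"]


def source_is_public(source, mgmt_nets):
    """A source prefix is 'public' unless it sits entirely inside a management prefix."""
    net = ipaddress.ip_network(source, strict=False)
    # subnet_of() raises on mixed IP versions, so compare versions first.
    return not any(net.version == m.version and net.subnet_of(m) for m in mgmt_nets)


def find_exposed_admin_rules(rules, mgmt_cidrs, port=SENTRY_ADMIN_PORT):
    """Return names of rules that let non-management sources reach the admin port.

    Port ranges that merely contain 8443 are flagged too, since a broad
    8000-9000 allow exposes the portal just as surely as an explicit 8443 rule.
    """
    mgmt_nets = [ipaddress.ip_network(c, strict=False) for c in mgmt_cidrs]
    return [
        r["name"]
        for r in rules
        if rule_covers_port(r, port) and source_is_public(r["source"], mgmt_nets)
    ]


if __name__ == "__main__":
    for name in find_exposed_admin_rules(SAMPLE_RULES, ["10.20.0.0/24"]):
        print(f"exposed Sentry admin portal rule: {name}")
```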


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
