
Ankura CTIX FLASH Update - September 29, 2023

Malware Activity


The BORN Ontario Healthcare Organization Discloses Data Breach Due to MOVEit Campaign

The Better Outcomes Registry & Network (BORN) Ontario healthcare organization has disclosed a data breach impacting approximately 3.4 million individuals. BORN Ontario is a "perinatal and child registry that collects, interprets, shares and protects critical data about pregnancy, birth and childhood in the province of Ontario." In a cybersecurity incident notice, the organization stated that the breach was caused by the Progress MOVEit campaign that exploited the zero-day vulnerability tracked as CVE-2023-34362, and noted that unauthorized copies of files containing personal health information (PHI) were exfiltrated. The impacted PHI was obtained from a "large network of mostly Ontario health care facilities and providers regarding fertility, pregnancy, newborn and child health care offered between January 2010 and May 2023," and those impacted were described as individuals seeking pregnancy care and newborns born in Ontario between January 2010 and May 2023. The stolen information includes the following data types: full name, home address, postal code, date of birth, and health card number. The following data was exposed for particular care treatments: dates of service/care, lab test results, pregnancy risk factors, type of birth, procedures, and pregnancy/birth outcomes. BORN Ontario emphasized that there is currently no evidence of misuse and no sign of the exfiltrated data being posted or offered for sale on the dark web. CTIX analysts will continue to monitor the BORN Ontario data breach and organizations impacted by the Cl0p MOVEit campaign.


Threat Actor Activity


Researchers Detail Recent ShadowSyndicate Activity in New Report

A new threat actor group known as ShadowSyndicate, formerly known as Infra Storm, has recently come onto the scene and has used a wide variety of ransomware families in the past year. The threat actor has been linked to ransomware such as Quantum, BlackCat, Cl0p, Cactus, Nokoyawa, Play, and Royal. They are also known to deploy tools such as Cobalt Strike, Sliver, and IcedID in conjunction with their use of ransomware. The infrastructure for this threat group was discovered and mapped by researchers using an SSH fingerprint that was then traced to eighty-five (85) different servers. Of those eighty-five (85), fifty-two (52) were identified as being used as command-and-control (C2) servers for Cobalt Strike. Researchers also described how many of these servers are attributed to multiple ransomware families, noting that the infrastructure appears to be shared between the different Ransomware-as-a-Service (RaaS) operations. Researchers also noted that there were IP addresses and past SSH clusters from ShadowSyndicate that were linked to Cl0p, indicating that there is possibly a connection between the two (2) threat groups or that they are sharing infrastructure. The identified servers were primarily located in Central America and Europe, specifically Panama, Cyprus, and Russia. CTIX analysts will continue to monitor the activity of this new group as well as their evolving tactics, techniques, and procedures (TTPs).
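The infrastructure-mapping step described above, pivoting from one SSH host-key fingerprint to every server that presents the same key, can be reproduced on a defender's own scan or known_hosts data. The following is an added example written for this update; it is not code from the Ankura brief or from the researchers' report. The fingerprint is computed the way `ssh-keygen -lf` does (SHA-256 of the decoded key blob, base64 without padding), the host keys are constructed placeholders rather than real keys, the IP addresses are from documentation ranges, and the function names are this example's own.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_key_fingerprint(key_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of a public key given in
    '<keytype> <base64 blob> [comment]' form (the layout of known_hosts lines
    and of most scanner output). The value is the SHA-256 digest of the decoded
    key blob, base64-encoded with padding stripped and prefixed 'SHA256:'."""
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<keytype> <base64 blob> [comment]'")
    keytype, blob_b64 = parts[0], parts[1]
    blob = base64.b64decode(blob_b64, validate=True)
    # Sanity check: an SSH key blob starts with a length-prefixed key type
    # string, which must match the declared type. A mismatch means the scan
    # record is corrupted and must not be used for attribution.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack_from(">I", blob, 0)
    if blob[4:4 + type_len] != keytype.encode("ascii"):
        raise ValueError(f"declared type {keytype!r} does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def cluster_by_host_key(observations):
    """Group (ip, host_key_line) observations by fingerprint and return only
    the fingerprints seen on more than one address, i.e. candidate shared
    infrastructure worth a closer look."""
    seen = defaultdict(set)
    for ip, key_line in observations:
        seen[ssh_key_fingerprint(key_line)].add(ip)
    return {fp: sorted(ips) for fp, ips in seen.items() if len(ips) > 1}


def make_constructed_key(keytype: str, seed: bytes) -> str:
    """Build a syntactically valid but meaningless ed25519-shaped key blob for
    the sample data below. These are constructed placeholders, NOT real keys."""
    material = hashlib.sha256(seed).digest()  # 32 bytes, the ed25519 public key size
    blob = (struct.pack(">I", len(keytype)) + keytype.encode("ascii")
            + struct.pack(">I", len(material)) + material)
    return f"{keytype} {base64.b64encode(blob).decode('ascii')} constructed"


# Constructed sample scan results: documentation IP ranges and fake keys.
KEY_A = make_constructed_key("ssh-ed25519", b"cluster-a")
KEY_B = make_constructed_key("ssh-ed25519", b"single-host")
KEY_C = make_constructed_key("ssh-ed25519", b"cluster-c")

SAMPLE_OBSERVATIONS = [
    ("192.0.2.10", KEY_A),
    ("192.0.2.11", KEY_A),
    ("198.51.100.5", KEY_A),
    ("192.0.2.20", KEY_B),
    ("203.0.113.7", KEY_C),
    ("203.0.113.8", KEY_C),
]


def shared_infrastructure():
    """Clusters found in the constructed sample: two fingerprints, one seen on
    three hosts and one on two; the single-host key is not reported."""
    return cluster_by_host_key(SAMPLE_OBSERVATIONS)


if __name__ == "__main__":
    for fp, ips in shared_infrastructure().items():
        print(f"{fp}: {', '.join(ips)}")
```

Fed with real scan output the same grouping gives the starting point the researchers describe: a fingerprint shared across hosts is a strong link, because an SSH host key is generated per installation and only travels between servers when an operator copies a disk image or configuration. The type check matters in practice; scanners occasionally mislabel key types, and a cluster built on a mislabeled record would attribute unrelated hosts to one another.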


Vulnerabilities


Actively Exploited libwebp Vulnerability Impacts Millions of Applications

Google has assigned a maximum CVSS severity rating of 10/10 to an actively exploited and previously disclosed zero-day vulnerability whose scope extends much further than researchers initially thought. The flaw, tracked as CVE-2023-5129, is a heap-based buffer overflow in Google Chrome's libwebp library, specifically rooted in the Huffman coding algorithm. The libwebp library is an open-source toolkit for WebP, a lossy compression graphics format, used by multiple browsers and image editors. A threat actor could exploit this vulnerability to trigger out-of-bounds memory writes via maliciously crafted HTML pages. Successful exploitation could cause a system crash, disclosure of privileged data, and arbitrary code execution. This is a very dynamic situation: the flaw was initially thought to affect only the Chrome browser and was originally given the identifier CVE-2023-4863. However, researchers found that this was not the case, prompting the change of CVE identifier. Ultimately, this was a flaw in the libwebp library itself, which is used to process WebP images by many other browsers and applications including 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, and the native Android web browsers. The vulnerability's extended scope means that it affects millions of applications. This vulnerability has been patched, and CTIX recommends that all readers ensure their browsers are up to date by running the most stable and secure version.
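Because the flaw sits in libwebp's Huffman decoding, a triage question that comes up when reviewing image uploads, mail attachments or proxy captures is which files even reach that code path. In the WebP container, Huffman (prefix) coding is used by the lossless bitstream (`VP8L` chunks, and `ALPH` alpha planes flagged as lossless-compressed); the lossy `VP8` bitstream uses a different entropy coder. The parser below is an added example written for this update, not code from the Ankura brief or from the libwebp project. It walks the RIFF container with every size field bounds-checked, so malformed headers are rejected rather than read past the buffer, and reports which chunks carry lossless-coded data. The sample files are constructed inline from placeholder bytes and are not decodable images; the function names are this example's own.

```python
import struct


def parse_webp_chunks(data: bytes):
    """Walk the RIFF container of a WebP file and return a list of
    (fourcc, payload) tuples. Every size field is checked against the real
    buffer length before it is used, so a file whose headers overstate sizes
    is rejected instead of being read past its end."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP container")
    (riff_size,) = struct.unpack_from("<I", data, 4)
    end = 8 + riff_size
    if end > len(data):
        raise ValueError(f"RIFF size {riff_size} exceeds file length {len(data)}")
    chunks = []
    pos = 12
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4].decode("ascii", "replace")
        (size,) = struct.unpack_from("<I", data, pos + 4)
        start = pos + 8
        if start + size > end:
            raise ValueError(f"chunk {fourcc!r} declares {size} bytes past end of container")
        chunks.append((fourcc, data[start:start + size]))
        pos = start + size + (size & 1)  # RIFF chunks are padded to an even length
    return chunks


def lossless_chunks(data: bytes):
    """Return the fourccs of chunks carrying lossless-coded (Huffman) data:
    VP8L image data, and ALPH alpha planes whose compression method field
    (low two bits of the first payload byte) is 1, meaning lossless."""
    found = []
    for fourcc, payload in parse_webp_chunks(data):
        if fourcc == "VP8L":
            found.append(fourcc)
        elif fourcc == "ALPH" and payload and (payload[0] & 0x03) == 1:
            found.append(fourcc)
    return found


def triage(data: bytes) -> str:
    """One-line verdict for a file: malformed, lossy only, or the list of
    chunks that would exercise the lossless decoder."""
    try:
        lossless = lossless_chunks(data)
    except ValueError as exc:
        return f"malformed: {exc}"
    return ("lossless-coded chunks: " + ",".join(lossless)) if lossless else "lossy only"


def build_webp(chunks):
    """Assemble a RIFF/WEBP container from (fourcc, payload) pairs. Used here
    only to construct sample input with correct sizes and padding."""
    body = b"WEBP"
    for fourcc, payload in chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples (placeholder payloads; 0x2f is the VP8L signature byte).
SAMPLE_LOSSLESS = build_webp([(b"VP8L", b"\x2f\x00\x00\x00\x00"), (b"EXIF", b"abc")])
SAMPLE_LOSSY = build_webp([(b"VP8 ", bytes(10))])
SAMPLE_ALPHA = build_webp([(b"VP8X", b"\x10" + bytes(9)),
                           (b"ALPH", b"\x01" + bytes(3)),
                           (b"VP8 ", bytes(10))])
# A chunk header that claims far more data than the file holds.
SAMPLE_OVERSIZED = (b"RIFF" + struct.pack("<I", 20) + b"WEBP"
                    + b"VP8L" + struct.pack("<I", 0xFFFFFFF0) + bytes(8))

if __name__ == "__main__":
    for name, sample in [("lossless", SAMPLE_LOSSLESS), ("lossy", SAMPLE_LOSSY),
                         ("alpha", SAMPLE_ALPHA), ("oversized", SAMPLE_OVERSIZED)]:
        print(f"{name}: {triage(sample)}")
```

The container walk only tells you which files touch the affected decoder; it does not and cannot say whether a given file is malicious, because the overflow is in how the Huffman tables are built from the bitstream, not in the container layout. Its use is prioritisation: files reported as "lossy only" never reach the vulnerable code, so patch verification and sandbox detonation effort can go to the rest.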


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Tags

cyber response, cybersecurity & data privacy, data privacy & cyber risk, report
