Cybersecurity Roundup April 2024

Related Content

Want to keep learning?

Subscribe to SSL.com’s newsletter, stay informed and secure.

Kitchen-Sink Attack Chains: The Primary Cyber Threat to 2024 Elections    

As the 2024 elections approach, cybersecurity experts warn that the most significant threat to the democratic process will likely be a combination of various cyberattacks, rather than a single, isolated incident. These “kitchen-sink” attack chains, as they are called, involve hackers using multiple tactics in tandem to achieve their malicious goals, making them more difficult to detect and defend against.  According to a recent report by Mandiant, part of Google Cloud, the most potent threats to elections are chained attacks, where threat actors deliberately layer multiple tactics in hybrid operations to magnify the effect of each component. This approach has been used in past elections, such as the 2014 Ukrainian presidential elections, where Russian actors launched DDoS attacks, deleted files from the country’s central election computers, leaked emails and documents, and attempted to present fake results favoring a specific candidate.  In the 2020 US elections, two Iranian nationals carried out a campaign against multiple states’ voting-related websites, obtaining confidential voter information, sending intimidating and misleading emails, and spreading disinformation about election infrastructure vulnerabilities. They also breached a media company, which could have provided another channel for disseminating false claims.  Apart from state-sponsored actors, insiders, hacktivists, and cybercriminals also pose a threat to the democratic process. Fake social media accounts and websites affiliated with presidential candidates can be used to spread scams, malware, steal funds, or influence voters’ views by distributing fake news. These impersonations can also be used to interact with real people from campaigns and infiltrate their systems.  As the digital battlefield becomes increasingly accessible, it is crucial for election officials, campaigns, and voters to remain vigilant and proactive in safeguarding the integrity of the democratic process against these evolving cyber threats.
SSL.com Insights: To defend against the intricate and multi-layered threats described in the article, companies and organizations involved in electoral processes should enhance their defenses by integrating systems that examine content passing through their networks to detect harmful data packets and signs of tampering. They should also deploy technologies that verify the authenticity and security of websites, preventing unauthorized access to sensitive data and systems. Implementing measures that continuously monitor and analyze network traffic can help detect unusual patterns that may indicate a coordinated attack. SSL.com’s SSL certificates can play a crucial role in these strategies by ensuring that data transmitted across networks is encrypted, significantly reducing the risk of interception and tampering, and by authenticating the identities of entities involved, thus bolstering trust and security in digital communications.

Fortify Security, Trust SSL.com Certificates.  

Encrypt Today

State-Sponsored Hackers Breach MITRE R&D Network via Ivanti Zero-Day Vulnerabilities     

MITRE, a federally funded not-for-profit company, recently disclosed a breach of its Networked Experimentation, Research, and Virtualization Environment (NERVE) by a foreign state-sponsored threat actor in early January. The attackers exploited two zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, in Ivanti Connect Secure VPN devices to gain initial access. These vulnerabilities were first reported by Volexity on January 10, attributing their exploitation to Chinese government-backed hackers.  After gaining access, the attackers conducted reconnaissance, bypassed multi-factor authentication using session hijacking, and moved laterally within MITRE’s network. They employed sophisticated backdoors and webshells to maintain persistence and harvest credentials, targeting the organization’s VMware infrastructure using a compromised administrator account.  While MITRE has not provided attribution details beyond identifying the attackers as a foreign nation-state threat actor, Google Cloud’s Mandiant is aware of several China-linked threat actors exploiting the Ivanti VPN vulnerabilities in their attacks.  MITRE’s ongoing investigation has found no evidence of impact on its core enterprise network or partners’ systems. The organization has shared information on the observed ATT&CK techniques, best practices for detecting such attacks, and recommendations for hardening networks.  The same Ivanti vulnerabilities were also used to hack into systems belonging to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), potentially affecting 100,000 individuals. MITRE, widely known for its ATT&CK knowledge base of adversary tactics and techniques, recently opened a new AI Assurance and Discovery Lab to discover and manage risks in AI-enabled systems. 
SSL.com Insights: To enhance security against state-sponsored cyberattacks, such as those experienced by MITRE through exploited product vulnerabilities, organizations must deploy technologies that allow for the inspection and validation of encrypted network traffic which will then help identify and mitigate suspicious activities before they escalate. At SSL.com, we offer robust SSL/TLS certificate solutions tailored for IoT devices, ensuring secure and trusted device connections right from the start. By partnering with us, organizations can leverage our Hosted PKI and custom ACME-enabled CAs to manage certificate lifecycles effectively, mitigating risks associated with device and network security. Our SWS API further facilitates seamless certificate management directly from your IoT infrastructure.

Explore how SSL.com can enhance your IoT security.  

Learn More

CoralRaider Threat Actor Launches Global Attack Campaign with Multiple Info Stealers  

Cisco’s Talos security research unit has uncovered a widespread attack campaign by a threat actor known as CoralRaider, which employs a combination of information stealers to harvest credentials and financial data from users worldwide. The threat actor, believed to be of Vietnamese origin, has been targeting individuals across various business verticals and geographies since at least 2023.  CoralRaider’s attack campaign has evolved over time, with the threat actor previously using a customized QuasarRAT variant called RotBot and the XClient stealer to target financial and login information and steal social media accounts. Since February 2024, the threat actor has expanded its arsenal to include three information stealers: Cryptbot, LummaC2, and Rhadamanthys.  The attacks have targeted users in Ecuador, Egypt, Germany, Japan, Nigeria, Norway, Pakistan, the Philippines, Poland, Syria, Turkey, the UK, and the US, with some victims identified as employees of computer service call center organizations in Japan and civil defense service organizations in Syria. CoralRaider has been using phishing emails containing malicious links to deliver ZIP archives with crafted shortcut files, triggering a multi-stage infection chain that ultimately executes the information stealers on the targeted systems.  CryptBot, LummaC2, and Rhadamanthys are well-known information stealers with various capabilities, including harvesting credentials from browsers, stealing sensitive files, and exfiltrating data from cryptocurrency wallets and other applications. The use of these stealers in combination allows CoralRaider to maximize the impact of its attacks and gather a wide range of valuable information from its victims.  As CoralRaider continues to evolve and expand its global reach, organizations and individuals must remain vigilant and adopt robust cybersecurity measures to protect against these increasingly sophisticated threats. Regularly updating software, using strong and unique passwords, enabling multi-factor authentication, and educating users about the dangers of phishing emails are essential steps in mitigating the risk of falling victim to such attacks. 
SSL.com Insights: To counteract the global campaign by threat actors using multiple infostealers as reported by Cisco, organizations must implement robust file integrity monitoring and behavior analysis tools that can detect and respond to unauthorized access and modifications of sensitive data. Regular updates and comprehensive endpoint security solutions are critical in safeguarding against advanced malware strains that target credentials and financial information through stealthy mechanisms. Additionally, deploying encryption for sensitive files and employing enhanced detection protocols can mitigate the risk of information being stolen and misused. SSL.com’s S/MIME certificates ensure the integrity and confidentiality of email communications, providing a critical layer of protection against phishing schemes that might otherwise lead to the deployment of infostealers, and they also verify the sender’s identity to prevent impersonation attempts, thereby securing email as a communication channel.

Secure Email, Trust SSL.com S/MIME.  

Protect Emails

Change Healthcare Suffers Second Ransomware Attack by RansomHub   

Change Healthcare, a subsidiary of United Healthcare, has reportedly suffered another ransomware attack, this time by the RansomHub gang, just weeks after being targeted by ALPHV/BlackCat. RansomHub claims to have stolen 4TB of sensitive data, including information about US military personnel, patients, medical records, and financial information. The gang is demanding an extortion payment and threatens to sell the data to the highest bidder if the ransom is not paid within 12 days.  This second attack comes at a challenging time for Change Healthcare, which has only recently recovered from the previous ALPHV/BlackCat cyberattack. The company now faces a difficult decision regarding whether or not to pay the ransom to protect its clients’ sensitive information.  Malachi Walker, a security adviser at DomainTools, suggests that even if RansomHub is not directly connected to ALPHV/BlackCat, the group could be claiming ties to their victims to intimidate them into making a payment. He also highlights the thriving underground economy surrounding the ransomware scene, with various actors collaborating to share information.  While there is speculation about a possible connection between ALPHV/BlackCat and RansomHub, or if ALPHV has rebranded as RansomHub, Walker states that it is too early to confirm any direct link between the two groups.  This incident underscores the ongoing threat posed by ransomware gangs and the importance of robust cybersecurity measures to protect sensitive data in the healthcare industry. As Change Healthcare navigates this second ransomware attack, it faces a challenging situation in ensuring the safety of its clients’ information. 
SSL.com Insights: To effectively protect sensitive information, such as medical records and financial details, from emerging threats like ransomware, organizations must prioritize advanced security strategies tailored to their specific needs. Implementing rigorous monitoring tools that scan network traffic to detect unusual patterns can provide early warnings of a potential breach. Additionally, fortifying web-facing applications with tools that specifically block unauthorized attempts to exploit vulnerabilities can shield critical assets. For comprehensive data protection, encryption technologies should be employed to render sensitive data unreadable to unauthorized users, ensuring that even if data is compromised, it remains secure.

SSL.com Announcements

SSL.com’s S/MIME Certificates can now be integrated with an LDAP-enabled network

LDAP (Lightweight Directory Access Protocol) is an industry-standard protocol for accessing and managing directory information services. It is commonly used for storing and retrieving information about users, groups, organizational structures, and other resources in a network environment.

Integrating LDAP with S/MIME certificates involves utilizing LDAP as a directory service to store and manage user certificates. 

By integrating LDAP with S/MIME certificates, organizations can centralize certificate management, enhance security, and streamline the process of certificate retrieval and authentication in various applications and services that leverage LDAP as a directory service.

Contact sales@ssl.com for more information on LDAP integration. 

Single Sign On (SSO) can now be enabled for SSL.com accounts 

SSL.com users can now activate Single Sign On (SSO) for their accounts. This feature allows users to link their Google, Microsoft, GitHub, and Facebook accounts to their SSL.com accounts. Once linked and logged in to any of the four service providers mentioned, there is no need for users to repeatedly login to their SSL.com accounts with their username and password.  The adoption of SSO by SSL.com represents a commitment to maintaining high security standards while providing a user-friendly environment, ultimately fostering a safer and more secure online experience for its users. 

Automate Validation and Issuance of Email Signing and Encryption Certificates for Employees 

< p align=”justify”>Bulk enrollment is now available for Personal ID+Organization S/MIME Certificates (also known as IV+OV S/MIME), and NAESB Certificates through the SSL.com Bulk Order Tool. Bulk enrollment of Personal ID+Organization S/MIME and NAESB Certificates has the additional requirement of an Enterprise PKI (EPKI)  Agreement. An EPKI Agreement allows a single authorized representative of an organization to order, validate, issue, and revoke a high volume of these two types of certificates for other members, thereby enabling a faster turnaround in securing an organization’s data and communication systems. 

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.