LockBit hits ICBC and leaks Boeing data | Cyber Intelligence Briefing: 14 November

Top news stories this week

1. LockBit bites with CitrixBleed. Resurgent LockBit paralyses US arm of ICBC and leaks Boeing’s data. 
2. Resourceless regulator. ICO drops investigation into EasyJet breach.
3. Privilege denied. Australian court dismisses telecom giant Optus's bid to keep report confidential. 
4. DDoS deluge. OpenAI’s ChatGPT and Cloudflare fall victim to DDoS attacks.
5. Closed for business. RansomedVC shuts down operations after the arrests of six affiliates.
   
6. Three for three? SysAid vulnerability exploited by MOVEIt and GoAnywhere threat actor.
   
   

Listen to the Cyber Intelligence Briefing

   Spotify       Apple Podcasts      Google Podcasts    YouTube

1. CitrixBleed: LockBit hits ICBC and leaks Boeing data 

The US arm of the Industrial and Commercial Bank of China (ICBC) was hit by LockBit last week. The bank was reportedly forced to send details of US Treasury settlements to partners on a USB stick via courier. Separately, the ransomware gang has leaked 50GB of Boeing’s data on their leak site. Security researchers have suggested that a high-risk software vulnerability known as “CitrixBleed” was involved in both breaches. [Researcher: Georgina Varley]

So what?

Organisations with Citrix NetScaler Application Delivery Controller and NetScaler Gateway appliances should follow CISA's guidance on patching immediately, and consider conducting pro-active threat hunting.

2. ICO drops investigation into EasyJet breach due to limited resources

The UK’s data protection regulator has dropped its investigation into a 2019 data breach at EasyJet that affected 9 million customers. The Information Commissioner’s Office (ICO) cited limited resources for their decision to not probe what was described as one of the UK’s largest data breaches at the time.

So what?

The decision not to pursue enforcement action has raised concerns that it sends the wrong message to companies about their obligations to data subjects under the GDPR.

3. Court rejects Optus's legal privilege claim on incident report 

A judge rejected Australian telecom giant Optus’s claim that an incident report about a 2022 cyber attack was subject to legal privilege. Optus is facing a class action lawsuit over the breach which affected 10 million customers. The court rejected the company’s argument that the report was prepared to assess legal risks.

So what?

Organisations should avoid publicly referring to incident reports or other sensitive documents prepared following cyber attacks, as this can undermine legal privilege.

4. OpenAI and Cloudflare fall victim to large-scale DDoS attacks  

The Russia-linked hacktivist group Anonymous Sudan has claimed responsibility for DDoS attacks on OpenAI’s ChatGPT and cyber security firm Cloudflare. The attack on Cloudflare briefly disrupted the company’s main website, while the ChatGPT outage likely caused more extensive disruption to developers relying on ChatGPT’s API for coding-related tasks.

So what?

Organisations which have integrated public-facing AI services like ChatGPT should carefully consider the potential impact of service outage caused a DDoS attacks.

5. RansomedVC ceases operations following arrests

The short-lived and chaotic ransomware group RansomedVC has shut down, following the arrest of six affiliates. The group, which appeared last August and claimed an attack on Sony, posted an update on telegram criticising its affiliates for having poor operational security. The group had previously attempted to sell its infrastructure including its ransomware builder and dark web leak site.

So what?

Law enforcement pressure can shut down cyber criminal groups, but the individuals involved will often rebrand or join other groups.

6. Software vulnerabilities used to spread Clop and Cerber ransomware

A zero-day vulnerability (CVE-2023-47246) in the SysAid service management software is being exploited to deploy Clop ransomware. Microsoft has attributed the attacks to the same threat actor behind the MOVEIt and GoAnywhere data breaches earlier this year.

Separately, a critical vulnerability (CVE-2023-22518) in Atlassian Confluence servers is being used by threat actors to deploy Cerber ransomware. The exploit, which enables improper authorisation, recently saw its severity rating increased to the maximum 10 out of 10.

So what?

SysAid and Atlassian have released patches and threat hunting guidance for both vulnerabilities. Because the vulnerabilities impact on-premises deployments, remediation will likely need direct intervention which can be slow and costly.