Threat Briefing: June 28, 2024

Cyber threat actors can sometimes be quick to brag about their attacks, which can be good for their reputation, but bad for the reputation of their victims. Sometimes cyber actors compromise a computer system and don’t always realize who or what they have breached.

This week, ransomware group LockBit claimed responsibility for an attack against the Federal Reserve, but actually compromised a financial institution instead. This serves as a good reminder that sometimes cyber criminals claim responsibility for an attack they haven’t committed or sometimes they have the wrong victim.

When a cyber threat actor publicly claims an attack, it forces organizations to respond, either by trying to confirm if an attack did occur or to disprove what a cyber threat actor has said and repair any potential damage.

• • Government Accountability Office (GAO) Warns Defense Counterintelligence & Security Agency (DCSA) Needs to Address Cyber Risk with National Background Investigation Services System – The GAO indicated the DCSA did not address several cyber-risk management steps. The GAO also found the agency only partially implemented several controls like incident tracking, security awareness training, and privacy controls. The DCSA assumed responsibility for conducting federal background checks following a breach of the Office of Personnel Management in 2015. NextGov

• • LockBit Incorrectly Claims Ransomware Attack Against Federal Reserve – LockBit claimed to have stolen 33Tb of data from the Federal Reserve, however, the data released from LockBit was data for Evolve Bank & Trust, an Arkansas-based financial institution. Evolve Bank has notified its customers that it was the victim of a cyber attack and PII data of customers was available on the dark web. Evolve had previously been cited by the Federal Reserve due to deficiencies with several compliance programs. The LockBit actors potentially found documents from the Federal Reserve within Evolve’s network and believed they had accessed the Federal Reserve instead. Security Week

• • P2PInfect Botnet Used to Deploy Cryptocurrency and Ransomware on Infected Victims – The botnet infects misconfigured Redis servers. P2PInfect originally was discovered in 2023 and the malware for the botnet is written in the Rust programming language. Compromised servers encrypted with ransomware found ransom notes instructing them to pay 1XMR or approximately $165 to decrypt their files. P2PInfect also includes a SSH password sprayer and the threat actors behind P2PInfect have also changed passwords on compromised system. The Hacker News

• • U.S. Cybersecurity & Infrastructure Security Agency (CISA) Finds Unsafe Memory Code in Majority of Open Source Projects – The unsafe code is possibly leading to memory spillover risks. CISA found that 52% of Open Source Security Foundation projects had memory-unsafe code. Furthermore, a quarter of the code in the top 10 largest open-source projects had memory-unsafe code. Projects identified in the study include OpenSSL, Linux Kernel, and Kubernetes. BankInfoSecurity

• • New Artificial Intelligence (AI) Jailbreak Can Allow AI Models to Provide “Forbidden” Information Discovered by Microsoft Researchers – The jailbreak is called “Skeleton Key,” and could be utilized to get AI models to include Meta Llama3, Google Gemini Pro, OpenAI GPT, and Anthropic Claude 3. Microsoft researchers discovered that if they asked AI models to augment their behaviors and provide a “warning” label to information it considered to go against its guidelines, the AI model would provide the information researchers asked for. Security Week