Threat Briefing: March 22, 2024

Threat Intel Update

Cyber actors employ a diverse range of tools and strategies to carry out attacks, ranging from cutting-edge technologies like artificial intelligence (AI) to the manipulation of legitimate tools or acquisition of authentic login credentials. These tools enable cyber actors to steal data, execute ransomware attacks, or persist covertly within compromised systems for extended periods. The motives and objectives of cyber actors vary, whether they are aligned with foreign interests or affiliated with criminal syndicates. Nonetheless, safeguarding computer systems is a collective goal, necessitating a combination of software defenses, robust policies, adherence to government regulations, and collaboration among different teams within organizations and with external entities in both public and private sectors.

Cybersecurity News

U.S. Government Still Attempting to Identify Extent of Compromise of Critical Infrastructure by Chinese Cyber Group Volt Typhoon – Volt Typhoon, previously associated with breaches in telecommunication networks and military facilities, employs authentic credentials to infiltrate systems and relies on vulnerability scans to identify weaknesses. The U.S. government has confirmed the utilization of AI to detect Volt Typhoon-related activities and is striving to uncover further victims affected by its compromises. The Record

UnitedHealth Working to Restore Final Parts of System Compromised by Ransomware Attack in February – The attack against UnitedHealth’s subsidiary Change Healthcare has been called one of the “most significant and consequential” attacks against the healthcare system in the United States. UnitedHealth is working to restore the system used to submit medical claims and has already restored systems used for processing payments and pharmacy claims. Security Week

First International Resolution on the Safe Use of AI Adopted by the United Nations – The resolution had support from over 120 nations and was sponsored by the United States. While the resolution is non-binding, it supports the use of “safe, secure, and trustworthy AI systems” in addition to holding accountable members of the UN who use AI to abuse human rights. Bank Info Security

Operation “PhantomBlu” Delivers NetSupport Remote Access Trojan to Microsoft Office Users – Victims are targeted with a malicious email instructing them to open a Word file. This file prompts victims to “enable editing” and activate an OLE package, initiating the execution of malicious code. This method bypasses security settings and retrieves NetSupport. Once installed, NetSupport can be exploited by malicious cyber actors to transfer files, monitor activities, capture keystrokes, and gather system information before deploying ransomware. Dark Reading

Nations Direct Mortgage Victim of Cyber Attack, Potentially Leaking Data of Customers – The incident took place in December 2023 and was orchestrated by an unidentified cyber threat actor. Investigations suggest that the actor may have obtained access to customer information such as names, addresses, account numbers, and Social Security numbers. Nations Direct joins a group of mortgage loan servicers and insurance companies targeted by cyber-attacks towards the end of 2023, including Mr. Cooper, Fidelity National Financial, First American, and LoanDepot. The Record

About the Author
CampusGuard Threat Intel Team