09.12.24 Threat Report

Deloitte Data Breach

Deloitte UK has categorically denied allegations of a significant cybersecurity breach made by the ransomware group Brain Cipher. The group asserts that it has stolen over one terabyte of sensitive data from the professional services giant. However, Deloitte maintains that its internal systems have not been compromised.

‍

A spokesperson for Deloitte clarified that the claims pertain solely to an external system belonging to a single client and do not implicate Deloitte’s own network.

‍

“No Deloitte systems have been impacted,” the spokesperson informed Cyber Security News, aiming to reassure stakeholders about the security of the firm’s operations and client data.

‍

Brain Cipher’s Allegations: Over 1 Terabyte of Data Stolen

The ransomware group Brain Cipher, active since June 2024 and infamous for high-profile cyberattacks, alleges it exploited vulnerabilities in Deloitte UK’s cybersecurity framework. According to the group, this enabled them to exfiltrate over one terabyte of compressed data from Deloitte’s systems.

‍

The group has pledged to release evidence supporting their claims, including:

• Samples of allegedly stolen data.
• Reports detailing Deloitte’s cybersecurity practices and monitoring tools.
• Confidential contractual agreements with clients.

‍

Mocking Deloitte’s defences, Brain Cipher declared: “We will show excellent (not) monitoring work, and tell what tools we used, and use there today.”

‍

Additionally, Brain Cipher claims to have invited Deloitte to initiate private discussions via official corporate email, implying potential ransom negotiations.

‍

Potential Impact of the Alleged Breach

Despite Deloitte’s denial, cybersecurity experts remain vigilant, given the far-reaching consequences if Brain Cipher’s claims are verified. Such a breach could:

• Compromise sensitive client data, including business intelligence, financial records, and contracts.
• Erode trust in Deloitte, a leading member of the “Big Four” professional services firms.
• Tarnish Deloitte’s reputation, especially concerning its cybersecurity expertise.

‍

Deloitte’s assertion that the incident involves a single client’s external system highlights the persistent risks associated with third-party partnerships. Cybercriminals frequently target vulnerabilities in vendor or partner systems to infiltrate larger organisations.

This incident underscores the importance of robust third-party risk management strategies, including:

• Conducting stringent security assessments for all third-party systems.
• Implementing advanced threat detection and monitoring tools.
• Enhancing incident response plans to mitigate potential fallout from breaches.

‍

British Telecom BT Group Confirms Cyberattack Attempt by Black Basta Ransomware

‍

BT Group, one of the United Kingdom’s largest telecommunications companies, has confirmed an attempted cyberattack on its conferencing platform by the infamous ransomware group Black Basta. The company stated that the incident targeted specific elements of the platform but was swiftly contained. Affected servers were taken offline immediately to prevent further compromise.

‍

BT assured stakeholders that core services, including BT Conferencing’s live offerings and customer data, were unaffected. The organisation is actively cooperating with law enforcement and regulatory authorities as part of its incident response efforts.

Black Basta Claims Responsibility

Black Basta, a ransomware group linked to over 500 global cyberattacks since its emergence in 2022, has claimed responsibility for the breach. The group alleges it exfiltrated approximately 500 GB of sensitive data, including:

• Financial records.
• Personal employee information.
• Internal corporate documents.

‍

The group has threatened to release the stolen files unless a ransom is paid. BT has not commented on whether it is engaged in negotiations with the attackers.

‍

Advanced Tactics of Black Basta

The attempted attack highlights Black Basta’s sophisticated tactics, which often include:

• Social engineering: Employing methods such as phishing and email bombing to deceive employees and gain access to systems.
• Abuse of legitimate tools: Using platforms like Microsoft Teams for malicious purposes.

‍

This incident reflects a broader trend of ransomware campaigns targeting critical infrastructure and large enterprises. Black Basta has previously been linked to attacks on prominent organisations, including Hyundai Europe and Capita.

‍

Lessons from BT’s Response

BT’s swift containment of the attack and its ongoing investigation demonstrate the importance of maintaining robust cybersecurity measures. The organisation’s ability to limit the breach and ensure service continuity underscores the value of:

‍

NHS Hospitals Hit by Cyberattacks Struggle to Restore Systems

‍

Children's Hospital and Cardiac Unit Breached via Shared Digital Gateway Service

Two NHS trusts affected by separate cyberattacks last week have confirmed that they are still working to restore their systems. While both incidents have disrupted hospital operations, efforts to secure systems and resume normal functions are ongoing.

‍

NHS Wirral University Teaching Hospital: Gradual Recovery

The NHS Wirral University Teaching Hospital Trust, which oversees Clatterbridge and Arrowe Park hospitals, has downgraded its initial "major incident" to a "business continuity incident." However, the trust remains in the process of bringing its systems back online.

‍

In its first statement in nearly a week, a spokesperson explained:

• Emergency treatment is being prioritised, but patients should expect longer waiting times in emergency and assessment areas.
• Outpatient appointments are continuing as scheduled, and patients are encouraged to attend unless informed otherwise.

‍

Following the attack, NHS Wirral reverted to manual pen-and-paper operations. The identity of the attackers remains unknown, and no known cybercrime group has claimed responsibility for the intrusion.

‍

INC Ransom Takes Credit

The attack on Liverpool hospitals, including Alder Hey Children's Hospital and Liverpool Heart and Chest Hospital, has been claimed by the ransomware group INC Ransom. A statement from Alder Hey Children's Hospital NHS Trust identified the intrusion point as a shared digital gateway service used by Alder Hey and Liverpool Heart and Chest Hospital.

‍

The trust confirmed that attackers unlawfully accessed systems containing data from the following hospitals:

• Alder Hey Children’s Hospital
• Liverpool Heart and Chest Hospital
• A limited amount of data from Royal Liverpool University Hospital

‍

Data allegedly stolen in the breach, including personal details of donors, patients, and hospital staff, was posted online last week. Screenshots of the data have been reviewed, and an investigation is underway to determine the extent of the breach.

‍

Alder Hey announced that after analysing the stolen data, it does not believe any of it relates to children or young people. The stolen data appears to involve adults, medical cases at the other affected hospitals, and hospital financial records.

‍

This finding provides relief to parents concerned about the exposure of their children’s medical information. However, the investigation is ongoing, and there remains a risk that the attacker could publish additional data.

‍

NHS Response and Progress

Alder Hey has made progress in securing the compromised systems and is collaborating with the National Crime Agency to ensure the attackers’ access remains blocked. However, the process of reconnecting systems is still incomplete.

‍

The NHS continues to maintain its longstanding policy of refusing to pay ransom demands. Since the WannaCry incident in 2017, no NHS organisation has reported paying a ransom, and it is unlikely that INC Ransom will succeed in extracting payment.

‍

The attacks on NHS Wirral and Liverpool hospitals underscore critical vulnerabilities in healthcare cybersecurity. Key takeaways include:

• Shared digital gateways: Organisations should assess risks associated with shared digital services to prevent cascading impacts across institutions.
• Incident response readiness: Hospitals must ensure robust procedures for reverting to manual operations while securing and restoring digital systems.
• Ransomware resilience: Enhanced monitoring, threat detection, and backup systems are vital to minimise disruption during cyberattacks.

‍

As hospitals work to restore systems, the incidents serve as a stark reminder of the importance of proactive cybersecurity measures in safeguarding critical healthcare infrastructure.

‍

Windows Server 2012 Zero-Day Vulnerability Enables Attackers to Bypass Security Checks

A critical zero-day vulnerability has been discovered in Windows Server 2012 and Server 2012 R2, allowing attackers to bypass essential security checks enforced by the Mark of the Web (MotW) feature. This flaw, undetected for over two years, presents a severe risk to organisations still utilising these server versions, even those with fully updated systems and Extended Security Updates (ESU).

‍

Details of the Vulnerability

The vulnerability affects specific file types and can potentially expose servers to malicious exploitation. Although full technical details have been withheld to prevent abuse, the flaw’s presence in fully patched systems highlights the urgency of this issue.

‍

Key facts:

• The vulnerability impacts both Windows Server 2012 and Server 2012 R2, including those with ESU.
• Discovered by 0patch researchers, the issue demonstrates the risks inherent in older server platforms that are no longer fully supported.

‍

Micropatches Developed by 0patch

In response to this discovery, 0patch researchers have promptly reported the issue to Microsoft and released micropatches to mitigate the risk. These micropatches are:

• Available free of charge until Microsoft provides an official fix.
• Delivered to online systems with the 0patch Agent installed on PRO or Enterprise accounts.
• Designed to provide immediate protection, reducing the exposure window for affected organisations.

‍

Affected Systems

The vulnerability impacts the following configurations:

• Windows Server 2012 (updated to October 2023).
• Windows Server 2012 R2 (updated to October 2023).
• Windows Server 2012 with ESU.
• Windows Server 2012 R2 with ESU.

‍

Recommendations

Organisations using Windows Server 2012 or 2012 R2 should take the following actions to mitigate risk:

1. Apply the 0patch micropatches immediately to safeguard against potential exploits.
2. Monitor Microsoft updates and apply the official fix once it becomes available.
3. Upgrade to newer, fully supported server versions to eliminate reliance on ageing systems with limited support.
4. Implement additional security measures, such as network segmentation and enhanced monitoring, to protect critical infrastructure.

‍

This vulnerability highlights the ongoing security challenges posed by legacy systems, even those believed to be fully patched. It highlights the importance of:

• Regular security audits to identify and mitigate risks proactively.
• Robust patch management strategies that include third-party solutions when official patches are delayed.
• Collaboration between independent security researchers and vendors, as demonstrated by 0patch’s rapid response.

‍

As the cybersecurity community awaits Microsoft’s official fix, this incident serves as a reminder of the need for vigilance and proactive measures to address the evolving threat landscape. Organisations should prioritise transitioning away from unsupported or nearing end-of-life systems to ensure long-term security resilience.