Robin’s Newsletter #298

3 March 2024. Volume 7, Issue 9
Change Healthcare outage persists as ALPHV claims responsibility. Morris II GenAI worm. NIST CSF v2 launched.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Change Healthcare incident continues; ALPHV claims responsibility

  • Change Healthcare, a US platform used by 70,000 pharmacies and healthcare providers, suffered ongoing disruption to its services this week. The company, part of UnitedHealth Group, said it is taking “multiple approaches to restore the impacted environment” and continues to be “proactive and aggressive with all our systems”. The company has implemented workarounds to ensure it can fill prescriptions.
  • The ALPHV/Blackcat group has claimed responsibility for the attack, saying that “more than 6 [terabytes] of highly selective data” was exfiltrated, including personal and contact information, payment details, claims information, and dental records.
  • UnitedHealth has engaged Mandiant and Palo Alto Networks to assist in the investigation and response to the attack, as well as the FBI and law enforcement. The ScreenConnect vulnerability may have been the initial attack vector that gained the cybercriminals a foothold within the company’s network.
  • The ALPHV website was offline on Friday afternoon. However, it’s unclear why or if this is related to the attack.
  • LINK, CLAIM, WEB DOWN

ConPromptMized: Morris II’ AI worm

  • Security researchers created a worm that targets GenAI-powered applications and email assistants. The AI worm, dubbed Morris II in homage to the original 1988 computer worm, got ChatGPT, Gemini Pro and LLaVA, running in a test environment, to generate spam and exfiltrate personal data. 
  • The worm targets GenAI ecosystems through ‘adversarial self-replicating prompts’, where the model will replicate the input as output and the payload. The researchers proved they could achieve this with both text and image-based prompts.
  • Where the AI service can perform retrieval-augmented generation (querying a data source outside its primary large language model), an attacker can abuse this access to retrieve additional information and context.
  • Finally, the worm self-propagates by getting the GenAI service to connect with others and provide prompts to these systems. 
  • LINK (h/t Tim), VIDEO, MORE

NIST Cybersecurity Framework v2 launched

  • NIST Cybersecurity Framework: A decade after its introduction, NIST has released a major update to its popular cyber framework. Version 2 of the NIST CSF includes a new focus on governance and supply chains. Govern — a sixth core function, alongside identify, protect, detect, respond, recover — is all about how “cybersecurity risk management strategy, expectations and policy are established, communicated and monitored” within an organisation.
  • I think this is an important update, and govern is a reflection of the increasing importance of communication between security, management and executive teams, which is at the core of the other five functions (figuratively and literally: it’s a ring in the centre of the other five segments).
  • LINK, CSF

Interesting stats

A graph showing the estimated growth of security spending from $150 billion in 2021 to almost $300 billion by 2027 (Source: FT)

$150 billion security spending in 2021, rising to an estimated  $290 billion by 2027 in reporting from the FT, citing data from TD Cowen, Gartner, and McKinsey, which estimates a  $1.5—$2.0 trillion global cyber security market size. 

115% Okta’s Net Retention Rate (NRR), following disclosure of the Lapsus$ breach, down from  124% before, but not indicative of a significant exodus from the company.  Identity is core to modern IT; migrating is costly and probably people generally don’t care? LINK (h/t Simon)

Other newsy bits / in brief

  • SubdoMailing: Attackers are exploiting hanging DNS records from over 8,000 legitimate domains to send over 5 million spam and malicious emails daily, according to Guardio. The attackers abuse poor DNS hygiene and the DNS protocol, which delegates SPF and other email security configurations via CNAME records. By finding expired domains the attacker can purchase or ‘hanging’ domains where they can control the IP address (e.g. cloud services), they can send emails that big-name brands like eBay, PwC, MSN and McAfee will validate. For example, a legacy subdomain ‘marthastewart.msn[.]com’ points to msnmarthastewartsweeps[.]com’, from a competition run in 2001; the attacker registered the latter domain in 2022 and can now send mail that will be verified as coming from msn[.]com. LINK

  • NSO Group has been ordered to hand over its Pegasus spyware code to WhatsApp as part of the discovery in a case brought by the Meta-owned messaging app in 2019. LINK

  • The replacement to the UK’s Action Fraud cyber and financial crime reporting centre will not be live in April 2024 as originally intended. Officials from the City of London Police say that it will “go live in 2024,” but they “have not set a date” for the replacement, which has been outsourced to Capita and PwC. LINK

  • President Biden has tasked the Department of Commerce with investigating the national security threat posed by Chinese-manufactured connected cars, equating them to “smartphones on wheels” and citing China’s restrictions on US vehicles. LINK

⚠️ Breaches:

  • Telecommunications company YX International left a database containing SMS messages routed by its equipment and services exposed to the internet without a password. The database contained messages, including multi-factor authentication codes. YX International claims to send 5 million SMS messages each month. The database is no longer publicly accessible after a good-faith security researcher reported it. LINK
  • Cencora, a global pharmaceutical company, has reported that intruders have stolen data from its networks. The regulatory 8-K filing with the SEC said the event “has not had a material impact” on operations. LINK
  • Steel giant ThyssenKrupp has confirmed a cyberattack on its automotive division, which sounds like an early-stage ransomware intrusion. LINK
  • American law firm Houser LLP has said that the personal data of over 325,000 people were encrypted and “taken from the network” in May 2023. Following contact, “the unauthorised actor informed House that they deleted copies of any stolen data.” However, the LockBit takedown has shown that victims should take such claims with a pinch of salt. LINK
  • Cutout.Pro, an AI-powered photo and video editing platform, exposed the email addresses, hashed and salted passwords, IP addresses and names of 20 million members. LINK

🏴‍☠️ Ransomware: 

  • LockBit is attempting to relaunch its services, opening a new extortion site last weekend after law enforcement, led by the NCA, conducted a comprehensive takedown operation. LINK, TAKEDOWN

🕵️ Threat Intel:

  • CISA warns against using Ivanti VPN gateways even after factory resets. Ivanti fired back, saying that the vendor is “not aware of any instances of successful threat actor persistence”, but CISA followed up by advising customers to “consider the significant risk” of operating the devices in an enterprise environment. LINK
  • NCSC advisory on the [tactics, techniques and procedures (TTPs) being adopted by APT29 (aka Midnight Blizzard, Cozy Bear), ‘almost certainly’ part of Russia’ SVR foreign intelligence agency: brute forcing their way into dormant accounts, using MFA fatigue attacks against active accounts then enrolling new devices, and ‘residential proxies’ to obfuscate their traffic (much like the SOHO router botnet the FBI took down a few weeks ago. LINK, BOTNET
  • Mandiant says that an Iranian group is impersonating brands like Boeing and DJI to target aerospace and defence employees in the Middle East. The sites either try to capture credentials or deliver two unique backdoors dubbed MINIBUS and MINIBIKE. LINK
  • GitHub ‘besieged’ by millions of malicious repositories. GitHub is removing affected repos, but not all are identified. The campaign clones existing, legitimate repos for popular tools, adds malicious code before uploading them with identical names, forking them ‘thousands of times, ’ and promoting them on coding forums, Discord servers and other popular developer communities. LINK

🪲 Vulnerabilities:

  • 3D printers manufactured by Anycubic are downloading a file warning over a critical vulnerability. AnyCubic’s advisory says they received a ‘reminder’ the day prior about the issue with their MQTT server (an IoT messaging protocol), suggesting the company had previously been warned of the issue, however their timeline of events doesn’t reflect this. Remedying the situation involved strengthening the ‘authorization/permission management in the cloud server’ and that they would be taking steps to segregate the affected system further. LINK, ADVISORY

🧰 Guidance and tools:

  • The White House Office of the National Cyber Director has released a report recommending the adoption of memory-safe languages for software development. It won’t prevent all vulnerabilities (especially those in the logic of applications), but it is a welcome step nonetheless. LINK, REPORT
  • Registrars can now block all domains that resemble brand names. Brand Safety Alliance, an initiative started by GoDaddy that includes other prominent DNS parties, has created a service to monitor and block domain registrations, typo squats and homoglyphs for trademark owners. This looks like it could be really useful for organisations, saving them from having to register and manage (see SubdoMailing above) countless permutations of domain names. LINK, GLOBAL BLOCK

🔏 Privacy:

  • The UK Home Office’s trial of GPS tagging migrants crossing the English Channel in small boats has been ruled illegal by the Information Commissioner. During an 18-month trial, 600 people were forced to wear ankle tags that continuously tracked their location. The Home Office has failed to assess the privacy risks of the trial or give migrants clear information about what data was being collected. The Home Office has 28 days to update its policies and will not be required to delete the data. LINK.
  • Automattic, the parent company of Tumblr and WordPress, is to sell users’ data train AI tools. LINK
  • The White House has issued an executive order banning the sale of sensitive datasets to parties in China, Russia, North Korea, Iran, Cuba and Venezuela. The Justice Department will bring forward regulations covering genomic, biometric, personal health, geolocation and financial data. LINK
  • UK ICO fined the Ministry of Defence £350,000 ($443K) for putting email addresses of people seeking assistance under the Afghan Relocations and Assistant Policy in the TO: line instead of BCC: and their ‘lives at risk’. LINK

👮 Law Enforcement:

  • German police have seized Crimemarket and arrested six people. Crimemarket was a German-speaking trading platform selling illegal drugs, narcotics, and cybercrime services. The platform had over 180,000 users. LINK

💰 Investments, mergers and acquisitions:

  • Filigran, the company behind OpenCTI, an open-source threat intelligence platform, has raised €15 million ($16M) to build more open-source tools with enterprise offerings for larger customers. LINK

🏭 Industry news:

  • Palo Alto Networks shares tumbled by over 28% last week on reports of “softness” in US government spending. Now, the company is facing a would-be class action lawsuit from an investor who believes it misled them over claims that its AI strategy was driving more demand for multiple products from its Cortex, Strata and Prism platforms. LINK, RESULTS

And finally

🐸 Leap of faith: It’s 2024, and systems are still struggling with leap years. Here are a few examples of folks who struggled with 29th February:

  • Self-pay gas station pumps break across NZ as software can’t handle Leap Day. LINK
  • Citrix HDX HTML5 video redirection service crashing on 29th February. Their workaround? Stop the time service, set the date to 1st March, and restart the time service. LINK
  • Sophos Endpoint, Server, and Home spawned errors visiting HTTPS websites if rebooted on 29th February. LINK
Robin

  Robin's Newsletter - Volume 7

  ALPHV/Blackcat ConPromptMized GenAI Artifical Intelligence (AI) Morris II Worm NIST Cybersecurity Framework (CSF) SubdoMailing DNS Email security Action Fraud NSO Group Connected Vehicles Ivanti APT29 Russia GPS Tagging Leap Day Time