Robin’s Newsletter #341

29 December 2024. Volume 7, Issue 52
2024 in Review: Standout events, key themes, lessons learned, a quiz, and more!

This year

Standout events from 2024…

Change Healthcare ransomware attack

The February 2024 Change Healthcare ransomware attack affected a substantial proportion of the US population. The attack was claimed by the ALPHV/BlackCat ransomware gang, who exploited weak security controls, including the use of stolen credentials belonging to a customer support employee and the lack of proper access controls within Change Healthcare’s systems. The attackers were able to operate undetected for nine days, exfiltrating terabytes of sensitive data, including: personal information (names, addresses, dates of birth, Social Security numbers, driver’s license numbers, passport numbers), medical records (diagnoses, medications, test results, imaging, care and treatment plans), insurance policy details, and financial and banking information. The incident caused widespread disruption to healthcare services, with 94% of US hospitals affected in the month following the attack. Parent company UnitedHealth Group (UHG) initially paid a $22 million ransom, but a second ransomware group, RansomHub, later emerged claiming to possess the stolen data. The total recovery cost is estimated to reach $2.3 billion, making it one of the most expensive cyberattacks in history.

CrowdStrike outage

The CrowdStrike outage in July 2024 topped security and business agendas alike. A “logic error” in a CrowdStrike endpoint protection software update caused millions of Windows computers worldwide to crash. The incident had a massive impact, disrupting air travel, card payments, and healthcare services. The scale and breadth of the disruption make this event particularly important, highlighting the potential consequences of software failures in critical infrastructure. In August, CrowdStrike president Michael Sentonas accepted the prestigious (and humorously oversized) “Pwnie” award for “Most Epic Fail” at the Defcon security conference.

Salt Typhoon campaign

The Salt Typhoon campaign, attributed to Chinese state-backed actors, represents a persistent cyber espionage threat. The campaign involved the compromise of multiple internet service providers to identify the targets of counter-espionage activities and to collect metadata about ‘who is calling whom’. US Deputy National Security Advisor Anne Neuberger revealed that the campaign affected at least eight US telcos and “a couple dozen countries,” primarily in the Indo-Pacific and European regions. She also confirmed that the campaign had been active for “likely one to two years”. The FCC has proposed new cybersecurity regulations requiring telecom companies to submit annual attestations of their cybersecurity risk management plans or face potential fines. Perhaps ironically, the Chinese-backed campaign has led to a $3 billion funding boost for the FCC’s “rip and replace” programme, aimed at removing and replacing telecoms equipment from Chinese manufacturers.

Need to Know

Twelve tantalising trivia titbits to test thy talent:

  1. How many days did it take Kyivstar to fully restore its network after a Russian cyberattack?
  2. What did law enforcement do to troll LockBit administrators after seizing their infrastructure?
  3. An SSH backdoor was caught just in time, what open source library had unknown attackers painstakingly compromised?
  4. What couldn’t Leicester City Council turn off following a ransomware attack?
  5. What’s the passcode to ‘non-sensitive areas’ at NCSC’s London HQ?
  6. How many suspects were arrested in Operation First Light, an international crackdown on scammers?
  7. What percentage of major updates did CrowdStrike reckon security teams review?
  8. Why did a Palo Alto Networks hospitality event cause offence at Black Hat?
  9. What was STINKY about the crew onboard USS Manchester?
  10. How many years does Marriott have to file security reports with the FTC?
  11. In what unusual payment form did attackers of Schneider Electric want paying?
  12. Why did South Korean police arrest the CEO and five employees of a set-top box manufacturer?

Check out the answers ⤵ (no cheating!) and post your results on social media for bragging rights, tag me and use the hashtag #RobinNeedsToKnow:

  • 0-3: Cautious Clicker
  • 4-7: Diligent Defender
  • 8-11: Persistent Protector
  • 12: Security Sentinel

Key themes

Ransomware threats, sophisticated nation-state activity, and the increasing exploitation of zero-day vulnerabilities marked the cybersecurity landscape in 2024. You’re forgiven for thinking that’s a similar summary to previous years; it is. Look a little closer, and some trends will emerge from the details.

Ransomware remains a dominant threat

Throughout 2024, ransomware attacks continued to plague organisations globally, impacting diverse sectors like healthcare, government, and critical infrastructure. Notable examples include the attack against Change Healthcare, resulting in estimated costs of $2.3 billion for parent company UnitedHealth, and the attack on Synnovis, which significantly disrupted NHS blood and transplant services in the UK. In March, Belgian brewery Duvel was forced to halt production after detecting ransomware on its network. In a lighthearted response to that incident, Duvel assured everyone that they had sufficient beer reserves to meet demand. Groups like LockBit, Black Basta, Rhysida, and ALPHV, continue to engage in exfiltration and encryption to extort money from victims. Successful law enforcement disruptions were observed, such as that against LockBit, but ransomware remains a significant challenge.

The payment rate continues its long-term downward trend, hitting an all-time low of 28% in Q1 2024; meanwhile, the size of those payments that are made keeps increasing year-on-year.

Ransomware payment rates are decreasing year-on-year (Source: Coveware)

Ransom payment sizes are increasing year-on-year (Source: Coveware)

Nation-state activity increasingly blurs with cybercrime

Distinctions between nation-state cyber espionage and financially motivated crime are becoming more blurred. Evidence suggests state actors are using ransomware for financial gain and as a distraction, while also leveraging criminal infrastructure and techniques. Some of this may be poorly paid state-affiliated workers moonlighting to top up their pay packets, while some nation-state actors have compromised other groups’ infrastructure to mask their own actions. This convergence raises concerns about attribution and response.

Exploitation of zero-day vulnerabilities

A joint advisory from Five Eyes cybersecurity agencies in November 2024 warned that exploiting zero-day vulnerabilities is becoming the “new normal.” While older software issues were previously the most commonly exploited vulnerabilities, the trend is shifting towards exploiting vulnerabilities before patches are available. The decreasing time-to-exploit further compounds the problem: the average time-to-exploit in 2023 was just 5 days, a significant drop from 32 days in previous years. This means organisations have a very limited window to patch vulnerabilities once they become known.

Scammers are becoming increasingly sophisticated

Scams increased in sophistication and profile, as deepfakes were used to impersonate the CEO of advertising giant WPP, and in separate romance scams to con victims out of $46 million in Hong Kong. On X/Twitter, the SEC’s account was compromised in a SIM swapping attack and used to manipulate the price of Bitcoin and other cryptocurrencies.

Lessons learned

Three events and some questions to reflect on in the New Year…

  • Merck reached an 11th-hour settlement with its insurers over their refusal to pay out $700 million on the pharmaceutical giant’s ‘all risks’ policy following the NotPetya outbreak in 2017. Does your cyber insurance have any sub-limits or exclusions you’re not aware of?

  • An “unprecedented sequence of events” and “inadvertent misconfiguration” resulted in UniSuper’s Private Cloud subscription being deleted by Google. Poof, and the tenant was gone. How would you respond if your whole cloud tenant was suddenly inaccessible?

  • The DragonForce ransomware group attempted to extort a victim company by calling their front desk. The ensuing transcript of the conversation, involving a hilarious exchange with “Beth” from HR, is worth a chuckle. Does your front desk know how to handle an inbound security incident?

And finally

  • Honourable mention to the underrated threat group, February 29. 2024, being a leap year, brought its share of technological hiccups related to the dastardly leap day: self-pay gas station pumps across New Zealand malfunctioned, and other software vendors issued workarounds such as ‘changing the time and date’.

Answers
  1. 8 days. Hats off. Seriously impressive. (vol. 7, iss. 1)
  2. They published a seizure notice mimicking LockBit’s leak site. (vol. 7, iss. 8)
  3. XZ Utils. The compromise was discovered thanks to a persistent engineer probing performance issues. (vol. 7, iss. 13)
  4. Streetlights - most victims are concerned with keeping the lights on! (vol. 7, iss. 17)
  5. 1234 is the four-digit code to the lavs. (vol. 7, iss. 19)
  6. 3,900 suspects were arrested. (vol. 7, iss. 26)
  7. 54% - the stat was published the day before CrowdStrike’s team pushed out an update that bricked 8.5 million Windows PCs. (vol. 7, iss. 29)
  8. They had women dressed as lampshades. (vol. 7, iss. 33)
  9. The crew were running their own wifi network, having bolted a Starlink terminal to the outside of the ship. (vol. 7, iss. 36)
  10. 20 years - Marriott settled historic breaches with the FTC that will see it reporting compliance into the 2040s! (vol. 7, iss. 41)
  11. Baguettes. (vol. 7, iss. 45)
  12. Adding distributed denial-of-service capabilities to their products. (vol. 7, iss. 49)


Robin