This Month in Cybersecurity - April Edition

Ransomware Attack Costs Change Healthcare Nearly $1B

United Healthcare, the parent company of Change Healthcare, has released financial information about the recent ransomware attack that disrupted cash flow and the ability of hospitals and pharmacies across the United States to provide care. The company published its quarterly earnings results, in which it disclosed that repair costs are likely to exceed $1 billion over time, including the $22 million ransom payment that was made.

The attack, which has been attributed to a criminal group associated with ALPHV/BlackCat, saw Change Healthcare’s data taken hostage and held until an initial payment was made to the group. Once Change Healthcare started to recover from the initial attack, a second group was able to come in and steal around 4TB of data containing personally identifiable information, setting recovery efforts back and driving up the cost of recovery.


Hotfixes for Palo Alto Zero-Day Bug in Firewall OS

Palo Alto Networks recently released an update that addresses a critical security flaw, tracked as CVE-2024-3400, in its PAN-OS platform. The vulnerability affects firewalls running versions 10.2, 11.09, and 11.1 of the OS and was found after independent researchers at Volexity noticed suspicious activity on a customer’s firewall.

Palo Alto has noted that limited attacks have been made using this vulnerability, which allows threat agents to gain unauthorized access to a user’s system and execute harmful commands. While the hotfix has been pushed to all affected versions of the OS, Palo Alto has said that disabling device telemetry can temporarily mitigate the risk, but cannot guarantee the long-term efficacy of that practice.

Both the researchers and Palo Alto stress the importance of updating to the new, patched versions of the OS. Issues like these are a great example of why regular maintenance of all systems, and keeping them up to date with the latest security patches, is imperative in day-to-day operations.


Microsoft Fights Spam by Limiting Bulk Emails

Microsoft has announced measures to combat spam by implementing a daily limit of 2,000 external recipients for bulk emails sent via Exchange Online, starting in January 2025. Prior to this initiative, Microsoft did not limit the number of outgoing emails, but it now aims to prevent abuse of resources and ensure fair usage.

The new External Recipient Rate (ERR) limit will be a subset of the existing Recipient Rate limit of 10,000 recipients per day. This change will roll out in two phases, affecting newly created tenants first and then existing ones by the end of 2025.

Customers needing to exceed the ERR limit can consider using Azure Communication Services for Email, which is tailored for high-volume business-to-consumer communication. This is similar to a practice recently implemented by Google, which requires user accounts to set up SPF/DKIM and DMARC email authentication for their domains.

 

Defensible Strategies

Learn from those who have been attacked

CISA Issues Warning About Breach at Sisense

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is investigating a breach at business intelligence company Sisense that may have exposed user data. The breach itself seems to be due to a compromise of Sisense’s self-managed GitLab deployment.

The method the threat agents used to gain access to the company’s GitLab code repository is not known, but by gaining access to it, the agents were able to make their way into Sisense’s Amazon S3 cloud storage. This allowed data such as access tokens, email account passwords, and even SSL certificates to be accessed.

CISA has raised the concern that Sisense may not have been doing enough to protect the sensitive data, but also notes that the cleanup of the breach will largely not be something Sisense can handle itself, as the data in question can only be changed by the end users of the online dashboard.


X.com Hands Gift to Phishers As it Pivots From Twitter.com

The company formerly known as Twitter has started to automatically modify links mentioning “twitter.com” to read as “x.com”, which has led to dozens of new domain registrations trying to exploit this and create convincing phishing links. Domains like “goodrtwitter.com” were registered, but displayed as “goodrx.com” due to the new modification.

Most of these newly registered domains were created defensively to prevent abuse, but some were not properly limited and allowed threat agents to divert traffic away from legitimate sites. Twitter/X has since corrected the error, but the incident sparked concern and amusement from social media users and security analysts alike.
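The display bug above is what happens when a domain is rewritten as a bare substring. As an added example (not code from X or from the original article), the naive rewrite is shown next to a hostname-aware one that only touches links whose host is exactly the old domain or a subdomain of it; the sample URLs are constructed.

```javascript
// Added example, not from the original article or from X: the flaw described
// above comes from rewriting a domain as a bare substring. A hostname-aware
// rewrite only touches links whose host is exactly the old domain (or a
// subdomain of it), so look-alike hosts are left alone.

// Naive approach that reproduces the display bug: every occurrence of the
// substring "twitter.com" becomes "x.com", so "goodrtwitter.com" becomes
// "goodrx.com" even though it is an unrelated domain.
function naiveRewrite(text) {
  return text.replace(/twitter\.com/g, "x.com");
}

// True only when hostname is the domain itself or a subdomain of it.
// "goodrtwitter.com" and "twitter.com.evil.example" both fail this test.
function hostMatches(hostname, domain) {
  return hostname === domain || hostname.endsWith("." + domain);
}

// Rewrite a single URL, preserving scheme, path, query and any subdomain
// prefix (mobile.twitter.com -> mobile.x.com). Unparseable input is returned
// unchanged rather than guessed at.
function rewriteLinkHost(urlString, fromDomain, toDomain) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return urlString;
  }
  if (!hostMatches(url.hostname, fromDomain)) return urlString;
  const prefix = url.hostname.slice(0, url.hostname.length - fromDomain.length);
  url.hostname = prefix + toDomain;
  return url.toString();
}

// Rewrite every http(s) URL found in a block of text; only whole-host matches
// change, everything else is passed through untouched.
function safeRewrite(text, fromDomain = "twitter.com", toDomain = "x.com") {
  return text.replace(/https?:\/\/[^\s<>"']+/g, (m) =>
    rewriteLinkHost(m, fromDomain, toDomain)
  );
}
```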

This Month in Cybersecurity - March Edition

WordPress Website Admins Urged to Delete Plugin

Admins who use the Malware Scanner and Web Application Firewall plugins from miniOrange on their WordPress sites are being told to remove the plugins after a critical security flaw was discovered. The flaw, tracked as CVE-2024-2172, has been rated 9.8 out of 10 for severity and affects Malware Scanner versions up to 4.7.2 and Web Application Firewall versions up to 2.1.1.

The vulnerability allows threat agents to gain administrative access to the website through either of the two plugins, using the flaw to update user passwords and escalate their privileges to those of an administrator. Once the agent has gained access to an account and raised its privileges to admin, they can upload malicious files, modify content, and potentially redirect users to harmful sites or inject spam.

Despite the plugins being permanently closed, WordPress still urges admins to remove them, noting that there are still over 10,000 active installations of the Malware Scanner and 300 of the Web Application Firewall.


Schools in Scranton, Pennsylvania Undergo Ransomware Attack

Schools in Scranton, Pennsylvania, faced a ransomware attack this week, causing IT outages and disruptions to computer systems and services. The Scranton School District is actively investigating the security breach with third-party forensic specialists to determine the source of the incident, assess its impact on systems, and restore full functionality as swiftly as possible. The district ordered staff to refrain from using electronic devices and to uninstall school-related apps from mobile devices, while acknowledging potential limitations in accessing certain files and slower system functions due to increased security measures.

The attack led to delays in classes and prompted the district to implement alternative teaching methods, such as using pencil and paper instead of Chromebooks for student tasks. While the Scranton School District has not disclosed specific details about the ransomware attack, including the identity of the ransomware family or whether there was a data breach, efforts are underway to resolve the issue promptly and securely. Cooperation from staff and the community is emphasized as the district works to mitigate the impact of the attack and return to normal operations.


New Zero-Trust Guidance Released by the NSA

The National Security Agency (NSA) has issued best-practice cybersecurity recommendations for federal agencies, focusing in particular on the Network and Environment pillar of its zero-trust framework. Although the new Cybersecurity Information Sheet (CIS) is aimed at government-related agencies and industries, chief information security officer (CISO) Steve Winterfeld advises that the wider business world can benefit from zero-trust guidance.

The takeaways from the NSA guidance:

  1. Learn All Seven Pillars of Zero Trust

  2. Expect Attackers to Breach Your Perimeter

  3. Map Data Flows to Start

  4. Move to Macrosegmentation

  5. Mature to Software-Defined Networking

  6. Realize Progress Will Be Iterative

Experts agree that unauthorized access incidents are inevitable; the difference is whether organizations are able to catch those incidents before they become breaches. While most networks have evolved over time, rearchitecting them to fit the new guidance will take time.

 

Defensible Strategies

Learn from those who have been attacked

Scareware Scam Perpetrators Sued by FTC

Two firms involved in a scareware scam have been fined $26 million by the US Federal Trade Commission (FTC) for their involvement in a scheme that led consumers to believe their computers were infected by malware. The tech support scam, operated by Restoro Cyprus Limited and Reimage Cyprus Limited, is claimed to have generated tens of millions of dollars by using false and unsubstantiated claims about malware-infected computers.

The scam involved fake Microsoft Windows pop-ups claiming computers were infected with viruses and urging users to scan their computers to avoid damage. Regardless of the actual health of the computers, scans that “found” performance or security issues convinced users to purchase repair software, costing between $27 and $58, with false promises of urgent fixes. Investigations confirmed victims’ claims, revealing that telemarketers also persuaded users to pay for additional remote access services.

The FTC plans to use the fine to compensate scammed consumers and to seek a permanent injunction against the companies if the court approves the proposed settlement.


70 Million+ Records Stolen From AT&T

Researchers have found and confirmed that data leaked on Breached claiming to be from AT&T is legitimate. The data in question is over 70 million records that were obtained from an unnamed AT&T department in 2021 by a threat agent group that goes by the moniker ShinyHunters.

AT&T has denied any data breach, and researchers have not been able to confirm that the information included in the database is specifically related to AT&T users, but the claim has been verified in all other aspects. AT&T has claimed that, after an internal investigation, the data does not appear to have come from its systems, but it did not rule out that the breach could have happened via a third party. The information included in the leak is:

  • Name

  • Phone number

  • Physical address

  • Email address

  • Social security number

  • Date of birth

Incidents like these reinforce why it is important to audit your third-party risk management practices and plans. If you need any help with this, please feel free to reach out to Cyber Defense!

This Month in Cybersecurity - February Edition

CISA Gives Warning of Active “Roundcube” Email Attacks

On February 12th, the United States’ Cybersecurity and Infrastructure Security Agency (CISA) gave a warning about a medium-severity security flaw that was added to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability was added after evidence was found of active exploitation and is being tracked as CVE-2023-43770 with a CVSS score of 6.1.

The exploitation uses plain text messages to deploy a malicious link reference, leading to information disclosure from the web-based email service. Roundcube addressed the flaw in a new version, 1.6.3, released in September of last year, but users who have not updated to this version are still vulnerable to this exploit.


New FortiOS Zero Day Exploit Announced

Earlier this month, Fortinet announced that it had patched a critical remote code execution vulnerability found in its FortiOS platform. The vulnerability, tracked as CVE-2024-21762, was announced by Fortinet with the statement that it may have been exploited in the wild. The impacted OS versions are as follows:

  • 6.0

  • 6.2

  • 6.4

  • 7.0

  • 7.2

  • 7.4

Patches have been released for all versions EXCEPT 6.0, and Fortinet is advising users on that version to upgrade to the latest build, 7.6, which is not affected by the vulnerability.

While Fortinet did not release details of potential attacks involving the vulnerability, the announcement was released alongside information that some customers have yet to patch two other, older vulnerabilities that have been actively exploited by threat agents in China.


Malware “Pikabot” Makes Resurgence

Threat agents have made significant changes to an existing malware known as Pikabot that have reduced the complexity of the code. The security researchers who have been tracking Pikabot noted that this is a devolution of the malware, which has streamlined itself to evade analysis efforts.

Pikabot, alongside another loader called DarkGate, has emerged as an attractive replacement for threat agents who are using older malware to gain access to a target’s network. These developments have come to light during an ongoing cloud account takeover campaign that has seen hundreds of compromised user accounts across dozens of Microsoft Azure environments, especially those belonging to senior executives.

 

Defensible Strategies

Learn from those who have been attacked

Romanian Hospitals Offline After Ransomware Attack

After a ransomware attack over the weekend of February 10th, dozens of hospitals and healthcare facilities were knocked offline. The ransomware attack targeted the Hipocrate Information System by deploying the Backmydata ransomware, which encrypted data pertaining to the healthcare facilities.

Romania’s National Cyber Security Directorate (DNSC) announced that most of the impacted hospitals have fresh backups of their data, which will allow for fast restoration of all systems; for now, the hospitals have isolated the impacted systems. According to a cancer treatment organization that was affected, all of its servers were shut down and it had to register over 180 patient admissions on paper.

Situations like these show why it is important to have a Business Continuity and Disaster Recovery Plan (BC/DR) in place. If you need help reviewing your BC/DR or have any questions about getting one set in place, please feel free to reach out!


Generative AI and Cybersecurity in 2024

Last year, generative AI rose from a headline-grabbing novelty to an indispensable tool for increasing productivity. Cybersecurity experts have now had a full year to observe how threat agents and cyber criminals are using it to bolster their attacks, and have started to report on the most common ways they have seen AI used.

Threat agents are using generative AI in a few ways to expand their attack repertoire, including marrying the two types of phishing through social engineering. In the past, threat agents had to choose between broad phishing attempts that catch a few vulnerable targets, or a more hands-on approach of actively researching the target, known as ‘whale phishing’. Generative AI has given threat agents the ability to join the two, allowing for tonally convincing messages on a mass scale.

There have also been attempts to create ‘unstoppable’ malware using AI, though nothing has come of that at this time. AI has, however, been used to review the source code of open-source software and find not only disclosed vulnerabilities but some previously unknown ones as well.

This Month in Cybersecurity - January Edition

WordPress Plugin Containing Vulnerabilities Found in over 300,000 Websites

According to security researchers, two flaws were found in December inside a mailer plugin used by WordPress-hosted websites. The researchers stated that the flaws affected over 300,000 websites and were discovered within a few weeks of each other. One flaw allowed the hijacking of the password reset function through the plugin’s authentication API, and the other allowed threat agents to insert dangerous or malicious code into web pages.

WordPress was notified of the findings along with proof-of-concept code that demonstrated how the flaws could be exploited, and, to the benefit of everyone, WordPress worked over the holiday break and released an update that addressed these flaws (version 2.8.8 of the POST SMTP Mailer plugin). The researchers have noted that only 53% of the plugin installations are currently running the latest version, leaving those who have not updated vulnerable.

Incidents like this show why it is imperative both to keep your software and any associated plugins up to date, and to audit your third-party risk management practices and plans. If you need any help with this, please feel free to reach out to Cyber Defense!


Critical Password Reset Vulnerability at GitLab Patched

GitLab has resolved a critical authentication vulnerability that allowed threat agents to hijack password reset emails. The vulnerability was found to affect all GitLab accounts that allowed logins with a username and password. Even accounts with two-factor authentication (2FA) were subject to password reset, but not to full takeover, as the vulnerability did not allow access to the 2FA tokens.

The vulnerability centered on an option that allowed users to reset their account passwords with a secondary email; the flaw meant that the secondary email did not need to be verified, allowing threat agents to use email addresses not associated with the account to receive the reset email. GitLab has updated all instances of its software to close this vulnerability, but still suggests that all users update to the latest version and enable 2FA on all accounts.
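A minimal model of the reset flaw described above, as an added example that is not GitLab's own code: a vulnerable reset handler that mails the link to any address linked to an account is shown next to a hardened one that only mails verified addresses. The accounts, addresses and verification codes are constructed for the example.

```javascript
// Added example, not GitLab's own code: models the password-reset flaw
// described above. The vulnerable handler sends the reset link to any address
// linked to the account, verified or not; the hardened one only sends it to
// addresses the owner has confirmed. All data here is constructed.

function makeAccount(username, primaryEmail) {
  return {
    username,
    emails: [{ address: primaryEmail, verified: true }],
    pending: {}, // address -> verification code mailed to that address
  };
}

// A newly added secondary address is stored as unverified; the code is mailed
// to that address, so only whoever controls the mailbox can confirm it.
function addSecondaryEmail(account, address, code) {
  account.emails.push({ address, verified: false });
  account.pending[address] = code;
}

function verifyEmail(account, address, code) {
  if (account.pending[address] !== code) return false;
  delete account.pending[address];
  account.emails.find((e) => e.address === address).verified = true;
  return true;
}

function findAccountByEmail(accounts, address) {
  return accounts.find((a) => a.emails.some((e) => e.address === address)) || null;
}

// Vulnerable: locating an account by any linked address is enough to get the
// reset link delivered there, even when that address was never confirmed.
function vulnerableResetRecipient(accounts, address) {
  return findAccountByEmail(accounts, address) ? address : null;
}

// Hardened: same lookup, but the reset link goes only to a verified address.
// A request naming an unverified address produces no mail at all.
function hardenedResetRecipient(accounts, address) {
  const account = findAccountByEmail(accounts, address);
  if (!account) return null;
  const entry = account.emails.find((e) => e.address === address);
  return entry.verified ? address : null;
}

// Walkthrough on constructed data: an unconfirmed address is attached to
// alice's account, then a legitimate backup address is confirmed.
function demo() {
  const alice = makeAccount("alice", "alice@example.com");
  const accounts = [alice];
  addSecondaryEmail(alice, "unconfirmed@example.net", "482913");
  addSecondaryEmail(alice, "alice.backup@example.com", "170255");
  return {
    vulnerableUnconfirmed: vulnerableResetRecipient(accounts, "unconfirmed@example.net"),
    hardenedUnconfirmed: hardenedResetRecipient(accounts, "unconfirmed@example.net"),
    wrongCode: verifyEmail(alice, "alice.backup@example.com", "000000"),
    rightCode: verifyEmail(alice, "alice.backup@example.com", "170255"),
    hardenedBackup: hardenedResetRecipient(accounts, "alice.backup@example.com"),
  };
}
```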


Windows SmartScreen Bypass Exploited In Attacks

Trend Micro released a report showing that a recent vulnerability in Windows SmartScreen is actively being exploited in attacks. Threat agents use social engineering and phishing techniques to get unsuspecting users to click a URL that does not trigger the Windows Defender SmartScreen checks, allowing the delivery of malicious code.

According to Microsoft, the security defect has been patched, but Trend Micro reports that it is actively being used in a malicious campaign to deliver a malware strain that harvests information to be leveraged against the affected company. The malware not only steals data from web browsers and various messaging applications, it also takes screenshots and gathers system information for the threat agents to leverage.

Vulnerabilities like these show why, despite the systems in place to protect us from phishing attempts, nothing can replace knowledge and best practices when it comes to dealing with sensitive information and outside sources. If you have any questions, or would like to look into having your employees trained against situations like these, please reach out!

 

Defensible Strategies

Learn from those who have been attacked

Operation Triangulation Deemed Most Sophisticated iPhone Hack

A hidden hardware function in iPhones was found to be at the center of what Kaspersky’s security researchers are calling the most sophisticated hack they have seen involving Apple. The vulnerability was used to spy on an undisclosed key political figure, and the unknown threat agent did not go after mass deployment, even though they used the exploit for roughly four years.

The exploit, similar to the Pegasus attacks that plagued iPhone users a few years ago, relied on iMessage to backdoor the iPhone, but also relied on three other vulnerabilities, one of which was the hidden hardware function, similar to a developer debug feature. The researchers were not able to determine how the threat agent found this exploit, as the hardware function does not seem to have been documented anywhere and could have been included in the phone by accident.

Apple has since patched the exploits that made Operation Triangulation possible, so most people should have no worries, but researchers point to examples like this as reminders that, despite Apple’s reputation for being more secure, threat agents will never stop trying to get into personal devices to leverage information.


SonicWall Firewalls Found to be Vulnerable to Potential Attacks

Security researchers have found over 178,000 next-generation firewalls from SonicWall that have their management interface exposed online. This seems to be the result of security flaws CVE-2022-22274 and CVE-2023-0656, which share the same exploitation method and code path, just in different places along that path.

These flaws allow for remote code execution (RCE) attacks, in which threat agents execute malware on a remote device over public or private networks. Where the threat agent cannot get full control, they are still able to push the firewall into maintenance mode, causing disruption of service.

SonicWall’s Product Security Incident Response Team has stated that it has no knowledge of active exploitation, but urges customers to update to the latest firmware versions as soon as possible.