By the CyberWire staff
At a glance.
- A look at foreign influence operations focused on the US elections.
- Palo Alto Networks warns of critical VPN zero-day.
- RansomHub begins leaking alleged Change Healthcare data.
- Change Healthcare attack has cost $872 million so far.
- Mandiant ties OT attacks to Russia's GRU.
- Ukraine-linked hackers deploy ICS malware against Russian infrastructure company.
- Cyberattack hits New York State Legislature office.
A look at foreign influence operations focused on the US elections.
Microsoft has published a report on foreign influence operations focused on the 2024 US elections, finding that "Russian efforts are focused on undermining U.S. support for Ukraine while China seeks to exploit societal polarization and diminish faith in U.S. democratic systems." Over the past two months, Microsoft has observed at least seventy Russian threat actors using traditional and social media to peddle disinformation surrounding the war in Ukraine.
Microsoft also found that Russia, China, and Iran have all used generative AI to support their influence campaigns, although "fears that sophisticated AI deepfake videos would succeed in voter manipulation have not yet been borne out." The researchers believe that simpler AI-enhanced content will be more effective than fully AI-generated content.
Separately, the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Office of the Director of National Intelligence (ODNI) issued an advisory on election interference. The advisory notes that "the People’s Republic of China (PRC), the Russian Federation, and the Islamic Republic of Iran continue to be the primary nation-state actors leveraging influence operations exploiting perceived sociopolitical divisions to undermine confidence in U.S. democratic institutions and shaping public perception toward their interests."
Palo Alto Networks warns of critical VPN zero-day.
Palo Alto Networks last week disclosed a critical zero-day vulnerability (CVE-2024-3400) affecting its GlobalProtect VPN product, SecurityWeek reports. The company began issuing hotfixes for the flaw on Sunday. Palo Alto's Unit 42 said in a threat briefing, "A critical command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability, assigned CVE-2024-3400, has a CVSS score of 10.0. This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled."
The company added, "We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor. We also assess that additional threat actors may attempt exploitation in the future."
Researchers at Volexity published a report on the exploitation of the flaw, stating, "The threat actor, which Volexity tracks under the alias UTA0218, was able to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device. The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations."
RansomHub begins leaking alleged Change Healthcare data.
The RansomHub extortion group has begun leaking what it claims to be data stolen during the ALPHV/Blackcat attack against Change Healthcare in February, BleepingComputer reports. BleepingComputer says the group is posting screenshots that include "data-sharing agreements between Change Healthcare and insurance providers, including CVS Caremark, Health Net, and Loomis. Other documents contain accounting data, including aging reports, insurance payment reports, and other financial information." The dataset also contains "patient information, including amounts owed and bills for patient care services rendered."
The ALPHV/Blackcat ransomware gang disappeared after receiving a $22 million payment, leaving nothing for the affiliate who carried out the attack. The affiliate claims to have partnered with RansomHub in order to secure its own payment in exchange for keeping the data confidential. Change Healthcare hasn't confirmed that it paid the $22 million ransom or that RansomHub's data is legitimate.
Change Healthcare attack has cost $872 million so far.
UnitedHealth Group disclosed in an earnings call that the ransomware attack against its Change Healthcare platform has cost the company $872 million so far, the Record reports. That number is expected to surpass $1 billion by the end of the year. UnitedHealth's President and Chief Financial Officer John Rex stated, "Of the $870 million, about $595 million were direct costs due to the clearinghouse platform restoration and other response efforts, including medical expenses directly relating to the temporary suspension of some care management activities. For the full year, we estimate these direct costs at $1 billion to $1.15 billion. The other components affecting our results relate to the disruption of ongoing Change Healthcare business. This is driven by the loss of revenues associated with the affected services, all while incurring the support and costs to keep these capabilities fully ready to return to service."
Mandiant ties OT attacks to Russia's GRU.
Mandiant has published a report on the recent activities of Sandworm, a threat actor attributed to Russia's GRU. Mandiant now tracks the group as "APT44," and notes that "no other Russian government-backed cyber group has played a more central role in shaping and supporting Russia’s military campaign." The threat actor has a much broader focus than the war in Ukraine, however, and the researchers are tracking "operations from the group that are global in scope in key political, military, and economic hotspots for Russia."
Mandiant's report ties APT44 to several hacktivist groups that have claimed responsibility for attacks against OT systems in the United States and the European Union, including a water utility in Texas, a wastewater treatment plant in Poland, and a hydroelectric dam in France. These attacks don't seem to have had any serious effects, but the researchers note that "[c]ontinued advancements and in-the-wild use of the group’s disruptive and destructive capabilities has likely lowered the barrier of entry for other state and non-state actors to replicate and develop their own cyber attack programs." Sandworm has also been responsible for several damaging attacks in the past, including the 2017 NotPetya attack and the disruptions of Ukraine's energy grid in 2015 and 2016.
Ukraine-linked hackers deploy ICS malware against Russian infrastructure company.
Researchers at Claroty have published a report on "Fuxnet," a strain of ICS malware deployed by Ukraine-linked hackers against Moscollector, a Moscow-based company that manages underground water and communications infrastructure. The hacking group, called "Blackjack," posted online last week claiming to have damaged 87,000 remote sensors and IoT devices used by the Russian company. Claroty thinks this claim is exaggerated, but the malware does appear to have bricked at least 500 sensor gateways. The researchers note, "If the gateways were indeed damaged, the repairs could be extensive given that these devices are spread out geographically across Moscow and its suburbs, and must be either replaced or their firmware must be individually reflashed."
Cyberattack hits New York State Legislature office.
A disruptive cyberattack hit the New York State Legislature’s bill drafting office early Wednesday morning, the Associated Press reports. The Record says the attack has delayed efforts to enact the state budget. New York Governor Kathy Hochul said in a radio station interview, "We have to go back to the more antiquated system we had in place from 1994. ... Our understanding right now is that it will take a little bit longer to deal with the legislative side of it because a lot of data is included in the computers."
Surge in brute-force attacks against VPNs and SSH services.
Cisco Talos warns that brute-force attacks against VPN services, web application authentication interfaces, and SSH portals have spiked over the past month. The researchers note, "These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies. Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions. The traffic related to these attacks has increased with time and is likely to continue to rise."
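As an added example, not taken from the Talos report or this article, the Python triage script below runs over constructed sshd log lines and separates the two shapes the activity above can take: one source hammering many accounts (classic brute force) and one account hit from many distinct sources, which is how attempts routed through Tor exit nodes and proxies present, slip past per-IP rate limits, and produce the account lockouts the researchers mention. The thresholds, host name and documentation-range IPs are assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches OpenSSH failed-password lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (documentation-range IPs, not real indicators).
SAMPLE_LOG = """\
Apr 17 03:12:01 gw sshd[4101]: Failed password for admin from 203.0.113.5 port 50212 ssh2
Apr 17 03:12:02 gw sshd[4102]: Failed password for admin from 203.0.113.7 port 50213 ssh2
Apr 17 03:12:03 gw sshd[4103]: Failed password for admin from 203.0.113.9 port 50214 ssh2
Apr 17 03:12:04 gw sshd[4104]: Failed password for admin from 203.0.113.11 port 50215 ssh2
Apr 17 03:12:05 gw sshd[4105]: Failed password for invalid user test from 198.51.100.23 port 40001 ssh2
Apr 17 03:12:06 gw sshd[4106]: Failed password for invalid user oracle from 198.51.100.23 port 40002 ssh2
Apr 17 03:12:07 gw sshd[4107]: Failed password for invalid user git from 198.51.100.23 port 40003 ssh2
Apr 17 03:12:08 gw sshd[4108]: Failed password for invalid user ubuntu from 198.51.100.23 port 40004 ssh2
Apr 17 03:12:09 gw sshd[4109]: Accepted publickey for deploy from 192.0.2.10 port 51000 ssh2
"""


def analyze_ssh_failures(log_text, per_source_threshold=3, spray_source_threshold=3):
    """Count failed logins and raise two kinds of alert.

    brute_force_sources: a single IP with many failures (per-IP blocking works).
    sprayed_accounts: a single account failing from many distinct IPs, the
    distributed pattern per-IP thresholds miss and the one that locks accounts.
    """
    per_source = Counter()
    sources_per_user = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        per_source[m["ip"]] += 1
        sources_per_user[m["user"]].add(m["ip"])
    return {
        "total_failures": sum(per_source.values()),
        "brute_force_sources": {
            ip: n for ip, n in per_source.items() if n >= per_source_threshold
        },
        "sprayed_accounts": {
            user: len(ips)
            for user, ips in sources_per_user.items()
            if len(ips) >= spray_source_threshold
        },
    }
```

On the sample, the per-source view flags only 198.51.100.23, while the per-account view flags "admin" even though no single one of its four sources crossed the per-IP threshold.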
Crime and punishment.
Europol, working with law enforcement agencies from nineteen countries, has disrupted the popular LabHost phishing-as-a-service platform, BleepingComputer reports. Law enforcement arrested thirty-seven suspects around the world, including the alleged developer of the service in the UK. The operation also identified more than 40,000 phishing domains linked to LabHost.
The Australian Federal Police (AFP) and the FBI have arrested two men for allegedly developing and distributing the Firebird remote access Trojan (also known as "Hive"), BleepingComputer reports. One of the individuals lived in Australia, while the other was a resident of California. AFP Acting Commander Cybercrime Sue Evans said in a statement, "While cybercriminals may think they can safely and anonymously operate online, these charges demonstrate that the virtual world does not stand as a barrier against the long arm of the AFP. The AFP continues to cooperate with foreign and domestic law enforcement partners to address RATs and has participated in global action against malware developers in a number of overseas jurisdictions."
The US Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) have published a joint advisory on the Akira ransomware gang, noting that Akira operators have raked in $42 million from 250 victims since March 2023.