By the CyberWire staff
At a glance.
- Change Healthcare hackers gained access via stolen credentials and a lack of MFA.
- Cuttlefish malware targets Turkish telecom companies.
- Muddling Meerkat uses China's Great Firewall to manipulate DNS queries.
- Vulnerability pattern affects popular Android apps.
- APT42 impersonates journalists and event organizers.
- Suspected North Korean threat actors target software developers with new malware.
- Verizon releases 2024 Data Breach Investigations Report.
- Threat actors abuse Microsoft Graph API for command-and-control.
- UK bans simple default passwords on IoT devices.
Change Healthcare hackers gained access via stolen credentials and a lack of MFA.
UnitedHealth Group CEO Andrew Witty testified before Congress on Wednesday, disclosing that the Change Healthcare hackers gained initial access via stolen credentials against a Citrix portal that did not have multifactor authentication enabled, TechCrunch reports. Witty stated, "Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later." He added that he made the decision to pay the ransom, and that the threat actors stole "files containing protected health information (PHI) and personally identifiable information (PII), which could cover a substantial proportion of people in America."
Cuttlefish malware targets Turkish telecom companies.
Researchers at Lumen Technologies describe a malware platform they've dubbed "Cuttlefish" that's being used by a suspected Chinese threat actor to target telecom companies in Turkey. The malware is designed to steal authentication tokens from enterprise-grade small office/home office routers: "The Cuttlefish malware offers a zero-click approach to capturing data from users and devices behind the targeted network’s edge. Any data sent across network equipment infiltrated by this malware, is potentially exposed. What makes this malware family so insidious is the ability to perform HTTP and DNS hijacking for connections to private IP addresses. Cuttlefish lies in wait, passively sniffing packets, acting only when triggered by a predefined ruleset. The packet sniffer used by Cuttlefish was designed to acquire authentication material, with an emphasis on public cloud-based services."
The researchers don't attribute Cuttlefish to any particular threat actor, but they note significant code overlaps with the China-linked activity cluster "HiatusRat."
Muddling Meerkat uses China's Great Firewall to manipulate DNS queries.
Infoblox has published a report on "Muddling Meerkat," a suspected Chinese government threat actor that uses China's Great Firewall (GFW) to generate fake DNS Mail Exchange (MX) records. The group's motivations are unclear. Infoblox explains, "The most remarkable feature of Muddling Meerkat is the presence of false MX record responses from Chinese IP addresses. This behavior, never published before, differs from the standard behavior of the GFW. These resolutions are sourced from Chinese IP addresses that do not host DNS services and contain false answers, consistent with the GFW. However, unlike the known behavior of the GFW, Muddling Meerkat MX responses include not IPv4 addresses but properly formatted MX resource records instead. This feature is truly remarkable and largely inexplicable."
The researchers speculate that Muddling Meerkat may be pre-positioning for future DDoS attacks, creating DNS noise to cover up malicious activity, or simply conducting internet mapping and research. Renée Burton, Vice President of Threat Intelligence at Infoblox, concludes in a blog post, "In my professional experience, I have found Chinese threat actors to be extremely adept at managing, understanding, and leveraging the DNS for many purposes—whether that be censorship, cybercrime, or DDoS attacks. They also have some of the finest researchers in the field. Whatever the real goal of Muddling Meerkat is, we should not underestimate the talent and patience required to achieve it."
Vulnerability pattern affects popular Android apps.
Microsoft has discovered a new "path traversal-affiliated vulnerability pattern" affecting popular Android apps that could allow a malicious app to overwrite files in another application's home directory, leading to arbitrary code execution or token theft. The vulnerability pattern affects an Android component that manages datasets meant to be shared between applications.
Microsoft explains, "The Android operating system enforces isolation by assigning each application its own dedicated data and memory space. To facilitate data and file sharing, Android provides a component called a content provider, which acts as an interface for managing and exposing data to the rest of the installed applications in a secure manner. When used correctly, a content provider provides a reliable solution. However, improper implementation can introduce vulnerabilities that could enable bypassing of read/write restrictions within an application’s home directory."
The researchers identified several vulnerable Android apps that represent more than four billion downloads. Microsoft collaborated with Google to provide guidance to help Android developers avoid implementing this pattern.
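The pattern Microsoft describes boils down to a consuming app trusting a file name supplied by another app's content provider and writing it under its own home directory. The following is an added illustration, not Microsoft's or Google's code, written in Python rather than Kotlin so it runs stand-alone: the flawed path construction beside a hardened one that only accepts a plain file name and confirms the resolved path stays inside the app directory. The directory, names and display-name values are constructed for the example.

```python
import posixpath
import re

# Constructed stand-in for an app's private storage directory on Android.
APP_FILES_DIR = "/data/data/com.example.consumer/files"

# A display name a provider may legitimately hand over: one plain file name,
# no path separators, no leading dot.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def vulnerable_destination(base_dir: str, display_name: str) -> str:
    """The flawed pattern: use the provider-supplied display name as-is.

    A name such as '../shared_prefs/config.xml' resolves outside base_dir,
    which is how the reported pattern lets one app overwrite another's files.
    """
    return posixpath.normpath(posixpath.join(base_dir, display_name))


def hardened_destination(base_dir: str, display_name: str) -> str:
    """Reject anything that is not a single plain file name, then verify the
    resolved path sits directly under base_dir before any write happens."""
    if not _SAFE_NAME.fullmatch(display_name):
        raise ValueError(f"rejected display name: {display_name!r}")
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, display_name))
    # Containment check: the parent of the target must be base_dir itself.
    if posixpath.dirname(target) != base:
        raise ValueError(f"path escapes app directory: {target}")
    return target


def escapes_app_dir(base_dir: str, path: str) -> bool:
    """True when a resolved path lies outside base_dir (used to show the bug)."""
    base = posixpath.normpath(base_dir)
    return posixpath.commonpath([base, posixpath.normpath(path)]) != base
```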
APT42 impersonates journalists and event organizers.
Mandiant says APT42, a threat actor linked to Iran's Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), is impersonating journalists and event organizers in targeted social engineering attacks. The threat actor is targeting "Western and Middle Eastern NGOs, media organizations, academia, legal services, and activists," attempting to harvest credentials or deploy malware in support of cyberespionage operations. The hackers have sent spearphishing messages posing as real journalists from the Washington Post, The Economist, The Jerusalem Post, Khaleej Times, Azadliq, and other news outlets.
Mandiant notes, "These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to cloud environments. Subsequently, the threat actor covertly exfiltrated data of strategic interest to Iran, while relying on built-in features and open-source tools to avoid detection."
Suspected North Korean threat actors target software developers with new malware.
Researchers at Securonix are tracking a suspected North Korean phishing campaign that's targeting software developers with a new Python-based remote access Trojan. The threat actors send phony job interview requests to their targets, then trick them into downloading a malicious zip archive from GitHub as part of the interview process. Securonix notes, "This method is effective because it exploits the developer’s professional engagement and trust in the job application process, where refusal to perform the interviewer’s actions could compromise the job opportunity. The attackers tailor their approach to appear as credible as possible, often by mimicking real companies and replicating actual interview processes."
Verizon releases 2024 Data Breach Investigations Report.
Verizon has released its Data Breach Investigations Report (DBIR) for 2024, finding that ransomware and related extortion attacks were responsible for 32% of all breaches last year. Additionally, exploitation of vulnerabilities as an initial access point tripled last year compared to 2022, accounting for 14% of breaches. The researchers note, "This spike was driven primarily by the increasing frequency of attacks targeting vulnerabilities on unpatched systems and devices (zero-day vulnerabilities) by ransomware actors. The MOVEit software breach was one of the largest drivers of these cyberattacks, first in the education sector and later spreading to finance and insurance industries."
The report also notes that "[m]ost breaches (68%), whether they include a third party or not, involve a non-malicious human element, which refers to a person making an error or falling prey to a social engineering attack."
Threat actors abuse Microsoft Graph API for command-and-control.
Researchers at Symantec warn of an increase in attacks that use Microsoft Graph API to communicate with command-and-control infrastructure hosted on Microsoft cloud services. Symantec recently observed this technique "used in an attack against an organization in Ukraine, where a previously undocumented piece of malware used the Graph API to leverage Microsoft OneDrive for C&C purposes." The researchers note that it "remains unclear who the developers of the threat are and what their motivation is."
Graph API has been abused by several nation-state actors in the past, including groups linked to North Korea and Russia.
UK bans simple default passwords on IoT devices.
The United Kingdom's Product Security and Telecommunications Infrastructure Act 2022 (PSTI) goes into effect today, banning IoT devices from using easily guessable default usernames and passwords, the Record reports. The law states that "[p]asswords must be unique per product; or capable of being defined by the user of the product. They must not be based on incremental counters; based on or derived from publicly available information; based on or derived from unique product identifiers, such as a serial number unless this is done using an encryption method, or keyed hashing algorithm, that is accepted as part of good industry practice; or otherwise easily guessable."
Additionally, "[t]he manufacturer must provide information on how to report to them security issues about their product," and "[i]nformation on minimum security update periods must be published and made available to the consumer in a clear accessible and transparent manner."
The law will be enforced by the UK's Office for Product Safety and Standards (OPSS).
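The PSTI wording allows a default password to be derived from a serial number only through a keyed hash accepted as good industry practice. As an added example, not text or code from the Act or from the OPSS, the block below derives a per-device default with HMAC-SHA256 under a manufacturer-held key and includes a heuristic check for the patterns the law rules out (common defaults, incremental counters, values derived directly from the public identifier). The key, serials and default-password list are constructed for the example.

```python
import base64
import hashlib
import hmac
import re

# Constructed manufacturer-side secret for the example; in production this
# would live in a secured build pipeline, never on the device or its label.
MANUFACTURER_KEY = b"example-manufacturer-key-do-not-use"

# Constructed, deliberately short list of the universal defaults the Act targets.
_COMMON_DEFAULTS = {"admin", "password", "12345678", "root", "default"}


def derive_default_password(key: bytes, serial: str, length: int = 16) -> str:
    """Per-device default derived from the serial with a keyed hash.

    Knowing the serial printed on the box does not let anyone reconstruct the
    password without the manufacturer key, which is what distinguishes this
    from the serial-derived defaults the Act bans.
    """
    digest = hmac.new(key, serial.encode("utf-8"), hashlib.sha256).digest()
    # Base32 keeps the value typeable on a label; drop padding and truncate.
    return base64.b32encode(digest).decode("ascii").rstrip("=")[:length]


def is_easily_guessable(password: str, serial: str) -> bool:
    """Heuristic screen for defaults the Act describes as easily guessable."""
    pw = password.lower()
    sn = serial.lower()
    if pw in _COMMON_DEFAULTS or len(pw) < 8:
        return True
    # Pure digit strings look like incremental counters (e.g. 000001).
    if re.fullmatch(r"\d+", pw):
        return True
    # Derived from a public identifier: the serial or a chunk of it reused.
    if len(pw) >= 4 and (pw in sn or sn in pw):
        return True
    return False
```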
Patch news.
The open-source R programming language has patched an arbitrary code execution vulnerability (CVE-2024-27322), BleepingComputer reports. The R language is frequently used for statistical computing and data visualization. Researchers at HiddenLayer discovered the flaw, noting that "the exploitation of a code execution vulnerability in R can have far-reaching implications across multiple verticals, including but not limited to vital government agencies, medical, and financial institutions."
Courts and torts.
Ernest Health, a US-based operator of rehabilitation hospitals, is facing several federal class action lawsuits following a data breach that affected at least thirty-three of its facilities across twelve states, GovInfoSecurity reports. The breach affected more than 100,000 individuals and may have involved medical information, health insurance data, names, addresses, Social Security numbers, and more. One of the lawsuits alleges that Ernest failed "to properly secure and safeguard the sensitive information that it collected and maintained as part of its regular business practices."
The US Federal Communications Commission (FCC) has levied a total of $196 million in fines against T-Mobile, Verizon, and AT&T for sharing customer location data without consent, the Record reports. Verizon was fined $47 million, AT&T $57 million, and T-Mobile and Sprint (which merged after the investigation began) were fined a collective $92 million. The Commission said in a press release, "The FCC Enforcement Bureau investigations of the four carriers found that each carrier sold access to its customers’ location information to 'aggregators,' who then resold access to such information to third-party location-based service providers. In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained. This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access."
Crime and punishment.
Former NSA employee Jareh Sebastian Dalke has been sentenced to 21 years and 10 months in prison after pleading guilty to attempting to leak classified information to someone he believed to be a Russian agent, the Register reports. The individual he was in contact with turned out to be an undercover FBI employee.
The US Justice Department said in a press release, "On or about Aug. 26, 2022, Dalke requested $85,000 in return for all the information in his possession. Dalke claimed the information would be of value to Russia and told the FBI online covert employee that he would share more information in the future, once he returned to the Washington, D.C.-area. Dalke subsequently arranged to transfer additional classified information in his possession to the purported Russian agent at Union Station in downtown Denver. Using a laptop computer and the instructions provided by the FBI online covert employee, Dalke transferred five files, four of which contained Top Secret [National Defense Information]."