By the CyberWire staff
At a glance.
- US Justice Department charges alleged leader of the LockBit ransomware gang.
- Chinese threat actor used Ivanti zero-days to access MITRE's prototyping network.
- MedStar Health sustains breach.
- Ascension health system disrupted by cyberattack.
- Mobile medical provider DocGo discloses data breach.
- Russia-aligned information operation uses generative AI to modify legitimate articles.
- Zscaler disputes claims of a breach.
- Dell discloses data breach.
- Wichita, Kansas, sustains ransomware attack.
- El Salvador suffers breach of citizens' biometric data.
- British Columbian government investigates cyber incidents.
- Patch news: F5 fixes two high-severity BIG-IP Next Central Manager vulnerabilities.
US Justice Department charges alleged leader of the LockBit ransomware gang.
The US Justice Department has charged a 31-year-old Russian national, Dimitry Khoroshev, for his alleged role as the creator and administrator of the LockBit ransomware-as-a-service operation. The DOJ stated, "Khoroshev allegedly acted as the LockBit ransomware group’s developer and administrator from its inception in or around September 2019 through May 2024. Khoroshev and his affiliate coconspirators grew LockBit into what was, at times, the most active and destructive ransomware variant in the world... Khoroshev and his co-conspirators extracted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses, such as lost revenue, incident response, and recovery."
The US, the UK, and Australia have imposed travel bans and financial sanctions on Khoroshev, and the US State Department is offering up to $10 million for information leading to his arrest. The UK's National Crime Agency notes that Khoroshev himself had offered a $10 million reward to anyone who could reveal his identity.
Chinese threat actor used Ivanti zero-days to access MITRE's prototyping network.
The MITRE Corporation has disclosed additional details of the attack it sustained via two Ivanti Connect Secure zero-days earlier this year. The organization says a "China-nexus espionage threat actor" used the zero-days to bypass multifactor authentication and gain access to MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE). Once inside, "The adversary maneuvered within the research network via VMware infrastructure using a compromised administrator account, then employed a combination of backdoors and web shells to maintain persistence and harvest credentials." The threat actor then began exfiltrating data via the BUSHWALK web shell.
MITRE adds, "From February to mid-March, the adversary attempted lateral movement and maintained persistence within the NERVE. Despite unsuccessful attempts to pivot to other resources, the adversary persisted in accessing other virtual environments within Center."
MedStar Health sustains breach.
Maryland-based healthcare organization MedStar Health sustained a data breach affecting more than 183,000 patients, the Record reports. A hacker gained access to the data through email accounts belonging to three MedStar employees. The threat actor was able to access "patients’ names, mailing addresses, dates of birth, date(s) of service, provider name(s), and/or health insurance information."
The company said in a breach notification, "Patients whose information may have been involved are encouraged to review statements they receive related to their healthcare. If they identify anything unusual related to the healthcare services or the charges for services, they should contact the healthcare entity or health insurer immediately."
Ascension health system disrupted by cyberattack.
US health system Ascension has sustained a cyberattack that disrupted some of its systems, the Record reports. The organization, which runs 140 hospitals across the country, stated, "Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible. There has been a disruption to clinical operations, and we continue to assess the impact and duration of the disruption." The nonprofit is working with Mandiant to respond to the incident.
Mobile medical provider DocGo discloses data breach.
Mobile health service provider DocGo has disclosed a cyberattack that led to the theft of patient health information, BleepingComputer reports. The company stated in an SEC filing, "Promptly after detecting unauthorized activity, the Company took steps to contain and respond to the incident, including launching an investigation, with assistance from leading third-party cybersecurity experts, and notifying relevant law enforcement. As part of its investigation, the Company has determined that the threat actor accessed and acquired data, including certain protected health information, from a limited number of healthcare records within the Company’s U.S.-based ambulance transportation business, and that no other business lines have been involved."
Russia-aligned information operation uses generative AI to modify legitimate articles.
Recorded Future's Insikt Group describes a Russia-linked influence network dubbed "CopyCop" that's using generative AI tools to modify content from legitimate mainstream media sources, inserting bias that aligns with Russian government perspectives. The researchers explain, "CopyCop websites focus their attention on US, UK, and French domestic news, politics, crime, and other nationally trending stories, in addition to covering the war in Ukraine from a pro-Russian perspective and the Israel-Hamas conflict from a point of view that is critical of Israeli military operations in Gaza."
Zscaler disputes claims of a breach.
Rumors circulated yesterday that cybersecurity firm Zscaler had been breached after the well-known cybercriminal threat actor "IntelBroker" posted on a forum offering access to the company for $20,000, BleepingComputer reports. Zscaler has disputed the claims, stating that "there is no impact or compromise to its customer, production, and corporate environments." The company added, "Our investigation discovered an isolated test environment on a single server (without any customer data) which was exposed to the internet. The test environment was not hosted on Zscaler infrastructure and had no connectivity to Zscaler’s environments. The test environment was taken offline for forensic analysis."
Dell discloses data breach.
Dell has disclosed a breach involving customer names and home addresses, as well as "Dell hardware and order information, including service tag, item description, date of order, and related warranty information," TechCrunch reports. The company didn't provide information on how many customers were affected or how the data was breached. TechCrunch notes that a user posted on a dark web forum last month claiming to be selling 49 million customer records from Dell, including "information of systems purchased from Dell between 2017 and 2024."
Wichita, Kansas, sustains ransomware attack.
The city of Wichita, Kansas, shut down its computer network following a ransomware attack yesterday, SecurityWeek reports. The city stated, "We are working with specialists to thoroughly review and assess systems before putting them back online. Systems will be restored on a staggered basis to minimize disruptions. We do not have a definitive timeline for returning all systems to production."
The city said first responders have switched to business continuity measures and are still providing services.
El Salvador suffers breach of citizens' biometric data.
Resecurity warns that a threat actor has leaked personally identifiable information (PII) belonging to 5.1 million citizens of El Salvador (about eighty percent of the country's population). The leak includes high-definition photos of the individuals, along with names, birthdates, phone numbers, email addresses, and home addresses. Resecurity notes that "this data leak is significant because it marks one of the first instances in cybercrime history where virtually the entire population of a country has been affected by a compromise of biometric data," adding that "the vast scale of this biometric and PII data breach places most of El Salvador’s population at significant risk for identity theft and fraud."
British Columbian government investigates cyber incidents.
The Canadian province of British Columbia is investigating multiple "sophisticated cybersecurity incidents" affecting government networks, the Record reports. The nature of the incident wasn't disclosed. BC's Premier David Eby said in a statement, "The government is working closely with the Canadian Centre for Cyber Security (Cyber Centre) and other agencies to determine the extent of the incidents and implement additional measures to safeguard data and information systems. We have also informed the Office of the Information and Privacy Commissioner. There is no evidence at this time that sensitive information has been compromised. However, the investigation is ongoing and we have more work to do to determine what information may have been accessed."
Patch news.
F5 has patched two high-severity vulnerabilities (CVE-2024-26026 and CVE-2024-21793) affecting BIG-IP Next Central Manager, Ars Technica reports. The vulnerabilities can be exploited to gain administrative control of the manager and to create hidden accounts on managed devices. Researchers at Eclypsium discovered the flaws, explaining, "First, the management console of the Central Manager can be remotely exploited by any attacker able to access the administrative UI via CVE-2024-21793 or CVE-2024-26026. This would result in full administrative control of the manager itself. Attackers can then take advantage of the other vulnerabilities to create new accounts on any BIG-IP Next asset managed by the Central Manager. Notably, these new malicious accounts would not be visible from the Central Manager itself."