By the CyberWire staff
At a glance.
- Faulty CrowdStrike update causes widespread Windows outages.
- Change Healthcare attack could cost nearly $2.5 billion.
- Synnovis ransomware attack continues to impact blood supply at UK hospitals.
- AT&T reportedly paid a hacker $373,000 to delete stolen customer records.
- MuddyWater deploys new backdoor against Israeli organizations.
- BadPack delivers Android Trojans.
- Cyber threats targeting the 2024 Paris Olympics.
- Poco RAT targets mining entities.
- Kaspersky is shuttering its US operations.
Faulty CrowdStrike update causes widespread Windows outages.
A defective software update from CrowdStrike is causing major disruptions around the world, WIRED reports. Security researcher Kevin Beaumont says the CrowdStrike update contained an improperly formatted file that caused Windows systems to crash.
CrowdStrike's CEO George Kurtz said in a statement, "The outage was caused by a defect found in a Falcon content update for Windows hosts. Mac and Linux hosts are not impacted. This was not a security or cyberattack....CrowdStrike is operating normally, and this issue does not affect our Falcon platform systems. There is no impact to any protection if the Falcon sensor is installed. Falcon Complete and Falcon OverWatch services are not disrupted." The company has outlined workarounds for hosts that are still crashing. CNET notes that many systems will need to be reset manually.
The scope of the outage is difficult to quantify, but CNN quotes security expert Troy Hunt as saying this "will be the largest IT outage in history." ABC News reports that the incident disrupted airlines, banks, hospitals, government entities, and countless businesses. American Airlines, United, Delta, and Allegiant Air grounded all flights yesterday morning, and more than 5,000 flights had been canceled globally by yesterday afternoon. CNN says Charlotte Douglas International Airport in North Carolina and New York's JFK International Airport both told passengers to stay home until they confirmed their flight with the airline. The outage also caused issues at Ryanair, Spirit, Sun Country Airlines, Frontier, Lufthansa, Virgin Australia, Qantas, and others.
Sky News says the outage disrupted most GP practices in England, with thousands of surgeries affected "after the widely-used EMIS appointment and patient record system went down." NHS England stated, "The NHS has long-standing measures in place to manage the disruption, including using paper patient records and handwritten prescriptions, and the usual phone systems to contact your GP. There is currently no known impact on 999 or emergency services, so people should use these services as they usually would. Patients should attend appointments unless told otherwise."
The outage impacted 911 call centers in Oregon, Alaska, and Arizona, according to the New York Times. The AP reports that Mass General Brigham in Boston canceled all non-urgent visits yesterday, though its emergency rooms remained open. The health system stated, "[W]e are not able to access our clinical systems, including patient health records and scheduling."
Change Healthcare attack could cost nearly $2.5 billion.
UnitedHealth Group says the February ransomware attack against its Change Healthcare platform has cost the company nearly $2 billion so far, GovInfoSecurity reports. The company estimates the total damages will reach up to $2.45 billion. UnitedHealth Group's President and CFO John F. Rex said in an earnings call yesterday, "Of the total in the quarter, $0.64 per share were direct costs incurred in restoring the clearinghouse platform and other response efforts. These included higher medical expenses directly stemming from the temporary pause of some care management activities....The other component affecting our results relates to disruption of the ongoing Change Healthcare business. This largely encompasses the loss of revenues, combined with the cost of keeping these capabilities fully ready to serve."
Synnovis ransomware attack continues to impact blood supply at UK hospitals.
Hospitals in the UK are still struggling to replenish blood stocks following last month's ransomware attack on pathology service provider Synnovis, the Record reports. The Record cites a letter sent to National Health Service chief executives saying that national blood stocks are "in a very fragile position." Hospitals may need to move into "amber alert" status, which would reserve transfusions for the most severe circumstances. An amber alert status in the UK "occurs when there is a significant risk to the supply of blood that will affect clinical care."
AT&T reportedly paid a hacker $373,000 to delete stolen customer records.
WIRED reports that AT&T paid a hacker approximately $373,000 worth of Bitcoin to delete a trove of customer data stolen from the company's Snowflake cloud storage account. AT&T disclosed last week that the stolen data included phone call and text message records from nearly every AT&T customer (approximately 109 million people) between May and October of 2022. A security researcher who assisted AT&T told WIRED he believes the only copy of the data was deleted, although there's no way to know for certain that the hacker didn't keep a duplicate.
MuddyWater deploys new backdoor against Israeli organizations.
Check Point warns that the Iranian threat actor MuddyWater is using a new backdoor dubbed "BugSleep" to target Israeli entities. The malware is distributed via spearphishing campaigns targeting "Israeli municipalities as well as a broader group of airlines, travel agencies, and journalists." Check Point notes, "BugSleep is a backdoor designed to execute the threat actors’ commands and transfer files between the compromised machine and the C&C server. The backdoor is currently in development, with the threat actors continuously improving its functionality and addressing bugs."
BadPack delivers Android Trojans.
Palo Alto Networks's Unit 42 has published a report on BadPack, a malware dropper used by many Android-based banking Trojans. Unit 42 explains, "BadPack is an APK file intentionally packaged in a malicious way. In most cases, this means an attacker has maliciously altered header information used in the compressed file format for APK files. These tampered headers are a key feature of BadPack, and such samples typically pose a challenge for Android reverse engineering tools." The researchers reported their findings to Google, noting that "[b]ased on Google’s current detection, no apps containing this malware are found on Google Play." Unit 42 recommends that users avoid installing apps from third-party sources.
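As an added defender-side example (not Unit 42's code or tooling), the following Python checker compares each APK entry's ZIP local file header against the central directory. It assumes that BadPack-style tampering shows up as a disagreement between those two structures; the sample archive and the tampering applied to it are constructed here, not taken from a real sample.

```python
import io
import struct
import zipfile

LOCAL_SIG = 0x04034B50
LOCAL_FMT = "<IHHHHHIIIHH"  # local file header: 30 bytes, little-endian

def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a small, well-formed ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>" * 20)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()

def tamper_local_header(data: bytes, name: str) -> bytes:
    """Constructed, assumed BadPack-style tampering (not a real sample): rewrite
    one entry's local compression method and sizes, central directory untouched."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        off = z.getinfo(name).header_offset
    buf = bytearray(data)
    struct.pack_into("<H", buf, off + 8, 99)      # bogus compression method
    struct.pack_into("<II", buf, off + 18, 0, 0)  # compressed / uncompressed size
    return bytes(buf)

def check_headers(data: bytes) -> list:
    """Flag entries whose local file header disagrees with the central
    directory; normal build tools never produce such an archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            off = info.header_offset
            (sig, _, flags, method, _, _, crc, csize, usize,
             nlen, _) = struct.unpack_from(LOCAL_FMT, data, off)
            if sig != LOCAL_SIG:
                findings.append((info.filename, "bad local header signature"))
                continue
            local_name = data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
            if local_name != info.filename:
                findings.append((info.filename, f"name mismatch: {local_name!r}"))
            if method != info.compress_type:
                findings.append((info.filename, f"method local={method} central={info.compress_type}"))
            # Flag bit 3: sizes and CRC live in a trailing data descriptor and the
            # local header legitimately holds zeros, so only compare without it.
            if not flags & 0x0008:
                if (csize, usize) != (info.compress_size, info.file_size):
                    findings.append((info.filename, "size mismatch"))
                if crc != info.CRC:
                    findings.append((info.filename, "crc mismatch"))
    return findings
```

A clean archive yields no findings; the tampered one reports the altered entry by name with the disagreeing fields, which is the kind of triage signal to apply before handing a suspicious APK to decompilers that may choke on it.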
Cyber threats targeting the 2024 Paris Olympics.
ZeroFox and Fortinet have both published reports on threats facing the 2024 Olympics in Paris. ZeroFox says the primary cybersecurity threat will be cyberattacks from Russia, which are "likely to take the form of DDoS attacks, data compromises, and scams carried out by Russian threat actor groups." The researchers note, "Russian cyber threat actors are likely to react to the strong showing of support for Ukraine at the Games, as well as previous bans of Russian athletes, by targeting the [International Olympic Committee]."
Fortinet is tracking cybercriminal activity on the dark web, observing "a significant increase in resources being gathered for the Paris Olympic Games, especially those targeting French-speaking users, French government agencies and businesses, and French infrastructure providers." These resources include "advanced tools and services designed to accelerate data breaches and gather personally identifiable information (PII), the sale of stolen credentials and compromised VPN connections to enable unauthorized access to private networks, and advertisements for phishing kits and exploit tools customized for the Paris Olympics."
Poco RAT targets mining entities.
Cofense is tracking a new remote access Trojan called "Poco RAT" that's targeting Spanish-speaking users in Latin America. The malware was first observed in February 2024 targeting entities in the mining sector. Its targeting has since expanded to the manufacturing, hospitality, and utilities sectors, though the mining industry remains its primary focus. The malware is distributed via finance-themed phishing emails that encourage users to download malicious files.
Cofense explains, "Unless the infected computer has a geo location in Latin America, the attempts to communicate are not responded to by the C2. If the infected computer appears to be coming from Latin America, then a very small conversation takes place over an extended period of time. Aside from being able to communicate basic information about the environment, Poco RAT also appears to be able to download and execute files making it capable of delivering other malware more specialized for information stealing or even ransomware."
Kaspersky is shuttering its US operations.
Russian cybersecurity company Kaspersky Lab is shuttering its business in the United States, BleepingComputer reports. The US Department of Commerce announced last month that Kaspersky would be banned from selling its products in the United States beginning September 29th, due to national security concerns. The company told BleepingComputer, "Starting from July 20, 2024 Kaspersky will gradually wind down its U.S. operations and eliminate U.S.-based positions. The decision and process follows the Final Determination by the U.S. Department of Commerce, prohibiting the sales and distribution of Kaspersky products in the U.S. The company has carefully examined and evaluated the impact of the U.S. legal requirements and made this sad and difficult decision as business opportunities in the country are no longer viable."
Patch news.
Cisco has issued a patch for a maximum-severity vulnerability (CVE-2024-20419) affecting Cisco Smart Software Manager On-Prem devices, Ars Technica reports. The flaw could allow an unauthenticated remote attacker to change the password of any user, including administrators. Cisco states, "This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user." The vulnerability was assigned a CVSS score of 10.
Crime and punishment.
Two Russian nationals have pleaded guilty in the US to their participation in LockBit ransomware attacks, BleepingComputer reports. The US Justice Department said in a press release that Ruslan Magomedovich Astamirov deployed LockBit against at least twelve organizations in Virginia, Japan, France, Scotland, and Kenya, while Mikhail Vasiliev targeted businesses in New Jersey, Michigan, the United Kingdom, and Switzerland.
Interpol has arrested 300 individuals across 21 countries as part of a law enforcement operation targeting West African cybercrime syndicates, including the Black Axe gang. The police also identified 400 additional suspects and blocked more than 720 bank accounts.
Courts and torts.
A Manhattan district judge has thrown out most of the charges filed by the US Securities and Exchange Commission (SEC) against SolarWinds and its CISO Timothy Brown over the Russian state-sponsored hack the company sustained in 2019 and 2020, the Record reports. Judge Paul Engelmayer wrote in his decision that most of the charges "impermissibly rely on hindsight and speculation." The SEC had charged SolarWinds and its CISO with fraud for allegedly overstating the company's cybersecurity practices and failing to disclose known risks.