By the CyberWire staff
At a glance.
- Law enforcement operation disrupts LockBit.
- Change Healthcare cyberattack disrupts prescription processing.
- ScreenConnect flaw exploited by ransomware actors.
- Data breach at suspected Chinese government contractor.
- Apex vulnerabilities open Salesforce instances to attack.
- Earth Preta targets Asian countries with PlugX variant.
- AT&T outage caused by error, not cyberattack.
- Google Cloud Run abused to spread malware.
Law enforcement operation disrupts LockBit.
A wide-ranging law enforcement operation, dubbed "Operation Cronos," has disrupted the activities of the LockBit ransomware gang. Authorities have arrested two alleged members of the gang in Poland and Ukraine, BleepingComputer reports. The operation, led by the UK's National Crime Agency, also resulted in the seizure of 34 servers and more than 200 cryptocurrency accounts tied to the gang. The US Department of Justice has unsealed indictments against two Russian nationals for their alleged involvement in LockBit attacks.
Europol said in a press release, "The UK's National Crime Agency has now taken control of the technical infrastructure that allows all elements of the LockBit service to operate, as well as their leak site on the dark web, on which they previously hosted the data stolen from victims in ransomware attacks. At present, a vast amount of data gathered throughout the investigation is now in the possession of law enforcement. This data will be used to support ongoing international operational activities focused on targeting the leaders of this group, as well as developers, affiliates, infrastructure, and criminal assets linked to these criminal activities."
The Japanese Police, the National Crime Agency, and the FBI have released decryption tools designed to help recover files encrypted by LockBit.
The US State Department has announced a $15 million reward "for information leading to the arrest and/or conviction of any individual participating in a LockBit ransomware variant attack and for information leading to the identification and/or location of any key leaders of the LockBit ransomware group." Additionally, the US Treasury Department on Tuesday sanctioned two Russian nationals, Ivan Gennadievich Kondratiev and Artur Sungatov, for their alleged participation in LockBit attacks.
Change Healthcare cyberattack disrupts prescription processing.
A cyberattack against Optum Solutions's Change Healthcare platform continues to disrupt prescription processing at pharmacies across the US, BleepingComputer reports. The American Hospital Association said in a statement on Thursday, "[W]e recommend that all health care organizations that were disrupted or are potentially exposed by this incident consider disconnection from Optum until it is independently deemed safe to reconnect to Optum. It also is recommended that organizations which utilize Optum’s services prepare related downtime procedures and contingency plans should Optum’s services remain unavailable for an extended period."
Optum's parent company UnitedHealth Group said in an SEC filing, "On February 21, 2024, UnitedHealth Group (the “Company”) identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems. Immediately upon detection of this outside threat, the Company proactively isolated the impacted systems from other connecting systems in the interest of protecting our partners and patients, to contain, assess and remediate the incident. The Company is working diligently to restore those systems and resume normal operations as soon as possible, but cannot estimate the duration or extent of the disruption at this time. The Company has retained leading security experts, is working with law enforcement and notified customers, clients and certain government agencies. At this time, the Company believes the network interruption is specific to Change Healthcare systems, and all other systems across the Company are operational."
ScreenConnect flaw exploited by ransomware actors.
Ransomware actors are actively exploiting critical flaws affecting ConnectWise’s ScreenConnect product, the Record reports. Christopher Budd, director of Sophos X-Ops Threat Research, told the Record, "We’ve seen multiple attacks involving ScreenConnect in the past 48 hours. The most noteworthy has been a malware that was built using the LockBit 3 ransomware builder tool leaked in 2022....We’re also seeing RATS, infostealers, password stealers, and other ransomware. All of this shows that many different attackers are targeting ScreenConnect. Anyone using ScreenConnect should take steps to immediately isolate vulnerable servers and clients, patch them, and check for any signs of compromise."
Sophos said in a report published yesterday that attacks targeting ScreenConnect have more than doubled since a proof-of-concept exploit was published on Wednesday. Sophos notes that "[p]atching the server will not remove any malware or webshells attackers manage to deploy prior to patching and any compromised environments need to be investigated."
Data breach at suspected Chinese government contractor.
Malwarebytes has published an analysis of a data leak from i-Soon, a Chengdu-based cybersecurity vendor that appears to provide hacking services to the Chinese government. The data trove, which was posted on GitHub, contains "complaints about the company, chat records, financial information, products, employee information, and details about foreign infiltration," including claims that the company infiltrated government departments in India, Thailand, Vietnam, South Korea, and NATO countries.
The Associated Press cites two i-Soon employees as saying that the Chinese police are investigating the leak. The AP notes that the leaked documents "reveal, in detail, methods used by Chinese authorities to surveil dissidents overseas, hack other nations, and promote pro-Beijing narratives on social media."
Researchers at SentinelOne note, "The leaked documents align with previous threat intel on several named threat groups. Victim data and targeting lists, as well as names of the clients who requested them, show a company who competes for low-value hacking contracts from many government agencies."
The CyberWire has published a summary of the breach and its ramifications.
Apex vulnerabilities open Salesforce instances to attack.
Researchers at Varonis have identified "high- and critical-severity vulnerabilities and misconfiguration" affecting Apex, the programming language used by Salesforce instances. The researchers note, "If exploited, the vulnerabilities can lead to data leakage, data corruption, and damage to business functions in Salesforce." Nitay Bachrach, senior security researcher at Varonis, told Dark Reading, "In some cases, the exploitation was very tricky and required techniques we developed in-house, and in others, it was a simple oversight — the guest user was just able to execute code for no reason, and that leaked sensitive data. Under the shared responsibility model, users can choose to write code, but they're also responsible for making sure it is secure. Salesforce is not responsible for Apex code...uploaded by the users to their Salesforce instances."
Earth Preta targets Asian countries with PlugX variant.
Trend Micro describes a PlugX malware campaign that targeted entities in Taiwan, Vietnam, China, Singapore, Hong Kong, Japan, India, Malaysia, and Mongolia in 2022 and 2023. The researchers believe the campaign is tied to the China-aligned threat actor Earth Preta (also known as "Mustang Panda" and "Bronze President"). The PlugX sample used in this campaign is similar to a variant used in a campaign dubbed "SMUGX" that has targeted Foreign Affairs ministries and embassies in Europe since at least December 2022. The malware is distributed via spearphishing lures that are "related to current events, such as the Taiwanese presidential election that occurred in January 2024."
AT&T outage caused by error, not cyberattack.
AT&T says its widespread service outages on Thursday were caused by a technical error, the Washington Post reports. AT&T spokesman Jim Greer told the Post, "Based on our initial review, we believe that today’s outage was caused by the application and execution of an incorrect process used as we were expanding our network, not a cyberattack." The company added, "[W]e are taking steps to ensure our customers do not experience this again in the future."
Google Cloud Run abused to spread malware.
Cisco Talos warns that Google Cloud Run is "being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe." The researchers note evidence that "the distribution campaigns for these malware families are related, with Astaroth and Mekotio being distributed under the same Google Cloud Project and Google Cloud storage bucket." The Trojans are particularly focused on Latin America, with the "current variant of Astaroth [targeting] more than 300 institutions across 15 Latin American countries."
Crime and punishment.
A Ukrainian national, Mark Sokolovsky, has been extradited to the United States from the Netherlands after being indicted for crimes related to his alleged operation of the Raccoon Infostealer malware-as-a-service, Malwarebytes reports. The US Attorney's Office of the Western District of Texas said in a press release, "In March 2022, concurrent with Sokolovsky’s arrest by Dutch authorities, the FBI and law enforcement partners in Italy and the Netherlands dismantled the digital infrastructure supporting the Raccoon Infostealer, taking its then existing version offline. Sokolovsky is charged with one count of conspiracy to commit fraud and related activity in connection with computers; one count of conspiracy to commit wire fraud; one count of conspiracy to commit money laundering; and one count of aggravated identity theft. He made his initial court appearance Feb. 9, and is being held in custody pending trial."