By the CyberWire staff
At a glance.
- Ivanti VPN gateways may still be compromised after factory resets.
- Change Healthcare confirms BlackCat/ALPHV ransomware attack.
- LockBit attempts to rebuild.
- NIST releases Cybersecurity Framework 2.0.
- Russia's APT29 targets cloud services.
- APT28 uses compromised Ubiquiti EdgeRouters.
- Suspected Iranian threat actor targets aerospace and defense entities.
- ThyssenKrupp sustains cyberattack.
- LoanDepot breach affected 17 million people.
- RCMP hit by cyberattack.
Ivanti VPN gateways may still be compromised after factory resets.
The US Cybersecurity and Infrastructure Security Agency (CISA) and other Five Eyes agencies warned yesterday that threat actors who have exploited recent vulnerabilities affecting Ivanti Connect Secure and Policy Secure gateways may be able to maintain root persistence even after the devices have undergone factory resets. Additionally, the advisory notes that "cyber threat actors are able to deceive Ivanti’s internal and external Integrity Checker Tool (ICT), resulting in a failure to detect compromise."
The advisory states, "The authoring organizations encourage network defenders to (1) assume that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised, (2) hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory, (3) run Ivanti’s most recent external ICT, and (4) apply available patching guidance provided by Ivanti as version updates become available. If a potential compromise is detected, organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory. Based upon the authoring organizations’ observations during incident response activities and available industry reporting, as supplemented by CISA’s research findings, the authoring organizations recommend that the safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit level persistence on a device that has been reset and lay dormant for an arbitrary amount of time."
Change Healthcare confirms BlackCat/ALPHV ransomware attack.
UnitedHealth Group confirmed yesterday that the cyberattack sustained by Change Healthcare last week was a ransomware attack by the BlackCat/ALPHV gang. BleepingComputer reports that BlackCat on Wednesday claimed to have stolen six terabytes of data from Change Healthcare and its partners, including medical and dental records, insurance records, payment data, claims information, patients' PII, and active US military/navy personnel data. The Record notes that the gang has since removed the post.
The US FBI, CISA, and the Department of Health and Human Services (HHS) have issued a joint advisory warning that the ALPHV/BlackCat ransomware-as-a-service operation continues to target the healthcare industry. The advisory notes, "Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized. This is likely in response to the ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023."
LockBit attempts to rebuild.
The LockBit ransomware gang is attempting to recover after a widespread law enforcement effort disrupted its operations last week, BleepingComputer reports. The gang has launched a new leak site that lists five of its victims. LockBit's main administrator, LockbitSupp, admitted that "Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time," which enabled law enforcement to seize the gang's servers. LockbitSupp added that "for 5 years of swimming in money I became very lazy."
BleepingComputer observes, "The long message from LockBit looks like damage control and an attempt to restore credibility for a tainted reputation. The gang took a heavy blow and even if it managed to restore the servers affiliates have a good reason to be distrustful."
NIST releases Cybersecurity Framework 2.0.
The National Institute of Standards and Technology (NIST) yesterday released version 2.0 of its Cybersecurity Framework (CSF). The updated version "has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy. The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation."
Russia's APT29 targets cloud services.
A joint advisory from the UK's National Cyber Security Centre (NCSC) and other Five Eyes agencies has warned that APT29 (also known as "Cozy Bear," a threat actor attributed to Russia's SVR) has adapted its tactics to target governments and corporations that utilize cloud services. The advisory notes, "As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment. They have to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premises network, and instead target the cloud services themselves. To access the majority of the victims’ cloud hosted network, actors must first successfully authenticate to the cloud provider. Denying initial access to the cloud environment can prohibit SVR from successfully compromising their target. In contrast, in an on-premises system, more of the network is typically exposed to threat actors."
APT28 uses compromised Ubiquiti EdgeRouters.
The US FBI, NSA, Cyber Command, and international partners have released a joint advisory warning that Russia's APT28 (also known as "Fancy Bear," a threat actor attributed to the Russian GRU) is using compromised Ubiquiti EdgeRouters "globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools."
The advisory states, "As early as 2022, APT28 actors had utilized compromised EdgeRouters to facilitate covert cyber operations against governments, militaries, and organizations around the world. These operations have targeted various industries, including Aerospace & Defense, Education, Energy & Utilities, Governments, Hospitality, Manufacturing, Oil & Gas, Retail, Technology, and Transportation. Targeted countries include Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, United Arab Emirates, and the US. Additionally, the actors have strategically targeted many individuals in Ukraine."
Suspected Iranian threat actor targets aerospace and defense entities.
Mandiant says the suspected Iranian threat actor UNC1549 has been targeting aerospace, aviation, and defense entities in Middle Eastern countries with two unique backdoors dubbed "MINIBIKE" and "MINIBUS." The campaign overlaps with activity by Tortoiseshell, a threat actor attributed to Iran’s Islamic Revolutionary Guard Corps (IRGC). Mandiant notes, "The potential link between this activity and the Iranian IRGC is noteworthy given the focus on defense-related entities and the recent tensions with Iran in light of the Israel-Hamas war. Notably, Mandiant observed an Israel-Hamas war-themed campaign that masquerades as the 'Bring Them Home Now' movement, which calls for the return of the Israelis kidnapped and held hostage by Hamas. This suspected UNC1549 activity has been active since at least June 2022 and is still ongoing as of February 2024."
ThyssenKrupp sustains cyberattack.
German steel production conglomerate ThyssenKrupp has confirmed that its automotive division sustained a cyberattack last week, BleepingComputer reports. The nature of the attack is unclear, but the company has disconnected systems as a precautionary measure. The incident caused production to shut down at the company's Saarland-based plant.
ThyssenKrupp said in a statement, "Our ThyssenKrupp Automotive Body Solutions business unit recorded unauthorized access to its IT infrastructure last week. The IT security team at Automotive Body Solutions recognized the incident at an early stage and has since worked with the ThyssenKrupp Group's IT security team to contain the threat. To this end, various security measures were taken and certain applications and systems were temporarily taken offline."
LoanDepot breach affected 17 million people.
US mortgage lender LoanDepot has disclosed that the ransomware attack it sustained in January resulted in the breach of data belonging to 17 million people, TechCrunch reports. The stolen data included Social Security numbers, names, dates of birth, email and postal addresses, financial account numbers, and phone numbers.
RCMP hit by cyberattack.
The Royal Canadian Mounted Police (RCMP) is investigating a cyberattack that hit its networks on Friday, CBC reports. An RCMP spokesperson said in a statement, "The situation is evolving quickly but at this time, there is no impact on RCMP operations and no known threat to the safety and security of Canadians. While a breach of this magnitude is alarming, the quick work and mitigation strategies put in place demonstrate the significant steps the RCMP has taken to detect and prevent these types of threats."
Crime and punishment.
The US Department of Justice has indicted an Iranian national, Alireza Shafie Nasab, for his alleged "involvement in a cyber-enabled campaign to compromise U.S. governmental and private entities, including the U.S. Departments of the Treasury and State, defense contractors, and two New York-based companies." The indictment states, "[I]n conducting their hacking campaigns, the group used spear phishing — that is, tricking an email recipient into clicking on a malicious link — to infect victim computers with malware. In the course of their campaigns against one victim, the group compromised more than 200,000 victim employee accounts. At another victim, the conspirators targeted 2,000 employee accounts. In order to manage their spearphishing campaigns, the group created and used a particular computer application, which enabled the conspirators to organize and deploy their spear phishing attacks."
Policies, procurements, and agency equities.
The Biden administration has issued an executive order that will prevent data brokers from selling sensitive data of Americans to China, Russia, and other "countries of concern." The order focuses on "genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personally identifiable information."
The White House stated, "The sale of Americans’ data raises significant privacy, counterintelligence, blackmail risks, and other national security risks—especially for those in the military or national security community. Countries of concern can also access Americans’ sensitive personal data to collect information on activists, academics, journalists, dissidents, political figures, and members of non-governmental organizations and marginalized communities to intimidate opponents of countries of concern, curb dissent, and limit Americans’ freedom of expression and other civil liberties."