Change Healthcare hackers cash in $22 million ransom.
Is the ALPHV gang pulling up a twenty two million dollar rug? Meta platforms are experiencing outages. Ukraine claims a cyberattack on the Russian Ministry of Defense. Malicious phishers hope to hook hashes. TeamCity users are warned of critical vulnerabilities. The Discord leaker pleads guilty. AmEx suffers a third-party data breach. Amazon is flooded with fake copycat publications. Our guest is Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division to discuss Volt Typhoon. And, Dude, she is just not that into you.
Today is March 5th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Is the ALPHV gang pulling up the twenty two million dollar rug?
The ransomware gang ALPHV, also known as BlackCat, implicated in the attack on Change Healthcare, has been embroiled in controversy with allegations of a $22 million ransom payment and internal disputes. A Bitcoin transaction of 350 bitcoins, valued at around $22 million, was made to an address connected to ALPHV, leading to speculation that Change Healthcare paid a ransom. Security firms Recorded Future and TRM Labs have linked this Bitcoin address to ALPHV and to payments from other victims. Subsequently, an affiliate accused ALPHV of withholding their share of the ransom, providing the transaction as evidence. This dispute raises concerns that sensitive data accessed during the attack could still be at risk of exposure. Furthermore, ALPHV’s leak site displayed what appeared to be a law enforcement seizure notice, sparking speculation about the gang's current status and whether this signals a takedown by authorities or a strategic withdrawal by the gang amidst the fallout from their recent activities. There’s strong speculation from cybersecurity experts on social media that the takedown notice is bogus, and that ALPHV is indeed pulling the rug out from under its affiliates. This one is still developing, so stay tuned.
Meta platforms are experiencing outages.
Meta's platforms, Instagram, Facebook, and Threads, are experiencing global outages, impacting many users since reports began at 10 a.m. ET. Facebook and Threads are not loading, and Instagram is partially accessible. The outage coincides with Super Tuesday in the U.S., potentially affecting presidential campaigns' ability to communicate with voters. Meta acknowledges the issue and is working on a resolution. Concurrently, YouTube and Gmail users report loading and email delivery problems, though it's unclear if these are related to Meta's outage.
Ukraine claims a cyberattack on the Russian Ministry of Defense.
The Ukrainian Main Intelligence Directorate (GUR) claims to have hacked the Russian Ministry of Defense, stealing sensitive data. The operation, described as a "special operation" by the GUR, led to the acquisition of software for data protection and encryption, secret service documents, and details on the ministry's structure and personnel, including the Deputy Minister of Defense, Timur Ivanov. Evidence of the breach was posted online, though its authenticity remains unconfirmed. This incident follows previous, unverified GUR cyber attacks on Russian agencies, with this latest attack not involving operational disruption.
Malicious phishers hope to hook hashes.
Researchers at Proofpoint highlight a threat actor using phishing emails with malicious attachments to steal employees' NTLM hashes, the hashed password values Windows relies on for user authentication. Microsoft aims to replace NTLM with the more secure Kerberos protocol because of weaknesses such as offline password cracking and "Pass-The-Hash" attacks. The phishing campaign, identified in late February 2024, involved emails urging recipients to open a ZIP file that triggers a connection to an attacker-controlled SMB server, capturing NTLMv2 challenge/response pairs without deploying malware. This method reveals sensitive data such as domain names and usernames, helping attackers gauge further exploitation potential. Known for distributing malware like QBot and Pikabot, this marks the actor's first known attempt at NTLM credential theft, highlighting their adaptability and resources. Organizations are advised to block outbound SMB connections to counteract these tactics.
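The mitigation above, blocking outbound SMB, is only as good as your visibility into whether it is actually enforced. The following added example (not code from the briefing or from Proofpoint) scans a constructed egress firewall log for SMB connections (TCP 445/139) leaving the internal address space; the log format, the internal ranges, and all addresses are assumptions, with the "external" destinations drawn from documentation ranges.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample egress log lines (assumed format; not real traffic).
# Destinations 203.0.113.x and 192.0.2.x are documentation ranges standing in
# for arbitrary internet hosts.
SAMPLE_LOGS = """\
2024-02-27T09:14:02Z allow src=10.20.5.17:51234 dst=10.20.1.5:445 proto=tcp
2024-02-27T09:14:09Z allow src=10.20.5.17:51240 dst=203.0.113.44:445 proto=tcp
2024-02-27T09:14:11Z allow src=10.20.5.17:51241 dst=203.0.113.44:443 proto=tcp
2024-02-27T09:15:30Z deny src=10.20.7.3:49800 dst=192.0.2.77:139 proto=tcp
2024-02-27T09:16:01Z allow src=10.20.7.3:49812 dst=192.0.2.77:445 proto=tcp
"""

# The organisation's own address space (assumed: the RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {445, 139}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>allow|deny)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)

def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the organisation's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def find_smb_egress(log_text: str) -> List[Dict]:
    """Return every SMB connection from an internal host to an external one."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec and rec["proto"] == "tcp" and rec["dport"] in SMB_PORTS
            and is_internal(rec["src"]) and not is_internal(rec["dst"])]

def allowed_smb_egress(log_text: str) -> List[Dict]:
    """The subset that was permitted: each one is a gap in the block policy."""
    return [rec for rec in find_smb_egress(log_text) if rec["action"] == "allow"]
```

Denied entries are still worth triaging, since an internal host reaching for an external SMB share is exactly the behaviour the campaign above relies on.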
TeamCity users are warned of critical vulnerabilities.
JetBrains has alerted users of their TeamCity build management and continuous integration tools to urgently patch two newly disclosed vulnerabilities identified by Rapid7. One of the vulnerabilities is a critical authentication bypass flaw with a 9.8 CVSS score, which could allow remote attackers to fully compromise servers via an alternative path issue. The second, with a 7.3 CVSS score, permits limited information disclosure and system alteration, including HTTPS certificate replacement, through a path traversal issue. These flaws pose a significant risk, potentially enabling attackers to control projects and launch supply chain attacks. JetBrains has released an updated software version and a security patch plugin for users unable to upgrade, ensuring all TeamCity On-Premises versions are covered. They say TeamCity Cloud customers have been patched and secured.
The Discord leaker pleads guilty.
Jack Teixeira, a Massachusetts Air National Guard member, pleaded guilty yesterday to leaking classified documents on Discord. He admitted to willful retention and transmission of national defense information and faces a proposed sentence of over 16 years. The 22-year-old's actions included sharing sensitive data related to international affairs with his fellow online gamers under the alias "TheExcaliburEffect." Despite previous warnings about his handling of classified information, Teixeira accessed and leaked details on topics like Russia's invasion of Ukraine. His sentencing is set for September 27, after a plea deal that prevents further Espionage Act charges. The incident has prompted the Air Force to discipline 15 personnel and the Department of Defense to review its classified information access protocols.
AmEx suffers a third-party data breach.
American Express has notified customers of a third-party data breach at a merchant processor, leading to the exposure of credit card details. This breach did not affect American Express's systems directly but involved a service provider used by several merchants. The compromised data includes American Express card numbers, names, and expiration dates. The specifics of the affected merchant processor and the scope of impacted customers remain undisclosed. American Express has informed regulatory authorities and is contacting affected customers, assuring that they won't be held liable for any fraudulent charges. Customers are advised to monitor their account statements for suspicious activity over the next 12 to 24 months.
Amazon is flooded with fake copycat publications.
In the weeks leading up to the publishing of her memoir, tech journalist Kara Swisher noticed a disturbing proliferation of fake biographies on Amazon, featuring AI-generated images of her and authored by unknown individuals, posing as genuine accounts of her life. Swisher initially dismissed it as a curiosity, but the issue quickly escalated when dozens of these AI-generated knockoffs flooded Amazon. This incident highlights a growing challenge on Amazon: the influx of AI-generated books designed to mimic and compete with legitimate publications. Amazon has implemented measures like limiting self-publishing volumes and mandating disclosure of AI-generated content, but the effectiveness of these policies remains questionable at best. Swisher reached out directly to Amazon's CEO Andy Jassy, which led to the removal of some fake listings, but of course most aspiring authors don’t have direct access to high-level executives. The episode underscores the broader issue of AI-driven content undermining genuine creative efforts, necessitating stronger verification and authentication processes to protect authors and maintain the integrity of digital publishing platforms.
Coming up next is my discussion with Deputy Assistant Director Cynthia Kaiser of the FBI Cyber Division talking about Volt Typhoon.
Dude, she is not that into you.
And finally, our loose-lips-sink-ships desk tells of one David Franklin Slater, a 63-year-old retired Army lieutenant colonel and former civilian employee at United States Strategic Command (USSTRATCOM), who was arrested for allegedly disclosing sensitive national defense information to an individual claiming to be a woman from Ukraine through a foreign dating site. While employed at USSTRATCOM, where he held a Top Secret security clearance, Slater reportedly sent secret Pentagon documents about Russia's war in Ukraine and discussed national defense information via email and messaging platforms. He was charged with one count of conspiracy and two counts of unauthorized disclosure of national defense information, actions described as potentially causing "serious damage to national security."
Here’s a bit of advice. If your online crush suddenly shows undue interest in the mundane yet highly classified details of your day job, chances are they are not really that into you. Cut your losses, tell your bosses, and move on with your life.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.
N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.