The CyberWire Daily Podcast 3.13.24
Ep 2023 | 3.13.24

The usual suspects are up to their usual tricks.

Transcript

ODNI’s Annual Threat Assessment highlights the usual suspects. The White House meets with UnitedHealth Group’s CEO. A convicted LockBit operator gets four years in prison. The Clop ransomware group leaks data from major universities. Equilend discloses a data breach. Fortinet announces critical and high-severity vulnerabilities. GhostRace exploits speculative race conditions in popular CPUs. Incognito Market pulls the rug and extorts its users. Patch Tuesday notes. On the Learning Layer, Sam Meisenberg talks with Joe Carrigan from Johns Hopkins University Information Security Institute, and co-host of Hacking Humans podcast. They explore Joe's journey on the road to taking his CISSP test. And, I do not authorize Facebook, Meta or any of its subsidiaries to use this podcast. 

Today is March 13th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

ODNI’s Annual Threat Assessment highlights the usual suspects. 

The Office of the Director of National Intelligence’s 2024 Annual Threat Assessment reveals an escalating cyber threat landscape, with China identified as the top persistent cyber adversary to the U.S., targeting government, private sector, and critical infrastructure. ODNI says Russia continues as a significant global cyber threat, focusing on Ukrainian conflict-related cyber operations. North Korea is expected to ramp up illicit activities, including cyber theft, to support its WMD program. The U.S. faces challenges from strategic competition among major powers, transnational threats, and regional conflicts, with organized cybercriminals refining ransomware attacks against critical services and exploiting weak defenses worldwide, especially in low-income countries. The proliferation and sophistication of ransomware attacks are fueled by inexpensive, anonymizing online infrastructure, making them more accessible to newcomers. Despite occasional operational pauses by cybercriminal groups due to law enforcement actions, their activities often resume or evolve. Without cooperation from countries providing safe havens for cybercriminals, like Russia, mitigation efforts are limited. The report also highlights China's cyber espionage, the threat of aggressive cyber operations against the U.S., and surveillance and censorship practices. It underscores Russia's foreign policy use of cyber disruptions and Iran's increasing cyber aggression, posing a threat to U.S. and allied security. Iran's potential influence operations targeting the U.S. elections are noted. North Korea's cyber program is characterized as sophisticated and versatile, focusing on espionage, cybercrime, and strategic objectives. In response, CISA has outlined a 2024 plan to address these threats, particularly from China, through enhanced cybersecurity and collaboration efforts.

The White House meets with UnitedHealth Group’s CEO. 

Yesterday, White House officials met with UnitedHealth Group’s CEO and industry representatives to address a cyberattack on UnitedHealth's tech unit, Change Healthcare, that disrupted U.S. healthcare operations. This gathering marked the first coordinated effort between healthcare providers and insurers post-hack. The cyberattack, attributed to the "Blackcat" ransomware group, significantly impacted the healthcare system, affecting the processing of medical claims and payments. Health insurers have since implemented alternative payment processes to assist healthcare providers. Change Healthcare, crucial for processing about half of U.S. medical claims, serves numerous healthcare entities. U.S. officials have urged UnitedHealth to expedite payments to affected providers, highlighting the extensive reach and impact of the cyberattack on the healthcare sector.

A convicted LockBit operator gets four years in prison. 

Mikhail Vasiliev, a Russian-Canadian involved in the LockBit ransomware operation, has been sentenced to four years in prison by an Ontario court. Arrested in November 2022 and pleading guilty to eight charges in February 2024, Vasiliev played a crucial role in numerous high-profile cyberattacks, demanding ransoms totaling over $100 million. His activities, particularly targeting Canadian businesses, led to significant disruptions between 2021 and 2022. Despite his lawyer's claims of pandemic-driven criminality, Justice Michelle Fuerst labeled Vasiliev a "cyber-terrorist" driven by greed. He has been ordered to pay $860,000 in restitution and faces potential extradition to the U.S. for further charges. Meanwhile, despite law enforcement efforts to disrupt LockBit, including arrests and a $15 million reward for information, the gang attempts to recover, using new infrastructure to resume attacks, although their activity level may be overstated according to recent analysis.

The Clop ransomware group leaks data from major universities. 

The Clop ransomware group leaked personal and financial data stolen from Stanford Medicine, University of Maryland Baltimore (UMB), and the University of California. The breach occurred through vulnerabilities in the Accellion File Transfer Appliance (FTA), a tool used by these institutions to share and store sensitive information. Stanford Medicine reported that stolen data included Social Security numbers and financial details. UMB acknowledged a breach involving personally identifiable information, while the University of California recognized a broader cyberattack impacting several entities. Similar incidents also affected the University of Colorado and the University of Miami. Although internal networks remained secure, the compromised Accellion servers led to significant data exposure. The Clop ransomware group, potentially linked with the FIN11 cybercrime group, aims to pressure victims into paying ransoms to prevent data leaks. This series of attacks underscores ongoing security challenges and the necessity for robust cybersecurity measures against ransomware threats.

EquiLend discloses a data breach. 

Financial technology firm EquiLend has disclosed a data breach due to a ransomware attack in January, attributed to the notorious LockBit group. This incident compromised personal information of EquiLend employees, including names, birth dates, Social Security numbers, and payroll details. Although there's no evidence of misuse, affected individuals are offered two years of free credit monitoring and identity protection. The attack led to temporary service disruptions, but the full extent and whether a ransom was paid remain undisclosed. LockBit's leak site currently does not list EquiLend, suggesting possible negotiations.

Fortinet announces critical and high-severity vulnerabilities. 

Fortinet has announced vulnerabilities in its products, with two classified as "critical" and others as "high" severity, prompting an advisory from CISA. The vulnerabilities impact FortiClient EMS, FortiManager, FortiOS, and FortiProxy. Critical vulnerabilities include allowing command execution on admin workstations through malicious log entries, and enabling code execution on FortiOS and FortiProxy via the captive portal due to security flaws. Fortinet recommends updating to the latest software versions to address these issues. Additionally, "high" severity issues affect multiple Fortinet services, particularly relating to SSLVPN features. While no attacks exploiting these vulnerabilities have been reported, Fortinet's advisory highlights the necessity of timely security updates to prevent potential cybersecurity risks.

GhostRace exploits speculative race conditions in popular CPUs. 

Researchers from IBM and VU Amsterdam have unveiled a new data leakage attack named GhostRace, affecting major CPU manufacturers and various software. GhostRace exploits speculative race conditions (SRCs), potentially allowing attackers to access sensitive data like passwords and encryption keys from memory. This technique generally requires physical or privileged machine access, making practical exploitation challenging. The attack leverages speculative execution alongside race conditions, previously exploited in CPU attacks, to bypass synchronization primitives meant to prevent such conditions. The researchers utilized a novel method called Inter-Process Interrupt (IPI) Storming to disrupt a victim process’s execution, facilitating speculative concurrent use-after-free (SCUAF) attacks, leading to significant data leakage in tests on the Linux kernel. Although focusing on x86 and Linux, the vulnerability extends to all major hardware platforms and various software implementing similar synchronization without protective serializing instructions. Intel, AMD, Arm, and IBM have been informed, with AMD advising that measures against Spectre-type attacks could mitigate GhostRace risks. The Xen hypervisor and Linux developers have acknowledged the issue, with Linux introducing an IPI rate limiting feature, albeit with reservations about further action due to performance concerns.

Incognito Market pulls the rug and extorts its users. 

Incognito Market, a darknet narcotics platform, has turned extortionist against its users, threatening to expose private messages, transaction details, and crypto transaction IDs unless a ransom is paid. The blackmail message boasts about the unreliability of their "auto-encrypt" feature and the non-deletion of messages, warning of a potential data dump including over 557,000 orders and 862,000 crypto transaction IDs. The market is demanding ransoms ranging from $100 to $20,000, based on the user's activity level, promising to keep their information from law enforcement. This revelation follows a significant "exit scam" that saw users lose access to their Bitcoin and Monero funds, highlighting the inherent risks and lack of trust in darknet marketplaces. Incognito Market has even published a list showing who has paid the ransom, possibly to coerce more into paying.

Patch Tuesday notes. 

Microsoft's March 2024 Patch Tuesday addressed 59 vulnerabilities across its product range, without any being zero-day or publicly disclosed beforehand. Two vulnerabilities are rated as Critical, affecting Windows Hyper-V with a Denial of Service (DoS) and Remote Code Execution risk, and 57 are deemed Important, spanning products like Skype, Microsoft Components for Android, Windows, Office, Azure, .NET Framework, Visual Studio, SQL Server, and Microsoft Dynamics. This update also includes fixes for several Chromium issues. Released ahead of the Pwn2Own competition, the patch volume is notably low for March. Microsoft recommends updating all products to the latest versions to secure against potential exploitation of these vulnerabilities.

On the first segment of the Learning Layer special series, host Sam Meisenberg talks with Joe Carrigan from Johns Hopkins’ Information Security Institute, and my co-host of the Hacking Humans podcast. Sam and Joe explore Joe's journey as he embarks on the road to taking his CISSP test after 14 years in the cyber industry, and why he decided to get it now. We will have a link for more info in our show notes. 

I do not authorize Facebook, Meta or any of its subsidiaries to use this news story. 

And finally, here we go again—Malwarebytes notes another round of that tired Facebook hoax claiming you can magically forbid Meta from using your photos and posts by copying and pasting some legal mumbo jumbo. Honestly, it's like Groundhog Day on social media, with this nonsense popping up more times than I can count since its first appearance in 2012. Despite clear statements from Facebook and numerous debunkings by fact-checkers like Snopes, people keep falling for it and spreading it around.

Let's set the record straight once and for all: posting a "declaration" on your Facebook timeline does absolutely nothing to change the terms you agreed to when you signed up. Facebook doesn't own your content, but yes, you give them permission to use it according to their terms—which, by the way, you agreed to. If you're that concerned about privacy, maybe it's time to rethink your relationship with social media instead of sharing a pointless post that achieves nothing but fueling more misinformation.

It's incredibly frustrating to see this hoax circulate time and time again, especially when there are legitimate privacy concerns to be aware of. Instead of doing a bit of research or questioning the efficacy of these viral "solutions," people just hit share, perpetuating fear and confusion. If you're tempted to share something like this "just in case," please don't. It only keeps this endless cycle of misinformation going. Let's be more critical of what we share and stop these hoaxes from getting yet another undeserved round of attention.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.