The rebirth of Russia's cyber warfare.

A Russian hacker group boldly targets critical infrastructure. The Change Healthcare ransomware attack is projected to cost over a billion dollars. Three hundred bucks is the going rate for a SIM swap. PuTTY potentially reveals private keys. Cisco Talos reports a surge in brute-force attacks. Ivanti updates its MDM product. Omni Hotels & Resorts confirm a data breach. Financially motivated hackers target Businesses in Latin America with steganography. A prolific cryptojacker faces decades in prison. On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey. The ransomware equivalent of a Saturday night special. 

Today is April 17th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A Russian hacker group boldly targets critical infrastructure. 

For the past decade, Russia's Sandworm, a military cyber unit, has been notorious for its disruptive cyberattacks worldwide. Recently, a related hacker group, the Cyber Army of Russia or Cyber Army of Russia Reborn, has escalated these digital assaults, targeting critical infrastructure in the U.S., Poland, and France. This group has claimed responsibility for hacking water utilities and a hydroelectric dam, aiming to sabotage through the manipulation of control systems. Their actions, documented in social media videos, have resulted in tangible disruptions, such as an overflowed water tank in Texas.

Cybersecurity firm Mandiant links this group to Sandworm, suggesting either a shared identity or a collaboration between the two. Unlike Sandworm's indirect strategies, the Cyber Army of Russia Reborn directly targets foreign networks, marking a bold shift in operational tactics. Their attacks, characterized by a mix of technical knowledge and reckless tampering, have raised concerns over potential catastrophic outcomes.

While Sandworm appears to have transitioned towards espionage supporting Russia's military efforts in Ukraine, the Cyber Army of Russia Reborn continues its disruptive operations. This shift hints at a possible evolution in cyber warfare tactics, with implications for global cyber security and the risks of unanticipated, severe incidents stemming from less restrained cyber activism. 

Wired’s Andy Greenberg has the complete story, and we’ll have a link in the show notes. 

The Change Healthcare ransomware attack is projected to cost over a billion dollars. 

The ransomware attack on Change Healthcare, owned by UnitedHealth Group (UHG), has reportedly — so far — incurred $872 million in losses. The February incident led to hundreds of systems being taken offline, prompting criticism from the White House and Congress. Despite a first-quarter earnings of $7.8 billion, UHG faced significant direct costs and revenue losses due to the attack. The company estimates up to $1.15 billion in direct costs and additional losses of $350 to $450 million for the year. Restoration efforts have brought some services back, with the pharmacy claim platform at 80% functionality. Meanwhile, the ransomware gang behind the attack, AlphV or BlackCat, has seen internal conflicts and data leaks, with over 4 terabytes of sensitive data, including patient information, being leaked. UHG is working with authorities amidst ongoing extortion threats and data leaks, but faces scrutiny over its handling of the situation and the impact on the healthcare industry.

Three hundred bucks is the going rate for a SIM swap. 

Criminals are targeting T-Mobile and Verizon employees with text messages, offering $300 for assistance in conducting SIM swaps. This campaign aims at current and former employees capable of accessing necessary systems. Screenshots reveal offers from different numbers, with claims of obtaining contact info from employee directories. While initially thought to be solely targeting T-Mobile workers, Verizon employees have also reported receiving similar texts. T-Mobile confirmed they are investigating these solicitations for illegal activity but denied any system breach. The surge in SIM swap attacks, where criminals hijack phone numbers to access victims' personal and financial information, prompted the FBI to issue warnings and the Federal Communications Commission (FCC) to introduce new rules for secure authentication and customer notifications for SIM changes or port-out requests.

PuTTY potentially reveals private keys. 

A vulnerability in PuTTY, the free and open-source terminal emulator, serial console, and network file transfer application exposes a method for attackers to potentially recover the private key from 60 cryptographic signatures. This flaw arises from a deterministic nonce generation process intended to compensate for inadequate cryptographic randomness in some Windows versions. The issue could allow unauthorized SSH server access or enable attackers to sign commits fraudulently, posing a risk of supply chain attacks. The exploit requires acquiring signatures from server logins or signed Git commits. Users are advised to update their tools and replace potentially compromised keys.

Cisco Talos reports a surge in brute-force attacks. 

Cisco Talos reports a surge in brute-force attacks globally targeting VPNs, web application interfaces, and SSH services since March 18, 2024. Originating from TOR exit nodes and various anonymizing services, these attacks aim at various services including Cisco Secure Firewall VPN, Checkpoint, Fortinet, SonicWall, and others. The indiscriminate attempts use both generic and organization-specific usernames, potentially leading to unauthorized access, account lockouts, or denial-of-service. The threat, intensifying over time, leverages multiple proxy services, prompting Cisco to update its blocklist in response to the changing source IPs.

Ivanti updates its MDM product. 

Ivanti has updated its Avalanche mobile device management (MDM) product, addressing 27 vulnerabilities, including two critical bugs with a 9.8 CVSS score that could enable remote code execution by unauthenticated attackers. The critical flaws are heap overflow issues in the WLInfoRailService and WLAvalancheService components. Although there are no reports of these vulnerabilities being exploited, their severity underscores the importance of the patch, especially given Avalanche's role in managing extensive device deployments in large organizations. The update also rectifies 25 other vulnerabilities, mainly path traversal and out-of-bounds read issues. 

Omni Hotels & Resorts confirm a data breach. 

Omni Hotels & Resorts confirmed a data breach following the Good Friday cyberattack on March 29, with customer names, email and mailing addresses, and some loyalty program information compromised. Importantly, payment and financial details, along with Social Security numbers, were not affected. The attack's timing during a busy holiday period is indicative of ransomware gangs targeting hospitality for their capacity to pay significant ransoms due to potential revenue losses. The Daixin Team, a ransomware group previously focused on healthcare, claimed responsibility and initially demanded a $3.5 million ransom, later reduced to $2 million, though it's unclear if Omni paid. 

Financially motivated hackers target Businesses in Latin America with steganography. 

Security researchers from Positive Technologies have identified over 300 attacks by financially motivated hackers targeting businesses in Latin America, employing steganography to embed malicious code in digital images. The group behind these attacks, known as TA558, has expanded its focus from the hospitality industry in Spanish and Portuguese-speaking countries to various industries in Russia, Romania, and Turkey. TA558 uses a range of malware tools, including AgentTesla and FormBook. One documented attack involves exploiting a Microsoft Office vulnerability (CVE-2017-11882) to execute a PowerShell script hidden in a JPEG image, leading to the installation of Agent Tesla malware. 

A prolific cryptojacker faces decades in prison. 

Charles O. Parks III, a 45-year-old from Nebraska, is set to appear in federal court in Omaha, charged with operating a cryptojacking scheme that cost cloud computing providers millions. Arrested on April 13, Parks faces wire fraud, money laundering, and unlawful monetary transaction charges. From January to August 2021, he allegedly used cloud services under the guise of his corporate entities to mine over $970,000 in cryptocurrency, costing two major providers $3.5 million in resources. Parks reportedly manipulated account setups and benefits, continuing operations even after suspensions for nonpayment and fraud. The proceeds were laundered through exchanges, an NFT marketplace, online payment services, and banks, ultimately funding extravagant purchases. He risks up to 20 years in prison for wire fraud and 10 years for unlawful monetary transactions.

On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's CISSP study journey. They discuss content and study strategies for Domain 2, Asset Security. 

We’ll be right back

Welcome back. You can find more details about the N2K training Joe is doing for his CISSP exam in our show notes. 

The ransomware equivalent of a Saturday night special. 

A "junk gun," often referred to pejoratively as a "Saturday night special," is a term used to describe cheaply made, low-caliber handguns that are considered to be of poor quality and reliability. Back in the 70s they were the go-to weapon of choice for, say, holding up a liquor store. Or so I’ve been told.

In the digital arms race of the 21st century, Sophos X-Ops has uncovered the cyber equivalent of "junk guns" proliferating across underground forums. Dubbed "junk-gun ransomware," this trend features rudimentary, low-cost ransomware tools sold mostly on a one-time purchase basis, diverging from the traditional Ransomware-as-a-Service (RaaS) model. This development democratizes cybercriminal capabilities, offering entry-level attackers the means to execute ransomware campaigns without substantial initial investment or technical skill.

Through their investigation, researchers discovered 19 varieties of such ransomware, indicating a significant shift towards enabling lower-skilled threat actors to partake in cyber extortion activities. These tools, available across several forums from June 2023 to February 2024, range in sophistication and cost, highlighting an emerging market catering to cybercriminals targeting smaller, less protected entities.

The allure of junk-gun ransomware lies in its accessibility and potential profitability for individuals targeting small businesses and personal devices. These digital weapons are cheap, hard to trace, and provide a low barrier to entry for illicit activities, mirroring the advantages once held by physical "junk guns." 

I must admit I’ve sometimes pondered the potential of a criminal business model of “nuisance” ransomware, low-level, low-sophistication, low-cost to the victim activities that provide steady cash flow for the criminal owner/operator, but which also flies under the radar of law enforcement, who have much bigger fish to fry. 

And when I say pondered I mean purely as a hypothetical, of course. A thought exercise. Stay in school, friends. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.