SANS NewsBites

Law Enforcement Turns Tables on LockBit; Varta Manufacturing Has Not Yet Resumed; Cyberattack Disrupts Change Healthcare

February 23, 2024  |  Volume XXVI - Issue #15

Top of the News


2024-02-22

Law Enforcement Turns Tables on LockBit

The authorities who took control of the website that the LockBit ransomware group used to leak stolen data are now using the site to slowly leak details about the ransomware group’s operations. Disclosed information includes LockBit-related arrests in Ukraine and Poland, decryption keys, and recovery tools.

Editor's Note

If you have been affected by LockBit, reach out to your local FBI contact to see if they have decryption keys available for you. At the same time: LockBit, the malware, is still around and modified installers have been sighted.

Johannes Ullrich

It appears that authorities are giving the LockBit organizers the digital middle finger as well as disclosing the identities of the two organizers to draw them into the open. Aside from watching that theatre play out, continue to expect variations/new generations of their ransomware. The other takeaway is that law enforcement has keys for LockBit, subsequently, decryption and/or recovery tools are available for free.

Lee Neely

The other shoe has dropped. Broadcasting the complete take-over via seized infrastructure must sting. Well-played by international law enforcement authorities. The only remaining question: will the evildoers learn their lesson or simply look to build new infrastructure and continue with the ransomware game?

Curtis Dukes

Again, well done to all involved. The intelligence data gathered by law enforcement during this operation will have many who are either directly involved in LockBit, or who are affiliates, looking over their shoulders for many years to come. This operation will hopefully become the template for many future operations to disrupt and detain other cybercriminal gangs.

Brian Honan

2024-02-22

Varta: Manufacturing Has Not Yet Resumed After Cybersecurity Incident

Two weeks after detecting a cyberattack on its systems, German battery manufacturer Varta says that it has not yet resumed production. The company is working with forensic IT experts and analysts to test and restart its systems. Varta is unable to say when manufacturing will resume at its five production plants.

Editor's Note

A good reason not to let your PR folks have the final word on breach releases is this quote from Varta: “Organised group of hackers who managed to break through the high security standards of VARTA's IT systems with a high level of criminal energy.” This is basically saying “Our security standards are only high enough to thwart disorganized individual hackers with low levels of energy, even though a successful attack could halt our production systems for two weeks or more.”

John Pescatore

While Varta is not sure when things will be online, they hope to have some services restored next week. They also warn customers that email exchanged between February 12 and 18 is lost and will need to be resent. Good move to notice where customer (or internal) communications are impacted by an incident and disclose that they will need to be repeated. Have you considered how you'd detect gaps in either your ticketing or email system, let alone the steps to bridge them?

Lee Neely

Varta’s annual revenue is around $1B. With downtime (3 weeks), forensic experts, system rebuilds, system purchases, this incident will easily cost them more than $100M. Hopefully, Varta will provide details of the attack, to include what cyber defenses were in place, so that we can all learn from this unfortunate incident.

Curtis Dukes

2024-02-22

Cyberattack Disrupts Change Healthcare Services

Change Healthcare is experiencing network disruptions following a cyberattack. Once the organization learned of the incident, they disconnected their systems to prevent any additional damage. The outage has impeded prescription processing, leading to delays in patients receiving their medications.

Editor's Note

Change Healthcare is part of the health tech company Optum, which has been operated by UnitedHealth Group since 2022. Change Healthcare processes patient payments for about 1/3 of US patients across the country. As of February 23rd, the American Hospital Association has advised possibly affected healthcare organizations to disconnect their systems from Optum until it's deemed safe to reconnect. While Change is providing status updates, and hopes to resolve the issue today, it's not clear what patients needing prescriptions need to do. Don't forget to include and repeat customer workarounds/actions in your notifications. If you're impacted, the best bet is to talk to your pharmacy about options to provide at least a bridging amount of medication while the issue is resolved.

Lee Neely

The Rest of the Week's News


2024-02-22

Apple Will Protect iMessage with Post-Quantum Encryption

Apple has announced its PQ3 post-quantum cryptographic protocol; it is currently in beta. PQ3 will be introduced in iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4; it will be enabled by default on devices that support it.

Editor's Note

Signal and Apple are taking the lead in implementing quantum safe encryption. But be careful rushing new algorithms into production. Apple developed its own "PQ3" algorithm. NIST is currently going through the deliberate and thorough process of identifying a quantum safe encryption standard. The process already eliminated a few algorithms that were initially considered safe by many experts. This isn't easy. If you develop software: Stay flexible and allow for encryption algorithms to be swapped later if needed. For any encryption implementation, a threat model is critical to define the most appropriate solution.

Johannes Ullrich

For anyone whose threat model ACTUALLY includes malicious actors capturing traffic now to decrypt in the future, quantum-resistant crypto may be something to consider. As Dr. J points out, several of the proposals NIST was considering have been found very weak (crypto is hard!), so best practice is probably to layer one of these new, shiny algorithms on top of something you already trust, like TLS 1.3.

Christopher Elgee
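The two recommendations in the notes above, keeping the ability to swap algorithms and layering a post-quantum algorithm on top of one you already trust, shown in code. This is an added example and not code from the newsletter, from Apple's PQ3 or from Signal: the suite ids, suite names and shared-secret values are constructed placeholders standing in for the outputs of real ECDH and KEM implementations, and the combiner follows the generic HKDF pattern rather than any specific protocol's design.

```python
"""Crypto agility and hybrid layering (added example, not from the newsletter).

  1. A suite registry, with the suite id bound into every derived key, so an
     algorithm can be added or retired without breaking old sessions.
  2. A hybrid combiner: a classical shared secret and a post-quantum shared
     secret both feed one KDF, so the session key stays secret as long as
     either input does.

Standard library only. Secrets below are constructed placeholders for real
ECDH and KEM outputs; suite ids and names are hypothetical.
"""
import hashlib
import hmac
import struct
from typing import Optional

# Hypothetical suite registry. Retiring a suite is a table edit, and
# derive_session_key refuses anything not listed rather than guessing.
SUITES = {
    0x0001: {"name": "ecdh-only", "hybrid": False},
    0x0002: {"name": "ecdh-plus-pq-kem", "hybrid": True},
}


def is_supported(suite_id: int) -> bool:
    return suite_id in SUITES


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(suite_id: int, classical_secret: bytes,
                       pq_secret: Optional[bytes], transcript: bytes) -> bytes:
    """Derive a 32-byte session key for `suite_id`.

    Each input secret is length-prefixed so the concatenation is unambiguous,
    the handshake transcript is the extract salt, and the suite id and name go
    into the expand info, so the same secrets under a different suite yield a
    different key. A hybrid suite without its post-quantum input is an error,
    never a silent downgrade.
    """
    if not is_supported(suite_id):
        raise ValueError(f"unknown suite 0x{suite_id:04x}")
    suite = SUITES[suite_id]
    if suite["hybrid"]:
        if pq_secret is None:
            raise ValueError("hybrid suite needs a post-quantum shared secret")
        parts = [classical_secret, pq_secret]
    else:
        parts = [classical_secret]
    ikm = b"".join(struct.pack(">H", len(p)) + p for p in parts)
    prk = hkdf_extract(hashlib.sha256(transcript).digest(), ikm)
    info = b"session-key|" + struct.pack(">H", suite_id) + b"|" + str(suite["name"]).encode()
    return hkdf_expand(prk, info, 32)


def confirmation_tag(key: bytes, transcript: bytes) -> bytes:
    """Key-confirmation MAC: shows the peer derived the same key without revealing it."""
    return hmac.new(key, b"key-confirm|" + transcript, hashlib.sha256).digest()


def verify_confirmation(key: bytes, transcript: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(confirmation_tag(key, transcript), tag)


def demo() -> bool:
    # Constructed stand-ins for an ECDH shared secret, a KEM shared secret and
    # the public handshake transcript; real code gets these from the protocol.
    ecdh_ss = bytes.fromhex("11" * 32)
    kem_ss = bytes.fromhex("22" * 32)
    transcript = b"client-pub|server-pub|kem-ciphertext (constructed)"
    k_client = derive_session_key(0x0002, ecdh_ss, kem_ss, transcript)
    k_server = derive_session_key(0x0002, ecdh_ss, kem_ss, transcript)
    return verify_confirmation(k_server, transcript, confirmation_tag(k_client, transcript))


if __name__ == "__main__":
    print("hybrid key confirmed:", demo())
```

The design point is that the suite id is an input to the key derivation, not just a label on the wire: a peer that negotiates a retired suite or omits the post-quantum secret ends up with a different key or an error, and key confirmation catches the mismatch before any data is sent.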

End-to-end encryption for all messaging is important but adding post-quantum encryption to an already encrypted service that only works on Apple devices shouldn’t be on anyone’s Top Ten risk list when business emails are still sent unencrypted.

John Pescatore

We still are about 5-10 years away from Q-Day and if you're in a sector where regulators are expecting you to implement PQC, this is a good place to see the process used to both certify and deploy a solution as well as see the impact. Otherwise, this may not be something you're focused on. Apple built their solution on both Signal's PQXDH and WhatsApp's auditable key directory leveraging both ECC and post-quantum Kyber and includes key rotation in their plans. Remember that all devices will need to be running an OS that supports PQ3 (and iMessage) or it will fall back to the older iMessage ECC encryption or even SMS (no encryption).

Lee Neely

While this is a great step on Apple’s part, remember most cyber attackers are far more likely to simply text their victim and trick them into doing something they should not do than try to break an encryption algorithm.

Lance Spitzner

2024-02-22

AT&T Outage

On Thursday, February 22, AT&T experienced an outage that disrupted connectivity for tens of thousands of mobile customers. On its update page, AT&T writes, “Based on our initial review, we believe that today’s outage was caused by the application and execution of an incorrect process used as we were expanding our network, not a cyber attack.” The issue has been resolved.

Editor's Note

One interesting "feature" of the outage was the reliance of media on "downdetector.com". This website does a great job in identifying widespread outages. But many reporting on the outage did not understand downdetector's methodology which led to reporting of outages in Verizon's and T-Mobile's network as well, which if they happened at all, were minor. Always consider the data collection methodology before drawing conclusions from data.

Johannes Ullrich

Yesterday morning, as I was changing flights in Denver, it was odd to see my AT&T device, in a strong coverage area, with SOS service, and I had friends speculating that the root cause was a configuration or other process error. While we've all set up change processes, many of which include rollback plans, how many of you have tested the roll-back, let alone provided for an adequate time period to roll back? With nested interdependencies, it may not be the "5 minutes" your staff thinks it is. The challenge is to ask them to find an effective way to benchmark that process.

Lee Neely

Another data point on the need for system administration hygiene. But the real question is: Did the Gross Domestic Product of the US go down or up when all those mobile devices stopped beeping, ringing and vibrating??

John Pescatore

Well certainly a bad day for AT&T and its brand but it will survive. For organizations, this offers the perfect risk management tabletop exercise. Should you introduce an alternative communication pathway for business operation or can the company live with a little downtime? For users, it provides the opportunity to negotiate a discount on their plan when renewal time comes. And for government, perhaps a little red-teaming [tabletop] of the network-to-network peering is in order just to be safe.

Curtis Dukes

Let this outage serve as a good reminder as to how you manage business resilience as a result of an outage in your supply chain. I wonder how many businesses had staff who could not work or their productivity impacted by not having access to calls or to mobile data?

Brian Honan

2024-02-21

VMware Advises Users to Remove Old Plugin

VMware has issued an advisory alerting users to two vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP). The advisory urges users to remove the plugin, which is no longer supported. The flaws are a critical arbitrary authentication relay vulnerability and a high-severity session hijack vulnerability.

Editor's Note

CVE-2024-22245, the authentication relay flaw, has a CVSS score of 9.6 and can be used to relay requests for Kerberos tickets from a malicious site through your authorized vCenter clients. CVE-2024-22250, the session hijack flaw, has a CVSS score of 7.8 and allows vCenter sessions to be hijacked. Removal of both the EAP browser plugin and the Windows service on the client is required to mitigate the flaws. There is no patch. This service is only used in vSphere 7 for SSO; moving to vSphere 8 allows for additional authentication options including ADFS, Okta, and MS Authenticator.

Lee Neely

2024-02-21

White House Issues Port Cybersecurity Executive Order

The White House has released an executive order aimed at strengthening cybersecurity of US ports. The Executive Order on Amending Regulations Relating to the Safeguarding of Vessels, Harbors, Ports, and Waterfront Facilities of the United States grants the Department of Homeland Security (DHS) the “authority to directly address maritime cyber threats, including through cybersecurity standards to ensure that American ports’ networks and systems are secure.” In a related story, the US Department of Transportation Maritime Administration issued an advisory on Foreign Adversarial Technological, Physical, and Cyber Influence.

Editor's Note

I've worked with a number of the USCG's cyber warriors, and they're great at what they do. I applaud any executive or legislative action that expands their ability to help defend the nation. Here's hoping they're also given the resourcing and latitude to continue growing their cyber force structure. Semper paratus, my friends!

Christopher Elgee

The message to the ports is to increase the security of their OT systems from PRC backed services and devices. The action calls for segmentation, monitoring, MFA, updating, backups, and reporting of incidents/suspected incidents, as we've seen in other critical infrastructure sectors. The Coast Guard, CISA and FBI are providing support for reporting and CISA can provide implementation guidance.

Lee Neely

A crucial part of our infrastructure to which we hardly give any thought unless it breaks.

William Hugh Murray

2024-02-21

Joomla Updates Fix Five Flaws

Joomla has released updates to address five vulnerabilities in its content management system. The flaws could be exploited to achieve arbitrary code execution on unpatched websites. Joomla has fixed the vulnerabilities in versions 5.0.3 and 4.4.3. The updates also incorporate several bug fixes and improvements.

Editor's Note

While it appears an administrator has to click a link to enable the exploit, it's still time to apply the updates. While Joomla provides updates for both 4.4 and 5.0, Joomla 4.4 sites can be upgraded, rather than migrated, to Joomla 5, so it's recommended to update to Joomla 5.0.3.

Lee Neely

2024-02-21

Water System Security Guidance

The US Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the FBI have released a fact sheet listing top actions for securing water systems. The document includes free tools, resources, and services to support recommended actions, which include conducting regular cybersecurity assessments, conducting an inventory of OT/IT assets, and developing and exercising cybersecurity incident response and recovery plans.

Editor's Note

The actions are prioritized to help get your arms around raising the bar, and some actions, such as changing default passwords, are effectively free. While removing direct (Internet) access to OT systems may sound like it'll be expensive, requiring staff to use other mechanisms to reach them, the prevalence of targeted OT attacks, particularly successful ones, will quickly outweigh those costs. Leverage the resources in the report to keep things manageable.

Lee Neely

Just two pages. A two minute read. Actions to be taken. If taken across the industry, they will raise the cost of attack by a factor of ten. Great start.

William Hugh Murray

While it’s good to have security guidance specific to water systems, the guidance for every critical sector has been around for decades. Regular cybersecurity assessments, check. Inventory of assets (HW, SW, Data), check. Creating and exercising incident response and recovery plan, check. These and other critical security controls should become the minimum baseline required of every critical infrastructure provider.

Curtis Dukes

2024-02-22

SSH-Snake Network Traversal Tool is Being Abused

Threat actors have been using a recently released network mapping tool for malicious purposes. “SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network.” Researchers from Sysdig have observed threat actors using SSH-Snake to steal SSH credentials. The attackers exploited known vulnerabilities to gain initial access to the systems.

Editor's Note

The worm is fileless and uses compromised credentials to access systems. You can raise the bar by disallowing password-based authentication to Internet-facing SSH. Better still, don't allow SSH from the Internet, require certificate authentication for privileged users and review access, eliminating unused/unneeded accounts.

Lee Neely
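The hardening steps in the note above, turned into a configuration check you can run against an OpenSSH server config. This is an added example, not from the newsletter or from Sysdig's write-up: the two sshd_config samples are constructed, the user CA key path is a placeholder, and the audit relies on OpenSSH's documented rule that the first value it sees for a keyword is the one that applies.

```python
"""Audit an OpenSSH sshd_config against the SSH hardening advice above.

Added example, not part of the newsletter. Checks that password logins are
off, that root cannot log in directly, that public-key authentication is on,
and that a user CA is configured so certificate authentication is possible.
Only global directives are evaluated; Match blocks are reported as notes.
Both sample configs are constructed.
"""
import re
from typing import Dict, List, Tuple

# OpenSSH server defaults that apply when a directive is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}

# Directive -> (required value, why it matters on an Internet-facing host).
REQUIRED = {
    "passwordauthentication": ("no", "password logins let stolen or guessed credentials in"),
    "kbdinteractiveauthentication": ("no", "keyboard-interactive (PAM) prompts can still take a password"),
    "permitrootlogin": ("no", "privileged access should go through a named, reviewed account"),
    "pubkeyauthentication": ("yes", "key or certificate authentication is the replacement for passwords"),
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (global directives, Match block header lines).

    sshd keeps the FIRST value it sees for a keyword, so a 'no' appended at
    the end of the file does not override an earlier 'yes'. Lines inside a
    Match block are conditional and are skipped for the global audit.
    """
    settings: Dict[str, str] = {}
    match_headers: List[str] = []
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
            match_headers.append(line)
            continue
        if in_match:
            continue
        settings.setdefault(key, value)  # first occurrence wins
    return settings, match_headers


def audit_sshd_config(text: str) -> Dict[str, List[str]]:
    settings, match_headers = parse_sshd_config(text)
    # ChallengeResponseAuthentication is the older alias for KbdInteractiveAuthentication.
    if "kbdinteractiveauthentication" not in settings and "challengeresponseauthentication" in settings:
        settings["kbdinteractiveauthentication"] = settings["challengeresponseauthentication"]
    findings: List[str] = []
    for key, (want, why) in REQUIRED.items():
        have = settings.get(key, DEFAULTS[key])
        shown = have if key in settings else f"{have} (default)"
        if have.lower() != want:
            findings.append(f"{key} is {shown}, expected {want}: {why}")
    if "trustedusercakeys" not in settings:
        findings.append("trustedusercakeys is unset: no user CA, so certificate authentication is unavailable")
    notes = [f"conditional block not evaluated: {h}" for h in match_headers]
    return {"findings": findings, "notes": notes}


WEAK_CONFIG = """\
# constructed sample: a default-leaning Internet-facing sshd_config
Port 22
PasswordAuthentication yes
PermitRootLogin yes
# appended later while "hardening"; ineffective because the first value wins
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
# constructed sample: the note's advice applied (CA path is a placeholder)
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/user_ca.pub
Match User deploy
    ForceCommand /usr/local/bin/deploy-only
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_sshd_config(cfg)
        print(name, "->", len(result["findings"]), "finding(s)")
        for line in result["findings"] + result["notes"]:
            print("  ", line)
```

The weak sample produces four findings, one of them the default keyboard-interactive setting that is easy to forget when only PasswordAuthentication is turned off; the hardened sample produces none, with a note that the Match block still needs a separate look.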

Internet Storm Center Tech Corner

Python InfoStealer With Dynamic Sandbox Detection

https://isc.sans.edu/diary/Python+InfoStealer+With+Dynamic+Sandbox+Detection/30668

Phishing Pages Hosted on Archive.org

https://isc.sans.edu/diary/Phishing+pages+hosted+on+archiveorg/30676

Friend, Foe or Something In Between

https://isc.sans.edu/diary/Guest+Diary+Friend+foe+or+something+in+between+The+grey+area+of+security+research/30670

Large AT&T Wireless Network Outage

https://isc.sans.edu/diary/Large+ATT+Wireless+Network+Outage+att+outage/30680

SSH Snake Abused in the Wild

https://github.com/MegaManSec/SSH-Snake

iMessage with PQ3

https://security.apple.com/blog/imessage-pq3/

Connect Wise ScreenConnect Used by LockBit

https://www.bleepingcomputer.com/news/security/screenconnect-servers-hacked-in-lockbit-ransomware-attacks/

ConnectWise ScreenConnect Vulnerabilities

https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

ScreenConnect Authentication Bypass Exploit (CVE-2024-1709, CVE-2024-1708)

https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass

Remove VMware Enhanced Authentication Plugin (EAP) CVE-2024-22245 CVE-2024-22250

https://kb.vmware.com/s/article/96442

Voltage Noise to Manipulate Wireless Chargers

https://arxiv.org/pdf/2402.11423.pdf