SANS NewsBites

Secure Your Routers! Healthcare ALPHV/Blackcat Ransomware Updates

March 1, 2024  |  Volume XXVI - Issue #17

Top of the News


2024-02-28

CISA Updates ALPHV Blackcat #StopRansomware Advisory

The US Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and the Department of Health and Human Services (HHS), has released an update to their joint advisory about the ALPHV/Blackcat ransomware-as-a-service (RaaS). The update adds new indicators of compromise as well as associated tactics, techniques, and procedures. ALPHV/Blackcat attacks have been focusing on the healthcare sector, most recently in the attack against Change Healthcare.

Editor's Note

The advisory was issued in response to recent healthcare-related ransomware incidents. But keep in mind that the same techniques are also used in other industries. They are not healthcare-specific.

Johannes Ullrich

Starts with four items to do today. While urgent, most will take longer than a day. I would add network segmentation to the list. Ransomware attacks exploit the ability to move laterally.

William Hugh Murray

The ransomware group Blackcat is an equal opportunity attacker; every industry sector is a target. While the advisory updates IoCs and attacker tactics, the best defense remains diligence in patch, configuration, and credential management.

Curtis Dukes

2024-02-28

Cencora Discloses Data Exfiltration

In a filing with the US Securities and Exchange Commission (SEC), pharmaceutical distribution and consulting company Cencora disclosed that a cyber incident resulted in the exfiltration of sensitive personal data from their network. Cencora says they learned of the breach on February 21 and have “not yet determined whether the incident is reasonably likely to materially impact [their] financial condition or results of operations.”

Editor's Note

Cencora’s filing is an example of a “compliance-only” breach notification, essentially saying “something bad happened, we noticed, not sure how bad yet, but we think we contained it.” Where possible, convince your management that “lack of liability through obscurity” does not help in the long run and providing more information helps the waters all businesses swim in to get cleaner sooner.

John Pescatore

With the filing, Cencora met the intent of new SEC rules around material cyber incidents. What’s interesting though, is how a Fortune 500 company with over $230B in annual revenue fell victim to what is likely a ransomware attack. Unfortunately, details are scant now.

Curtis Dukes

Cencora, formerly AmerisourceBergen, states there is no connection between this attack and the attack at Change Healthcare. Reality is that because of the havoc that can be created by attacking/disrupting healthcare, it will remain a popular target for attackers. This points back to cyber hygiene as well as proactive monitoring and security posture assessment. If you can, hire a third party to assess your security posture before the attackers do it for you.

Lee Neely

2024-02-28

Secure Your Ubiquiti EdgeRouters

In a joint advisory, law enforcement and cybersecurity-related agencies from 11 countries warn that Russian state-sponsored hackers are likely to continue to use compromised Ubiquiti EdgeRouters to conduct malicious activity. The threat actors are known to have abused the devices “to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools.” In January, the agencies disrupted a botnet of the compromised routers. This advisory warns that the threat actors are likely to do the same thing again and urges owners of the routers to take steps to protect their devices from compromise. Recommended actions include performing a hardware factory reset, upgrading to the most recent version of firmware, changing default usernames and passwords, and implementing strategic firewall rules on WAN-side interfaces.

Editor's Note

Ubiquiti routers are still under attack. We did not see a significant drop in scans for Ubiquiti routers following the takedown. We are seeing even more scans for default credentials for other routers like, for example, Vyatta.

Johannes Ullrich

The hackers from APT28 were installing Moobot (a Mirai variant, leveraging SSH trojans) on vulnerable routers, turning them into a botnet. Review your bash history, iptables and .ssh directories for unexpected keys. If you have a compromised or suspected-compromised device, perform a hardware factory reset, upgrade to the latest firmware, change default passwords, and make sure WAN access for administration is disabled.

Lee Neely
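One way to act on the advice above to review .ssh directories for unexpected keys, as an added example that is not part of the original newsletter, the advisory, or Ubiquiti's tooling: it compares the device's authorized_keys against the administrator's own baseline by OpenSSH SHA256 fingerprint, so a key that was swapped but kept its comment is still caught. It assumes the standard OpenSSH authorized_keys format; both key files and the key blobs in them are constructed here, not real keys.

```python
"""Report keys in a router's authorized_keys that are absent from the
administrator's own baseline, matching by OpenSSH SHA256 fingerprint.
Example added to this page, not Ubiquiti's or the advisory's code; both key
files are constructed and the key blobs are generated here, not real keys."""
import base64
import hashlib

def fake_ed25519_blob(seed: bytes) -> str:
    """Constructed, syntactically valid ssh-ed25519 blob: type string + 32-byte point."""
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(raw).decode()

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def parse_authorized_keys(text: str):
    """Yield (fingerprint, key_type, comment) per key line; blank and # lines skipped.
    A leading options field (e.g. from="10.0.0.0/8") is tolerated as long as it
    contains no spaces, which is the common case on a router."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(parts):
            continue  # malformed line: no key type or no blob
        key_type, blob = parts[idx], parts[idx + 1]
        yield fingerprint(blob), key_type, " ".join(parts[idx + 2:])

def unexpected_keys(device_text: str, baseline_text: str):
    """Keys present on the device but not in the baseline, compared by fingerprint
    so that an edited comment cannot hide a swapped key."""
    baseline = {fp for fp, _, _ in parse_authorized_keys(baseline_text)}
    return [k for k in parse_authorized_keys(device_text) if k[0] not in baseline]

ADMIN_KEY = fake_ed25519_blob(b"admin-laptop")      # constructed
ROGUE_KEY = fake_ed25519_blob(b"not-provisioned")   # constructed

BASELINE = f"ssh-ed25519 {ADMIN_KEY} admin@laptop\n"
DEVICE = f"""# constructed authorized_keys as pulled from the router
ssh-ed25519 {ADMIN_KEY} admin@laptop
from="10.0.0.0/8" ssh-ed25519 {ROGUE_KEY} unknown@unprovisioned
"""

if __name__ == "__main__":
    for fp, key_type, comment in unexpected_keys(DEVICE, BASELINE):
        print(f"UNEXPECTED {key_type} {fp} {comment!r}")
```

Run it against a copy of the device's authorized_keys and your provisioning records; anything it lists should be explained before the reset-and-reflash step, since the baseline is also what you restore afterwards.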

The law enforcement takedown of the botnet in January triggered a rush by evildoers to compromise other SOHO routers, using default login credentials. Of the mitigations offered in the advisory only two, hardware reset and change passwords, are ‘doable’ for the bulk of SOHO router owners. That is, if they even get word that their router is being targeted.

Curtis Dukes

The Rest of the Week's News


2024-02-28

White House Executive Order Aims to Protect Sensitive Personal Data

On Wednesday, February 28, the White House issued an executive order (EO) banning the sale of sensitive personal data to “countries of concern.” As per the order, the Justice Department (DoJ) will initiate a rulemaking process to establish a data security policy; there will be an opportunity for public comment. The US Attorney General will work with the Departments of State and Commerce to determine which countries will be affected by the policy.

Editor's Note

Seems like a no-brainer to me that we would want to protect US consumer data, regardless of country of concern. Frankly, it’s long overdue to pass a national data privacy law vice the hodge-podge of state data privacy laws. The law would bound what, if anything, data brokers can do with US consumer data.

Curtis Dukes

2024-02-29

Malicious GitHub Repositories

Cloned versions of legitimate repositories with obfuscated malicious code have made their way onto GitHub. The malware steals passwords and cryptocurrency. While GitHub is able to detect automation and remove bad repositories, some are still missed, and the process doesn’t address those that were uploaded manually. The campaign was detected by researchers at Apiiro.

Editor's Note

Part of the issue is volume; the automation detection is missing about 1% of the bogus repos. The attack is flooding GitHub with millions of code repositories which contain the obfuscated malware. Initial small tests of this attack date back to May 2023, with things really ramping up in November of 2023 through today. The best defense is to monitor your code for infected payloads, and check for IOCs as outlined in the Apiiro blog posting.

Lee Neely

2024-02-27

Judge Issues Restraining Order, Putting Brakes on DOE’s Plan to Track Cryptomining Energy Consumption

In February, the US Department of Energy (DOE) announced its intent to gather information from large cryptomining operations to assess the level of energy consumption the industry is demanding. On February 23, a judge in Texas issued a restraining order against the DOE prompted by a lawsuit filed by cryptomining companies. The DOE’s decision to collect the information was an emergency order rather than regular rulemaking, which normally takes much longer. The lawsuit maintains that completing the DOE’s survey would be costly and time consuming and that it would risk exposing confidential information.

Editor's Note

Hard to really justify an emergency here and emergency orders are definitely two-edged swords. But, assessing the environmental impact of the mostly speculative use of digital “currencies” would be good data to see.

John Pescatore

The miners are contending DOE's requested survey would take as much as 40 hours to complete. The injunction was filed in the Western District of Texas as there is a lot of Bitcoin mining in the state, which benefits from cheap power due to overproduction by windfarms located in the panhandle. The emergency order was used by DOE as the rulemaking process can take upwards of a year.

Lee Neely

Each Bitcoin costs more to mine than the one before it. This mimics real world mining. We have reached the point where energy is a major cost of such mining. Bitcoin miners are motivated to, and have been known to, steal the energy that they use. In any case, it is important for us to know the sources and uses of energy.

William Hugh Murray

2024-02-29

Cisco Releases Updates to Address Five Vulnerabilities

On Wednesday, February 28, Cisco released fixes for five vulnerabilities affecting several of their products. Two denial-of-service vulnerabilities, both of which affect Cisco NX-OS software, are rated high-severity. The other three vulnerabilities are rated medium severity; they affect Cisco UCS 6400 and 6500 Series Fabric Interconnects, Cisco Nexus 3000 and 9000 Series Switches, and the Link Layer Discovery Protocol (LLDP) feature of Cisco FXOS Software and Cisco NX-OS Software.

Editor's Note

Cisco is addressing five CVEs: CVE-2024-20321 (BGP denial of service), CVE-2024-20267 (IPv6 denial of service), CVE-2024-20344 (Fabric Interconnects managed mode DOS), CVE-2024-20291 (Port Channel ACL programming flaw) and CVE-2024-20294 (Software Link Layer Discovery Protocol DOS flaw). Irrespective of the CVSS scores, these devices should already be at the top of your list to keep updated. All the flaws have patches for the affected devices, and while there is a workaround for the Port Channel ACL programming flaw, applying the update appears much easier than the workaround.

Lee Neely

2024-02-27

DOE Chooses Projects for Cyber Research, Development, and Demonstration Funding

The US Department of Energy is devoting $45 million in funding for 16 projects focused on “develop[ing] tools and technologies to reduce cyber risks to energy infrastructure.” Projects chosen by the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) cover six topic areas: Automated Cyberattack Prevention and Mitigation, Security and Resiliency by Design, Authentication Mechanisms for Energy Delivery Systems, Automated Methods to Discover and Mitigate Vulnerabilities, Cybersecurity through Advanced Software Solutions, and Integration of New Concepts and Technologies with Existing Infrastructure. The awardees include both academic research institutions and private sector organizations.

Editor's Note

Reading the proposals, which range from small form factor secure compute platforms to regulate natural gas flows, to increased security for 4G and 5G communications, to leveraging AI to detect and mitigate vulnerabilities in DER devices, this is some exciting research which should aid advances outside the energy sector.

Lee Neely

Energy is our most critical and fragile infrastructure. It is vulnerable to cyberattacks. It is not an exaggeration to say that it represents an existential risk. This is a much needed initiative with significant potential.

William Hugh Murray

2024-02-29

Lazarus and Windows Kernel Zero-day

North Korean state-sponsored threat actors have exploited a known privilege elevation vulnerability in the Windows AppLocker driver to disable security software on compromised machines. The flaw was detected by researchers from Avast, who reported the issue to Microsoft. The vulnerability was fixed in Microsoft’s February security release.

Editor's Note

CVE-2024-21339, CVSS score 7.8, allows an attacker to gain SYSTEM privileges. The fix is simple in principle, roll out the February updates from Microsoft and you're good to go. Note that on Wednesday, Microsoft changed their assessment from Exploitability assessment to Exploitation Detected. Make sure that update gets applied in a timely fashion, and you'll be good.

Lee Neely

2024-02-28

German University Suffers Cyberattack

Hochschule Kempten in Kempten, Germany says its network has suffered a cyberattack on its IT infrastructure. The school “has shut down large parts of the IT infrastructure” as a precaution, and is currently unreachable by email, although the telephone system is operational. Hochschule Kempten is a university of applied sciences.

Editor's Note

There was a rash of attacks targeting German-speaking applied universities last year, including the University of Zurich and HS Kaiserslautern; this appears to continue that trend. The challenge in an educational setting is to enable collaboration while protecting core IT. Consider completely separate networks, possibly even separate ISP connections, to ensure they remain isolated.

Lee Neely

2024-02-29

ICYMI: February Security Updates

The Wired staff offers a rundown of security updates released during the month of February 2024, including Microsoft’s Patch Tuesday, Google’s Android Security Bulletin, as well as fixes for vulnerabilities in Ivanti products, Fortinet products, and the Firefox and Chrome browsers.

Editor's Note

In retrospect, February was a busy month for patching and remediation of vulnerabilities; if you're wondering why you're feeling bushed, read this list. Then go back and make sure you've got as many of these updates automated as possible. Make sure you’re not still lovingly applying updates manually - think cattle not pets.

Lee Neely

2024-02-29

Japan’s CERT/CC Warns Lazarus Threat Actors Released Malicious PyPI Packages

Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC) has published an alert warning that the Lazarus threat actor group has released malicious packages to the Python Package Index (PyPI). The four identified malicious PyPI packages have more than 3,200 downloads, collectively.

Editor's Note

They are taking advantage of users making typos in package names. For example, pycryptoenv and pycryptoconf are similar to pycrypto in name. The blog includes not only an analysis of the malicious packages but also a set of IOCs for you to leverage. As they say, check the name twice and download once; always make sure you're getting the genuine package you requested.

Lee Neely
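A pre-install check along the lines of "check the name twice", as an added example that is not part of the original newsletter or of JPCERT/CC's materials: it normalizes requested package names and flags any that differ from an allowlisted package only by a short suffix (the pycryptoenv / pycryptoconf pattern from the alert) or by one or two edits (a transposition such as reqeusts, which the alert does not name and which is added here). The allowlist, the thresholds and the sample requirements file are constructed, not taken from the alert.

```python
"""Flag requested PyPI package names that look like typosquats of well-known
packages before installing them. Example added to this page, not JPCERT/CC's or
PyPI's code; the allowlist, thresholds and sample requirements are constructed."""
import re

# Constructed allowlist: packages this project is actually expected to use.
KNOWN_GOOD = {"pycrypto", "pycryptodome", "requests", "numpy"}

def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of -_. collapsed to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a: str, b: str) -> int:
    """Edit distance by straightforward dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_name(requested: str, known=KNOWN_GOOD):
    """Return (verdict, closest_known_name, reason) for one package name."""
    req = normalize(requested)
    if req in known:
        return ("ok", req, "exact match")
    for good in sorted(known, key=len, reverse=True):
        # pycryptoenv / pycryptoconf pattern: a known name plus a short suffix
        if req.startswith(good) and len(req) - len(good) <= 5:
            return ("suspect", good, "known name with extra suffix")
        # one- or two-character slips, e.g. a transposition
        if levenshtein(req, good) <= 2:
            return ("suspect", good, "within 2 edits of a known name")
    return ("unknown", None, "not in allowlist")

def check_requirements(text: str):
    """Parse requirements.txt-style lines; return (name, target, reason) for suspects."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name = re.split(r"[=<>!~\[; ]", line, maxsplit=1)[0]
        verdict, target, reason = check_name(name)
        if verdict == "suspect":
            findings.append((name, target, reason))
    return findings

# Constructed requirements file; the two pycrypto* names mirror the JPCERT/CC alert.
SAMPLE_REQUIREMENTS = "requests==2.31.0\npycryptoenv\nnumpy>=1.26\npycryptoconf\nreqeusts\n"

if __name__ == "__main__":
    for name, target, reason in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name}: resembles {target} ({reason})")
```

A name that comes back "unknown" is not necessarily malicious; it just is not on the allowlist yet and deserves a look at the project page before it is added.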

2024-02-29

Law Firm Discloses Data Breach

California-based law firm Houser LLP has disclosed that it suffered a cybersecurity incident resulting in the compromise of sensitive information belonging to more than 325,000 individuals. On May 9, 2023, Houser learned that certain files on their systems had been encrypted. An investigation revealed that some of the files had been copied and exfiltrated. Houser is a national litigation law firm with offices in 11 US states.

Editor's Note

This is a good case study for any law firm, but especially those chasing class action lawsuits and collecting lots of personal information from potential customers. The incident was not detected until the criminals contacted them, a third-party investigation took over 6 months to complete, and notification didn’t happen until a month after that. A breach of this size will have hard costs in the tens of millions of dollars - likely 10 times as much as the cost to avoid would have been.

John Pescatore

The write-up clearly indicates that Houser LLP were the victim of a successful ransomware extortion. What’s interesting is that per the filing, the breach was discovered in January 2024, yet the law firm had contact with the attacker(s) in June 2023. From that contact, agreement was reached that the attacker(s) would delete the pilfered data. So, bottom line, it took from May 2023 to February 2024 to notify victims that their PII had been stolen.

Curtis Dukes

Sensitive information includes credit card, social security, tax ID and driver's license numbers, financial account and medical information. Reports are that after the attackers were contacted by Houser, they agreed to delete the pilfered data and not to distribute it. Houser has implemented improved security measures including ransomware detection, phishing simulation and MFA for Office 365. Affected parties are being offered credit monitoring services.

Lee Neely

Internet Storm Center Tech Corner

Take Downs and the Rest of Us: Do they matter?

https://isc.sans.edu/diary/Take+Downs+and+the+Rest+of+Us+Do+they+matter/30694

Exploit Attempts for Unknown Password Reset Vulnerability

https://isc.sans.edu/diary/Exploit+Attempts+for+Unknown+Password+Reset+Vulnerability/30698

Dissecting DarkGate: Modular Malware Delivery and Persistence as a Service

https://isc.sans.edu/diary/Guest+Diary+Dissecting+DarkGate+Modular+Malware+Delivery+and+Persistence+as+a+Service/30700

Ivanti Incident Response Update

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b

GitHub Flooded with Infected Repos

https://apiiro.com/blog/malicious-code-campaign-github-repo-confusion-attack

Security Flaws in NoName Doorbell Cameras

https://www.consumerreports.org/home-garden/home-security-cameras/video-doorbells-sold-by-major-retailers-have-security-flaws-a2579288796/

StopRansomware: Updated ALPHV Blackcat Advisory

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a

GlobalBlock Service To Prevent Trademark abuse

https://www.bleepingcomputer.com/news/technology/registrars-can-now-block-all-domains-that-resemble-brand-names/

Joint Cybersecurity Advisory

https://www.ic3.gov/Media/News/2024/240227.pdf

SVR Cyber Actors Adapt Tactics for Initial Cloud Access

https://www.ncsc.gov.uk/news/svr-cyber-actors-adapt-tactics-for-initial-cloud-access

Data Scientists Targeted by Malicious Hugging Face ML Models with Silent Backdoor

https://jfrog.com/blog/data-scientists-targeted-by-malicious-hugging-face-ml-models-with-silent-backdoor/