SANS NewsBites

BlackCat Operators Shut Down Healthcare Payments in the US and Scam Fellow Criminals; US HHS Steps Up to Help Healthcare Providers Navigate the Disruptions

March 8, 2024  |  Volume XXVI - Issue #19

Top of the News


2024-03-06

BlackCat Operators Deploy Exit Scam

The ALPHV/BlackCat ransomware operators appear to have made away with a $22 million ransom payment without sharing the proceeds with the affiliate that actually conducted the attack on Change Healthcare. Soon after, a banner appeared on the group's leak site that made it look as though the site had been seized by the FBI, the UK's National Crime Agency (NCA), and other law enforcement organizations. While those agencies have been involved in various takedown efforts over the past few weeks, they say they did not conduct a takedown of this particular site.

Editor's Note

Shock and horror as people realise you can't trust criminals. In all the "to pay or not to pay ransom" debates, the fact you can't trust criminals often seems to be overlooked.

Brian Honan

Feeling flush with a $22 million payment, BlackCat appears to be ready to offer their source code for another $5 million, then set up shop under a new name "off the radar." This would also be a good time to develop new capabilities; for example, version 3 of their ransomware has a requirement for victim-specific access tokens before it will execute, making analysis or reversing much more difficult. For most of us, just double down on your existing ransomware protections and have your threat hunters keep you apprised of developments.

Lee Neely

2024-03-06

US Dept. of Health and Human Services Steps In to Help Address Problems Caused by Change Healthcare Ransomware Attack

Change Healthcare suffered a ransomware attack on February 21. The company provides IT services to healthcare entities, including pharmacies, that allow those organizations to process claims and prescriptions electronically. In the wake of the attack, healthcare organizations are reporting cash flow issues because they cannot submit claims and receive payments. The US Department of Health and Human Services (HHS) is stepping in to help hospitals and other healthcare providers weather the fallout from the attack. Specifically, HHS says that the Centers for Medicare & Medicaid Services (CMS) will expedite the process for changing clearinghouses and make other changes, such as relaxing or removing prior authorization requirements.

Editor's Note

This is big, particularly for the smaller pharmacies, which are suffering with payment processing challenges as Change Healthcare is offline. Consider your supply chain dependencies, up and downstream, and look at ways you can make them more resilient.

Lee Neely

There will be plenty of lessons learned from this cyber incident at both the company and federal level. At the top of the list will be how the federal government addresses market consolidation of suppliers. More to follow in the coming months.

Curtis Dukes

Time and time again I’m seeing that the most catastrophic impacts in incidents are not from PII being stolen; they are from systems not being accessible. Many incident responders will tell you that the biggest cost of ransomware is not the extortion payment, but the loss of system availability and recovery.

Lance Spitzner

This one is one to watch. It was *very* difficult to get any funding for cyberattacks in a healthcare environment. The actual financing went to many other critical parts of the business. Does this attack open the wallet for more healthcare institutions to redirect funding to the cybersecurity teams? I hope that financially impacting things to this level opens the eyes of the business.

Moses Frost

The Rest of the Week's News


2024-03-07

VMware Releases Fixes for Multiple Vulnerabilities

VMware has released fixes for four vulnerabilities in its ESXi, Workstation, and Fusion products. Two of them, which affect all three products, are use-after-free issues; the others are an out-of-bounds write vulnerability that affects ESXi and an information disclosure vulnerability that affects all three products. The flaws are concerning enough that VMware has also released updates for end-of-life versions.

Editor's Note

Good idea to query all cloud services/hosting providers you are using to get assurances they are patching all use of the flawed VMware software.

John Pescatore

The CVSS scoring on these flaws is somewhat confusing. CVE-2024-22252 and CVE-2024-22253 have CVSS scores of 9.3 in Workstation and 8.4 in ESXi. CVE-2024-22254 has a CVSS score of 7.9 and CVE-2024-22255 has a CVSS base score of 7.1. The flaws are in Workstation 17.x, Fusion 13.x, and ESXi 7.0 and 8.0 and are tied to the USB controller virtualization used to support peripherals. If you're running any of these versions, apply the update. Odds are Workstation and Fusion users are already getting prompted to update.

Lee Neely

2024-03-06

Apple Releases Emergency iOS Updates

Apple has released updates for iOS and iPadOS to address two critical zero-day vulnerabilities. One of the vulnerabilities (CVE-2024-23225) affects the iOS kernel; the other (CVE-2024-23296) affects RTKit. Both could be exploited to bypass kernel memory protections. The flaws are fixed in iOS and iPadOS 17.4; CVE-2024-23225 has also been fixed in iOS and iPadOS 16.7.6.

Editor's Note

The bad news is that we are seeing a lot of “bypass” vulnerabilities in software now, meaning protections were never fully thought through or tested. The good news is that patching can be done much faster on mobile operating systems. The bad news is that “can be much faster” requires mature processes to turn “can be” into “was.”

John Pescatore

The initial security report from Apple had a very small number of CVEs listed. The current report for iOS/iPadOS 17.4 lists 40 flaws while 16.7.6 lists 19 flaws addressed. iOS/iPadOS also introduces PQ3 iMessage encryption as well as providing support for third-party app stores as mandated by the recent EU ruling against Apple. EU users will be able to install apps from "alternative app marketplaces" and sideload apps. These marketplaces have to be vetted with Apple before they can be downloaded to your device.

Lee Neely

The default for Apple users should be to have automatic updates enabled.

William Hugh Murray

2024-03-07

JetBrains TeamCity Vulnerabilities are Being Actively Exploited

JetBrains has released updates to address two authentication bypass vulnerabilities in TeamCity On-Premises, its CI/CD server. One of the vulnerabilities (CVE-2024-27198) is a critical authentication bypass with a CVSS score of 9.8; the second (CVE-2024-27199) is a high-severity relative path traversal issue. The flaws are reportedly being actively exploited, and in some cases exploitation is leading to ransomware deployment.

Editor's Note

Given the severity and that these are being actively exploited, you're going to want to update your servers now. Compromising the server would allow an attacker full control over all TeamCity projects, builds, agents and artifacts. The flaw affects all versions up to 2023.11.3. You have two options: either update to TeamCity 2023.11.4, or apply the relevant security patch plugin for version 2023.11.3 and below. Your best option, long term, is to update to 2023.11.4.

Lee Neely

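Before you can update, you need to know which of your TeamCity servers are still in the affected range (everything before 2023.11.4). The script below is an added example, not JetBrains' code: it assumes the TeamCity REST API endpoint GET /app/rest/server returns an XML <server> element whose version attribute reads like "2023.11.3 (build 100001)", parses that, and flags anything older than 2023.11.4. The hostnames and build numbers in SAMPLE_RESPONSES are constructed so the script runs offline; fetching the XML from a live server (with credentials) is left to the caller.

```python
"""Flag TeamCity servers still on a release without the fix for
CVE-2024-27198 / CVE-2024-27199 (fixed in 2023.11.4).

Added example, not JetBrains' code. Assumes GET /app/rest/server returns
<server version="YYYY.MM[.N] (build ...)" .../>. SAMPLE_RESPONSES is
constructed; hostnames and build numbers are placeholders.
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (2023, 11, 4)  # first release carrying the fix
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

# host -> raw response body of /app/rest/server (constructed sample data)
SAMPLE_RESPONSES = {
    "ci-prod.example.internal":
        '<server version="2023.11.3 (build 100001)" versionMajor="2023" versionMinor="11"/>',
    "ci-patched.example.internal":
        '<server version="2023.11.4 (build 100002)" versionMajor="2023" versionMinor="11"/>',
    "ci-legacy.example.internal":
        '<server version="2022.10 (build 100003)" versionMajor="2022" versionMinor="10"/>',
}


def parse_version(xml_text):
    """Return (major, minor, bugfix) from a /app/rest/server response body.

    Releases without a bugfix number (e.g. "2022.10") are treated as .0.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "server":
        raise ValueError("unexpected root element %r" % root.tag)
    match = _VERSION_RE.match(root.get("version", ""))
    if not match:
        raise ValueError("cannot parse version %r" % root.get("version"))
    major, minor, bugfix = match.groups()
    return (int(major), int(minor), int(bugfix) if bugfix else 0)


def needs_update(version):
    """True when the release predates 2023.11.4, i.e. is in the affected range."""
    return version < FIXED_VERSION


def triage(responses):
    """Map host -> True (update needed) / False for a dict of response bodies."""
    return {host: needs_update(parse_version(body)) for host, body in responses.items()}


if __name__ == "__main__":
    for host, flagged in triage(SAMPLE_RESPONSES).items():
        print(f"{host}: {'UPDATE' if flagged else 'ok'}")
```

One caveat when reading the output: a 2023.11.3 server that received JetBrains' security patch plugin still reports 2023.11.3, so it will be flagged here. Treat a flagged host as "confirm the plugin is installed or update", not as proof of exposure; the check never touches the vulnerable code paths, so it is safe to run against production.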
2024-03-06

SBOM Experiment at Power Substation

US gas and electric utility Southern Company conducted an effort to create a software bill of materials (SBOM) for an operational technology (OT) site in Mississippi. In a presentation at the S4x24 ICS/OT security conference this week, Southern Company principal cybersecurity architect Alex Waitkus described the process, noting that prior to the experiment, “We had no idea what the different versions of software we were running.”

Editor's Note

This is a good exercise in determining the viability of SBOMs and demonstrating how they need to evolve to fulfill their potential. To build this "composite SBOM," the details needed to be gathered from 17 vendors with 38 unique devices. After identifying all the software versions, the team then verified the contents of the vendor provided SBOMs were accurate and complete (not all were) then they were mapped to vulnerability databases, verified and assessed, focusing on exploitable flaws. In the meantime, the site started updating firmware making the SBOM out of date by the time it was delivered, reinforcing the goals of the next phase of the project which will focus on automating inventory, SBOM collection, verification, vulnerability and exploit analysis.

Lee Neely

SBOM, like “Zero Trust,” got way overhyped – Southern Company’s experience points out that software inventory is the required first step before a SBOM can be useful, not the other way around. The other big lesson learned is start putting SBOM requirements in all software (on-premise and cloud) procurements now.

John Pescatore

SBOM implementation continues to gain traction both in the US and internationally. Knowing your environment, what HW, what SW versions, and, where your sensitive data is kept, is crucial to defend against attack. That’s why the CIS Critical Security Controls prioritize them one, two, and three.

Curtis Dukes

While software bills of material for the products we buy may make it easier to know what software one is running, it is important to know that in any case. That said, I have had few clients that could tell me that with any confidence or authority.

William Hugh Murray

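The workflow the editors describe above (gather the vendor SBOMs, verify they match what is actually running, then map the result to vulnerability data with exploitable flaws first) is easy to state and easy to get wrong in practice, because the vendor's document and the device's real contents diverge. The script below is an added example of that chain, not Southern Company's tooling. The CycloneDX JSON field names it reads (bomFormat, components[].name/version/purl) are real; the SBOM contents, the observed device inventory and the vulnerability records are all constructed for the example. It deliberately runs the vulnerability match against the observed inventory rather than the SBOM, which is what Pescatore's point about inventory-first implies.

```python
"""Composite-SBOM triage: verify a vendor CycloneDX SBOM against the observed
device inventory, then map the inventory to known vulnerabilities.

Added example, not Southern Company's tooling. CycloneDX field names are
real; SBOM contents, observed inventory and vulnerability records are
constructed placeholders.
"""
import json

# Constructed vendor-supplied CycloneDX SBOM for one device's firmware.
VENDOR_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "relay-fw", "version": "4.2.1"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.8",
         "purl": "pkg:generic/openssl@3.0.8"},
        {"type": "library", "name": "busybox", "version": "1.31.1",
         "purl": "pkg:generic/busybox@1.31.1"},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:generic/zlib@1.2.13"},
    ],
})

# Constructed inventory observed on the device (e.g. from unpacking the
# firmware image or the device CLI). lighttpd is missing from the vendor
# SBOM, and busybox is not at the version the SBOM claims.
OBSERVED_INVENTORY = {"openssl": "3.0.8", "busybox": "1.30.1", "lighttpd": "1.4.55"}

# Constructed vulnerability records. 'fixed_in' is the first unaffected
# version; 'exploitable' stands in for an exploit-intelligence feed.
VULN_RECORDS = [
    {"id": "EXAMPLE-2024-0001", "package": "busybox", "fixed_in": "1.32.0", "exploitable": True},
    {"id": "EXAMPLE-2024-0002", "package": "lighttpd", "fixed_in": "1.4.60", "exploitable": False},
    {"id": "EXAMPLE-2023-0003", "package": "openssl", "fixed_in": "3.0.0", "exploitable": True},
]


def parse_version(text):
    """'1.4.55' -> (1, 4, 55); a non-numeric suffix such as '1.1.1k' is dropped."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def load_sbom_components(sbom_json):
    """Return {name: version} for every component in a CycloneDX JSON SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {c["name"]: c["version"] for c in doc.get("components", [])}


def verify_sbom(sbom_components, observed):
    """Compare the vendor's claims with what was actually observed on the device."""
    shared = set(sbom_components) & set(observed)
    return {
        "missing_from_sbom": sorted(set(observed) - set(sbom_components)),
        "not_observed": sorted(set(sbom_components) - set(observed)),
        "version_mismatch": sorted(
            name for name in shared
            if parse_version(sbom_components[name]) != parse_version(observed[name])
        ),
    }


def match_vulns(inventory, records):
    """Map an inventory to vulnerability records; exploitable findings sort first."""
    hits = []
    for rec in records:
        installed = inventory.get(rec["package"])
        if installed is None:
            continue
        if parse_version(installed) < parse_version(rec["fixed_in"]):
            hits.append({"id": rec["id"], "package": rec["package"],
                         "version": installed, "exploitable": rec["exploitable"]})
    return sorted(hits, key=lambda h: (not h["exploitable"], h["id"]))


def triage(sbom_json=VENDOR_SBOM_JSON, observed=OBSERVED_INVENTORY, records=VULN_RECORDS):
    """SBOM -> verification against inventory -> vulnerability mapping.

    The match runs on the observed inventory, so components the vendor left
    out or mis-versioned are still assessed.
    """
    sbom_components = load_sbom_components(sbom_json)
    return {"verification": verify_sbom(sbom_components, observed),
            "findings": match_vulns(observed, records)}


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

With the constructed data, verification reports lighttpd as missing from the SBOM, zlib as claimed but not observed, and busybox as a version mismatch; the findings list the exploitable busybox record first and the lighttpd record second, and the lighttpd finding would have been invisible had the match been run against the vendor SBOM alone. The version comparison is deliberately simple (numeric dotted versions only); real package ecosystems need their own comparators, which is one of the reasons the next phase of such projects ends up being automation.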
2024-03-07

Software Engineer Allegedly Stole AI IP From Google with the Intent to Share it with Chinese Companies

A US federal grand jury has indicted a former Google software engineer on four counts of theft of trade secrets. Linwei Ding, aka Leon Ding, allegedly stole AI-related trade secrets from Google, placed the data in his personal Google Cloud account, and planned to provide the stolen intellectual property to Chinese companies. He was arrested in California earlier this week.

Editor's Note

The engineer, in an attempt to mask his activities, reportedly copied the confidential information into the notes app on his company-provided laptop, then converted the notes to PDFs before uploading them to his (personal) Google account. The engineer also started a company, with him as CEO, claiming to have experience with Google's thousand-card computational platform and he just needed to replicate and update it. He's facing up to 10 years in prison and up to a $250,000 fine for each of the four theft counts. EDR and other cloud security components are evolving to make tracking this sort of activity easier; you may want to investigate capabilities of tools you already have. The analysis could also reveal needed workarounds to current practices. You may need to adjust.

Lee Neely

2024-03-06

Canada’s Financial Intelligence Agency Experiences Cyberattack

The Financial Transactions and Reports Analysis Centre of Canada’s (FINTRAC’s) corporate system has been offline since the weekend due to a cybersecurity incident. FINTRAC is Canada’s national financial intelligence agency.

Editor's Note

FINTRAC is an Ottawa-based government body founded to detect and investigate money laundering and similar crimes, including suspicious transactions relating to terrorist finances, and a partner to Canada's law enforcement and intelligence agencies. Canada is not having a good year, considering the recent foreign ministry, RCMP and Hamilton attacks. FINTRAC’s notification says their most sensitive systems are not impacted, and that only the corporate business systems are offline, reminiscent of the RCMP statement of nominal impact during their incident.

Lee Neely

2024-03-06

Canadian City Government Suffers Ransomware Attack

The City of Hamilton, Ontario, is recovering from a ransomware attack that began in late February. The incident affected IT systems at nearly all Hamilton government entities. As of Wednesday, March 6, Hamilton's water and wastewater treatment, waste collection, transit, and emergency services are operational. Online payment systems remain offline; transactions are being processed manually.

Editor's Note

This attack is a bit more impactful than FINTRAC or the RCMP attack. The attack happened February 25th and teams have been working around the clock since to restore services. While many services are online, there is no ETA for a full recovery other than to exceed the recovery time of the Toronto library which took four months. With the changes in how we deliver services, insourced, cloud, outsourced, including APIs and other data interchange services, it'd be a good idea to make sure that you not only have it all documented, but also have a team who has experience rebuilding services from backup.

Lee Neely

2024-03-07

Cisco Patches High-Severity Flaws in Secure Client

On Wednesday, March 6, Cisco released updates to address a pair of high-severity vulnerabilities in its Secure Client VPN application. One of the vulnerabilities (CVE-2024-20337) is an insufficient validation of user input issue affecting the SAML authentication process in Cisco Secure Client for Linux, macOS, and Windows. The second vulnerability (CVE-2024-20338) is an uncontrolled search path element issue in the ISE Posture module of Cisco Secure Client for Linux. Cisco also released updates to address five medium-severity vulnerabilities in other products.

Editor's Note

While the SAML exploit is only possible for the Secure Client, aka AnyConnect, when an external browser is enabled for that authentication process, the smoothest integration/user experience comes from using that external browser, so don't assume disabling that is an option. The fix is to deploy an updated client. AnyConnect allows the client to be updated as part of the connection process before the connection is complete.

Lee Neely

This client is probably installed on millions of systems. The external browser may not be as broadly deployed; however, if you are using a YubiKey or some other type of external authentication such as, for example, Microsoft Entra ID for SAML-based authentications with phishing-resistant MFA, then you cannot use the built-in browser and must use the external browser. This is not a simple attack to pull off because of all the alignment of pieces, but the exploit itself may be trivial. Patch. Lots of people need to patch these clients, so patch.

Moses Frost

2024-03-06

Lurie Children’s Hospital Makes Progress in Ransomware Recovery

Lurie Children’s Hospital in Chicago is making progress in their recovery from a January 31 cyberattack. Lurie’s electronic health record (EHR) platform is now operational, as are their phones and other key systems. They are still working to reactivate the MyChart patient portal and the rest of their systems.

Editor's Note

The current status page (Cybersecurity Matter link below) does an excellent job of organizing the information about what happened, what's impacted, and what to do. This is an excellent communication style to have in your hip pocket if you're ever in their shoes.

Lee Neely

Internet Storm Center Tech Corner

iOS/iPadOS Updates with Zero Day Fixes

https://isc.sans.edu/diary/Apple+Releases+iOSiPadOS+Updates+with+Zero+Day+Fixes/30716

Why Your Firewall Will Kill You

https://isc.sans.edu/diary/Why+Your+Firewall+Will+Kill+You/30714/

Scanning and Abusing the QUIC Protocol

https://isc.sans.edu/diary/Scanning+and+abusing+the+QUIC+protocol/30720

AWS Deployment Risks - Configuration and Credential File Targeting

https://isc.sans.edu/diary/Guest+Diary+AWS+Deployment+Risks+Configuration+and+Credential+File+Targeting/30722

Apple Updates

https://isc.sans.edu/diary/MacOS+Patches+and+Safari+TVOS+VisionOS+WatchOS/30726

Google Chrome Update

https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop.html

Spinning YARN

https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/

TeamCity Exploited

https://twitter.com/leak_ix/status/1765460190621581347

QEMU Tunnel

https://securelist.com/network-tunneling-with-qemu/111803/

VMware Vulnerabilities Patched

https://www.vmware.com/security/advisories/VMSA-2024-0006.html

NSA/CISA Secure Cloud Guides

https://media.defense.gov/2024/Mar/07/2003407866/-1/-1/0/CSI-CloudTop10-Identity-Access-Management.PDF

https://media.defense.gov/2024/Mar/07/2003407858/-1/-1/0/CSI-CloudTop10-Key-Management.PDF

https://media.defense.gov/2024/Mar/07/2003407859/-1/-1/0/CSI-CloudTop10-Managed-Service-Providers.PDF

https://media.defense.gov/2024/Mar/07/2003407862/-1/-1/0/CSI-CloudTop10-Secure-Data.PDF

https://media.defense.gov/2024/Mar/07/2003407861/-1/-1/0/CSI-CloudTop10-Network-Segmentation.PDF