Whoa, what a week! Many of the organizations I have the privilege to talk to are battling overlapping ransomware events, and all the while the fight between law enforcement and those threat actors is playing out in the open. If you prefer your news steadily bad, there are stories for you here as well. So let’s get right into the top news, where threat actors are taking patients hostage.

Dirty Blackcat trickery

Change Healthcare (a subsidiary of UnitedHealth’s Optum group) was hit by the now notorious Blackcat (ALPHV) Ransomware as a Service (RaaS) operation. If you think this doesn’t impact you, think again. This company provides the software that runs pharmacies, processes payments, manages supply chains, and much more. So hopefully no one you know is sick, hospitalized, or dependent on any medications. Hundreds of major healthcare systems are impacted, as is almost every major pharmacy chain in the US. Piling on, the breach appears to have compromised the information of millions of American patients.

Blackcat first claimed the attack, then withdrew the claim. Optum nonetheless confirmed today (1 March) that they have high confidence it is Blackcat. Curious, isn’t it? That confidence from Optum and their partners tells us the intrusion probably followed Blackcat’s standard playbook. The withdrawn claim could mean a lot of things; ongoing negotiations might be part of the reasoning. ALPHV certainly seems to be hitting healthcare hard, and the FBI and CISA are raising awareness of this disturbing trend.

This group typically gets its foothold through social engineering, masquerading as the victim’s own technical support group. From there they use legitimate screen-sharing software, newly created accounts, and Cobalt Strike to maintain persistence, and they orchestrate Meddler-in-the-Middle (MiTM) attacks to harvest credentials, tokens, and MFA factors. Then comes the ransom event. CISA provides a holistic look, including mitigation, detection, and prevention measures.

  • Want to read more? Change Healthcare has been working with their partners to keep folks updated here. And this CyberExpress report helps recap the broad strokes.
  • Want to get nerdy? This CISA write-up is fresh and stands as one of the most up-to-date resources on this very dynamic threat.

LockBit’s next resurrection

We see a press boost every time law enforcement or a private company takes down a particular group or APT. LockBit’s most recent takedown was touted as a “huge blow” just 10 days ago. It was coordinated among multiple national law enforcement agencies and government entities (the FBI is getting good at this stuff). It was a victory for the ages. But like my D&D peeps understand about any hydra, if you don’t cut off all of the heads at once, more grow in their place! LockBit already had a ransomware operation in motion against Fulton County, Georgia (USA), and surviving members have now threatened to leak data that could affect many important criminal trials, endangering witnesses and victims and potentially preventing some of the worst people from being brought to justice. We’ll see how this progresses.

LockBit is a packaging vehicle for a whole ecosystem of payloads and capabilities, but it usually makes its initial foray through exposed RDP, drive-by attacks, phishing, or stolen credentials. The malware itself spreads and escalates using credentials hardcoded into the build and living-off-the-land binaries (LOLBins), then exfiltrates data before encrypting it for a double-extortion impact. The operation is Russian-hosted. One upside: these takedowns usually see adversaries hit by exploited vulnerabilities just like their victims, and signs point to LockBit’s most recent takedown coming via a PHP vulnerability in the gang’s own infrastructure. Just a little retribution for taking patients hostage.

  • Want to read more? Brian Krebs has a pretty good recap and explainer on the overall event.
  • Want to get nerdy? Once again, CISA offers us a great look at how the gang operates, with recommendations on how best to mitigate, detect, and prevent their attacks. They even take a crack at mapping the TTPs, as LockBit isn’t in ATT&CK’s main database yet.

This week in AI

FBI Director Christopher Wray told an audience at a recent national security conference that AI is a major enabler for adversaries looking to “engage in malign influence.” We’re already seeing a lot of AI use in influence campaigns. So he might be alluding to a much more concerted effort. I worry about our media, social media, and our ability to discern truth. Having this capability ramp up just as so many have lost their own ability to reason and value truth seems super scary, no?

Things I am keeping an eye on myself

  • A newish adversary going by the name “USDoD” has hacked defense contractor Thales and already leaked more than 24GB of data, with threats to release even more. This comes after their breaches of the FBI and Airbus, and it is believed that they rely on infostealer malware. If the claims hold up, this will strain international relationships and impact national security.
  • A bunch of great lessons and benefits are discussed in this cool article on The Hacker News. It shows the value of blameless postmortems for sharing lessons learned and improving trust across the industry.
  • Ivanti VPN woes are still a major concern, so much so that the Five Eyes countries have issued urgent pleas to patch and to improve detection capabilities.
  • While we’re all focused on the healthcare and government targets above, the Phobos RaaS has been on a hot streak. The US Government is warning of its activity against other critical infrastructure sectors (including healthcare).
  • When we look at security incidents today, most of them involve some sort of exploit. A huge portion of those exploits are due to coding errors, and memory management is a critical gap. Using C and C++ is part of the issue, and the US Government is strongly advocating that software as a whole move to memory-safe languages to help reduce the CVE deluge we’re all under. Time to learn some Rust or Go!
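
As an added illustration (not code from this post or from any of the reports it links), here is the shape of bug the memory-safety push is aimed at. The wire format, record contents and function names are all made up for the example: a parser for a length-prefixed record that trusts an attacker-controlled length byte, beside the same parser with the bounds checks that a memory-safe language would either force you to write or enforce for you at run time.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed wire format for this example (not from any real protocol):
 *   [len: 1 byte][payload: len bytes]
 * The remote peer chooses `len`, so it is attacker-controlled.
 */

/* Vulnerable: trusts the attacker-controlled length byte.
 *  - len larger than the bytes actually present -> reads past `in` (crash / info leak)
 *  - len larger than the size of `out`          -> writes past `out` (memory corruption)
 * Nothing in the language stops either one; this is the bug class the
 * memory-safety advocacy is about. Only ever called on well-formed input below. */
size_t parse_record_unsafe(const uint8_t *in, uint8_t *out)
{
    size_t len = in[0];
    memcpy(out, in + 1, len);          /* unbounded copy */
    return len;
}

/* Hardened: the same parser, with every length checked against both the
 * input really available and the destination capacity before any copy.
 * Returns the payload length, or -1 for a malformed record. */
long parse_record_safe(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_len)
{
    if (in == NULL || out == NULL || in_len < 1)
        return -1;                     /* no length byte to read */
    size_t len = in[0];
    if (len > in_len - 1)
        return -1;                     /* truncated: would read past the input */
    if (len > out_len)
        return -1;                     /* would write past the destination */
    memcpy(out, in + 1, len);
    return (long)len;
}

/* A caller-side wrapper: copies into a fixed 16-byte buffer and NUL-terminates,
 * leaving room for the terminator so the payload can be used as a C string. */
bool read_name(const uint8_t *in, size_t in_len, char name[16])
{
    uint8_t tmp[15];                   /* 15 payload bytes + 1 terminator = 16 */
    long n = parse_record_safe(in, in_len, tmp, sizeof tmp);
    if (n < 0)
        return false;
    memcpy(name, tmp, (size_t)n);
    name[n] = '\0';
    return true;
}

int main(void)
{
    /* Constructed sample records. */
    const uint8_t good[]      = { 3, 'a', 'b', 'c' };
    const uint8_t truncated[] = { 200, 'a' };          /* claims 200 bytes, carries 1 */
    const uint8_t oversized[] = { 20, 'x','x','x','x','x','x','x','x','x','x',
                                      'x','x','x','x','x','x','x','x','x','x' };
    char name[16];

    printf("good:      %s\n", read_name(good, sizeof good, name) ? name : "rejected");
    printf("truncated: %s\n", read_name(truncated, sizeof truncated, name) ? name : "rejected");
    printf("oversized: %s\n", read_name(oversized, sizeof oversized, name) ? name : "rejected");
    /* parse_record_unsafe(truncated, ...) would read 199 bytes past the record;
     * build with -fsanitize=address to watch it fail loudly instead of silently. */
    return 0;
}
```

The safe parser rejects the truncated and oversized records without touching memory it does not own; the unsafe one would happily read or write past its buffers. The point is not that C cannot be written safely, but that nothing in the language requires those three checks, which is exactly the gap that bounds-checked slices in Rust and Go close by default.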

Good Reads!

  • NIST just released Cybersecurity Framework (CSF) version 2.0. Add the new CSF to your reading list, folks, as this is set to be a bible for most of us going forward. Like it or not! Big changes abound, including the addition of a Govern function (we now have six major functions). It includes a lot of goodies, like quick-start guides and tips that can help accelerate your security programs.

I hope you folks have a safe and healthy weekend – please feel free to respond, comment, or provide feedback if you get the urge!