Hello folks! It seems that there is never a dull week. To almost make that point abundantly clear, we have a large number of newly announced firewall vulns, some more ransomware hitting critical targets, and more state sponsored mayhem. So let’s get started and see what is going on!
Healthcare under perpetual attack
We tend to think of critical infrastructure in terms of energy, water, sewer, communications, etc. It should be noted that healthcare and financial sector folks are part of that too. Healthcare in particular is seeing a massive uptick in ransomware attacks, and this might be for a few reasons:
- Nothing creates more urgency than patient lives being impacted
- Healthcare is extremely visible to the community
- Hospital systems are either doing well financially or backed by governments to ensure continued operation
- IT and security teams are understaffed, overworked, and overwhelmed
This potent combination makes them an easy sector to rob, as there is a strong likelihood that the cyber-criminal will be paid and not caught. These threat actors can also take credit for exposing just how fragile the entire ecosystem is. They have targeted adjacent industries, like Change Healthcare’s pharmaceutical processing arm.
Catching up with Change Healthcare’s ordeal
After a couple of months of pretending that they had not paid a ransom, Change recently disclosed that they did indeed spend $22M to recover their data. Wired’s Andy Greenberg was all over it. The overall cost of this event is clicking in at over $1B, which should show that cutting corners on security (people, process, and technology) is yet again a poor move. The worst part? The ALPHV/BlackCat folks pulled an exit scam that would make Bernie Madoff proud, and due to infighting between the RaaS vendor (RansomHub) and their customer (ALPHV), Change is being extorted by the RansomHub for the SAME INFORMATION because ALPHV stiffed RansomHub.
Paying the ransom is a very serious choice that each company must make, but more and more data shows that it does not save the victims. The only thing it reduces is available budget for other things, like effective recovery and preventing re-infection. Just this week, several other healthcare and adjacent businesses were hit, like Octapharma Plasma (by BlackSuit group, HHS notice here), and LA County Health Services via a phishing attack.
Meanwhile, a substantial number of Americans’ personal information was likely part of this breach, and no amount of ransom paid can negate the danger that presents.
- Want to know more? Read about Change Healthcare’s view here.
- Want to get nerdy? The FBI’s flash report on ALPHV/BlackCat is here. It will be interesting to see if this was truly their pig payoff before going away.
Nation-state threat actors pulling out all of the stops
This week Cisco Talos disclosed the actions of a new threat actor UAT4356 against Cisco ASA devices, and it seems that this is a state sponsored threat. Much of the press on state-sponsored activity centers on endpoints. Perimeter devices have seen a glut of new attention, however. Ivanti’s VPN solution, Palo Alto firewalls, and now Cisco ASAs sit in critical parts of every network. For reasons obvious to most readers, I will not comment much further on this latest news.
State sponsored actors have a knack of finding new ways to attack critical parts of any environment, and they love to hit places they know are bottlenecks. Assets that cannot be removed. If the environment depends on them, all the better!
As with any vulnerability, immediate actions as advised by the vendor (including patching) are critical. But adversaries also know that it is hard to incur downtime in these mission critical environments, especially in a perimeter firewall. But we must. We need as an industry to allow for time to recover. Either we choose a small window for planned maintenance and updates or let attackers choose a much larger and more disruptive window for us. I can guarantee that window will cost more, disrupt more, and potentially put us out of work.
This week in AI
It’s going to be a long wait for the US Congress and other legislative bodies worldwide to become smart enough to wrestle with AI policies. Meanwhile, agencies like the NSA are starting to put forward guidance that can help. In this case, they recommend 3 phases of best practices, and this should be very helpful in crafting your own private AI deployment’s security strategy. Regardless of whether you trust the messenger or not, the advice is pretty solid and a good start.
Things I am keeping an eye on
- Threat actors are getting ready for their Christmas. We call it Election Season. Kitchen sink attack chains don’t sound like a good thing.
- Researchers had to sinkhole over 2.5 million IP addresses to neuter C2 in the PlugX malware’s botnet. Holy moly.
- Google Ads seem to have an issue screening their clients. A MadMxShell campaign is embedding a malicious scanner into the Google Ad service and tricking users into downloading the backdoor.
- Software keyboards are all the rage, but 8 of 9 Chinese app versions act as keyloggers. Mass surveillance is a feature!
- US DoJ teamed with Iceland to take down a crypto-mixing operation called Samourai Wallet. This removes yet another player in the market for hiding illicit activities. Cryptocurrency is proving to be anything but safe for criminals to hide behind.
- Some nation-state threat actors are advancing quickly to rival China and Russia in their efficacy. Iran’s IRGC apparently conducted a multi-year campaign impacting hundreds of thousands of accounts across USG and US company employees.
Good Reads
This week has been all about slides for CLUS for me, but these NIST-curated talks look like something I should start digging into! Tons of interesting technical content, and it might make a cool compliment to the steady diet of YouTube conference recordings I tend to favor.
I hope this update finds you well and that you have a good weekend. Please feel free to reach out and continue the discussion!
Mike
Leave a Reply