Healthcare Compromise Still Affecting Pharmacy Billing, LockBit Won’t Stay Down, SolarWinds Cyberthreat Actors Using New TTPs

The ScreenConnect vulnerabilities, CVE-2024-1709, authentication bypass, CVSS score 10, and CVE-2024-1708, path-traversal flaw, CVSS score 8.4, can be mitigated by updating to version 23.9.8. Monitor the ScreenConnect App_Extensions folder for suspicious .aspx and .ashx files. Note CVE-2024-1709 has been added to the CISA KEV catalog with a due date of 2/29. ConnectWise has also revoked licenses for unpatched servers, which may help reduce the attack vector. In the meantime, Change Healthcare is still working to restore services, they have published a dashboard providing incredible transparency on all their application component status' which should IT staff working to bring services back online. They also provide mechanism for filing a support ticket for issues with services not identified.

Lee Neely

Taking down distributed criminal enterprises tends to be notoriously hard. The distributed nature, and the ability for others to quickly re-implement the tools and techniques used by a particular group will often result in limited impact of takedown actions. However, the bust of LockBit was still a welcome relief for many past victims who are now able to decrypt some of the files affected by LockBit.

Johannes Ullrich

After a couple of days, LockBit is firing back at the taunts from the FBI, watch from a distance, don't engage. LockBit says they still have customer data, and are posturing about releasing/extorting the data, while that may or may not happen, don't lose site of the protections you're implementing for ransomware, know LockBit decryption keys are available. Expect LockBit look-alike or derivative attacks.

Lee Neely

This will continue to be a cat-and-mouse game between law enforcement and cybercriminal until either: 1) the bad guys are all locked up; or 2) it is no longer monetarily advantageous to the criminals. Increased focus should be on crypto-currency transactions and removing them as a way for cybercriminals to hide.

Curtis Dukes

Taking down criminals' online infrastructure can appear to be like a game of whack-a-mole: as soon as one site is taken down another re-appears. The important takeaways from these takedowns are not that the infrastructure is back up and running but that law enforcement have seized and are analysing data that result in other intelligence lead takedowns and arrests. These takedowns also disrupt the activities of these gangs, seize valuable assets such as crypto-wallets, and send a message to them that they are not untouchable. As a community, let's keep our eyes on the goal of putting those criminals behind bars and not be distracted by their recovery operations.

Brian Honan

Two techniques warrant consideration. First, after a post-incident password change, SVR actors are going after unused accounts following the password reset instructions. Second, they are capturing Cloud Authorization tokens. In the first case, make sure that idle accounts are not just disabled but deleted after a defined period. In the second, common techniques here are password spraying, MFA bombing (or fatigue) or even circumventing device registration processes. Make sure you're using phishing resistant MFA for cloud accounts, train users on MFA attacks. Review cloud authentication token lifetime, dialing it back based on risk.

Lee Neely

SVR is no different than other threat actors; they are going after where the data are. Today, that is increasingly the cloud. The other interesting thing to note here, and I’ve mentioned in the past, and even in the cloud pen testing class, is the use of residential proxies and other “cheap” technologies to get around Conditional Access policies. Using location to bypass further interrogation, such as MFA, violates zero trust.

Moses Frost

The key line in the report, “…Denying initial access to the cloud environment can prohibit SVR from successfully compromising their target.” The use of credential harvesting for initial access has increased over the past year for both cloud and on-prem environments. The best defense continues to be use of multi-factor authentication and removal of dormant accounts.

Curtis Dukes

Not sure just how radically new these TTPs are. What the article implies is that the cyberthreat actors are focusing on the Cloud, and getting in via compromised accounts and access credentials. I forgot where I saw this quote but I loved it: “Cyber threat actors are no longer hacking into end points, they are simply logging into end points”. This is why I feel phishing-resistant MFA is becoming so important, to include the Cloud.

Lance Spitzner

It’s taken six months from initial commitment but is now a reality at least for US federal entities. Some of the delay can be chalked up to government inertia, some to Microsoft for increased storage requirements. The timing just happens to line up with the upcoming release of the CSRB report on Microsoft security lapses. Regardless, defenders need adequate logging services to defend their environment.

Curtis Dukes

Having increased logging for non-FCEB tenants would help, particularly small businesses who can't afford license levels which include the in-depth logging. Make sure you know what level (depth and timeframe) of logging you're getting from our cloud services and dig deep on forwarding those logs to a service where you can control the retention.

Lee Neely

It’s funny, shouldn’t logging just come with the service? We will see how this plays out, just like in the “firewall” market. Some firewalls come with built-in logging tools; others you bring your own.

Moses Frost

Infrastructure providers are uniquely enabled to shut down their own networks in creative ways never available to an outside adversary. Don't attribute to malice what can be explained by a simple misconfiguration.

Johannes Ullrich

The good news is it wasn't a cyberattack. The bad news is the configuration team had a really bad day. I have anecdotally been told it was an error of under 10 lines of code. AT&T customers are being provided with a $5 credit on their next bill to compensate for the outage. Among all the recovery and communication efforts, consider what you'd do with the responsible team were you in this position. Is this valuable experience which can be leveraged to prevent recurrence or are they an example of a career limiting move? Consider those scenarios where you'll "just use our cell phones," did you consider diversity in base carriers?

Lee Neely

Is AT&T Wireless critical infrastructure? If so, will this bring up hearings in Congress? I would imagine there is some concern when the fire departments tell people they need to find someone on the street with cell service for 911.

Moses Frost

The lesson for the rest of us is "if it ran today, do not do anything tonight that will keep it from running tomorrow." When making a major change, have a plan for returning to a running state.

William Hugh Murray

The Malawi passport system has had challenges since they changed providers in 2021 after citing irregularities. The country is silent on what data has been breached, and those in Malawi with expired or no passports are unable to get them and therefore unable to leave the country, and citizens are demanding resumption of services. This is a scenario to consider, evaluate transparency, communication as well as resiliency. Make sure that you've properly considered the business impact of your service and adjust accordingly.

Lee Neely

The report is encouraging Americans to work together to adopt memory safe programming language supported by improved software measurability (SQA) process. The trick is not only selecting these languages, like Rust, for a project but also migrating existing, working, projects to them as well as augmenting the development process to include the modernized measurement. The age old challenge of cost and time to market may undo this plan without pervasive support in the organization and industry.

Lee Neely

Most of the major operating system vendors have already announced plans to move software development to the memory safe programming language Rust. Unfortunately, it takes time to code existing software products with a new programming language.

Curtis Dukes

This administration is taking on the software quality issue. This is just one measure.

William Hugh Murray

Attackers continue to target ThyssenKrupp with goals of either disrupting production or industrial espionage. Previous attacks in 2013, 2016, 2020 and 2022 by groups like the Mount Locker and NetWalker ransomware gangs. While no group has stepped up to take credit for this attack, and ThyssenKrupp reports they are in the process of gradually returning to normal operations, this is also an ideal opportunity to pursue means to prevent future attacks.

Lee Neely

While comments are being made about the magnitude of the breach, and indications of infections tied to python package install scripts, the exact nature of the event is being held close at this time. RCMP has sufficient mitigations to allow operations to continue event with affected systems offline. I'm hoping I'd come off as unfazed and operational if I were in their shoes, how about you?

Lee Neely

Back in September 2022, U-Haul had another breach which took five months to detect; this breach was discovered on December 5th and the attackers were in the system from July 20th to October 2nd, 2023. Both attacks used compromised credentials. Affected accounts are required to change their passwords and additional security measures have been implemented. The data breached included names, dates of birth and driver's license numbers. The payment processing system was not affected. If you've got a U-Haul account, you may want to change the password proactively, particularly if you're not sure that it is a strong password unique to U-Haul. Affected users are being offered one year of Experian identity protection, monitoring and restoration. Here is a chance to dig into ways to improve detection and response time.

Lee Neely

This one is interesting. This attack group is opportunistic and not a targeted attack. How many criminals could use this data to determine who is moving and when to target them? I just now considered the threat model here.

Moses Frost

There are no workarounds for these flaws. CVE-2023-6397, CVE-2023-6399 and CVE-2023-6764 only apply to their Firewall products while CVE-2023-6398 applies to both Firewalls and APs. Zyxel published a matrix of CVE's and affected products, generally for their firewalls, apply ZLD V5.37 Patch 2. For APs, apply the model appropriate version of 6.29 or 6.70 to your APs. Note some devices have hotfix which must be obtained directly from Zyxel.

Lee Neely

I can’t believe that I am saying this, but for ISPs and places outside the U.S., Zyxel has a very sizable market. That’s a scary thought.

Moses Frost

The bounty on this bug was $2,063. The query didn't prevent SQL Injection, which can be used to steal information from the database. The flaw only affects configurations which have enabled the custom table for usermeta option in this plugin. The fully patched version of Ultimate Member was released on February 19th, make sure that you've got the updated version. Wordfence firewall rules were released January 30th and again February 29th for the paid and free versions respectively.

Lee Neely

Bug bounty programs continue to pay huge dividends in finding vulnerabilities in software products. Now comes the hard part: getting users to download and install the necessary security patch before evildoers weaponize the vulnerability.

Curtis Dukes

One of the trends here, also seen with 800-171, is that CISA is making these frameworks apply to all sizes and types of businesses, not just federal agencies or big business. Too often the question, particularly for a SMB, is how to get started with security and while they may wish to hire help to implement, the framework and supporting documents are themselves free. Note that these are coordinated with organizations such as ISO/IEC to support crosswalk for both understanding and leveraging existing practices.

Lee Neely

The purpose of the Framework is to help (encourage) management to manage and reduce risk. The intent of this update is to make it more broadly applicable and effective.

William Hugh Murray

It’s been ten years, even an outstanding tool like CSF needs a refresh. With this update NIST is connecting governance and supply chain as important parts of one’s cybersecurity program. Well-done, and here’s hoping for another good ten year run!

Curtis Dukes