SANS NewsBites

Ineffective Ivanti Mitigation; Possible BlackCat Payday; Phobos Ransomware

March 5, 2024  |  Volume XXVI - Issue #18

Top of the News


2024-02-29

CISA: Ivanti Mitigations Might Not Be Effective

In a joint cybersecurity advisory, the US Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and cybersecurity agencies from Australia, Canada, New Zealand, and the UK, notes that threat actors are actively exploiting known vulnerabilities in Ivanti Connect Secure and Policy Secure gateways. Of particular concern, CISA has determined “that the Ivanti Integrity Checker Tool (ICT) is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets.”

Editor's Note

At this point, incident response to Ivanti compromises is complicated by incorrectly applied mitigations, overwritten configurations and several similar vulnerabilities that are not always easy to tell apart. In addition, attackers may have found new vulnerabilities not covered by currently available mitigations and patches.

Johannes Ullrich

Threat actors are able to deceive Ivanti's internal and external ICT, resulting in failure to detect compromise. Imagine bypassing secure boot, such that whatever payload you've added passes muster as genuine code? So, yeah, a big deal. What this means is you need to grab the IOCs from the CISA message, and use them with other tools (in addition to the most recent ICT) to detect compromise. Assume compromise until proven otherwise. Reset devices and all accounts. Assume that threat actors are able to get admin on LDAP-connected accounts, such as your domain controllers. The CISA bulletin has a litany of mitigations; chief among them are limiting access, strengthening authentication and keeping things patched. If you do discover you've been tipped, please report it to IC3, your local FBI field office or CISA. They can help.

Lee Neely

2024-03-04

ALPHV/BlackCat Ransomware Operators Were Just Paid $22 Million

The ALPHV/BlackCat ransomware operators, who are believed to be responsible for the attack that disrupted Change Healthcare’s operations, have reportedly received a $22 million payment. The transaction took place on March 1. UnitedHealth Group, the parent company of Change Healthcare, has declined to answer questions about whether they paid a ransom. More than a week after a ransomware group took down Change Healthcare, healthcare providers are encountering problems filling prescriptions.

Editor's Note

The payment may have also triggered some disputes within ALPHV/Blackcat. As of this morning, law enforcement seized the ALPHV/Blackcat website (which has happened before). A simple site seizure, without obtaining access to key material and backend infrastructure, is a face-saving move by law enforcement. But we will see how far the takedown reached.

Johannes Ullrich

Some, not all, and a declining percentage of cyberinsurance policies do pay off for ransomware payments. It is hard to find recent data, but in recent years, cyberinsurance policy premiums paid have been something like 4x payouts. Like the extended warranty market, a good business for the seller but not a very good investment for the buyer, especially considering all the costs that still have to be paid to fix the problems that enabled the criminals to succeed.

John Pescatore

Change Healthcare’s 2021 revenue was $3.49B. Each day that its business operations are shuttered, it loses upwards of ten million dollars. Add to that reputation risk, and it’s understandable that a ransom payment would be considered. Also, in many instances cyber insurance companies initiate the payment to reduce recovery costs. That said, paying the ransom is no guarantee that business operations will be returned to operation quickly.

Curtis Dukes

Regardless of where the payment came from, this incident highlights the disruptiveness a ransomware attack, or indeed any cyberattack, can have on people's lives. It reinforces that cybersecurity is no longer an IT concern but can have major downstream impacts on businesses, individuals, society, and indeed the economy. When reviewing cybersecurity risks, we need to look beyond their impact on our own organisations to the impact they can have on partner organisations, customers, and society. It also highlights government’s need to invest more and provide additional support to law enforcement to tackle the criminals behind these attacks.

Brian Honan

ALPHV/BlackCat affiliates are sabre-rattling about getting cheated out of their share of the Change Healthcare ransom payment, leading many to conclude that is what this transaction was. ALPHV lists 28 companies they are extorting in addition to Change Healthcare, so it's not a given they paid. It will be interesting to see if the assumption is made that healthcare providers are inclined to pay, raising the frequency and intensity of attacks against that sector. For all of us the best bet is to double down on cyber hygiene, staying the course with our anti-ransomware protections, and making sure you're connected with your local CISA, FBI, ISAC, etc. in case you need to reach out to report or verify your defenses.

Lee Neely

2024-03-04

CISA, FBI, MS-ISAC: Phobos Ransomware Warning

The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have published a joint cybersecurity advisory warning that Phobos ransomware is being used to attack networks at government and critical infrastructure organizations. The document includes a list of tactics, techniques, and procedures (TTPs) used by the ransomware actors, as well as indicators of compromise (IOCs). Phobos operates on a ransomware-as-a-service (RaaS) model. The advisory recommends securing RDP ports, prioritizing the remediation of known exploited vulnerabilities, and implementing EDR solutions.

Editor's Note

The attack vectors are largely the same for all ransomware gangs – phishing, RDP, and website drive-by. Bottom line: if you’re ineffective in both patch and configuration management, you’re going to have a bad day when the cybercriminals find you.

Curtis Dukes

Your periodic reminder that if criminals are using these techniques to target critical infrastructure you can be guaranteed the same techniques will be used against other organisations. So review this paper and if appropriate, follow the recommendations.

Brian Honan

Make sure you're keeping an eye on all remote-access/RDP solutions in play, not just MS RDP and VNC. Provide secure mechanisms for remote access and support, listening to input on new and better services for this purpose. These guys modify firewall rules to bypass your protections, set up persistence, and steal authentication tokens so they can come and go as they please, and then they start the ransomware plays, including removing any discovered backups to make restoration painful if not impossible.

Lee Neely

The Rest of the Week's News


2024-03-04

Malicious Artificial Intelligence/Machine Learning Models Found in Hugging Face Platform

Researchers from JFrog have detected more than 100 malicious artificial intelligence/machine learning (AI/ML) models in the Hugging Face platform. When downloaded, the malicious code installs backdoors and other malware on end-user devices. Most of what JFrog detected seems to be proof-of-concept; just 10 models were discovered to actually be malicious.

Editor's Note

This is a new type of supply chain attack. We are used to attackers tricking developers into installing malicious libraries. These ML models are in many ways similar. Not only will malicious models affect the results produced, but they are often installed and used like libraries, able to execute arbitrary code on a developer’s system during install.

Johannes Ullrich

The AI hook got this into the headlines, but really it's just another warning to consider all incoming software (AI or not) like you’d consider stream water on a hike: either filter it, or don’t drink it. Governance of AI projects has to have requirements for making sure tools/platforms/models used are checked for vulnerabilities and “pathogens.”

John Pescatore

The challenge is detecting the malicious capabilities of these AI/ML models. While it appears they were caught flat-footed, Hugging Face has since added processes to do malware, pickle and secrets scanning for every file in every repository for malicious code, unsafe deserialization or sensitive information, and to alert moderators/users. Additionally, Hugging Face developed a new format for securely storing model data called "safetensors." As you're researching the use of AI/ML/LLMs, be sure to start engaging with suppliers on security measures, not just for core components but externally provided ones as well.

Lee Neely
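The pickle scanning mentioned in the notes above works by reading a pickle's opcode stream without ever unpickling it. The following is an added example written for this issue (not Hugging Face's or JFrog's scanner): it walks the opcodes with the standard library's pickletools, records every callable the stream would import, and flags any import not on an allowlist. The allowlist, the sample checkpoints and the helper names are assumptions constructed for the example.

```python
import collections
import fractions
import io
import pickle
import pickletools

# Callables the unpickler may legitimately import. A real allowlist would hold
# the framework's own tensor-rebuild helpers; this one is an assumption made
# for the constructed checkpoint samples below.
ALLOWED_GLOBALS = frozenset({("collections", "OrderedDict")})
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
# Opcodes that call a previously imported object while the pickle loads.
CALL_OPS = {"REDUCE", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def scan_pickle(data: bytes, allowed=ALLOWED_GLOBALS):
    """Walk the opcode stream with pickletools (nothing is executed) and report
    every import that is not allowlisted. Returns (unsafe, findings)."""
    findings, imported = [], set()
    strings, memo, prev = [], {}, None   # STACK_GLOBAL reads the last two strings
    for op, arg, pos in pickletools.genops(io.BytesIO(data)):
        target = None
        if op.name in STRING_OPS:
            strings = (strings + [arg])[-2:]
        elif op.name == "MEMOIZE":                      # protocol 4+ memo slot
            memo[len(memo)] = prev
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = prev
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            if isinstance(memo.get(arg), str):         # re-pushed memoised string
                strings = (strings + [memo[arg]])[-2:]
        elif op.name in ("GLOBAL", "INST"):            # arg is "module name"
            target = tuple(arg.split(" ", 1))
        elif op.name == "STACK_GLOBAL" and len(strings) == 2:
            target = tuple(strings)
        elif op.name in CALL_OPS and imported - allowed:
            findings.append(f"offset {pos}: {op.name} calls a non-allowlisted import")
        if target is not None:
            imported.add(target)
            if target not in allowed:
                findings.append(f"offset {pos}: {op.name} imports {target[0]}.{target[1]}")
        prev = arg if op.name in STRING_OPS else None
    return bool(findings), findings


def sample_allowlisted_pickle(protocol=pickle.DEFAULT_PROTOCOL) -> bytes:
    """Constructed checkpoint whose only import is the allowlisted OrderedDict."""
    return pickle.dumps(collections.OrderedDict(w=[1.0, 2.0]), protocol)


def sample_flagged_pickle(protocol=pickle.DEFAULT_PROTOCOL) -> bytes:
    """Constructed sample: a harmless object that nevertheless imports
    fractions.Fraction, so a strict allowlist must reject it."""
    return pickle.dumps({"scale": fractions.Fraction(1, 3)}, protocol)
```

Because the scan never calls pickle.load, a flagged file is rejected before any of its reduce callables run; safetensors sidesteps the problem entirely by storing tensors in a format with no code-carrying opcodes.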

2024-03-01

Judge Orders NSO Group to Share Source Code with WhatsApp

A US federal judge in California has ordered spyware maker NSO Group to share its source code with WhatsApp. The order came about because of a lawsuit filed by WhatsApp against NSO Group over the company’s spyware being used to snoop on 1,400 WhatsApp users. The order does not require NSO Group to reveal their client list or information about their server architecture.

Editor's Note

This goes back to 2018/2019, when the NSO group created messaging accounts and set up proxy and relay servers, which sent messages to mobile devices to exploit CVE-2019-3568, a buffer overflow in the WhatsApp app present on iOS, Android, Windows Phone and Tizen devices. NSO is also facing similar charges from Apple and the Knight First Amendment Institute and has lost bids for their cases to be dismissed due to foreign state status, or on the grounds that it is only licensed for national lawful surveillance. The question is how relevant would the source code of an app which compromised your app be five years later? Consider if you could use it to determine if you still have assumptions or code which should be adjusted.

Lee Neely

From what I read, the arguments made to the Judge to preclude source code from discovery were not sufficient. Instead, what appears to have happened is that the discovery claim would extend beyond the implant to the entire software stack. Because these systems may not have full functionality at the implant level, they want to see the full software stack to establish what the entirety of the solution can do. Is this some strange new precedent that is being set? I’m not a legal expert; what I can tell you is that I would be concerned that the source code to this system is now in more hands. This is not a criminal case; a civil case discovery can be much broader.

Moses Frost

2024-03-04

German Law Enforcement Takes Down Cybercrime Website

Law enforcement authorities in Germany have taken down the Crimemarket website and arrested six people in connection with the “biggest illegal, German-speaking online trading platform.” Crimemarket had an estimated 180,000 registered users. The investigation has been active for several years, and culminated in the February 29 execution of more than 100 search warrants. German police also seized evidence, including technological devices, narcotics, and cash.

Editor's Note

German law enforcement is not just investigating the operators; they are also including traders and users. They have been monitoring the platform over an extended period, allowing the platform to operate after they had compromised it to support collecting incriminating information, including identification, login credentials and other information.

Lee Neely

These dark web cybercrime markets have been in decline for several years. Today, many criminal gangs use chat channels to trade in illegal goods. That doesn’t mean that the law enforcement raid wasn’t successful, just that more nefarious elements trade on other platforms.

Curtis Dukes

2024-03-04

Fixes Available for Hikvision Vulnerabilities

Hikvision, a Chinese company that makes surveillance equipment, has released fixes for two vulnerabilities in their HikCentral Professional security management system, which is used to manage video, access control, and other security systems. One of the vulnerabilities (CVE-2024-25063) is a high-severity, insufficient server-side validation issue that could allow unauthorized access to URLs. The second flaw (CVE-2024-25064) is also an insufficient server-side validation issue, but is rated medium severity because exploitation requires authentication. Users are urged to apply patches as soon as possible.

Editor's Note

CVE-2024-25063 and CVE-2024-25064 have CVSS scores of 7.5 and 4.3 respectively. While no evidence yet shows these are being exploited in the field, the fix is to update to the latest version of the software. Be sure to go to the Hikvision site relevant for your country/region, and also review their security best practices to optimize your installation.

Lee Neely

The Hikvision system is used extensively in retail. If you have them, firewall and patch.

Moses Frost

2024-03-04

Phishing Campaign Targets FCC and Cryptocurrency Platforms

Researchers from Lookout have detected a phishing kit they call CryptoChameleon that is being used to target US Federal Communications Commission (FCC) employees as well as users and employees of cryptocurrency platforms. The campaign uses cloned single sign-on pages to trick targeted users into sharing their account access credentials on mobile devices.

Editor's Note

Aside from your work to train users on social engineering and phishing attacks, here is where we also need phishing-resistant authentication, so that even if captured, the credentials are not fully effective. Better still, passwordless authentication. This campaign captured usernames, passwords, password reset URLs and even photo IDs. Be sure you're enabling all the strong authentication as well as detection measures you already own, rather than waiting for a "perfect" solution to raise the bar. Use this scenario to find gaps in your existing solutions.

Lee Neely

2024-03-03

Fulton County, Georgia Still Recovering from January Cyberattack

The government of Fulton County, Georgia, has not fully recovered from a late-January cyberattack against their IT systems. The incident took down the office phone system and prevented clerks from issuing vehicle registrations, marriage licenses, and other permits. The attackers have also threatened to leak sensitive data they claim to have taken from Fulton County systems. Fulton County is still working to restore phone systems and online services, although county offices are open. The LockBit ransomware group has claimed responsibility for the attack.

Editor's Note

As a means of comparison, it took the city of Baltimore three months to return affected city services to full operation at a cost of around $18M. This attack spotlights the need for organizations both public and private to test data recovery plans at a minimum, quarterly.

Curtis Dukes

Something that is often lost in the debate about paying extortion demands from cybercriminals is that regardless of whether you pay those demands or not, the recovery from an attack like that suffered by Fulton County can take a long time and many systems could remain offline for weeks and months. Always, regularly review your recovery plans and test them to see how quickly you can actually recover.

Brian Honan

Fulton County was a LockBit victim and was one of the sites targeted after the LockBit takedown/re-emergence, with the attackers saying they still had the data and demanding payment. Interestingly, even though the deadline passed without payment, no data were released. Meanwhile, the county is using paper forms to process jail detainees, residents cannot pay utility bills or access property records online, and clerks are unable to issue marriage licenses or firearm permits. If you can get your hands on the details of the restoration, it'll be a good use case to consider for resumption of services which are both widespread and interdependent. Take time to consider how you'd practice such a recovery.

Lee Neely

2024-03-04

North Korean Threat Actors Steal Info From South Korean Chip Makers

South Korea’s National Intelligence Service (NIS) has warned that North Korean cyber threat actors have been targeting South Korean semiconductor manufacturers and stealing sensitive corporate information. NIS says the attacks targeted Internet-exposed servers through known vulnerabilities to gain initial access to corporate networks. NIS says the cyber espionage groups used “living-off-the-land” techniques to hide from tools that might have detected their presence in the networks.

Editor's Note

Have you had a strategy discussion on detecting, and thwarting, a living-off-the-land attack? Could you detect abnormal use of normal tools, irregular lateral movement and data exfiltration? While old techniques, such as dropping in Cobalt Strike, are still in use, these attacks are becoming commonplace.

Lee Neely

The operative phrase here is “through known vulnerabilities.” Cybercriminals are opportunistic and will use known vulnerabilities to attack you. Some professionals estimate that working exploits are generally available 24-36 hours after patch release. That’s a small window for the defender to work with in updating systems, so prioritizing all Internet-facing servers first for patching is key.

Curtis Dukes

Internet Storm Center Tech Corner

Scanning for Confluence CVE-2022-26134

https://isc.sans.edu/diary/Scanning+for+Confluence+CVE202226134/30704

Capturing DShield Packets with a LAN Tap

https://isc.sans.edu/diary/Capturing+DShield+Packets+with+a+LAN+Tap+Guest+Diary/30708

Additional Critical Security Issues Affecting TeamCity

https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/

GitHub Push Protection Now On By Default

https://github.blog/2024-02-29-keeping-secrets-out-of-public-repositories/

Android Updates

https://source.android.com/docs/security/bulletin/2024-03-01

Linksys E-2000 Vulnerability

https://warp-desk-89d.notion.site/Linksys-E-2000-efcd532d8dcf4710a4af13fca131a5b8

Exploiting CSP Wildcards for Google Domains

https://attackshipsonfi.re/p/exploiting-csp-wildcards-for-google

Silver SAML: Golden SAML in the Cloud

https://www.semperis.com/blog/meet-silver-saml/