Cybersecurity Saturday

TWO BIG STORIES with an interlude

  • Good news
  • Cybersecurity Dive reported on Tuesday February 20,
    • “An international group of law enforcement partners said it disrupted LockBit ransomware operations Tuesday, seizing the infrastructure of one of the most prolific ransomware groups in recent history. 
    • “The Department of Justice, working in conjunction with U.K. authorities and other international law enforcement agencies, unsealed indictments against two Russian nationals, Artur Sungatov and Ivan Kondratyev, charging them with deploying LockBit against numerous companies around the U.S. and other targets overseas. 
    • “The FBI and U.K. National Crime Agency, working with multiple partners, also seized numerous public facing websites and servers used by Lockbit. Authorities obtained decryption keys that will allow hundreds of targeted organizations and others to regain their stolen data.”
  • Cyberscoop adds more details on this important take down.
    • “A LockBit representative confirmed the operation in an online message posted on X by VX-Underground, an online malware repository. “FBI pwned me,” the representative said. 
    • “As of today, LockBit are locked out,” Graeme Biggar, the National Crime Agency Director General, said in a statement. “We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”
    • Two people were arrested as part of the operation — one in Poland and one in Ukraine — Europol said in its statement.
  • Dark Reading suggests that “Hubris May Have Contributed to Downfall of Ransomware Kingpin LockBit.”
  • Interlude
  • Cybersecurity Dive reported on Thursday, February 22, 2024,
    • “Critical vulnerabilities in ConnectWise ScreenConnect are under active exploitation by threat actors, and there is an urgent need for users to patch their systems, according to security researchers.
    • “ConnectWise ScreenConnect is a remote desktop application widely used by help desks and remote workers. A critical authentication bypass vulnerability, with a CVSS score of 10, could allow an attacker access to critical systems or confidential information. A path traversal vulnerability, with a score of 8.4, could allow an attacker to execute remote code.
    • “ConnectWise on Wednesday urged on-premises partners to immediately upgrade to the latest version of ScreenConnect, after its incident response team began to investigate reports of suspicious activity. The vulnerability applies to on-premises users.”
  • Dark Reading provides more details on this massive vulnerability
    • “Just days after initial exploitation reports started rolling in for a critical security vulnerability in the ConnectWise ScreenConnect remote desktop management service, researchers are warning that a supply chain attack of outsized proportions could be poised to erupt.
    • “Once the bugs are exploited, hackers will gain remote access into “upwards of ten thousand servers that control hundreds of thousands of endpoints,” Huntress CEO Kyle Hanslovan said in emailed commentary, opining that it’s time to prepare for “the biggest cybersecurity incident of 2024.”
  • Bad News
  • The Wall Street Journal reported yesterday,
    • Pharmacies warned of long waits for customers and U.S. military clinics worldwide have been affected after a cyberattack against one of the country’s largest prescription processors rolled into a third day of downtime.
    • Health industry experts said that a cyberattack against Change Healthcare, part of insurer UnitedHealth Group’s Optum business, could have severe and lasting consequences should outages continue past the weekend.
    • “It’s a mess, and I believe it’s our Colonial Pipeline moment in healthcare,” said Carter Groome, chief executive of healthcare-focused consulting firm First Health Advisory, referring to a 2021 cyberattack that forced the major fuel artery for the U.S. East Coast to shut down for six days, causing long lines at gas stations. * * *
    • “Parent company UnitedHealth said Thursday in a regulatory filing with the U.S. Securities and Exchange Commission that it identified a cyberattack affecting systems at Change Healthcare on Wednesday. The company suspects a nation-state was behind the attack, the filing said. * * *
    • “The American Hospital Association urged healthcare facilities Wednesday to disconnect from Optum and to check their systems for security vulnerabilities.
      • “We recommend that all healthcare organizations that were disrupted or are potentially exposed by this incident consider disconnection from Optum until it is independently deemed safe to reconnect to Optum,” the AHA said.
    • “The association also urged members to test their data backups, check that critical patches are up-to-date and designate staff for shifts to manage manual processes.
    • “There is fragility in our infrastructure and in the lack of redundancy, the lack of rehearsals,” said Theresa Payton, CEO at cybersecurity consulting firm Fortalice.”
  • SC Media brings the stories together as follows:
    • “Security experts have warned for the past couple of days that the two flaws recently uncovered in ConnectWise’s ScreenConnect app could become the major cybersecurity story of 2024 – and that the healthcare and critical infrastructure sectors were especially vulnerable.
    • “Today, we’re inching closer to that reality as SC Media has learned that the recent cybersecurity incident at UnitedHealth’s Change Healthcare that led to slowdowns at pharmacies was caused by a strain of LockBit malware that was used to exploit the vulnerabilities in ConnectWise ScreenConnect.
    • “Toby Gouker, chief security officer at First Health Advisory, stressed that while it was a LockBit strain of malware, it doesn’t mean that the recently taken down LockBit gang was responsible. Gouker said the two flaws were discovered as part of a crowdsourced team for the ConnectWise bugs on Feb. 15 and that the vulnerability notifications went out on Feb. 19.
    • “And that’s where the problems started. As many of you know, malicious actors watch for these announcements to come out,” said Gouker. “They prey on the timeframe between the announcement and when an organization is able to apply the patch. So from the get-go, these actors are working to figure out a way to exploit the disclosed vulnerability and capitalize on it.”
    • “While Gouker stands by his comments, ConnectWise remained somewhat defensive, yet cautious, issuing this statement late Friday night:”
      • “At this time, we cannot confirm that there is a connection between the Change Healthcare incident and the ScreenConnect vulnerability. Our initial review indicates that Change Healthcare appears not to be a ConnectWise direct customer, and our managed service provider partners have yet to come forward, stating Change Healthcare is a customer of theirs.” * * *
  • Here is a link to the CISA notice adding the ConnectWise known exploited vulnerability (CVE-2024-1709) to its catalog on February 22. This was the only KEV change announced this week.
  • Optum provided the following update on the Change Healthcare breach this morning
    • Change Healthcare is experiencing a cyber security issue, and our experts are working to address the matter. Once we became aware of the outside threat, and in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact. This action was taken so our customers and partners do not need to. We have a high-level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue.
    • We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online. We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect. The disruption is expected to last at least through the day. We will provide updates as more information becomes available.
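The KEV addition noted above is the kind of weekly change worth turning into a routine check. The script below is an added example, not code from the original post or from CISA: it reads a snapshot of the KEV feed, keeps the entries added within a date window, and joins them to a local asset inventory so the CISA due date lands next to the hosts that actually run the product. The feed URL named in the docstring is CISA’s published JSON feed, but the script never fetches it; the catalog snapshot and the inventory are constructed here (host names, the placeholder second entry and the hosting column are made up), and the CVE-2024-1709 record’s fields beyond its date added should be verified against the live catalog.

```python
"""Added example, not code from the original post or from CISA.

Turns the weekly "what changed in the KEV catalog" question into a check:
read a KEV feed snapshot, keep the entries added in a date window, and match
them against a local asset inventory so the patch deadline lands next to the
hosts that carry the product.

Assumption (not from the post): the live feed is the JSON file CISA publishes
at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json.
This script never fetches it; it runs offline on the CONSTRUCTED snapshot and
inventory below, which use the feed's field names.
"""
from datetime import date
import json

# Constructed KEV snapshot. The first record is the ScreenConnect addition the
# post links to (CVE-2024-1709, added 2024-02-22); its remaining fields are
# filled in to look like the feed and should be verified against the live
# catalog. The second record carries an obviously fake placeholder CVE ID and
# exists only so the date filter has something to exclude.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-1709",
            "vendorProject": "ConnectWise",
            "product": "ScreenConnect",
            "vulnerabilityName": "ConnectWise ScreenConnect Authentication Bypass Vulnerability",
            "dateAdded": "2024-02-22",
            "dueDate": "2024-02-29",
            "knownRansomwareCampaignUse": "Known",
        },
        {
            "cveID": "CVE-0000-0000",  # placeholder, not a real identifier
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder older entry",
            "dateAdded": "2024-01-10",
            "dueDate": "2024-01-31",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed asset inventory (made-up hosts). The hosting column matters
# because the post notes the ScreenConnect flaw applies to on-premises users;
# the vendor patches its own cloud-hosted instances.
INVENTORY = [
    {"host": "sc-onprem-01", "vendor": "ConnectWise", "product": "ScreenConnect", "hosting": "on-prem"},
    {"host": "sc-cloud", "vendor": "ConnectWise", "product": "ScreenConnect", "hosting": "cloud"},
    {"host": "fileserver-07", "vendor": "ExampleVendor", "product": "ExampleProduct", "hosting": "on-prem"},
]


def kev_added_between(feed_json, start_iso, end_iso):
    """Entries whose dateAdded falls within [start, end] (ISO dates, inclusive)."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    catalog = json.loads(feed_json)
    return [
        v for v in catalog["vulnerabilities"]
        if start <= date.fromisoformat(v["dateAdded"]) <= end
    ]


def weekly_report(feed_json, inventory, week_start_iso, week_end_iso, only_on_prem=True):
    """Join the week's KEV additions to inventory rows by vendor and product.

    Returns one row per affected host with the CISA due date and the days left
    counted from the end of the window. Cloud-hosted rows are dropped when
    only_on_prem is set. Rows with known ransomware use sort first, then by
    nearest deadline.
    """
    week_end = date.fromisoformat(week_end_iso)
    rows = []
    for entry in kev_added_between(feed_json, week_start_iso, week_end_iso):
        key = (entry["vendorProject"].casefold(), entry["product"].casefold())
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if (asset["vendor"].casefold(), asset["product"].casefold()) != key:
                continue
            if only_on_prem and asset["hosting"] != "on-prem":
                continue
            rows.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "ransomware_use": entry["knownRansomwareCampaignUse"],
                "due": entry["dueDate"],
                "days_left": (due - week_end).days,
            })
    rows.sort(key=lambda r: (r["ransomware_use"] != "Known", r["days_left"]))
    return rows


if __name__ == "__main__":
    # The week covered by this post: the ScreenConnect entry is the only hit.
    for row in weekly_report(KEV_SNAPSHOT, INVENTORY, "2024-02-17", "2024-02-24"):
        print(row)
```

Matching on vendor and product is deliberately coarse: the KEV feed carries no version data, so the inventory, not the catalog, has to answer whether a given host is already on a fixed build. Replacing `KEV_SNAPSHOT` with the downloaded feed and `INVENTORY` with a CMDB export is the only change needed to run this against real data.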

In other vulnerabilities and breaches news,

  • On February 22, 2024, the HHS Office for Civil Rights announced
    • “On February 14, 2024, the U.S. Department of Health & Human Services Office for Civil Rights issued two Reports to Congress on Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance and enforcement, specifically, on HIPAA Privacy, Security, and Breach Notification Rule Compliance and Breaches of Unsecured Protected Health Information. These reports are required to be submitted to Congress annually by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The HIPAA Rules provide the minimum required privacy and security safeguards for protected health information, and give individuals rights with respect to that information, such as the right to access their health information. These reports, delivered to Congress, help regulated entities (such as most health care providers, health plans, and healthcare clearinghouses) and their business associates in their HIPAA compliance efforts by sharing steps taken by OCR to investigate complaints, breach reports, and compliance reviews regarding potential violations of the HIPAA Rules. The reports include important data on the number of HIPAA cases investigated, areas of noncompliance, and insights into trends such as cybersecurity readiness.  * * *
    • “As in previous years, hacking/IT incidents remain the largest category of breaches occurring in 2022 affecting 500 or more individuals, and affected the most individuals, comprising 77% of the reported breaches. Network servers continued as the largest category by location for breaches involving 500 or more individuals at 58% of reported large breaches.
    • “OCR’s 2022 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/reports-congress/index.html
    • “OCR’s 2022 Report to Congress on Breaches of Unsecured Protected Health Information may be found at:  https://www.hhs.gov/hipaa/for-professionals/breach-notification/reports-congress/index.html.”
  • Cybersecurity Dive tells us,
    • “Organizations with weak cloud security controls and gaps in cross-domain visibility are getting outmaneuvered by threat actors and struck by intrusions, CrowdStrike said Wednesday in its annual Global Threat Report.
    • “Cloud environment intrusions jumped 75% from 2022 to 2023, as threat actors abused unique cloud features to initiate attacks, the report found.
    • “This is not surprising,” said Adam Meyers, head of counter adversary operations at CrowdStrike. “We’ve seen more and more organizations deploying more and more cloud resources without necessarily having a cohesive or equivalent security posture for their cloud deployments as they do in their traditional enterprise deployments.”
  • Cyber Express informs us
    • “The fusion of Artificial Intelligence (AI) and cybersecurity has ushered in a new era of warfare, one conducted not on physical battlegrounds but in the vast expanse of cyberspace. With the global AI in the cybersecurity market projected to surge to $133.8 billion by 2030, the landscape is undergoing a seismic shift, with both promise and peril on the horizon. 
    • “At the heart of this revolution lies a paradox: while AI bolsters defenses, it also empowers malicious actors, fueling a surge in cybercrime. As cyberattacks grow in both scale and sophistication, the stakes have never been higher, with a staggering $9.22 trillion expected to be drained from the world’s internet users in 2024 alone. * * *
    • “As we navigate this tumultuous terrain, the imperative lies in striking a delicate balance between innovation and vigilance. Harnessing AI’s potential while mitigating its risks demands a multifaceted approach, one rooted in proactive defense, continuous adaptation, and unwavering resilience. 
    • “In the crucible of cyber conflict, AI emerges not merely as a technological marvel but as a beacon of hope, illuminating the path toward a safer, more secure digital future. Only by embracing the transformative power of AI can we hope to outmaneuver the adversaries lurking in the shadows of cyberspace.” 
  • CSO points out,
    • “Attackers prefer compromised valid accounts over phishing or any other infection methods to gain access into victim environments, according to an IBM report.
    • “As defenders increase their detection and prevention capabilities, attackers are finding that obtaining valid credentials is an easier route to achieving their goals, considering the alarming volume of compromised yet valid credentials available — and easily accessible — on the dark web,” IBM said in the report.
    • “The report, which is based on IBM X-Force’s penetration testing data from incidents in 2023, also found security misconfigurations and poor authentication enforcement as top application security risks opening organizations to identity-based attacks.”

From the ransomware front,

  • TechCrunch identifies the “top 13 ransomware targets in 2024 and beyond.” Education is the top target, and healthcare is ranked number 11.
  • Cybersecurity Dive relates,
    • “The HHS has reached its second-ever settlement related to a ransomware attack, which exposed the protected health information of more than 14,000 people, the agency announced Wednesday. 
    • “Maryland-based Green Ridge Behavioral Health agreed to pay $40,000 and implement a corrective action plan after an investigation found potential violations of the HIPAA rule and lax protections after an attack reported in early 2019, according to the HHS’ Office for Civil Rights.
    • “The settlement comes as ransomware has become a growing and critical threat to healthcare organizations, and regulators have signaled interest in enforcing cybersecurity standards.” 

In other cybersecurity news,

  • SDXCentral calls our attention to the fact that
    • Gartner unveiled the top cybersecurity trends for 2024, including the impact of generative artificial intelligence (genAI), boardroom communication gaps, human risks, third-party security risks, continuous threat exposure and identity-first approaches to security.