Cybersecurity News: LockBit’s thwarted upgrade, AT&T’s massive outage, Change Healthcare cyberattack

LockBit was building next-gen encryptor before takedown

Monday’s takedown of LockBit, led by the FBI and the UK’s National Crime Agency along with other partners, has been the story of the week. We covered the takedown news on Tuesday, the seizure of key assets and arrests of affiliates on Wednesday, and yesterday we highlighted the fact that the gang did not delete stolen data even after having been paid, and that the U.S. State Department is now also offering rewards of up to $15 million to anyone who can provide information about LockBit ransomware gang members and their associates. It now also appears that its developers were secretly building a new version of their file-encrypting malware, called LockBit-NG-Dev but probably to be eventually named LockBit 4.0. This latest version was written in .NET rather than C, supported three encryption modes, randomized file naming to complicate restoration efforts, and had a self-delete mechanism. A link to a technical analysis of LockBit 4.0, prepared by Trend Micro, is available in the show notes to this episode.

(Bleeping Computer and Trend Micro)

Thousands of wireless customers suffer outage

U.S.-based customers of Verizon, T-Mobile, and AT&T, including some 911 services, found themselves without wireless service for much of yesterday. This included customers in North Carolina, Louisiana, Texas, Florida, California, Massachusetts, Michigan, and Minnesota. As of this recording a cause had not been identified; however, by late Thursday afternoon AT&T stated that three-quarters of its network had been restored. The outages felt by customers of Verizon and T-Mobile were attributed to problems encountered while trying to connect with other networks.

(Bleeping Computer and Reuters)

Prescriptions on hold due to Change Healthcare cyberattack

The health technology firm Change Healthcare confirms that this attack has led to delays in processing prescriptions for patients. Change Healthcare merged with Optum in 2022; Optum is itself a subsidiary of UnitedHealth Group, which “has access to around one-third of U.S. patients and which handles 15 billion healthcare transactions annually.” In addition to prescriptions, “pharmacy, medical records, dental, payment services and patient engagement services are still affected.” The incident, which is still ongoing at the time of this recording, has been confirmed as contained to Change Healthcare only, and all other systems across UnitedHealth Group are operational.

(InfoSecurity Magazine)

Industrial sector ransomware attacks increased by 50% last year

A new report from Dragos says that ransomware in the industrial sector increased 50% from 2022 to 2023 to become that sector’s primary attack vector. LockBit was responsible for a quarter of all industrial ransomware attacks, with ALPHV and BlackBasta accounting for 9% each. Manufacturing remains the primary target. The report also outlines three new OT threat groups: Voltzite, Gananite and Laurionite. Voltzite targets electric power generation, transmission, and distribution as well as defense industrial bases, satellite services, telecommunications, and educational organizations. It is associated with Volt Typhoon. Gananite currently targets critical infrastructure and government entities in the Commonwealth of Independent States, using publicly available proof-of-concept (PoC) exploits for internet-exposed endpoints, and focuses on espionage and data theft. Laurionite targets and exploits Oracle E-Business Suite iSupplier web services and assets across the aviation, automotive, and manufacturing industries. A link to the Dragos report is available in the show notes to this episode.

(Security Magazine and Dragos)

Huge thanks to this week’s episode sponsor, Conveyor

Conveyor, the security questionnaire automation software that one of its customers dubbed “my favorite security tool of the year”, is now even better. They’ve upgraded their browser extension for portal-based questionnaires, and it can now autofill OneTrust portal questionnaires in one click. You can test the AI in a free proof of concept at www.conveyor.com. Mention this podcast for 5 free questionnaire credits when you purchase an Enterprise plan.

Doppelgänger targets German elections through influence

According to research from SentinelLabs and ClearSky Cyber Security, the Russia-aligned group has been busy sending out propaganda and disinformation content to influence public opinion regarding Ukraine and the German elections. Using a range of social media platforms, especially X (formerly Twitter), the group reposts content from popular profiles, or simply fakes them, and points readers to longer articles. An advisory from the researchers states, “We anticipate that Doppelgänger’s activities, targeting not only Germany but also other Western countries, will persist and evolve, particularly in light of the major elections scheduled across the EU and the USA in the coming years.”

(InfoSecurity Magazine)

Cyber Pros Embrace AI, says ISC2

According to a new report from ISC2, “most cybersecurity professionals believe that AI will have a positive impact on their jobs, helping alleviate pressures caused by the cyber skills gap.” The security certification organization found that 82% of respondents agreed that AI will improve job efficiency for cyber professionals, with 35% stating that it already has. The report says only 27% of cybersecurity professionals said their organizations have a formal policy in place to govern the safe and ethical use of AI. A link to this report is also available in the show notes to this episode.

(InfoSecurity Magazine and ISC2)

Open-source SSH-Snake tool weaponized for network attacks

SSH-Snake is a self-modifying worm designed to patrol a network infrastructure and detect weaknesses before attackers do. It now appears to have been co-opted by threat actors, who use these same capabilities to harvest credentials and IP addresses of targets, and to use SSH keys to gain a deeper foothold inside a network. According to The Hacker News, “it creates a comprehensive map of a network and its dependencies, helping determine the extent to which a network can be compromised using SSH and SSH private keys starting from a particular host.”

(The Hacker News)

FTC fines Avast $16.5 million for allegedly selling user browsing data

According to The Record, the FTC “alleges that Avast’s Czechia-based cybersecurity software arm used its browser extensions and antivirus software to collect, indefinitely store, and allow a partner company to sell users’ web browsing histories from 2014-2020 without adequate notice and consumer consent.” The sale of the web browsing data was led by Avast’s American subsidiary Jumpshot, which allegedly told customers that data from its more than 100 million online global consumers could allow them to “see where your audience is going before and after they visit your site or your competitors’ sites, and even track those who visit a specific URL.”

(The Record)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.