Robert Grupe's AppSecNewsBits 2024-04-20

Epic Fails: UnitedHealth ransomware cost rising to $1B, vulnerable smart locks - lack of sensitive data encryption protection. AI attacks and security guidance.

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Change Healthcare faces another ransomware threat

Hackers already received a $22 million payment. Now a second group demands money.

If RansomHub’s claims are real, it will mean that Change Healthcare’s already catastrophic ransomware ordeal has become a kind of cautionary tale about the dangers of trusting ransomware groups to follow through on their promises, even after a ransom is paid. In March, someone who goes by the name “notchy” posted to a Russian cybercriminal forum that AlphV had pocketed that $22 million payment and disappeared without sharing a commission with the “affiliate” hackers who typically partner with ransomware groups and often penetrate victims’ networks on their behalf.

RansomHub, a relatively new ransomware group, has posted to its dark-web site that it has 4 terabytes of Change Healthcare’s stolen data, which it threatened to sell to the “highest bidder”. RansomHub tells WIRED it is not affiliated with AlphV and “can’t say” how much it’s demanding as a ransom payment.

The incident reinforces that cybercriminals can't be trusted to delete data, even when they are paid. For example, when a global law enforcement operation disrupted the notorious LockBit ransomware group in February, police said they discovered that the cybercriminals still held data that victims had paid to have deleted.

UnitedHealth Group says it is continuing to “make progress in mitigating the impact” of the attack and expanding financial assistance to health care providers that have been impacted. The American Medical Association said “serious disruptions continue” across physician practices. A survey of AMA members, conducted between March 26 and April 3, found 80 percent of clinicians had lost revenue and many are using their own personal finances to cover a practice’s expenses. Medical practitioners responding to the survey said they were heading toward bankruptcy, were struggling to “manage pain care” for cancer patients, and that procedures had been delayed. “Practices will close because of this incident and patients will lose access to their physicians.”

UnitedHealth, parent company of ransomware-besieged Change Healthcare, says the total costs of tending to the February cyberattack for the first calendar quarter of 2024 currently stands at $872 million. That's on top of the amount in advance funding and interest-free loans UnitedHealth provided to support care providers reeling from the disruption, a sum said to be north of $6 billion. The remediation efforts spent on the attack are ongoing, so the total costs related to business disruption and repairs are likely to exceed $1 billion over time.

 

Octapharma Plasma pauses operations at all sites worldwide
According to its social media accounts, Octapharma Plasma's locations have been closed since Wednesday. "It was on Tuesday I looked at my app and then all of a sudden the server had went down so I was just questioning why it went down."

"On April 17, we identified unauthorized activity in our network environment, which has disrupted certain parts of our operations. We are taking this matter very seriously. Upon learning of this event, we began conducting an investigation with outside experts to understand the impact."

If it does turn out to be ransomware, Octapharma will join a growing list of US hospitals, health centers and medical firms that have been hit so far this year, as criminals increasingly target these critical orgs.

Encrypting hospital and pharmacy systems with malware may prevent patients from accessing life-saving treatments and medications. Plus, patients and donors trust healthcare companies to protect their sensitive medical and financial details, which puts these providers at risk of class-action lawsuits and investigations if they breach that trust and allow protected information to leak.

 

Michigan-based Cherry Health reported a data breach to regulators on Wednesday caused by a ransomware attack back in December 2023.

The health center revealed the scale of the sensitive data stolen. In addition to names, email and home addresses, phone numbers, and dates of birth, the stolen data included health insurance information and health insurance ID numbers, patient ID numbers, provider names, service dates, diagnosis/treatment information, prescription information, and financial account information and/or Social Security numbers.

The [disclosure] filing in Maine mentioned bank account or credit/debit card numbers were stolen in combination with one of the following: security code, access code, password, or PIN for the account.

 

The hackers, who call themselves GhostR, said they stole 5.3 million records from the World-Check screening database in March. World-Check is a screening database used for “know your customer” (KYC) checks, allowing companies to determine whether prospective customers are high risk or potential criminals. The hackers claim they stole the data from a Singapore-based firm with access to the World-Check database.

The database contains names, passport numbers, Social Security numbers, online crypto account identifiers and bank account numbers, and more - records on thousands of people, including current and former government officials, diplomats, and private companies whose leaders are considered “politically exposed people,” who are at a higher risk of involvement in corruption or bribery. The list also contains individuals accused of involvement in organized crime, suspected terrorists, intelligence operatives and a European spyware vendor.

 

The U.S. government is warning that “smart locks” securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. The lock’s maker Chirp Systems remains unresponsive, even though it was first notified by Matt Brown about the critical weakness in March 2021.

“Given that I am pretty picky about what I trust on my devices, I downloaded Chirp and after decompiling, found that they were storing passwords and private key strings in a file.” Using those hard-coded credentials, Brown found an attacker could then connect to an application programming interface (API) that Chirp uses which is managed by smart lock vendor August.com, and use that to enumerate and remotely lock or unlock any door in any building that uses the technology.

Also, the fobs pass the credentials to his front door over the air in plain text, meaning someone could clone the fob just by bumping against him with a smartphone app made to read and write NFC tags.

Brown said the exposure he found in Chirp’s products is “an obvious flaw that is super easy to fix.”
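The defect Brown describes, credentials and a private key shipped inside the app, is the kind of thing a build pipeline or a reviewer of a decompiled package can catch mechanically. The following is an added example (not Chirp's code and not Brown's tooling): it scans a set of files for hard-coded secrets using a few rules (PEM private-key headers, AWS-style access key IDs, and password/secret/api-key assignments that also pass an entropy check so placeholders such as "changeme" are ignored). The file names and contents are constructed to stand in for a decompiled app's resource tree; none of the values are real credentials.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Each rule: (finding name, regex). Group 1, where present, captures the secret
# value so the report can show a redacted preview instead of the secret itself.
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("pem-private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----")),
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("assigned-secret", re.compile(
        r"""(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b["']?\s*[:=]\s*["']([^"'\s]{6,})["']""")),
]

def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score above 4, dictionary words around 3 or less."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so findings can be matched up, hide the rest."""
    return value[:keep] + "*" * max(0, len(value) - keep)

def scan_text(path: str, text: str, entropy_threshold: float = 4.0) -> List[Dict[str, str]]:
    """One finding per matching line. The assigned-secret rule also requires high
    entropy, which drops obvious placeholders like password = "changeme"."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else ""
            if name == "assigned-secret" and shannon_entropy(value) < entropy_threshold:
                continue
            findings.append({"file": path, "line": str(lineno), "rule": name,
                             "preview": redact(value) if value else "<key block>"})
    return findings

def scan_files(files: Dict[str, str]) -> List[Dict[str, str]]:
    """Scan a mapping of path -> contents, e.g. the output tree of a decompiler."""
    out: List[Dict[str, str]] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out

# Constructed sample standing in for decompiled app resources (no real secrets).
SAMPLE_FILES = {
    "assets/config.json": '{"api_key": "Zq8v3Lk29sDf7xT1pQwE4rUy", "log_level": "debug"}\n',
    "assets/config.properties": 'password = "changeme"\nlog_level = "debug"\n',
    "assets/device.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAK...\n-----END RSA PRIVATE KEY-----\n",
    "src/Settings.java": 'static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['rule']} {f['preview']}")
```

Run against a real decompiled tree, a finding is only the start: the fix is not to hide the string better but to stop shipping a shared, long-lived credential at all, and to issue per-device, revocable credentials instead.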

 

Hackers have shared a database exposing 642,000 individuals’ personal information, including full names, email addresses, job titles, and the company they work for. The data allegedly comes from one of the world’s largest hospitality providers, Accor.

Troy Hunt: No independent verification and no statement from the company, yet a headline stating a publicly listed multinational with billions of dollars of annual revenue has had customer data exposed. That's, uh, "brave".

 

The 8Base ransomware gang added a new UNDP entry to its dark web data leak website on March 27. ​The files they temporarily leaked via a now-expired link allegedly include "a huge amount of confidential information," personal data, accounting data, certificates, employment contracts, confidentiality agreements, invoices, receipts, and more.

 

Due to their mass exploitation and the vast attack surface, CISA issued this year's first emergency directive on January 19, ordering federal agencies to mitigate the Ivanti zero-days immediately.

Threat actors compromised one of MITRE's Virtual Private Networks (VPNs) by chaining two Ivanti Connect Secure zero-days. They could also bypass multi-factor authentication (MFA) defenses by using session hijacking, which allowed them to move laterally through the breached network's VMware infrastructure using a hijacked administrator account. Throughout the incident, the hackers used a combination of sophisticated webshells and backdoors to maintain access to hacked systems and harvest credentials. "No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible."

 

Cisco has alerted customers that one of its Duo telephony partners fell victim to a phishing attack on April 1, during which crooks stole an employee's credentials and used them to access message logs associated with Duo accounts. The stolen logs did not contain any message content, but reportedly did include phone numbers, identify countries, and states to which each message was sent, plus some metadata on the time and type of message, and info on which carrier handled the TXTs.

[rG: Logs shouldn't contain any sensitive information (e.g. PII)]
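The practical version of that note is to sanitise records before they reach storage, so that a stolen message log carries only what operations needs. The following is an added example, not code from Cisco, Duo or the telephony partner: a Python logging filter that masks phone numbers and email addresses in each record (keeping a country-code prefix and the last two digits so operators can still correlate), attached to a handler that collects the formatted lines. The log lines are constructed for the example and the values are invented.

```python
import logging
import re
from typing import List, Tuple

# Phone numbers in the formats a telephony gateway is likely to log
# (+1 415 555 0198, (415) 555-0198, 415-555-0198, 4155550198). The digit
# lookarounds stop it from matching inside longer digit runs or timestamps.
PHONE = re.compile(r"(?<!\d)(?:\+?\d{1,3}[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def mask_phone(number: str) -> str:
    """Keep the first two and last two digits; everything else becomes '*'."""
    digits = re.sub(r"\D", "", number)
    if len(digits) < 6:
        return "***"
    return digits[:2] + "*" * (len(digits) - 4) + digits[-2:]

def mask_email(addr: str) -> str:
    """Keep one character of the local part and the domain."""
    local, _, domain = addr.partition("@")
    return local[:1] + "***@" + domain

def redact(text: str) -> str:
    text = EMAIL.sub(lambda m: mask_email(m.group(0)), text)
    return PHONE.sub(lambda m: mask_phone(m.group(0)), text)

class PIIRedactingFilter(logging.Filter):
    """Rewrites the message and its arguments before formatting; never drops a record."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: (redact(v) if isinstance(v, str) else v) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact(a) if isinstance(a, str) else a for a in record.args)
        return True

class ListHandler(logging.Handler):
    """Collects formatted lines in memory to show what would have been written."""
    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []
    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))

def build_logger(name: str = "sms-gateway") -> Tuple[logging.Logger, ListHandler]:
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PIIRedactingFilter())   # filters run in Handler.handle() before emit()
    logger.addHandler(handler)
    return logger, handler

def render_sample_logs() -> List[str]:
    """Constructed events modelled on what an SMS gateway might log (invented values)."""
    logger, handler = build_logger()
    logger.info("sent OTP to +1 415 555 0198 carrier=ExampleTel type=sms")
    logger.info("delivery receipt for (415) 555-0198 status=%s", "delivered")
    logger.warning("lookup failed for alice.smith@example.com: %s", "timeout after 2024-04-01 12:03:44")
    return handler.lines

if __name__ == "__main__":
    print("\n".join(render_sample_logs()))
```

The filter sits on the handler rather than the logger so that every record written by that handler is covered regardless of which logger produced it; the timestamp in the third line survives because the phone pattern requires a real number shape, not any digit run.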

 

McAfee released a report on a new LUA malware loader distributed through what appeared to be a legitimate Microsoft GitHub repository for the "C++ Library Manager for Windows, Linux, and MacOS," known as vcpkg.

The URLs for the malware installers, shown below, clearly indicate that they belong to the Microsoft repo, but we could not find any reference to the files in the project's source code. When leaving a comment, a GitHub user can attach a file, which will be uploaded to GitHub's CDN and associated with the related project using a unique URL. GitHub automatically generates the download link after you add the file to an unsaved comment. This allows threat actors to attach their malware to any repository without its owners knowing. Even if you decide not to post the comment or delete it after it is posted, the files are not deleted from GitHub's CDN, and the download URLs continue to work forever.

As the file's URL contains the name of the repository the comment was created in, and as almost every software company uses GitHub, this flaw can allow threat actors to develop extraordinarily crafty and trustworthy lures.
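The lure works because the path carries the owner and repository name even though the file was never committed, released or reviewed by the maintainers. A download proxy or mail filter can tell the two apart from the URL shape alone. The following is an added example, not McAfee's or GitHub's code: it classifies github.com and raw.githubusercontent.com URLs into comment attachments, release assets and committed files, and a policy function blocks everything except the last two. The `/<owner>/<repo>/files/<id>/<name>` shape is the one the report describes; the `/user-attachments/files/` shape is an assumption based on the path GitHub later adopted for attachments. The sample URLs use real repository names but invented file names and IDs.

```python
import re
from urllib.parse import urlparse
from typing import Dict, List

# Attachment uploaded via a comment box; the repo name in the path is cosmetic.
COMMENT_ATTACHMENT_IN_REPO = re.compile(r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/files/(?P<id>\d+)/(?P<name>[^/]+)$")
# Assumption: later attachment path that no longer embeds a repository name.
COMMENT_ATTACHMENT_GLOBAL = re.compile(r"^/user-attachments/files/(?P<id>\d+)/(?P<name>[^/]+)$")
# Content a maintainer actually published or committed.
RELEASE_ASSET = re.compile(r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/releases/download/(?P<tag>[^/]+)/(?P<name>[^/]+)$")
RAW_CONTENT = re.compile(r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/(?P<ref>[^/]+)/(?P<path>.+)$")

def classify_github_url(url: str) -> Dict[str, str]:
    """Say how a GitHub-hosted file came to exist. 'comment-attachment' means it was
    uploaded through a comment and is NOT part of the named repository."""
    u = urlparse(url)
    host, path = u.netloc.lower(), u.path
    if u.scheme != "https":
        return {"kind": "untrusted-scheme", "repo": "", "name": ""}
    if host == "github.com":
        m = COMMENT_ATTACHMENT_IN_REPO.match(path)
        if m:
            return {"kind": "comment-attachment", "repo": f"{m['owner']}/{m['repo']}", "name": m["name"]}
        m = COMMENT_ATTACHMENT_GLOBAL.match(path)
        if m:
            return {"kind": "comment-attachment", "repo": "", "name": m["name"]}
        m = RELEASE_ASSET.match(path)
        if m:
            return {"kind": "release-asset", "repo": f"{m['owner']}/{m['repo']}", "name": m["name"]}
        return {"kind": "other-github", "repo": "", "name": ""}
    if host == "raw.githubusercontent.com":
        m = RAW_CONTENT.match(path)
        if m:
            return {"kind": "committed-file", "repo": f"{m['owner']}/{m['repo']}",
                    "name": m["path"].rsplit("/", 1)[-1]}
    return {"kind": "not-github", "repo": "", "name": ""}

def should_block_download(url: str) -> bool:
    """Allow release assets and committed files; block attachments and anything unrecognised."""
    return classify_github_url(url)["kind"] not in {"release-asset", "committed-file"}

# Constructed sample URLs (file names and ids are invented).
SAMPLES: List[str] = [
    "https://github.com/microsoft/vcpkg/files/12345678/Update.Installer.zip",
    "https://github.com/user-attachments/files/15000001/installer.zip",
    "https://github.com/microsoft/vcpkg/releases/download/2024.03.25/vcpkg.zip",
    "https://raw.githubusercontent.com/microsoft/vcpkg/master/README.md",
    "http://github.com/microsoft/vcpkg/files/12345678/Update.Installer.zip",
]

if __name__ == "__main__":
    for url in SAMPLES:
        c = classify_github_url(url)
        print(f"{'BLOCK' if should_block_download(url) else 'ALLOW':5} {c['kind']:18} {url}")
```

Even a release asset deserves a second check (signature or checksum published by the project), but the attachment shape should never pass a download allowlist on the strength of the repository name in its path.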

 

HACKING

The Akira ransomware operation has breached the networks of over 250 organizations. Akira operators are demanding ransoms ranging from $200,000 to millions of dollars, depending on the size of the compromised organization.

 

We collected a dataset of 15 one-day vulnerabilities that include ones categorized as critical severity in the CVE description. When given the CVE description, GPT-4 is capable of exploiting 87 percent of these vulnerabilities compared to 0 percent for every other model we test (GPT-3.5, open-source LLMs) and open-source vulnerability scanners (ZAP and Metasploit). GPT-4 can actually autonomously carry out the steps to perform certain exploits that open-source vulnerability scanners cannot find.

 

One of LastPass's employees earlier this week received several WhatsApp communications -- including calls, texts, and a voice message -- from someone claiming to be its CEO, Karim Toubba. Luckily, the LastPass worker didn't fall for it because the whole thing set off so many red flags. "As the attempted communication was outside of normal business communication channels and due to the employee's suspicion regarding the presence of many of the hallmarks of a social engineering attempt (such as forced urgency), our employee rightly ignored the messages and reported the incident to our internal security team."

 

  1. Victim receives a call from an 888 number claiming their LastPass account has been accessed from a new device and instructing them to press “1” to allow the access or “2” to block it.

  2. If the recipient presses “2,” they are told they will receive a call shortly from a customer representative to “close the ticket.”

  3. The recipient receives a second call from a spoofed phone number and the caller identifies themself as a LastPass employee. The caller will send the recipient an email they claim will allow them to reset access to their account, but has a shortened URL that will send them to the “help-lastpass[.]com” site designed to steal the user’s credentials.

  4. If the recipient inputs their master password into the phishing site, the attacker attempts to log in to the LastPass account and change settings within the account to lock out the victim and take control of the account. These changes may include changing the primary phone number and email address as well as the master password itself.

Advanced features offered by CryptoChameleon include a captcha page, that prevents automated analysis tools used by researchers and law enforcement from crawling the Web and identifying phishing sites. The captcha may also make the page look more convincing to targets.
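Step 3 of that flow hinges on a domain that carries the brand name but is not the brand's domain, reached through a shortened link. The following is an added example, not LastPass's or the researchers' tooling: a small URL triage function that refangs defanged indicators (hxxp, [.]), sends known shorteners back for expansion, accepts only an explicit allowlist of registrable domains, and flags any other host containing the brand name after undoing common digit-for-letter lookalikes. It assumes no multi-label public suffixes (co.uk and similar) in its inputs; a production version would use the Public Suffix List. The brand and allowlist are parameters, and the sample URLs are constructed.

```python
import re
from urllib.parse import urlparse
from typing import Dict, Set

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd", "ow.ly"}
# Digits commonly substituted for letters in lookalike hostnames.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

def refang(text: str) -> str:
    """Undo common defanging (hxxp://, [.], (.), [:]) so the URL parses."""
    text = re.sub(r"^hxxp", "http", text.strip(), flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")

def registrable_domain(host: str) -> str:
    """Last two labels (assumption: no multi-label public suffixes in the input)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def normalise(host: str) -> str:
    """Collapse lookalike digits and separators so 'help-lastpa55' reads as 'helplastpass'."""
    return host.lower().translate(LOOKALIKES).replace("-", "").replace("_", "")

def assess_url(url: str, brand: str, legit_domains: Set[str]) -> Dict[str, str]:
    u = urlparse(refang(url))
    host = (u.hostname or "").lower()
    if not host:
        return {"host": host, "verdict": "unparseable"}
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        return {"host": host, "verdict": "shortened-expand-first"}
    if reg in legit_domains:
        return {"host": host, "verdict": "legitimate"}
    if brand.lower() in normalise(host):
        # Brand name anywhere in a host we do not own: subdomain tricks included.
        return {"host": host, "verdict": "brand-impersonation"}
    return {"host": host, "verdict": "unrelated"}

LEGIT = {"lastpass.com"}
SAMPLES = [
    "https://www.lastpass.com/login",
    "hxxps://help-lastpass[.]com/reset",          # the shape reported in the campaign
    "https://lastpass.com.account-verify.example/",
    "https://lastpa55.com/",
    "https://bit.ly/3abcXYZ",
    "https://example.org/lastpass",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = assess_url(s, "lastpass", LEGIT)
        print(f"{r['verdict']:24} {r['host']}")
```

The same check works for any brand: the user-facing rule it encodes is that a reset link is only ever followed if its registrable domain is the vendor's own, and a shortener in front of it is itself a warning sign.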

 

Sandworm, which is understood to work for Russia's GRU military intelligence and is now labeled APT44 by Mandiant, has strongly supported the ongoing invasion of Ukraine. This has included hitting Russia's neighbor with data-wiping malware, knocking out a segment of satellite comms terminals as well as mobile and internet services; stealing military secrets; and shutting down a Ukrainian power plant.

Yet the threat posed by Sandworm is far from limited to Ukraine. Sandworm operates the Telegram channels XakNet Team, CyberArmyofRussia_Reborn1, and Solntsepek, to draw attention to its activities and share any stolen data as it masquerades as some kind of independent hacktivist effort. Those channels mostly focus on causing chaos in Ukraine, though CyberArmyofRussia_Reborn1 has demonstrated it will go after Western targets, too.

In January, CyberArmyofRussia_Reborn's Telegram channel claimed credit for disrupting human machine interfaces (HMI) controlling OT systems at Polish and US water utilities. Shortly after, city officials in Muleshoe, Texas, confirmed that someone compromised its water infrastructure equipment and caused a tank to overflow.

Similar attempts were made at systems in nearby towns, Abernathy and Hale Center, and city officials reportedly "determined the common link to be the vendor software they use that keeps their water systems remotely accessible," according to local news reports.

Then in March, the same Telegram gang posted another video and claimed it compromised the technology controlling water levels at a French hydroelectric facility, thus allowing the miscreants to disrupt electricity generation.

 

Credential stuffing is an attack in which usernames and passwords exposed in one leak are tried out against other accounts, typically using automated scripts. When people reuse usernames and passwords across services or make small, easily intuited changes between them, actors can gain access to accounts with even more identifying information and access. In the case of the Roku attacks, that meant access to stored payment methods, which could then be used to buy streaming subscriptions and Roku hardware.

The first incident earlier this year involved roughly 15,000 user accounts. By monitoring these accounts, Roku identified a second incident, one that touched 576,000 accounts. Breached Roku accounts were sold for as little as 50 cents each and likely obtained using commonly available stuffing tools that bypass brute-force protections through proxies and other means.

 

At the time, it was one of the largest breaches in U.S. history but has since been surpassed greatly by hacks to Equifax, Yahoo, Home Depot, Target and PlayStation. A ten-year retrospective published in 2022 by The Post and Courier in Columbia, S.C. said investigators determined the breach began on Aug. 13, 2012, after a state IT contractor clicked a malicious link in an email. State officials said they found out about the hack from federal law enforcement on October 10, 2012. Three days before South Carolina officials say they first learned of the intrusion — a notorious cybercriminal who goes by the handle “Rescator” advertised the sale of “a database of the tax department of one of the states.” As it happens, Rescator’s criminal hacking crew was directly responsible for the 2013 breach at Target and the 2014 hack of Home Depot. On Dec. 14, 2023, KrebsOnSecurity published the results of a 10-year investigation into the identity of Rescator, a.k.a. Mikhail Borisovich Shefel, a 36-year-old who lives in Moscow and who recently changed his last name to Lenin.

According to a 2013 report from the Treasury Inspector General’s office, the IRS issued nearly $4 billion in bogus tax refunds in 2012, and more than $5.8 billion in 2013. The money largely was sent to people who stole SSNs and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.

Tax-related identity theft occurs when someone uses a stolen identity and SSN to file a tax return in that person’s name claiming a fraudulent refund. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually owed a refund from the U.S. Internal Revenue Service (IRS).

 

The login attempts use both generic usernames and valid usernames targeted at specific organizations. Cisco included a list of more than 2,000 usernames and almost 100 passwords used in the attacks, along with nearly 4,000 IP addresses sending the login traffic. The IP addresses appear to originate from Tor exit nodes and other anonymizing tunnels and proxies. The attacks appear to be indiscriminate and opportunistic rather than aimed at a particular region or industry.

Successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions. The traffic related to these attacks has increased with time and is likely to continue to rise.
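Both the Roku credential-stuffing incidents above and the VPN login campaign Cisco describes leave the same fingerprints in an authentication log: one source trying many accounts with a high failure rate (stuffing or spraying), one source hammering a single account (brute force), and, when proxies are used, one account failing from many otherwise quiet sources. The following is an added example, not Roku's or Cisco's detection logic: it parses a constructed login log, aggregates per source and per account, and reports verdicts plus the accounts that accepted a login from a flagged source, since a success from an attacking source is a hit, not a cleared user. The log format and IPs (RFC 5737 documentation ranges) are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, List, Set

# Constructed log format standing in for a VPN or web login audit log.
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    successes_after_failures: List[str] = field(default_factory=list)

def parse(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()

def aggregate_by_source(events: Iterable[Dict[str, str]]) -> Dict[str, SourceStats]:
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for e in events:
        s = stats[e["ip"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "FAIL":
            s.failures += 1
        elif s.failures > 0:          # a success only after failures from this source
            s.successes_after_failures.append(e["user"])
    return dict(stats)

def classify_sources(stats: Dict[str, SourceStats], min_attempts: int = 10,
                     min_users: int = 5, fail_ratio: float = 0.8) -> Dict[str, str]:
    verdicts: Dict[str, str] = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts:
            continue
        ratio = s.failures / s.attempts
        if len(s.users) >= min_users and ratio >= fail_ratio:
            verdicts[ip] = "credential-stuffing"   # many accounts, mostly wrong passwords
        elif len(s.users) == 1 and ratio >= fail_ratio:
            verdicts[ip] = "brute-force"           # one account hammered
    return verdicts

def accounts_at_risk(stats: Dict[str, SourceStats], verdicts: Dict[str, str]) -> Set[str]:
    """Accounts that accepted a login from a flagged source: treat as compromised."""
    at_risk: Set[str] = set()
    for ip in verdicts:
        at_risk.update(stats[ip].successes_after_failures)
    return at_risk

def classify_users(events: Iterable[Dict[str, str]], min_ips: int = 5) -> Dict[str, int]:
    """Pivot on the account: proxies make each source look harmless, but one account
    failing from many distinct sources is a distributed attack on that account."""
    failing_ips: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            failing_ips[e["user"]].add(e["ip"])
    return {u: len(ips) for u, ips in failing_ips.items() if len(ips) >= min_ips}

def build_sample_log() -> List[str]:
    """Constructed events: one stuffing source, one brute-force source, one real
    user who mistyped once, and one account sprayed from six proxies."""
    events = []
    for i in range(1, 21):                          # 20 accounts, 2 of them hit
        events.append(("203.0.113.5", f"user{i:03d}", "OK" if i in (7, 15) else "FAIL"))
    events += [("198.51.100.9", "admin", "FAIL")] * 12
    events += [("192.0.2.77", "alice", r) for r in ("FAIL", "OK", "OK")]
    events += [(f"203.0.113.{100 + k}", "vpnadmin", "FAIL") for k in range(1, 7)]
    return [f"2024-04-15T10:{i // 60:02d}:{i % 60:02d}Z src={ip} user={u} result={r}"
            for i, (ip, u, r) in enumerate(events)]

if __name__ == "__main__":
    evs = list(parse(build_sample_log()))
    stats = aggregate_by_source(evs)
    verdicts = classify_sources(stats)
    print("sources:", verdicts)
    print("accounts to force-reset:", sorted(accounts_at_risk(stats, verdicts)))
    print("accounts under distributed attack:", classify_users(evs))
```

The thresholds are deliberately parameters: the right values depend on normal traffic for the service, and the per-account pivot is the one that survives the proxy and Tor distribution both articles mention.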

 

Spy Pet, a service that sells access to a database of purportedly 3 billion Discord messages, offers data "credits" to customers who pay in bitcoin, ethereum, or other cryptocurrency. It claims to be catching and compiling that data and is offering packages that can track more than 600 million users across more than 14,000 servers. Searching individual users will reveal the servers that Spy Pet can track them across, a raw and exportable table of their messages, and connected accounts, such as GitHub. Ominously, Spy Pet lists more than 86,000 other servers in which it has "no bots," but "we know it exists."

Discord users may not expect their messages, server memberships, bans, or other data to be grabbed by a bot, compiled, and sold to anybody wishing to pin them all on a particular user. Spy Pet openly asks those training AI models, or "federal agents looking for a new source of intel," to contact them for deals.

 

Charles O. Parks' scheme allegedly used a variety of personal and business identities to register “numerous accounts” with the two cloud providers, in the process acquiring vast amounts of computing power and storage that he never paid for. Prosecutors said he tricked the providers into allotting him elevated levels of services and deferred billing accommodations, and deflected the providers’ inquiries regarding questionable data usage and unpaid bills. He allegedly then used those resources to mine Ether, Litecoin, and Monero digital currencies.

If convicted on all charges, Parks faces as much as 30 years in prison.

 

4.5 million DDoS attacks during the first quarter -- representing a 50% year-over-year (YoY) increase. DNS-based DDoS attacks increased by 80% YoY and remain the most prominent attack vector.

 

49.6% of all global internet traffic was generated by bots, marking a 2% increase compared to 2022. This is the highest level of bot activity that Imperva has reported since it started monitoring automated traffic in 2013. This rising automated traffic trend is costing businesses billions of dollars annually due to attacks on websites, APIs, and applications. The increase in bot-generated traffic comprised both automated and direct malicious engagements.

The global average of bad bot traffic reached 32%, with Ireland (71%), Germany (67.5%), and Mexico (42.8%) seeing the highest levels of bad bot traffic. The US also witnessed a higher ratio of bad bot traffic at 35.4% compared to 32.1% in 2022.

Account takeover (ATO) attacks also saw an increase of 10% in 2023, with 44% of all these attacks targeting API endpoints. Among all login attempts on the internet, 11% were associated with account takeover, impacting industries like Financial Services (36.8%), Travel (11.5%), and Business Services (8%).

The rapid adoption of generative AI and large language models resulted in the volume of simple bots growing to 39.6% in 2023 from 33.4% in 2022.

Automated threats caused a significant 30% of API attacks in 2023. Also, 17% of these were bad bots exploiting business logic vulnerabilities, which allows these bots to manipulate API functionalities and access sensitive data or user accounts.

The prevalence of bot traffic was observed across all sectors, with Gaming (57.2%) witnessing the most significant proportion of bad bot traffic. Simultaneously, Retail (24.4%), Travel (20.7%), and Financial Services (15.7%) experienced the highest volume of bot attacks. Advanced bad bots that mimic human behaviour and evade defences were most common on Law & Government, Entertainment, and Financial Services websites.

 

Conversations on SAP vulnerabilities and exploits have increased by 490% across the open, deep, and dark web from 2021 to 2023. The conversations primarily focused on how to exploit the vulnerabilities, guidance for the execution of exploitation for certain victims, and monetizing SAP compromises.

Exploit brokers are offering bounties of “up to $50,000” for a remote code execution (RCE) exploit affecting SAP NetWeaver-based systems. Crowdfense released its updated price list on April 8th, 2024, listing SAP RCE exploits at up to $250,000.

 

 

APPSEC

How ADR – application detection and response – can become the ‘EDR for apps’

80% of cyberattacks now target applications, emphasizing an urgent need to reflect on the way we approach application security (AppSec). Breaches such as MOVEit, Microsoft SharePoint, Ivanti Gateway and GoAnywhere highlighted the challenges of detecting and mitigating threats in real-time application behavior.

Today’s applications are constructed in a decentralized fashion, comprising various services that communicate based on mutual trust, often referred to as the "chain of trust." Attackers have evolved beyond exploiting vulnerabilities: they now exploit the application's inherent behavior by manipulating chains of trust. For instance, attackers can bypass authentication mechanisms built into the application, impersonating legitimate entities to gain unauthorized access.

However, most companies still lack the needed visibility into how their applications actually work and behave in live environments.

Application Detection and Response (ADR) represents a more proactive AppSec strategy, continuously monitoring the interactions between application services to detect and respond to cyber threats. By leveraging in-application runtime context, ADR establishes baseline behavior for services, data flows and authentication mechanisms, allowing it to identify and prevent malicious activity while it happens.

 

The National Security Agency (NSA) has released a Cybersecurity Information Sheet (CSI), “Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems.” The CSI is intended to support National Security System owners and Defense Industrial Base companies that will be deploying and operating AI systems designed and developed by an external entity.

 

  1. Adversarial risk

  2. Threat modeling

  3. AI asset inventory

  4. AI security and privacy training

  5. Establish business cases

  6. Governance

  7. Legal

  8. Regulatory

  9. Using or implementing LLM solutions

  10. Testing, evaluation, verification, and validation

  11. Model and risk cards

  12. RAG: LLM optimization

  13. AI red teaming

 

VENDORS & PLATFORMS

The core element of Cisco's plan is the deployment of "enforcement points" – essentially teensy firewalls that can run on a server, or in data processing units (DPUs, aka SmartNICs) installed in servers or networking hardware. Enforcement points are made aware of the applications they observe and known good behaviors of that software. They're also kept up to date with info about new vulnerabilities or attacks – thanks to the work of Cisco's security intelligence teams, which distil oodles of signals gathered online using AI.

Armed with info about what an app should be doing, and attacks that could change its behavior, enforcement points check for anomalous behavior. When the software finds it, it can do a couple of things. One is inform admins about which apps need patching. The other is to implement a "compensating control" that protects the app – essentially by creating new network segments that don't allow dangerous traffic.

 

CycloneDX v1.6 builds upon the strengths of the CycloneDX standard, which provides a machine-readable format for bills of materials for software, hardware (HBOMs), services (SaaSBOMs), and AI/ML models (AI/ML-BOMs).

CycloneDX 1.6 also adds a cryptographic bill of materials (CBOM), which helps organizations inventory their cryptographic assets, identify weaknesses, and plan for a future in which quantum computers can break current public-key encryption methods.
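A CBOM is only useful if something reads it back and turns the inventory into a migration plan. The following is an added example, not part of CycloneDX or any vendor's tooling: it builds a minimal CycloneDX 1.6 BOM of `cryptographic-asset` components for the algorithms a service uses, then walks it and marks the Shor-vulnerable public-key algorithms for replacement and short symmetric keys for lengthening (Grover halves effective symmetric strength; hashes and ML-KEM pass). The field names (`cryptoProperties`, `assetType`, `algorithmProperties`, `primitive`, `parameterSetIdentifier`, `cryptoFunctions`, `nistQuantumSecurityLevel`) follow the 1.6 JSON schema as I recall it and should be validated against the published schema before being relied on; the sample asset list is constructed.

```python
import json
from typing import Dict, List, Optional

# Asymmetric families whose hardness assumption (factoring / discrete log) falls to
# Shor's algorithm. Symmetric ciphers and hashes only lose half their bits to Grover,
# so for them the remedy is a longer key, not replacement.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EDDSA", "ED25519", "X25519"}

def crypto_asset(name: str, primitive: str, param_set: str, functions: List[str],
                 nist_level: int = 0, oid: Optional[str] = None) -> Dict:
    """One CycloneDX 1.6 component of type cryptographic-asset describing an algorithm
    (field names per the 1.6 schema as recalled; validate against the schema)."""
    props: Dict = {
        "assetType": "algorithm",
        "algorithmProperties": {
            "primitive": primitive,
            "parameterSetIdentifier": param_set,
            "cryptoFunctions": functions,
            "nistQuantumSecurityLevel": nist_level,
        },
    }
    if oid:
        props["oid"] = oid
    return {"type": "cryptographic-asset", "name": name,
            "bom-ref": f"crypto/algorithm/{name}@{param_set}", "cryptoProperties": props}

def build_cbom(components: List[Dict]) -> Dict:
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": components}

def quantum_migration_report(bom: Dict) -> List[Dict[str, str]]:
    """Walk the BOM and decide, per algorithm asset, whether PQC migration is needed."""
    report: List[Dict[str, str]] = []
    for c in bom.get("components", []):
        props = c.get("cryptoProperties", {})
        if c.get("type") != "cryptographic-asset" or props.get("assetType") != "algorithm":
            continue
        algo = props["algorithmProperties"]
        name, prim, params = c["name"].upper(), algo["primitive"], algo["parameterSetIdentifier"]
        if name in SHOR_VULNERABLE:
            report.append({"ref": c["bom-ref"], "action": "replace",
                           "reason": f"{prim} algorithm broken by Shor; migrate to a PQC {prim}"})
        elif prim == "block-cipher" and params.isdigit() and int(params) < 256:
            report.append({"ref": c["bom-ref"], "action": "lengthen",
                           "reason": "Grover halves effective key strength; use 256-bit keys"})
    return report

# Constructed inventory for one service; the RSA OID is the standard rsaEncryption OID.
SAMPLE_ASSETS = [
    crypto_asset("RSA", "pke", "2048", ["encrypt", "sign"], oid="1.2.840.113549.1.1.1"),
    crypto_asset("ECDSA", "signature", "secp256r1", ["sign", "verify"]),
    crypto_asset("AES", "block-cipher", "128", ["encrypt", "decrypt"]),
    crypto_asset("SHA2", "hash", "256", ["digest"]),
    crypto_asset("ML-KEM", "kem", "768", ["keygen", "encapsulate", "decapsulate"], nist_level=3),
]

if __name__ == "__main__":
    bom = build_cbom(SAMPLE_ASSETS)
    print(json.dumps(bom, indent=2))
    for f in quantum_migration_report(bom):
        print(f"{f['action']:8} {f['ref']}: {f['reason']}")
```

In practice the components would be discovered from code, certificates and TLS configuration rather than typed in, but the report logic stays the same: an inventory keyed by algorithm family and parameter set is what lets an organisation answer "where do we still use RSA" without a code search.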

 

Protobom, a new and innovative open source software supply chain tool. Protobom enables all organizations, including system administrators and software development communities, to read and generate Software Bill of Materials (SBOMs) and file data, as well as translate this data across standard industry SBOM formats.

 

 

In the new joint program with OWASP, Checkmarx has made Codebashing available to all OWASP members for a duration of one year beginning today, April 18, 2024. Once they’ve completed the program, participants will receive the Checkmarx AppSec Pro Certification for OWASP members. 

 

LEGAL & REGULATORY

The LabHost phishing-as-a-service (PhaaS) platform has been disrupted in a year-long global law enforcement operation that compromised the infrastructure and arrested 37 suspects, among them the original developer. Until LabHost's takedown, the authorities estimated that the cybercrime service's operators had received $1,173,000 from user subscriptions. Shortly after the law enforcement agents took control of its infrastructure, messages were sent to 800 users to warn them they will be the subjects of upcoming investigations. Investigators have also established that LabHost has stolen approximately 480,000 credit cards, 64,000 PINs, and one million passwords for various online accounts.

 

MGM Resorts wants the FTC to halt a probe into last year's ransomware infection at the mega casino chain – because the watchdog's boss Lina Khan was a guest at one of its hotels during the cyberattack.

That legal complaint, filed in a Washington DC federal district court, demands among other things an end to the regulator's investigation into the malware infection unless Khan is recused from the probe, and a declaration that the watchdog acted unconstitutionally.

MGM earlier said it expected losses totaling at least $100 million from the attack. It presumably would rather the FTC not add to that pain with fines or some other punishment stemming from scrutiny of the corporation's IT practices.

Shortly after Khan's stay, the FTC initiated a "wide-reaching" investigation into MGM, and has since asked the resort owner to produce "more than 100 categories of information," the lawsuit claimed. Some of these requests are "seemingly derived directly from Chair Khan's personal experience in transacting business with MGM during the attack." Additionally, the publicity that the MGM hack garnered was "enhanced" by media reports about Khan and her aide being hotel guests, and led to a slew of private lawsuits against the business. "Specifically, it is now a defendant in fifteen consumer class actions."

 

One communications provider informed the National Security Agency that it would stop complying on Monday with orders under Section 702 of the Foreign Intelligence Surveillance Act, which enables U.S. intelligence agencies to gather without a warrant the digital communications of foreigners overseas — including when they text or email people inside the United States.

Another provider suggested that it would cease complying at midnight Friday unless the law is reauthorized.

National security officials strongly disagree with their position and argue that the law requires the providers to continue complying with the government’s surveillance orders even after the statute expires. That’s because a federal court this month granted the government a one-year extension to continue intelligence collection.

But its renewal has become an unusually divisive flash point, aligning conservative Republicans and liberal Democrats who are wary of granting the government broad surveillance authorities without new restrictions.

U.S. security officials, for their part, for years have extolled the benefits of the law, with White House officials saying that the intelligence collected accounts for more than 60 percent of the president’s daily briefing.

 

Apple said it pulled the apps from the store to comply with orders it received from Cyberspace Administration, China's internet regulator, "based on national security concerns." It explained to the publications that it's "obligated to follow the laws in the countries where [it operates], even when [it disagrees]."

The Great Firewall of China blocks a lot of non-domestic apps and technologies in the country, prompting locals to use VPN if they want to access any of them. Meta's Facebook and Instagram are two of those applications, but WhatsApp and Threads have been available for download until now.

The Chinese regulator's order, justified on national security grounds, comes shortly before the Senate is set to vote on a bill that could lead to a TikTok ban in the US, a bill that rests on the same national security rationale the Cyberspace Administration cited for these apps.