Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12692
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary | Link |
|---|---|---|---|---|---|
| 2024-03-06 00:35:08 | theregister | CYBERCRIME | US Government Acts Amid Healthcare Ransomware Disruption | The US Department of Health and Human Services (HHS) is aiding healthcare providers hit by the Change Healthcare ransomware attack, believed to be the work of ALPHV/BlackCat. HHS has enacted more lenient Medicare regulations and is expediting funding to the impacted medical facilities, aiming to ease their cash-flow difficulties and maintain patient care. Over 70,000 pharmacies and healthcare organizations using Change Healthcare's software for insurance claims and prescriptions have faced operational disruptions since the cyberattack on February 21. The government has allowed an expedited change in Medicare claims processing and encourages advance funding by Medicare Advantage organizations to the most affected providers. Medicaid and the Children's Health Insurance Program are advised to ease prior-authorization demands and also offer advance payments. Paper claims are being accepted because of electronic billing system downtime, highlighting the need for stronger cybersecurity in the healthcare sector. Cybersecurity experts predict that the initially voluntary cybersecurity performance goals issued by HHS may soon become mandatory in the wake of this incident. Further complications emerge as the ALPHV/BlackCat ransomware gang appears to have performed an exit scam, faking a law enforcement seizure after allegedly embezzling over $22 million in ransom payments. | Details |
| 2024-03-05 23:33:56 | bleepingcomputer | NATION STATE ACTIVITY | NSA Guides Organizations on Zero-Trust Adoption to Thwart Adversaries | The National Security Agency (NSA) has released new guidance to help organizations adopt zero-trust principles, aiming to restrict adversary movement on internal networks. Zero-trust architecture emphasizes strict access controls on network resources and assumes a threat may already be present on the network, in contrast with traditional trust models. NSA's guidance focuses on the 'network and environment' component of zero trust, covering hardware, software, entities, and communication protocols. The NSA outlines four maturity levels for organizations to enhance network security through data flow mapping, segmentation, and software-defined networking. Data flow mapping involves a detailed inventory and visibility of where data is stored and processed, while macro and micro segmentation prevent lateral movement across network segments. Software-defined networking affords centralized control and policy enforcement, contributing to granular security monitoring and faster attack response. The guidance is part of an ongoing effort by the NSA to promote a resilient enterprise architecture through zero trust, with previous guidance released on user pillar maturity. | Details |
| 2024-03-05 21:36:40 | bleepingcomputer | CYBERCRIME | Apple Releases Patches for Zero-Day Exploits in iOS Devices | Apple has issued emergency security updates for iOS to address two zero-day vulnerabilities that were actively exploited. The vulnerabilities, identified as CVE-2024-23225 and CVE-2024-23296, affect the iOS Kernel and RTKit, respectively. Both could enable attackers who already have kernel read/write access to bypass kernel memory protections. Devices running iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6 received patches with improved input validation. A broad range of Apple devices is affected, though the company has not shared details about who reported the vulnerabilities. While Apple remains tight-lipped about the specifics of the attacks, zero-days are typically used in sophisticated espionage campaigns against select targets. Users are urged to install the latest security updates promptly to reduce the risk of exploitation. This year, Apple has already fixed three zero-days, following last year's fixes for 20 zero-days that were similarly exploited in the wild. | Details |
| 2024-03-05 20:30:08 | bleepingcomputer | MALWARE | WogRAT Malware Targets Asian Countries via Online Notepad | WogRAT, a new malware family, abuses the aNotepad service for clandestine storage and retrieval of malicious code. The malware currently affects both Windows and Linux systems, predominantly in Asian regions including Japan, Singapore, and China. WogRAT executables masquerade as common software tools and likely spread through malvertising or similar tactics. For Windows, WogRAT retrieves a base64-encoded .NET binary from aNotepad, evading usual security detection because the service itself is legitimate. The Linux version of WogRAT uses Tiny Shell and additional encryption, and does not use aNotepad for malicious code storage. WogRAT can send system profiles to its C2 server and execute commands, although how the Linux ELF binary is distributed remains unknown. ASEClab's report closes with a comprehensive list of indicators of compromise connected to WogRAT. | Details |
| 2024-03-05 19:33:58 | theregister | DATA BREACH | Fidelity Customers' Data Compromised in Infosys Security Breach | Nearly 30,000 Fidelity Investments Life Insurance customers' personal and financial information may have been stolen in a cybersecurity incident involving Infosys' IT systems. Infosys, an Indian tech services company, was infiltrated, potentially exposing names, Social Security numbers, bank account details, and more. LockBit, a ransomware group, claimed responsibility for the Infosys breach, which occurred prior to a law enforcement crackdown on the group's operations in December. The breach is reminiscent of a previous incident involving Infosys and Bank of America, in which personal data of 57,028 customers was possibly accessed by unauthorized parties. Both incidents resulted in significant disruptions to Infosys-provided services to the affected financial institutions. Fidelity is working with Infosys to understand the breach's scope and to implement necessary security measures, while keeping affected customers informed of developments. | Details |
| 2024-03-05 18:12:10 | bleepingcomputer | NATION STATE ACTIVITY | U.S. Sanctions Entities Behind Predator Spyware Targeting Americans | The U.S. Department of the Treasury's OFAC has sanctioned individuals and entities linked to the Predator commercial spyware. Predator spyware has been used to target U.S. government officials, journalists, and policy experts, among others. Sanctions are imposed on the Israeli founder of the Intellexa Consortium, Tal Jonathan Dilian, and Polish specialist Sara Aleksandra Fayssal Hamou. Companies associated with the distribution of Predator technology are also targeted by the sanctions. Predator spyware's capabilities have been detailed in reports by Google's Threat Analysis Group and Cisco Talos, which note its use of zero-day vulnerabilities. Inclusion on OFAC's SDN List freezes U.S. assets and bans transactions with the designated individuals and entities, with severe penalties for non-compliance. The U.S. move aims to counter the misuse of spyware technology and deter international partners from collaborating with sanctioned parties. Despite global concerns, Recorded Future reports that the distribution of Predator spyware is expanding to additional countries. | Details |
| 2024-03-05 17:10:45 | theregister | NATION STATE ACTIVITY | U.S. Veteran Charged with Sharing Defense Secrets via Dating App | Retired U.S. Army Lieutenant Colonel David Franklin Slater has been indicted for allegedly disclosing national defense information (NDI) through a dating app. Slater, while holding a Top Secret clearance as a civilian Air Force employee, attended briefings on the war in Ukraine and passed on NDI. The information shared ranged from military targets to Russian military capabilities, classified up to the "Secret" level. Communication with the supposed Ukrainian woman, whom Slater believed to be genuine, included requests for insights into U.S. intelligence assessments and Top Secret meetings. If convicted, Slater faces up to 10 years in prison, three years of supervised release, and a fine of $250,000 for each count. Justice Department officials emphasize their commitment to holding individuals accountable for jeopardizing national security by unlawfully disclosing classified information. | Details |
| 2024-03-05 16:49:52 | bleepingcomputer | CYBERCRIME | Hackers Employ QEMU for Covert Network Tunneling in Cyberattack | Cybercriminals abused the open-source QEMU hypervisor to create stealthy network tunnels during a cyberattack on a large company. QEMU's virtual network interface and socket-type network device were used to establish a covert channel from the victim's system to the attacker's server. The tactic allowed the attackers to avoid raising suspicion, bypass firewalls and intrusion detection systems, and operate with minimal impact on system performance. This approach is part of a trend in which attackers use legitimate tools for malicious purposes to remain undetected, a method observed in 10% of Kaspersky's investigations. Tools such as Angry IP Scanner and mimikatz were also used alongside QEMU to minimize the attack's footprint, including setting up a VM with only 1MB of RAM. To counter such threats, Kaspersky recommends multi-level protection with 24/7 network and endpoint monitoring by SOC experts to detect and block early-stage attacks. | Details |
| 2024-03-05 16:23:54 | theregister | DATA BREACH | Social Media Platform Exposes User IP Addresses by Default | Social media platform X now exposes user IP addresses through its on-by-default audio and video calling feature, posing a significant security risk. Calls made through X are peer-to-peer, revealing IP addresses to each call participant, which could potentially lead to physical tracking. An 'Enhanced call privacy' setting can mask IP addresses by routing calls through X infrastructure, but it is unclear whether the calls are encrypted. The platform's help page for the calling feature lacks information on whether any form of encryption is used to secure calls. X users are advised to disable the audio and video calling features for improved privacy and security, especially since the settings menu is considered complex to navigate. To disable the calling feature, users need to open the app settings, navigate to Privacy and Safety, then Direct Messages, and toggle off audio and video calling. Criticism has arisen because the feature is enabled by default, which may leave many users unaware of the potential exposure. The platform has been asked for clarification on security measures such as encryption but has not responded beyond an automated message. | Details |
| 2024-03-05 16:23:54 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Deploy TODDLERSHARK Malware Via ScreenConnect Flaw | North Korean threat actors have leveraged vulnerabilities in ConnectWise ScreenConnect to deploy a new malware known as TODDLERSHARK. The exploited flaws, CVE-2024-1708 and CVE-2024-1709, have enabled various cyberattacks, including the delivery of ransomware, cryptocurrency miners, and other malicious payloads. Researchers have identified similarities between TODDLERSHARK and previous malware such as BabyShark and ReconShark, linked to the Kimsuky espionage group. TODDLERSHARK uses advanced evasion techniques, including polymorphic behavior, to avoid detection, and employs a scheduled task for persistence. South Korea's National Intelligence Service has reported incidents of North Korean hackers targeting domestic semiconductor firms, underlining the ongoing cyber threat posed by the country. The attacks, which occurred in December 2023 and February 2024, involved the extraction of sensitive data without the deployment of malware, using living-off-the-land tactics. | Details |
| 2024-03-05 15:53:08 | bleepingcomputer | CYBERCRIME | BlackCat Ransomware Announces Shutdown in Alleged Exit Scam | The BlackCat ransomware gang is allegedly performing an exit scam, having taken its Tor data leak blog and negotiation servers offline. BlackCat's administrators displayed a fake FBI seizure notice to imply interference from federal law enforcement. Ransomware expert Fabian Wosar indicated that the seizure notice was put together in a makeshift manner, signaling that it is part of the scam. An affiliate has accused the group of stealing a $20 million ransom meant for them. The group, previously associated with high-profile attacks as DarkSide and BlackMatter, has fluctuated in activity following law enforcement pressure. BlackCat operators claim to be selling their malware source code for $5 million amid signs of wrapping up operations. It remains uncertain whether the group will resurface under a different name, given its tarnished reputation among potential affiliates. | Details |
| 2024-03-05 15:06:48 | bleepingcomputer | MISCELLANEOUS | Reducing Organizational Costs Through Efficient Password Management | Password management can significantly impact organizations, incurring costs through lost productivity, help desk support, and security risks. Employees spend an average of 11 hours per year on password-related issues, costing organizations $480.26 per employee in lost productivity. Help desk calls for password resets can make up to 50% of queries, with substantial expenses in support staff salaries and operational costs. Weak or reused passwords contribute to security vulnerabilities, with 86% of data breaches involving stolen credentials and the average breach cost now at $4.45 million. Implementing multi-factor authentication (MFA) and single sign-on (SSO) solutions can enhance security while reducing help desk burden and costs. Regular employee training on password best practices and investing in password security software can prevent security incidents and operational inefficiencies. Self-service password reset options let users manage their passwords without help desk assistance, further reducing organizational expenses. | Details |
| 2024-03-05 14:35:46 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Deploy New 'ToddlerShark' Malware via ScreenConnect Flaws | The North Korean state-sponsored hacking group Kimsuky is exploiting vulnerabilities in ScreenConnect to install ToddlerShark malware. ToddlerShark is designed for long-term espionage, leveraging legitimate Microsoft binaries and altering the system registry to lower defenses. The malware establishes persistent access through scheduled tasks and continuously steals and exfiltrates data. ToddlerShark is a variant of Kimsuky's BabyShark and ReconShark backdoors, which previously hit various international targets. The polymorphic nature of the malware makes it difficult to detect through static analysis or signature-based systems. ToddlerShark's dynamic URL generation and unique payload hashes add to the difficulty of blocking the malware. Detailed analysis and indicators of compromise (IoCs) related to ToddlerShark are to be shared by Kroll in an upcoming blog post. | Details |
| 2024-03-05 13:19:07 | theregister | CYBERCRIME | Rapid7 Criticizes JetBrains for Uncoordinated Vulnerability Disclosure | Rapid7 reported two critical vulnerabilities in JetBrains' TeamCity CI/CD server in mid-February. JetBrains silently patched the vulnerabilities without a public advisory, contrary to infosec community norms. After Rapid7's warning, JetBrains published details of the vulnerabilities but did not explain the silent patching. Exploitation of the vulnerabilities began shortly after disclosure, amplifying concerns about the uncoordinated release. CVE-2024-27198 has a critical rating and enables an attacker to take administrative control and execute code remotely. CVE-2024-27199 allows information disclosure and system modification, including potential MITM attacks. JetBrains' cloud versions are safe; however, on-prem versions need updating to 2023.11.4 or the security patch plugin. The security community criticizes JetBrains' failure to adhere to coordinated vulnerability disclosure protocols. | Details |
| 2024-03-05 11:00:57 | thehackernews | CYBERCRIME | Sophisticated DNS Hijacking Scheme Targets Global Investors | Cybercriminals tracked as Savvy Seahorse are using DNS hijacking to defraud victims through fake investment platforms. The scam entices individuals from various language groups, including Russian, Polish, and German speakers, showing a wide-reaching campaign. Social media ads and fake ChatGPT and WhatsApp bots lure victims into revealing personal information for purported high-return investments. The technical approach uses DNS CNAME records to distribute traffic, making the phishing infrastructure elusive and resistant to takedown. Victims are tricked into entering personal details and depositing funds into fraudulent trading platforms, which are then transferred to a Russian bank. The actor targets selectively, excluding traffic from certain countries such as Ukraine and India, though the rationale behind these exclusions is unclear. This method highlights the increasing sophistication with which DNS can be abused for financial scams, marking the first observed use of CNAME records for such activity. | Details |