Decipher (https://decipher.sc)
Decipher is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world.
Contact: info@decipher.sc (Amy Vazquez). Copyright 2024.

Microsoft Delays Release of Controversial Recall Feature
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/microsoft-delays-release-of-controversial-recall-feature

Microsoft is delaying the release of its Recall feature in order to better incorporate security feedback. The delay comes a week after the company initially responded to widespread security concerns about Recall by making it opt-in only, instead of enabled by default on devices.

Recall was initially slated to be broadly available as a preview feature on Copilot Plus PCs next week. Microsoft on Thursday said that the feature will instead become a preview feature in the Windows Insider Program in the coming weeks. The company said it would then make Recall available in preview for Copilot Plus PCs “coming soon,” but only after receiving feedback from participants in the Windows Insider Program, its open software testing program that allows Windows users to preview and provide feedback on various builds.

“We are adjusting the release model for Recall to leverage the expertise of the Windows Insider community to ensure the experience meets our high standards for quality and security,” said Pavan Davuluri, corporate vice president of Windows and Devices with Microsoft in the update on Thursday. “This decision is rooted in our commitment to providing a trusted, secure and robust experience for all customers and to seek additional feedback prior to making the feature available to all Copilot+ PC users.”

When the feature was first announced, it was criticized for its ability to take continuous screenshots of users’ activity, which could include passwords or financial account numbers, and store those screenshots locally on their devices. That capability could make it easy for threat actors already on a system to target sensitive data, security experts said, and some security researchers even developed proof-of-concept tools to show how easy it would be to extract data from the Recall feature in Windows 11.

While Microsoft last week sought to improve some aspects of Recall - including giving it "additional layers of data protection” - some security and privacy experts called for the company to backtrack even further on the feature, worrying about the negative security and privacy consequences that could arise from its capabilities.

Recall was one of many topics during Thursday’s House Homeland Security Committee hearing with Microsoft President Brad Smith, which focused on a scathing Cyber Safety Review Board report that outlined several internal security failures at Microsoft. When asked repeatedly by committee members about Recall, Smith said the product hasn’t been launched yet and the feature wasn’t finished, and that Microsoft has “had a process to share information and take lots of feedback.”

"It's a great lesson… if somebody's creating the Recall feature, they need to think about the security aspects of the Recall feature,” said Smith during the hearing.

Committee members in the hearing asked about various aspects of Microsoft’s security - from Microsoft’s ability to detect and respond to security incidents and reported vulnerabilities, to how it notifies victims, to how the CSRB itself operates. Overall, Smith said that Microsoft “accepts responsibility for each and every one of the issues cited in the CSRB’s report.” He pointed to steps Microsoft is taking to improve its security across various areas, including better protecting identities and secrets, networks, engineering systems and tenants; monitoring and detecting threats; and enhancing its response and remediation processes. From an organizational standpoint, the company has created an office of the CISO that includes senior-level deputy CISOs to expand oversight of how security controls are baked into engineering processes. It has also formalized a plan to tie one-third of the individual performance element of each senior leadership team member’s bonus to meeting security milestones.

But hearing committee members pointed out that some of these plans were already announced as part of Microsoft’s Secure Future Initiative, weeks before the Recall feature was even launched.

“In May, Microsoft announced an expansion of the Secure Future Initiative that committed to making security a top priority,” said Rep. Bennie Thompson (D-Miss.) during the hearing. “But the same month, Microsoft announced Recall, a new feature that takes and stores periodic snapshots of a user’s computer screen, which has raised concerns amongst both privacy and security experts. Last Friday, Microsoft modified the rollout of Recall in order to incorporate significant changes. I hope it will continue to consider these concerns of security and privacy as it rolls out new products.”

Scattered Spider Targets SaaS Platforms For Data Exfiltration
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/scattered-spider-group-eyes-saas-platforms-for-data-exfiltration

The well-known Scattered Spider threat group has evolved its tactics to target software-as-a-service (SaaS) applications for data theft and to use “a more aggressive method of persistence” that leverages virtualization platforms.

Scattered Spider (also known as UNC3944) has been active since at least May 2022 and was behind several high-profile attacks, including ones on Caesars Entertainment and MGM Resorts. The group initially focused on credential harvesting and SIM swapping attacks before moving to ransomware and data theft extortion. Now, Mandiant researchers said that the group is focusing primarily on data theft extortion, a change that has “precipitated an expansion of targeted industries and organizations.”

As part of this shift, the financially motivated threat group over the past few months “has been observed adapting its tactics to include data theft from software-as-a-service (SaaS) applications to attacker-owned cloud storage objects (using cloud synchronization tools), persistence mechanisms against virtualization platforms, and lateral movement via SaaS permissions abuse,” according to Mandiant in a Thursday analysis.

“This current attack path highlights, in addition to traditional dangers of sensitive data storage, the dangers of storing data in SaaS-hosted applications,” said Mandiant. “These risks are often overlooked as part of internal security due to traditional SaaS models offloading some risk to the application owner.”

Mandiant’s research, published Thursday, coincided with another report published this week by GuidePoint Security, which highlighted clues of the cybercrime group’s recent activity pointing to how it may have become an affiliate for the RansomHub ransomware-as-a-service operator. Despite these recent changes, the group has continued using its infamous initial access vector of targeting call centers to gain access to privileged accounts.

These attacks have used a sophisticated level of social engineering, including leveraging victims’ compromised PII, in order to bypass the methods used by help desks to verify user identity. Additionally, attackers were able to bypass MFA protections by telling service desks they had a new phone and needed an MFA reset. After gaining control of targeted accounts, attackers would conduct reconnaissance via Microsoft applications, targeting internal help guides and documentation for VPNs and remote telework utilities in SharePoint, for instance.

“UNC3944 has also leveraged Okta permissions abuse techniques through the self-assignment of a compromised account to every application in an Okta instance to expand the scope of intrusion beyond on-premises infrastructure to Cloud and SaaS applications,” said Mandiant researchers. “With this privilege escalation, the threat actor could not only abuse applications that leverage Okta for single sign-on (SSO), but also conduct internal reconnaissance through use of the Okta web portal by visually observing what application tiles were available after these role assignments.”

Researchers observed attackers pivoting to SaaS applications like vCenter, CyberArk, Salesforce, Azure, CrowdStrike, AWS, Workday and Google Cloud Platform, in order to perform reconnaissance. The threat actors exfiltrated data from these applications via cloud synchronization tools like Airbyte and Fivetran in order to move data to attacker-owned cloud storage resources (primarily S3 buckets).
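The Okta permissions abuse Mandiant describes above (a compromised account assigning itself to every application in the tenant) leaves a distinctive trail in the Okta System Log: a burst of `application.user_membership.add` events in which the actor and the user being granted the app are the same identity. The detector below is an added example written for this page, not code from Mandiant or Okta. The event field names (eventType, published, actor, target) follow Okta's public System Log schema; the sample events, the ids and app names, and the exact target layout for assignment events are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in the shape of Okta System Log entries (made-up ids and names;
# the target layout for app-assignment events is assumed for this example).
SAMPLE_EVENTS = [
    {"eventType": "application.user_membership.add", "published": "2024-06-10T12:00:05.000Z",
     "actor": {"id": "00u1abc", "type": "User", "alternateId": "j.doe@example.com"},
     "target": [{"id": "0oa111", "type": "AppInstance", "displayName": "Amazon Web Services"},
                {"id": "00u1abc", "type": "User", "alternateId": "j.doe@example.com"}]},
    {"eventType": "application.user_membership.add", "published": "2024-06-10T12:00:41.000Z",
     "actor": {"id": "00u1abc", "type": "User", "alternateId": "j.doe@example.com"},
     "target": [{"id": "0oa222", "type": "AppInstance", "displayName": "CyberArk"},
                {"id": "00u1abc", "type": "User", "alternateId": "j.doe@example.com"}]},
    {"eventType": "application.user_membership.add", "published": "2024-06-10T12:01:12.000Z",
     "actor": {"id": "00u1abc", "type": "User", "alternateId": "j.doe@example.com"},
     "target": [{"id": "0oa333", "type": "AppInstance", "displayName": "Salesforce"},
                {"id": "00u1abc", "type": "User", "alternateId": "j.doe@example.com"}]},
    {"eventType": "application.user_membership.add", "published": "2024-06-10T12:01:50.000Z",
     "actor": {"id": "00u1abc", "type": "User", "alternateId": "j.doe@example.com"},
     "target": [{"id": "0oa444", "type": "AppInstance", "displayName": "Workday"},
                {"id": "00u1abc", "type": "User", "alternateId": "j.doe@example.com"}]},
    # A help-desk admin assigning a different user to one app: routine, not a self-assignment.
    {"eventType": "application.user_membership.add", "published": "2024-06-10T12:03:00.000Z",
     "actor": {"id": "00u9adm", "type": "User", "alternateId": "helpdesk@example.com"},
     "target": [{"id": "0oa333", "type": "AppInstance", "displayName": "Salesforce"},
                {"id": "00u5xyz", "type": "User", "alternateId": "new.hire@example.com"}]},
    {"eventType": "user.session.start", "published": "2024-06-10T12:04:00.000Z",
     "actor": {"id": "00u1abc", "type": "User", "alternateId": "j.doe@example.com"}, "target": []},
]


def self_assignments(events):
    """Yield (timestamp, actor_login, app_name) for app assignments the actor granted to themselves."""
    for ev in events:
        if ev.get("eventType") != "application.user_membership.add":
            continue
        actor = ev.get("actor", {})
        targets = ev.get("target", [])
        apps = [t.get("displayName") for t in targets if t.get("type") == "AppInstance"]
        # The tell-tale condition: the user receiving the app is the same identity that granted it.
        granted_to_self = any(t.get("type") == "User" and t.get("id") == actor.get("id") for t in targets)
        if not granted_to_self:
            continue
        ts = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        for app in apps:
            yield ts, actor.get("alternateId"), app


def detect_mass_self_assignment(events, threshold=3, window=timedelta(minutes=10)):
    """Return {actor_login: [apps]} for actors who granted themselves at least `threshold`
    applications inside any span of length `window` (sliding window over sorted grants)."""
    per_actor = defaultdict(list)
    for ts, actor, app in self_assignments(events):
        per_actor[actor].append((ts, app))
    flagged = {}
    for actor, grants in per_actor.items():
        grants.sort()
        for i in range(len(grants)):
            j = i
            while j < len(grants) and grants[j][0] - grants[i][0] <= window:
                j += 1
            if j - i >= threshold:
                flagged[actor] = sorted({app for _, app in grants})
                break
    return flagged


if __name__ == "__main__":
    for actor, apps in detect_mass_self_assignment(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} self-assigned {len(apps)} apps: {', '.join(apps)}")
```

A single self-assignment can be legitimate for an admin testing an integration, which is why the rule keys on volume within a short window; pair it with a review of which admin roles in the tenant are even allowed to edit app assignments, since that role grant is what made the technique possible in the intrusions described.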

Researchers also observed the threat group accessing virtualization platforms like vSphere and Azure in order to create new virtual machines, which they then used to conduct follow-on activities. For example, the group relied on a number of publicly available tools, like privacy-script.bat, in order to reconfigure the VM to deactivate certain policies, such as removing default Microsoft Defender protections or Windows telemetry features that could help with forensic investigations.

“The importance here is the observation of abusing administrative groups or normal administrator permissions tied through SSO applications to then create this method of persistence,” said researchers. “Additionally, a lack of endpoint monitoring allowed the group to download tools such as Mimikatz, ADRecon, and various covert tunneling tools, such as NGROK, RSOCX, and Localtonet. The use of these tools allowed UNC3944 access to the device without the need to use VPN or MFA. Other tooling included the installation of Python libraries, such as IMPACKET.”

In order to limit the impact of these types of operations, researchers recommend that organizations use host-based certificates and MFA for VPN access, and develop strict conditional access policies to control visibility for cloud tenants. At the same time, companies can increase their monitoring capabilities around SaaS applications.

“SaaS applications pose an interesting dilemma for organizations as there is a gray area of where and who should conduct monitoring to identify issues,” said researchers. “For the applications where proprietary or guarded information exists, Mandiant recommends that an organization ensures they have a robust logging capability that their security teams can review for signs of malicious intent.”

Decipher Podcast: Amy Bogac
By Dennis Fisher (dennis@decipher.sc)
https://duo.com/decipher/decipher-podcast-amy-bogac

Thousands of FortiGate Devices Compromised in Ongoing Campaign
By Dennis Fisher (dennis@decipher.sc)
https://duo.com/decipher/thousands-of-fortigate-devices-compromised-in-ongoing-campaign

A campaign by Chinese state-sponsored attackers targeting a bug in Fortinet’s FortiOS SSL VPN software has resulted in the compromise of more than 20,000 FortiGate security appliances in the last few months, and many of them were compromised before the vulnerability became public, Dutch government security officials said.

The attacks involve exploitation of a heap-based buffer overflow (CVE-2022-42475) in the FortiOS SSL VPN component, which Fortinet disclosed and patched in December 2022. At the time of the disclosure, the flaw was already being exploited by attackers, but it wasn’t until earlier this year that researchers identified a widespread campaign targeting vulnerable appliances. In that campaign, disclosed by the Dutch Military Intelligence and Security Service (MIVD), the attackers exploited the bug and installed a backdoor known as COATHANGER in order to maintain persistent access to the compromised devices.

“This RAT is a targeted persistent malware that operates outside of traditional detection measures and is specifically designed for FortiGate devices. Another feature is that this malware is not aimed at gaining access to systems but at maintaining access,” the MIVD said in an analysis of the malware in February.

At the time of that initial report, the MIVD said that it had found the malware on several systems during incident response engagements, but the scope of the campaign has since become clearer. The agency said this week that it had identified more than 20,000 FortiGate appliances that have been compromised by the unnamed Chinese actor.

“Since the publication in February, the MIVD has continued to investigate the broader Chinese cyber espionage campaign. This revealed that the state actor gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023 through the vulnerability with the identifier CVE-2022-42475,” the agency said.

“Furthermore, research shows that the state actor behind this campaign was already aware of this vulnerability in FortiGate systems at least two months before Fortinet announced the vulnerability. During this so-called 'zero-day' period, the actor alone infected 14,000 devices. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry. The state actor installed malware at relevant targets at a later date. This gave the state actor permanent access to the systems. Even if a victim installs security updates from FortiGate, the state actor continues to have this access.”

Fortinet released fixes for the vulnerability in December 2022, but organizations are often slow to patch edge security devices. Attackers know this and the last few years have seen a marked increase in attacks on these devices, which offer privileged access to an organization’s network.

“The NCSC and the Dutch intelligence services have been seeing a trend for some time that vulnerabilities in publicly accessible edge devices such as firewalls, VPN servers, routers and email servers are being exploited. Due to the security challenges of edge devices, these devices are a popular target for malicious parties. Edge devices are located at the edge of the IT network and regularly have a direct connection to the internet. In addition, these devices are often not supported by Endpoint Detection and Response (EDR) solutions,” the MIVD said.

Ransomware Attacks Leverage Recent Critical PHP Flaw
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/ransomware-attacks-leverage-recent-critical-php-flaw

Threat actors behind a recent ransomware campaign have been leveraging a new PHP vulnerability (CVE-2024-4577) in order to execute arbitrary PHP code on targeted systems.

The PHP Group last week fixed the argument injection vulnerability, which affects PHP on Windows when it runs in CGI mode and all versions of the XAMPP development environment installed on Windows, which exposes the PHP CGI binary by default. Researchers initially said on June 7 that they observed attackers scanning for the flaw. However, in a new analysis this week, the Imperva threat research team said the flaw was being leveraged in a campaign deploying ransomware called TellYouThePass.

“From as early as June 8th, we have detected attacker activity leveraging this vulnerability to deliver malware, which we have now identified to be a part of the 'TellYouThePass' ransomware campaign,” according to Gai Stapel and Daniel Johnson with Imperva in an analysis. “As we analyzed attacks exploiting this vulnerability, we noticed a few campaigns, including WebShell upload attempts and several attempts to place ransomware on a target system.”

The TellYouThePass ransomware has been around since at least 2019, and has previously leveraged Apache vulnerabilities, like the Log4j flaw and a known and widely exploited bug in ActiveMQ (CVE-2023-46604). TellYouThePass has previously been labeled by security researchers as a commodity-level, “low sophistication” ransomware that has been used to target businesses and private individuals.

In these most recent attacks, the threat actors used the known exploit of the PHP bug in order to execute code on targeted systems. They then used living-off-the-land tactics by leveraging the “system” function to run an HTML application file, through the mshta.exe native Windows binary, which is used to execute remote payloads. After execution, the sample would send a request to the C2 server with details about the infected machine. The binary then carried out various basic ransomware functionalities, generating encryption keys and encrypting files within previously enumerated directories with predefined file extensions.
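Because the exploitation and the scanning described above both arrive as ordinary HTTP requests to the PHP CGI binary, a web-server access log is enough to spot them. The detector below is an added example for this page, not code from Imperva, the PHP project or the ransomware operators. It keys on the mechanism behind CVE-2024-4577: a percent-encoded soft hyphen (0xAD) that a Windows host using certain code pages "best-fits" to an ASCII hyphen, so that `%ADd` reaches php-cgi as the `-d` option and lets the request set ini directives such as `auto_prepend_file`. The log lines, addresses and paths are constructed; the query-string shape follows the publicly documented exploit pattern.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed Apache combined-format access log lines (made-up hosts, paths and times).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [08/Jun/2024:11:22:33 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
198.51.100.9 - - [08/Jun/2024:11:23:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.77 - - [08/Jun/2024:11:25:14 +0000] "GET /cgi-bin/php-cgi.exe?%ads%20-d%20allow_url_include=1 HTTP/1.1" 404 200 "-" "curl/8.4.0"
198.51.100.9 - - [08/Jun/2024:11:26:40 +0000] "GET /test.php?%ad-hoc=1 HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A soft-hyphen byte (0xAD) immediately followed by a letter: after best-fit mapping on an
# affected Windows code page this reads as "-d", "-s", "-n" ... to php-cgi's option parser.
INJECTED_OPTION = re.compile(rb"\xad[a-zA-Z]")

# ini directives the public exploit chain sets in order to turn the request body into PHP code.
INI_DIRECTIVES = (b"auto_prepend_file", b"allow_url_include", b"disable_functions", b"open_basedir")


def classify(line):
    """Parse one access-log line and grade it: 'high' when an injected option is paired with a
    known ini directive, 'medium' for an injected option alone, 'none' otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    query = unquote_to_bytes(parts.query)  # keep raw bytes: %AD must not be UTF-8 decoded away
    injected = INJECTED_OPTION.search(query) is not None
    directives = [d.decode() for d in INI_DIRECTIVES if d in query.lower()]
    severity = "high" if injected and directives else "medium" if injected else "none"
    return {"ip": m["ip"], "path": parts.path, "injected_option": injected,
            "directives": directives, "severity": severity}


def suspicious_requests(log_text):
    """Return the classified records for every line that carries an injected php-cgi option."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = classify(line)
        if rec and rec["severity"] != "none":
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in suspicious_requests(SAMPLE_ACCESS_LOG):
        print(f"{rec['severity'].upper():6} {rec['ip']} {rec['path']} {rec['directives']}")
```

The fourth sample line shows why the rule requires a letter after the soft hyphen: a stray `%ad` in a parameter name is not an option injection. The same byte pattern is what the PHP project's published Apache workaround blocks (a `RewriteCond` on the query string matching `^%ad`, case-insensitive), so the detector and the mitigation agree on the indicator; patching remains the actual fix.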

“The ‘TellYouThePass’ ransomware campaign has been in operation since 2019 and has taken various forms over the years,” including samples written in Java, .Net and Golang, according to researchers. “Recently observed variants have taken the form of .NET samples delivered using HTML applications.”

Updated versions of PHP 8.3, 8.2, and 8.1 were released on June 6, and organizations that are running vulnerable versions of PHP should update as soon as possible. In a separate advisory, the Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added CVE-2024-4577 to its Known Exploited Vulnerabilities catalog, saying it was “known to be used in ransomware campaigns,” and gave government agencies a due date of July 3 to patch the flaw.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” said CISA.

Decipher Podcast: The Microsoft Recall Recall
By Dennis Fisher (dennis@decipher.sc) and Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/decipher-podcast-the-microsoft-recall-recall

Mandiant: 165 Snowflake Customers ‘Potentially Exposed’ in Campaign
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/mandiant-165-snowflake-customers-potentially-exposed-in-wider-campaign

In a new analysis of a recent high-profile campaign impacting customers of cloud-based data storage company Snowflake, researchers with Mandiant said that since at least April 14, the threat group behind the attack has used compromised credentials to access over 100 customer tenants.

Mandiant’s analysis reiterated a joint statement issued last week with both Snowflake and CrowdStrike, that the attack did not stem from a breach of Snowflake’s platform, but instead leveraged stolen credentials for accounts that did not have MFA enabled. The joint statement came after reports emerged of several companies discovering unauthorized access on databases hosted by Snowflake, such as Ticketmaster.

Mandiant tied the campaign to an actor it called UNC5537, which it said is a financially motivated threat actor that has been compromising "a significant volume of records from Snowflake customer environments," extorting victims and advertising their data for sale on cybercrime forums. Researchers said they have identified members of the threat group that had associations to other tracked groups, but they assessed with “moderate confidence” that UNC5537 is made up of members based in North America, and that the group works with one additional member in Turkey.

“To date, Mandiant and Snowflake have notified approximately 165 potentially exposed organizations,” according to Mandiant’s threat intelligence team in a Monday post. “Snowflake’s Customer Support has been directly engaged with these customers to ensure the safety of their accounts and data. Mandiant and Snowflake have been conducting a joint investigation into this ongoing threat campaign and coordinating with relevant law enforcement agencies.”

UNC5537 was able to access the companies’ Snowflake instances through credentials stolen from the customers, primarily via infostealer malware campaigns targeting non-Snowflake owned systems, some of which dated as far back as November 2020, said researchers. The infostealer malware variants associated with this campaign included well-known ones like the Raccoon stealer, Vidar and Redline. In some of the investigations into the incident, researchers found that these malware families had targeted contractor systems, which were also used for personal activities like gaming or downloading pirated software.

“Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector,” said researchers. “These devices, often used to access the systems of multiple organizations, present a significant risk. If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges.”

The successful compromises primarily targeted Snowflake accounts that didn’t have MFA enabled and that still had credentials that had not been rotated or updated, sometimes for years. The impacted instances also did not have network allow lists in place to only enable access from trusted locations, said Mandiant.

Researchers weren’t able to recover the complete sample of a utility that had been reportedly used by the threat actors in the attacks (which researchers called FrostBite), but they assessed that it was being leveraged to perform reconnaissance against target Snowflake instances.

“Mandiant observed usage of both .NET and Java versions of FROSTBITE,” said researchers. “The .NET version interacts with the Snowflake .NET driver. The JAVA version interacts with the Snowflake JDBC driver. FROSTBITE has been observed performing SQL recon activities including listing users, current roles, current IPs, session IDs, and organization names. Mandiant also observed UNC5537 use a publicly available database management utility DBeaver Ultimate to connect and run queries across Snowflake instances.”

The campaign highlights the prevalence and dangers of infostealer malware, as well as several basic security issues like a lack of MFA and the problem of “exposed credentials” (in fact, Mandiant found that almost 80 percent of the accounts leveraged by the threat actor in this attack had prior credential exposure). However, the campaign has also brought Snowflake’s own security control implementation policies for customers into question. Snowflake on its website has said that it supports MFA for users connecting to its platform, and that MFA support is provided as an integrated Snowflake feature. However, though Snowflake “strongly recommends that all users with the ACCOUNTADMIN role be required to use MFA” at a minimum, MFA is enabled on a per-user basis, and users are not automatically enrolled in MFA but must enroll themselves.
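The three weaknesses Mandiant lists for the compromised tenants (no MFA, credentials not rotated for years, no network allow list) and the driver-based tooling it observed (FROSTBITE over the .NET and JDBC drivers, DBeaver) can all be checked from two views Snowflake exposes to account administrators. The triage script below is an added example for this page, not code from Mandiant or Snowflake. The column names follow the documented SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY and USERS views; the exported rows, user names, addresses, the client-type values and the trusted network ranges are constructed assumptions for the example.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed export modelled on SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY (column names from the
# Snowflake documentation; users, addresses and client types are made up).
LOGIN_HISTORY_CSV = """\
EVENT_TIMESTAMP,USER_NAME,CLIENT_IP,REPORTED_CLIENT_TYPE,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,IS_SUCCESS
2024-04-14T03:12:09Z,SVC_ETL,198.51.100.23,JDBC_DRIVER,PASSWORD,,YES
2024-04-14T03:15:44Z,SVC_ETL,198.51.100.23,JDBC_DRIVER,PASSWORD,,YES
2024-04-15T09:02:11Z,ALICE,10.20.0.15,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-04-15T09:10:00Z,BOB,198.51.100.7,JDBC_DRIVER,PASSWORD,,NO
2024-04-16T22:40:31Z,CONTRACTOR_1,192.0.2.88,.NET_DRIVER,PASSWORD,,YES
2024-04-17T08:00:02Z,BOB,203.0.113.40,PYTHON_DRIVER,PASSWORD,,YES
"""

# Constructed export modelled on SNOWFLAKE.ACCOUNT_USAGE.USERS (EXT_AUTHN_DUO is the MFA enrolment flag).
USERS_CSV = """\
NAME,HAS_PASSWORD,EXT_AUTHN_DUO,PASSWORD_LAST_SET_TIME,DISABLED
SVC_ETL,true,false,2020-11-02T10:00:00Z,false
ALICE,true,true,2024-03-01T08:30:00Z,false
BOB,true,false,2023-12-12T12:00:00Z,false
CONTRACTOR_1,true,false,2021-06-30T16:45:00Z,false
"""

# Assumed corporate and VPN egress ranges: what a Snowflake network policy would restrict logins to.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)  # fixed "now" so the example is reproducible


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def password_only_logins_from_untrusted(csv_text, trusted=TRUSTED_NETWORKS):
    """Successful logins with no second factor from outside the trusted ranges,
    as de-duplicated (user, client_ip, client_type) tuples in first-seen order."""
    seen = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["IS_SUCCESS"] != "YES" or row["SECOND_AUTHENTICATION_FACTOR"]:
            continue
        ip = ipaddress.ip_address(row["CLIENT_IP"])
        if any(ip in net for net in trusted):
            continue
        seen.setdefault((row["USER_NAME"], row["CLIENT_IP"], row["REPORTED_CLIENT_TYPE"]), None)
    return list(seen)


def unenrolled_users_with_stale_passwords(csv_text, now=NOW, max_age=timedelta(days=365)):
    """Enabled password users who are not enrolled in MFA and whose password is older than max_age."""
    stale = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["DISABLED"] == "true" or row["HAS_PASSWORD"] != "true" or row["EXT_AUTHN_DUO"] == "true":
            continue
        if now - parse_ts(row["PASSWORD_LAST_SET_TIME"]) > max_age:
            stale.append(row["NAME"])
    return stale


def triage(login_csv=LOGIN_HISTORY_CSV, users_csv=USERS_CSV, now=NOW):
    """Accounts showing every weakness at once: password-only logins from an untrusted address,
    no MFA enrolment, and a password nobody has rotated in over a year."""
    risky_users = {user for user, _, _ in password_only_logins_from_untrusted(login_csv)}
    stale_users = set(unenrolled_users_with_stale_passwords(users_csv, now))
    return sorted(risky_users & stale_users)


if __name__ == "__main__":
    for user, ip, client in password_only_logins_from_untrusted(LOGIN_HISTORY_CSV):
        print(f"password-only login: {user} from {ip} via {client}")
    print("rotate + enrol first:", triage())
```

Service accounts such as the constructed SVC_ETL are the usual blind spot: they log in through a driver, cannot complete a push-based second factor, and so get exempted from MFA and left with an old password, which is exactly the profile a stolen infostealer log hands an attacker. For those, the network policy is the control that still works, which is why the triage treats an untrusted source address as the deciding signal.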

Snowflake is now looking at changing its policies around implementing security controls.

“As we shared on June 6, we continue to work closely with our customers as they harden their security measures to reduce cyber threats to their businesses, and we are developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies,” said Brad Jones, CISO at Snowflake in an update on Monday.

The Emerging Ecosystem Dedicated to AI Accountability
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/the-emerging-ecosystem-dedicated-to-ai-accountability

Organizations across both the private and public sector are pondering the best ways to manage emerging security risks in generative AI models, and independent evaluation processes have repeatedly been at the heart of the strategies proposed so far by the DHS, White House and more. But it’s not so simple.

These types of assessments aim to provide accountability by measuring AI systems against various risks, such as levels of data protection, privacy, potential biases or others. But the ecosystem of AI third-party auditors, and even the frameworks looking at how to best evaluate systems, are all still nascent. Many technology companies already conduct internal or contract-based AI assessments or offer bug bounty programs, but top generative AI companies are self-selective when it comes to the external research teams that they work with. The teams that are able to perform independent research on AI models are running into issues around a lack of transparency and understanding of the large language models (LLMs) behind AI systems that add further complexity to these assessments.

“The ecosystem for assessing and auditing AI models is still in its formative stages, but is growing rapidly,” said Casey Ellis, founder and chief strategy officer at Bugcrowd. “We're seeing a mix of traditional cybersecurity firms expanding their services to include AI security, as well as new startups specifically focused on AI risk management.”

When evaluating AI, there are several different assessment factors, including biases and ethical principles, transparency, accountability and explainability; as well as areas that fall more solidly into the cybersecurity bucket like data protection, privacy and consent. NIST has developed various frameworks that can help organizations better implement security into the development and use of AI systems, including its AI risk management framework released in January 2023 (with a draft version for generative AI released more recently in April). In May, NIST released an Assessing Risks and Impacts of AI program aiming to help organizations better understand how an AI technology would be “valid, reliable, safe, secure, private and fair once deployed.”

However, these frameworks and standards for helping third-party companies better assess AI systems are still fairly new or in development. A report from last year by the United Nations Educational, Scientific and Cultural Organization (Unesco) and Montreal-based artificial intelligence research institute Mila titled “Missing Links in AI Governance,” found that “despite recent policy developments in AI accountability, we are still a far cry from an AI policy ecosystem that enables the effective participation of third-party auditors.”

“We do not yet have the standards and regulatory framework that we need to ensure that third-party auditors are accredited, protected and supported to play their part,” according to the report. “To ensure equity and accountability in the deployment of AI systems, the communities that are most likely to be harmed by these systems must be better represented in the audit, assessment or evaluation process. Third-party auditors, who can play that role, need to be accredited and supported within a policy ecosystem that ensures their independence, integrity, and effectiveness.”

The Emerging Third-Party Ecosystem

Some companies have already set up internal teams to evaluate the safety and security of their AI efforts. For example, Google’s Responsible AI and Human Centered Technology team aims to create AI principles and make sure that products are built on those principles, as well as improve “consistent access, control, and explainability” of AI models. However, the third-party assessment ecosystem has no contractual obligation with technology companies and instead provides important and independent assessments of potential weaknesses with AI systems - including potential cybersecurity issues. A security research ecosystem is emerging around AI, and companies like Bugcrowd are looking at ways to integrate this into their existing platforms by accommodating AI-specific flaws and encouraging crowd-sourced security research.

“Interest from security researchers in AI is very high and it continues to grow,” said Bugcrowd’s Ellis. “There's a lot of curiosity and drive to understand how AI models can be exploited and protected, and to taxonomize the understanding of AI-specific flaws. Hackers are quickly adapting traditional security principles to the AI context and developing new techniques to uncover AI-specific vulnerabilities. Meanwhile, there’s an enormous amount of research and development going into leveraging AI to accelerate attacker workflows.”

AI can be assessed both as a threat - including taking a close look at the risks that could develop in an organization should it be deployed in a hasty or poorly secured manner - and as a target. Assessments in the latter category, relating to cybersecurity, share some similarities with traditional security audits, including researchers’ focus on data security, integrity and the potential for exploitation, said Ellis.

“That said, they are also very different - while it’s relatively easy to draw a bright line around the presence or absence of a vulnerability like IDOR or SQL Injection, generative AI is fuzzy by design so the definition of ‘vulnerable’ becomes more difficult to define,” said Ellis.

“Security researchers assess how well models can withstand attempts to manipulate inputs to produce erroneous or harmful outputs,” said Ellis. “They also examine data poisoning risks, model inversion attacks, and the confidentiality of training data. Additionally, the security of the deployment environment and the potential for API abuse are critical factors.”

Transparency and Terms of Service Roadblocks

Shayne Longpre, PhD candidate at the MIT Media Lab, has talked to dozens of other researchers from different teams, and said that one major concern is how terms of service conditions of popular AI models often prohibit research into vulnerabilities related to things like bypassing safety measures or jailbreaks.

“While some elite research teams that already had connections to OpenAI or Google or elsewhere were more comfortable doing the initial research, other teams were experiencing a lot of chilling effects… there’s some chilling effects on disclosing the results of the research, there are disincentives to tackle certain problems, so people tend to choose less sensitive ones over more sensitive ones, there’s limited transparency into the closed corporations’ systems, so it’s hard to be able to do good research in many cases,” said Longpre.

Longpre in a March open letter to companies like OpenAI and Meta, along with 350 other independent researchers (as well as professors, executives and analysts), urged generative AI companies to make voluntary commitments for both legal safe harbor, which would protect good-faith evaluation research that is conducted via established security vulnerability disclosure practices, and technical safe harbor, which would protect evaluation research from account termination.

“Whereas security research on traditional software has established voluntary protections from companies (“safe harbors”), clear norms from vulnerability disclosure policies, and legal protections from the DOJ, trustworthiness and safety research on AI systems has few such protections,” according to the letter. “Independent evaluators fear account suspension (without an opportunity for appeal) and legal risks, both of which can have chilling effects on research.”

Overall, a lack of transparency for third-party researchers into data limits their ability to uncover the problems. For instance, AI models have safeguards and moderation systems attached, which look at both inputs - to prevent misuse from users - and revise the outputs on the fly if the model seems to be saying anything inappropriate, said Longpre. However, for researchers that don’t have a good level of transparency into the system, it’s difficult to know if an error was caught by the input or output detector, said Longpre.

“If you know the training data, it’s easier to search through that training data to try to understand what kind of risks there might be, [such as] does it have knowledge about very sensitive [information],” said Longpre. “These are the sorts of things that are very important to be able to diagnose and fix these systems… and improve the safety in the long run.”

The Future of AI Accountability

Third-party assessments are key to AI accountability, and various U.S. government agencies have recognized that in their guidelines around AI over the last year. The DHS in its roadmap for AI cybersecurity initiatives, for instance, said it plans to create a number of independent evaluation processes for AI systems used by the department, which will include a test facility that will look at pilots, algorithm training and use cases. It also plans to hold a HackDHS for AI Systems assessment where vetted researchers will be asked to hunt for security flaws in DHS systems that leverage AI. On the defense side, the DHS said it plans to evaluate AI-enabled vulnerability discovery and remediation tactics that can be used for federal civilian government systems.

As AI’s role in the cybersecurity and broader tech industry continues to evolve, UNESCO and Mila in their “Missing Links in AI Governance” report said that third-party audits across the AI systems lifecycle are necessary accountability measures, particularly as they represent a wider range of perspectives that could help identify key issues.

“Third-party auditors can shine a light on problems that are unforeseen, deprioritized, or ignored by those who develop, purchase, deploy, or maintain AI systems,” according to the report. “Third-party audits may also be used to focus attention on disparate impacts against various marginalized stakeholders who are too often excluded from consideration. As they have no contractual relationship with the audit target, third-party auditors are less likely to be influenced by the preferences, expectations or priorities of the audit target.”

<![CDATA[Critical PHP Flaw CVE-2024-4577 Patched]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/critical-php-flaw-cve-2024-4577-patched https://duo.com/decipher/critical-php-flaw-cve-2024-4577-patched

The PHP Group has fixed a vulnerability in all versions of PHP on Windows that can allow an attacker to execute arbitrary code. The flaw also affects all versions of the XAMPP development environment installed on Windows, and researchers have already seen attackers scanning for the flaw (CVE-2024-4577).

Updated versions of PHP 8.3, 8.2, and 8.1 were released on June 6, but a proof-of-concept exploit is already available, and the researchers who discovered the vulnerability say it can be exploited easily in a couple of scenarios. The flaw itself is an argument injection bug and is the result of an incomplete fix for a separate vulnerability from 2012.

“While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system. This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack,” the researchers from Devcore, who discovered the bug, said in an analysis.

Researchers from the Shadowserver Foundation, which tracks exploit and attack activity across the Internet, said they have seen scanning activity already targeting this bug.

“We see multiple IPs testing PHP/PHP-CGI CVE-2024-4577 (Argument Injection Vulnerability) against our honeypot sensors starting today, June 7th. Vulnerability affects PHP running on Windows,” the group said Friday.

There are two specific scenarios in which attackers can exploit a vulnerable version of PHP. The first scenario is when PHP is running in CGI mode, which is quite common.

“When configuring the Action directive to map corresponding HTTP requests to a PHP-CGI executable binary in Apache HTTP Server, this vulnerability can be exploited directly,” the Devcore researchers said.

The second scenario is when the PHP binary is exposed in the CGI directory, which is the default mode for XAMPP, the widely used PHP development environment. XAMPP has not released an update for this flaw yet.

Organizations that are running vulnerable versions of PHP should update as soon as possible.

<![CDATA[After Backlash, Microsoft Recall Will be Disabled by Default]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/after-backlash-microsoft-recall-will-be-disabled-by-default https://duo.com/decipher/after-backlash-microsoft-recall-will-be-disabled-by-default

Microsoft said it has updated its controversial Recall feature with what it calls “privacy and security safeguards,” and will disable the feature by default in its Copilot Plus PCs.

The update comes on the heels of a torrent of backlash from privacy experts about the feature, which was previously enabled by default in Copilot Plus PCs. The criticism centered around the feature’s ability to take continuous screenshots of users’ activity, which could include passwords or financial account numbers, and store those screenshots locally on their devices.

In a Friday post, Pavan Davuluri, corporate vice president for Windows and Devices, said that enrollment in Windows Hello - Microsoft’s biometrics and PIN authentication process - will also now be required to enable Recall, and “proof of presence” will be required to search through the feature.

“Even before making Recall available to customers, we have heard a clear signal that we can make it easier for people to choose to enable Recall on their Copilot+ PC and improve privacy and security safeguards,” said Davuluri in the post. “With that in mind we are announcing updates that will go into effect before Recall (preview) ships to customers on June 18.”

Microsoft in its Friday update said it is adding "additional layers of data protection," including decryption protected by Windows Hello Enhanced Sign-in Security (ESS), which the company said means that Recall snapshots will only be decrypted and accessible when the user authenticates. Davuluri said Microsoft also encrypted the search index database.

Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory, said that it is "gratifying that Microsoft responded to the unanimous public outcry against this feature, but making it opt-in still leaves unanswered questions."

"Will the company use dark patterns to get people to opt-in without fully understanding that they’re doing so?" said Pfefferkorn. "Will employers who want to surveil their employees’ every move - because let’s be honest, that’s the only real use case for this idea - get to turn this on for their employees? What about domestic abusers who could force their victims (such as a spouse or child) to turn this feature on? There is simply no good reason for this feature; nobody was asking for it, and the non-creepy use cases (such as finding a recipe you think you looked at once) are too minor to justify the creepy ones. It should be killed entirely."

The purpose of the feature is to help consumers better locate content they had previously viewed on their device. Microsoft during Recall's initial launch had argued that users would have control over what type of screenshots the feature collects and stores on their devices. It also said that Recall snapshots would be kept on the local hard disk of users' devices and protected using data encryption on these devices.

When the feature was initially launched, security professionals said these measures were not enough, and that Recall would provide another vector for threat actors to steal sensitive data. The initial announcement of the feature was also particularly dumbfounding as it occurred weeks after Microsoft declared updates to its Secure Future Initiative, where Charlie Bell, executive vice president with Microsoft Security said “we are making security our top priority at Microsoft, above all else—over all other features.”

Security researcher Alexander Hagenah earlier this week developed a proof-of-concept called TotalRecall that extracts data from the Recall feature in Windows 11. Hagenah in his description of TotalRecall earlier this week also called on Microsoft to recall and rework the feature, and review the internal decision making that led to this situation, "as this kind of thing should not happen."

"When you’re logged into a PC and run software, things are decrypted for you," said Hagenah in the description of TotalRecall earlier this week. "Encryption at rest only helps if somebody comes to your house and physically steals your laptop — that isn’t what criminal hackers do. For example, InfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade — now these can just be easily modified to support Recall."

<![CDATA[Wyden Pushes HHS to Mandate Healthcare Cybersecurity Standards]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/wyden-pushes-hhs-to-mandate-healthcare-cybersecurity-improvements https://duo.com/decipher/wyden-pushes-hhs-to-mandate-healthcare-cybersecurity-improvements

In the three months since the crippling Change Healthcare ransomware attack, the healthcare industry has not seen changes for the better but instead only more attacks against hospitals and healthcare providers, most recently against pathology provider Synnovis. Sen. Ron Wyden (D-Ore.) wants to light a fire under the U.S. government to fast track cybersecurity improvements in this sector.

In a new letter this week, Wyden called on Department of Health and Human Services (HHS) Secretary Xavier Becerra to take “immediate, enforceable steps” that would require large healthcare organizations to bolster their cybersecurity practices. Wyden’s letter to the HHS, which is currently investigating whether a breach of protected health information occurred in the Change Healthcare attack, comes a week after he called on the SEC and FTC to investigate the “negligent cybersecurity practices” of parent company UnitedHealth Group.

“The agency’s current approach of allowing the health sector to self-regulate cybersecurity is insufficient and fails to protect personal health information as intended by Congress,” said Wyden in his letter on Wednesday. “HHS must act now to address corporations’ lax cybersecurity practices, which have enabled hackers to steal patient health information and shut down parts of the health care system, causing actual harm to patient health.”

One security gap on Change Healthcare’s end, which enabled the ransomware actors to achieve initial access, was the failure to enable multi-factor authentication (MFA) on a Citrix remote access portal account. Threat actors behind the attack were able to access this account, which didn’t have MFA, through compromised credentials.

This is a very basic cybersecurity best practice that the HHS could require for healthcare organizations, Wyden argued. But beyond MFA, there should be other minimum cybersecurity standards for what CISA has labeled “systemically important entities,” or the critical infrastructure making up the public health and safety systems in the U.S., like clearinghouses or large health systems.

“These technical standards should address how organizations protect electronic information as well as ensure the health care system’s resiliency to these attacks by continuing its critical functions including maintaining access to medical records, providing medical care, and supporting community health,” said Wyden. “HHS should reinforce these standards and ensure broad adoption by requiring entities that participate in the Medicare program to meet these requirements.”

The standards should include requirements so that organizations can rebuild their IT infrastructure quickly - within 48 to 72 hours - if they are targeted by threat actors. In UnitedHealth’s case, while the company was able to restore its cloud-based systems within days, many of its key systems had not been engineered to run in the cloud, and instead ran in the company’s own servers, elongating their restoration process, according to UnitedHealth CEO Andrew Witty during his testimonies in May before multiple government committees. Wyden also urged the HHS to conduct regular audits of healthcare organizations and provide technical security assistance for providers.

Ransomware groups like Conti, FIN12 and Hive have targeted various hospitals, providers and clinics over the years, and the healthcare and public health sector was the most common ransomware target of any critical infrastructure sector in 2023, according to the FBI.

"The sector and its supply chain have been constantly bombarded by financially-motivated cyberattacks for years,” said Brett Callow, threat analyst with Emsisoft. “It's a problem that governments have failed to get to grips with and, unless we [see] some bold new strategies, the attacks will invariably continue."

The HHS did not respond to a request for comment. In December, the department announced plans to update its healthcare sector cybersecurity regulations for the first time in 21 years. The updated regulations would include voluntary, healthcare-specific cybersecurity performance goals, as well as measures to increase accountability and coordination within the healthcare space. The HHS also said it would work with Congress to create incentives for hospitals to improve the cybersecurity of their systems. At the same time, the Healthcare and Public Health Sector Coordinating Council in April showcased a five-year Health Industry Cybersecurity Strategic Plan, which recommends 10 cybersecurity goals that it hopes will be implemented by 2029.

However, the performance goals wouldn’t be mandatory, and security experts worry about the long implementation timeline of five years. Wyden, for his part, said the HHS should go further.

“The current epidemic of successful cyberattacks against the health care sector is a direct result of HHS’s failure to appropriately regulate and oversee this industry, harming patients, providers, and our national security,” said Wyden in his letter. “I urge HHS to use all of its authorities to protect U.S. health care providers and patients from cybersecurity risk.”

<![CDATA[The Challenge of Reporting on Complex Breaches]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/the-challenge-of-reporting-on-complex-breaches https://duo.com/decipher/the-challenge-of-reporting-on-complex-breaches

Veteran security journalist and podcaster Ryan Naraine joins the Decipher podcast to discuss the challenges of separating fact from fiction when reporting on complex incidents such as the Snowflake breach.

<![CDATA[Exploit Attempts Against Check Point CVE-2024-24919 On the Rise]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/exploit-attempts-against-check-point-cve-2024-24919-on-the-rise https://duo.com/decipher/exploit-attempts-against-check-point-cve-2024-24919-on-the-rise

Attackers have been attempting to exploit the recently disclosed Check Point vulnerability (CVE-2024-24919) for more than a month but many of those attempts have been unsuccessful, thanks to broken payloads or other issues. But recent days have seen an uptick in real exploits in use from a variety of sources.

The vulnerability is a path traversal bug that affects several Check Point products, including CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways and Quantum Spark Appliances, and can allow an attacker to gain access to arbitrary files on a target device. Check Point released an advisory with an update to address the bug last week, and research teams, as well as the Cybersecurity and Infrastructure Security Agency (CISA), have been urging affected organizations to apply it as soon as possible.

At the time of the initial disclosure, the majority of the exploit attempts that researchers had seen were not successful.

“Although we tagged this issue very quickly, we actually saw the first exploit attempt (attempt), with a non-working exploit, hitting Sift on May 30, 2024 - presumably somebody thought they’d figured it out and pushed the big “go” button a bit too quickly,” Ron Bowes of GreyNoise said in an analysis of the exploit attempts.

“The word “attempts” is doing a lot of work in that sentence because, from what we can tell, this payload doesn’t actually work.”

But that reprieve didn’t last long, as successful exploits began showing up by May 31 and have increased sharply in the last few days. GreyNoise’s data shows that nearly 800 individual IP addresses have been attempting to exploit the Check Point bug since June 2. There is a proof-of-concept exploit that’s publicly available, and while some attackers have used it, others are trying their luck with other exploits and ways to reach the vulnerability.

While early attacks were likely quite targeted, as most zero-day exploitation tends to be, that is certainly not the case any longer.

“Unfortunately, we didn’t directly observe the 0-day exploitation prior to the advisory being released; presumably, the attacks were targeted and didn’t hit our sensor network (although as we expand our new sensors and personas to real networks, we expect to start seeing this type of 0-day exploitation in Sift!),” Bowes said.

<![CDATA[Synnovis Ransomware Attack Disrupts Healthcare Services]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/synnovis-ransomware-attack-disrupts-healthcare-services https://duo.com/decipher/synnovis-ransomware-attack-disrupts-healthcare-services

Synnovis, one of the UK’s top pathology and diagnostic service providers, on Tuesday confirmed that it was targeted by a ransomware attack that has been impacting its IT systems and resulting in interruptions to many of the organization’s pathology services across top hospitals in London.

The organization, which provides lab services to National Health Service (NHS) partners and clinical users, is a collaboration between SYNLAB UK & Ireland, Guy’s and St Thomas’ NHS Foundation Trust, and King’s College Hospital NHS Foundation Trust. The ransomware attack was first uncovered on Monday, and a spokesperson for the NHS England London region on Tuesday said that the attack was having a “significant impact” on the delivery of NHS services at the partner hospitals - the Guy’s and St Thomas’ and King’s College Hospital NHS Foundation Trusts - and primary care services across six boroughs. Details about how the attack occurred have not yet been disclosed.

“It is still early days and we are trying to understand exactly what has happened,” said Mark Dollar, CEO with Synnovis in a Tuesday statement. “A taskforce of IT experts from Synnovis and the NHS is working to fully assess the impact this has had, and to take the appropriate action needed. We are working closely with NHS Trust partners to minimise the impact on patients and other service users.”

Both NHS London and Synnovis said that emergency care continues to be available, but some patient appointments - including, reportedly, transplant surgery - have been canceled or redirected to other providers in order to prioritize “urgent work.” Synnovis and the NHS said they are working with the government’s National Cyber Security Centre and the Cyber Operations Team to respond to the attack.

“Regrettably this is affecting patients, with some activity already cancelled or redirected to other providers as urgent work is prioritised,” said Dollar. “We are incredibly sorry for the inconvenience and upset this is causing to patients, service users and anyone else affected. We are doing our best to minimise the impact and will stay in touch with local NHS services to keep people up to date with developments.”

The attack comes on the heels of another major ransomware attack in the healthcare industry - against the U.S.-based Change Healthcare in February - and both incidents showcase the potential for disruption that cyberattacks can have in this sector. Healthcare has proved to be a lucrative space for ransomware groups, with groups like Conti, Karma, FIN12 and Hive targeting hospitals, providers and clinics over the years. Like this latest attack on Synnovis, previous ransomware attacks have impacted the efficiency of healthcare processes, with hospitals being forced to divert patients away from their emergency departments or reschedule appointments and surgeries. One challenge that makes cybersecurity particularly difficult in the healthcare space is that the industry is made up of a tangle of networks and partnerships. If one organization gets hit, like Synnovis, the impact of the fallout cascades across the hospitals it partners with.

“I think ransomware groups recognize the impact of healthcare attacks and they think they will get paid in order to save patients,” said Allan Liska, intelligence analyst with Recorded Future. “They also know that even if they aren't paid they might be able to sell the patient data and even if they aren't successful the ransomware groups know there will not be any repercussions for carrying out these attacks.”

<![CDATA[Decipher Podcast: Garrett Yamada]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/decipher-podcast-garrett-yamada https://duo.com/decipher/decipher-podcast-garrett-yamada

<![CDATA[Researchers Warn of Potential Abuse of Azure Service Tags]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/researchers-warn-of-potential-abuse-of-azure-service-tags https://duo.com/decipher/researchers-warn-of-potential-abuse-of-azure-service-tags

Microsoft is warning customers about the potential for an attacker to abuse the service tags feature in Azure to forge requests from a trusted service and bypass firewall rules, potentially gaining access to cloud resources without authorization.

The technique was discovered by researchers from Tenable, who reported it to Microsoft in January. Microsoft Security Response initially acknowledged it as a vulnerability and said the company would issue a patch, but later decided that a patch was not necessary and instead released updated guidance and documentation.

Service tags allow Azure customers to represent a certain block of IP space for Azure services. The tags often are used for network configuration tasks such as building firewall rules. The Tenable researchers found that by abusing service tags, an attacker could bypass firewall rules if there aren’t any other validation controls in place.

“This vulnerability enables an attacker to control server-side forge requests, thus impersonating trusted Azure services. This enables the attacker to bypass network controls based on Service Tags, which are often used to prevent public access to Azure customers’ internal assets, data and services,” Tenable said.

Microsoft stressed in its updated guidance that service tags are not meant to be a security control.

“Cross-tenant access is prevented by authentication and only represents an issue where authentication is not used. However, this case does highlight an inherent risk in using service tags as a single mechanism for vetting incoming network traffic. Service tags are not to be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls. No exploitation or abuse of service tags has been reported by a third-party or seen in the wild per our own investigation,” Microsoft said in its guidance.

“Service tags are not a comprehensive way to secure traffic to a customer’s origin and do not replace input validation to prevent vulnerabilities that may be associated with web requests. Input validation is used to assure where the traffic originates and who is sending the traffic. Additional authentication and authorization checks must be implemented for a layered network security approach.”

Both Microsoft and Tenable encouraged Azure customers to add authentication and authorization controls on top of any network controls based on service tags.

<![CDATA[Snowflake: Customer Accounts Targeted in ‘Identity-Based Attacks’]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/snowflake-customer-accounts-targeted-in-identity-based-attacks https://duo.com/decipher/snowflake-customer-accounts-targeted-in-identity-based-attacks

Cloud-based data storage company Snowflake is urging its customers to implement multi-factor authentication (MFA) after observing a “targeted threat campaign against some Snowflake customer accounts.” The company, in a joint statement with Mandiant and CrowdStrike on Sunday, said that the attack did not stem from a breach of its platform, but instead leveraged compromised credentials for accounts that did not have MFA enabled.

The company released the statement after reports emerged of several companies discovering unauthorized access on databases hosted by Snowflake. In a Friday SEC filing, Live Nation Entertainment disclosed that it had discovered “unauthorized activity within a third-party cloud database environment” on May 20, which contained data from its subsidiary Ticketmaster. Meanwhile, earlier in May, Santander said that it became aware of unauthorized access to a database hosted by “a third-party provider,” with threat actors obtaining information related to customers of Santander Chile, Spain and Uruguay, as well as all current, and some former, employees.

Ticketmaster has reportedly confirmed that its stolen database was hosted on Snowflake, while a Santander spokesperson said it has no further comment "given ongoing investigation." Snowflake in its Sunday statement said that it is “investigating an increase in cyber threat activity targeting some of our customers’ accounts,” but stressed that the activity has not been caused by a vulnerability, misconfiguration or breach of its platform, or caused by compromised credentials of current or former Snowflake employees. Instead, the company said that identity-based attacks are being "directed at users with single-factor authentication.”

“As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware,” according to Brad Jones, CISO at Snowflake, in a Sunday statement. “Throughout the course of the investigation, Snowflake has promptly informed the limited number of Snowflake customers who it believes may have been affected. Mandiant has also engaged in outreach to potentially affected organizations.”

The statement also comes after a threat actor called Shiny Hunters claimed that it was selling data for both Santander and Ticketmaster. In a now-deleted post by Israeli cybercrime intelligence company Hudson Rock, meanwhile, the threat actor claimed that they accessed this data after a hack of Snowflake’s cloud storage services. Snowflake disputed this claim in its joint statement with Mandiant and CrowdStrike, saying the breaches did not stem from its products.

Snowflake said that it did find evidence that threat actors were able to obtain personal credentials for a former Snowflake employee, and they used those credentials to access that employee’s demo account. The demo account, which did not have MFA enabled, did not contain sensitive data and was not connected to Snowflake’s production or corporate systems, according to Snowflake.

In addition to enforcing MFA on all accounts, Snowflake is also urging customers to set up Network Policy Rules so that they only allow authorized users or traffic from trusted locations. Impacted organizations should reset and rotate their Snowflake credentials, said Jones. On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released a security advisory on the incident, calling it an "increase in cyber threat activity targeting customer accounts" and encouraging Snowflake users to hunt for any malicious activity and report their findings to the agency.

Alex Delamotte, senior threat researcher with SentinelLabs, said “there is a lot of conflicting information about this incident that suggests the default security configuration of Snowflake customer instances may not always be sufficient, though this does not indicate a breach of Snowflake itself.”

“The advice from Snowflake on mitigating this attack is telling: the recommendations are to enable MFA and restrict network policies,” said Delamotte. “These are basic security hygiene steps. It’s likely that the attackers behind these incidents discovered that many Snowflake customers were not following best practices, which explains the sudden uptick in such attacks.”

Snowflake on its website said that it supports MFA for users connecting to its platform, and that MFA support is provided as an integrated Snowflake feature. However, MFA is enabled on a per-user basis; users are not automatically enrolled in MFA and instead must enroll themselves, according to Snowflake. Snowflake “strongly recommends that all users with the ACCOUNTADMIN role be required to use MFA” at a minimum, according to its website. With the shared responsibility model, cloud service providers view certain practices - including MFA - as the responsibility of the end user, so that it’s a risk management decision that is up to end users to decide, said Toby Lewis, global head of threat analysis at Darktrace.
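The hunting and hardening steps Snowflake and CISA recommend above, written out as an added example against Snowflake's ACCOUNT_USAGE views (this is not code from the article, Snowflake or Mandiant; it assumes a role that can read the SNOWFLAKE.ACCOUNT_USAGE share, and the IP range 203.0.113.0/24 and the user name suspect_user are constructed placeholders):

```sql
-- Added example, not Snowflake's own guidance. ACCOUNT_USAGE views lag live
-- activity by up to a few hours, so re-run these after an incident window.

-- 1. Successful logins in the last 30 days that presented no second factor.
--    These are exactly the single-factor sessions the campaign relied on;
--    review unfamiliar client IPs and client types.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
ORDER  BY event_timestamp DESC;

-- 2. Users holding ACCOUNTADMIN who have not enrolled in MFA
--    (Snowflake's stated minimum is MFA on every ACCOUNTADMIN).
SELECT u.name, u.last_success_login
FROM   snowflake.account_usage.users u
JOIN   snowflake.account_usage.grants_to_users g
  ON   g.grantee_name = u.name
WHERE  g.role = 'ACCOUNTADMIN'
  AND  g.deleted_on IS NULL
  AND  u.deleted_on IS NULL
  AND  u.ext_authn_duo = FALSE;

-- 3. Network Policy Rule: only allow logins from trusted source ranges.
--    203.0.113.0/24 is a constructed placeholder; use corporate egress ranges.
CREATE NETWORK POLICY trusted_sources_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Restrict account logins to known source ranges';
ALTER ACCOUNT SET NETWORK_POLICY = trusted_sources_only;

-- 4. Rotate credentials for an account flagged in step 1 (placeholder name).
ALTER USER suspect_user SET MUST_CHANGE_PASSWORD = TRUE;
```

Step 1 finds the sessions to investigate, step 2 the admins still exposed to the same attack, and steps 3 and 4 apply the two mitigations the statement calls for.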

“Under the shared responsibility model, cloud service providers (CSPs) typically view certain practices such as MFA as the responsibility of the end-user, however, we are seeing increasing industry push-back on this type of thinking,” said Lewis.

This article was updated June 4 to reflect Santander's response to a request for comment and to add information about CISA's security alert.

<![CDATA[Operation Endgame Targets Trickbot, IcedID, Other Botnets in Huge Disruption]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/operation-endgame-targets-trickbot-icedid-other-botnets-in-huge-disruption https://duo.com/decipher/operation-endgame-targets-trickbot-icedid-other-botnets-in-huge-disruption

In perhaps the largest coordinated action against malware operators and their infrastructure, Europol and a cadre of law enforcement agencies have disrupted the operations of several notorious malware families, including IcedID, Trickbot, Smokeloader, and Bumblebee. As part of the disruption, authorities arrested four suspects, seized more than 2,000 domains and 100 servers.

The action, known as Operation Endgame, was a comprehensive move against a large swath of the malware infrastructure in use today. Trickbot, for instance, has been in operation for barely a decade and has been used to drop many other types of malware, including the Ryuk ransomware, and has been associated with Emotet, as well. IcedID has occupied a similar position in the ecosystem and has been used by many cybercriminals to drop additional malware on compromised systems. Many of the malware families targeted in Operation Endgame have been in operation for quite a long time, and some of them, including Trickbot, have been targeted by takedowns in the past.

But this operation has a different flavor to it, not just with the broad international coordination, but also with the promise of more to come in the future.

“International law enforcement and partners have joined forces. We have been investigating you and your criminal undertakings for a long time and we will not stop here. This is Season 1 of operation Endgame. Stay tuned. It sure will be exciting. Maybe not for everyone though. Some results can be found here, others will come to you in different and unexpected ways,” the Operation Endgame site says.

Eight Russian suspects allegedly associated with these various malware operations have been added to Europol’s most wanted list as a result of the action. Several security companies and other organizations assisted with Operation Endgame, including Abuse.ch, Spamhaus, Team Cymru, and Shadowserver.

<![CDATA[Wyden: SEC, FTC Should Investigate UnitedHealth’s ‘Negligent’ Security Practices]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/wyden-sec-ftc-should-investigate-unitedhealth-s-negligent-security-practices https://duo.com/decipher/wyden-sec-ftc-should-investigate-unitedhealth-s-negligent-security-practices

On the heels of the massively disruptive Change Healthcare ransomware attack earlier this year, Sen. Ron Wyden (D-Ore.) is calling on the SEC and FTC to investigate the “negligent cybersecurity practices” of parent company UnitedHealth Group.

The question of accountability has emerged in the months after the February ransomware attack that led to disruptions in patient care and delays in prescription orders across the country, as well as the compromise of the health and personally identifiable data of an estimated one-third of Americans. In his letter to FTC Chair Lina Khan and SEC Chair Gary Gensler on Thursday, Wyden said that UnitedHealth, its senior executives and its board of directors should all be held responsible.

“The cyberattack against UHG could have been prevented had UHG followed industry best practices,” according to Wyden’s letter. “UHG’s failure to follow those best practices, and the harm that resulted, is the responsibility of the company’s senior officials including UHG’s CEO and board of directors. Accordingly, I urge the FTC and SEC to investigate UHG’s numerous cybersecurity and technology failures, to determine if any federal laws under your jurisdiction were broken, and, as appropriate, hold these senior officials accountable.”

One security gap on Change Healthcare’s end that helped actors achieve initial access was the failure to enable multi-factor authentication (MFA) on a Citrix remote access portal account. Threat actors behind the attack were able to access this account, which didn’t have MFA, through compromised credentials. In government hearings earlier in May, UnitedHealth Group CEO Andrew Witty presented varying, conflicting statements about the company’s MFA policy. Witty first said the company’s policy was to have MFA for externally facing systems, but that the policy had not been in place at the time of the hack, and later said that the MFA policy was not all-encompassing for external servers, and instead included exceptions for older technology that had been upgraded.

Beyond the lack of MFA, however, Wyden said that security best practices should rely on multiple lines of defense, and it’s still unclear how threat actors achieved administrative privileges and lateral movement after gaining initial access.

“Hackers gaining access to one remote access server should not result in a ransomware infection so serious that the company must rebuild its digital infrastructure from scratch,” said Wyden. “In addition to the company’s cybersecurity failures, the company also clearly failed to plan for ransomware and to ensure that its digital infrastructure could be promptly restored in hours or days, rather than weeks.”

Wyden also pointed to a lack of expertise and understanding of cybersecurity from UnitedHealth’s senior executives and board members. While many boards of directors today are trying to better understand issues like risk assessment and security strategy, by creating dedicated security committees or adding members with security expertise, none of UnitedHealth’s board members have “any meaningful cybersecurity expertise,” said Wyden. At the same time, said Wyden, UnitedHealth’s CISO Steven Martin had not previously held a full-time security role, instead working in various technology jobs at UnitedHealth and Change before he landed the CISO role in June 2023.

However, “due to his apparent lack of prior experience in cybersecurity, it would be unfair to scapegoat Mr. Martin for UHG’s cybersecurity lapses,” said Wyden. “Instead, UHG’s CEO and the company’s board of directors should be held responsible for elevating someone without the necessary experience to such an important role in the company, as well as for the company’s failure to adopt basic cyber defenses.”

UnitedHealth is already under investigation by the Department of Health and Human Services’ Office for Civil Rights, which in March announced it was looking at whether protected health information was compromised in the ransomware attack.

The FTC and SEC have previously been involved with security investigations across various industries. The FTC, which requires financial services companies to adopt MFA under its Safeguards Rule, has previously ordered companies like alcohol marketplace platform Drizly and education tech company Chegg to take specific security actions after security failures at these companies led to breaches. The SEC, meanwhile, has taken the approach of looking at how organizational security gaps impact investors. In 2023, for instance, the SEC filed a lawsuit against SolarWinds and its CISO after the 2020 SolarWinds attacks, alleging that they made false statements to investors about the company’s security risks and vulnerabilities.

When asked for comment, UnitedHealth Group said: "The malicious criminal attack on Change Healthcare – as well as other recent cyberattacks on the health system – underscores the need to fortify cyber defenses and strengthen resilience, and we look forward to working with policymakers and other stakeholders in helping develop strong, practical solutions."

"The fact that the company moved quickly and effectively in response to this attack is testament to our company’s commitment to strong cybersecurity. UnitedHealth Group has an experienced board with effective, broad-based skills in risk management, including cybersecurity," according to UnitedHealth Group. "Members of the Audit and Finance Committee, which oversees the company’s cybersecurity program, have experience with cybersecurity and in leading organizations operating in industries facing significant cybersecurity risks."

An SEC spokesperson said that Gensler will respond to members of Congress directly. An FTC spokesperson, meanwhile, said that the FTC received the letter but did not have any comment.

<![CDATA[U.S. Sanctions Three Chinese Nationals for Alleged Connection to 911 S5 Botnet]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/u-s-sanctions-three-chinese-nationals-for-alleged-connection-to-911-s5-botnet https://duo.com/decipher/u-s-sanctions-three-chinese-nationals-for-alleged-connection-to-911-s5-botnet

UPDATE--The United States government has sanctioned three Chinese nationals for their alleged roles in running the 911 S5 proxy service, which consisted of compromised machines that the network’s operators rented out to cybercriminals as proxies through which they could connect to the Internet and hide their identities.

The Department of the Treasury’s Office of Foreign Assets Control on Tuesday announced sanctions against Yunhe Wang, Jingping Liu, and Yanni Zheng, and also against three companies allegedly controlled by Wang: Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited.

“These individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats,” said Under Secretary Brian E. Nelson. “Treasury, in close coordination with our law enforcement colleagues and international partners, will continue to take action to disrupt cybercriminals and other illicit actors who seek to steal from U.S. taxpayers.”

The Department of Justice announced on Wednesday that Wang had been arrested on May 24 and law enforcement had seized 23 domains and more than 70 servers that were part of the botnet.

“We arrested its administrator, Yunhe Wang, seized infrastructure and assets, and levied sanctions against Wang and his co-conspirators. The 911 S5 Botnet infected computers in nearly 200 countries and facilitated a whole host of computer-enabled crimes, including financial frauds, identity theft, and child exploitation," FBI Director Chris Wray said.

The 911 S5 network was essentially a botnet made up of compromised computers and the operators allowed customers to proxy their Internet connections through those machines. In some cases, the customers used the service to submit fraudulent claims through the various COVID-19 relief programs run by the federal government. The botnet also was connected to some bomb threats made in 2022 in various locations in the U.S. Researchers from the University of Sherbrooke in Canada detailed the operations of the 911 S5 network in 2022, along with the operations of other similar services.

As part of the sanctions, OFAC said that Wang was the main operator of the 911 S5 network, while Liu was allegedly in charge of the financial side of the business.

“The virtual currency that 911 S5 users paid to Yunhe Wang were converted into U.S. dollars using over-the-counter vendors who wired and deposited funds into bank accounts held by Jingping Liu. Jingping Liu assisted Yunhe Wang by laundering criminally derived proceeds through bank accounts held in her name that were then utilized to purchase luxury real estate properties for Yunhe Wang,” the OFAC statement says.

Zheng, meanwhile, allegedly assisted Wang in buying luxury properties. The OFAC sanctions mean that U.S. persons or companies cannot do business with the sanctioned entities or people.

In its indictment, the Justice Department said that Wang had earned as much as $99 million by operating the 911 S5 botnet, and had accumulated a huge pile of assets that are subject to forfeiture, including "a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, several luxury wristwatches, 21 residential or investment properties (across Thailand, Singapore, the U.A.E., St. Kitts and Nevis, and the United States), and 20 domains."

This story was updated on May 29 to add information about Wang's arrest.