Flair Data Systems Cybersecurity News Update 2-28-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 2/28/2024.

Lots of updated news around LockBit since they were hit by law enforcement over the past couple of weeks. Something I have been thinking about a lot is that we never really see Anonymous mentioned in the news anymore. It makes one wonder whether those who at one point supported or were part of Anonymous decided to go at things for monetary gain... food for thought.


Outside of that, one hot topic I have had continued conversations about is giving users "Administrator" privileges on their local systems. This is a contentious issue for many organizations. Some take the hard line that no one will have it (knowing it will drive more calls from users to the Help Desk for assistance). Others have taken the position that they do not have the workforce to support every user who needs something. Still other organizations are heavy in technical staff or developers, and removing those administrator rights would impede their ability to perform necessary work. For the most part I am asked how I would recommend solving this problem, and my answer generally comes back to enabling your users; doing so safely, however, requires technical controls (i.e., endpoint management software) that elevate individual applications as needed with a privileged token, without granting that right to the user on a constant basis for any and all tasks. There are multiple vendors that can help in this fashion, but the challenge is picking the solution that your team can own effectively.
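Whichever vendor you pick, the control only holds if standing membership in the local Administrators group does not quietly grow back. The script below is an added example (not from this post, and not any vendor's code) that replays Windows Security events 4732 (member added to a security-enabled local group) and 4733 (member removed) for the well-known BUILTIN\Administrators SID and reports anyone holding standing admin rights outside an approved baseline. The event records, host names, account names and the approved list are constructed samples in a simplified dict form; a real run would feed it parsed events from your SIEM or a forwarded event log, and would seed each host's starting membership from an inventory snapshot rather than assuming it begins empty.

```python
"""Track local Administrators group membership from Windows Security events.

Added example, not code from the original post. It replays event IDs 4732
(member added to a security-enabled local group) and 4733 (member removed)
and reports any member of BUILTIN\\Administrators (SID S-1-5-32-544) that is
not in an approved baseline. The records below are constructed samples in a
simplified dict form, not a real log export.
"""
from collections import defaultdict

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample events (hosts, accounts and order are made up)
SAMPLE_EVENTS = [
    {"EventID": 4732, "Computer": "WS-101", "TargetSid": ADMINISTRATORS_SID,
     "MemberName": "CORP\\EPM-Service"},            # the elevation agent's own account
    {"EventID": 4732, "Computer": "WS-101", "TargetSid": ADMINISTRATORS_SID,
     "MemberName": "WS-101\\jdoe"},                 # a user given standing admin rights
    {"EventID": 4732, "Computer": "WS-102", "TargetSid": "S-1-5-32-555",
     "MemberName": "WS-102\\helpdesk"},             # Remote Desktop Users, not Administrators
    {"EventID": 4732, "Computer": "WS-102", "TargetSid": ADMINISTRATORS_SID,
     "MemberName": "CORP\\dev-tmp"},                # temporary elevation ...
    {"EventID": 4733, "Computer": "WS-102", "TargetSid": ADMINISTRATORS_SID,
     "MemberName": "CORP\\dev-tmp"},                # ... that was removed again
]

# Hypothetical baseline: accounts allowed to hold standing local admin rights
APPROVED_ADMINS = {"CORP\\EPM-Service", "CORP\\Domain Admins"}


def replay_admin_membership(events):
    """Return {host: set(current members)} of the local Administrators group.

    Assumes each host starts with no tracked members; a production version
    would seed this from an inventory snapshot before replaying events.
    """
    members = defaultdict(set)
    for ev in events:
        if ev["TargetSid"] != ADMINISTRATORS_SID:
            continue  # change to some other local group, not of interest here
        if ev["EventID"] == 4732:
            members[ev["Computer"]].add(ev["MemberName"])
        elif ev["EventID"] == 4733:
            members[ev["Computer"]].discard(ev["MemberName"])
    return dict(members)


def unapproved_admins(events, approved=APPROVED_ADMINS):
    """Return sorted (host, member) pairs holding admin rights outside the baseline."""
    current = replay_admin_membership(events)
    return sorted((host, m) for host, ms in current.items()
                  for m in ms if m not in approved)


if __name__ == "__main__":
    for host, member in unapproved_admins(SAMPLE_EVENTS):
        print(f"{host}: {member} holds standing local admin rights")
```

Run against the constructed events it reports only WS-101\jdoe: the elevation service account is in the baseline, the Remote Desktop Users change is ignored, and the temporary dev-tmp grant on WS-102 was reversed by the matching 4733 event, which is exactly the pattern a just-in-time elevation product should leave behind.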

With that, let's jump into this week's cybersecurity news update.


LockBit Updates

It was discovered during the takedown that LockBit was not actually deleting the data as promised when a ransom was paid; are we really surprised by this one?

  • During the takedown, it was discovered that LockBit was building an updated version of its file-encrypting malware (LockBit-NG-Dev), which would possibly be considered LockBit 4.0
  • This was a change in their code base from C/C++ to .NET, compiled with CoreRT and packed with MPRESS
  • The new version appears to support three encryption modes (using AES+RSA) called "fast", "intermittent", and "full"
  • It offers a self-delete feature that overwrites LockBit's own file contents with null bytes

Link (1): https://therecord.media/lockbit-lied-about-deleting-exfiltrated-data-after-ransom-payments 

Link (2): https://www.bleepingcomputer.com/news/security/lockbit-ransomware-secretly-building-next-gen-encryptor-before-takedown/#:~:text=LockBit%20ransomware%20developers%20were%20secretly,cybercriminal's%20infrastructure%20earlier%20this%20week. 

Connectwise ScreenConnect Vulnerabilities

CVE-2024-1709: affects ScreenConnect 23.9.7 and older; allows any remote attacker to bypass authentication, delete the ScreenConnect user database, and gain control of an admin user

  • CVE-2024-1708: a path traversal that enables an attacker to access files and directories that should not be accessible
  • Exploitation of CVE-2024-1709 has been seen en masse in the wild, starting the day after the patch was released
  • The cloud version of ScreenConnect was automatically patched, but on-premises installations rely on customers to patch manually

Link (1): https://www.techrepublic.com/article/connectwise-screenconnect-vulnerability/ 
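
For on-premises customers the first job is finding every install still at 23.9.7 or older. The snippet below is an added example (not from this post or from ConnectWise) that compares reported version strings against that threshold as integer tuples, because a plain string comparison would wrongly rank "23.9.10" below "23.9.7". The host names and versions in the inventory are constructed; in practice they would come from your asset inventory or the ScreenConnect server's own version endpoint.

```python
"""Flag ScreenConnect installs at or below 23.9.7 (CVE-2024-1709 / CVE-2024-1708).

Added example, not code from the original post or from ConnectWise. Versions
are compared as integer tuples so that 23.9.10 is correctly treated as newer
than 23.9.7. The inventory below is constructed sample data.
"""

LAST_VULNERABLE = (23, 9, 7)  # "23.9.7 and older" per the advisory


def parse_version(text):
    """'23.9.7' -> (23, 9, 7); tolerates a trailing build like '23.9.7.8808'
    and pads short strings such as '23.9' with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_vulnerable(version_text):
    """True when the install is 23.9.7 or older."""
    return parse_version(version_text) <= LAST_VULNERABLE


# Constructed inventory: hostname -> reported ScreenConnect version
INVENTORY = {
    "sc-prod-01": "23.9.7",
    "sc-prod-02": "23.9.8",
    "sc-lab": "22.8.9",
    "sc-dmz": "23.9.10",
}


def vulnerable_hosts(inventory=INVENTORY):
    """Sorted list of hosts whose version is still in the affected range."""
    return sorted(h for h, v in inventory.items() if is_vulnerable(v))


if __name__ == "__main__":
    for host in vulnerable_hosts():
        print(f"{host}: ScreenConnect {INVENTORY[host]} needs patching")
```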

Thousands of wireless customers suffer outage

Last Thursday, a good portion of cell service was disrupted by the AT&T outage; it probably felt like an apocalyptic event, unless you happened to be on vacation.

  • AT&T is attributing the outage to a software bug "caused by the application and execution of an incorrect process used as we were expanding our network, not a cyber attack"
  • This type of event (much like the 2019/2020 pandemic) will lay the groundwork for tabletop scenarios and how to prepare for them
  • Interestingly enough, people were calling 911 to "test their phones", which is not what I thought of doing when the service was down

Link (1): https://www.cbsnews.com/news/numerous-us-cellphone-providers-experiencing-outages-downdetector/ 

Prescription delays due to Change Healthcare cyberattack

Change Healthcare (owned by Optum) has been experiencing a cyber incident for the past week.

  • BlackCat has taken responsibility for this incident, even though Change Healthcare has been stating it was a nation-state attacker (based on their 8-K SEC filing)
  • The Change Healthcare incident has disrupted pharmacy services nationwide

Link (1): https://therecord.media/change-healthcare-blackcat-alphv-incident-drags-on 

Link (2): https://status.changehealthcare.com/incidents/hqpjz25fn3n7 

PayPal files patent for new stolen cookies detector

PayPal has filed a patent application for a way to identify when a "super-cookie" is stolen.

  • Super-cookies (also referred to as "flash cookies") are Local Shared Objects that are injected at the network level as unique-identifier headers by the user's ISP
  • These are used primarily for cross-site tracking: following users across different browsers on the same device, collecting data on browsing activity, and serving as persistent "device fingerprints"

Link (1): https://www.bleepingcomputer.com/news/security/paypal-files-patent-for-new-method-to-detect-stolen-cookies/  

U-Haul affected by a breach

On Dec 5th, 2023, an unauthorized actor used legitimate credentials to access systems that U-Haul dealers and team members use to track customer reservations and view customer records.

  • After an investigation, it appears that certain customer records were accessed in the breach, including names and driver's licenses; U-Haul is in the process of notifying customers
  • In 2022, a similar incident occurred, also involving stolen credentials
  • My question to any organization storing any type of sensitive information: why are you not implementing MFA on your platforms for access? Some type of MFA challenge is better than nothing at all, especially considering users are notorious for credential reuse and the high number of password breaches that continue to occur

Link (1): https://www.darkreading.com/cyberattacks-data-breaches/67k-customers-impacted-by-data-breach-according-to-u-haul 

Brand domains used in spam operation

A spam operation affecting more than 8,000 domains and 13,000 subdomains is being tracked as SubdoMailing.

  • The threat actor is being called ResurrecAds; they resuscitate dead domains of, or affiliated with, big brands with the end goal of manipulating the digital advertising ecosystem for nefarious gains
  • Brands have included: ACLU, eBay, Lacoste, Marvel, McAfee, MSN, Pearson, PwC, Swatch, Symantec, VMware, and others
  • Marketing departments will stand up domains, use them for campaigns, and then abandon them after a period of time without properly cleaning things up, which allows threat actors to come in and purchase the abandoned domain
  • One example: a company adds a campaign domain to its SPF record, but when the domain is abandoned the DNS owners are never notified to remove that entry, so the domain is still considered "trusted"

Link (1): https://thehackernews.com/2024/02/8000-subdomains-of-trusted-brands.html 
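
The SPF case in the last bullet is easy to check for yourself: walk your record's include: chain and look for entries that no longer resolve, since a domain that has lapsed is one someone else can register and inherit your sending trust. The script below is an added example (not from this post or from the researchers who tracked SubdoMailing). To run offline it substitutes a constructed in-memory TXT table for real DNS; the brand.example, mail-provider.example and spring-campaign.example names are made up, and the missing spring-campaign.example entry models an abandoned campaign domain that was never removed from SPF. In practice you would replace lookup_spf with a real TXT query.

```python
"""Walk an SPF record's include: chain and flag includes that no longer resolve.

Added example, not code from the original post. A constructed in-memory TXT
table stands in for DNS so the script runs offline; a missing entry models an
abandoned campaign domain still referenced from the brand's SPF record.
"""

# Constructed TXT records: domain -> SPF string. Absent key = no SPF record.
FAKE_TXT = {
    "brand.example": ("v=spf1 include:_spf.mail-provider.example "
                      "include:spring-campaign.example -all"),
    "_spf.mail-provider.example": ("v=spf1 ip4:192.0.2.0/24 "
                                   "include:relay.mail-provider.example ~all"),
    "relay.mail-provider.example": "v=spf1 ip4:198.51.100.0/24 -all",
    # "spring-campaign.example" is deliberately absent: abandoned after a
    # campaign, never removed from brand.example's SPF, and free to re-register.
}


def lookup_spf(domain, txt=FAKE_TXT):
    """Return the SPF TXT string for a domain, or None if there is none.

    Swap this for a real DNS TXT query (e.g. via dnspython) in production.
    """
    return txt.get(domain)


def spf_includes(record):
    """Extract the target domains of every include: mechanism in an SPF string."""
    return [term.split(":", 1)[1]
            for term in record.split() if term.startswith("include:")]


def find_dangling_includes(domain, txt=FAKE_TXT, _seen=None, depth=0):
    """Return sorted (parent, include) pairs where the include has no SPF record.

    Recurses through nested includes; the depth cap mirrors the RFC 7208
    limit of 10 DNS-querying mechanisms, and the seen-set stops loops.
    """
    seen = _seen if _seen is not None else set()
    dangling = []
    record = lookup_spf(domain, txt)
    if record is None or domain in seen or depth > 10:
        return dangling
    seen.add(domain)
    for inc in spf_includes(record):
        if lookup_spf(inc, txt) is None:
            dangling.append((domain, inc))   # still trusted, but nobody owns it
        else:
            dangling.extend(find_dangling_includes(inc, txt, seen, depth + 1))
    return sorted(dangling)


if __name__ == "__main__":
    for parent, inc in find_dangling_includes("brand.example"):
        print(f"{parent} still includes {inc}, which has no SPF record")
```

The same walk also tells you how close a record is to the 10-lookup limit, which is a second reason to prune stale includes rather than let them accumulate.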

Steel giant hit with cyberattack

ThyssenKrupp is one of the world's largest steel producers, employing over 100k personnel with annual revenue of over $44.4 billion.

  • ThyssenKrupp has confirmed a breach of the systems in its Automotive division last week, forcing it to shut down IT systems as part of its response and containment efforts
  • They are considered a crucial component of the global supply chain for products that use steel as a material across various sectors
  • Currently no threat actor group has taken responsibility for this attack, nor has the organization offered any insight
  • This is not their first attack either; they were also hit in 2022, 2020, 2016, and 2013

Link (1): https://www.bleepingcomputer.com/news/security/steel-giant-thyssenkrupp-confirms-cyberattack-on-automotive-division/ 


Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 



About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or modern technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been part of multiple groups within the IT field, spanning Telecom, Network, Wireless, and Infrastructure, before eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry, working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program.


Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. He lives in Dallas, Texas with his wife and children. 


About: Flair Data Systems is a strategically priced IT solutions company serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity. We provide trusted cybersecurity services in Plano, TX.

