🎓️ Vulnerable U | #063

LockBit Ransomware Unmasking, Major VPN vulnerabilities, Counterfeit Cisco gear, F5 BigIP vulns, Ascension Healthcare cybersecurity incident outage, and more!

Read Time: 9 minutes

Howdy friends!

I’m sitting in the exact same seat as I was a few weeks ago, writing this from SFO on my way home. It was work last time, RSA this time. Thanks to everyone who came to the Vulnerable U party. We had over 150 folks come through, and it was great meeting so many of you.

The theme of the week was absolutely AI. If you can get past the droves of vendors who threw AI on their banners but aren’t actually doing anything AI-related, there was some genuinely interesting tech floating around. Companies with huge piles of enriched security data training models might start to see some interesting results. I also saw a vendor throwing all of npm and PyPI at OpenAI to discover malware; the false positive rate is high, so they just eat that and verify manually. Super cool, and an actually useful use of AI.

Were you at RSA?

If so, did I get to meet you? And what was your favorite part? Or tell me something you learned.


I wrote a piece this week on how our privacy regulations need stronger teeth for mental health data protection:

In recent years, the importance of privacy in mental health care has come under intense scrutiny, particularly following a series of high-profile data breaches that have exposed the sensitive information of thousands of patients. These incidents underscore the urgent need for enforceable privacy rights to protect individuals seeking mental health support.

The BetterHelp Case

This is the news that inspired me to write this blog. BetterHelp, a massive online therapy provider, was caught trading information, including mental health information, to Facebook and Snapchat for advertising purposes. In 2023, the Federal Trade Commission (FTC) charged BetterHelp with disclosing this sensitive health data despite promises to keep such information private. This data included user emails, IP addresses, and answers to personal mental health questions. As a result, BetterHelp agreed to a $7.8 million settlement, affecting approximately 800,000 people who used their services between August 2017 and December 2020. This incident is not only a disgusting breach of user trust, it will likely deter people who were already hesitant to seek therapy for mistrust of the system.

ICYMI

🖊️ Something I wrote: A thread on the Dropbox data breach

🎧️ Something I heard: Randomly stumbled upon this hypnotic song this week that has been an ear worm (no relation to RFK).

🎤 Something I said: I was on the Bishop Fox live stream at RSA this week talking about AppSec

🔖 Something I read: Got to sit and talk with Daniel Miessler at RSA and had a great convo around his thoughts on spending time working on things that align with your purpose. I’ll write more about my take on this soon.

📣 Sponsor

Data theft is up 13% since last year; keep your assets safe.

Learn about the shortcomings of traditional security approaches to securing modern infrastructure from IAM analyst Jack Poller in "Modernizing Secure Access to Infrastructure."

  • Surprising Source of Breaches: Only 5% result from software vulnerabilities—where should we really focus our efforts?

  • Human Factor Dominance: 74% of breaches involve human error. Is your security strategy human-proof?

  • Stolen Credentials Surge: A staggering 71% year-over-year increase in incidents. How secure are your access points?

  • Server Vulnerabilities: With 85% of breaches involving servers, how can we better protect these critical assets?

Vulnerable News

The U.S. Department of Justice (DOJ) charged Dmitry Yuryevich Khoroshev, a Russian national, as the leader of the LockBit ransomware group:

  1. Indictment and Charges:

    • Dmitry Khoroshev, 31, from Voronezh, Russia, has been charged with using LockBit ransomware to attack over 2,000 victims and extort at least $100 million in ransom payments.

    • The indictment includes 26 counts, accusing Khoroshev of developing and administering LockBit from September 2019 to May 2024.

  2. Impact and Victims:

    • LockBit ransomware targeted individuals, small businesses, multinational corporations, hospitals, schools, non-profits, critical infrastructure, and government agencies.

    • The ransomware group extorted at least $500 million and caused billions in broader losses, affecting over 2,500 victims in 120 countries, including 1,800 in the U.S.

  3. Law Enforcement Actions:

    • The U.S., U.K., and Australia have sanctioned Khoroshev.

    • Authorities seized LockBit's darknet websites and replaced them with press releases and decryption tools for victims.

  4. Khoroshev’s Denial and Repercussions:

    • Khoroshev, using the alias LockBitSupp, denied the charges on Russian cybercrime forums, claiming mistaken identity.

    • The U.S. Department of State has offered a $10 million reward for information leading to Khoroshev’s arrest.

  5. Previous Indictments:

    • Khoroshev is the sixth person indicted in connection with LockBit. Other indicted individuals include Artur Sungatov, Ivan Gennadievich Kondratyev (Bassterlord), Mikhail Matveev (Wazawaka), Mikhail Vasiliev, and Ruslan Magomedovich Astamirov. (read more)

This story was a big splash this week, and it is cool research by Leviathan. I, for one, don’t think anyone should be using a VPN for security reasons. They’re a useful tool for companies to help with access to internal resources, but HTTPS being so ubiquitous means using a VPN on public WiFi just changes which ISP can see what you’re browsing. There are some specific VPNs, like Proton, that I’d say have some use cases for privacy depending on your threat model (i.e. three-letter agencies wanting your info, and Proton won’t fork it over). But here is a summary of this cool research:

  • Vulnerability Description: Attackers on the same local network can bypass a VPN’s protection without alerting the user.

  • Technical Mechanism:

    • DHCP (Dynamic Host Configuration Protocol): When a device connects to a network, it requests an IP address from the DHCP server, which assigns it an IP and sets the Internet gateway.

    • DHCP Option 121: Allows a DHCP server to set more specific routes on a user’s system. Attackers can abuse this to reroute traffic through a rogue server they control, circumventing the VPN.

    • DHCP Starvation Attack: Attackers can force a network’s DHCP server to exhaust its IP addresses, prompting users to reconnect and allowing the rogue server to take over.

  • Scope of Attack:

    • Potentially exposes metadata like source and destination addresses, not the content itself (which is typically encrypted with HTTPS).

    • Could be exploited by compromised DHCP servers, rogue network administrators, or fake wireless hotspots. (read more)
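Option 121 carries a list of classless static routes in the compact RFC 3442 encoding (a prefix width, only as many destination bytes as that width needs, then a 4-byte router). A defender who captures the DHCP offer a client accepted can decode the option and see whether the pushed routes are narrow, as they normally are, or broad enough to pull most traffic out of the tunnel. The decoder and audit below are an added example and not Leviathan’s code; the two payloads are constructed by hand, and the `1/256` coverage threshold is an arbitrary assumption for illustration.

```python
import ipaddress

def decode_option_121(data: bytes):
    """Decode an RFC 3442 classless static route list (DHCP option 121).

    Returns a list of (IPv4Network, IPv4Address) pairs: destination, next hop.
    """
    routes = []
    i = 0
    while i < len(data):
        width = data[i]
        if width > 32:
            raise ValueError(f"invalid prefix width {width} at offset {i}")
        i += 1
        nbytes = (width + 7) // 8            # only significant octets are sent
        if i + nbytes + 4 > len(data):
            raise ValueError("truncated option 121 payload")
        dest = data[i:i + nbytes] + b"\x00" * (4 - nbytes)
        i += nbytes
        router = data[i:i + 4]
        i += 4
        network = ipaddress.IPv4Network((dest, width), strict=False)
        routes.append((network, ipaddress.IPv4Address(router)))
    return routes

def coverage_fraction(routes) -> float:
    """Fraction of the IPv4 space the pushed routes claim, after merging overlaps."""
    merged = ipaddress.collapse_addresses(net for net, _ in routes)
    covered = sum(net.num_addresses for net in merged)
    return covered / 2 ** 32

def is_suspicious(routes, max_fraction: float = 1 / 256) -> bool:
    """Flag a route set broad enough to divert traffic a VPN expects to own.

    Legitimate option 121 use is narrow (a /24 for a printer VLAN, say); a set
    that covers more than the assumed threshold deserves a closer look.
    """
    return coverage_fraction(routes) > max_fraction

def describe(routes):
    """Human-readable 'dest via router' strings, handy for a log line."""
    return [f"{net} via {router}" for net, router in routes]

# Constructed sample payloads (not captured from any real network):
# a single /24 route, the kind an office DHCP server might legitimately push ...
BENIGN = b"\x18\x0a\x00\x05\xc0\xa8\x01\x01"
# ... and two /1 routes that together cover every address, pointing at one router.
BROAD = b"\x01\x00\xc0\xa8\x01\xfe\x01\x80\xc0\xa8\x01\xfe"

if __name__ == "__main__":
    for label, payload in (("benign", BENIGN), ("broad", BROAD)):
        routes = decode_option_121(payload)
        print(label, describe(routes), "suspicious" if is_suspicious(routes) else "ok")
```

Run it as a script to see the two route sets classified; on real captures, feed the raw option 121 bytes from the accepted DHCPACK into `decode_option_121` and alert on `is_suspicious`. A VPN client that wants to defend itself could apply the same check before installing any route the DHCP server hands it.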

"One of the largest counterfeit-trafficking operations ever."

Well, here is a new “Florida Man” story. Turns out this guy built a massive illusion of legitimacy to sell off fake Cisco gear: 19 companies, about 15 Amazon storefronts, and 10 eBay storefronts. From the article: “He imported the products from China and Hong Kong and used fake Cisco packaging, labels, and documents to sell them as new and real. Legitimate versions of the products would've sold for over $1 billion, per the indictment.”

Also, he sold a bunch of it to the U.S. military, hospitals, and schools. It has to be a hard problem to solve at scale, ordering hundreds of millions of dollars worth of hardware and having to verify, down to the chip level, that what you bought is what you expected. Especially if manufactured in an adversarial nation. (read more)

Seems Google is merging Mandiant and VirusTotal.

  • Google Threat Intelligence:

    • AI-Powered Analysis: Utilizes Google's Gemini AI to analyze potentially malicious code, summarize findings, and augment threat research processes.

    • Combining Expertise: Integrates data from Mandiant's incident response and threat research teams with telemetry from Google’s user and device base.

    • VirusTotal Integration: Utilizes VirusTotal’s crowdsourced malware database for enhanced visibility and observability.

  • Google Security Operations:

    • Generative AI for Efficiency: Simplifies threat detection, investigation, and response through AI technology.

    • Investigation Assistant: Helps security professionals make faster decisions by answering questions, summarizing events, hunting for threats, and providing recommended actions.

    • Playbook Assistant: Aids in creating response playbooks, customizing configurations, and incorporating best practices. (read more)

This got some attention this week, and a lot of rumors said it was Zscaler, which IntelBroker later confirmed was the company they were talking about. Zscaler said they’re investigating but have no evidence of any security incident beyond a rogue test server on the internet that held no customer info and was not connected to their network. SecurityWeek covered this part: Zscaler Investigates Hacking Claims After Data Offered for Sale

This feels a lot like the recent AT&T situation, where all their data was up for sale and they claimed there was no evidence it was theirs, until there was. We’ll see how this ends up. (read more)

  • Vulnerabilities Fixed:

    • F5 Networks fixed two high-severity vulnerabilities in their BIG-IP Next Central Manager.

    • The vulnerabilities are an SQL injection flaw (CVE-2024-26026) and an OData injection flaw (CVE-2024-21793).

  • Exploitation Potential:

    • These vulnerabilities can be exploited to gain admin control and create hidden rogue accounts on any managed assets.

    • The flaws allow unauthenticated attackers to execute malicious SQL statements on unpatched devices remotely.

  • Attack Description:

    • SQL Injection: Involves injecting malicious SQL queries into input fields or parameters, resulting in unauthorized access and system takeovers.

    • OData Injection: Similar in impact, allowing remote execution of malicious SQL statements via the BIG-IP Next Central Manager API. (read more)
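The root cause in any SQL injection is the same: user input spliced into the statement text, so quote characters in the input rewrite the query. The snippet below is an added example, not F5’s code and not a reproduction of either CVE; it uses a constructed in-memory SQLite table to show the vulnerable pattern next to the parameterized fix, with one crafted username that turns a single-user lookup into a dump of every row in the vulnerable version and returns nothing in the hardened one.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample store standing in for a management console's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "viewer")],
    )
    conn.commit()
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, username: str):
    # Vulnerable: the caller's string becomes part of the SQL text, so a quote
    # in it closes the literal and whatever follows is parsed as SQL.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn: sqlite3.Connection, username: str):
    # Hardened: the value is bound as a parameter and never parsed as SQL,
    # so the same input is compared literally against the username column.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Constructed test input: a username that no account has, carrying a quote.
CRAFTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, CRAFTED))  # every row
    print("safe:      ", find_user_safe(db, CRAFTED))        # no rows
```

The fix is the bound parameter, not input filtering: the hardened lookup needs no allow-list of characters because the database driver never treats the value as statement text. The same rule applies to OData or any other query language assembled from request parameters; build the filter from typed values, not string concatenation.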

If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems. This is key to advancing both our platform quality and capability such that we can protect the digital estates of our customers and build a safer world for all.

Satya Nadella

Whelp. If I got this note from my CEO, I’d certainly take it seriously. I know talk is cheap and all that, but when it gets that high up at a company like Microsoft, I’m inclined to think some things might change. Could this be the result of the government pressuring them to increase security efforts due to the few high-profile nation-state hacks recently?

I hope this initiative is sincere and not just lip service to making the share price and lawmakers happy. (read more)

  • Dell experienced a data breach affecting customers' names and physical addresses.

  • The breach involved a database on a Dell portal containing limited customer information related to purchases from Dell.

  • Data Exposed:

    • Customer names

    • Physical addresses

    • Dell hardware and order information (including service tag, item description, date of order, and warranty information)

    • No email addresses, telephone numbers, or financial payment information were exposed.

Hacking Forum Claims:

  • On April 29, the Daily Dark Web reported a post on a hacking forum advertising Dell customer data.

    • The post claimed to have information on 49 million people, including names, addresses, service tags, and customer numbers, aligning with Dell’s disclosed breach data.

  • Dell did not comment on or dispute the hacker's claims. (read more)

A pentester stole a bunch of vulnerability reports and other sensitive info on the way out the door after being fired from his job. After the company asked him for an exit interview and some supervised deletion of the materials, the consultant not only refused, but CC’d some journalists on his reply and demanded 5 years salary to delete the files. Then in subsequent emails, cc’ing more journalists, he demanded 10 years salary.

Turns out this is seen as …not a best practice, and he is facing criminal extortion charges. All the while he’s trying to now peddle the info he stole for a book deal… Wild stuff! (read more)

Here we go again. Change Healthcare all over again? This time it is an actual healthcare provider, Ascension, which operates hundreds of facilities including hospitals and senior care homes. We don’t have a ton of details here, but this obviously smells like ransomware.

"Out of an abundance of caution we are recommending that business partners temporarily suspend the connection to the Ascension environment. We will inform partners when it is appropriate to reconnect into our environment." (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay