Hello all,
This week saw several shadows of potential digital apocalypse spread across the cyberverse. AT&T triggered a meltdown in cellular traffic, the Chinese had a major leak exposing some of their activity, LockBit Ransomware group was unplugged, and ConnectWise’s rapid action stopped the death of western culture as we know it (I could be exaggerating a bit but read on).
The volume of news can seem overwhelming. The best strategy is to read the Notable Callouts below, then skim the full list of linked headlines that follows for items that pertain to you or your environment (or simply interest you), and select those for more information. So, let's get to it. And don't forget, our site, https://red-n-security.com, also has searchable archives of past newsletters.
Notable Callouts:
- AT&T was making some back-end networking changes in the wee hours of Thursday morning and managed to take down cellular service for much of their customer base, and for customers of several other carriers, for a good portion of the day. We're still waiting for a technical post-mortem of what occurred, but it was probably DNS. It is always DNS.
- The Chinese Ministry of Public Security had a rather insecure thing happen. One of their contractors, iSoon, apparently had someone leak a trove of internal documents showing how China has been spying on other countries, giving a glimpse into the Middle Kingdom's extensive espionage apparatus.
- ConnectWise disclosed two vulnerabilities in its ScreenConnect software on Monday, February 19th, and advised customers to patch immediately. The more severe of the two, an authentication bypass, was "embarrassingly easy" to exploit according to researchers and grants full administrative control of the server. Recognizing the apocalyptic potential of this hole, the security community rose up en masse to identify and notify vulnerable organizations. Huntress Labs was early out of the gate with analysis, named the flaw SlashAndGrab, and provided detailed forensics and incident reports. ConnectWise, to their credit, took the magnanimous step of making the patch free, even to companies with expired licenses. And in another extraordinary move, after seeing that unpatched ScreenConnect servers were still communicating on the internet, ConnectWise invalidated the licenses of those instances, effectively taking them out of play. Nevertheless, some damage has already been done: a good number of companies and devices have been successfully attacked, with crypto miners, back-doors, and ransomware unleashed. Among those hit, Optum Healthcare is a likely victim. More on that below.
- The LockBit ransomware group had much of its nefarious operation killed and subsequently exposed by the good guys this week in Operation Cronos. US, British, and other international authorities worked together to unlock the bits of this prolific plague. Over 14,000 accounts associated with the dirtbags were shut down on services such as Mega, Tutanota, and Protonmail. And at least 3 of their affiliates were arrested in Ukraine and Poland by mid-week. The take-down has yielded a treasure-trove of information about their operation, decryption keys, and clues toward identifying the inhuman scum behind this evil organization. The linked articles have a lot more information about LockBit to peruse.
- Microsoft Outlook patched a flaw that would have allowed 1-click (or possibly zero-click) remote code execution. If you haven't updated yet, please do so quickly.
- Mozilla released security updates for Firefox and Thunderbird. There were a lot of them, so if you use either, update soon.
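A small triage helper for the ScreenConnect callout above, added here as an example (it is not ConnectWise's or Huntress's code). It flags on-premises servers whose reported version predates the 23.9.8 fix release named in the ConnectWise notice linked below, and scans web-server or reverse-proxy logs for the request shape Huntress tied to the authentication bypass (CVE-2024-1709): a request for /SetupWizard.aspx with a trailing slash, the "slash" in SlashAndGrab, which an already-configured server should never see. The sample log lines and their field layout are constructed for the example and are an assumption, not ScreenConnect's real log format, so adapt the path extraction before running it over production logs.

```python
"""Version check plus log hunt for the ScreenConnect auth bypass (CVE-2024-1709).

Added example; not vendor code. The log layout below is a constructed,
simplified "date time server-ip method uri-stem - client-ip user-agent status"
format and is an assumption, not ConnectWise's actual log format.
"""
import re
from typing import Iterable

FIXED_VERSION = (23, 9, 8)  # first release carrying the fix, per the ConnectWise notice


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a version string such as '23.9.7.8810' into a tuple of ints.
    Only the leading numeric dotted components are used."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the reported version predates 23.9.8.

    Tuple comparison is deliberate: '23.9.10' is newer than '23.9.8', which a
    string comparison would get wrong. A bare '23.9' (no patch component) is
    treated as vulnerable, which is the conservative answer."""
    return parse_version(version)[:3] < FIXED_VERSION


# Bypass indicator: the setup wizard path WITH a trailing slash (and anything after it).
SETUP_WIZARD_BYPASS = re.compile(r"(\S*/SetupWizard\.aspx/\S*)", re.IGNORECASE)


def find_bypass_requests(lines: Iterable[str]) -> list[tuple[int, str]]:
    """Return (1-based line number, matched request path) for every log line whose
    URI hits SetupWizard.aspx with a trailing slash. A bare /SetupWizard.aspx on a
    server that is already set up is also worth a look, but the trailing-slash
    form is what the bypass relies on, so only that form is flagged here."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = SETUP_WIZARD_BYPASS.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


def triage(version: str, log_lines: Iterable[str]) -> dict:
    """Combine both checks into one verdict for an on-prem ScreenConnect server."""
    hits = find_bypass_requests(log_lines)
    unpatched = is_vulnerable(version)
    return {
        "version": version,
        "unpatched": unpatched,
        "bypass_requests": hits,
        # Unpatched AND probed: treat as compromised until proven otherwise
        # (review recently created users, rotate credentials, hunt for dropped tooling).
        "assume_compromised": unpatched and bool(hits),
    }


# Constructed sample log lines for the example (not real ScreenConnect logs).
SAMPLE_LOG_LINES = [
    "2024-02-20 03:12:07 10.0.0.5 GET /Login - 203.0.113.9 Mozilla/5.0 200",
    "2024-02-20 03:12:09 10.0.0.5 GET /SetupWizard.aspx/ - 203.0.113.9 python-requests/2.31 200",
    "2024-02-20 03:12:11 10.0.0.5 POST /SetupWizard.aspx/ - 203.0.113.9 python-requests/2.31 302",
    "2024-02-20 03:15:40 10.0.0.5 GET /Host - 198.51.100.4 Mozilla/5.0 200",
    "2024-02-20 03:16:02 10.0.0.5 GET /SetupWizard.aspx - 198.51.100.4 Mozilla/5.0 200",
]

if __name__ == "__main__":
    print(triage("23.9.7.8810", SAMPLE_LOG_LINES))
```

A hit on an unpatched server is a reason to start incident response, not just to patch: the bypass lets the attacker create their own admin user, so patching alone leaves that account in place.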
In Ransomware, Malware, and Vulnerabilities News:
- CrowdStrike’s 2024 Global Threat Report is out with some scary statistics about what is happening in the world of cyber. It is worth downloading and reading.
- Akira ransomware is still having great success exploiting CVE-2020-3259 in Cisco ASA and FTD to break into AnyConnect VPN deployments. That vulnerability is nearly four years old. Anyone that hasn't patched it and has AnyConnect on the public internet is criminally negligent in this author's opinion.
- Optum Healthcare, aka Change Healthcare, was apparently hit by a cyberattack, forcing parent UnitedHealth Group to sever its connection to them and causing chaos in pharmacies across America that cannot process prescriptions. Early reports are that this may be related to the ScreenConnect vulnerability and a LockBit ransomware variant still in operation.
In Other News Events of Note and Interest:
- Nvidia has a problem that most companies wish they had – they cannot make enough product to keep up with demand. They’re having to resort to ensuring that they “allocate fairly”.
- ValiDrive is a free tool from GRC.com. Its author purchased 12 inexpensive drives from Amazon and tested them. All turned out to be fraudulently claiming to be 1TB drives; in fact they held only about 64GB before silently throwing the remaining data away. ValiDrive checks whether a removable drive truly has the capacity it claims and whether you can reliably store data on it.
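To make concrete what a capacity-validation tool like ValiDrive is checking, here is an added example in Python. It is not GRC's code: the FakeDrive class, its two failure modes (silently discarding writes past the real capacity, or wrapping them back over earlier blocks) and the probe strategy are this example's own assumptions. The idea is to write unique, unpredictable blocks spread across the advertised capacity, then read every one back; sizes are scaled down (1 MiB advertised, 64 KiB real) so it runs in memory.

```python
"""Capacity verification against a simulated counterfeit flash drive.

Added example, not GRC's ValiDrive code. FakeDrive and its failure modes are
assumptions made for the demonstration.
"""
import hashlib
import os
from typing import Optional


class FakeDrive:
    """Simulated counterfeit drive. 'discard' mode drops writes past the real
    capacity and reads back zeros there; 'wrap' mode maps them onto the start
    of the real storage, overwriting earlier blocks (a behaviour assumed for
    the example, not measured on a specific product)."""

    def __init__(self, advertised: int, real: int, mode: str = "discard"):
        assert real <= advertised and mode in ("discard", "wrap")
        self.advertised, self.real, self.mode = advertised, real, mode
        self._store = bytearray(real)

    def _map(self, offset: int) -> Optional[int]:
        if offset < self.real:
            return offset
        return offset % self.real if self.mode == "wrap" else None

    def write(self, offset: int, data: bytes) -> None:
        real_off = self._map(offset)
        if real_off is None:
            return                                  # silently thrown away
        end = min(real_off + len(data), self.real)
        self._store[real_off:end] = data[: end - real_off]

    def read(self, offset: int, size: int) -> bytes:
        real_off = self._map(offset)
        if real_off is None:
            return b"\x00" * size
        chunk = bytes(self._store[real_off:real_off + size])
        return chunk + b"\x00" * (size - len(chunk))


def block_pattern(secret: bytes, offset: int, size: int) -> bytes:
    """Per-offset pseudo-random block keyed by a per-run secret, so stale data
    from a previous run or a wrapped block from another offset cannot match."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.blake2b(
            secret + offset.to_bytes(8, "big") + counter.to_bytes(4, "big"),
            digest_size=64,
        ).digest()
        counter += 1
    return bytes(out[:size])


def probe(drive: FakeDrive, samples: int = 64, block_size: int = 4096,
          secret: Optional[bytes] = None) -> list[int]:
    """Write `samples` test blocks at evenly spaced offsets across the ADVERTISED
    capacity, then read them all back. Writing everything before reading anything
    matters: a wrapping drive passes a write-then-immediately-read check on every
    block, and only the delayed read-back exposes the overwritten ones.
    Returns the sorted offsets whose data did not survive ([] means the drive is OK)."""
    secret = secret if secret is not None else os.urandom(16)
    stride = drive.advertised // samples
    offsets = [(i * stride) // block_size * block_size for i in range(samples)]
    for off in offsets:
        drive.write(off, block_pattern(secret, off, block_size))
    return sorted(off for off in offsets
                  if drive.read(off, block_size) != block_pattern(secret, off, block_size))


if __name__ == "__main__":
    for mode in ("discard", "wrap"):
        bad = probe(FakeDrive(1 << 20, 1 << 16, mode))
        print(mode, "failed offsets:", bad[:4], "... total", len(bad))
    print("honest drive failed offsets:", probe(FakeDrive(1 << 20, 1 << 20)))
```

On a discarding drive the first failed offset is a direct estimate of the real capacity; on a wrapping drive the failures start at offset 0, because the highest writes overwrote the lowest blocks, which is why the read-back has to wait until all writes are done. Against real hardware the same loop would run over an opened block device instead of FakeDrive, and the probe is destructive to whatever is stored at the sampled offsets.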
In Cyber Insurance News:
- Personal cyber insurance is starting to become more mainstream. You can do everything right, ... "but the fact remains that as careful as you may be, you can fall victim to a cyberattack through no fault of your own." Perhaps it is time to consider this inexpensive addition for your peace of mind in the cyber minefield called the internet.
The continually connected world can be quite disruptive at times. This morning, while at church, I received an alert that an account compromise was in progress. I stepped out and contacted one of my team, who quickly shut down that particular liege of Lucifer. It was done, but it took me a while to move past that event and to participate in the service. It makes me wonder, how much peace of mind do we lose to the ever-on, always connected and available, ubiquitous digital matrix we're enmeshed in? I look forward to the day when automated systems can handle the day-to-day routine dirtbag script kiddie attack. Or am I confused and am actually thinking of the paradise of the next life?
Keep the Shields up, they really are out to get you.
Viscount Zebulon Wamboldt Pike
Red-N Weekly Cyber Security News
Headline NEWS
- AT&T Outage Triggered by Company Work on Network Expansion
- Chinese Ministry of Public Security Breach
- Leak of Chinese hacking documents supports warnings about how compromised the US could be
- ConnectWise ScreenConnect 23.9.8 security fix – notice from ConnectWise
- SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708)
- ScreenConnect servers hacked in LockBit ransomware attacks
- ConnectWise ScreenConnect Mass Exploitation Delivers Ransomware
- ConnectWise ScreenConnect attacks deliver malware
- CISA: Update ConnectWise ScreenConnect Servers Or Take Offline
- FBI, British authorities seize infrastructure of LockBit ransomware group
- Lockbit hackers’ swagger on display after police leak identities online
- Microsoft Outlook flaw opens door to 1-click remote code execution attacks
- Mozilla Releases Security Updates for Firefox and Thunderbird
Ransomware, Malware, and Vulnerabilities News
- Another day, another FBI takedown of routers infected by malware
- Zero-Click Apple Shortcuts Vulnerability Allows Silent Data Theft
- iOS 17.3 Update Fixed Shortcuts Bug That Sent Data to Attackers
- 2024 CrowdStrike Global Threat Report: From Breakout to Breach in Under Three Minutes
- Google’s Cloud Run Service Spreads Several Bank Trojans
- Akira Ransomware Exploiting Cisco Anyconnect Vulnerability
- Over 2M Mr. Cooper mortgage and loan customers’ records exposed by unsecured database
- Microsoft, OpenAI Confirm Nation-States are Weaponizing Generative AI
- Hackers Claim Data Breach at Staffing Giant Robert Half, Sell Sensitive Data
- North Korean hackers linked to defense sector supply-chain attack
- Hackers Are Targeting Walmart Spark Drivers’ Accounts
- Hackers launched 250,000+ Attacks to Exploit Ivanti VPN 0-Day
- Joomla CMS Patches Critical XSS Vulnerabilities
- U-Haul says hacker accessed customer records using stolen creds
- Over 28,500 Exchange servers vulnerable to actively exploited bug
- Recent Zero-Day Could Impact Up to 97,000 Microsoft Exchange Servers
- New WiFi vulnerabilities allow attackers to fake and overtake networks
- Ohio Lottery cybersecurity incident: Hackers demanded money
- Russian-Linked Hackers Target 80+ Organizations via Roundcube Flaws
- Encrypting Ransomware Declines as InfoStealers and AI Threats Gain Ground
- Most ransomware attacks on critical services in 2023 happened in North America or Europe
- Critical infrastructure software maker PSI Software SE confirms ransomware attack
- After years of losing, it’s finally feds’ turn to troll ransomware group
- Site run by cyber criminals behind Fulton County ransomware attack taken over
- LockBit held victims’ data even after receiving ransom payments to delete it
- LockBit extorted billions of dollars from victims, fresh leaks suggest
- LockBit, the world’s worst ransomware, is down
- LockBit takedown: Police shut more than 14,000 accounts on Mega, Tutanota and Protonmail
- Ukraine arrests father-son duo in Lockbit cybercrime bust
- LockBit affiliates arrested in Ukraine, Poland
- Fulton County, GA to spend $10M for upgrades after cyber attack
- Cyberattack on ETISALAT Claimed by LockBit Ransomware
- Motilal Oswal Financial Services group falls prey to cyber-attack by ransomware group LockBit
- Cactus ransomware claim to steal 1.5TB of Schneider Electric data
- Colorado public defenders still crippled by ransomware attack
- Francis Howell, MO School District returned to classrooms Thursday after cyberattack
- University of Cambridge apparently suffering DDoS attack – and it isn’t the only one affected
- University of Wolverhampton, UK confirms ‘cyber security incident’
- Network access blocked at Willamette University, OR after “cybersecurity incident”
- Telecom bears brunt of 2023 DDoS surge, attacks increase 16% globally
- New Migo Malware Targeting Redis Servers for Cryptocurrency Mining
- New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics
- How to proactively prevent password-spray attacks on legacy email accounts
- Hackers exploit critical RCE flaw in Bricks WordPress site builder
- New SSH-Snake malware steals SSH keys to spread across the network
- Ukrainian Raccoon Infostealer Operator Extradited to US
- Hackers using stolen credentials to launch attacks as info-stealing peaks
- Dragos warns of rising ransomware, inaccurate vulnerability advisories
- VoltSchemer attacks use wireless chargers to inject voice commands, fry phones
- VMware urges admins to remove deprecated, vulnerable auth plug-in
- Automatic attack disruption in Microsoft Defender XDR
- US govt shares cyberattack defense tips for water utilities
- Q&A: The Cybersecurity Training Gap in Industrial Networks
- Change Healthcare aka Optum is experiencing a cyber security issue
- Pharmacies across America are having trouble processing some prescriptions because of a cyberattack
- UnitedHealth Group Reports Cyber Incident Involving ‘Suspected Nation-State Associated’ Threat Actor
- Russian Government Software Backdoored to Deploy Konni RAT Malware
- Insecure Apex code plagues many Salesforce deployments
- Orgs Face Major SEC Penalties for Failing to Disclose Breaches
- The race to back up vulnerable GPS
- Jamf says 9% of smartphones have fallen for phishing attacks
- Canadian federal police says they were targeted by cyberattack
- Pinellas Park, Florida man charged in cryptocurrency scheme
- Secure email gateways struggle to keep pace with sophisticated phishing campaigns
- Global Network Service Provider Misconfigured Cloud Data Leak Exposes Over 380 Million Records
- White House to Issue Executive Order to Fortify U.S. Ports and Maritime Cybersecurity
- Cybersecurity for satellites is a growing challenge, as threats to space-based infrastructure grow
- Your fingerprints can be recreated from the sounds made when you swipe on a touchscreen
- Avast fined $16.5 million for ‘privacy’ software that actually sold users’ browsing data
- DoorDash slapped with $375K civil penalty for consumer privacy violations
- Vending machine error reveals secret face image database of college students
- Nvidia publishes new security driver updates for Windows 7, 8, and older Kepler GPUs
- Thousands in Butler County, PA lost private data to cyberattack
Other News Events of Note and Interest
- Cool Tool: LibreOffice 7.6.5 Office Suite Is Out Now with More Than 90 Bug Fixes
- Cool Tool: Quite useful for identifying fraudulent USB drives that lie about capacity
- Jeff Bezos and Nvidia join OpenAI and Microsoft backing humanoid robot unicorn valued at $2 billion
- Sabre completes migration to Google Cloud, closes 17 data centers
- Adobe launches AI assistant that can search and summarize PDFs
- Adobe unveils new AI-powered audio features in Premiere Pro
- Google Chrome will soon protect your home network from cyberattacks
- Intel’s new flagship CPU reportedly draws over 400W on its own
- Signal Finally Rolls Out Usernames, So You Can Keep Your Phone Number Private
- The FTC bans AI fakes of individuals — and unveils greater powers to win stolen money back
- Forget ChatGPT — Groq is the new AI platform to beat with blistering computation speed
- Firefox 123 is out with search for Firefox View, website compatibility reporting, and more
- Robo-calls no more as federal ruling makes clear statement on annoying practice
- Apple Adds Post-Quantum Encryption to iMessage
- A common goal for European cyber security, version two coming in October 2024
- Nvidia CEO on GPUs: “We allocate fairly”
- Nvidia CEO Jensen Huang declares ‘new industry’ after AI ‘tipping point’
- Bouncing back from a cyber attack
- All you need to know about the Digital Services Act
- Windows Photos gets Generative erase, and recent AI editing features
- Microsoft Will Use Intel to Manufacture Home-Grown Processor
- How to use Copilot Pro to write, edit, and analyze your Word documents
- Microsoft to force-update your Windows 11 22H2/21H2 PC to 23H2
- Microsoft Edge’s downloaded files bug is annoying users
- Microsoft making sure you know why old unsupported CPU can’t bypass Windows 11 requirements
- Edge got a new sidebar button and users are not happy, here is how to turn it off
- Windows 11 KB5034765 won’t install, taskbar issues, and explorer.exe crashes
- Windows 11 with no taskbar? It has gone missing for some thanks to new update
- Microsoft fixes the bug causing video playback, record, and capture issues in Windows 11/10
- VMware VCSP Customers Seeing 10x or More Cost Increases Under Broadcom
- Is your Intel Core i9-13900K crashing in games? Your motherboard BIOS settings may be to blame
- Wi-Fi 7: everything you need to know about the new wireless standard