By the CyberWire staff
At a glance.
- ArcaneDoor cyberespionage campaign exploited Cisco zero-days.
- UnitedHealth Group confirms Change Healthcare data breach.
- CrushFTP patches zero-day flaw.
- APT28 exploits Windows Print Spooler vulnerability.
- MITRE compromised through Ivanti VPN zero-days.
- Kaiser Permanente discloses data breach.
- PlugX C2 server sinkholed.
ArcaneDoor cyberespionage campaign exploited Cisco zero-days.
Cisco Talos describes a sophisticated cyberespionage campaign by a previously unobserved state-sponsored threat actor that targeted vulnerabilities affecting Cisco Adaptive Security Appliances (ASAs). Beginning in November 2023, the threat actor used two ASA zero-days (CVE-2024-20353 and CVE-2024-20359) to deploy two backdoors dubbed "Line Runner" and "Line Dancer" within government networks around the world. Line Dancer is used to execute commands, while Line Runner allows the threat actor to maintain persistence on a compromised device.
Cisco has issued patches for the two vulnerabilities and urges customers to apply them as soon as possible. The UK's National Cyber Security Centre (NCSC), the Canadian Centre for Cyber Security, and the Australian Signals Directorate's Cyber Security Centre issued a joint advisory on the campaign, stating, "The sophistication demonstrated by the threat actors’ use of multiple layers of novel techniques and the concurrent operations against multiple targets around the world is cause for concern to the authoring agencies. Since VPN services are essential components of computer network security, vulnerabilities in such services are particularly consequential and a public disclosure of critical vulnerabilities can enable their use by a wide variety of threat actors."
UnitedHealth Group confirms Change Healthcare data breach.
UnitedHealth Group has confirmed that the February ransomware attack against its Change Healthcare platform resulted in the theft of "protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America." The company added, "Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals." The Record reports that UnitedHealth Group's CEO Andrew Witty will testify before Congress next month.
UnitedHealth Group also confirmed for the first time that it paid a ransom to the attackers, TechCrunch reports. The ransomware gang behind the incident, ALPHV, received a $22 million cryptocurrency payment before pulling an apparent exit scam on the affiliate that carried out the attack. That affiliate began leaking the alleged stolen data last week in an attempt to secure its own ransom payment from UnitedHealth. A UnitedHealth Group spokesperson told TechCrunch, "A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure."
CrushFTP patches zero-day flaw.
File transfer server CrushFTP has received a patch for an actively exploited vulnerability that allows users to escape the virtual file system (VFS) and access system files, SecurityWeek reports. CrushFTP said in an advisory, "Please take immediate action to patch ASAP. A vulnerability was reported today (April 19, 2024), and we patched it immediately. v10 version 10.71 is patched. v11 version 11.1.0 is patched. This vulnerability exists in the wild." CrowdStrike said in a Reddit post that the flaw is "being used in the wild in a targeted fashion." Rapid7 notes that the vulnerability is "trivially exploitable" by fully unauthenticated threat actors.
The US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog and set a deadline requiring federal agencies to patch the flaw by May 1.
APT28 exploits Windows Print Spooler vulnerability.
Microsoft has published a report on Forest Blizzard (also known as "APT28" or "Fancy Bear," a threat actor attributed to Russia's GRU), warning that the threat actor used a tool dubbed "GooseEgg" to exploit a privilege escalation vulnerability (CVE-2022-38028) affecting Windows Print Spooler. The researchers state, "Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations. While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks."
Microsoft patched the Windows Print Spooler vulnerability in October 2022 after it was reported by the US National Security Agency.
MITRE compromised through Ivanti VPN zero-days.
The MITRE Corporation disclosed last week that one of its research and prototyping networks was breached by a suspected nation-state threat actor, BleepingComputer reports. The company explained in a blog post, "Starting in January 2024, a threat actor performed reconnaissance of our networks, exploited one of our Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities, and skirted past our multi-factor authentication using session hijacking. From there, they moved laterally and dug deep into our network’s VMware infrastructure using a compromised administrator account. They employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials."
Kaiser Permanente discloses data breach.
Major US healthcare provider Kaiser Permanente has disclosed a data breach that may have affected 13.4 million Americans, BleepingComputer reports. The organization stated, "Kaiser Permanente has determined that certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors Google, Microsoft Bing, and X (Twitter) when members and patients accessed its websites or mobile applications." A spokesperson told BleepingComputer that the breached data "may include IP addresses, names, information that could indicate a member or patient was signed into a Kaiser Permanente account or service, details showing how a member or patient interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia."
PlugX C2 server sinkholed.
Researchers at Sekoia say they've sinkholed a command-and-control server used by the China-linked PlugX USB worm. The researchers explain, "Almost four years after its initial launch, between ~90,000 to ~100,000 unique public IP addresses are still infected, sending distinctive PlugX requests daily to our sinkhole. We observed in 6 months of sinkholing more than 2.5M unique IPs connecting to it." The worm has infected systems in more than 170 countries. The researchers add, "Many nations, excluding India, are participants in China’s Belt and Road Initiative and have, for most of them, coastlines where Chinese infrastructure investments are significant....Consequently, it is plausible, though not definitively certain as China invests everywhere, that this worm was developed to collect intelligence in various countries about the strategic and security concerns associated with the Belt and Road Initiative, mostly on its maritime and economic aspects."
Sekoia can send commands that will disinfect systems in countries that give them permission to do so. The researchers note that sending commands to systems they don't own could raise legal issues, so they're seeking permission from various law enforcement agencies and national CERTs before launching disinfection campaigns.
Patch news.
Progress Software has issued a patch for a critical command injection vulnerability (CVE-2024-2389) affecting its Flowmon network monitoring product, BleepingComputer reports. The vulnerability has a severity score of 10 and can allow an unauthenticated user to execute arbitrary system commands.
Crime and punishment.
The US State Department has imposed visa restrictions on thirteen individuals "who have been involved in the development and sale of commercial spyware or who are immediate family members of those involved." The State Department said in a press release, "These individuals have facilitated or derived financial benefit from the misuse of this technology, which has targeted journalists, academics, human rights defenders, dissidents and other perceived critics, and U.S. Government personnel." Dark Reading notes that this is the first use of the State Department's spyware-related visa restriction policy announced in February. The policy is intended to curb the misuse of commercial spyware.
The US Justice Department has unsealed an indictment charging four Iranian nationals over their alleged involvement in cyberespionage campaigns targeting the US Departments of Treasury and State, several defense contractors, and two New York-based private companies.
The US Department of Justice has charged two individuals with operating a cryptocurrency mixer that laundered more than $100 million in criminal proceeds. The Justice Department alleges that Keonne Rodriguez and William Lonergan Hill operated the Samourai Wallet, which "executed over $2 billion in unlawful transactions." Both individuals have been arrested. Law enforcement in Iceland has seized Samourai's servers, and the app has been removed from the Google Play Store.
Policies, procurements, and agency equities.
President Biden on Saturday signed into law an expanded version of Section 702 of the Foreign Intelligence Surveillance Act (FISA), CBS News reports. Attorney General Merrick Garland stated, "This reauthorization of Section 702 gives the United States the authority to continue to collect foreign intelligence information about non-U.S. persons located outside the United States, while at the same time codifying important reforms the Justice Department has adopted to ensure the protection of Americans’ privacy and civil liberties." The bill has been criticized by privacy advocates for its broad scope and invasive powers. Senator Ron Wyden (Democrat of Oregon) stated, "Searches have gone after American protesters, political campaign donors, even people who simply reported crimes to the FBI. The abuses have been extensive and well documented." The Guardian notes that the modified version of Section 702 allows the government to compel any service provider with access to communications equipment to hand over requested data.
The President also signed a bill this week that would force TikTok's parent company ByteDance to sell the platform or face a ban in the United States, the Associated Press reports.