Decipher (https://decipher.sc)
Decipher is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world. Contact: info@decipher.sc (Amy Vazquez). Copyright 2024.

Nation-State Actors Exploited Ivanti Bugs to Hit MITRE
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://thebananastand.duo.com/decipher/nation-state-actors-exploited-ivanti-bugs-to-hit-mitre

The MITRE Corporation on Friday disclosed a breach impacting one of its collaborative networks used for research, development and prototyping. MITRE said that in January attackers had exploited two known Ivanti Connect Secure vulnerabilities to deploy sophisticated backdoors and harvest credentials.

MITRE, a nonprofit organization that manages federally funded research and development centers supporting government agencies in cybersecurity, defense, homeland security and more, is only the latest high-profile organization to be hit via Ivanti’s vulnerabilities in its Connect Secure and Policy Secure gateways - the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was another recent target, according to officials. MITRE said that, in its specific incident, the nation-state actor behind the attack first performed reconnaissance before exploiting the Ivanti flaws in one of its VPNs and bypassing its multi-factor authentication measures via session hijacking.

“In April 2024 we confirmed that MITRE was subject to an intrusion into one of our research and prototyping networks,” said Lex Crumpton and Charles Clancy with MITRE in a Friday post. “MITRE’s security team immediately began an investigation, cut off all known access to the threat actor, and brought in third-party Digital Forensics Incident Response teams to perform their own independent analysis alongside our in-house experts.”

After initial access, attackers were able to move laterally and use a compromised administrator account to dig into the network’s VMware infrastructure. Though MITRE had followed best practices and instructions from Ivanti and the U.S. government to upgrade, replace and harden their Ivanti devices, they did not detect the lateral movement into the VMware infrastructure, said Crumpton and Clancy.

During the course of the incident response, MITRE took various measures, including isolating impacted systems and segments of the network to curb the scope of the attack, improving their monitoring of impacted systems and migrating to new systems.

“We launched multiple streams of forensic analysis to identify the extent of the compromise, the techniques employed by the adversaries, and whether the attack was limited to the research and prototyping network or had spread further,” according to Crumpton and Clancy. “While this process is still underway, and we have a lot more to uncover about how the adversary interacted with our systems, trusted log aggregation was perhaps the most important component to enabling our forensic investigation.”

MITRE said the investigation is ongoing and it is still working to determine the scope of the information potentially compromised. The impacted unclassified MITRE research and development system, called the Networked Experimentation, Research, and Virtualization Environment (NERVE), was launched in 2015 as a way to help researchers better collaborate with external labs and partners. MITRE said there is currently no indication that its core enterprise network or partner systems have been impacted.

The incident shows the continued level of fallout from Ivanti’s flaws, disclosed in January (CVE-2024-21887 and CVE-2023-46805), which have been widely exploited by threat actors and also led to an emergency directive by the U.S. government ordering federal agencies to temporarily disconnect all instances of the appliances from agency networks, perform a factory reset and then rebuild and upgrade them.

Russian Group Forest Blizzard Deploying GooseEgg Tool to Exploit CVE-2022-38028
By Dennis Fisher (dennis@decipher.sc)
https://thebananastand.duo.com/decipher/russian-group-forest-blizzard-deploying-gooseegg-tool-to-exploit-cve-2022-38028

Microsoft researchers have discovered a notorious Russian state-backed threat actor using a previously undocumented tool called GooseEgg to steal credentials and escalate privileges after gaining initial access to a new device.

The tool has been in use for at least four years and possibly longer, and it has the ability to exploit a Windows Print Spooler vulnerability (CVE-2022-38028), which wasn’t disclosed until 2022. Actors from a threat group that Microsoft calls Forest Blizzard, which is known more commonly as Fancy Bear or APT28, have deployed GooseEgg in attacks on a variety of targets in Europe and North America in recent years. The tool is relatively simple but is effective and has the ability to launch other apps and move laterally.

“Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations. While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks,” Microsoft said in a new analysis.

Forest Blizzard is a threat group associated with Russia’s GRU intelligence service and has been active for nearly 15 years. The group generally targets organizations of strategic value for Russia’s foreign policy objectives, including government agencies, technology providers, and higher education institutions.

“Microsoft has observed that, after obtaining access to a target device, Forest Blizzard uses GooseEgg to elevate privileges within the environment. GooseEgg is typically deployed with a batch script, which we have observed using the names execute.bat and doit.bat. This batch script writes the file servtask.bat, which contains commands for saving off/compressing registry hives. The batch script invokes the paired GooseEgg executable and sets up persistence as a scheduled task designed to run servtask.bat,” Microsoft said in its analysis.

“The GooseEgg binary—which has included but is not limited to the file names justice.exe and DefragmentSrv.exe—takes one of four commands, each with different run paths. While the binary appears to launch a trivial given command, in fact the binary does this in a unique and sophisticated manner, likely to help conceal the activity.”

The first command doesn’t do much, but the second and third commands launch the actual exploit for the CVE-2022-38028 vulnerability, and the fourth one checks to make sure the exploit worked. Microsoft researchers said GooseEgg can create a new directory and when the Print Spooler service tries to load a specific driver, it is redirected to the attacker-created directory, where there is a function that has been modified by the attacker.

“This results in the auxiliary DLL wayzgoose.dll launching in the context of the PrintSpooler service with SYSTEM permissions. wayzgoose.dll is a basic launcher application capable of spawning other applications specified at the command line with SYSTEM-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code,” the Microsoft analysis says.

A Decade of Sandworm: Digging into APT44’s Past and Future
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://thebananastand.duo.com/decipher/a-decade-of-sandworm-digging-into-apt44-s-past-and-future

After Mandiant recently “graduated” the notorious Sandworm group into APT44, Decipher’s Lindsey O’Donnell-Welch and Mandiant analysts Dan Black and Gabby Roncone reflect on the most pivotal moments from Sandworm over the last decade, from NotPetya to the Ukraine electric power grid attacks. Below is a lightly edited transcript from the video interview conversation.

Lindsey O’Donnell-Welch: This is Lindsey O’Donnell-Welch with Decipher and I'm joined today by two analysts with Mandiant, and we're going to talk about some new research that Mandiant released this week on the Sandworm group, now known as APT44. So here with me today is Dan Black, Mandiant principal analyst with Google Cloud, and Gabby Roncone, Mandiant senior analyst for the advanced practices team with Google Cloud. Dan and Gabby, Sandworm has been around for more than a decade, it's been affiliated with the Russian GRU, but Mandiant this week graduated Sandworm into an official APT group. Can you tell me a little bit about the decision process behind that? The group's been around for fifteen or so years - why now, and what went into that?

Gabby Roncone: Mandiant’s graduation process is this very unique, analytically rigorous process that we do and we've done since APT1, to essentially look back at all of our threat groups that are related to a certain threat actor, and do a rigorous deep dive on each one of those threat groups - try to understand the historical activity that we've seen and the current activity that we're seeing, and tie them together in order to graduate them into an APT.

This is something that gets kicked off when we believe that a threat group is especially deserving of the higher threat assessment kind of associated with the title. So for us, Sandworm was this group that obviously has been incredibly active over the last ten years, since we've been tracking them, but has been sort of the primary cyber sabotage unit for the Russian military intelligence since the war in Ukraine started. And when we saw sort of the prominent role that Sandworm was taking in Ukraine, and we were also undergoing so much of our own research in Ukraine with incident response engagements and such, we believed that we needed to undergo the graduation process as well, to make sure that our understanding of that group was really as in-depth as it could be. So, we spent over a year going through every single cluster of activity we thought might be related to Sandworm in the past and the present, and we were luckily able to tie those major historical incidents to the group that we are now seeing in Ukraine.

Lindsey O’Donnell-Welch: Can you talk a little bit about the advantages of having an APT designation like this and how it fits into giving threat intelligence that's associated with this group's activities more context in the future?


Dan Black: Yeah, so I think to reflect a little bit on what Gabby said as well, the process of graduating something from a UNC to maybe a temporary name that we give something - so Sandworm was very much a temporary name that we had designated - you can think of the step to take it to an APT as us reflecting a very deep level of understanding and confidence in what we are talking about, and so this is kind of like the latest stage of a process for us to say “hey this is a very high severity threat, this is something that we have a very refined understanding of and we want to make sure that our customers, the public are understanding that threat in the same way that we are.” So a lot of what we tried to do in this report is write something that will hold the test of time to really contextualize what we've seen from a group over the past decade - its proclivities, its tendencies, what it likes to do, the wide scope of activity that it partakes in - in hopes that that'll help people understand for their own threat models for the next decade in terms of what to expect, when they should think that they might be in the targeting scope of this group and what they should think about seeing in their networks if that's the case.

Lindsey O’Donnell-Welch: When I'm writing about these threat actors I always like to go down history lane and Sandworm has an absolutely extensive history in part because they've been behind super high-profile attacks. But then also, in the 2010s, it was really crazy to see these types of attacks where the group was using such destructive types of malware. So from your vantage point looking at anything from the Industroyer Ukraine electric power grid attacks to the NotPetya attacks, what have been some of the more pivotal moments over the years of tracking Sandworm from a threat Intel perspective?

Gabby Roncone: I feel like we can both take this one because I feel that we'll maybe have the same answer or maybe we'll have different answers. I feel like with this group everyone sort of picks their own thing that they really enjoy tracking. The most obvious sort of pivotal moment to me is their movement into wartime operations, but I think that, even though our classification of Russia's war in Ukraine started on February 24, 2022, the really disruptive attacks in Ukraine start after the invasion in 2014. A year after the invasion, you have the first blackout with BlackEnergy 2 in the Ukrainian power grid, and then almost exactly a year later you have the next one with Industroyer. It seems like this group has been able to propel itself forward by actioning these really specific high-level mandates that align really strongly with the Russian government interests at the time. And you see them just be active in every single geopolitical event that Russia seems to be having high stakes in. But kind of going off of that, you don't necessarily see the wartime pace of activity and just the rapid adaptation, prior to 2022, that you then do in wartime. So it's been really interesting to see how this group that's sort of been at the forefront of a lot of these novel operations that seem to almost push the line in the sand a little bit for what we see as norms in cyberspace over and over, for the last ten years, and then just suddenly ramping up their efforts very significantly during wartime.


Dan Black: Yeah. If I could reflect on something Gabby kept saying there - “novel,” “first,” “innovative” - all these concepts and the fact that they've often been the first mover in the threat landscape for some of the most brazen and reckless things we've seen. The first group to try to disrupt an energy grid with manual interaction and with custom malware to do that. The first to do this brazen case of digital election interference in 2016 with the U.S. elections, then trying to double down with that in 2017 in the French elections. The petty disruption of the Olympic Games in 2018 because they weren't allowed to participate under their national flag. It's a series of firsts in this space, and the thing that really drove us to want to report on this in-depth is the proliferation risk we see from some of that. When you have a group that's moving first, that often means that there's lessons to be learned to identify from what they've done, and the challenge that we see when they do those kinds of things is that either countries that are developing cyber attack programs, or non-state actors who want to cause a little bit of chaos, have this body of evidence to learn from because they're so forward-leaning in terms of the risk appetite. Their willingness to act is unparalleled. I think when you see other countries talked about in terms of developing cyber attack programs, they tend to do this in a test range or a test environment, something where they can collect the evidence they need but not expose it to the world. It almost seems like, you know, over the course of ten years, Sandworm/APT44 has participated in what's equivalent to live fire exercises. They've just done it in the real world with no concern for the downstream risks, the second order consequences, of what they're doing.
The proliferation risk from this stuff, whether you think back to 2015 when they first used Industroyer, or to some of the stuff that we reported on just last year, about what they used in October 2022, the MicroSCADA, the living off the land attacks against OT technologies, they're the first ones to take these steps and other folks are going to absorb some of those lessons, iterate, adapt from what they've done, and they just make the threat landscape a little bit more dangerous every time they do that.

Gabby Roncone: I think also, one of the things kind of building on Dan's point here, that we found really interesting looking at Sandworm’s wiper operations even from the beginning of the war, is that they went from using these wipers that we call multifaceted - so they have different components to them, they can do multiple things outside of wiping - to these pure wipers. And the pure wipers I guess are just wipers that wipe. They aren’t setting persistence, they have no network communications, they're not really doing anything other than to just be a lightweight tool to cause some disruption. But they are also moving into using sort of fake ransomware and you kind of see echoes of ransomware tactics in some of Sandworm's operations too, which I think goes along with the brazenness of the actor, but also that bit of proliferation risk that Dan's talking about. Not only is Sandworm learning from ransomware actors that are causing real-time disruption in hospitals, in very high-risk environments, but they're also teaching the APT threat environment how to do that as well. So it's a very interesting situation.

Lindsey O’Donnell-Welch: That is an interesting dynamic. Now in more recent years I know that you guys have done a lot of research into what some of the activities of the group have been, especially as it relates to both the war with Ukraine, but then also kind of some of the espionage activities that they've launched even outside of that situation. That was also highlighted in your research this week. One thing that stuck out to me has been this shift a little more towards espionage efforts that was outlined in the research. Can you talk a little bit more about what you're seeing there with the group, because, like you said, there's a lot there in terms of both using destructive malware but then also having these other elements to its attacks, and I think espionage is one very interesting area that this group has carved out.


Dan Black: Yeah I can take a first stab at least, so I think one of the interesting things in thinking about Sandworm’s operations or APT44’s operations from the beginning of the war until today, is that Russia's war aims - what they've tried to achieve during the war - have evolved over that time. I think we all understand from reading all the different things that were out there that Russia thought it was going to win a very quick war at the beginning, right? They thought that this thing was going to be over in a couple of weeks and so they kind of threw everything against the wall. We saw this mass wave of disruptions, all kinds of different wiper malware being used and a really, really high intensity campaign of operations in those opening months of the war. After the first few months, it started to become very apparent that this wasn't going to be a war that was going to end overnight, that it is going to be a longer war, that they were going to have to settle in for the long term. And so in that adjustment, in terms of Putin, Russia, the understanding though that the war aims had fundamentally changed and what they could achieve had changed, we started to see a shift in the types of operations we saw from Sandworm. It's been very instructive to see that as they settled into thinking this is a long war, that this wasn't going to be a war that moved rapidly from one front to another, but that the front was going to move inch by inch, that they really settled into thinking about targeting mobile devices, the platforms, the networks that are being used on the frontline. So it's not necessarily about the enterprise networks that we saw them targeting in the beginning, but really more towards the high value targets of the front lines, ways that they can influence the outcomes of the conflict.
And I think they learned very fast that being able to collect that intelligence in different forms from the front lines, that tactical type of intelligence, has a real benefit to the conventional forces. So Russia has this thing they call reconnaissance strike complex, it’s about how you pull data in to be able to support targeting all the different kind of outcomes on the front ends of the battlefield. They've really shifted towards that outcome at this point in time. So I think you know understanding what we're seeing here is really about understanding the different contours of the conflict and how they’ve learned to adapt to innovate, to absorb lessons of how to best support a long war, as their wider war aims changed.

Lindsey O’Donnell-Welch: Yeah, definitely. It’s interesting you mention the context there too because I do feel like there is so much geopolitical history that goes into not just the more recent years but just Sandworm and its activities over the past decade or 15 years. So I'd imagine having a deep knowledge as researchers and analysts of these different pieces of context and understanding the motives behind what Russia is doing or like why it might be doing one thing or the other also plays into a lot of how you view these different activity clusters.

Dan Black: Yeah, you know one other point I would make is that before 2022 we had never seen a high intensity armed conflict like this, with cyber operations supporting it at the scale, the intensity that we've seen, right? And so the change that we've seen from 2022 to 2024 is in part Sandworm learning how to best do that. If there's one thing that's true about this group, it’s that they tend to have more operational experience than anyone because they've been so forward leaning over the years, but the strategic context of an armed conflict is so different than the things that we've seen day-to-day, and they really had to change the way they needed to operate to be able to support that environment when they're no longer in a kind of standalone role doing things like NotPetya but trying to support the movements of conventional forces on the ground - very, very different outcomes, and no amount of theory is going to make you ready for what's going to happen in practice, right? There's a steady evolution, adaptation, that learning process that's going on throughout the course of the war, they're doing that and it's our belief that in 2024 they're going to look very different than they did in 2023 as well. That learning process is still ongoing. They were on the defensive in 2023, and Russia's going back on the offensive so that may change the scope and the type of operations that we may see in the future as well.


Lindsey O’Donnell-Welch: In the research you talked a little bit about the adoption of personas - these identities that essentially are the group creating these identities on Telegram channels or other areas to claim either responsibility for various disruptive wartime operations or to kind of add that extra psychological emphasis to amplify its attacks, and one persona that was mentioned was the CyberArmyofRussia_Reborn. Can you talk a little bit about what you're seeing with these personas and how they've been adopted by Sandworm/APT44 throughout the research that you've done on them?

Gabby Roncone: So Sandworm/APT44 has been using personas for a very long time. They have always had a really interesting blend of different types of operations that they conduct. So we consider Sandworm/APT44 to be a full spectrum threat actor and what this means is that they conduct disruptive operations, espionage operations, but also these influence operations. And these types of operations often are used to support each other for that psychological effect. With APT44 you might hear the name Guccifer 2.0 and have nightmares about 2016. Using these personas in cyber enabled influence operations allows them to take their operation to a different audience, create additional impacts and really show off their own successes or perceived successes. Those goals, those aims are basically what's happening here but in a different context.

We have seen three primary hacktivist personas since the war began in February 2022, but CyberArmyofRussia_Reborn is a particularly notable one because of how closely we've linked this group with actual APT44 disruptive operations. In one case, we saw a mismatch essentially between a hacktivist CARR posting a claim for a wiper operation before the wiper operation actually successfully was deployed. So there's clearly a very close coordination between APT44 and CyberArmyofRussia_Reborn. There are several different reasons why CyberArmyofRussia_Reborn may be utilized in this way. They could be used in some cases to sort of take the effects of the war off of the front and make them amplified into civil society - especially since a lot of these wiper attacks aren't actually hitting military targets, they're hitting government and civil society organizations for the most part. So CyberArmyofRussia_Reborn also has elements to it that, even though they're coordinating with APT44, they are definitely doing some weird DDoS stuff that - who knows if that's necessarily tied to APT44 or not - so we have to be a bit careful with our assessment there.

Lindsey O’Donnell-Welch: Thank you both so much for coming on, especially as we continue to look at where Sandworm and APT44 is going in the future - should be really interesting to see how this group continues to evolve.

Decipher Podcast: Source Code 4/19
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://thebananastand.duo.com/decipher/decipher-podcast-source-code-4-19

OpenMetadata Bugs Enable Kubernetes Cryptomining Attacks
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://thebananastand.duo.com/decipher/openmetadata-bugs-enable-kubernetes-cryptomining-attacks

Threat actors have been exploiting known vulnerabilities in open-source platform OpenMetadata in order to access Kubernetes workloads and use them for cryptomining.

The targeted flaws (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848 and CVE-2024-28254) affect OpenMetadata versions prior to 1.3.1 and were previously disclosed and patched on March 15. OpenMetadata serves as a central repository to help users manage metadata across different data sources.

Researchers with Microsoft’s threat intelligence team in a Wednesday analysis said that they have observed attackers exploiting the vulnerabilities since the start of April, in order to bypass authentication and achieve remote code execution. Kubernetes has previously been at the center of attacks leveraging cryptocurrency miners, including a large campaign in 2020 launched against Kubernetes clusters that abused exposed Kubernetes dashboards.

“For initial access, the attackers likely identify and target Kubernetes workloads of OpenMetadata exposed to the internet,” according to researchers. “Once they identify a vulnerable version of the application, the attackers exploit the mentioned vulnerabilities to gain code execution on the container running the vulnerable OpenMetadata image.”

After exploiting these flaws, attackers perform a number of reconnaissance measures on the system, including reading the environment variables of the workloads - which might contain credentials for services enabling lateral movement - and running a series of commands to gather information about the victim’s environment like the network and hardware information, OS version and active users. The attackers also send ping requests to a publicly available service, in this case OAST domains that are associated with an open-source tool called Interactsh, which helps to detect out-of-band interactions.

“OAST domains are publicly resolvable yet unique, allowing attackers to determine network connectivity from the compromised system to attacker infrastructure without generating suspicious outbound traffic that might trigger security alerts,” said researchers. “This technique is particularly useful for attackers to confirm successful exploitation and validate their connectivity with the victim, before establishing a command-and-control (C2) channel and deploying malicious payloads.”

After this initial reconnaissance phase, attackers then download cryptomining malware from a remote server located in China, before executing the malware. The attackers also added a personal note to victims, saying their actions are harmless and that they need the money, and asking for donations in Monero.

“Lastly, for hands-on-keyboard activity, the attackers initiate a reverse shell connection to their remote server using Netcat tool, allowing them to remotely access the container and gain better control over the system,” said researchers. “Additionally, for persistence, the attackers use cronjobs for task scheduling, enabling the execution of the malicious code at predetermined intervals.”

Researchers recommend that users of OpenMetadata check the clusters that run their OpenMetadata workload and ensure that the image is updated to version 1.3.1 or later. If OpenMetadata is exposed to the internet, researchers urged users to use strong authentication.
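The recommended check above (find every cluster workload running OpenMetadata and confirm the image is at 1.3.1 or later) is easy to automate. The script below is an added example written for this page, not Microsoft's or the OpenMetadata project's own tooling: it reads the JSON that `kubectl get pods -A -o json` produces, picks out containers whose image repository mentions "openmetadata", and classifies each as vulnerable (tag below 1.3.1), ok, or needing manual review (tags such as `latest` or digest-only references that carry no version). The registry names, pod names and image tags in the embedded sample are constructed for the example; the "openmetadata" substring match is an assumption about how the image is named in a given cluster and may need adjusting.

```python
import json
import re

# Constructed sample: a trimmed `kubectl get pods -A -o json` document.
# Registry, pod names and tags are invented for this example, not real cluster data.
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "data", "name": "openmetadata-0"},
         "spec": {"containers": [{"name": "openmetadata",
                                  "image": "example-registry.invalid/openmetadata/server:1.2.0"}]}},
        {"metadata": {"namespace": "data", "name": "openmetadata-1"},
         "spec": {"containers": [{"name": "openmetadata",
                                  "image": "example-registry.invalid/openmetadata/server:1.3.1"}]}},
        {"metadata": {"namespace": "data", "name": "openmetadata-2"},
         "spec": {"containers": [{"name": "openmetadata",
                                  "image": "example-registry.invalid/openmetadata/server:latest"}]}},
        {"metadata": {"namespace": "web", "name": "nginx-0"},
         "spec": {"containers": [{"name": "nginx", "image": "nginx:1.25"}]}},
    ]
})

# First OpenMetadata release that carries the fixes (from the article).
FIXED_VERSION = (1, 3, 1)


def parse_version(tag):
    """Turn a tag like '1.2.0', 'v1.3.1' or '1.3.1-rc1' into a comparable tuple; None if not a version."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?.*", tag)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def split_image(image):
    """Split an image reference into (repository, tag). Untagged or digest-only references give tag None."""
    if "@" in image:                      # drop a trailing sha256 digest; a tag may still precede it
        image = image.split("@", 1)[0]
    name, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:             # no colon at all, or the colon belonged to a registry port
        return image, None
    return name, tag


def audit_openmetadata_images(pods_json, fixed=FIXED_VERSION):
    """Return one finding per OpenMetadata container: status is 'vulnerable', 'ok' or 'review'."""
    findings = []
    for pod in json.loads(pods_json)["items"]:
        pod_id = f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
        spec = pod["spec"]
        for container in spec.get("containers", []) + spec.get("initContainers", []):
            repo, tag = split_image(container["image"])
            if "openmetadata" not in repo.lower():   # assumption: image repo name identifies the product
                continue
            version = parse_version(tag) if tag else None
            if version is None:
                status = "review"        # 'latest', digest-only or unparseable: verify the running build
            elif version < fixed:
                status = "vulnerable"
            else:
                status = "ok"
            findings.append({"pod": pod_id, "image": container["image"], "status": status})
    return findings


if __name__ == "__main__":
    # Real use: pipe `kubectl get pods -A -o json` into this script instead of the sample.
    for finding in audit_openmetadata_images(SAMPLE_PODS_JSON):
        print(f'{finding["status"]:10} {finding["pod"]:25} {finding["image"]}')
```

Images pinned only by digest or tagged `latest` are deliberately not marked safe: the tag says nothing about the build, so the running version has to be confirmed from the image itself. Pair this with the article's other recommendation and confirm that any internet-exposed OpenMetadata instance enforces strong authentication, which no image-tag check can verify.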

Phishing Attack Targets LastPass Users’ Master Passwords
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://thebananastand.duo.com/decipher/phishing-attack-targets-lastpass-users-master-passwords

LastPass is warning of a phishing campaign designed to steal users’ master passwords and give attackers access to their password manager accounts.

In order to convince LastPass users to hand over their passwords, attackers used a mix of phone calls, phishing emails and a phishing page under the domain “help-lastpass[.]com,” which has since been taken down. If they were able to successfully obtain the users’ master passwords, attackers would log into the victims’ accounts and lock them out by changing their primary phone numbers, email addresses and the master password itself.

“Initially, we learned of a new parked domain (help-lastpass[.]com) and immediately marked the website for monitoring should it go live and start serving a phishing site intended to imitate our login page or something similar,” according to Mike Kosak, senior principal intelligence analyst with LastPass, in a Wednesday statement. “Once we identified that this site went active and was being used in a phishing campaign against our customers, we worked with our vendor to take down the site.”

Password managers like LastPass are prime targets precisely because they centralize valuable credentials in one place. In 2022, attackers stole some LastPass customer data and gained access to the LastPass cloud storage service. Last week, the company said a LastPass employee had been unsuccessfully targeted with a deepfake audio call impersonating CEO Karim Toubba.

LastPass also warned of another wide-scale phishing attack targeting its users last year, which included a link to a phishing page hosted on subdomains of “customer-lastpass[.]su.” That campaign had a global reach and targeted a variety of sectors, including 87 of the company's own employees.

LastPass didn’t say how many customers were targeted in the campaign disclosed this week, or how many of the attempts succeeded, but it described the pattern: customers received calls from 888 numbers claiming their account had been accessed from a new device and instructing them to press “1” to allow the access or “2” to block it. Those who pressed “2” were told they would shortly receive a call to “close the ticket.” That call came from someone with an American accent impersonating a LastPass employee, who would then send the victim an email purporting to help them reset access to their account; its link led to the phishing page built to harvest their credentials.

The campaign, first unearthed by Lookout, appears to be linked to the CryptoChameleon phishing kit, which is a phishing-as-a-service offering for cybercriminals allowing them to create fake SSO sites using fraudulent branding in order to persuade victims to type in their credentials. CryptoChameleon, first discovered in February, has previously been used to target cryptocurrency platforms like Binance and Coinbase, as well as the Federal Communications Commission (FCC).

LastPass warned users not to respond to suspicious calls, texts and emails from people claiming to be from LastPass, and to alert them if these messages are received. The company said that no one at LastPass would ever ask customers for their master passwords.

“We have worked hard to disrupt this phishing campaign and have had the initial phishing site taken down,” said Kosak. “However, as the initial phishing kit itself continues to offer LastPass branding, we are sharing this information so that our customers can be aware of these tactics and take the appropriate response should they receive a suspicious call, text, or email.”

]]>
<![CDATA[UK Police Take Down LabHost Phishing Service]]> dennis@decipher.sc (Dennis Fisher) https://thebananastand.duo.com/decipher/uk-police-take-down-labhost-phishing-service https://thebananastand.duo.com/decipher/uk-police-take-down-labhost-phishing-service

Law enforcement agencies in the United Kingdom have disrupted a large-scale cybercrime group that ran a phishing-as-a-service operation known as LabHost, arresting nearly 40 people and taking down the LabHost infrastructure.

LabHost began operations in 2021 and authorities say that the group’s customers hit nearly 70,000 victims in the U.K. alone, and many more globally. As part of the disruption carried out this week, authorities sent messages to 800 LabHost users telling them that they are part of the investigation.

“We’ve shown them we know how much they’ve paid to LabHost, how many different sites they’ve accessed and how many lines of data they’ve received. Many of these individuals will remain the focus of investigation over the coming weeks and months,” the Metropolitan Police said in a release.

The LabHost platform was one of many such operations that offered users a number of services, including replicas of the login pages of popular brands for capturing victims’ credentials. Users could choose from a selection of pre-made templates or request customized ones. LabHost also let users deploy its custom LabRat tool, which proxies the connection between the victim and the targeted organization in real time so that the user can capture the victim’s 2FA codes as they are entered. At the time of this week’s disruption, law enforcement officials estimated that LabHost had about 2,000 active users.

The takedown operation was a joint effort between the Metropolitan Police, Europol, the National Crime Agency, and the City of London Police, along with other agencies. A number of technology companies also worked on the operation, including Microsoft, Trend Micro, Intel 471, Chainalysis, and the Shadowserver Foundation.

“This operation again demonstrates that UK law enforcement has the capability and intent to identify, disrupt and completely compromise criminal services that are targeting the UK on an industrial scale,” said Adrian Searle, Director of the National Economic Crime Center in the National Crime Agency.

Authorities said they arrested 37 people in this week’s operation, and are continuing to investigate other suspects. The LabHost takedown is the latest in a series of such operations by European law enforcement authorities targeting fraud, phishing, and ransomware groups in recent months. The largest of those operations was the takedown of the LockBit ransomware group and its infrastructure in February. That operation targeted LockBit’s operators as well as its infrastructure and also seized about 200 cryptocurrency accounts associated with its operators. Two suspected LockBit operators were arrested at the time, as well.

The LockBit and LabHost takedowns are prime examples of the cooperative efforts between law enforcement and security companies that are required to disrupt modern cybercrime operations. Many of these groups are transnational and they target victims around the world, requiring cooperation among agencies in many different countries, as well as work by threat intelligence and research teams at tech companies behind the scenes.

“Fraud is an international crime demanding a global approach. This operation is a fantastic demonstration of law enforcement agencies around the world coming together to crack down on criminals trying to take advantage of people in the UK,” said Security Minister Tom Tugendhat.

]]>
<![CDATA[Decipher Podcast: Cody Stokes]]> dennis@decipher.sc (Dennis Fisher) https://thebananastand.duo.com/decipher/decipher-podcast-cody-stokes https://thebananastand.duo.com/decipher/decipher-podcast-cody-stokes

]]>
<![CDATA[Sandworm Group Shifts to Espionage Attacks, Hacktivist Personas]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/sandworm-group-shifts-to-espionage-attacks-hacktivist-personas https://thebananastand.duo.com/decipher/sandworm-group-shifts-to-espionage-attacks-hacktivist-personas

Recent activity by the well-known Sandworm group - which researchers with Mandiant have started calling APT44 - relies on a mix of espionage efforts and hacktivist personas, and shows how the group continues to pose a “persistent, high severity threat” to governments and critical infrastructure entities globally.

The threat group, which has been active for at least 15 years and is known to be affiliated with the Russian GRU, has played key roles in cyber operations supporting Russia’s military campaign as it enters its third year of war in Ukraine. Though the group is known for its destructive malware attacks, Mandiant researchers said in a Wednesday analysis that APT44 has recently conducted more espionage-oriented operations that likely support Russian military operations, such as intercepting communications over mobile networks or from mobile devices to gain a tactical advantage. For instance, in August 2023 multiple governments warned of APT44’s Infamous Chisel malware, used to collect information about Android devices and applications specific to the Ukrainian military. Even with the ongoing war, researchers have seen the group launch espionage operations across North America, Europe, the Middle East, Central Asia and Latin America.

“APT44 is the most brazen threat actor there is, in the midst of one of the most intense campaigns of cyber activity we've ever seen, in full-blown support of Russia’s war of territorial aggression,” said Dan Black, principal analyst on the cyber espionage team with Google's Mandiant. “There is no other threat actor today that is more worthy of our collective attention, and the threat APT44 poses is evolving rapidly. Over the course of the war, we have seen APT44’s posture shift away from disruption as its primary focus toward espionage to provide battlefield advantage to Russia’s conventional forces.”

One emerging feature of APT44’s campaigns has been its use of psychological operations to amplify the impact of its attacks. For instance, the group has created hacktivist identities on Telegram channels to claim responsibility for its various disruptive wartime operations. Based on clues including infrastructure overlaps, Google’s Threat Analysis Group assesses that APT44 created and controls a persona called “CyberArmyofRussia_Reborn.” In January, this persona’s Telegram channel posted videos taking credit for the manipulation of human-machine interfaces (HMIs) used by water utilities in the U.S. and Poland. Mandiant researchers said they could not independently verify these intrusion claims or their links to APT44, but noted that U.S. utility officials have publicly acknowledged incidents at the same entities that the CyberArmyofRussia_Reborn video advertised as victims.

“The attacks on the water sector and other critical infrastructure in the US and Europe by Cyber Army of Russia Reborn (CARR) are very serious, though it’s not clear if this was actually the GRU,” said John Hultquist, Mandiant’s chief intel analyst. “APT44 has leveraged the hacktivist group as a front for its operations before, but it is possible others have become associated with CARR and are operating outside of the GRU’s control or direction. Nonetheless, the GRU’s proximity to this activity is worrying.”

The Russian threat group, which has been attributed by the U.S. Department of Justice and by the UK National Cyber Security Centre to the Russian GRU Unit 74455, has been behind several high-profile attacks, particularly leveraging malware with destructive functionalities in the 2010s. In 2015 and 2016, the group was behind malware attacks against Ukraine’s electric power grids using malware known as BlackEnergy, Industroyer and KillDisk. The group also launched the NotPetya malware attacks in 2017 against companies worldwide and the Olympic Destroyer malware campaigns against the 2018 PyeongChang Winter Olympic Games.

Part of what sets the group apart is its ability to specialize in various missions, such as collecting intelligence or conducting information operations, and to integrate them into a unified playbook over time, said researchers. APT44 has also used a diverse range of tactics, living-off-the-land techniques and initial access methods, from phishing and exploitation of known vulnerabilities to targeted supply-chain compromises.

Mandiant on Wednesday announced it has “graduated” Sandworm into APT44. Mandiant researchers will frequently “graduate” threat clusters to named APTs as they collect more information over time and their knowledge of the group’s activities increases. APT44 has been extensively tracked by Mandiant for more than a decade, but researchers said that the near-term threat that the group poses for undermining elections in 2024 - a year where at least 64 countries worldwide will hold elections - is one particular factor.

“Mandiant continues to see operations from the group that are global in scope in key political, military, and economic hotspots for Russia,” said Mandiant researchers in their analysis on Wednesday. “Given the active and persistent threat to governments and critical infrastructure operators globally, Mandiant has decided to graduate the group into APT44.”

]]>
<![CDATA[UnitedHealth Took $872M Hit From Change Cyberattack]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/change-healthcare-ransomware-attack-cost-usd872m-so-far https://thebananastand.duo.com/decipher/change-healthcare-ransomware-attack-cost-usd872m-so-far

In its 2024 first quarter earnings, Change Healthcare parent UnitedHealth Group reported that the massive ransomware attack that was uncovered at the end of February has cost the company $872 million so far.

Remediation efforts are still ongoing, but UnitedHealth Group’s earnings offer a glimpse of the attack’s financial cost in the eight weeks since it was announced. Of the $872 million, $593 million was direct response costs, which cover restoration of the company’s platform and the higher medical care expenditures it incurred after suspending care management activities to ease providers’ workflows; the remaining $279 million was attributed to business disruption caused by the attack.

"The company continues to make significant progress in restoring the affected Change Healthcare services while providing financial support to impacted health care providers," according to UnitedHealth Group’s Tuesday earnings release. "To date, the company has provided over $6 billion in advance funding and interest-free loans to support care providers in need."

Overall, in its first quarter earnings UnitedHealth Group said its revenue increased almost $8 billion year-over-year to $99.8 billion. The company, however, is still grappling with the fallout from the ransomware attack that occurred in late February, which included a reported $22 million payment to the BlackCat ransomware affiliates behind the attack and led to delays in patient care, prescription orders and payments, impacting providers, pharmacies and hospitals across the U.S.

Though most systems are online and claims processing is underway, UnitedHealth Group is now facing a second ransom demand from another ransomware group affiliate that claims to have patient and corporate data stolen from Change Healthcare’s systems.

The federal government has also stepped in, with the Department of Health and Human Services Office for Civil Rights in March opening an investigation into the incident and whether protected health information was compromised. In a new update on its website on Monday, Change Healthcare said that at this time, the company “knows that the data had some quantity of personal health information and personally identifiable information.”

“We are working to determine the quantity of impacted data, and we are fully committed to providing notifications to impacted individuals when determinations are able to be made — and will work with the Office of Civil Rights and our customers in doing so,” according to UnitedHealth Group’s update this week.

Lasting Damages

While UnitedHealth Group’s financial reports are one way to gauge the impact of the ransomware attack, the incident has a far-reaching and ongoing effect on many other organizations across the industry that's harder to pinpoint.

In a Tuesday hearing by the House Energy and Commerce Subcommittee on Health - titled "Examining Health Sector Cybersecurity in the Wake Of The Change Healthcare Attack" - government and healthcare entities talked about the ongoing impacts of the attack. Representatives from UnitedHealth Group did not participate in the hearing.

Adam Bruggeman, an orthopedic surgeon with the Texas Spine Center, said that the cyberattack led to his practice being unable to process claims and receive payments. While Bruggeman said his practice had enough cash reserves to continue operating without receiving payments during the outage, the practice still faced a number of significant challenges in dealing with the fallout from the attack. For instance, while the practice had the option to change over to an alternative clearinghouse a few weeks after the attack, not all insurers allowed the practice to do that for claim submissions, because integrating with a new clearinghouse is costly and time consuming.

“This made switching impractical,” said Bruggeman. “Instead, we had to either hold claims in limbo or resort to submitting them through individual online portals.”

The practice also could not receive electronic remittance advices (ERAs) from insurers, which normally accompany deposits into its bank account and identify which bills have been paid. As a result, many patients received automated bills for claims that should have been marked as paid, leading to confusion and frustration, said Bruggeman.

Another ongoing issue is the lack of transparency around the attack. Scott MacLean, Board Chair of the College of Healthcare Information Management Executives (CHIME) and SVP and CIO of MedStar Health, said that from the start, many CHIME members “found themselves struggling to navigate the most significant cyber incident to hit our sector.” Indicators of compromise (IoCs) were not widely shared right away, for instance, and for a period organizations did not know which systems were safe to reconnect to.

“Following the attack, there was a dearth of information and our members found themselves in the dark navigating an extremely complex and far-reaching attack with few answers, and few options for continuing operations,” said MacLean. “The lack of answers hampered and continues to hamper recovery efforts.”

]]>
<![CDATA[Critical Crypto Bug Fixed in PuTTY]]> dennis@decipher.sc (Dennis Fisher) https://thebananastand.duo.com/decipher/critical-crypto-bug-fixed-in-putty https://thebananastand.duo.com/decipher/critical-crypto-bug-fixed-in-putty

Many versions of the PuTTY client have a subtle vulnerability that can allow an attacker to compromise some private keys and then forge signatures and log into any remote servers on which those keys are used.

The bug (CVE-2024-31497) affects versions 0.68 through 0.80 of PuTTY, a popular client for SSH, Telnet and other remote-access protocols, and stems from the way the client generates ECDSA nonces for one specific NIST curve: the nonces are biased. The weakness applies only to 521-bit ECDSA keys on the NIST P-521 curve (the ecdsa-sha2-nistp521 key type). To exploit it, an attacker needs to collect roughly 60 signatures made with the private key, which is a plausible requirement. Researchers at Ruhr University Bochum in Germany discovered the flaw and published details on Monday. The bug is fixed in PuTTY 0.81.

“The PuTTY client and all related components generate heavily biased ECDSA nonces in the case of NIST P-521. To be more precise, the first 9 bits of each ECDSA nonce are zero. This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques. These signatures can either be harvested by a malicious server (man-in-the-middle attacks are not possible given that clients do not transmit their signature in the clear) or from any other source, e.g. signed git commits through forwarded agents,” the advisory from the Ruhr University researchers says.

“Luckily, client signatures are transmitted within the secure channel of SSH, requiring a malicious server to acquire such signatures. If the key has been used to sign arbitrary data (e.g., git commits by forwarding Pageant to a development host), the publicly available signatures (e.g., on GitHub) can be used as well.”
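The failure mode the advisory describes can be reproduced in a few lines. The block below is an added example, not PuTTY’s code or the researchers’ tooling: `biased_nonce` models the defect (a nonce derived from a single 512-bit digest and reduced modulo the 521-bit group order can never have any of its top 9 bits set, because 2^512 is smaller than the order), `safe_nonce` shows one correct derivation (RFC 6979’s bits2int step plus rejection sampling, here driven by SHAKE-256 rather than HMAC-DRBG; it is assumed for illustration and is not the fix PuTTY 0.81 shipped), and `signatures_needed` gives the rough count the advisory cites. The group order is the FIPS 186-4 value for P-521; the private key is a constructed test value.

```python
"""Why a 512-bit digest makes a biased P-521 ECDSA nonce.

Added example, not PuTTY's code or the Ruhr University researchers' tooling.
`biased_nonce` models the failure mode in the advisory; `safe_nonce` is one
correct alternative assumed for illustration (not the fix PuTTY shipped).
"""
import hashlib
import math

# Group order n of NIST P-521 (FIPS 186-4); cross-check against your library.
P521_ORDER = int("01FF" + "FFFF" * 15 + "FFFA"
                 "51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)
ORDER_BITS = P521_ORDER.bit_length()  # 521


def biased_nonce(priv: int, msg_hash: bytes) -> int:
    """Nonce from one SHA-512 digest reduced mod n.

    2**512 < n, so the reduction changes nothing and k < 2**512: the top
    ORDER_BITS - 512 = 9 bits of every nonce are zero.
    """
    digest = hashlib.sha512(priv.to_bytes(66, "big") + msg_hash).digest()
    return int.from_bytes(digest, "big") % P521_ORDER


def safe_nonce(priv: int, msg_hash: bytes) -> int:
    """Nonce carrying all 521 bits.

    Draw ceil(521/8) = 66 bytes, drop the 7 surplus low bits (RFC 6979
    bits2int) and retry if the candidate falls outside [1, n-1], so k is
    spread over the whole range instead of capped below 2**512.
    """
    nbytes = (ORDER_BITS + 7) // 8      # 66 bytes = 528 bits
    shift = nbytes * 8 - ORDER_BITS     # 7 surplus bits
    for counter in range(1 << 16):      # rejection loop; almost always 1 pass
        seed = priv.to_bytes(66, "big") + msg_hash + counter.to_bytes(2, "big")
        k = int.from_bytes(hashlib.shake_256(seed).digest(nbytes), "big") >> shift
        if 1 <= k < P521_ORDER:
            return k
    raise RuntimeError("nonce derivation failed")


def top_bits_zero(k: int, bits: int = 9) -> bool:
    """True when the highest `bits` bits of a 521-bit nonce are all zero."""
    return k >> (ORDER_BITS - bits) == 0


def bias_rate(nonce_fn, samples: int = 2000) -> float:
    """Fraction of nonces with the top 9 bits zero; about 1/512 is honest."""
    priv = int.from_bytes(hashlib.sha256(b"constructed test key").digest(), "big")
    hits = sum(top_bits_zero(nonce_fn(priv, i.to_bytes(4, "big"))) for i in range(samples))
    return hits / samples


def signatures_needed(leaked_bits: int) -> int:
    """Rough lower bound for a lattice (hidden number problem) attack:
    enough signatures that the leaked bits add up to the key length."""
    return math.ceil(ORDER_BITS / leaked_bits)


if __name__ == "__main__":
    print(f"top-9-bits-zero rate  biased: {bias_rate(biased_nonce):.3f}"
          f"  safe: {bias_rate(safe_nonce):.4f}")
    print(f"signatures for full key recovery with 9 leaked bits: ~{signatures_needed(9)}")
```

The biased generator scores 1.0 on every run, the correct one about 0.002; with 9 known bits per signature the key’s 521 bits are covered after 58 signatures, which is the “roughly 60” in the advisory (real lattice attacks need a few more to absorb noise).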

PuTTY has been around for more than 20 years; it was originally developed for Windows, but it is open source and has been ported to other operating systems. The client is used for remote shell sessions, file transfers and other functions. The Ruhr University researchers said users should discard any NIST P-521 client keys that were used with affected versions of PuTTY or its components such as the Pageant agent. The bias is introduced when a signature is made, so a key generated elsewhere is just as exposed once an affected PuTTY has signed with it, and upgrading does not help if an attacker already holds enough old signatures.

“All NIST P-521 client keys used with PuTTY must be considered compromised, given that the attack can be carried out even after the root cause has been fixed in the source code (assuming that ~60 pre-patch signatures are available to an adversary),” the advisory says.
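Server administrators acting on that advice first need to know which accounts accept a P-521 key at all. The following is an added example, not from the PuTTY project or the advisory: it parses the OpenSSH `authorized_keys` line format and the SSH wire encoding of the key blob (RFC 4253 string = 4-byte length plus bytes; RFC 5656 ECDSA blob = key type, curve name, point), reading the curve from the blob rather than trusting the text in front of it, and lists the lines to rotate. The sample keys are constructed with dummy points and are not real keys.

```python
"""Find NIST P-521 SSH public keys in an authorized_keys file.

Added example, not from the PuTTY project or the researchers' advisory.
Parses OpenSSH's authorized_keys line format and the SSH wire encoding of
the key blob (RFC 4253 / RFC 5656). Sample keys below are constructed with
dummy points; they are not real keys.
"""
from __future__ import annotations

import base64
import struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "sk-")


def ssh_string(data: bytes, pos: int) -> tuple[bytes, int]:
    """Decode one SSH wire 'string' at pos; return (value, next_pos)."""
    (n,) = struct.unpack(">I", data[pos:pos + 4])
    end = pos + 4 + n
    if end > len(data):
        raise ValueError("truncated SSH string")
    return data[pos + 4:end], end


def key_curve(blob: bytes) -> str | None:
    """Return the curve name for an ECDSA blob, None for other key types."""
    ktype, pos = ssh_string(blob, 0)
    if not ktype.startswith(b"ecdsa-sha2-"):
        return None
    curve, _ = ssh_string(blob, pos)
    if ktype != b"ecdsa-sha2-" + curve:
        raise ValueError("key type and curve name disagree")
    return curve.decode()


def parse_line(line: str) -> dict | None:
    """Split an authorized_keys line into options, type, blob and comment.

    Options may contain quoted spaces (command="..."), so the key-type
    token is located by name rather than by position.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPES):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except (IndexError, ValueError):
                return None
            return {"options": " ".join(tokens[:i]), "type": tok, "blob": blob,
                    "comment": " ".join(tokens[i + 2:])}
    return None


def find_p521_keys(text: str) -> list[dict]:
    """Lines whose blob is a P-521 ECDSA key, with line number and comment."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        try:
            curve = key_curve(entry["blob"])
        except (ValueError, struct.error):
            continue  # malformed blob: not our problem here, sshd rejects it
        if curve == "nistp521":
            hits.append({"line": lineno, "type": entry["type"], "comment": entry["comment"]})
    return hits


def make_ecdsa_blob(curve: str, point: bytes) -> bytes:
    """Build an ECDSA public-key blob (used here only to construct samples)."""
    out = b""
    for s in (b"ecdsa-sha2-" + curve.encode(), curve.encode(), point):
        out += struct.pack(">I", len(s)) + s
    return out


def _line(curve: str, comment: str, options: str = "") -> str:
    size = {"nistp256": 32, "nistp384": 48, "nistp521": 66}[curve]
    point = b"\x04" + bytes(2 * size)  # uncompressed point, dummy coordinates
    blob = base64.b64encode(make_ecdsa_blob(curve, point)).decode()
    return f"{options + ' ' if options else ''}ecdsa-sha2-{curve} {blob} {comment}"


# Constructed sample file: two P-521 keys, one of them behind a command= option.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample",
    _line("nistp256", "alice@laptop"),
    _line("nistp521", "bob@putty-win"),
    _line("nistp521", "deploy@ci", options='command="/usr/bin/rsync --server",no-pty'),
    _line("nistp384", "carol@mac"),
])

if __name__ == "__main__":
    for h in find_p521_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {h['line']}: {h['type']} {h['comment']}  -> rotate")
```

Point it at real files by replacing the sample with `Path("~/.ssh/authorized_keys").expanduser().read_text()`; the same parser works on `known_hosts`-style and certificate-authority key lists, since only the blob’s first two strings are inspected.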

]]>
<![CDATA[CISA Warns of Sisense Breach]]> dennis@decipher.sc (Dennis Fisher) https://thebananastand.duo.com/decipher/cisa-warns-of-sisense-breach https://thebananastand.duo.com/decipher/cisa-warns-of-sisense-breach

The Cybersecurity and Infrastructure Security Agency is responding to an intrusion affecting Sisense, a major provider of business and data analytics, that involves the compromise of customer data.

The agency released an alert about the incident on Thursday morning. Sisense has reportedly notified customers but had not, at that point, released any public statement about the intrusion. CISA said independent security researchers discovered the compromise, and the agency urged Sisense customers to rotate their credentials.

“CISA is taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations. We will provide updates as more information becomes available,” the CISA advisory says.

Sisense provides a number of business analytics products, including an on-premises platform and a cloud-based service. The company lists a slew of high-profile customers on its site, including NASDAQ, Air Canada and others. The platform typically requires extensive permissions and deep integration into an enterprise’s systems. Researchers say the information the unnamed attackers were able to exfiltrate from Sisense includes credentials and authentication tokens for some of the applications the platform integrates with.

Late on Thursday, Sisense CISO Sangram Dash sent a communication to customers about the incident and outlined a long list of actions they should take in order to protect their organizations, including changing any and all Sisense-related passwords, changing passwords for all Sisense users, and logging all users out of the platform. For organizations that employ single sign-on, the company also recommends changing shared secrets for SSO, rotating the X.509 certificate for the SSO SAML provider, and changing the OpenID client secret for companies that have implemented OpenID.

“Our customers must reset any keys, tokens, or other credentials in their environment used within the Sisense application,” the message says.

Sisense has not released any public statements about the incident yet.

]]>
<![CDATA[Palo Alto Networks Discloses Critical PAN-OS Zero Day]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/palo-alto-networks-discloses-critical-pan-os-zero-day https://thebananastand.duo.com/decipher/palo-alto-networks-discloses-critical-pan-os-zero-day

UPDATE - Patches are now available for a critical-severity vulnerability in Palo Alto Network's PAN-OS software for firewalls. The flaw, first disclosed on Friday, is currently being exploited in the wild.

The vulnerability (CVE-2024-3400) carries the maximum CVSS score of 10 and stems from a command injection issue in the GlobalProtect feature of PAN-OS. It lets an unauthenticated attacker execute arbitrary code with root privileges on the firewall. According to the initial advisory, it affects PAN-OS 10.2, 11.0 and 11.1 firewalls on which both a GlobalProtect gateway and device telemetry are configured.

“Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024,” according to the advisory on Friday by Palo Alto Networks. “Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.”

In its advisory, Palo Alto Networks said that users can verify if they have the GlobalProtect gateway and device telemetry configured by checking for entries in the firewall web interface.

The hotfix releases were not expected until Sunday, so Palo Alto Networks provided customers with several interim mitigations, including temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Palo Alto Networks has since revised the advisory to say that device telemetry does not need to be enabled for a firewall to be exposed, so disabling it should not be relied on as a mitigation on its own; upgrading to a fixed release is the remedy.

Details of the Exploitation

Volexity researchers said on Friday that they had discovered a threat actor, which they track as UTA0218, exploiting the vulnerability.

The researchers first identified the zero-day exploitation of the flaw on April 10, after receiving alerts about suspicious network traffic from the firewall of one of its customers. However, researchers said that the earliest evidence of attempted exploitation tracks back to March 26.

"A subsequent investigation determined the device had been compromised," said Volexity researchers in a Friday analysis of the flaw. "The following day, April 11, 2024, Volexity observed further, identical exploitation at another one of its NSM customers by the same threat actor."

The attacker remotely exploited the bug to open a reverse shell and download post-exploitation tools, including a previously unseen Python-based backdoor.

"The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations," according to Volexity's threat research team. "During its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which Volexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests."

Impacted users are urged to apply mitigations and patches when available. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday also added the flaw to its known exploited vulnerabilities catalog, where it lists flaws that are “frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” Federal agencies have a deadline of April 19 to patch the flaw.

This article was updated on April 16 to reflect that patches are now available for the flaw.

]]>
<![CDATA[CISA Emergency Directive Orders Mitigations After Microsoft Breach]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/cisa-emergency-directive-orders-mitigations-after-microsoft-breach https://thebananastand.duo.com/decipher/cisa-emergency-directive-orders-mitigations-after-microsoft-breach

The U.S. government has made public an emergency directive (ED 24-02) that it issued last week, ordering federal agencies to take various mitigation measures after a previously disclosed Microsoft compromise allowed threat actors to exfiltrate email correspondence between the agencies and Microsoft.

The emergency directive, originally issued privately to federal agencies on April 2 and first reported by CyberScoop, orders affected agencies to take immediate action on any tokens, passwords, API keys or other authentication credentials suspected of being compromised. By April 30, agencies with any such compromise must reset the credentials, deactivate any associated applications, and review sign-in, token-issuance and other account-activity logs for the users whose credentials were exposed.

The Microsoft compromise, which was first disclosed in January but dated back to two months before that, impacted an undisclosed number of government agencies after a Russian state-sponsored actor called Midnight Blizzard compromised a number of internal Microsoft corporate email accounts and stole sensitive company information. In its advisory for the emergency directive, CISA said that the threat actor is using authentication details and other information exfiltrated from corporate email systems in order to gain additional access to customers.

“Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” according to CISA in the emergency directive. “This Emergency Directive requires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure.”

All federal agencies known to be impacted by the compromise have been notified, according to CISA, and the required actions apply primarily to them. The emergency directive also orders all affected agencies to take steps to identify the full content of their correspondence with Microsoft and carry out a cybersecurity impact analysis by April 30. On CISA’s end, the agency will provide federal agencies with instructions for accessing and analyzing the content of emails, work to identify instances associated with the threat activity and provide technical support for impacted agencies.

The initial attack, which began in November, had specifically targeted high-value people inside the company, like senior leaders. According to Microsoft in an update in March on the attack, it is apparent that the threat group is attempting to "use secrets of different types it has found." The attack is ongoing, according to Microsoft, and Midnight Blizzard may be using the stolen information to create a picture of vulnerable areas to attack.

"Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures," according to Microsoft's last update on the attack, on March 8. "Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024."
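The directive’s log-review step and Microsoft’s mention of password sprays point at the same detection. The block below is an added example, not from CISA or Microsoft: it runs a sliding-window password-spray detector over sign-in records and then correlates any success from a spraying source, which is the account whose credentials need resetting and whose tokens need revoking. The record fields (userPrincipalName, ipAddress, createdDateTime, status.errorCode) are modelled on Entra ID sign-in logs and the events are constructed for this illustration; error code 50126 is the “invalid username or password” failure.

```python
"""Password-spray detection over sign-in records.

Added example, not from CISA's directive or Microsoft's advisory. Field
names follow Entra ID sign-in logs (userPrincipalName, ipAddress,
createdDateTime, status.errorCode) as an assumption; the sample events are
constructed. Error code 50126 = invalid username or password.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDS = 50126


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_sprays(events: list[dict], min_users: int = 5,
                  window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Flag source IPs that fail credentials for >= min_users distinct
    accounts inside one sliding window.

    A spray is many accounts with one or two failures each, which per-account
    lockout thresholds never trip; counting distinct users per source catches it.
    """
    failures = defaultdict(list)  # ip -> [(time, user)]
    for e in events:
        if e["status"]["errorCode"] == INVALID_CREDS:
            failures[e["ipAddress"]].append((parse_time(e["createdDateTime"]),
                                             e["userPrincipalName"]))
    alerts = []
    for ip, attempts in failures.items():
        attempts.sort()
        best = None
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users and (best is None or len(users) > len(best["users"])):
                best = {"ip": ip, "users": sorted(users),
                        "first": attempts[start][0], "last": attempts[end][0]}
        if best:
            alerts.append(best)
    return alerts


def successful_after_spray(events: list[dict], alerts: list[dict]) -> list[dict]:
    """Successful sign-ins from a spraying IP: the accounts that were guessed."""
    spray_ips = {a["ip"] for a in alerts}
    return [{"ip": e["ipAddress"], "user": e["userPrincipalName"], "time": e["createdDateTime"]}
            for e in events
            if e["ipAddress"] in spray_ips and e["status"]["errorCode"] == 0]


def _ev(t: str, user: str, ip: str, code: int) -> dict:
    return {"createdDateTime": t, "userPrincipalName": user, "ipAddress": ip,
            "status": {"errorCode": code}}


# Constructed sample: one IP sprays six accounts in 20 minutes and gets one
# right; a second IP is a single user mistyping twice, which must not alert.
SAMPLE_EVENTS = [
    _ev("2024-02-10T03:00:10Z", "a.lee@agency.example", "203.0.113.7", 50126),
    _ev("2024-02-10T03:03:41Z", "b.ruiz@agency.example", "203.0.113.7", 50126),
    _ev("2024-02-10T03:07:02Z", "c.park@agency.example", "203.0.113.7", 50126),
    _ev("2024-02-10T03:11:55Z", "d.oduya@agency.example", "203.0.113.7", 50126),
    _ev("2024-02-10T03:15:30Z", "e.shah@agency.example", "203.0.113.7", 50126),
    _ev("2024-02-10T03:19:09Z", "f.novak@agency.example", "203.0.113.7", 0),
    _ev("2024-02-10T03:19:12Z", "g.wu@agency.example", "203.0.113.7", 50126),
    _ev("2024-02-10T09:00:00Z", "h.kim@agency.example", "198.51.100.2", 50126),
    _ev("2024-02-10T09:00:20Z", "h.kim@agency.example", "198.51.100.2", 50126),
    _ev("2024-02-10T09:01:00Z", "h.kim@agency.example", "198.51.100.2", 0),
]

if __name__ == "__main__":
    alerts = detect_sprays(SAMPLE_EVENTS)
    for a in alerts:
        print(f"spray from {a['ip']}: {len(a['users'])} accounts, {a['first']} .. {a['last']}")
    for s in successful_after_spray(SAMPLE_EVENTS, alerts):
        print(f"  SUCCESS {s['user']} at {s['time']} -> reset password, revoke tokens")
```

Tune `min_users` and `window` to the tenant’s normal failure rate; sprays that rotate source IPs per attempt defeat the per-IP grouping, so for those, group by user agent or ASN instead and keep the same distinct-user count.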

]]>
<![CDATA[Microsoft Patch Tuesday Update Fixes Actively Exploited Flaws]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/microsoft-patch-tuesday-update-fixes-actively-exploited-flaws https://thebananastand.duo.com/decipher/microsoft-patch-tuesday-update-fixes-actively-exploited-flaws

Microsoft has patched over 147 flaws in its largest Patch Tuesday release since 2017, including two actively exploited vulnerabilities.

One of the actively exploited bugs is an important-severity spoofing vulnerability in Windows Proxy Driver (CVE-2024-26234). While Microsoft on Tuesday originally said that the flaw was not being exploited in the wild, it later updated the advisory to confirm that the flaw had both been publicly disclosed and exploited.

The flaw was discovered by Christopher Budd, director of threat research with Sophos X-Ops. In an analysis of the exploitation activity surrounding the flaw released on Tuesday, Sophos researchers said that in December they found a malicious file, signed with a valid Microsoft Hardware Publisher Certificate. Upon further investigation, through looking at internal data and VirusTotal reports, researchers discovered the executable was previously bundled in a setup file for a product called LaiXi Android Screen Mirroring, which is marketed as software that connects and controls hundreds of mobile phones in order to automate tasks like following, liking and commenting in batches.

“It’s worth noting that while we can’t prove the legitimacy of the LaiXi software – the GitHub repository has no code as of this writing, but contains a link to what we assume is the developer’s website – we are confident that the file we investigated is a malicious backdoor,” said Andreas Klopsch with Sophos X-Ops in the Tuesday analysis.

According to researchers, the file would embed a tiny freeware proxy server, which they assessed was used by attackers to monitor and intercept network traffic on infected systems. Sophos researchers also noted that Stairwell researchers had published a separate independent investigation into LaiXi in January, which was based on a tweet by Johann Aydinbas.

"We immediately reported our findings to the Microsoft Security Response Center," according to Klopsch. "After validating our discovery, the team at Microsoft has added the relevant files to its revocation list (updated today as part of the usual Patch Tuesday cycle; see CVE-2024-26234)."

Another important-severity flaw in Microsoft's security update was reported by a security researcher as exploited in the wild. This flaw is in SmartScreen Prompt, part of Microsoft Defender SmartScreen, the feature that warns users before they run downloaded files or visit websites that might be malicious. The vulnerability (CVE-2024-29988) is a security feature bypass that can lead to code execution. Microsoft does not list it as exploited in the wild, but according to Trend Micro, the flaw was discovered being targeted by attackers.

“This is an odd one, as a ZDI threat researcher found this vulnerability being in the wild, although Microsoft currently doesn’t list this as exploited,” said Dustin Childs with the Zero Day Initiative in an analysis of the Patch Tuesday updates. “I would treat this as in the wild until Microsoft clarifies.”

According to Childs, the flaw enables attackers to bypass the Mark of the Web feature (the zone marker that Windows attaches to files arriving from an untrusted location, and which is what triggers SmartScreen's warning) and execute malware on targeted systems. The flaw is similar to another actively exploited vulnerability disclosed by Microsoft in February (CVE-2024-21412), which was used in attacks to bypass Microsoft Defender SmartScreen and infect financial market traders with the DarkMe malware.

“Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass MotW,” said Childs.

Though as of Wednesday the vulnerability was still not listed as exploited in Microsoft's security update, the company rated exploitation as “more likely.” To exploit the bug, an attacker would need to convince a user to launch a malicious file via a launcher application that requests that no UI be shown, according to Microsoft.
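Mark of the Web is not a warning dialog but a small NTFS alternate data stream named Zone.Identifier that downloaders write next to a file; SmartScreen only evaluates files whose stream says they came from the Internet or Restricted Sites zones. The following helper, an added example that is not code from Decipher, Microsoft, ZDI or Trend Micro, parses that stream and classifies files the way the bypass above matters: a file that lost the stream (for instance after extraction by an archiver that does not propagate it, or a copy through a FAT-formatted drive) opens with no SmartScreen prompt at all. The stream contents and file names below are constructed for illustration; reading the stream from disk only works on Windows.

```python
"""Parse and evaluate Mark of the Web (the Zone.Identifier alternate data stream).

Added example, not code from Decipher, Microsoft, ZDI or Trend Micro. The stream
contents below are constructed. On Windows the stream is opened as
path + ":Zone.Identifier"; on other platforms only the parser runs.
"""
import os
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# URLMON security zone IDs as written into the ZoneId field of the stream.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
# Zones Windows treats as "downloaded from the internet" for SmartScreen purposes.
UNTRUSTED_ZONES = {3, 4}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown ({self.zone_id})")

    @property
    def triggers_warning(self) -> bool:
        return self.zone_id in UNTRUSTED_ZONES


def parse_zone_identifier(text: str) -> Optional[MarkOfTheWeb]:
    """Parse the INI-style [ZoneTransfer] block; None if there is no usable ZoneId."""
    in_section = False
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    zone = fields.get("zoneid")
    if zone is None or not zone.isdigit():
        return None
    return MarkOfTheWeb(int(zone), fields.get("referrerurl"), fields.get("hosturl"))


def read_mark_of_the_web(path: str) -> Optional[MarkOfTheWeb]:
    """Read the stream from an NTFS file. Windows only; None when the stream is absent."""
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:  # no stream means no MotW, so no SmartScreen prompt
        return None


def classify(files: Iterable[Tuple[str, Optional[str]]]) -> Dict[str, str]:
    """files: (name, stream text or None). Returns name -> verdict."""
    verdicts: Dict[str, str] = {}
    for name, stream in files:
        motw = parse_zone_identifier(stream) if stream else None
        if motw is None:
            verdicts[name] = "no MotW: opens without a SmartScreen prompt"
        elif motw.triggers_warning:
            verdicts[name] = f"MotW zone {motw.zone_id} ({motw.zone_name}): SmartScreen evaluates it"
        else:
            verdicts[name] = f"MotW zone {motw.zone_id} ({motw.zone_name}): treated as trusted"
    return verdicts


# Constructed sample: what a browser writes on download, what an archiver that does not
# propagate the stream leaves on the extracted copy, and an intranet-zone document.
SAMPLE_DOWNLOADED = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                     "ReferrerUrl=https://example.invalid/\r\n"
                     "HostUrl=https://example.invalid/tools.zip\r\n")
SAMPLE_FILES = [
    ("tools.zip", SAMPLE_DOWNLOADED),
    ("tools/update.exe", None),
    ("intranet-doc.docx", "[ZoneTransfer]\r\nZoneId=1\r\n"),
]

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_FILES).items():
        print(f"{name}: {verdict}")
```

When triaging a suspected MotW bypass, compare the stream on the archive the user downloaded with the stream on the file that actually ran; a missing or intranet-zone stream on the executed file explains why no prompt appeared.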

Peter Girnus with Trend Micro’s Zero Day Initiative, and Dmitrij Lenz and Vlad Stolyarov with Google's Threat Analysis Group, were credited with reporting the flaw.

Microsoft in its update also fixed three critical-severity flaws in Microsoft Defender for IoT, its security product for Internet of Things devices. All three flaws (CVE-2024-21322, CVE-2024-21323 and CVE-2024-29053) can enable remote code execution if exploited. Of these three bugs, CVE-2024-21322 has the highest CVSS score (8.8 out of 10), but Microsoft in its advisory for the flaw notes that attackers must have existing administrative access to the Defender for IoT web application in order to exploit the flaw.

“As is best practice, regular validation and audits of administrative groups should be conducted,” according to the security advisory.

]]>
<![CDATA[Memory Safe: Sherrod DeGrippo]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/memory-safe-sherrod-degrippo https://thebananastand.duo.com/decipher/memory-safe-sherrod-degrippo

In this week’s Memory Safe episode, Sherrod DeGrippo of Microsoft talks about her first experiences with hacker culture, why a Stanley Kubrick movie shows a glimpse of what AI is, and how she makes sure that “threat intelligence hits the right note.” Watch the episode below or download the podcast MP3 version here.

]]>
<![CDATA[SAP Fixes Three High-Severity Flaws]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/sap-fixes-three-high-severity-flaws https://thebananastand.duo.com/decipher/sap-fixes-three-high-severity-flaws

SAP has released security updates for three high-severity vulnerabilities in different products, including what it describes as a security misconfiguration flaw in SAP NetWeaver, which serves as the technical foundation for many SAP apps.

The issue (CVE-2024-27899) stems from password requirements not being enforced in some features of the User Management Engine of SAP NetWeaver Application Server Java. Specifically, the “self-registration” and “modify your own profile” features don't check that the configured password requirements are met, which could allow users to set weak passwords that are easy to guess or crack. Both features are optional and disabled by default, but customers can enable and configure them, said researchers with Onapsis in an analysis of the new SAP flaws.

“Onapsis recommends implementing the note independently of whether one or both features are enabled or not,” according to Thomas Fritsch with Onapsis in a Tuesday analysis. “This ensures security once you decide to enable one of the features. Keeping the vulnerability unpatched can lead to high impact on the system’s confidentiality and low impact on integrity and availability.”

The flaw has a CVSS score of 8.8 out of 10 and impacts SAP NetWeaver AS versions SERVERCORE 7.50, J2EE-APPS 7.50 and UMEADMIN 7.50.
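The pattern behind this class of bug is a password policy that is enforced on one code path (typically the administrator's create-user screen) and silently skipped on another (self-registration, profile edit). The example below, added here and not SAP or Onapsis code nor a description of how UME is implemented, shows the two shapes side by side: a store where each path writes the password directly, and one where every path that sets a password goes through a single policy gate. The policy values, user names and passwords are constructed for illustration.

```python
"""Enforce password rules at one point so no account-management path can skip them.

Added example, not SAP or Onapsis code and not a model of UME internals.
Policy thresholds and the deny list are constructed.
"""
import hashlib
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple, Type


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    min_classes: int = 3  # of: lowercase, uppercase, digit, symbol
    denylist: frozenset = frozenset({"password", "welcome1", "changeme", "summer2024"})

    def violations(self, password: str, username: str) -> List[str]:
        """Return every rule the password breaks; an empty list means it is acceptable."""
        problems: List[str] = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = sum(bool(re.search(p, password))
                      for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
        if classes < self.min_classes:
            problems.append(f"fewer than {self.min_classes} character classes")
        if password.lower() in self.denylist:
            problems.append("on the deny list")
        if username and username.lower() in password.lower():
            problems.append("contains the user name")
        return problems


def _hash(password: str) -> Tuple[bytes, bytes]:
    """Salted PBKDF2; iteration count kept low for the example, tune higher in production."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UnsafeUserStore:
    """Vulnerable shape: the admin path checks the policy, the self-service paths forgot to."""

    def __init__(self, policy: PasswordPolicy) -> None:
        self.policy = policy
        self.users: Dict[str, Tuple[bytes, bytes]] = {}

    def admin_create(self, username: str, password: str) -> None:
        problems = self.policy.violations(password, username)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        self.users[username] = _hash(password)

    def self_register(self, username: str, password: str) -> None:
        self.users[username] = _hash(password)  # BUG: policy never consulted

    def modify_own_profile(self, username: str, new_password: str) -> None:
        self.users[username] = _hash(new_password)  # BUG: policy never consulted


class SafeUserStore:
    """Hardened shape: every path that sets a password goes through one gate."""

    def __init__(self, policy: PasswordPolicy) -> None:
        self.policy = policy
        self.users: Dict[str, Tuple[bytes, bytes]] = {}

    def _set_password(self, username: str, password: str) -> None:
        problems = self.policy.violations(password, username)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        self.users[username] = _hash(password)

    def admin_create(self, username: str, password: str) -> None:
        self._set_password(username, password)

    def self_register(self, username: str, password: str) -> None:
        self._set_password(username, password)

    def modify_own_profile(self, username: str, new_password: str) -> None:
        self._set_password(username, new_password)


def accepts(store_cls: Type, path: str, username: str, password: str) -> bool:
    """True if the given store class lets `path` set this password."""
    store = store_cls(PasswordPolicy())
    try:
        getattr(store, path)(username, password)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for path in ("admin_create", "self_register", "modify_own_profile"):
        print(f"{path:20s} unsafe={accepts(UnsafeUserStore, path, 'jdoe', 'abc')!s:5} "
              f"safe={accepts(SafeUserStore, path, 'jdoe', 'abc')}")
```

The audit question this encodes is simple: grep for every place that writes a password and confirm each one reaches the same validator. Enabling the SAP note regardless of whether self-registration is switched on, as Onapsis advises, is the same idea applied to configuration rather than code.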

SAP also disclosed an information disclosure flaw in SAP BusinessObjects Web Intelligence, its suite of applications for viewing and analyzing data. Specifically, versions 4.2 and 4.3 of the product's Excel Data Access Service do not correctly validate uploaded Excel files, so a crafted file could cause the service to read data it should not expose.

“Due to improper validation, SAP BusinessObject Business Intelligence Launch Pad allows an authenticated attacker to access operating system information using crafted document,” according to the flaw’s CVE record. “On successful exploitation there could be a considerable impact on confidentiality of the application.”

Finally, SAP reported a high-severity directory traversal bug in several versions of its Asset Accounting tool (CVE-2024-27901), which could allow attackers with high privileges to exploit insufficient validation of user-supplied path information that is passed through to the file APIs. Beyond these three high-severity flaws, SAP also disclosed seven medium-severity flaws and published updates for two previously disclosed medium-severity vulnerabilities (CVE-2022-29613 and CVE-2023-40306).

“SAP strongly recommends that the customer applies patches on priority to protect their SAP landscape,” according to SAP in its Tuesday security advisory. “On 9th of April 2024, SAP Security Patch Day saw the release of 10 new Security Notes. Further, there were 2 updates to previously released Security Notes.”

]]>
<![CDATA[Hospital IT Help Desks Hit With Social Engineering Attacks]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/hospital-it-help-desks-hit-with-social-engineering-attacks https://thebananastand.duo.com/decipher/hospital-it-help-desks-hit-with-social-engineering-attacks

A new security advisory from the U.S. government highlights sophisticated social engineering tactics used by threat actors in recent financially motivated attacks against the healthcare sector. The attackers impersonated healthcare organization employees in phone calls to IT help desks, in order to gain initial access to those employees' email accounts.

As outlined in a new industry alert from the Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center, the callers to IT help desks claimed to be employees in a financial revenue cycle or administrator role. The threat actors did their homework and took careful steps to make their impersonations convincing, placing calls from local area codes and providing sensitive details such as employees' Social Security numbers, corporate IDs and demographic data. These details were likely taken from a mix of public networking sites and previous data breaches.

The threat actors would try to convince help desk staff to enroll a new device for MFA by claiming that their phones were broken and that they could not log in or receive MFA tokens. If successful, the attackers would gain access to the impersonated employee's email account. In some cases, they would also register a domain spoofing the targeted organization and create accounts impersonating the victim organization’s chief financial officer.

“After gaining access, the threat actor specifically targeted login information related to payer websites, where they then submitted a form to make ACH changes for payer accounts,” according to the HHS in its alert last week. “Once access has been gained to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts. The funds were then transferred to overseas accounts.”

The HHS said the sophistication of these social engineering techniques is reminiscent of those used by Scattered Spider. This cybercriminal group targets large companies and their IT help desk contractors, and is known for a ransomware attack last September against MGM Resorts. In Scattered Spider’s attacks, the group has impersonated company IT or help desk staff via phone calls in order to obtain credentials from employees, direct them to run commercial remote access tools and convince them to share their MFA authentication codes. It has also relied on MFA fatigue and SIM swapping attacks.


However, “while the threat actor Scattered Spider (also known as UNC3944) claimed responsibility for this [previous] attack, which led to the deployment of ALPHV (also known as BlackCat) ransomware, there is currently no public attribution for the incident in the health sector,” said HHS. “While these recent campaigns in the health sector did not involve ransomware, both of these incidents did leverage spearphishing voice techniques and impersonation of employees with specific access related to the threat actors’ end goals.”

To avoid these types of attacks, healthcare organizations can implement a number of measures to confirm that callers are who they say they are. For instance, organizations can require IT help desk employees to call back the phone number on record for the employee requesting a password reset or enrollment of a new device, rather than a number the caller supplies, or require that the employee's supervisor be contacted to verify the request.

“It is important to note that when attempting callbacks for verification, the threat actor may claim to be too busy to take a phone call,” according to the advisory. “Other mitigations may involve monitoring for any suspicious ACH changes and revalidating all users with access to payer websites. Some hospitals have implemented procedures that require employees to appear in person at the IT help desk for such requests.”

There were no further details from HHS on the recent cyber incidents involving these tactics, but the healthcare sector has recently been hit by various threats, including ransomware, as seen in the wide-scale Change Healthcare attack. HHS also said attackers are increasingly using AI to amplify their voice-based social engineering tactics and avoid detection. In a recent global study of 7,000 people, one in four said that they had experienced an AI voice cloning scam or knew someone who had, according to HHS.

“Threat actors may also attempt to leverage AI voice impersonation techniques to social engineer targets, making remote identity verification increasingly difficult with these technological advancements,” said the HHS advisory.

]]>
<![CDATA[New Starry Addax Threat Actor Targets Victims With Android Malware]]> dennis@decipher.sc (Dennis Fisher) https://thebananastand.duo.com/decipher/new-starry-addax-threat-actor-targets-victims-with-android-malware https://thebananastand.duo.com/decipher/new-starry-addax-threat-actor-targets-victims-with-android-malware

A newly discovered threat group is using a custom piece of Android malware in a campaign that is targeting human rights activists in Morocco and western Africa.

The campaign is relatively recent: researchers say the group, known as Starry Addax, started it in late February, and it begins with targeted phishing emails that carry a lure connected to the victim’s interests. The attackers are targeting both Windows users and Android users with this campaign, and the custom malware they use is designed specifically for Android devices. Known as FlexStarling, the malware has a number of capabilities, including the ability to read call logs, text messages and contacts. Researchers from Cisco’s Talos group analyzed the malware and the Starry Addax campaign that delivers it and found that the attackers have set up their campaign to be simple but effective.

“Starry Addax’s infrastructure can be used to target both Windows and Android based users. This campaign's infection chain begins with a Spear-Phishing email sent to targets, consisting of individuals of interest to the attackers, especially Human Rights activists in Morocco and the Western Sahara region. The email contains content that either requests the target to install the Sahrawi News Agency’s Mobile App OR may even consist of a topical theme related to Western Sahara,” the Talos analysis says.

The new threat group is specifically targeting victims in Morocco and the Sahrawi Arab Democratic Republic. The Android campaign centers on the FlexStarling malware, which is disguised as a version of the mobile app for the Sahara Press Service. If an Android user clicks on the malicious link in the spear phishing email sent by the Starry Addax threat actors, it will deliver the FlexStarling malware package. For Windows users, the experience is different and will redirect the victim to a site controlled by the attackers, which masquerades as a login page for a region-specific social media site.


The Talos researchers say this campaign is likely in its early stages and may evolve in the future. The earliest signs of the Starry Addax campaign appeared in January, when the attackers registered the first domain associated with it. Later that month, the FlexStarling malware was built and signed, and then in late February the spear phishing campaign began.

“Campaigns such as this one targeting high value individuals usually intend to run long and quietly. All components from the malware to the operating infrastructure seem to be bespoke/custom-made for this specific campaign indicating a heavy focus on stealth and conducting activities under the radar,” the Talos analysis says.

“The use of FlexStarling with a Firebase based C2 instead of commodity malware or commercially available spyware signifies conscious efforts by the threat actor to evade detection and operate without being detected.”

The main objective of this campaign, of course, is to steal sensitive information from victims’ devices. The FlexStarling malware has the ability to download files from an attacker-specified URL and upload local files from the device to a Dropbox folder, as well as delete specific file paths and take other actions. The malware also has the ability to install other components if needed.

The Starry Addax actors are new to the threat landscape, but their capabilities likely will evolve as time goes on.

]]>
<![CDATA[3 Things We Still Don't Know About the XZ Backdoor]]> dennis@decipher.sc (Dennis Fisher)lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/3-things-we-still-don-t-know-about-the-xz-backdoor https://thebananastand.duo.com/decipher/3-things-we-still-don-t-know-about-the-xz-backdoor

The discovery of a backdoor in some versions of the XZ Utils open source tool last week averted what could have been a widespread compromise in the Linux ecosystem and prompted intense analysis and discussion in the security and open-source communities. While much is known about how the long-term operation resulted in the malicious code landing in the package, plenty is still in doubt. Decipher editors Dennis Fisher and Lindsey O'Donnell-Welch discuss three of the biggest open questions tied to this situation.

Dennis Fisher: There's a lot that's known about this XZ backdoor but we wanted to talk about a couple of things that maybe we still don't know about what happened and I think there's probably a bunch of them but let’s try and hit two or three of the bigger ones. I think probably the biggest one at least for me is, who is Jia Tan, this persona that was responsible for adding the backdoor to the XZ Utils a few weeks ago. I've seen a lot of speculation about it, but I don't think anybody has really come up with a concrete answer to this. It may be more than one person using that persona. It could be an entire team. Nobody really knows because there are other sock puppet accounts that sort of popped up to amplify that persona's message in GitHub and other places too. I've seen a lot of speculation about whether this was Chinese operators based on time zones, people think that maybe whoever this was changed their time zone on their commits to central European to sort of throw things off. I really haven't seen anything concrete that's laying out evidence that shows us exactly who this persona was.

Lindsey: It's really interesting. That's the big question of the week and it's been really eye opening to see all the activities that have been unearthed by the GitHub sleuths of what this account has done since 2021 I think was when the account first appeared and then, over the years just really took the time and effort to build up that trust in the open source community. And it's really this person or people who really legitimately appeared on the outside as a trusted member who was interacting with other people in the community. I think I saw a stat that the account had made like six thousand code changes or something over the years so it's not like a one-off account like some of the others. This was someone who really embedded themselves into the community and tried to build up that reputation before they ultimately did become a co-maintainer for XZ and then kind of moved forward from there.

Dennis Fisher: I think for me the most plausible explanation is this is an intelligence agency somewhere that really plotted this out and took their time as you just described. They probably had several people you know on this team working on this issue over the years. That persona landed several sort of innocuous or actually helpful patches to XZ over the years which helps build that trust relationship you just mentioned. That's the type of thing that you would think that an intel agency would do. They have time, they have technical resources, they can plot this out over a long timeline and see if it bears fruit. If it doesn't, what have they lost? Nothing really, aside from people's time. And that doesn't bother them.

Lindsey: And what sticks out to me too is this account also was working with some other projects outside even of XZ. So that's not great. They were looking at what they could get away with or just, as I said before, trying to build up that trust in the broader community. So there's a lot there.

Dennis Fisher: That sort of brings up another one of the things I don't think we really know, which is whether this has happened before. When I was talking to Dan Lorenc on the podcast this week and all the really smart technical analyses I've seen, the answer is probably yes and we just don't know about it. This same team may have had several parallel projects going on that could still be going on. Why put all your eggs in one basket? Why not try this across ten or twelve different projects? If one of them bears fruit, great. If several do, even better. We got super lucky that somebody found this before it actually got loaded into any Linux distributions. And sometimes it's better to be lucky than good.

Lindsey: Yeah I mean it's like what Dan Lorenc said in the podcast that you did with him earlier this week, he said it was inevitable, and I agree with that. It's such a ripe environment for threat actors to close in on and swoop in and gain that trust. It's kind of a terrifying thought. Obviously we found that one, which was great, but this is either happening right now or has happened and you just don't know, because when you look at the backdoor at the more technical level, they were very thoughtful about not just what they were putting in but how they introduced it.

Dennis Fisher: Yeah, the timeline is the craziest thing to me. Three years, and it could have been even longer. We just don't know, we're not 100 percent sure. But even that's an insane amount of time to spend on something like this, but the payoff could have been really great for the attackers. It could have been a complete catastrophe for Linux users. But, if you're an APT and you're not trying to do this stuff, you're bad at your job. This is what your job is.

Lindsey: Even how the backdoor was introduced, different pieces of it were introduced over the time span of multiple commits. How do you even approach the different puzzle pieces?

Dennis Fisher: It was extremely subtle. It took a very smart person looking at a very weird anomaly that had nothing to do with the backdoor itself. It was just a case of, why is there a lag on my machine on this one utility and he somehow went down a rabbit hole and found it. So it's kind of amazing. So I think the third thing that's probably the biggest question in my mind is what this means for the broader open source maintainer community and open source security as a whole. It's extremely silly to point at this maintainer and say this is his fault, that he could have done X, Y and Z to prevent this. I haven’t really seen any smart commentary saying what could have been done. This is a really well-planned, well thought-out operation and one person maintaining this project. He's not expecting this. He's not defending against intel agencies on a regular basis. If this had happened in a closed source or proprietary package, probably no one would have found it or if they did it would have been far, far down the line.

Lindsey: Yeah I think that's a really good point. I've seen a lot of other people point to the fact that it was in open source software was actually helpful. I was thinking I've seen a lot of parallels between this and Log4j and obviously they're both in this same kind of community, but it's incredibly different in a way because with Log4j that was more of a vulnerability and this is more of a very targeted attack. It's really difficult to know how this could have been prevented and what this means for the OSS space in general. But it's a big question mark still for me.

Dennis Fisher: I think if an intel agency decides that they're going to target your software project or your organization, they're going to win. They have time, they have money, they have resources. You're at a massive disadvantage, no matter who you are and what your resource level is.

]]>