Government operation wounds big-time ransomware gang

Welcome to The Cybersecurity 202! Hit me with your best music of 2023, won’t you?


Below: A key cyber nominee is confirmed after months of holds, and Comcast says hackers accessed data in nearly 36 million accounts. First:

ALPHV/BlackCat gets the takedown treatment from international government agencies

International government agencies on Tuesday announced a multipronged offensive against a prominent ransomware gang, complete with the seizure of its digital extortion websites, a decryption tool that has spared victims tens of millions of dollars' worth of ransom payments and an advisory describing the group's modus operandi.

Known as ALPHV or BlackCat, the gang mounted its own publicity campaign designed to offset the government takedown effort, but cybersecurity experts largely viewed the response as the death-throe-like flailing of an organization that had been severely damaged.

The takedown constitutes the latest blow governments have struck against ransomware gangs, following a similar operation against the Hive ransomware outfit at the start of this year, among other disruptions.

  • The Russian-speaking ALPHV had targeted the networks of more than 1,000 victims, the Justice Department said.
  • Attacks linked to ALPHV included those against critical infrastructure targets like hospitals and defense contractors, and, perhaps most prominently, two Las Vegas casinos.

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” said Deputy Attorney General Lisa Monaco. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online.”

The gang and the takedown

Like most gangs these days, ALPHV operates on an affiliate model, in which it lends its ransomware tools to others in exchange for a share of the profits. Another outfit, the English-speaking Scattered Spider linked to the MGM Grand and Caesars hacks, has been known to use ALPHV's ransomware.

An advisory that the FBI and Cybersecurity and Infrastructure Security Agency released Tuesday said ALPHV and its associates had compromised more than 1,000 entities, three-quarters of which are in the United States. They’ve demanded over $500 million in ransom and received nearly $300 million in payments.

“ALPHV Blackcat affiliates have extensive networks and experience with ransomware and data extortion operations,” reads the advisory, which provides technical details on the group.

  • Additionally, “The FBI developed a decryption tool that allowed FBI field offices across the country and law enforcement partners around the world to offer over 500 affected victims the capability to restore their systems,” the Justice Department said. “To date, the FBI has worked with dozens of victims in the United States and internationally to implement this solution, saving multiple victims from ransom demands totaling approximately $68 million.”
  • “The FBI has also gained visibility into the Blackcat ransomware group’s computer network as part of the investigation and has seized several websites that the group operated,” the DOJ said. The unsealed search warrant said that a “confidential human source” helped in the investigation.

Early on Tuesday, the gang's main extortion website displayed a seizure notice listing the agencies that had taken it over.

Then the story got more complicated.

The counternarrative attempt

ALPHV claimed it had taken back control of its website and also put up some others, only for the situation to appear to reverse again. Brett Callow, a threat analyst at Emsisoft, detailed the seesaw in a thread on X, formerly Twitter.


“It’s probably mostly just bluster at this point,” Callow told me about the attempts by ALPHV to portray itself as doing okay. “Their operation has been compromised to an as-of-yet unknown extent, and other cybercriminals will want nothing to do with that.”

ALPHV even offered affiliates more favorable profit-sharing terms amid the takedown.

The operation is a "huge win" for law enforcement, Charles Carmakal, chief technology officer of Mandiant Consulting at Google Cloud, said in a statement.

Given the damage, some predicted that an attempt at rebranding is inevitable.

In the meantime, others have sought to capitalize on ALPHV’s misery, said Kimberly Goody, Mandiant head of cybercrime analysis.

“Law enforcement actions against cybercriminal groups can create ripple effects in underground communities,” she said in a statement. “Actors can forge new alliances or shift to using other tools and malware to fill a void. LOCKBIT affiliated actors have seemingly attempted to take advantage of this situation to gain market share by appealing to ALPHV affiliates and offering to post data from victims who were in the negotiation process with ALPHV.”

Senate confirms Haugh to lead NSA, Cybercom after months of military holds

The Senate on Tuesday night confirmed Lt. Gen. Timothy Haugh to lead the National Security Agency and U.S. Cyber Command, after Sen. Tommy Tuberville (R-Ala.) began lifting his military holds earlier this month.

  • The 10-month blockade imposed by Tuberville in protest of the Defense Department’s abortion care policies threw a wrench in hundreds of military nominations, with a handful of them falling on cybersecurity positions.
  • Gen. Paul Nakasone, the incumbent, is set to leave as the longest-serving leader of Cyber Command. 

Haugh also faced a hold recently imposed by Sen. Ron Wyden (D-Ore.) over whether the Pentagon would publicly acknowledge whether the NSA buys Americans' location data from data brokers, but the Record's Martin Matishak reported that it was resolved.

The NSA and the Defense Department “have provided Senator Wyden with information that is responsive to his inquiry about the purchase of Americans’ data, including internet browsing data, and therefore he has lifted his hold on General Haugh’s nomination,” Keith Chu, a Wyden spokesman, told the outlet.

  • Haugh's deputy, Army Maj. Gen. William Hartman, was confirmed earlier this month when the holds began to lift. A pileup of cyber nominees across Cybercom and the NSA is on track to be resolved now that Haugh has been confirmed to his post.

The NSA did not immediately return a comment to The Cybersecurity 202.

Comcast says data from 36 million accounts compromised in breach

Comcast announced that nearly 36 million U.S. Xfinity accounts were exposed when hackers gained access to the telecommunications giant's systems through a vulnerability in third-party software, the Wall Street Journal's Patience Haggin and Robert McMillan report.

Usernames and "hashed" passwords were exposed, as well as birthdays, contact info, answers to security questions and the last four digits of users' Social Security numbers. A hashed password has been run through a one-way function so that the original is not stored directly, but a weak or reused password can still be recovered from its hash by offline guessing, which is why the company's advice to change passwords matters.

  • Haggin and McMillan write: “The breach occurred between Oct. 16 and Oct. 19, Comcast said, and was due to a vulnerability in software made by Citrix, which lets employees remotely access corporate networks and is widely used by large corporations.” Suspicious activity was discovered Oct. 25 and the vulnerability is now patched, Comcast said.
  • Citrix parent company Cloud Software Group did not return the outlet’s request for comment. 

The Citrix exposure could affect other companies that rely on the same software, TrustedSec founder David Kennedy told the Journal. "We're just seeing the beginning stages of these companies discovering that they're breached," Kennedy said, adding: "We're going to see a lot more of these companies over the next few weeks and months."

Comcast told customers to change their passwords and encouraged them to adopt multifactor authentication for their account log-ins. “We are not aware of any customer data being leaked anywhere, nor of any attacks on our customers,” a spokesperson said in a statement.
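The reason a leak of "hashed" passwords still warrants a password change is easiest to see by running a wordlist against a dump. The following is an added example, not code from the newsletter or from any of the companies it describes; the accounts, passwords and wordlist are constructed for the demonstration, and the unsalted SHA-256 store is a hypothetical worst case rather than a claim about how any real provider stores credentials. It contrasts that worst case with a per-user salted, deliberately slow KDF (PBKDF2-HMAC-SHA256) and counts the hash computations each attack costs.

```python
import hashlib
import os

# Constructed sample dump (not real customer data): four accounts, three with passwords
# common enough to sit in any attacker's wordlist, one with a strong random password.
ACCOUNTS = {
    "alice": "123456",
    "bob": "password",
    "carol": "xfinity1",
    "dave": "T7$kq9!pLm2#vR",
}
WORDLIST = ["123456", "password", "xfinity1", "letmein", "Winter2023!", "qwerty"]
PBKDF2_ITERS = 60_000  # kept low so the example runs in well under a second


def unsalted_sha256(password):
    """Fast, unsalted hash: 'scrambled' but trivially reversible for common passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_pbkdf2(password, salt, iters=PBKDF2_ITERS):
    """Per-user salt plus a deliberately slow key derivation function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters).hex()


def make_dump():
    """Build both flavours of leaked credential store from the constructed accounts."""
    unsalted = {user: unsalted_sha256(pw) for user, pw in ACCOUNTS.items()}
    salted = {}
    for user, pw in ACCOUNTS.items():
        salt = os.urandom(16)
        salted[user] = (salt, salted_pbkdf2(pw, salt))
    return unsalted, salted


def crack_unsalted(dump, wordlist):
    """One hash per candidate, reused for every account: a lookup table built once.

    Returns (recovered passwords by user, number of hash computations spent)."""
    table = {unsalted_sha256(word): word for word in wordlist}
    found = {user: table[h] for user, h in dump.items() if h in table}
    return found, len(wordlist)


def crack_salted(dump, wordlist, iters=PBKDF2_ITERS):
    """Salt defeats the shared table; every (account, candidate) pair costs one full KDF run.

    Weak passwords still fall; only the attacker's cost per guess goes up."""
    found, work = {}, 0
    for user, (salt, h) in dump.items():
        for word in wordlist:
            work += 1
            if salted_pbkdf2(word, salt, iters) == h:
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    unsalted, salted = make_dump()
    for label, (found, work) in (
        ("unsalted SHA-256", crack_unsalted(unsalted, WORDLIST)),
        ("salted PBKDF2", crack_salted(salted, WORDLIST)),
    ):
        print(f"{label}: recovered {sorted(found)} with {work} hash computations")
```

Both stores give up the three weak passwords; the salted, slow store only makes the attacker pay for each guess per account instead of once for the whole dump. A real cracking rig runs billions of fast hashes per second, so on a leaked store the only password that stays safe is one that is not in any wordlist, and the only credential that stays safe is one that has since been changed.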

Researchers devise method to hack, weaken long-used web encryption protocol

Researchers from Germany’s Ruhr University Bochum have designed a new hacking method known as Terrapin that is able to weaken and potentially cripple a key network encryption protocol that computer systems have relied on for decades, Ars Technica’s Dan Goodin reports.

  • The Secure Shell Protocol (SSH) lets computers communicate securely over untrusted networks. Developed and released in the 1990s, it is used for tasks like transferring files or remotely administering a server.
  • As Goodin writes: “Today, it’s hard to overstate the importance of the protocol, which underpins the security of apps used inside millions of organizations, including cloud environments crucial to Google, Amazon, Facebook, and other large companies.”

Terrapin is a man-in-the-middle attack: the attacker sits between the two communicating systems, relaying their traffic and posing to each side as the other. It targets what's known as the Binary Packet Protocol (BPP), the layer of SSH that is supposed to guarantee the confidentiality and integrity of every packet the two systems exchange.

“At its core, Terrapin works by altering or corrupting information transmitted in the SSH data stream during the handshake — the earliest stage of a connection, when the two parties negotiate the encryption parameters they will use to establish a secure connection,” the report notes.

  • “In practice, the attack can be used to impede the negotiation of certain security-relevant protocol extensions,” wrote Fabian Bäumer, one of the three researchers. “Moreover, Terrapin enables more advanced exploitation techniques when combined with particular implementation flaws, leading to a total loss of confidentiality and integrity in the worst case,” he adds.
  • The researchers developed a custom scanner to help detect whether SSH clients and servers are vulnerable to Terrapin, and have advised administrators and developers to check where patches are available.
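The vulnerable configurations can be read straight off the algorithm lists a peer advertises in its unencrypted KEXINIT message at the start of the handshake. The script below is an added example, not the researchers' scanner or code from the article: it parses a KEXINIT payload (RFC 4253 section 7.1), flags the two exploitable combinations (the chacha20-poly1305@openssh.com cipher, or any CBC cipher paired with an encrypt-then-MAC MAC), and reports whether the peer advertises the "strict kex" countermeasure (the kex-strict-s-v00@openssh.com / kex-strict-c-v00@openssh.com pseudo-algorithms) that patched implementations add to their kex list. The two sample KEXINIT messages are constructed for the demonstration; the `scan_server` function talks to a live host and is only for interactive use.

```python
import socket
import struct
import sys

MSG_KEXINIT = 20
CHACHA = "chacha20-poly1305@openssh.com"
STRICT_KEX = {"server": "kex-strict-s-v00@openssh.com", "client": "kex-strict-c-v00@openssh.com"}
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _namelist(names):
    """Encode an SSH name-list: uint32 length followed by comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def _read_namelist(buf, off):
    """Decode one name-list at offset off; returns (names, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return (raw.decode("ascii").split(",") if n else []), off + 4 + n


def build_kexinit(kex, hostkey, enc, mac, comp=("none",)):
    """Construct a KEXINIT payload with identical c2s/s2c lists (used for the offline samples)."""
    body = bytes([MSG_KEXINIT]) + b"\x00" * 16  # message id + 16-byte cookie (random on the wire)
    for names in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        body += _namelist(names)
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows = FALSE, reserved = 0


def parse_kexinit(payload):
    """Decode a KEXINIT payload into its ten name-lists."""
    if not payload or payload[0] != MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}
    for field in KEXINIT_FIELDS:
        out[field], off = _read_namelist(payload, off)
    return out


def assess_terrapin(kexinit, role="server"):
    """Flag the algorithm combinations Terrapin exploits and whether this peer offers strict kex."""
    ciphers = set(kexinit["enc_c2s"]) | set(kexinit["enc_s2c"])
    macs = set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"])
    chacha = CHACHA in ciphers
    cbc_etm = (any(c.endswith("-cbc") for c in ciphers)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    strict = STRICT_KEX[role] in kexinit["kex"]
    return {"chacha20_poly1305": chacha, "cbc_etm": cbc_etm, "strict_kex": strict,
            "vulnerable": (chacha or cbc_etm) and not strict}


def scan_server(host, port=22, timeout=5.0):
    """Fetch a live server's KEXINIT, which follows the banner exchange and is still unencrypted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        while True:  # servers may send free-form lines before the SSH- version string
            line = f.readline()
            if not line:
                raise ConnectionError("no SSH banner received")
            if line.startswith(b"SSH-"):
                break
        sock.sendall(b"SSH-2.0-terrapin_check_example\r\n")
        packet_len, pad_len = struct.unpack(">IB", f.read(5))  # binary packet header
        rest = f.read(packet_len - 1)
        payload = rest[:packet_len - 1 - pad_len]
        return assess_terrapin(parse_kexinit(payload), role="server")


# Constructed samples: a server offering both exploitable modes without strict kex,
# and the same server after a fix that adds the strict-kex marker to its kex list.
SAMPLE_VULNERABLE = build_kexinit(
    kex=("curve25519-sha256", "diffie-hellman-group14-sha256", "ext-info-s"),
    hostkey=("ssh-ed25519", "rsa-sha2-512"),
    enc=(CHACHA, "aes256-gcm@openssh.com", "aes256-cbc"),
    mac=("hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"),
)
SAMPLE_PATCHED = build_kexinit(
    kex=("curve25519-sha256", "diffie-hellman-group14-sha256", "ext-info-s", STRICT_KEX["server"]),
    hostkey=("ssh-ed25519", "rsa-sha2-512"),
    enc=(CHACHA, "aes256-gcm@openssh.com", "aes256-cbc"),
    mac=("hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"),
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan_server(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 22))
    else:
        for label, sample in (("vulnerable", SAMPLE_VULNERABLE), ("patched", SAMPLE_PATCHED)):
            print(label, assess_terrapin(parse_kexinit(sample)))
```

Two caveats matter when reading the result. Strict key exchange only protects a connection when both peers advertise it, so a server report of "strict_kex": True says nothing about old clients connecting to it; check both roles. And the patched sample deliberately still offers chacha20-poly1305 and a CBC cipher, as patched OpenSSH does; removing those algorithms from the negotiated set is the alternative mitigation when one side cannot be updated.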

CISA announces plan to update automated information sharing program, consolidate threat intelligence offerings (Inside Cybersecurity)

Trump disqualified from Colorado’s 2024 primary ballot by state Supreme Court (Patrick Marley and Azi Paybarah)

Who’s killing all these stories about a controversial tech mogul? (Daily Beast)

YouTube is the last bastion of unbiased journalism in India (Rest of World)

Interpol operation arrests 3,500 cybercriminals, seizes $300 million (Bleeping Computer)

Brazil’s first lady to sue Musk’s X over hacked account (Reuters)

He stole hundreds of iPhones and looted people’s life savings. He told us how. (Wall Street Journal)

Sony’s video game plans leaked by ransomware group (Bloomberg News)

An abused wife took on Tesla over tracking tech. She lost. (Reuters)

Verizon gave her data to a stalker. ‘This has completely changed my life’ (404 Media)

Thanks for reading. See you tomorrow.
